Download - I.com Deploying and Securing a Wireless LAN
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
1/14an Networking eBook
Deploying
and Securinga Wireless LAN
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
2/14
Deploying and Securing a Wireless LAN
2 Dene Your Wireless LAN Deployment Risks
4 Minimize WLAN Intererence
7 How to Secure Your WLAN
9 Twelve Key Wireless Network Security Policies
12 Troubleshooting Poor WLAN Perormance
4
2
7
9
12
12
Contents
This content was adapted from Internet.coms Wi-Fi Planet, eSecurity Planet, Enterprise Net-working Planet, and Practically Networked Web sites. Contributors: Jim Geier and Michael
Horowitz.
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
3/14
2 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
hen planning a wireless network installa-
tion, be sure to careully assess and resolve
risks. Otherwise unoreseen implications,
such as RF intererence, poor perormance,
and security holes will wreak havoc. By handling risks dur-
ing the early phases o the deployment, youll signicantly
increase the success o a wirelessnetwork.
The ollowing are common risks to
consider:
Unclear RequirementsI you deploy a wireless network
without rst clariying requirements,
then the wireless network may not
satisy the needs o the users. In
act, poor requirements are otenthe reason why inormation system
projects are unsuccessul. As a re-
sult, always dene clear require-
ments beore getting too ar with
the deployment.
For example, you may install 802.11g today to support
needs or a moderate number o users accessing e-mail
and browsing the Web. Ten months rom now, your orga-
nization may increase the density o users or need to utilize
multimedia applications demanding a higher-perormingsolution. The organization would then be acing a decision
to migrate to 802.11n. Start o right ater careully consid-
ering requirements so that you choose the right technolo-
gies rom the beginning.
RF InterferenceDevices such as 2.4 GHz and 5 GHz cordless phones, mi-
crowave ovens, and neighboring wireless networks, can
cause damaging RF intererence that impedes the peror
mance o a wireless network. To minimize the risk o RF
intererence, perorm a wireless site survey to detect the
presence o intererence, and dene countermeasures be
ore installing the access points.
The problem with RF inter-erence is that its not always
controllable. For example, you
may deploy a 2.4 GHz 802.11n
wireless network in an oce
complex, then three months
later the company next doo
installs a wireless network set
to the same channels. This re-
sults in both wireless networks
interering with each other. A
possible solution to minimizethis risk is to utilize directive an-
tennas that ensure transmit and
receive power o your wireless
network alls only within you
acility. This would limit the im-
pact o the interering wireless
network. You could also speciy the use o 5 GHz 802.11n
which oers more fexibility in choosing channels that don
confict with others.
Security WeaknessesThe potential or an unauthorized person accessing cor-
porate inormation is a signicant threat or wireless net-
works. An eavesdropper can use a reely-available wireless
network analyzer, such as WireShark, to passively receive
and view contents o 802.11 data rames. This could dis-
close credit card numbers, passwords, and other sensitive
inormation.
Dene Your Wireless LAN Deployment RisksBy Jim Geier
W
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
4/14
3 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
Avoid security risks by careully assessing the vulnerabil-
ities o a wireless network, and dene eective security
policies based on the value o inormation you need to
protect. In some cases, you may simply need rewall pro-
tection. Other applications may require eective orms o
encryption. 802.1x port-based authentication will also pro-
vide added security.
Well discuss security more in depth later in this eBook.
Applications InterfacesIn some cases, interaces with applications located on vari-
ous hosts and servers can bring about major problems
when using a wireless network. A relatively short loss oconnectivity due to RF intererence or poor coverage area
causes some applications to produce errors. This occurs
mostly with legacy applications lacking error recovery
mechanisms or wireless systems.
For example, a user may be using an inventory application
by scanning items and entering total counts via a keypad
on the scanner. I loss o connectivity occurs ater scan-
ning the bar code and beore entering the count, the host
based application could log the use out without complet
ing the inventory transaction. As a result, the application
on the host may record an incorrect or invalid value or the
inventory item.
To avoid these types o risks, careully dene the types o
applications the wireless user devices will interace with. I
needed, incorporate solutions such as wireless middleware
(such as NetMotion) to provide adequate handle recovery
mechanisms related to wireless networks.
By identiying and solving these potential risks, youll have
a much more successul wireless network deployment.
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
5/14
4 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
adio requency (RF) intererence can lead to
disastrous problems on wireless LAN deploy-
ments. Many companies have gotten by with-
out any troubles, but some have installations
that dont operate nearly as well as planned. The perils o
interering signals rom external RF sources are oten the
culprit. As a result, its important that youre ully aware oRF intererence impacts and avoidance techniques.
Impacts of RF interferenceAs a basis or understanding the
problems associated with RF in-
tererence in wireless LANs, lets
quickly review how 802.11 stations
(client radios and access points)
access the wireless (air) medium.
Each 802.11 station only transmits
packets when there is no otherstation transmitting. I another
station happens to be sending a
packet, the other stations will wait
until the medium is ree. The actu-
al 802.11 medium access protocol
is somewhat more complex, but
this gives you enough o a start-
ing basis.
RF intererence involves the pres-
ence o unwanted, interering RF signals that disrupt normal
wireless operations. Because o the 802.11 medium access
protocol, an interering RF signal o sucient amplitude
and requency can appear as a bogus 802.11 station trans-
mitting a packet. This causes legitimate 802.11 stations to
wait or indenite periods o time beore attempting to ac-
cess the medium until the interering signal goes away.
To make matters worse, RF intererence doesnt abide by
the 802.11 protocols, so the interering signal may start
abruptly while a legitimate 802.11 station is in the process
o transmitting a packet. I this occurs, the destination sta-
tion will receive the packet with errors and not reply to the
source station with an acknowledgement. In return, the
source station will attempt retransmitting the packet, add-ing overhead on the network.
All o this leads to network latency and unhappy users. In
some causes, 802.11 protocols
will attempt to continue opera
tion in the presence o RF inter-
erence by automatically switch
ing to a lower data rate, which
also slows the use o wireless ap-
plications. The worst case, which
is airly uncommon, is that the802.11 stations will hold o unti
the interering signal goes com-
pletely away, which could be min-
utes, hours, or days.
Sources ofRF InterferenceWith 2.4 GHz wireless LANs
there are several sources o in-
terering signals, including microwave ovens, cordless phones, Bluetooth-enabled devices
FHSS wireless LANs, and neighboring wireless LANs. The
most damaging o these are 2.4 GHz cordless phones that
people use extensively in homes and businesses. I one o
these phones is in use within the same room as a 2.4GHz
(802.11b or 802.11g) wireless LAN, then expect poor wire-
less LAN perormance when the phones are in operation.
Minimize WLAN InterferenceBy Jim Geier
R
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
6/14
5 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
This clearly shows relatively high-level signals emanat-
ing rom the microwave oven in the upper portion o the
2.4GHz requency band, which indicates that you should
tune any access points near this microwave oven to lowe
channels. To simpliy matters, MetaGeek has an interer-
ence identication guide that you can use with Wi-Spy to
help pinpoint interering sources. The benet o using a
spectrum analyzer in this manner is that you can identiy
the intererence aster and avoid guessing i a particular
device is (or may) cause intererence.
Take Action to Avoid RF InterferenceThe ollowing are tips you should consider or reducing RF
intererence issues:
1. Analyze the potential or RF intererenceDo this beore installing the wireless LAN by perorming
an RF site survey. Also, talk to people within the acility
and learn about other RF devices that might be in use
This arms you with inormation that will help when
deciding what course o action to take in order to reduce
the intererence
2. Prevent the interering sources rom
operating.Once you know the potential sources o RF intererence
you may be able to eliminate them by simply turning
them o. This is the best way to counter RF intererence
however, its not always practical. For example, you
cant usually tell the company in the oce space next to
you to stop using their cordless phones; however, you
might be able to disallow the use o Bluetooth-enabled
devices or microwave ovens where your 802.11 users
reside.
3. Provide adequate wireless LAN coverage.A good practice or reducing impacts o RF intererence
is to ensure the wireless LAN has strong signals
throughout the areas where users will reside. I signals
get to weak, then interering signals will be more
troublesome, similar to when youre talking to someone
and a loud plane fies over your heads. O course this
means doing a thorough RF site survey to determine the
most eective number and placement o access point.
A microwave operating within 10 eet or so o an access
point may also cause 802.11b/g perormance to drop.
The oven must be operating or the intererence to occur,
which may not happen very oten depending on the usage
o the oven. Bluetooth-enabled devices, such as laptops
and PDAs, will cause perormance degradations i operat-
ing in close proximately to 802.11 stations, especially i the
802.11 station is relatively ar (i.e., low signal levels) rom
the station that its communicating with. The presence o
FHSS wireless LANs is rare, but when theyre present, ex-
pect serious intererence to occur. Other wireless LANs,
such as one that your neighbor may be operating, can
cause intererence unless you coordinate the selection o
802.11b/g channels.
Use Tools to See RF InterferenceUnless youre Superman, you cant directly see RF interer-
ence with only your eyes. Sure, you might notice problems
in using the network that coincide with use o a device
that may be causing the intererence, such as turning on
a microwave oven and noticing browsing the Internet slow
dramatically, but having tools to conrm the source o the
RF intererence and possibly investigate potential sources
o RF intererence is crucial. For example, MetaGeeks Wi-
Spy is a relatively inexpensive USB-based Wi-Fi spectrumanalyzer that indicates the amplitude o signals across the
2.4GHz requency band. Figure 1 is a screenshot o the
Wi-Spy display with a microwave oven operating 10 eet
away.
Figure 1
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
7/14
6 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
4. Set conguration parameters properly.I youre deploying 802.11g networks, tune access points
to channels that avoid the requencies o potentialinterering signals. This might not always work, but its
worth a try. For example, as pointed out earlier in this
tutorial, microwave ovens generally oer intererence in
the upper portion o the 2.4GHz band. As a result, you
might be able to avoid microwave oven intererence by
tuning the access points near the microwave oven to
channel 1 or 6 instead o 11.
5. Deploy 5GHz wireless LANs.Most potential or RF intererence today is in the 2.4 GHz
band (i.e., 802.11b/g). I you nd that other intererenceavoidance techniques dont work well enough, then
consider deploying 802.11a or 802.11n networks. In
addition to avoiding RF intererence, youll also receive
much higher throughput.
The problem with RF intererence is that it will likely change
over time. For example, a neighbor may purchase a cord-
less phone and start using it requently, or the use o wire
less LANs in your area may increase. This means that the
resulting impacts o RF intererence may grow over time
or they may come and go. As a result, in addition to sus-
pecting RF intererence as the underlying problem or poo
perormance, investigate the potential or RF intererence
in a proactive manner.
Dont let RF intererence ruin your day. Keep a continua
close watch on the use o wireless devices that might cause
a hit on the perormance o your wireless LAN.
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
8/14
7 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
continued
ecuring a wireless network isnt a hard task.
The cheat sheet is relatively small. However,
the technical press continues to be fooded with
articles and blogs containing technical mistakes.
Take, or example, everyones trusted inormation source,
Consumer Reports magazine. Im a big an o the maga-zine, having subscribed to the hard copy edition or years.
But they seem out o their league when it comes to com-
puters.
On Aug. 6, 2009, a blog posting at
the magazines Web site suggest-
ed using WEP security or wireless
networks. This is very poor advice.
A week ater the posting, an edi-
tor corrected it to say they recom-
mend WPA security. This too, isnot the best option. Even ater
being shamed into a correction,
they still got it wrong.
Let me try to oer up just what
most people (and Consumer Re-
ports) need to know about secur-
ing a wireless network.
Starting at the BeginningTo begin with, there are our types o Wi-Fi networks (a, b,
g, and n). But the security is not tied to any one type.
I you can connect to a wireless network without entering
a password, then there is no security. In this context, the
term security reers to encrypting data as it travels over
the air. The idea being to prevent a bad guy rom captur-
ing all the inormation coming into and out o a victims
computer and, in eect, looking over their shoulder de-
spite being a ew hundred eet away.
Wi-Fi networks oer three security options: WEP, WPA
and WPA2. As a simplistic introduction, think o WEP as
bad, WPA as just ne, and WPA2 as great.
WEP is the oldest security option and it has been shown to
be very weak. It may be better than no security at all, bu
not by much. Dont use it. Other than Consumer Reportsmagazine, the last recommendation to use WEP was is-
sued in 2005.
WPA is technically a certication
not a security standard, but since
it includes only one security pro
tocol, TKIP, they are oten con
used. When people reer to WPA
security, they are really reerring
to the TKIP protocol.
The combination o WPA and TKIP
is not the best, but its reasonably
good. I you have a choice, you
should opt or the best security
(next topic), but i you dont have
a choice (more later) TKIP is rea
sonably strong.
WPA2 is also, technically, a certi
cation rather than a security standard. WPA2 includes two
security standards: TKIP and CCMP. I you are using TKIPit doesnt matter whether the router is WPA or WPA2. TKIP
is TKIP either way.
The best security option is CCMP and its only available in
WPA2. Here again, the security protocol is oten conused
with the certication. When people reer to WPA2 security
they are really reerring to CCMP.
How to Secure Your WLANBy Michael Horowitz
S
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
9/14
8 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
radio, or whatever other device you want to use with your
wireless network.
For example, Windows XP SP2 does not support WPA2
even i it has been kept up to date on patches. A hotx
(KB893357) needs to be installed to add WPA2 support to
Windows XP SP2.
A WPA2 router may oer both TKIP and AES simultane
ously. Start with AES only and hope or the best. Only
choose this option i you have to in order to support an
older device.
The AES-CCMP security protocol was a long time coming
Rather than wait, some hardware manuacturers added
early versions o the protocol to WPA routers. Since these
were based on drat, rather than nal versions o the pro-
tocol, they may or may not work with newer hardware and
sotware.
Still, i replacing an old WPA router is a big deal, I suppose
its worth a try.
Two Other Aspects of Security
WPA and WPA2 both come in two favors, Personal and En-terprise. In the Personal version there is a single password
in the Enterprise version each user o the wireless network
gets his or her own password. The Personal version is also
known as Pre-Shared Key, or PSK or short.
Technically, the best security or consumers and small busi-
nesses is WPA2-PSK-AES-CCMP. This entire alphabet soup
alls down, however, i you chose a poor password.
Data is still traveling over the air and can be captured and
saved by a bad guy who can then try to guess the pass-word ofine thousands o guesses a second or days on
end.
Perhaps no one will attack the network you connect to this
way, but i they do, the only deense is a long, reasonably
random password. WPA and WPA2 support passwords up
to 63 characters long. Better yet, think pass sentence
rather than password.
But no one reers to CCMP (dont ask what it stands or).
For whatever reason, the CCMP security protocol is re-
erred to, incorrectly, as AES. When you are conguring
a router, you need to rst select WPA2, then you need to
select AES (rather than TKIP) to get the best possible se-
curity and encryption.
WPA TKIP FlawsThe TKIP security protocol (oten reerred to as WPA) is
fawed. The rst faw came to light in November 2008, the
second one just recently. But neither faw is serious.
The rst faw can be deended against simply by disabling
Quality o Service (QoS) in your router. Very ew peoplemake use o QoS.
The second faw was described by security expert Steve
Gibson as mostly theoretical. For example, it requires that
the victims computer be out o radio reception range rom
the router. The bad guy has to connect to the router on
one side and the victim on the other side. The bad guy
has to be logically and physically positioned between the
victim and the router.
Neither faw lets the bad guy recover the password, andthey only support decrypting very small data packets.
None o these small packets will contain any o your data.
Its not the faws themselves that make WPA2-AES the best
option, but the act that they are cracks in the dam. Who
knows what will turn up next? There are no known faws
in WPA2-AES, which was developed last and built on and
improved the work in the earlier security protocols.
Problems Getting to WPA2Everyone who can should opt or WPA2-AES, but there
may be roadblocks.
WPA2-AES requires more computational horsepower than
WPA-TKIP. Older routers may not have sucient horse-
power. I your router does not oer WPA2, you can check
or a rmware update, but most likely youll have to buy
a new router to get the best security. Then too, since it is
the latest and greatest, WPA2-AES may not be supported
on the computer, smartphone, gaming machine, Internet
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
10/14
9 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
continued
ith a wireless network, you must consider se-
curity policies that will protect resources rom
unauthorized people. Lets take a look at what
you should include in a wireless network secu-
rity policy or an enterprise.
Consider the ollowing recommendations:
Activate 802.11 Encryption to Make DataUnintelligible to Unauthorized UsersAs mention earlier, WEP has weaknesses that make it in-
adequate or protecting networks
containing inormation extremely
valuable to others. There are some
good hackers out there who can
crack into a WEP-protected network
using reely-available tools. The
problem is that 802.11 doesnt sup-
port the dynamic exchange o WEP
keys, leaving the same key in use or
weeks, months, and years.
For encryption on enterprise net-
works, aim higher and choose WPA,
which is now part o the 802.11i
standard. Just keep in mind that
WPA (and WEP) only encrypts data
traversing the wireless link between
the client device and the access
point. That may be good enough i your wired network is
physically secured rom hackers. I not, such as when users
are accessing important inormation rom Wi-Fi hotspots,
youll need more protection.
Utilize IPSec-Based Virtual PrivateNetwork (VPN) Technology forEnd-to-End SecurityI users need access to sensitive applications rom Wi-F
hotspots, you should denitely utilize a VPN system to pro
vide sucient end-to-end encryption and access controlSome companies require VPNs or all wireless client devic
es, even when theyre connecting rom inside the secured
walls o the enterprise. A ull-throttle VPN solution such
as this oers good security, but it becomes costly and di
cult to manage when there are hundreds o wireless users
(mainly due to the need or VPN
servers). As a result, conside
implementing 802.11 encryp
tion when users are operating
inside the enterprise and VPNs
or the likely ewer users whoneed access rom hotspots.
Utilize 802.1X-BasedAuthenticationto Control Accessto Your NetworkThere are several favors o
802.1x port-based authentication systems. Choose one tha
meets the security requirements or your company. For ex
ample, EAP-TLS may be a wise choice i you have Micro
sot servers.
Twelve Key Wireless Network Security Policies
By Jim Geier
W
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
11/14
10 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
Establish the WirelessNetwork on a Separate VLAN
A rewall can then help keep hackers located on the VLANassociated with the wireless network rom having easy ac-
cess to corporate servers located on dierent, more se-
cured VLANs (i.e., not accessible rom the wireless net-
work). In this manner, the wireless network is similar to a
public network, except you can apply encryption and au-
thentication mechanisms to the wireless users.
Ensure Firmware is Up-to-Datein Client Cards and Access Points
Vendors oten implement patches to rmware that x se-
curity issues. On an ongoing basis, make it a habit to check
that all wireless devices have the most recent rmware re-
leases.
Ensure Only Authorized PeopleCan Reset the Access PointsSome access points will revert back to actory deault set-
tings (i.e., no security at all) when someone pushes the re-
set button on the access point. Weve done this when per-
orming penetration testing during security assessments
to prove that this makes the access point a ragile entrypoint or a hacker to extend their reach into the network.
As a result, provide adequate physical security or the ac-
cess point hardware. For example, dont place an access
point within easy reach. Instead, mount the access points
out o view above ceiling tiles. Some access points dont
have reset buttons and allow you to reset the access point
via an RS-232 cable through a console connection. To min-
imize risks o someone resetting the access point in this
manner, be sure to disable the console port when initially
conguring the access point.
Disable Access Points DuringNon-Usage PeriodsI possible, shut down the access points when users dont
need them. This limits the window o opportunity or a
hacker to use an access point to their advantage as a weak
interace to the rest o the network. To accomplish this,
you can simply pull the power plug on each access point;
however, you can also deploy power-over-Ethernet (PoE
equipment that provides this eature in a more practica
manner via centralized operational support tools.
Assign Strong Passwordsto Access PointsDont use deault passwords or access points because
they are also well known, making it easy or someone to
change conguration parameters on the access point to
their advantage. Be sure to alter these passwords periodi-
cally. Ensure passwords are encrypted beore being sent
over the network.
Dont Broadcast SSIDsI this eature is available, you can avoid having user devic
es automatically sni the SSID in use by the access point.
Most current computer operating systems and monitoring
tools will automatically sni the 802.11 beacon rames to
obtain the SSID.
With SSID broadcasting turned o, the access point wil
not include the SSID in the beacon rame, making most
SSID sning tools useless. This isnt a oolproo method
o hiding the SSID, however, because someone can stil
monitor 802.11 association rames (which always carry theSSID, even i SSID broadcasting is turned o) with a packet
tracer. At least shutting o the broadcast mechanism wil
limit access.
Reduce Propagation ofRadio Waves Outside the FacilityThrough the use o directional antennas, you can direct the
propagation o radio waves inside the acility and reduce
the spillage outside the perimeter. This not only opti-
mizes coverage, it also minimizes the ability or a hackelocated outside the controlled portion o the company
to eavesdrop on user signal transmissions and interace
with the corporate network through an access point. This
also reduces the ability or someone to jam the wireless
LAN a orm o denial-o-service attack rom outside
the perimeter o the acility. In addition, consider setting
access points near the edge o the building to lower trans-
mit power to reduce range outside the acility. This testing
should be part o the wireless site survey.
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
12/14
11 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
Implement Personal FirewallsI a hacker is able to associate with an access point, which
is extremely probable i there is no encryption or authen-tication congured, the hacker can easily access (via the
Windows operating system) les on other users devices
that are associated with an access point on the same wire-
less network. As a result, its crucial that all users disable
le sharing or all olders and utilize personal rewalls.
These rewalls are part o various operating systems, such
as Windows XP and Vista, and third-party applica-
tions as well.
Control the Deploymentof Wireless LANs
Ensure that all employees and organizations within thecompany coordinate the installation o wireless LANs with
the appropriate inormation systems group. Forbid the
use o unauthorized access points. Mandate the use o ap-
proved vendor products that youve had a chance to veriy
appropriate security saeguards. Maintain a list o autho-
rized radio NIC and access point MAC addresses that you
can use as the basis or identiying rogue access points.
With these recommendations in mind, you have a basis o
orming a solid security policy. When deciding on which
techniques to implement, however, be sure to consider ac
tual security needs.
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
13/14
12 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents
Deploying and Securing a Wireless LAN
ter installing a wireless LAN, you might nd
that it doesnt support applications as well as
you expected. Users may complain o erratic
connections and slow perormance, which
hampers the use and benets o applications. When this
happens, youll need to do some troubleshooting. Start by
nding the root cause o the problems.
The table below gives you some pointers on what to look
or, specically the characteristics o signal level, noise
level, and retry rate that relate to the root causes o poor
wireless LAN perormance.
RF InterferenceRF intererence occupies the air medium, which delays us-
ers rom sending/receiving data and causes collisions and
resulting retransmissions. The combination o high noise
levels and high retry rates generally indicates that RF inter-
erence is impacting your wireless LAN. You can use tools
such as AirMagnet Analyzer or NetStumbler to measure
noise. AirMagnet also has tools or testing retry rates, and
most access points store retry statistics that you can viewthrough the admin console.
I the noise level is above -85dBm in the band where users
are operating, then RF intererence has the potential to
hurt perormance. In this case, the retry rates o users will
be above 10 percent, which is when users start eeling the
eects. This can occur, or example, when wireless users
are in the same room as an operating microwave oven.
Once you diagnose the problem as being RF intererence
then gure out where its coming rom and eliminate thecause. I the symptoms only occur when the microwave
oven or cordless phone is operating, then try setting the
access point to a dierent channel. That sometimes elimi
nates the intererence.
Take a quick scan o other wireless LANs operating in you
area. I you see that others are set to the same channel as
yours, then change your network to non-conficting chan
nels. Keep in mind that there are only three channels (1, 6
and 11) in the 2.4GHz band that dont confict with each
other. Most homes and small oces will have their access
point set to channel 6 because thats the most common
actory deault channel. For this reason you may need to
avoid using channel 6 with the access points near the pe-
rimeter o your enterprise.
I you cant seem to reduce RF intererence to acceptable
levels, then try increasing RF signal strength in the aect-
ed areas. You can do this by increasing transmit power
Troubleshooting Poor WLAN PerformanceBy Jim Geier
A
Signal Level Noise Level Retry Rate
RF Intererence n/a High High
High Utilization n/a n/a High
Coverage Hole Low n/a High
Bad Access Point None n/a Not Connected
-
8/2/2019 I.com Deploying and Securing a Wireless LAN
14/14
Deploying and Securing a Wireless LAN
replacing deault antennas with units that have a higher
gain, or placing the access points closer to each other. This
increases the signal-to-noise ratio (SNR), which improves
perormance.
High UtilizationWhen there are large numbers o active wireless users, or
the users are operating high-end applications such as Wi-
Fi phones or downloading large les, the utilization o the
network may be reaching the maximum capacity o the
access point. With this condition, the retry rates will be
relatively high (greater than 10 percent), even i signal lev-
els are high and noise levels are low (i.e., high SNR). The
result is lower throughput per user due to the additionaloverhead necessary to retransmit data rames.
You can increase the capacity and resolve this problem
by placing access points closer together with lower trans-
mit power to create smaller radio cells. This micro-cell
approach reduces the number o users per access point,
which enables more capacity per user.
Another method or handling high utilization is to move
some o the applications to a dierent requency band.
For example, you might consider having Wi-Fi phones in-teracing with a 5GHz 802.11a network and data applica-
tions running over 2.4GHz 802.11b/g.
Coverage HolesAter installing a wireless LAN, changes may take place
inside the acility that alter RF signal propagation. For
example, a company may construct a wall, which oers
signicant attenuation that wasnt there beore. Worse,
perhaps an RF site survey was not done prior to install-
ing the network. These situations oten result in areas o
the acility having limited or no RF signal coverage, whichdecreases the perormance and disrupts the operation o
wireless applications.
Indications o a coverage hole include low signal level (less
than -75dBm) and high retry rates (greater than 10 per-
cent), regardless o noise levels. The signal in this situation
is so low that the receiver in the radio card has dicul-
ties recovering the data, which triggers retransmissions
excessive overhead, and low throughput. For instance, a
user will likely experience a 75 percent drop in throughput
when operating rom an area having low signal levels.
To counter coverage holes, you need to improve the signa
strength in the aected areas. Try increasing transmit pow
er, replacing the antennas with ones having higher gain,
or moving access points around to better cover the area
Keep coverage holes rom popping up unexpectedly in
the uture by perorming a periodic RF site survey, possibly
every ew months.
Bad Access PointIn some cases, the root cause o poor perormance may
be an access point that has ailed. Check applicable access
points or broken antennas, status lights indicating ault
conditions, and insucient electrical power. Try rebooting
the access points, which oten resolves rmware lockups
Make sure that the rmware is up to date, however, to mini
mize lockups in the uture.