tgif wireless

Upload: supreth

Post on 10-Apr-2018

  • 8/8/2019 TGIF Wireless

    1/20

    Wireless Networking

    TGIF, April 18th, 2003

    Alvin Chew ([email protected]), Kent Reuber ([email protected])

    Outline

    Wireless technology overview

    ITSS Wireless Net

    Department wireless nets

    Home wireless nets

    Questions

    Wireless Technology Overview

    Why Wireless?

    (+) No wires. Convenient and flexible. But:

    (-) Relatively slow speeds, typically 5 Mbps with 802.11b. Nowhere near the 100 Mbps of a typical wired connection.

    (-) Wireless access points are hubs, not switches. Bandwidth is shared among wireless users. Think of it as phone party lines.

    (-) Data is freely available in the air. Traffic is easily sniffed.

    Data is not encrypted unless the protocol is encrypted (e.g., SSL and Kerberos).

    Stanford does not use WEP, because it can be cracked.

    Wireless Terms

    Access Point (or AP): device that sends and receives wireless signals.

    Usually directly connected to the wired net.

    ITSS uses Cisco Aironet 350 APs.

    SSID: the network name that Access Points broadcast.

    ITSS uses "Stanford".

    Departments and home users may want to use other names.

    Users can roam between access points with the same SSID.

    Channel: radio frequency used by APs.

    APs near one another should use different channels to minimize noise.

    802.11b: Channels 1, 6, and 11 don't overlap. Channels 1, 4, 8, and 11 have only a little bit of overlap.

    Wireless Alphabet Soup

    802.11b:

    Most common wireless protocol. Uses 2.4GHz frequency, with 11 Mbps bandwidth (5 Mbps is more typical). ITSS wireless net and most other campus wireless is based on this.

    802.11a:

    Uses 5.5GHz range, 54 Mbps bandwidth (~20 Mbps is typical performance). Produces too much radio power to be certified in medical areas. Unlikely to become a standard at Stanford.

    802.11g:

    Uses 2.4GHz band and is compatible with 802.11b. Also 54 Mbps bandwidth (~20 Mbps typical). An emerging standard, but likely to grow in the future.

    ITSS Wireless Net

    ITSS Wireless Net Overview

    Coverage map at http://wirelessnet.stanford.edu

    Wireless net uses a separate physical and logical network. (Separate switches, fiber, and address space.)

    Prevents layer 2 attacks (e.g., broadcasts, IP/MAC spoofing) on wired net

    Prevents wired broadcasts/multicasts from saturating wireless bandwidth

    Don't have to dedicate department roaming IPs for wireless users

    You still have to register wireless cards in NetDB.

    provide the hardware address of the wireless card

    enable DHCP and roaming.

    Wireless card recommendations

    Recommend Cisco and Apple cards which are available at the Bookstore.

    Any WiFi certified card should work.

    ITSS Wireless Net Security

    Wireless networks are inherently insecure

    Even with encryption, the data between client and APs are available for anyone to capture.

    Most corporate wireless nets lie outside of firewalls.

    ITSS Wireless doesn't use WEP

    Consumes client resources

    Well-known security vulnerabilities

    Other methods of wireless encryption are vendor-specific.

    Stanford uses wireless authentication to protect campus resources.

    ITSS Wireless Net Authentication

    Protects the institution, not the user

    S/ident integration

    If you have PC/Mac-Leland, you're all set.

    First net activity should bring up PC/Mac-Leland automatically

    Web-based authentication backup

    First web page you get is the authentication page

    Automatically redirects you to your requested page after login

    Future Guest Login feature

    Any SUNet ID user will be able to sponsor a guest wireless account

    Department Wireless

    My Department Wants Wireless!

    Net-to-jack clients are eligible for 1 AP for every 16 wired ports.

    Wireless net-to-jack: For non-net-to-jack clients, ITSS will do a survey, install, monitor, maintain, and upgrade your wireless network. Price is $31/month per AP.

    Or.

    Do-It-Yourself Options

    Option 1: ITSS can place a wireless entrance switch in your building that carries the ITSS Wireless net.

    Option 2: Departments can put their wireless devices on their existing building net.

    Both options require departments to purchase APs and switches. ITSS can recommend equipment, but departments will need to do their own survey and place access points.

    Department Wireless Setup

    ITSS Wireless net always uses "Stanford" as the SSID.

    APs plugged into the building net shouldn't use "Stanford".

    This has caused problems when users roam between access points.

    Putting the department/group/lab name as the SSID makes it clear to users who to call in case of trouble.

    Recommended Cards and APs

    802.11b cards:

    Apple Airport card, Cisco Aironet 350 PC Card

    In principle, any card that adheres to the WiFi certification should work.

    Access Points:

    Cisco Aironet 350 APs for departments.

    Home Wireless Nets

    Keeping Your Neighbors Out

    The range of wireless means that it's very possible that your neighbors can use your wireless net too. And see all your traffic.

    Precautions:

    Most APs have MAC address filters so that only specific cards can associate. This is the most important thing to enable!

    Most APs can also be set to not broadcast the SSID (e.g., Apple Airports call this "Create a closed network"). That way, people have to know the name of your network in order to join.

    Definitely want to use encrypted protocols whenever possible.

    If available, consider turning down the power of your AP to restrict the range.

    Setup 1: Stanford DSL and Stanford West

    In both cases, you can request multiple IP addresses for home machines. You don't need a DSL router.

    We suggest that you purchase access points that do bridging, where traffic is simply forwarded between the wired and wireless sides of the access point without alteration. Examples: Cisco Aironet 350, Linksys WAP11, Apple Airport.

    We've seen a number of people on the campus or Stanford West who have installed Airport base stations with DHCP enabled on the Ethernet side, disrupting DHCP service. Breaks DHCP for other users.

    We shut down their connections
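
An added example, not part of the original slides: one way a network operator could spot the stray DHCP servers described above is to parse captured DHCP replies and flag any OFFER or ACK whose server identifier is not an authorized server. The addresses, the `build_reply` helper and the sample packets are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the options field (RFC 2131)
BOOTREPLY = 2                        # op code for server-to-client messages
OFFER, ACK = 2, 5                    # option 53 values sent by servers (RFC 2132)

def parse_dhcp(packet: bytes) -> dict:
    """Extract op, message type (option 53) and server identifier (option 54)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info = {"op": packet[0], "msg_type": None, "server_id": None}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def is_rogue(packet: bytes, authorized: set) -> bool:
    """True for a server reply (OFFER/ACK) that no authorized server sent."""
    info = parse_dhcp(packet)
    return (info["op"] == BOOTREPLY
            and info["msg_type"] in (OFFER, ACK)
            and info["server_id"] not in authorized)

def build_reply(msg_type: int, server_ip: str) -> bytes:
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    header = struct.pack("!BBBB", BOOTREPLY, 1, 6, 0) + bytes(232)
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + options

AUTHORIZED = {"192.0.2.1"}           # constructed address of the real DHCP server
```

Feed `is_rogue` the UDP payload of traffic sent from port 67; a hit gives the server identifier to trace back to a switch port.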

    Setup 2: Non-Stanford DSL or Cable Modem

    In many cases, you only get one IP address.

    Network Address Translation (NAT -- often provided by DSL/wireless routers) can be used to hide a network behind a single IP address:

    Some wireless units do this by default. E.g., Apple Airport.

    Note that NAT disrupts some Stanford services, especially WebAuth.

    Also interferes with some VPN setups.

    Questions???