Network Layer Security Features
The following network layer security features are often available on wireless routers.
IP Address Access Control Lists
Some wireless routers allow specific IP addresses to be included in an ACL. Addresses in
the list can either be denied or allowed network access.
Firewalls
Wireless routers sometimes contain firewall features. These features allow traffic to flow
outward from a local network to the Internet. Traffic flowing inward from the Internet to the
local network is filtered or blocked.
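The following Python is an added illustration of the two features just described (it is not from the book and models no particular router product): an IP address ACL that denies or allows listed addresses, and a firewall policy that lets traffic flow outward from the local network and admits inbound traffic only when it is a reply to a flow the local network initiated. The LAN prefix and the packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed local network for the demonstration (not from the book).
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class RouterFilter:
    """IP address ACL plus an outbound-only (stateful) firewall policy.

    acl_deny / acl_allow hold networks; acl_default_deny decides the fate of an
    address that matches neither list.  flows remembers outbound connections so
    that only their replies are let back in from the Internet.
    """

    def __init__(self, acl_deny=(), acl_allow=(), acl_default_deny=False):
        self.acl_deny = [ipaddress.ip_network(n) for n in acl_deny]
        self.acl_allow = [ipaddress.ip_network(n) for n in acl_allow]
        self.acl_default_deny = acl_default_deny
        self.flows = set()  # (lan_host, lan_port, remote_host, remote_port, proto)

    def acl_permits(self, addr):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.acl_deny):
            return False
        if any(ip in net for net in self.acl_allow):
            return True
        return not self.acl_default_deny

    def handle(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in LAN and dst not in LAN:  # outbound: LAN -> Internet
            if not self.acl_permits(pkt.dst):
                return "deny: destination on ACL"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow: outbound"
        if dst in LAN and src not in LAN:  # inbound: Internet -> LAN
            if not self.acl_permits(pkt.src):
                return "deny: source on ACL"
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "allow: reply to established outbound flow"
            return "deny: unsolicited inbound"
        return "pass: does not cross the LAN boundary"


def run_demo():
    """Feed constructed packets through a filter that denies one external prefix."""
    fw = RouterFilter(acl_deny=["198.51.100.0/24"])
    packets = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 443),   # LAN host opens HTTPS outward
        Packet("203.0.113.5", 443, "192.168.1.10", 40000),   # the server's reply
        Packet("192.0.2.9", 5555, "192.168.1.10", 22),       # unsolicited inbound to SSH
        Packet("192.168.1.10", 40001, "198.51.100.7", 80),   # destination the ACL denies
        Packet("203.0.113.5", 443, "192.168.1.20", 40000),   # inbound with no matching flow
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The flow table is keyed on both address/port pairs, so a reply aimed at a different local host (the last packet) is still rejected even though the remote end is one the LAN has talked to; a real router's connection tracking also ages entries out and handles UDP and ICMP, which this model omits.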
Virtual Private Networks
Virtual private network (VPN) features include IP Security (IPSec) encryption capabilities
and tunneling capabilities, such as the Point-to-Point Tunneling Protocol (PPTP).
APPLICATION LAYER FEATURES
Application layer features play a significant role in the network design, configuration,
management, monitoring, and security of your wireless network.
Network Design
Many factors of network design, including terrain, distance, buildings, trees, and the
presence of other networks, influence the design of your network. Sometimes, relatively
expensive tools (such as spectrum analyzers) are needed to assist during the network design
process. Sometimes, however, inexpensive tools are available to help you with network
design.
Some wireless LAN equipment vendors include site survey utility software along with their
wireless equipment. These usually display signal strength, noise level, signal-to-noise ratio
(SNR), and signal quality information. Although these utilities are often designed for
indoor use, they are useful to show you how well a signal from your AP is being received
at different locations within your desired outdoor coverage area. These utilities are also
useful for antenna alignment. Sometimes, low-cost (or free) hardware-specific utilities are
available that function like a low-cost spectrum analyzer. Although these low-cost utilities
do not have the full range of regular spectrum analyzer features, they do cover the entire
2.4-GHz band and show which channels are in use by other networks.
Network Management
Network management system (NMS) capabilities vary widely between different models of
wireless equipment. Look for some of the following features:
Access method Methods used to access the NMS include serial port access, telnet
access, generic Windows browser access, and proprietary Windows-based software.
Generic browser access is probably the easiest method to use.
Wireless link statistics An NMS that provides statistics for each individual
wireless link in a point-to-multipoint system is important to allow effective network
monitoring. At a minimum, the following statistics should be available for each end
user link and each AP: signal strength, noise level, and percentage of packets that need
to be retransmitted.
Graphical usage statistics Make network management easier. You can identify
light or heavy traffic patterns, perform usage-based billing based on either IP or MAC
address, and see when bandwidth usage peaks.
Simple Network Management Protocol (SNMP) SNMP-based NMSs are fairly
standard today. Some wireless equipment uses proprietary management software;
however, many third-party management programs can manage SNMP-based systems.
Antenna-alignment utilities Generate wireless link traffic and allow the system
administrator to see real-time statistics while turning the antenna to receive the
highest signal.
Flood ping capability Floods a network with ping packet traffic. This test allows
the system administrator to test the wireless link while simulating a traffic load.
Application Layer Security Features
The capability to interface with Remote Authentication Dial-In User Service (RADIUS)
servers is possibly the most important Layer 7 security feature for wireless equipment.
MAJOR NETWORK FEATURES DECISIONS
Your network feature decisions have a major impact on the equipment that you choose to
purchase and on the success and profitability of your wireless WAN. The following sections
describe those decisions.
Market Versus Equipment Cost
The market that you choose to serve (commercial, residential, or some mixture of the
two) largely determines the price range for the wireless equipment that you purchase,
install, and resell. If you serve primarily residential users, you need to purchase lower-cost
equipment. If you provide higher-value service by providing more bandwidth and additional
value-added services to businesses, you can select higher-cost equipment with a larger
feature set.
802.11b Compatibility Yes or No?
If you choose to use 802.11b equipment for your wireless WAN, you gain some significant
advantages and, at the same time, you face several disadvantages. The following sections
discuss these advantages and disadvantages.
Advantages of 802.11b Compatibility
The advantages of using 802.11b equipment include the following:
Cost 802.11b equipment is available at the lowest cost of any wireless equipment.
Availability 802.11b equipment is widely available.
NOTE: At the time of this writing, 802.11a equipment that is operating in the 5-GHz U-NII bands
(with bandwidths up to 54 Mbps) is beginning to become available. This equipment is
currently designed for use in indoor LANs and not in outdoor WANs. Further product
development might make outdoor versions available in the future.
Disadvantages of 802.11b Compatibility
The disadvantages of using 802.11b equipment outdoors include the following:
Security Although newer security mechanisms are being developed to supplement
the current wired equivalent privacy (WEP) security, there is a somewhat greater
chance of security being compromised because many people are familiar with
802.11b technology and more hacking tools are available.
Interference As more 802.11b APs are deployed, spectrum congestion and
interference between wireless networks become more of an issue.
Support Most 802.11b equipment sold today is designed for low-cost in-home use.
The level of vendor support for this equipment is likely to be low, especially when the
equipment is used in an outdoor WAN environment. Vendors focus on supporting the
equipment in its intended (indoor LAN) use and not in the outdoor WAN environment.
Bridged Versus Routed WANs
Every wireless WAN is interconnected with a wired network that includes routing. During
the design phase of your wireless WAN, you need to determine how your WAN will interoperate
with your wired network. Based on your determinations, you will select wireless
equipment that either performs bridging only or that performs both bridging and routing.
The following questions can help you decide whether to purchase wireless equipment with
built-in routing or whether to use external routers (or perhaps, no routers):
IP-based network services What advanced IP-based network services are already
provided in your existing wired network? What IP-based network services will you
need to provide immediately over your wireless network when it is first placed into
service? What additional IP-based services (such as voice-over-IP) will you want to
offer later to your wireless network users?
Edge routing Relative to your existing core routers, where do you need edge
routing? If edge routing is (or will soon be) needed, is it better to select wireless
equipment that includes this routing functionality initially, or is it better to select
wireless bridges and add external routers later between a customer’s wireless bridge
and their LAN?
Multiple wireless backbone links If you anticipate using multiple wireless
backbone links to provide extended wireless area coverage, you are more likely to
deploy routing within the wireless backbone. You might decide that selecting wireless
equipment with built-in routing is more practical or economical than using external
routers.
Backbone Feature Decisions
Your backbone supplies the bandwidth that your APs distribute wirelessly to your end
users. The following sections describe some key decisions that you will make as you select
backbone equipment.
Backbone Capacity
Your first backbone decision is to determine how much throughput you need. This
throughput decision is affected by the following factors:
Market needs How much throughput do your markets require? A backbone link
that serves businesses located in several cities needs to provide more throughput than
a link that serves only one or two small residential areas.
Number of users The number of wireless end users and the nature of their needs
determine the amount of throughput that your backbone needs to provide.
Simplex versus duplex backbone Backbone equipment can be either simplex or
duplex. A duplex backbone can provide up to 50 percent more throughput than a
simplex backbone. Duplex backbone costs are generally higher because a duplex link
contains two complete transmitting systems and two complete receiving systems.
Overselling ratio Internet usage is bursty. Most Internet users use bandwidth
intermittently; therefore, ISPs can oversell bandwidth knowing that not all users will
be on all the time. The number of times that you resell the same bandwidth (your
overselling ratio) affects the amount of backbone bandwidth that you need. Your ISP
experience combined with your observation of the usage patterns on your network
help you determine your best overselling ratio and your backbone bandwidth needs.
Wired Versus Wireless Backbone
If economical wired backbone connectivity is available at your wireless AP location, it
makes sense for you to use that wired connectivity. If wired backbone connectivity is not
available or if the cost is too high, a wireless distribution system is the logical choice.
License-Free Versus Licensed Backbone
After you choose to use a wireless backbone, it is important for you to evaluate and
compare the cost and the bandwidth of licensed wireless backbone equipment with the cost
and the bandwidth of license-free wireless backbone equipment.
The advantages of using a license-free wireless backbone are
Cost The cost is generally lower.
Availability Equipment is generally available more rapidly.
Licensing There is no licensing cost, licensing paperwork, or licensing delay.
The disadvantage of using a license-free wireless backbone is that interference from other
license-free networks is a possibility, and it is your responsibility to ensure that license-free
equipment does not interfere with licensed equipment.
Given these advantages and disadvantages, it makes sense to use a license-free wireless
backbone if you are reasonably certain that interference levels (both from other networks
and from your own network) will remain reasonably low.
Dedicated Versus Shared Backbone Bandwidth
Wireless backbone links can be either of the following:
Dedicated to providing only backbone bandwidth.
Shared between backbone bandwidth and last-mile bandwidth. Examples of shared
bandwidth include mesh networks and 802.11b repeaters that both connect end users
and provide backbone connectivity for other APs.
Heavy bandwidth demands at one AP can cause slow performance at other APs. If possible,
try to avoid sharing wireless link bandwidth between backbone use and last-mile access
use. If you choose to share backbone bandwidth, you might find it necessary to use
additional routers throughout the backbone to allocate and manage the bandwidth demands.
AP Feature Decisions
The list that follows describes some of the key decisions that you need to make as you select
your AP equipment:
Frequency band Your choice of frequency band is probably the most important
equipment decision that you will make. The difference in wireless propagation
characteristics and interference levels between the license-free bands means that a
poor decision here might result in an unusable network. Before making this decision,
you should review the propagation characteristics of each band (discussed earlier in
this chapter). You should also perform a wireless site survey (see Chapter 4,
"Performing Site Surveys") to determine potential interference levels on a frequency
band before you select equipment for that band. The information in Chapter 8 can help
you if you find high levels of interference.
NLOS environment If you are considering buying equipment that operates in an
NLOS environment, you need to either rule out or verify the range claims that the
equipment manufacturer has made. You can do this by visiting an ISP that has the
equipment deployed in an NLOS environment that is similar (such as the same density
of trees and the same type of obstructions) to yours.
Modulation type Your choice of modulation type (DSSS, FHSS, or proprietary) is
an important factor in the ultimate success of your network. Choose a modulation type
that is compatible with the level and the type of interference in your coverage area.
802.11b or proprietary Every organization needs to match its budget to its
mission. If your budget is modest, the lowest-cost indoor 802.11b equipment might
be your only choice. A somewhat larger budget allows you to choose higher-cost
802.11b equipment with expanded feature and management capabilities. An even
larger budget allows you to choose from the full range of wireless equipment.
Hot spot use 802.11b APs deployed for hot spot use should be 802.1x-capable to
implement improved security and to interface to external authentication and
accounting servers.
End user polling Some APs implement end user polling as an option to the 802.11b
CSMA/CA and RTS/CTS collision-avoidance mechanisms. If you plan to serve more
than about 25 busy end users from one AP, polling increases your network reliability
and performance.
Bandwidth management A few APs contain a bandwidth management capability
that allows you to set bandwidth for each end user link. If the AP that you choose does
not include this feature, consider adding this capability with an external bandwidth
manager.
Support Vendor support is important when your wireless customers are looking to
you to provide reliable Internet service. Talk with other wireless network operators to
assess the availability of driver and firmware upgrades, as well as the response time
and quality of support from their equipment vendors.
CPE Feature Decisions
Price is often the top consideration in the selection of CPE. The competition between
broadband DSL and cable Internet access providers has driven the cost of broadband
service down. It can be difficult for broadband wireless companies to compete at these low
price points. For this reason, wireless providers constantly seek to lower the cost of CPE.
Business users usually understand that they need to pay for value received; in contrast,
residential users often seek to pay little (or nothing) for their CPE. Try not to cut too many
corners in seeking and deploying low-cost CPE. Although cost is important, it is more
important to deploy reliable, supportable, and manageable networks. The following
discussion can help you make these cost-benefit decisions:
Wireless card versus external radio-based CPE Traditionally, license-free
broadband wireless equipment is mounted indoors with a coaxial cable running to the
outdoor antenna. In the drive to minimize CPE costs, wireless ISPs often choose to
install wireless network interface cards (NICs) in their customers’ computers, rather
than purchase full-size (and higher priced) wireless bridges or routers. If you choose
to deploy NICs in customer computers as CPE, recognize that some customers might
expect you to provide no-cost PC support indefinitely, and this can be a costly
situation for you. Also, be aware that the software tools needed to adequately monitor
the quality of the customers’ connection might not be available. This, too, can increase
your customer support costs and raise your costs above the level where you can make
a reasonable profit.
Separate versus integrated radio and antenna An alternative to the traditional
wireless model is the integrated radio and antenna model. To reduce CPE costs and
installation costs, wireless ISPs are now using (wherever possible) integrated radio
and antenna equipment. These integrated units combine the radio and the antenna into
one plastic or fiberglass enclosure that is mounted outdoors in a location with an LOS
path to the AP. The integrated unit connects to the end user PC or network through
either an Ethernet cable or, in a few cases, through a universal serial bus (USB)
connection. The wireless performance is better because there is no coaxial cable loss
between the antenna and the radio.
Split radio architecture There is one additional equipment configuration for you
to evaluate: the split architecture. Split architecture actually divides the wireless unit
into two physical pieces: an indoor section and an outdoor section. The indoor section
contains the lower-power, lower-frequency circuits. The outdoor section contains the
higher-power, higher-frequency circuits and mounts just below the antenna. Split
architecture provides the benefits of the integrated radio and antenna architecture but
also allows a greater choice of antennas because the antenna and radio are not built
into one unit. Split architecture is often the most expensive configuration; however, it
might be the best in terms of both performance and flexibility.
Wireless Network Card Decisions
If you decide to deploy wireless 802.11b cards as the customer CPE or if wireless cards
plug into the AP that you are using, you must evaluate the following wireless card characteristics:
Transmitter Outlined earlier in this chapter; wireless cards share these same
characteristics. The key characteristic is transmitter power output. The ideal
transmitter would have a power output of 100 to 200 mW with a software-configurable
power level.
Receiver characteristics Also outlined earlier, the better the receiver sensitivity
(when combined with good selectivity), the better your wireless system performance
will be.
External antenna connector An antenna is the key element in any wireless system.
A wireless card needs to have a connector that allows an external antenna to be
attached.
Form factor The most frequently used wireless card form factor is PCMCIA;
however, other form factors are sometimes used. These other form factors include
industry-standard architecture (ISA), peripheral component interconnect (PCI), and
Compact Flash (CF).
Mesh Network Feature Decisions
You can evaluate mesh network equipment using the same considerations that you do for
all other wireless equipment. Keep the following differences in mind, however:
Network deployment process Deploying a mesh network is different from deploying
a point-to-multipoint network. Every mesh network node serves as a repeater and
relay point for other network nodes. Nodes that are located farther away from the
Internet connection must be relayed through closer network nodes. Before distant
nodes can be deployed, nodes must be deployed closer to the Internet node. To provide
coverage to an entire geographical area, the area must be seeded. Some nodes must be
installed initially even if no end user is available to pay for the cost of the node.
Bandwidth and throughput limitations Mesh networks share backbone
bandwidth with last mile bandwidth, which can reduce the amount of bandwidth to
each end user. Be sure to factor this throughput limitation into your evaluation process
and into your business plans.
Maximum hop limitations The multihop nature of mesh networks increases network
latency and reduces network throughput. You will be limited to a maximum number
of hops, so be sure to factor this limitation into your business plan.
Operating temperature range All wireless equipment is designed to operate
correctly between certain specified temperatures. Indoor equipment is designed to
operate within a narrower temperature range than outdoor equipment. If you choose
to use indoor equipment outdoors, be sure to provide cooling for it in the summer. In
severe winter climates, it might also be necessary to add a heat source to keep the
equipment warm.
Radio frequency (RF) immunity Many models of broadband wireless equipment
are not designed to be used in a high-level RF environment. For example, locating a
wireless LAN AP designed for home use in the equipment vault of a mountaintop
transmitter site can lead to operating failures. The high-power transmitter energy can
either come down the antenna cable and overload the AP receiver, or the energy can
pass through the plastic case of the AP and disrupt the AP operation. If you plan to
deploy equipment like this, plan to use an external bandpass filter in the antenna
system. Also plan to mount the AP in a shielded and grounded metal equipment case.
As an alternative, you can select equipment designed for high-RF environments. This
equipment is usually designed for mounting in a standard 19-inch metal equipment
rack.
Wireless Amplifier Feature Decisions
Wireless network operators often add external bidirectional amplifiers to their wireless
systems. External means that the amplifier is external to the wireless equipment. Bidirectional
amplifiers actually contain two amplifiers: one to amplify the transmitter signal and
one to amplify the incoming received signals.
In the United States, FCC regulations require that external power amplifiers be marketed
and sold only as part of a complete legally certified radio-cable-amplifier-antenna combination.
The purpose of this regulation is to minimize the use of illegal overpowered
equipment. Excess transmitter power raises the noise level, increases interference, and
makes it harder for other, legal networks to operate correctly. Unfortunately, some wireless
WAN operators ignore this regulation and intentionally use external power amplifiers in
violation of FCC regulations. This behavior can result in heavy fines and equipment confiscation
and also decreases the usability of the license-free bands for everyone.
NOTE: Illegal amplifier use is not the answer to making your WAN operate over longer distances.
Often, a power amplifier actually decreases the receiving range of your WAN. In addition,
using illegally high transmitter power causes substantial interference to other network
operators who are operating legally. Finally, if illegal amplifier use increases, the FCC
might be forced to step in with new, more restrictive regulations that could reduce license-free
operating privileges for everyone. Resist the urge to amplify. Proper wireless network
design and proper antenna system design provide you with the best network performance.
The following sections explain how external amplifiers work and how to use these amplifiers properly.
Transmit Amplification
On transmit, an external amplifier increases the transmitter power that reaches the antenna.
This is useful when the power output of the transmitter is low and the cable length between
the wireless equipment and the antenna system is long. Without an amplifier placed at the
antenna, the high cable loss results in little signal reaching the antenna.
Here is an example of the correct way to use an amplifier. Start with a transmitter that has
an output of 50 mW (+17 dBm). If the antenna cable has a loss of –14 dBm, the power
reaching the antenna system is (+17 dBm – 14 dBm) = 3 dBm (2 mW). This is a low level
of transmit power. If an amplifier with +14 dB of gain is added at the antenna, the +3 dBm
that reaches the amplifier is amplified by +14 dB, resulting in a total of (3 dBm + 14 dB)
+17 dBm (50 mW) reaching the antenna. The amplifier has added back the power that was
lost in the antenna cable.
Receiver Amplification
On receive, an external amplifier mounted at the antenna performs two functions:
It helps to overcome the signal loss that occurs in the antenna cable.
It sets the SNR of the receiving system.
These two functions can lead to a small improvement in receiver performance if the
amplifier has a good, low-noise design. In addition, a properly designed antenna should be
used with the amplifier. If the antenna system design is poor, the amplifier can actually
reduce the receiving range of the system.
Up/Down Converters
Up/down converters translate wireless signals from one frequency band to another. If the
2.4-GHz band is crowded in your area and the 5.8-GHz band is less crowded, you might
want to use a 2.4-to-5.8 converter. Here is how this works. Each AP and end user station is
equipped with a converter. Then, the following occurs:
During transmit, each 2.4-GHz transmit signal is upconverted (translated up in
frequency) to the 5.8-GHz band.
During receive, the 5.8-GHz signal from the other station is downconverted to the
2.4-GHz band.
Using lower-cost 2.4-GHz equipment, communication actually takes place on the less
crowded 5.8-GHz band. The advantage of this approach is that it usually costs less than
buying more expensive equipment for 5.8 GHz. The disadvantage of this approach is that
only a few manufacturers supply frequency converters, so your choice is limited.
Converters need to be mounted at the antenna.
Compatibility Issues
Several compatibility issues can reduce the reliability of your network and consume
troubleshooting time. If you are deploying an 802.11b network, never assume that different
brands of wireless cards and wireless APs will work reliably together. Even hardware that
is wireless fidelity (WiFi)-certified sometimes has firmware, software, operating system,
and feature differences that can result in certain equipment combinations that do not work
together. In most cases, equipment manufacturers do not cause these issues intentionally.
There have, however, been a few instances in which large equipment vendors have intentionally
created incompatibilities to boost the sales of their equipment and hinder the sale
of lower-cost competitive equipment.
Watch for the following incompatibility issues:
Operating system software New features might not work with older software
versions, or older features might not work in newer software versions. This situation
can require that you upgrade all your wireless equipment software simultaneously.
NIC firmware Upgrades might have features that do not work even though they did
work in earlier versions. NIC firmware might work when matched with older versions
of AP software but not with upgraded AP software versions.
MAC incompatibilities Different brands of equipment that should work together
do not work together or some of the features do not work.
NIC drivers Drivers might not be available for your OS or, if available, they might
not be upgraded to work with newer versions of your OS.
USB There might be incompatibilities between wireless USB devices and certain
PC operating systems.
Network management Network management software and diagnostics software
can be unavailable or can be limited in their capability to manage mixed-equipment
networks.
Timing Equipment that has timing designed for indoor (several hundred foot)
distances might not work outdoors at longer (several mile) distances.
Here are some of the things that you can do to minimize the loss of time and money caused
by these incompatibilities:
Standardize As much as possible, standardize on one brand of equipment for your
APs and your CPE. Minimize the mixing and matching of different wireless equipment
brands that talk to the same AP. Using a different brand of equipment is fine for
wireless backhaul links; however, the fewer types of AP/CPE equipment that you use,
the more efficiently you will be able to support that equipment and the more reliable
your service will be.
Test time Be sure to plan for enough test time between the time that you build an
AP and the time that you begin service from that AP. The more dissimilar your
equipment, the more test time you need.
Wireless Support Issues
The quality of support from wireless vendors varies widely and ranges from excellent to
none. In addition, technology changes rapidly; new software, new hardware, new firmware,
and new drivers constantly become available. To maximize your chances of receiving
effective support, do the following:
Research During your equipment research process, be sure to visit other organizations
that have deployed the equipment you are considering. Ask the organizations to
comment about the quality of vendor support they are receiving, including warranty
support.
Realistic approach There still is no free lunch. Be realistic with your support
expectations. You deserve to be notified by your vendor when equipment problems are
discovered. You should rightfully expect that your vendor would not discontinue
support for equipment that you have purchased; however, after your warranty period
has expired, it is not unreasonable for a vendor to charge for software upgrades or new
and improved hardware. Expect to pay a reasonable amount to receive a high level of
continuing vendor support. You need your equipment vendor to make a profit so that
it will continue to be there when you need it.
Support groups A number of online support groups are available for specific
brands of wireless equipment. Find a discussion group for your equipment and join it,
if possible, even before you purchase your equipment. You, your end users, and the
entire industry will benefit from this helpful and friendly sharing of information.
REVIEW QUESTIONS
Why is it important to visit an actual deployment site before you purchase wireless
equipment?
The electromagnetic waves that we call wireless exist at what layer of the seven-layer
OSI reference model?
How is a packet like a hamburger sandwich?
Why does a wireless network need a big MAC?
Wireless bandwidth and wireless throughput are the same thing. True or false?
The communications range under NLOS conditions is about the same as the
communications range under LOS conditions. True or false?
DSSS equipment hops from frequency to frequency. True or false?
Other things being equal, the higher the data rate, the shorter the communications
distance. True or false?
If you start receiving interference from another network, the best thing to do is to get
an amplifier. True or false?
Any 802.11b equipment works with any other 802.11b equipment. True or false?