Wi-Fi guide

A practical guide to deploying wireless Ethernet.

By John Cox
Network World, 03/25/02

Wi-Fi wireless LANs are deceptively easy to install. In fact, you might already have some.

"Users are installing these on their own," says Guy Denton, executive principal with IBM's Global Center of Competency. "We do security audits and find numerous wireless access points that the company knows nothing about."

The simplicity, however, masks an array of critical issues. "We often get called into projects after the fact," when clients run into unexpected problems, says Joe Musgrave, vice president with Signa Services, a wireless LAN consulting company in Erlanger, Ky. Users who aren't getting the bandwidth they expected, for example, might add more access points only to see bandwidth plummet.

Rolling out Wi-Fi LANs - products that meet interoperability tests spelled out by the Wireless Ethernet Compatibility Association - requires careful planning, a thorough security analysis, in-depth network design, and knowledge of products and evolving standards.

Easy? Well, not if you want to do it right.

Initial requirements

Presuming there is a call to add wireless support - workers that want to bring laptops to conference rooms, the cafeteria or other offices, for example - a good place to start is your local wired network, says E.J. von Schaumburg, CEO of InvisiNet, a wireless LAN installer. By examining your wired network you will see traffic patterns and bandwidth demand typical of the user population. After all, the wireless network will be an extension of the existing network.

Based on this review, you can start to estimate what throughput, coverage and security you'll need for a given set of applications, Musgrave says.

These considerations, in turn, guide planners through the process of evaluating different wireless interface cards and access points.

The expertise to handle such evaluations varies widely. At BMW Group, which has 200 802.11b Wi-Fi access points at plants in Munich, the IT staff handles the process with help from equipment vendors and some outside support staff, says Daniel Lange, IT strategist with BMW.

Currently, the decision to go wireless, he says, is made on a case-by-case basis, weighing business needs at a given site against criteria such as security and costs. Later this year BMW will formalize a process that will help business users evaluate the need for wireless before they formulate their IT requests, Lange says. In particular, the process will help users assess the emerging 802.11a technology, which supports a maximum speed of 54M bit/sec.

To help users through the Wi-Fi needs assessment phase, Signa has created a seven-page preproject information sheet covering details such as the size of the facility, building construction materials and number of users. "We often hear from IT managers, 'I never thought about those things,'" Musgrave says.

One thing often overlooked is that wireless LANs require wiring: Wired Ethernet jacks may have to be installed so access points can be attached to the corporate LAN. And electrical power outlets may be needed for the access points, though some vendors offer the option of powering the access devices over Category 5 cable.

Wireless everywhere?

While wireless offers obvious utility in warehouses and other wide open spaces, there is disagreement about whether wireless LANs are suitable for general office environments.

At BMW, such deployments are discouraged because of the limited 802.11b bandwidth, about 5M to 6M bit/sec, and because of security concerns. "We do not consider 802.11b to be a drop-in replacement for wired infrastructure," Lange says. Some corporations limit wireless to conference rooms or other semipublic areas, relying on the wired net for day-to-day use.

But Federal Express is deploying wireless throughout two campuses at headquarters in Memphis, treating it as an extension of the corporate net.

FedEx workers have come to expect the convenience of wireless access, according to Ken Pasley, directory of wireless development at the company. If a group gathers for a meeting in one location that doesn't have wireless coverage, they'll move until they find it, he says.

One potential gotcha: Because of the limited bandwidth, Pasley says you have to watch out for large file downloads, such as CAD/CAM drawings. "You'd have to look at those closely," he says. But Signa's Musgrave says that even at 5M bit/sec, wireless LANs can support a range of business applications, including enterprise resource planning and PowerPoint.

FedEx started using wireless LANs five years ago, mainly in package sorting and aircraft maintenance areas. With the shift from those early proprietary LANs to 802.11b, which doubled bandwidth to 11M bit/sec, the company saw a 30% jump in productivity at the package sorting centers, Pasley says.

Security

Although security often comes up later in network design, it has to be considered early with wireless because of the inherent vulnerabilities. Wireless LANs are, by definition, not secure: Data is broadcast through the air and is hard to contain. The original encryption scheme for 802.11, called Wired Equivalent Privacy (WEP), is known to have several inherent weaknesses (see related story, page 17).

Given that, wireless security is a blend of art and science. "You should know what the vulnerabilities are and do what you can within reason to mitigate them," says Dennis Moule, information systems manager for carrier software vendor CoManage. "You make reasonable, sensible precautions to minimize risks. . . . And keep current with the emerging risks and how these might affect the equation."

Depending on the requirements, security can range from turning on the basic WEP encryption, to full-blown authentication and encryption via VPNs tied into RADIUS servers. One Canadian integrator reports that many of his wireless customers say their data has almost no value to anyone outside the company, so security is not a priority for them.

But that's a deliberate decision. Many users don't seem to realize that the default security level for most wireless LAN equipment is zero. "I've been doing research on companies that have wireless nets and it appears the majority don't turn on [WEP] encryption, leaving their nets completely open," says Vincent , head network engineer for LANocracy, a wireless LAN installer.

"We assume that there is no security, that the wireless access point is an open, public Ethernet jack," says Christopher Hertel, network design engineer with the University of Minnesota's office of IT. The university treats the wireless LAN as if it were a public Internet, putting a firewall between the LAN and the wired net, and using a campus VPN and authentication via an X.500 directory.

This configuration is increasingly common, but it comes with a number of trade-offs. Administration becomes more complicated, requiring the distribution and updates of VPN client software to thousands of devices. There may be a lack of VPN clients for some operating systems. You have to build a separate wired infrastructure linking access points on the other side of the firewall. And destination addresses are limited to the VPN gate servers.

A related but obscure issue is that most employees with wireless laptops don't realize their wireless cards remain active, even if they're not using the VPN. It's possible for an attacker to use that active link to jump a worker's laptop and infect it with a virus or other malicious code, which is transmitted to the corporate network via the VPN when the worker logs on.

For its part, CoManage uses basic security steps: 128-bit WEP encryption, obscure network names, a clear prohibition on hooking up access points without talking to the IS department and periodic efforts to crack its own net using programs such as WEP Crack, Airsnort and Netstumbler. Moul plans to use the improved WEP Plus when his vendor upgrades access points and network interface card (NIC) software. At some point, as attacks become more common, CoManage will adopt a firewall/VPN model.

Site survey

The actual LAN design - how many access points are placed - draws on all this data and research, and hinges on several factors: the type of materials used in building construction and furnishings, the number of users in a given area and whether that number changes, and the throughput those users need. The larger the deployment and the more demanding the applications, the more complicated the equation becomes.

Signa uses a blend of off-the-shelf programs, such as AutoCAD and Visio, with their own list of wireless parameters when they reach the design phase. They enter data on the site dimensions, wall materials and other variables, and create a three-dimensional model showing an initial placement for the access points. But this model is always augmented with an on-site survey.

Most corporations don't have the expertise of Signa's designers. However, they can use handheld spectrum analyzers to detect radio interference and the same laptop applications many wireless LAN vendors offer for the site survey. You plug in an access point, then walk around with a wireless laptop and the programs show signal strength and throughput at different locations and different distances.

If you're doing this design work yourself, watch out for a common mistake: using one brand of interface card and access point for the initial design then a different brand in the final deployment.Doing so can lead to surprises stemming from different radio-frequency propagation characteristics, which leads to dead spots and lower bandwidth.

One consideration sometimes overlooked is aesthetics: do you want the access points to be visible or hidden behind ceiling tiles? And then there's the basketball factor: FedEx had to raise the access points in its sorting bays higher off the ground because college-age part-timers were leaping up and slapping at them to practice slam-dunks.

The site survey is essential for dealing with one of the most confusing design issues: 802.11b access points have a maximum of three nonoverlapping channels for users. Too many access points, haphazardly placed, will overlap these channels and users will see a serious drop in performance because of contention for the channel. Proper channel configuration can let you stack three access points atop each other giving users maximum available bandwidth.

The just-emerging 802.11a products have eight indoor channels and four more for outdoors, which means that more access points can be packed into the same area, to support more users at higher bandwidth - and, for now, at a higher cost compared with 802.11b LANs.

In theory, the higher bandwidth of 11a means the radios cover less distance, so two to four times more 11a access points will be needed to cover the same area as with 11b. But this will vary greatly by site.

From B to A?

Most corporations seem to be going with 802.11b installations while planning to pilot 802.11a down the road. FedEx is sticking with 802.11b, with no plans to use 802.11a or 802.11g. The latter boosts 802.11b speeds to nearly 54M bit/sec but uses the same radio frequency band as 802.11b - 2.4 GHz.

One popular configuration that's emerging is using 802.11b to create blanket site coverage at a maximum usable bandwidth of 4.5M to 6M byte/sec, with an eye to using 802.11a products to create higher-bandwidth "hot spots" for select users or applications. Some vendors offer access points with two card slots so customers can add 802.11a when needed. One company, Symbol Technologies, will let customers snap on 802.11a access points to existing 802.11b products, so the former can use the power and network management features of the "host" access point.

There's no shortage of vendors for wireless access points and NICs. They range from inexpensive 802.11b products that require minimal configuration and offer limited opportunity for customization, to premium-priced "enterprise-class" devices. Enterprise access points, for example, may have metal covers, special seals for harsh environments, network management software, an advanced Web-based user interface for administrators, a range of specialized software and a battery of proprietary features. These vendor-exclusive features might include support of higher bandwidths using proprietary techniques that the IEEE standard does not cover.

These "vendor exclusives" can frustrate interoperability. But experts and experienced users agree that a number of other factors can also render systems incompatible. One is software: drivers available for one brand of network cards may not work with another brand of access points. Or a given may not vendor support the drivers you need.

This stew of variables is so complex that Signa's designers have created a chart that details the different features and performance characteristics of access points and interface cards. In some locations, a specialized antenna may be needed to "shape" and direct the radio transmission. In that case, the access point must be able to accept an external antenna.

The equipment criteria are established by blending data from phase 1, the initial requirements process, and phase 2, the site survey.

"You have to distinguish between what are features of the [802.11b] standard for interoperability and what are vendor proprietary 'standards,'" says Tiberio Massaro, Signa's professional services marketing manager. Then, network executives can make decisions knowing the trade-offs.

Deployment

It's a relief that most users and integrators agree that deployment of a properly surveyed and designed wireless LAN is pretty straightforward.

Experts recommend staging the equipment first - create the network names and identification databases, load the net information into the access points, burn in the IP addresses and test everything.

You know where the access points are going, and what interface cards are being installed in which clients. It's a matter of pulling the needed cables for the access points, possibly adding some power outlets and attaching the access points.

But details remain. If you have outdoor units, these need to be properly enclosed and grounded. LANocracy's Gullotta recommends always following the manufacturer's instructions. "For whatever reason, I've found that wireless LAN installations go much more smoothly if you follow these exactly," he says.

One of the final steps is to test the installed LAN thoroughly, at all levels, checking security policies, throughput and coverage.

There will be ongoing adjustments. FedEx employees piled equipment around one access point and network performance dropped. New shelving, new walls and shifts in inventory all can affect FedEx's throughput.

When an access point "hangs," for whatever reason, and simply stops working, it can create a more serious, hidden problem, IBM's Denton cautions. To get the device working again, you can shut off power and then turn it back on, or do a reset.

"But a reset clears out the security protocols," Denton says. "It can make a secure access point totally insecure, and no one will know the difference unless they specifically check."

User training must take into account everything from these serious security issues to the more mundane idea of teaching people that moving their wireless clients a foot or two might improve throughput drastically.

Such is the state of Wi-Fi: As easy as it to get a wireless network up and running, doing it right takes as much upfront planning and more ongoing diligence than your traditional wired networks.

Related links

Contact Senior Editor John Cox

Other recent articles by Cox

Wi-Fi world
Wireless LAN services are popping up in so-called "hot spots" across the country - airports, hotels, restaurants, cafés and convention centers.

Wi-Fi @ work
Doctors and nurses at St. Luke's Episcopal Health System had to change the way they dealt with patients to get the most out of their wireless LAN.

Wi-Fi spies
New authentication and encryption techniques will protect wireless LANs from drive-by hackers.

Breaking news

Wireless LAN breaking news page
Keep up to date on the latest vendor, product and technology news.

Wireless breaking news page
Keep up to date on the latest vendor, product and technology news.

Newsletters

Network World on Mobile Computing newsletter
The latest news, software links, opinions and other issues involved in supporting a mobile work force.

Research

Wireless LAN research page
Learn about WLAN security and the differences between the different varities of 802.11, Bluetooth, HiperLAN and others.

Reviews

Bring in the (802.11) A team
The first look at high-speed (5GHz) wireless LAN products.
Network World, 01/28/02.

Building wireless apps just got easier
The best tool for giving mobile workers wireless access to a vertical market application is iConverse's Mobile Studio and Interaction Server.
Network World, 06/25/01.

Apply for your free subscription to Network World. Click here.

Request a reprint or permission to use this article.

Send this article to a colleague