Wireless networking is being implemented in many IT shops. Because wireless networking is very new, however, few IT pros have had significant exposure to the unique settings it requires. In this Daily Drill Down, I’ll offer a few notes to help you set up clients and access points, discuss the settings unique to wireless devices, and detail some standard wired options that affect special features of wireless devices.
Client setup notes
Wireless network interfaces are available in PCI, USB, and PC Card formats. USB devices should be connected directly to the computer or to a powered hub, because most draw their power from the USB cable. PCI and PC Card devices should be installed in a slot that leaves the antenna as unobstructed as possible. Route cables away from the antenna to minimize RF interference, and use shielded cables and speakers wherever possible; electrical interference will reduce your maximum bandwidth.
When you set up your wireless clients, you’ll want to carefully consider whether you should keep default settings. While these settings will get you up and running quickly, they also could compromise security. Some of these settings need to be configured on the access point as well. Make sure they’re the same. Client settings include the following:
- Ad Hoc, Or Peer-To-Peer Networking: Some wireless devices can be set to communicate with one another without using an access point. This increases the flexibility of the client systems, but it also bypasses every control the access point enforces, so it undermines a centrally administered security policy. Disable it on managed clients unless you have a specific need for it.
- Encryption Keys: These are the values used to encrypt traffic, and they must match on the client and the access point. Vendors ship devices with default keys so that clients can be added without any configuration, but those defaults are printed in the manual and known to anyone who owns the same product, so they give no real protection. Change them before deployment and rotate them on a schedule. With WEP, rotating keys only limits how long a recovered key stays useful; it does not prevent the recovery itself.
- Mobile IP: Clients can roam from one access point to another. In a large enough network the new access point may sit on a different IP subnet, where the client's original address is no longer routable. Mobile IP solves this with a kind of forwarding address: a home agent on the original subnet accepts the client's traffic and tunnels it to the client's current location. Enable it only on especially large, contiguous wireless networks; elsewhere the overhead isn't worth it.
- Rate Control: Rate Control allows you to specify the communication speed. Reducing the maximum bandwidth increases the roaming range and reduces power consumption but at the cost of peak performance. The defaults are usually the best general-purpose settings. This setting may be configurable to allow different default speeds in each location.
- WEP: The encryption scheme defined by the 802.11b standard is called Wired Equivalent Privacy (WEP) and is intended to compensate for the lack of physical security on a radio link. Not all wireless systems provide it. The default for 802.11b is the internationally exportable 40-bit key; some U.S. models also support the much-preferred 128-bit mode (a 104-bit key plus the 24-bit initialization vector). Encryption is sometimes disabled by default; enable it. Be aware, though, that WEP has since been shown to be breakable at either key length, so treat it as a floor rather than as adequate protection on its own, and use the stronger schemes (WPA2 or later) wherever the hardware supports them.
- WLAN Service Area: This value (the SSID or ESS ID in other vendors' terminology) works like a workgroup name: only clients configured with the same service area will associate with an access point. Configuring different WLAN service areas allows multiple wireless networks of the same type to overlap in the same geographic area. Sometimes a default service area number, for example 101, is enabled out of the box. Change it: the default is common to every device of that model and the value is broadcast, so it tells anyone listening exactly what equipment you run. Don't treat it as a secret, either; it is a naming control, not an access control.
What if you need more than one network profile?
Because mobile devices move from network to network, your vendor’s network profile utility can make or break a wireless package. This is especially true for Windows 9x laptops, which have no support for multiple network configurations. Ease of use is important, especially with small-office and home-wireless setups.
The bare minimum for any network profiler is the ability to store multiple network configurations for the same device. The most advanced profilers are also capable of changing the default printers, modem settings, area codes, long-distance codes, and shared network volumes. This functionality can provide flexibility but can also become frustrating if it’s too complex.
I recommend evaluating the network profiler carefully to ensure that it meets the users’ networking and usability needs. Even if the hardware is virtually bulletproof, if the end users are unhappy with the application, you’ll hear about it.
Access point features
From a network-design stance, the access point is the most important component; it dictates how many clients can be served, the level of encryption, access controls, logging, network management, client administration—the whole shebang. You should choose an access point as carefully as you would your core routers.
In addition to the access point’s networking capabilities, examine its physical features. The 3Com Access Point includes what it dubs a “Power Base-T” connector that enables the CAT-5 cable to provide power. This facilitates installation in locations where power is not readily available. This model includes a serial port for configuration or for operating an external modem as well. Although it seems contradictory to have a wireless network with an attached modem, this allows for custom packet routing and filtering or even setting up temporary networks (such as at a trade show where a broadband connection isn’t available). Other units may include USB or even Bluetooth interfaces.
Access point settings
In this section, I’ll explain the configurable settings unique to wireless access points. Other options available in access point configuration screens are reports that help you troubleshoot and tune your device.
The way you initially configure access points varies among vendors. 3Com's Access Point is configured using a null-modem (crossover) serial cable and a terminal client. The Proxim HomeRF wireless gateway is configured by the first wireless client that connects to it, so configure such a unit immediately after powering it on, before anyone else is in range. Other methods for setting up access points include Web, Ethernet, Telnet, or physical switches.
Most access points have an administrative password. Default passwords are printed in manuals and collected on the Web, and leaving one in place makes the device an easy target, especially if it can be configured remotely. Change the password during initial configuration, but be careful when you do: lose it and you can no longer make changes to the device, and resetting the unit to clear the password will usually wipe the network settings as well, forcing you to reconfigure from scratch. Record the new password in a controlled location.
- Channel: The number of available channels depends on the type of wireless network and the regulatory domain (802.11b offers 11 channels in the U.S. and 13 in most of Europe). Channels that are close in number overlap in frequency; with 802.11b, two cells interfere unless their channel numbers are at least five apart, which is why 1, 6, and 11 are the usual choices. In a complex setting where multiple access point zones overlap, whether because of multiple service-area networks or because consecutive access points overlap for roaming, make sure that neighbouring cells are on non-overlapping channels.
- Default Interface: This is the interface used to route data where no specific rules exist. It’s typically Ethernet but may be serial if you’re using a modem or alternate port for routing.
- DHCP: This option enables DHCP services. Some models will operate only as a DHCP client, but others can act as a DHCP server. In that case, you would also need to set the valid range of IP addresses that it could assign to clients.
- Ethernet Timeout: The system will shut down its wireless link and disconnect clients if the Ethernet connection is disabled for a given amount of time. This feature is useful if you have multiple access points providing redundant coverage. When the station shuts down, the clients will switch to other access points. For wireless networks with a single access point, you should disable the Ethernet Timeout option. That way, you at least retain the ability for your wireless clients to communicate with one another.
- Interfaces: Ethernet, PPP, and RF interfaces can be enabled or disabled. Normally, you would always leave the Ethernet and RF (wireless) interfaces active. Whether you’ll use alternate interfaces will depend on your exact needs.
- Serial Port Use: An access point’s serial port can often be configured for multiple tasks, such as packet forwarding or special routing configurations via modem or other devices. If you’re using the serial port for anything other than the user interface, you’ll need to provide the additional configuration data, such as the dial-out number, whether to answer incoming calls, the type of connection, and connection speeds.
- System Password: You use this option to change the administrator password. Do not lose the password if you change it. Resetting the device can be difficult—you may need to contact the vendor’s technical support.
- WLAN Service Area: As with the client setting, the access point's WLAN service area ships at a vendor default. The entry in this field may be a network ID or workgroup name. Change it, but don't count it as a security control: the value is transmitted in the clear and any wireless analyzer will reveal it.
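The channel rule above is easy to get wrong once more than three cells overlap, so here is an added example (not from the original article, and not any vendor's planning tool) that checks a site survey for co-channel and adjacent-channel clashes and proposes a non-overlapping assignment by greedy graph colouring. It assumes 802.11b numbering in the U.S. (channels 1 to 11, centres 5 MHz apart, signals about 22 MHz wide); the access point names and the list of overlapping pairs are constructed stand-ins for what a survey would produce.

```python
# Added example: channel-conflict check and channel plan for overlapping cells.
# Assumes the 802.11b U.S. channel layout; survey data below is constructed.

CHANNEL_SPACING_MHZ = 5     # centre frequencies are 5 MHz apart
SIGNAL_WIDTH_MHZ = 22       # an 802.11b transmission occupies about 22 MHz
NON_OVERLAPPING = (1, 6, 11)


def channels_overlap(a, b):
    """True if two 802.11b channels share spectrum (numbers fewer than 5 apart)."""
    return abs(a - b) * CHANNEL_SPACING_MHZ < SIGNAL_WIDTH_MHZ


def find_conflicts(channels, neighbors):
    """channels: {ap_name: channel}. neighbors: (a, b) pairs whose coverage
    areas overlap, taken from a site survey. Returns the pairs that clash."""
    conflicts = []
    for a, b in neighbors:
        if channels_overlap(channels[a], channels[b]):
            conflicts.append((a, b, channels[a], channels[b]))
    return conflicts


def assign_channels(names, neighbors, allowed=NON_OVERLAPPING):
    """Greedy graph colouring: give each AP a channel that does not overlap any
    neighbour assigned so far. Returns None when the overlap graph needs more
    non-overlapping channels than exist; then an AP must move or lose power."""
    adjacency = {n: set() for n in names}
    for a, b in neighbors:
        adjacency[a].add(b)
        adjacency[b].add(a)
    # Most-constrained APs (most overlapping neighbours) are placed first.
    order = sorted(names, key=lambda n: (-len(adjacency[n]), n))
    assignment = {}
    for name in order:
        taken = [assignment[n] for n in adjacency[name] if n in assignment]
        for channel in allowed:
            if not any(channels_overlap(channel, t) for t in taken):
                assignment[name] = channel
                break
        else:
            return None
    return assignment


# Constructed survey: five access points on one floor, with the pairs whose
# cells overlap. Every unit is still on the factory channel (6 here).
SURVEY_APS = ["ap-east", "ap-lobby", "ap-north", "ap-south", "ap-west"]
SURVEY_OVERLAPS = [
    ("ap-lobby", "ap-north"), ("ap-lobby", "ap-south"),
    ("ap-lobby", "ap-east"), ("ap-lobby", "ap-west"),
    ("ap-north", "ap-east"), ("ap-south", "ap-west"),
]
FACTORY_DEFAULT = {name: 6 for name in SURVEY_APS}

if __name__ == "__main__":
    for conflict in find_conflicts(FACTORY_DEFAULT, SURVEY_OVERLAPS):
        print("conflict:", conflict)
    plan = assign_channels(SURVEY_APS, SURVEY_OVERLAPS)
    print("proposed plan:", plan)
    print("remaining conflicts:", find_conflicts(plan, SURVEY_OVERLAPS))
```

With everything on channel 6, all six overlapping pairs clash; the planner puts the lobby unit on 1 and alternates its neighbours between 6 and 11. If `assign_channels` returns None, the survey has four or more mutually overlapping cells, and no 802.11b channel plan will fix that; reduce transmit power or move an access point.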
Many of these functions are optional, either because they are of only limited use or because they provide an alternate method to the generally accepted standard.
- Agent Ad Interval: This setting controls how often the access point broadcasts Mobile IP agent advertisements. A longer interval means a client moving into a new zone waits longer before it detects the new agent and registers, so roaming becomes laggy.
- Load Balancing: Access points are often capable of load balancing where coverage areas overlap, moving clients from a heavily loaded access point to a less active one.
- Mobile IP: The bandwidth overhead could be excessive when mobile IP is used to relocate to a completely different network. In that case, the home access point receives the data and then forwards it on to the new access point. This multiplies the total bandwidth needs of that client for very little gain.
- Mobile-Home MD5 Key: This is the shared secret used to authenticate Mobile IP registrations between a client's home agent and the access point it has roamed to (a keyed-MD5 authenticator). Treat it like a password: anyone who knows it can submit registrations on a client's behalf and have that client's traffic forwarded elsewhere.
- Telnet/Web Server: A number of services can be used for access point administration, and your security policy can restrict which of them are enabled. Telnet and plain HTTP both carry the administrative password in cleartext, over the same radio link that has no physical security, so turn them off where you can. If you mount the access point in a hard-to-reach location or plan to use the serial link for other purposes, you will need some form of remote administration; prefer a vendor that offers a secure method, either an HTTPS Web server or Secure Shell (SSH), and where that isn't available, at least restrict administration to the wired interface.
- WNMP: Enabling Wireless Network Management Protocol (WNMP) allows you to propagate changes from one access point to another and reduce management overhead.
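Taken together, the client settings earlier in the article and the access point settings in this section amount to a checklist of factory values that should never survive deployment: the system password, the WLAN service area, WEP and its keys, cleartext administration services, SNMP community strings, and ad hoc mode. The following is an added example, not from the original article or from 3Com or any other vendor, that audits a single access point's settings against that checklist. The field names, the two configurations and the "published default" sets are constructed placeholders; a real audit would read the values from the device's serial, Telnet or Web interface and fill in the published defaults for the model in use.

```python
# Added example: audit one access point's settings against the factory values
# the article warns about. Field names, both configurations and the
# "published default" sets are constructed placeholders, not real vendor
# defaults; fill them in from the manual of the model being audited.

SNMP_DEFAULT_COMMUNITIES = {"public", "private"}   # universal v1/v2c defaults
CLEARTEXT_ADMIN_SERVICES = {"telnet", "http"}       # send the password in the clear


def audit_access_point(cfg, default_passwords, default_keys, default_service_areas):
    """Return a list of (severity, setting, finding). Severity is 'high' for
    anything that lets an outsider read traffic or administer the device."""
    findings = []

    def flag(severity, setting, text):
        findings.append((severity, setting, text))

    if not cfg["system_password"] or cfg["system_password"] in default_passwords:
        flag("high", "System Password", "blank or published default administrator password")

    if cfg["wlan_service_area"] in default_service_areas:
        flag("medium", "WLAN Service Area", "factory default; broadcast value identifies the product")

    if not cfg["wep_enabled"]:
        flag("high", "WEP", "encryption disabled; any nearby receiver can read traffic")
    else:
        key = cfg["wep_key"].lower()
        if key in default_keys:
            flag("high", "Encryption Keys", "WEP key is a published factory default")
        if len(key) == 10:  # 10 hex digits = 40-bit key; 26 = the 104-bit ("128-bit") mode
            flag("medium", "WEP", "40-bit key; use the 128-bit mode if the hardware supports it")
        # Even the 128-bit mode is cryptographically weak: WEP is a floor, not protection.

    for service, enabled in cfg["admin_services"].items():
        if enabled and service in CLEARTEXT_ADMIN_SERVICES:
            flag("medium", "Telnet/Web Server", f"{service} administration exposes the password in cleartext")

    if cfg["snmp_enabled"] and cfg["snmp_community"] in SNMP_DEFAULT_COMMUNITIES:
        flag("high", "SNMP", f"community string '{cfg['snmp_community']}' is a well-known default")

    if cfg["ad_hoc_allowed"]:
        flag("low", "Ad Hoc", "peer-to-peer mode lets clients bypass access point policy")

    return findings


# Constructed placeholders for the model's published defaults.
DEFAULT_PASSWORDS = {"admin", "password"}
DEFAULT_KEYS = {"0123456789", "1011121314"}
DEFAULT_SERVICE_AREAS = {"101"}

# Constructed: the unit as it comes out of the box...
OUT_OF_BOX = {
    "system_password": "admin",
    "wlan_service_area": "101",
    "wep_enabled": False,
    "wep_key": "",
    "admin_services": {"telnet": True, "http": True, "ssh": False, "https": False},
    "snmp_enabled": True,
    "snmp_community": "public",
    "ad_hoc_allowed": True,
}

# ...and the same unit after deployment hardening (values are illustrative).
HARDENED = {
    "system_password": "Kq7vRm2pLxWd",
    "wlan_service_area": "bldg4-floor2",
    "wep_enabled": True,
    "wep_key": "a1b2c3d4e5f60718293a4b5c6d",   # 26 hex digits: 104-bit key
    "admin_services": {"telnet": False, "http": False, "ssh": True, "https": True},
    "snmp_enabled": True,
    "snmp_community": "zx9rqWt4pLn",
    "ad_hoc_allowed": False,
}

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(f"== {name}")
        for severity, setting, text in audit_access_point(
                cfg, DEFAULT_PASSWORDS, DEFAULT_KEYS, DEFAULT_SERVICE_AREAS):
            print(f"  [{severity:6}] {setting}: {text}")
```

The out-of-box configuration produces seven findings, three of them high; the hardened one produces none. Run the same function over every access point after installation and again after any reset, since resetting a unit to recover a lost password puts the factory values back.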
Settings in this category control your broadcast signal. You probably won’t need to alter these settings unless you’re experiencing connection problems.
- Antenna Diversity: Diversity enables an antenna to lock on to the strongest of overlapping signals. This option is enabled by default on most systems that support it and should rarely be turned off.
- Beacon Interval: Access points send a periodic timing signal (the beacon) that clients use to find and synchronize with them. In locations with interference, adjusting the beacon rate may improve connection stability, but it costs throughput: airtime spent on beacons is airtime not spent on data. Vendors express the setting in two different ways, so read the manual. Some specify an interval, where a larger value means fewer beacons; others specify a rate in beacons per second, where a larger value means more.
- Broadcast/Multicast Queuing: The nature of wireless is to share channels. Sharing means taking turns, which can delay broadcast or multicast data packets. The access point can set a maximum number of delayed packets that will queue before they are given priority. Default settings are fine unless you are specifically utilizing broadcast or multicast applications. If you are, you should look more at configuring a multicast mask rather than altering the queuing.
- Client Inactivity: Client inactivity times provide a "grace" period for clients whose signals are interrupted. Set this timeout too low and you force clients to renegotiate their connections. An inappropriately long timeout, however, ties up resources needlessly, because each access point can communicate with only a finite number of clients.
- Max Retries: This setting controls the number of times the access point will try to contact a client before it aborts the transmission.
- Multicast Mask: This setting allows multicast packets to bypass the queue and be given immediate delivery. It is most often used for diskless systems using network resources to boot up.
- Rate Control: The communication speed can be specified. The defaults are usually the best general-purpose settings. If you need to extend your coverage zone, you can reduce the communication rate. Lower communication rates can get by with weaker or lower-quality connections. By reducing everyone’s connection rate and signal strength, you also lower the odds that a nearby signal will mask a more remote one.
In addition to encryption keys and WEP settings, you have the option of changing these access-point security settings:
- Access Control: This setting enables you to restrict which clients, by hardware (MAC) address, can use your network. For instance, 3Com's AirConnect lets you both limit the number of allowed clients and exclude specific ones. This keeps casual and accidental users off your bandwidth, at the cost of extra management whenever you add client systems or replace wireless devices. Don't mistake it for authentication: MAC addresses travel in the clear in every frame and can be changed in software on most adapters, so a determined intruder can simply clone an allowed address.
- Client-Client Communication Zone: Peer-to-peer networking circumvents the access point’s ability to administer a consistent security policy, but it does provide more client flexibility.
- Encryption Administration: For security, encryption administration can be limited to specific types of connections. Many access points support Telnet and Web administration in addition to the serial connection. 3Com can restrict encryption administration to just the serial interface, though doing so prevents you from placing the device in hard-to-reach locations, like ceilings, or using the serial port for a modem interface.
- Event Logging: A variety of event logs are possible depending on the access point. The most common settings log filtered packets, load balancing, configuration changes, Simple Network Management Protocol (SNMP) or WNMP events, and operating history. Configure logging to match what you do on your other network segments, add the wireless-specific events your security model calls for, and forward the logs to a central host where they can be kept and correlated rather than reviewed on the device.
- SNMP: SNMP is an advanced feature that not all devices support. Configuring SNMP agents into an SNMP community isn't difficult, but the details are best left for a separate article. Two things to do regardless: change the default community strings (public and private are universal defaults and grant read or write access to anyone who tries them), and remember that SNMP versions 1 and 2c send the community string in cleartext, so restrict which management hosts may query the device.
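The event-logging entry above names filtered packets, configuration changes and SNMP events as the common log types. Here is an added example (not from the original article, and not any vendor's log format) of the detection logic worth running over those logs once they reach a central host: repeated access-control denials from one hardware address, configuration changes made over cleartext protocols, and repeated SNMP authentication failures from one source. The syslog-style line format, the regular expressions and the sample lines are all constructed; adapt `LINE_RE` and the message patterns to the real device's output.

```python
# Added example: simple detections over access point event logs.
# The line format, patterns and SAMPLE_LOG are constructed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed format: "<Mon> <day> <HH:MM:SS> <ap-name> <facility>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<ap>\S+) (?P<fac>\w+): (?P<msg>.*)$")
DENY_RE = re.compile(r"denied (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
SNMP_FAIL_RE = re.compile(r"authentication failure from (?P<src>\d+\.\d+\.\d+\.\d+)")
CONFIG_RE = re.compile(r"(?P<what>.+?) changed by (?P<who>\S+) via (?P<how>\S+)")


def parse(line, year=2001):
    """Split one log line into (timestamp, ap, facility, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ap"], m["fac"], m["msg"]


def analyze(lines, deny_threshold=3, window=timedelta(minutes=5),
            cleartext=("telnet", "http"), snmp_threshold=2):
    """Return (severity, subject, description) findings for the log lines."""
    deny_times = defaultdict(list)      # mac -> timestamps of ACL denials
    snmp_failures = Counter()           # source ip -> failed SNMP requests
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                    # unknown format: skip, don't crash
        ts, ap, fac, msg = parsed
        if fac == "filter" and (m := DENY_RE.search(msg)):
            deny_times[m["mac"].lower()].append(ts)
        elif fac == "snmp" and (m := SNMP_FAIL_RE.search(msg)):
            snmp_failures[m["src"]] += 1
        elif fac == "config" and (m := CONFIG_RE.search(msg)):
            # Any change is worth recording; one made over Telnet/HTTP means the
            # admin password just crossed the air in cleartext.
            severity = "high" if m["how"] in cleartext else "info"
            findings.append((severity, ap, f"{m['what']} changed by {m['who']} via {m['how']}"))
    for mac, times in deny_times.items():
        times.sort()
        # Sliding window: deny_threshold denials of the same address within `window`
        # is either a misconfigured legitimate client or someone probing the ACL.
        for i in range(len(times) - deny_threshold + 1):
            if times[i + deny_threshold - 1] - times[i] <= window:
                findings.append(("medium", mac,
                                 f"{len(times)} ACL denials; {deny_threshold} within {window}"))
                break
    for src, count in snmp_failures.items():
        if count >= snmp_threshold:
            findings.append(("medium", src, f"{count} SNMP authentication failures"))
    return findings


# Constructed sample: one morning's forwarded entries from two access points.
SAMPLE_LOG = """\
Mar 12 09:14:02 ap-lobby filter: denied 00:a0:f8:12:34:56 not in access control list
Mar 12 09:14:05 ap-lobby filter: denied 00:a0:f8:12:34:56 not in access control list
Mar 12 09:14:09 ap-lobby filter: denied 00:a0:f8:12:34:56 not in access control list
Mar 12 09:15:40 ap-lobby assoc: 00:a0:f8:aa:bb:cc associated, WEP enabled
Mar 12 09:16:12 ap-north filter: denied 00:a0:f8:77:88:99 not in access control list
Mar 12 09:20:31 ap-lobby config: WLAN service area changed by admin via telnet
Mar 12 09:21:07 ap-lobby snmp: authentication failure from 10.1.4.77 community "private"
Mar 12 09:21:09 ap-lobby snmp: authentication failure from 10.1.4.77 community "public"
Mar 12 09:30:00 ap-north loadbal: moved 00:a0:f8:aa:bb:cc to ap-lobby
"""

if __name__ == "__main__":
    for severity, subject, text in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {subject}: {text}")
```

On the sample the single denial on ap-north is ignored, while the three rapid denials in the lobby, the Telnet-borne configuration change and the pair of SNMP failures (someone trying both default community strings) each produce a finding.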
To wrap up
Wireless networking includes a number of new features. This can make it harder to set up a well-configured wireless network. In this Daily Drill Down, I’ve presented information to help you choose vendors, as well as set up and troubleshoot your client and access point connections.