There is an almost infinite number of ways you can configure your wireless network, depending on how many components you can lay your hands on, but the following are the most likely variants.
- Public campus
- Wireless bridge
- SOHO network
- Internal wireless network
- Internal wireless network secured by VPN
- Public hot spot attached to a private LAN
I'll take you through each variation and give you some pointers on how to boost your performance.
Public campus
This is what a community would use to make a public hot spot. As illustrated in Figure A, the network is completely open and there is no private LAN. A wireless router provides DHCP and NAT, but no encryption or access controls are applied. Additional access points are deployed to extend range and coverage. Keep in mind that as you increase the number of access points connected to your router, the bandwidth available to each client decreases even as the number of clients you can support increases.
If you're mounting access points outside of buildings, you should use weatherproof storage with proper grounding. Antennas should be rated for external use, and you should consider using devices equipped with power over Ethernet (PoE) to avoid additional electrical wiring.
Wireless bridge
This is a typical corporate campus situation where a wireless link is used to extend a wired network to another facility. As Figure B illustrates, two wireless access points or routers are installed, usually outside, and set to bridge mode. While bridging, the access points will not communicate with other clients. The bridge scenario should be protected by WEP and WPA, as well as a VPN.
Wireless bridges are a useful backup plan for outdoor events. A convention hall or seminar might find a wireless bridge a convenient alternative to running the copious amounts of cables needed for DSL or dial-up lines. Wireless bridges are one of the few cases where the high-speed 802.11g variants make sense. There's no extra effort in acquiring compatible devices, and the additional bandwidth will be welcomed. As an added bonus, the lack of compatibility provides an extra hurdle for attackers. While security through incompatibility is not something to rely on, it's a nice bonus.
There are a number of devices that use manufacturer-specific modifications to get additional performance out of clients. These configurations include switching to an Orthogonal Frequency Division Multiplexing-only mode (OFDM) to eliminate the Complementary Code Keying (CCK) overhead; changing the Request to Send / Clear to Send (RTS/CTS) signals to eliminate the OFDM flag; using optimized packet sizes; adjusting the signal timings; and bonding multiple channels for additional bandwidth and possibly data compression.
While this looks good on paper, this network will function only when every device is from the particular manufacturer. Given the proliferation of integrated Wi-Fi solutions in laptops, the odds of having a homogeneous network are somewhere between nil and laughable. The only plausible use for these devices is as a wireless bridge where two access points are used to connect disparate networks.
SOHO network
This is the most common configuration of a wireless router. As Figure C shows, computers immediately adjacent to the router should be connected via Ethernet, especially shared resources such as file servers. This will increase the available wireless bandwidth. On some wireless routers, you can restrict the Web administration page to Ethernet connections, limiting the impact of a digital break-in.
The weakness of this configuration is that it doesn't lend itself to visitor access. While there are routers that provide RADIUS-like WPA services for guest access, this often requires special client software to be installed and will not work on the multitude of non-WPA 802.11b devices. Sharing WEP keys is also not an easy option since it requires reconfiguration once your guests leave.
You might consider adding an 802.11b access point slaved to an Ethernet port on the wireless router. Be careful, though, because most wireless routers have limited configuration options and don't have the option of creating isolated subnets or true demilitarized zones (DMZs). If the DMZ access point can still see other computers on your network, you'll need to upgrade to a full router. If it works, be sure to set the routers to different channels, preferably 1 and 11.
Internal wireless network
The first use of an access point tends to be extending an internal network without adding more wiring. As Figure D shows, using WPA and MAC-based access control lists provides a margin of security, but not one that I'd put complete trust in. Instead, I recommend that you install a VPN and skip ahead to the next configuration.
Internal Wi-Fi + VPN
Internal Wi-Fi + VPN (Figure E) requires all wireless clients to use WPA and be on the access control list, but it adds a virtual private network (VPN) system to give an additional layer of security. A VPN has two distinct advantages over WPA:
- VPN has been tested significantly by hackers for several years, unlike the relatively new WPA.
- A VPN can easily be upgraded without requiring a hardware change. Several free open source VPN options enable you to change your security rapidly and inexpensively should vulnerability be discovered.
VPN on the cheap
There are volumes written on setting up a virtual private network. The following are some inexpensive VPN solutions to consider adding to your technical toolkit:
Publicly accessible hot spot with a private LAN
This is the kind of public connection you'd find in a coffee shop or airport. Anyone can access the network, but the facility's LAN is inaccessible from the wireless point without making a VPN connection.
As you can see in Figure F, you must place the wireless router in a proper DMZ, where it is functionally outside your network. Some low-end routers provide a DMZ option that merely directs all incoming requests to the DMZ port. A true DMZ is located outside your firewall and may or may not be completely exposed to the Internet. In this configuration, you should provide some basic firewall and NAT protection from your primary router to maximize your security.
I recommend using a wireless router instead of an access point so you can use port filtering to prevent servers, as well as block access to everything except the VPN after normal business hours.
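The following is an added example, not code from the original article, showing what the hot-spot policy described above looks like on a Linux box acting as the primary router in Figure F. It also covers the earlier SOHO point about keeping the router's administration page off the wireless side. The wireless router hangs off a dedicated DMZ interface, the private LAN sits on another, and the only LAN host a hot-spot user may reach is the VPN gateway; Internet access from the hot spot is open during business hours and closed after them, and nothing may open a connection toward the hot spot, so guests cannot run servers. The interface names, subnets, the VPN gateway address, the OpenVPN-style UDP/1194 port, the management ports and the business hours are all illustrative assumptions to be adjusted for a real deployment.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed layout: a Linux
# router with iptables, the wireless router on $DMZ_IF, the private LAN on
# $LAN_IF, the Internet on $WAN_IF. All values below are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"                 # port the wireless router plugs into
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.100.0/24}"
VPN_HOST="${VPN_HOST:-192.168.1.10}"     # VPN gateway inside the LAN
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN default, assumed
VPN_PROTO="${VPN_PROTO:-udp}"
HOURS_START="${HOURS_START:-08:00}"
HOURS_STOP="${HOURS_STOP:-18:00}"
ADMIN_PORTS="${ADMIN_PORTS:-22,80,443}"  # router management services

# Print the iptables commands instead of applying them, so the policy can be
# reviewed (and diffed against the running ruleset) before it goes live.
gen_rules() {
  cat <<EOF
# Default deny for traffic crossing the router; replies to accepted flows pass.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Hot spot -> LAN: only the VPN endpoint, nothing else, at any hour.
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -d $VPN_HOST -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# Hot spot -> Internet: open during business hours (local time via --kerneltz),
# closed otherwise; VPN traffic to the LAN is still matched by the rule above.
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -m time --kerneltz --timestart $HOURS_START --timestop $HOURS_STOP --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -j DROP
# Nothing may open a connection toward the hot spot: no servers on guest Wi-Fi.
iptables -A FORWARD -o $DMZ_IF -m conntrack --ctstate NEW -j DROP
# LAN -> Internet as usual.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Router management only from the wired LAN; the DMZ side cannot reach it.
iptables -A INPUT -i $DMZ_IF -p tcp -m multiport --dports $ADMIN_PORTS -j DROP
# NAT for both segments on the way out.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $DMZ_NET -o $WAN_IF -j MASQUERADE
EOF
}

# 1-based position of the first rule matching a pattern (comment lines are
# skipped). iptables stops at the first matching rule, so order is part of
# the policy: the VPN ACCEPT must precede the DMZ-to-LAN DROP, and the
# business-hours ACCEPT must precede the DMZ-to-Internet DROP.
rule_index() {
  gen_rules | grep -v '^#' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# To apply for real (needs root):  gen_rules | sh
```

Running the script as-is only prints the rules; pipe its output to sh as root to install them. The order checks in rule_index are the part most worth keeping: a later edit that appends the VPN ACCEPT after the DMZ-to-LAN DROP silently locks every guest out of the VPN, and the generator makes that mistake visible before anything is applied.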
Squeezing out the last Kbps
Once you have your network established, there are a few things you should do. First, conduct a complete feature inventory. Wherever you can lock a configuration on the access point, you can increase performance by reducing processing load.
This performance boost extends to clients. You can improve the performance of stationary clients by locking their transfer rates. This may occasionally deny a client a higher rate it could briefly have negotiated, but rate negotiation itself often slows down connections or causes packet loss when the rate climbs beyond what the environment can sustain.
If you're configuring a g-only network, disable 802.11b support and switch to short preambles to reduce network overhead; use OFDM to transmit the RTS/CTS instead of direct-sequence spread spectrum (DSSS). While doing so will consume some of that reduced overhead, I'd also set all devices to use Advanced Encryption Standard (AES) for an extra layer of security.
Consider using USB 2.0 adapters where PCs are kept beneath desks. Remember that solid objects reduce signal strength and thus transfer speeds. By using an external adapter mounted on the desk, you'll significantly increase the performance of the client. Be sure to put the adapter on its own USB 2.0 controller to prevent bus conflict. If you have to put multiple devices on the same controller, be sure they are all USB 2.0 devices, or else you'll limit your wireless adapter to less than 11 Mbps.
When configuring multiple access points, be sure to use the non-overlapping channels. If you're deploying only two overlapping access points, set them to channels 1 and 11. Signal bleed is not unheard of, so the more dead air you put between the transmission channels, the better.
Finally, use the latest drivers, firmware, and operating system patches. A firmware upgrade can reduce dropped packets, add new features, or improve efficiency, while drivers can offload math-intensive functions to the processor for quicker operation. And lastly, current operating systems have native support for Wi-Fi, creating common calls that all drivers will use. Windows XP SP2 and the Mac OS X update 10.3.5 both include improvements to wireless networking.