10 tips for deploying new wireless access points

When you set up a wireless access point, certain basic practices can help you avoid problems. Brien Posey offers his advice for a successful deployment.

Wireless hardware manufacturers have made the process of setting up access points fairly painless, but there are still some best practices you should follow. Here are a few pointers for anyone who is about to deploy a new wireless access point.

1: Avoid placing access points near structural metal

When setting up a new wireless access point, you should install it in a location that will be unlikely to cause radio interference. I once had someone contact me because their wireless network was not working correctly. When I asked them to show me the access point, they led me into the warehouse where the access point sat on top of a steel beam just beneath a metal roof. The surrounding metal was interfering with the signal. Moving the access point took care of the problem. Since that time, I have always advised clients not to place access points in close proximity to structural metal.

2: Use Power over Ethernet when necessary

Many organizations like to place wireless access points on or near the ceiling in an effort to help wireless clients achieve the best possible range. But it can be difficult to get power to the access point. Rather than rely on extension cords (as I have occasionally seen done), consider using Power over Ethernet (PoE). PoE provides the access point with power over unused wires within an Ethernet cable. Special PoE modules at each end of the cable ensure that networking hardware is not exposed to the electricity the cable is carrying.

3: Reset the access point password immediately

The first thing you should do when setting up any new wireless access point is reset the access point's internal password. Otherwise, the access point's configuration interface will be accessible to anyone who knows how to look up the default password on the Internet.

4: Avoid overlapping DHCP scopes

I once ran into a situation in which an organization purchased a second wireless access point to try to provide better wireless coverage. An inexperienced technician was told to set it up just like the other access point. The problem was that both access points were configured with identical DHCP scopes. Fortunately, the access points were smart enough to look for IP address conflicts on the network before assigning any IP leases. Otherwise, the overlapping DHCP scopes could have caused a lot of problems for end users.
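The clone-the-other-AP mistake above is easy to catch before any lease goes out. This added example (not from the article) takes a list of per-AP DHCP scope definitions, sanity-checks that each lease range lies inside its subnet, and reports every pair of access points whose lease ranges intersect; the AP names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpScope:
    ap: str       # access point name (constructed label)
    subnet: str   # e.g. "192.168.10.0/24"
    start: str    # first address the AP will lease
    end: str      # last address the AP will lease


def lease_range(scope):
    """Return the lease range as integer bounds, refusing ranges that are
    reversed or that fall outside the declared subnet."""
    net = ipaddress.ip_network(scope.subnet, strict=False)
    start = ipaddress.ip_address(scope.start)
    end = ipaddress.ip_address(scope.end)
    if start > end or start not in net or end not in net:
        raise ValueError(f"{scope.ap}: lease range {scope.start}-{scope.end} "
                         f"is not inside {scope.subnet}")
    return int(start), int(end)


def find_overlaps(scopes):
    """List (ap_a, ap_b, first, last) for every pair of scopes that could hand
    out the same address; an empty list means the scopes are disjoint."""
    bounds = [(s, *lease_range(s)) for s in scopes]
    overlaps = []
    for i in range(len(bounds)):
        for j in range(i + 1, len(bounds)):
            a, a_lo, a_hi = bounds[i]
            b, b_lo, b_hi = bounds[j]
            lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
            if lo <= hi:  # the two closed intervals intersect
                overlaps.append((a.ap, b.ap,
                                 str(ipaddress.ip_address(lo)),
                                 str(ipaddress.ip_address(hi))))
    return overlaps


# Constructed sample: the second AP was "set up just like the first",
# the third was given its own slice of the subnet.
SAMPLE_SCOPES = [
    DhcpScope("ap-warehouse", "192.168.10.0/24", "192.168.10.100", "192.168.10.199"),
    DhcpScope("ap-office", "192.168.10.0/24", "192.168.10.100", "192.168.10.199"),
    DhcpScope("ap-lobby", "192.168.10.0/24", "192.168.10.200", "192.168.10.250"),
]

if __name__ == "__main__":
    for a, b, lo, hi in find_overlaps(SAMPLE_SCOPES):
        print(f"OVERLAP: {a} and {b} both lease {lo}-{hi}")
```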

5: Treat wireless connections as insecure

One of the big problems with wireless networks is that a person does not need physical access to your facility to connect to your network. As a result, wireless encryption is a must -- but I recommend taking security a step further. Instead of automatically trusting anyone who manages to connect to your wireless network, treat your wireless networks as you would treat an Internet connection. Make wireless users authenticate through a VPN or a similar mechanism before allowing them to access wired network segments.

6: Use meaningful SSIDs

Many IT pros recommend that you do not broadcast your wireless access point's SSID. However, it is fairly easy for a hacker to discover an SSID, even if it is not being broadcast. My recommendation is to use meaningful SSID names. Users who are connecting to your wireless network for the first time should never have to wonder if they are connecting to the right network.

7: Take advantage of built-in security features

Even the cheapest wireless access points come loaded with numerous security features. For example, most access points will allow you to restrict network access by MAC address. Some wireless access points also contain alerting mechanisms that can fire off an email message if someone repeatedly attempts to connect to your network using an incorrect pass phrase. Be sure you check out the security features your wireless access point offers and enable the ones that seem beneficial.

8: Connect access points to a UPS

If I had to give one piece of advice to a wireless network administrator, it would be to connect all wireless access points to backup batteries (UPSes). If the power fails, wireless users will get knocked off the network.

To see why this is such a big deal, forget about major power failures for a moment. Suppose that the power cuts out for only a second or two. That's usually long enough to disconnect a wireless session. And since a lot of the people who are using the wireless connection are doing so from battery-powered laptops or mobile devices, they could be completely oblivious to the power blip. Most wireless hardware will automatically reestablish a lost connection, but if you require users to authenticate prior to connecting to any backend network resources, they could be locked out until they reauthenticate. This could lead to numerous help desk calls from confused users.

9: Adjust the signal strength if possible

Some wireless access points will allow you to adjust the signal strength through a Web interface. While it is tempting to use the maximum signal strength, do you really need to broadcast a wireless signal across the parking lot? Consider where your wireless network boundaries should be and then adjust your signal strength accordingly.

10: Take the time to fill out the warranty card

It may seem like a cliché, but take the time to fill out the warranty card that comes with your new access point. Maybe it's just bad luck, but I haven't had much success with access point longevity. My access points always seem to give out after six months to a year. Filling out the warranty card has on occasion saved me the expense of purchasing a new access point.

About

Brien Posey is a seven-time Microsoft MVP. He has written thousands of articles and written or contributed to dozens of books on a variety of IT subjects.

23 comments
ef5150

Hi - If this isn't the correct forum for this, please let me know where I can post this. Thanks everyone: I need to successfully wirelessly pre-logon connect to an enterprise RADIUS (certificate based) domain. It always asks for the password and user account at boot up. Although this is pre-logging on, I want to store the certificate and credentials so that it automatically connects to the wireless without prompting for domain credentials. How can I do that? I tried using Intel PROSet but that didn't help either. I want to reiterate that I am pre-logon connecting, although just like you set up Windows with AUTO-LOGON, I'd like to do the same with the pre-logon wireless connection (no user intervention). I have several tablet computers we need to deploy in a medical center network and we can't have any user interaction. The reason why we need the pre-logon connect is because we do not cache the domain credentials since they save patient info to the C drive; if the laptop gets stolen, it would Windows auto-logon and they would access the data. Again, without caching the DOMAIN credentials, it allows us a secure configuration since the logon would fail if not on our network. I wanted to explain this better......, So, the deal is, with Windows XP and Intel PROSet, it allowed me to pre-logon connect, or should I say AUTO wireless pre-logon connect, meaning no user interaction was needed. I have over 1300 of these on the network or more..... Windows 7 seems to not have this capability (I think); of course you can pre-logon connect but you ALWAYS have to enter your domain\useraccount and password at the logon screen. I have pulled several PDFs and I don't think it's possible; they also mention that Win7 will not save the user's wireless credentials for use at pre-logon. This will be a HUGE show stopper for this medical center to move to Windows 7 if this is not resolved. We need to have no user interaction at log on and a secure NON-CACHED domain logon configuration.
MS - please help. Ed, Roch NY -

rudyg123

Filling out or not filling out a warranty card in no way affirms or negates your warranty rights. Laws regarding warranties are pretty clear in that regard. However, filling out the warranty card isn't a bad idea to register to receive product bulletins.

robo_dev

My SSIDs at home are HAL and DAVE for obvious reasons. My favorite ones I've seen are: "Network Connection Error" and "FBI Surveillance Van #2". I would think an SSID for a restaurant would be: Try_the_99cent_Taco_Meal_at_El_Toro

derek

Very important - do a site survey and find out what channels are already out there, and be cautious of slapping it out there right out of the box.

Old Timer 8080

Just sayin' Smart people KISS it when setting up wireless access... That means keeping a log and updating a building's blueprints...

Neon Samurai

Not that it was suggested by the article: "Many IT Pros recommend not broadcasting one's SSID".. gah.. is that fallacy of obscurity still floating around? When the access point does not broadcast its SSID, the client device must constantly call out for it hoping to discover that it's within range. This means that the network SSID is being announced all over town when the device is turned on.

- One can have a bit of fun and do some information gathering by grabbing any handy wifi sniffer and watching what SSID names devices call out for. Watch the list of names that the same device requests and you'll get the home network, the work network, the hotels one's been at and so on.
- Worse still, one can set up an access point that listens for any device calling out SSIDs and answers "yeah, that SSID is me.. send your password".. and the client device does just that.

When the access point broadcasts the SSID, the client device knows to listen for it rather than constantly calling out. You can also set the client device to not try and connect to an access point which is not broadcasting the correct SSID, reducing the risk of Mr Rogue AP in the second bullet above. (Windows has this option, not sure how other device software manages it. My Debian simply doesn't try to connect unless I tell it to do so.) You may even benefit from someone setting up their own access point, seeing your SSID and then knowing to use a different channel. "hm.. lots of wifi networks on channel 6, I better use channel 11 or 1 then".. and everybody is happy with less radio interference.

And point 7; Yes! Use the security features provided by your access point. If it's a consumer device that doesn't do at least WPA or WPA2, return or replace it for/with one that does. Client devices that only do 802.11b? You're better off replacing them rather than decreasing the entire network's security because of them. Change the network password as soon as you can. Use a maximum length complex code and keep it in a password manager if you need to. Yeah, it sucks to type it into your new iPhone but two minutes of typing versus a crappy short password easily broken by packet analysis (.11b at under five minutes) or dictionary (WPA/WPA2 in a day or so with some services).

As for MAC filtering; this is not a security feature. Don't think for a second that a MAC filter stops people from connecting to your network if they want to. Any OS besides Windows is going to easily allow one to set the MAC address to whatever they like, including a MAC listed in the wifi scanner. Windows allows it also with special drivers so anyone who wants to do this is going to be able to. What MAC filtering can do for you is tell the access point if it should even care about the network packet. If the packet is not from a recognized MAC address, the access point will ignore it. This reduces resource load on your access point and the radio noise it responds to. That's not a security feature but it is a beneficial outcome.

Point 9; be warned. Reducing signal strength may be of interest to reduce the range that clients can connect from (say, like the empty parking lot across the road.. probably not a lot of folks who need to connect from there). Be careful when increasing signal strength beyond the factory defaults though. An overpowered radio may get you a few extra meters of range but it can burn out your access point a lot sooner than expected.

psutsos

I've heard this before and wanted a professional opinion: When selecting channels for your AP, put it not one, but two channels away from other nearby access points. For example: If another access point is on channel 3, you want to use 1 or 5, not 2 or 4. The radio signal for a channel can overlap into the one before and after, causing radio interference and thus performance issues. I think I've seen this on cruise ships before, where they use channels 1, 3, 5, 7, etc. Can anybody confirm this?

TBone2k

Get a good access point that does 802.1X authentication. That makes it as secure as plugging in to the network since all users must authenticate on the network (not the wireless encryption). The beauty of it is that you can also meet management's need to provide "guest access" by routing unauthenticated users directly to the internet.

jck

I don't know anyone who would put in an access point and not turn on encryption. And in a small office environment, most (if not all) would maintain the MAC address list so that only specific machines can access the router. I've never run a wireless router unencrypted. It's bad enough WEP can be cracked faster than a walnut under an elephant's foot.

Simon_T

LOL, I wish I could do that, but since I work on a cruise ship, all our APs are near metal. PoE is a lifesaver.

douglas.gernat

If in an Active Directory environment, I'm a fan of PEAP+Encryption. Kind of a two factor authentication that can be seamless to the user, and keep non-AD machines off your WLAN.

AnsuGisalas

"- Worse still, one can setup an access point that listens for any device calling out SSIDs and answers "yeah, that SSID is me.. send your password".. and the client device does just that." That's bad!

Neon Samurai

Channel frequencies cross over due to being an analog signal versus a digital. They don't have a hard set on or off but rather ranges where signal is stronger or weaker. If you think of a half circle, the peak may be channel 6 but you're also getting decreasing signal strength bleeding into channels 4, 5, 7, 8. This type of wifi scanner display shows the peak plus the range of channel cross-over: http://maemo.org/downloads/product/Maemo5/wifieye/ Ideally, you want to pick channel 1, 6, or 11 since those provide the greatest separation from each other. For the question attached to yours regarding multiple access points on the same channel: In short, it depends on if you're getting interference from other routers on the same channel or not. I'm not sure about devices set up to extend a wireless coverage area; they may provide config to broadcast the same SSID on the same channel. In general though, you can have multiple different SSIDs broadcasting on the same channel up to the point when you start to sense interference. In a previous place I lived, I'd start to get slow and dropped wifi connections every three to six months as more folks around me bought wifi routers for home. My network would be fine up to a point until there was just too much radio noise (often newer 802.11n routers overpowering my humble 802.11g radio at the time). I'd pop open my wifi scanner, see what channels are least populated and change my router over to that one; poof.. rock solid and fast network connections again.
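The channel-spacing question and answer above can be checked numerically. This added example (not part of the thread) derives 2.4 GHz channel center frequencies, flags which channels in a plan actually overlap, and picks the quietest of 1/6/11 against a scan; the scan results are constructed sample values, not a real survey.

```python
import itertools

# Conservative channel width: the 22 MHz DSSS (802.11b) mask. 802.11g/n OFDM
# channels are 20 MHz wide, so anything flagged here overlaps for them as well.
CHANNEL_WIDTH_MHZ = 22


def center_mhz(channel):
    """Center frequency of a 2.4 GHz Wi-Fi channel. Channels 1-13 sit 5 MHz
    apart starting at 2412 MHz; channel 14 is the odd one out at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(channels):
    """Every pair in a channel plan that interferes with each other."""
    return [(a, b) for a, b in itertools.combinations(channels, 2)
            if channels_overlap(a, b)]


def least_congested(scan, candidates=(1, 6, 11)):
    """Count the scanned networks that bleed into each candidate channel and
    return (quietest channel, counts); lower channel number breaks ties.
    RSSI is carried in the scan for the report but not used in the score."""
    counts = {c: sum(1 for _ssid, ch, _rssi in scan if channels_overlap(c, ch))
              for c in candidates}
    return min(candidates, key=lambda c: (counts[c], c)), counts


# Constructed sample scan: (SSID, channel, RSSI in dBm).
SAMPLE_SCAN = [
    ("Apt-3B", 6, -48),
    ("linksys", 6, -70),
    ("NETGEAR", 3, -62),
    ("HAL", 11, -80),
    ("FBI Surveillance Van #2", 1, -85),
]

if __name__ == "__main__":
    print("1,3,5,7 still collide:", overlapping_pairs([1, 3, 5, 7]))
    print("1,6,11 are clean:", overlapping_pairs([1, 6, 11]))
    best, counts = least_congested(SAMPLE_SCAN)
    print(f"overlap counts {counts}; use channel {best}")
```

Note that channel 3 bleeds into both the channel 1 and channel 6 counts, which is exactly why the "two channels apart" plan still interferes.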

fierascu

I'm curious: what if I have multiple APs and all of them are on the same channels?

Neon Samurai

Most folks I've seen buy a wifi access point, plug it in and think they're done. "What? You mean the factory defaults are wide open?"

jeffrick59

We had great reception on the Zuiderdam Rotterdam deck - NEPTUNE LOUNGE area! The 10 day Caribbean cruise was awesome. The 128k was a little painful but it was flawless. Jeff United Health Care - IT Security

Neon Samurai

Is it just PEAP wrapped in an encrypted connection or is there "what you have" or "what you are" providing the second factor along side the "what you know" password hash value?

Neon Samurai

Another one is simply setting up an access point broadcasting "Free Internet" then watching who jumps on. [AP] [Silent Proxy sniffing traffic] {Internet} And technically, they connected to your network so you may have some legal argument against wire-tap charges for that silent sniffer in the middle. I still wouldn't recommend it without an initial "welcome to Free Internet, all your traffic will be monitored while here" or similar method of assumed permission. Still, it's a possible attack criminals can easily make use of.

jck

Gotta love promiscuous mode...

jck

I set up my old neighbors in FL on wireless, and made sure the laptop that we got them had a card which could do everything it needed. They were going to do some limited shopping on the internet, and I didn't want them getting their info stolen. I helped their friends out too, but the husband was tech savvy to an extent and had read up and figured out how to set up encryption. I guess I got kinda spoiled that I didn't deal with the worst of the end-users.

info

You could still charge them with illegally connecting to an AP that they don't own... ;)

jck

Giving me really evil ideas... the likes of which I haven't had since I worked for that company where I did really cool projects... B-)

Neon Samurai

With ISPs issuing access points that are insecure by default, I see a lot of network SSIDs that scream "five minutes of your time or less". I am happy to report an increase in the use of WPA for non-default SSIDs around home though.