
10 tips for deploying new wireless access points

When you set up a wireless access point, certain basic practices can help you avoid problems. Brien Posey offers his advice for a successful deployment.

Wireless hardware manufacturers have made the process of setting up access points fairly painless, but there are still some best practices you should follow. Here are a few pointers for anyone who is about to deploy a new wireless access point.

1: Avoid placing access points near structural metal

When setting up a new wireless access point, you should install it in a location that will be unlikely to cause radio interference. I once had someone contact me because their wireless network was not working correctly. When I asked them to show me the access point, they led me into the warehouse where the access point sat on top of a steel beam just beneath a metal roof. The surrounding metal was interfering with the signal. Moving the access point took care of the problem. Since that time, I have always advised clients not to place access points in close proximity to structural metal.

2: Use Power over Ethernet when necessary

Many organizations like to place wireless access points on or near the ceiling in an effort to help wireless clients achieve the best possible range. But it can be difficult to get power to the access point. Rather than rely on extension cords (as I have occasionally seen done), consider using Power over Ethernet (PoE). PoE provides the access point with power over unused wires within an Ethernet cable. Special PoE modules at each end of the cable ensure that networking hardware is not exposed to the electricity the cable is carrying.

3: Reset the access point password immediately

The first thing you should do when setting up any new wireless access point is reset the access point's internal password. Otherwise, the access point's configuration interface will be accessible to anyone who knows how to look up the default password on the Internet.

4: Avoid overlapping DHCP scopes

I once ran into a situation in which an organization purchased a second wireless access point to try to provide better wireless coverage. An inexperienced technician was told to set it up just like the other access point. The problem was that both access points were configured with identical DHCP scopes. Fortunately, the access points were smart enough to look for IP address conflicts on the network before assigning any IP leases. Otherwise, the overlapping DHCP scopes could have caused a lot of problems for end users.
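A pre-deployment check for the cloned-configuration mistake described above, written as an added example rather than code from the original article. The access point names and address pools are constructed sample data, and the inventory format is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: AP names and DHCP pools are illustrative only.
SCOPES = [
    {"ap": "ap-office", "start": "192.168.1.100", "end": "192.168.1.149"},
    # Configured "just like the other access point":
    {"ap": "ap-warehouse", "start": "192.168.1.100", "end": "192.168.1.149"},
    {"ap": "ap-lobby", "start": "192.168.1.150", "end": "192.168.1.199"},
    # Partial overlap with ap-lobby:
    {"ap": "ap-annex", "start": "192.168.1.190", "end": "192.168.1.220"},
]


def to_range(scope):
    """Return (first, last) of a pool as integers, rejecting reversed pools."""
    first = int(ipaddress.IPv4Address(scope["start"]))
    last = int(ipaddress.IPv4Address(scope["end"]))
    if first > last:
        raise ValueError(f"{scope['ap']}: start address is after end address")
    return first, last


def find_overlaps(scopes):
    """Compare every pair of pools; return the shared address span for each clash."""
    conflicts = []
    for a, b in combinations(scopes, 2):
        a_first, a_last = to_range(a)
        b_first, b_last = to_range(b)
        lo, hi = max(a_first, b_first), min(a_last, b_last)
        if lo <= hi:  # the two inclusive ranges intersect
            conflicts.append((
                a["ap"], b["ap"],
                str(ipaddress.IPv4Address(lo)),
                str(ipaddress.IPv4Address(hi)),
                hi - lo + 1,
            ))
    return conflicts


if __name__ == "__main__":
    for ap_a, ap_b, first, last, count in find_overlaps(SCOPES):
        print(f"{ap_a} and {ap_b} both lease {first}-{last} ({count} addresses)")
```

Adjacent pools that merely touch (ending at .149 and starting at .150) are not reported, because no address can be leased by both.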

5: Treat wireless connections as insecure

One of the big problems with wireless networks is that a person does not need physical access to your facility to connect to your network. As a result, wireless encryption is a must — but I recommend taking security a step further. Instead of automatically trusting anyone who manages to connect to your wireless network, treat your wireless networks as you would treat an Internet connection. Make wireless users authenticate through a VPN or a similar mechanism before allowing them to access wired network segments.

6: Use meaningful SSIDs

Many IT pros recommend that you do not broadcast your wireless access point's SSID. However, it is fairly easy for a hacker to discover an SSID, even if it is not being broadcast. My recommendation is to use meaningful SSID names. Users who are connecting to your wireless network for the first time should never have to wonder if they are connecting to the right network.

7: Take advantage of built-in security features

Even the cheapest wireless access points come loaded with numerous security features. For example, most access points will allow you to restrict network access by MAC address. Some wireless access points also contain alerting mechanisms that can fire off an email message if someone repeatedly attempts to connect to your network using an incorrect pass phrase. Be sure you check out the security features your wireless access point offers and enable the ones that seem beneficial.
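The repeated-failure alert described above can be reproduced from exported logs when an access point lacks the feature. This is an added example, not code from the original article; the log format, event names, and MAC addresses are constructed, and the threshold and window are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a made-up format: timestamp, event, client MAC.
SAMPLE_LOG = """\
2024-05-01T09:00:01 AUTH_FAIL 02:00:00:00:00:0a
2024-05-01T09:00:20 AUTH_OK 02:00:00:00:00:0a
2024-05-01T09:01:00 AUTH_FAIL 02:00:00:00:00:0b
2024-05-01T09:01:05 AUTH_FAIL 02:00:00:00:00:0b
2024-05-01T09:01:11 AUTH_FAIL 02:00:00:00:00:0b
2024-05-01T09:01:18 AUTH_FAIL 02:00:00:00:00:0b
2024-05-01T09:01:24 AUTH_FAIL 02:00:00:00:00:0b
2024-05-01T09:01:30 AUTH_FAIL 02:00:00:00:00:0b
truncated line
2024-05-01T09:10:00 AUTH_FAIL 02:00:00:00:00:0c
2024-05-01T09:12:00 AUTH_FAIL 02:00:00:00:00:0c
"""


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one (mac, failures, first_seen, last_seen) alert per burst."""
    recent = defaultdict(deque)  # mac -> failure timestamps inside the window
    alerted = set()              # macs already reported for the current burst
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue             # skip malformed or truncated lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        event, mac = parts[1], parts[2].lower()
        if event == "AUTH_OK":   # a mistyped passphrase followed by success
            recent.pop(mac, None)
            alerted.discard(mac)
            continue
        if event != "AUTH_FAIL":
            continue
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # drop failures older than the window
        if len(q) < threshold:
            alerted.discard(mac)  # burst ended; allow a future alert
        elif mac not in alerted:
            alerted.add(mac)
            alerts.append((mac, len(q), q[0].isoformat(), ts.isoformat()))
    return alerts
```

Counts are keyed on the client MAC address, which is supplied by the client, so a per-access-point failure total is a useful second counter.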

8: Connect access points to a UPS

If I had to give one piece of advice to a wireless network administrator, it would be to connect all wireless access points to backup batteries (UPSes). If the power fails, wireless users will get knocked off the network.

To see why this is such a big deal, forget about major power failures for a moment. Suppose that the power cuts out for only a second or two. That's usually long enough to disconnect a wireless session. And since a lot of the people who are using the wireless connection are doing so from battery-powered laptops or mobile devices, they could be completely oblivious to the power blip. Most wireless hardware will automatically reestablish a lost connection, but if you require users to authenticate prior to connecting to any backend network resources, they could be locked out until they reauthenticate. This could lead to numerous help desk calls from confused users.

9: Adjust the signal strength if possible

Some wireless access points will allow you to adjust the signal strength through a Web interface. While it is tempting to use the maximum signal strength, do you really need to broadcast a wireless signal across the parking lot? Consider where your wireless network boundaries should be and then adjust your signal strength accordingly.

10: Take the time to fill out the warranty card

It may seem like a cliché, but take the time to fill out the warranty card that comes with your new access point. Maybe it's just bad luck, but I haven't had much success with access point longevity. My access points always seem to give out after six months to a year. Filling out the warranty card has on occasion saved me the expense of purchasing a new access point.

About

Brien Posey is a seven-time Microsoft MVP. He has written thousands of articles and written or contributed to dozens of books on a variety of IT subjects.
