There is an almost infinite number of ways you can configure
your wireless network, depending on how many components you can lay your hands
on, but the following are the most likely variants.

  • Public campus
  • Wireless bridge
  • SOHO network
  • Internal wireless network
  • Internal wireless network secured by VPN
  • Public hot spot attached to a private LAN

I’ll take you through each variation and give you some
pointers on how to boost your performance.

Public campus

This is what a community would use to make a public hot spot.
As illustrated in Figure A, the network is
completely open and there is no private LAN. A wireless router provides DHCP
and NAT, but no encryption or access controls are applied. Additional access
points are deployed to extend range and coverage. Keep in mind that as you
increase the number of access points connected to your router, the bandwidth
available to each client decreases even as the number of clients you can
support increases.

If you’re mounting access points outside of buildings, you
should use weatherproof storage with proper grounding. Antennas should be rated
for external use, and you should consider using devices equipped with power
over Ethernet (PoE) to avoid additional electrical wiring.

Figure A

Wireless bridge

This is a typical corporate campus situation where a
wireless link is used to extend a wired network to another facility. As Figure B illustrates, two wireless
access points or routers are installed, usually outside, and set to bridge
mode. While bridging, the access points will not communicate with other
clients. The bridge scenario should be protected by WEP and WPA, as well as a
VPN.

Figure B

Wireless bridges are a useful backup plan for outdoor
events. A convention hall or seminar might find a wireless bridge a convenient
alternative to running the copious amounts of cables needed for DSL or dial-up
lines. Wireless bridges are one of the few cases where the high-speed 802.11g
variants make sense. There’s no extra effort in acquiring compatible devices,
and the additional bandwidth will be welcomed. As an added bonus, the lack of
compatibility provides an extra hurdle for attackers. While security through
incompatibility is not something to rely on, it’s a nice bonus.


“Extended” 802.11g

There are a number of devices that use manufacturer-specific
modifications to get additional performance out of clients. These
configurations include switching to an Orthogonal Frequency Division
Multiplexing-only mode (OFDM) to eliminate the Complementary Code Keying (CCK)
overhead; changing the Request to Send / Clear to Send (RTS/CTS) signals to
eliminate the OFDM flag; using optimized packet sizes; adjusting the signal
timings; and bonding multiple channels for additional bandwidth and possibly
data compression.

While this looks good on paper, such a network will function only
when every device is from that particular manufacturer. Given the proliferation
of integrated Wi-Fi solutions in laptops, the odds of having a homogeneous
network are somewhere between nil and laughable. The only plausible use for
these devices is as a wireless bridge, where two access points are used to
connect disparate networks.


SOHO configuration

This is the most common configuration of a wireless router.
As Figure C shows, computers
immediately adjacent to the router should be connected via Ethernet, especially
shared resources such as file servers. This will increase the available wireless
bandwidth. On some wireless routers, you can restrict the Web administration
page to Ethernet connections, limiting the impact of a digital break-in.

Figure C

The weakness of this configuration is that it doesn’t lend
itself to visitor access. While there are routers that provide RADIUS-like WPA
services for guest access, this often requires special client software to be
installed and will not work on the multitude of non-WPA 802.11b devices.
Sharing WEP keys is also not an easy option since it requires reconfiguration
once your guests leave.

You might consider adding an 802.11b access point slaved to
an Ethernet port on the wireless router. Be careful, though, because most
wireless routers have limited configuration options and don’t have the option
of creating isolated subnets or true demilitarized zones (DMZs). If the DMZ
access point can still see other computers on your network, you’ll need to
upgrade to a full router. If it works, be sure to set the routers to different channels,
preferably 1 and 11.

Internal Wi-Fi

The first use of an access point tends to be extending an internal
network without adding more wiring. As Figure D shows, using WPA and MAC-based
access control lists provides a margin of security, but not one that I’d put
complete trust in. Instead, I recommend that you install a VPN and skip ahead to
the next configuration.

Figure D

Internal Wi-Fi + VPN

Internal Wi-Fi + VPN (Figure E) requires all wireless clients to use WPA and be
on the access control list, but it adds a virtual private network (VPN) system
to give an additional layer of security. A VPN has two distinct advantages over
WPA:

  • VPN has been tested significantly by hackers for several years, unlike the
    relatively new WPA.
  • A VPN can easily be upgraded without requiring a hardware change. Several
    free open source VPN options enable you to change your security rapidly
    and inexpensively should a vulnerability be discovered.

Figure E

VPN on the cheap

There are volumes written on setting up a virtual private
network. The following are some inexpensive VPN solutions to consider adding to
your technical toolkit:


Publicly accessible hot spot with a private LAN

This is the kind of public connection you’d find in a coffee
shop or airport. Anyone can access the network, but the facility’s LAN is
inaccessible from the wireless point without making a VPN connection.

As you can see in Figure F, you must place the wireless router in a proper DMZ,
where it is functionally outside your network. Some low-end routers provide a
DMZ option that merely directs all incoming requests to the DMZ port. A true DMZ
is located outside your firewall and may or may not be completely exposed to the
Internet. In this configuration, you should provide some basic firewall and NAT
protection from your primary router to maximize your security.

Figure F

I recommend using a wireless router instead of an access
point so you can use port filtering to prevent guests from running servers, and
block access to everything except the VPN after normal business hours.
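The filtering policy just described, and the isolation check the SOHO section suggests ("can the DMZ access point still see other computers on your network?"), can be written down and tested before you touch a router. The following is an added example written for this page, not code from the article: it models the primary router's rule chain for the Figure F layout and compares it with a low-end router's "DMZ host" option, which forwards inbound traffic but does nothing to keep the DMZ away from the LAN. All addresses, the VPN ports (OpenVPN and IPsec are assumed choices) and the opening hours are constructed values, not taken from the article.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addressing for the hot-spot-in-a-DMZ layout; none of
# these values come from the article. The guest router sits in the DMZ, the
# facility LAN is behind the primary router, and the VPN gateway lives on the LAN.
GUEST_NET = ip_network("192.168.100.0/24")      # wireless hot-spot clients
PRIVATE_LAN = ip_network("10.0.0.0/24")         # private LAN, reachable only via VPN
VPN_GATEWAY = ip_address("10.0.0.5")            # assumed VPN concentrator address
VPN_SERVICES = {("udp", 1194), ("udp", 500), ("udp", 4500)}  # OpenVPN, IKE, IPsec NAT-T
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed opening hours


@dataclass(frozen=True)
class Flow:
    """The first packet of a new connection as seen by the primary router's filter."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    at: time     # wall-clock time the connection is attempted


def in_business_hours(t):
    start, end = BUSINESS_HOURS
    return start <= t < end


def decide(flow):
    """Filtering policy for the Figure F layout. Returns ("accept" | "drop", reason);
    rules are evaluated in order, like a firewall chain."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # 1. Nothing may open a connection *to* a guest client, so guests cannot run
    #    servers reachable from the LAN or the Internet (the "prevent servers" filter).
    if dst in GUEST_NET:
        return "drop", "inbound connection to guest client"
    # 2. The only way from the hot spot into the private LAN is the VPN service,
    #    and that is allowed at any hour so staff can still get in after closing.
    if src in GUEST_NET and dst in PRIVATE_LAN:
        if dst == VPN_GATEWAY and (flow.proto, flow.dport) in VPN_SERVICES:
            return "accept", "vpn"
        return "drop", "guest to private lan"
    # 3. Outside business hours the guest network gets the VPN and nothing else.
    if src in GUEST_NET and not in_business_hours(flow.at):
        return "drop", "after hours, non-vpn"
    # 4. During business hours guests may reach the Internet.
    if src in GUEST_NET:
        return "accept", "guest to internet"
    # Traffic that does not touch the guest network is outside this filter's scope.
    return "accept", "not guest traffic"


def decide_dmz_host_option(flow):
    """What a low-end router's 'DMZ host' option gives you: inbound Internet traffic is
    steered to the DMZ port, but nothing isolates the DMZ from the LAN. Modelled as
    'accept everything' because that is what the guest network effectively sees."""
    return "accept", "no lan isolation"


def lan_leaks(policy, flows):
    """The isolation check: which attempted connections would the given policy let
    into the private LAN other than through the VPN gateway?"""
    leaks = []
    for f in flows:
        verdict, _ = policy(f)
        via_vpn = ip_address(f.dst) == VPN_GATEWAY and (f.proto, f.dport) in VPN_SERVICES
        if verdict == "accept" and ip_address(f.dst) in PRIVATE_LAN and not via_vpn:
            leaks.append(f)
    return leaks


# Constructed probe set: a guest laptop trying the file server, SSH on the VPN box,
# the VPN itself after hours, the web during and after hours, and a LAN host
# trying to reach a guest client.
PROBES = [
    Flow("192.168.100.20", "10.0.0.10", "tcp", 445, time(10, 0)),     # guest -> file server
    Flow("192.168.100.20", "10.0.0.5", "tcp", 22, time(10, 0)),       # guest -> ssh on VPN box
    Flow("192.168.100.20", "10.0.0.5", "udp", 1194, time(22, 0)),     # guest -> VPN, after hours
    Flow("192.168.100.20", "203.0.113.10", "tcp", 443, time(10, 0)),  # guest -> web, daytime
    Flow("192.168.100.20", "203.0.113.10", "tcp", 443, time(22, 0)),  # guest -> web, after hours
    Flow("10.0.0.10", "192.168.100.20", "tcp", 80, time(10, 0)),      # LAN -> guest client
]

if __name__ == "__main__":
    for f in PROBES:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.at}: {decide(f)}")
    print("leaks with proper DMZ filter:", len(lan_leaks(decide, PROBES)))
    print("leaks with 'DMZ host' option:", len(lan_leaks(decide_dmz_host_option, PROBES)))
```

The probe list is the part worth keeping around: run the same set of attempted connections from a laptop on the guest side whenever the router is replaced or its firmware is upgraded, and the expected answer for every probe is already written down.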

Squeezing out the last Kbps

Once you have your network established, there are a few
things you should do. First, conduct a complete feature inventory. Wherever you
can lock a configuration on the access point, you can increase performance by
reducing processing load.

This performance boost extends to clients. You can improve
the performance of stationary clients by locking their transfer rates. This may
occasionally deny a client a better transfer rate than the locked one, but the
act of negotiation often slows down connections or causes packet loss when the
connection rate increases beyond what the environment can sustain.

If you’re configuring a g-only network, disable 802.11b
support and switch to short preambles to reduce network overhead; use OFDM to
transmit the RTS/CTS instead of direct-sequence spread spectrum (DSSS). While doing
so will consume some of that reduced overhead, I’d also set all devices to use Advanced
Encryption Standard (AES) for an extra layer of security.

Consider using USB 2.0 adapters where PCs are kept beneath
desks. Remember that solid objects reduce signal strength and thus transfer
speeds. By using an external adapter mounted on the desk, you’ll significantly
increase the performance of the client. Be sure to put the adapter on its own
USB 2.0 controller to prevent bus conflict. If you have to put multiple devices
on the same controller, be sure they are all USB 2.0 devices, or else you’ll
limit your wireless adapter to less than 11 Mbps.

When configuring multiple access points, be sure to use the
non-overlapping channels. If you’re deploying only two access points whose
coverage overlaps, set them to channels 1 and 11. Signal bleed is not unheard
of, so the more dead air you put between the transmission channels, the better.
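Why 1, 6 and 11 (or 1 and 11 for two) are the right choices follows directly from the 2.4 GHz channel layout: centres 5 MHz apart, a DSSS signal roughly 22 MHz wide. The following is an added example, not code from the article, that derives the non-overlapping set from those numbers and then assigns channels to a set of access points that can hear each other, as in the SOHO and multi-AP sections above. It goes slightly beyond the text by also handling the 20 MHz OFDM case for a g-only network and the 13-channel European allocation; the AP layout is constructed, and the function names are my own.

```python
def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: 1-13 are 5 MHz apart, 14 is offset."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(ch_a, ch_b, width_mhz=22):
    """Two channels overlap when their centres are closer than the occupied width.
    802.11b DSSS occupies about 22 MHz, 802.11g OFDM about 20 MHz; the default
    assumes b clients may be present, which is the conservative choice."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < width_mhz


def nonoverlapping_channels(highest=11, width_mhz=22):
    """Lowest-first greedy pick of mutually non-overlapping channels up to `highest`
    (11 for the US allocation, 13 for most of Europe)."""
    chosen = []
    for ch in range(1, highest + 1):
        if not any(overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def adjacent(ap, links):
    """Access points whose coverage overlaps with `ap`, from the (ap, ap) link list."""
    return {b if a == ap else a for a, b in links if ap in (a, b)}


def plan_channels(links, candidates=(1, 6, 11)):
    """Assign channels so that access points that can hear each other differ.
    `links` lists (ap, ap) pairs whose coverage areas overlap; this is greedy
    graph colouring, most-neighbours first. Raises ValueError when the candidate
    channels cannot separate a cluster of mutually overlapping APs."""
    aps = {a for link in links for a in link}
    degree = {a: len(adjacent(a, links)) for a in aps}
    assignment = {}
    for ap in sorted(aps, key=lambda a: (-degree[a], a)):
        used = {assignment[n] for n in adjacent(ap, links) if n in assignment}
        free = [c for c in candidates if c not in used]
        if not free:
            raise ValueError(f"{ap}: all of {candidates} are taken by its neighbours")
        assignment[ap] = free[0]
    return assignment


def conflicts(assignment, links, width_mhz=22):
    """Verification pass: neighbouring APs whose assigned channels still overlap."""
    return [(a, b) for a, b in links if overlaps(assignment[a], assignment[b], width_mhz)]


if __name__ == "__main__":
    # Constructed layout: four APs along a corridor, each hearing only its neighbours.
    corridor = [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4")]
    plan = plan_channels(corridor)
    print(plan, "conflicts:", conflicts(plan, corridor))
    print("b/g mixed, US:", nonoverlapping_channels(11, 22))
    print("g only, EU  :", nonoverlapping_channels(13, 20))
```

A site survey supplies the link list: any two access points that can see each other's beacons at a usable signal level get an entry. When `plan_channels` raises, the fix is physical (move an AP or lower its transmit power) rather than a different channel, because three non-overlapping channels cannot separate four APs that all hear one another.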

Finally, use the latest drivers, firmware, and operating
system patches. A firmware upgrade can reduce dropped packets, add new
features, or improve efficiency, while drivers can offload math-intensive
functions to the processor for quicker operation. Current operating
systems also have native support for Wi-Fi, creating common calls that all drivers
will use. Windows XP SP2 and the Mac OS X update 10.3.5 both include
improvements to wireless networking.