With the growth of wireless networking, a very common question we hear is “How should I secure my WLAN?”
Well, as I said in my last post, “It Depends”.
What are you looking to do? Do you have administrative control of the devices that are going to be on the network? Do you have AAA, or want to implement it? What about PKI? Oh, and my favorite question: is your LAN secure?
Don’t get me wrong, I love a well-oiled EAP-TLS environment (PKI is required here, folks; it is not optional). But if I can walk in, connect my laptop to the LAN and get access to your network, what’s the point in securing the wireless?
I am by no means saying that you should have a completely open wireless network. The exception is guest, which needs to be open and ACL’d to high heaven so that it has internet access only. You need to have a secured wireless network, with encryption at a minimum.
So notice I said encryption at a minimum.
WEP, TKIP and AES-CCMP are encryption methods. PSK or, even better, 802.1X are authentication methods.
PSK is a shared key. Think of this like the password to your clubhouse as a kid. It could be overheard and anyone could have it.
802.1X uses either credentials (usually domain) or certificates (PKI). Everyone has been trained to not share their domain login.
So decide how much you want to invest in your security: PSK is minimal, TLS is high. And remember to secure all of your layer 1.
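The split between encryption and authentication is visible in what an access point advertises: the RSN element in its beacons lists cipher suites and authentication (AKM) suites as separate fields. The following Python parser is an added example, not code from the original post; the two sample element bodies are constructed, and the function names are hypothetical.

```python
import struct

# Added example: suite selectors from the 802.11 RSN element (OUI 00-0F-AC).
OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suites(buf, off, names):
    """Read a 2-byte count followed by that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + 4 * count > len(buf):
        raise ValueError("truncated RSN element")
    out = []
    for _ in range(count):
        sel = buf[off:off + 4]
        out.append(names.get(sel[3], "unknown") if sel[:3] == OUI else "vendor")
        off += 4
    return out, off

def parse_rsn(body):
    """Parse the body of an RSN element (after element ID and length bytes)."""
    if len(body) < 6:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    grp = body[2:6]
    group = CIPHERS.get(grp[3], "unknown") if grp[:3] == OUI else "vendor"
    pairwise, off = _suites(body, 6, CIPHERS)   # encryption
    akms, off = _suites(body, off, AKMS)        # authentication
    return {"group": group, "encryption": pairwise, "authentication": akms}

def review(rsn):
    """Flag deprecated ciphers and shared-key authentication."""
    notes = []
    weak = {"WEP-40", "WEP-104", "TKIP"}
    if weak & set(rsn["encryption"] + [rsn["group"]]):
        notes.append("legacy cipher enabled")
    if "PSK" in rsn["authentication"]:
        notes.append("shared key: anyone who learns it can join")
    return notes

# Constructed sample bodies, not captured traffic.
PSK_MIXED = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
DOT1X_CCMP = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
```

Calling `review(parse_rsn(PSK_MIXED))` reports both findings, while the 802.1X/CCMP sample reports none.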
So one of the most common questions I hear is “How many APs do I need?”
The honest answer here is, It Depends. And believe it or not, this is a very common answer with regard to wireless.
What are you looking to accomplish with your wireless? Data or Voice usage? High Density? Video? All of these are questions that need to be addressed prior to being able to determine a “number”.
But on that, the “number” isn’t what matters here. What matters is the user experience.
If we, as wireless engineers/architects/monkeys/whatever, just give you a number then we are doing you a great disservice.
On top of the “number” we also need to talk about where we can mount the APs, how high, and whether we need to hide the AP and just have an antenna visible: all the aesthetics that you, as the customer, may require from us. We also need to talk about signal propagation, penetration, diffraction, and attenuation.
For example:
I have a customer that had enough APs to cover each floor of his building. The problem was, access to the wireless was horrible. (Told you the number wasn’t important!!) When I started digging into his configuration, I found that all of his APs were at maximum power. In wireless networking, the client is what determines which AP it will connect to, not the AP/WLC. Yes, we can attempt to influence this, but ultimately it’s the client and its driver that will decide.
So why is an AP at maximum power bad? Well, at any given time clients were hearing 3-4 APs. While this isn’t necessarily a bad thing, it also depends on how well each AP is being heard. In this case the client was hearing an AP across the building, the signal was still decent, and the client decided it would stay on that AP rather than roam to an AP that was closer. What do you get when that happens? Really, really slow throughput, which tends to make for a bad user experience.
Part of what we wireless engineers do is work to limit the cell size of any given AP, so that you don’t hang onto an AP that is farther away and are able to maintain good throughput.
Yes, this is an older image that doesn’t go into 802.11n/ac rates, but the theory is the same. Lower data rates, if enabled, carry really far, and this was part of the problem the clients were seeing. They stayed connected far past the point where “we think they should have roamed”. The clients’ drivers believed they had a good enough signal to work, and they did, just at very, very slow rates. My recommendation to my customer: turn the power down and disable the lower data rates. This was done on a test floor, and on that floor things got better.
Years ago, the number of APs “really mattered” and was the focus of conversations. APs were installed sparsely, with their power on high. This was how wireless networks were designed; right or wrong, it’s the past.
Now we know better and design better. We use more APs, disable lower data rates and turn the power down to keep the cell sizes small. We do all of this to keep clients connected to the network at their highest possible speed. We do this so that your clients are able to connect to your network and get work done. We do this so that your users have a good experience on wireless.
But for those that are looking for numbers, it depends.
*1 image is from here http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bfed06.shtml