From businesses to coffee shops to convention centres, it seems everyone is going wireless these days.
The convenience of connecting to corporate networks and the Internet without plugging into the wall is undeniably attractive, but the lack of wires doesn’t mean there are no strings attached.
Wireless networking yields major benefits of convenience and lower cost if you do it right, but ignoring important fundamentals can send you into a death spiral of poor performance, negligible ROI, and porous security. The difference between success and failure lies in planning, and in understanding the technology and the possible pitfalls.
“Our mantra is look at the technology, look at the business problem, architect a solution,” says Richard Siber, partner in the U.S. wireless practice of consulting firm Accenture. “Write a business plan that says here’s the problem, here’s what we think the solution is, and then roll out a small application that can be used to test the business case before you go any farther.”
The first step should be the same as for any technology project, adds Shaun Leech, practice leader for wireless and messaging at CGI Group Inc., a Montreal-based information technology consulting firm. “Do the due diligence. Find out who needs it and what they need it for – you should be answering all the questions.”
While the CIO needn’t be concerned with all the technical details, planning a move into wireless means understanding the prevailing standards.
The most common wireless network specification in use today is the IEEE 802.11b standard, more popularly called WiFi. It can carry data at 11 megabits per second, and is the basis of most existing wireless local-area networks and the hotspots that let you connect to the Internet in many coffee shops, airports, hotels and other public places.
Eleven megabits is respectable, but in an era of 100-megabit wired connections to the desktop, it isn’t enough for everyone. Two faster versions of WiFi are contending to be the successor. Both 802.11g and 802.11a theoretically handle 54 megabits per second – still slower than many hardwired connections, but good enough for most purposes. The big difference between them is that the former has greater range and uses the same radio frequencies as 802.11b, so the two are compatible, while the latter uses a different frequency band and is not compatible with the existing standard. It does, however, have more channels, which makes it possible to pack more access points into a given area.
Enn Martin, director of consulting services, business development-wireless at CGI, says he would recommend 802.11g to most organizations because of compatibility.
Brent Nixon, product line manager at wireless networking vendor 3Com Corp. of Marlborough, Mass., says more and more customers are deploying 802.11g. They like the compatibility aspect and the longer range, he says, and can make do with the smaller number of channels by planning their installations carefully. It’s becoming increasingly common to see wireless network cards that support both of the new contenders, Nixon adds. And since 802.11g and 802.11b are compatible, such a card can connect to all three types of access point.
Besides the standards described above, there are also proprietary wireless technologies, often used for point-to-point connections such as linking two office buildings a few kilometres apart. For example, the City of Vaughan, near Toronto, uses point-to-point wireless links to carry traffic between buildings where laying cable would have been too costly, says the city’s CIO, Dimitri Yampolsky.
Planning an installation
Having chosen a technology, the next move is planning the installation. This begins with understanding your needs.
For the Metropolitan Toronto Convention Centre, those needs were complex indeed. The centre’s two buildings house a combination of exhibit halls, conference space and offices, and a recently installed wireless LAN had to reach virtually every corner of the facility. In addition, wireless connections had to be provided not only to centre staff, but also to those using the facility – exhibitors and attendees at the trade shows and conferences.
“The network is very dynamic,” says Bill McDonald, director of technology services at the convention centre. “We have meeting rooms, we have large exhibit spaces – and who uses them at any one time, and how they use them, is subject to a lot of variance.”
Some large conferences occupy the entire facility, while at other times four to six separate events may go on in different parts of the building. McDonald needs to segment the wireless LAN so that each event has its own virtual network. Convention centre staff also use the LAN, and they need access to internal systems not accessible to visitors.
To further complicate things, both buildings of the convention centre have multiple floors, and the south building is almost entirely underground. “It’s the opposite of an easy building, which would be a great big open warehouse,” McDonald says. “We really had to look carefully at how we were going to achieve the needed flexibility in a building of this nature.”
The solution was a wireless LAN with strong central management. The technology, from Boston-based Chantry Networks Inc., makes it possible to reconfigure virtual LANs quickly.
“Through a central management point we can control the network, so we can protect the virtual networks from infringing on one another,” says McDonald. “That’s very important just from a system-load point of view. You don’t want a big guy clobbering a little guy, or a little guy clobbering a big guy.”
Coping with the centre’s complex design was simply a matter of care and patience in laying out the network infrastructure, McDonald adds. “You have to do your planning, do your signal testing.”
A good site survey is critical to any wireless network’s success. The purpose of the site survey is to determine the best places to put wireless access points, and this requires studying the layout of the building to identify likely obstacles to wireless signals and sources of interference, working out a tentative layout, and then testing it by placing access points, measuring signal strength, and adjusting as needed.
“You can do a site survey very quickly and get limited results,” warns 3Com’s Nixon, “or you can do it very thoroughly, and find that in the long run it’s worth doing.” 3Com recommends that its customers work with resellers who have experience in doing site surveys.
Both indoor wireless LANs and point-to-point wireless links between buildings require a site survey for best results, but the procedures are a bit different.
The first step in a LAN site survey is to look over all the area the LAN will cover and note the obvious problems. For example, elevator shafts and sheet metal cause problems for wireless signals. Such obstacles need access points on both sides.
“We found that in older buildings where there are a lot of concrete walls, the signal will not go through,” says the City of Vaughan’s Yampolsky. “Even in new buildings, if you have metal studs inside the drywall, that’s an issue.”
Various types of devices, from generators to microwave ovens, can cause interference, so access points shouldn’t be placed near them. Some problems may be seen at a glance, but others may not be very obvious. Matthew Hyson, director of technology development at Mississauga, Ont.-based network consulting firm Wireless Friendly Inc., says it’s wise to have a technician walk around with a spectrum analyzer looking for excessive radio-frequency noise.
Having devised a rough plan for placing access points, the next step is to place them temporarily and test. Simply moving around the area with a wireless device looking for areas of poor coverage will help identify cases where an access point needs to be moved. If this process discovers gaps in coverage, adjusting the positions of access points or adding more may help. Another option is to attach a higher-gain or directional antenna to extend the reach of an access point. Placing access points on the ceiling may give better results than mounting them on walls.
In some installations, issues discovered in the initial site survey aren’t the only ones that need to be dealt with. The Metro Toronto Convention Centre, for instance, hosts trade shows with large displays that may interfere with wireless signals. The automotive show is a case in point. “It’s amazing what the Ford sign does to an RF signal,” notes Chris Taylor, the centre’s telecommunications manager.
Here again, central control paid off for the convention centre. Signal strength and direction of individual access points can be adjusted from a central console. “When we were doing our vendor selection that was a very important factor,” says McDonald. “It would drive us crazy any other way.”
Choosing channels is also critical. The 802.11b standard has 11 separate channels that access points can use, but only three do not overlap. Relying on the non-overlapping channels is usually the best option. Software designed to aid in site surveys – available from access-point vendors and other suppliers – can show all the access points in an area and where channels overlap.
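The arithmetic behind "only three do not overlap", as an added example that is not part of the original article. It assumes the standard 2.4 GHz plan (channel 1 centred at 2412 MHz, 5 MHz between channel centres, 22 MHz channel width); the access-point names and the survey data are constructed.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22   # width of one 802.11b channel (assumed, see lead-in)
CHANNEL_STEP_MHZ = 5     # spacing between adjacent channel centres
CHANNELS = range(1, 12)  # the 11 channels the article refers to

def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (channel 1 = 2412 MHz)."""
    if channel not in CHANNELS:
        raise ValueError(f"channel {channel} outside 1-11")
    return 2412 + CHANNEL_STEP_MHZ * (channel - 1)

def overlap(a, b):
    """True when the 22 MHz bands of channels a and b overlap."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_set():
    """Pick channels from 1 upward, keeping each one clear of those chosen."""
    chosen = []
    for ch in CHANNELS:
        if all(not overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def conflicts(plan, in_range):
    """AP pairs that hear each other and sit on overlapping channels.

    plan maps AP name to channel; in_range holds frozenset pairs of APs
    found to be within radio range of each other during the survey.
    """
    found = []
    for a, b in combinations(sorted(plan), 2):
        if frozenset((a, b)) in in_range and overlap(plan[a], plan[b]):
            found.append((a, b, plan[a], plan[b]))
    return found

# Constructed survey data: four hypothetical access points.
PLAN = {"hall-a": 1, "hall-b": 3, "lobby": 6, "office": 11}
IN_RANGE = {frozenset(p) for p in [("hall-a", "hall-b"),
                                   ("hall-b", "lobby"),
                                   ("lobby", "office")]}

if __name__ == "__main__":
    print("clear set:", non_overlapping_set())
    for a, b, ca, cb in conflicts(PLAN, IN_RANGE):
        print(f"overlap: {a} (ch {ca}) and {b} (ch {cb})")
```

Moving the hypothetical hall-b access point to a channel that clears both of its neighbours is not possible here, which is the practical reason plans stay on the three clear channels.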
For outdoor point-to-point wireless links, site surveys are mainly concerned with ensuring an unobstructed line of sight between transmitters. But keep in mind that you must consider not just current but future obstacles. The City of Vaughan had to relocate a transmitter when the trees between two buildings grew up and blocked the line of sight.
Yampolsky also notes that weather can cause problems with outdoor wireless connections. “You have to make sure the mounting hardware is rigid enough to withstand weather, because if the antenna or the transmitter moves just a little bit, you’re going to lose the quality of transmission.”
Getting a handle on security
One of the biggest issues surrounding wireless networks is, of course, security.
According to Keith D’Sousa, senior manager of risk and advisory services at consulting firm KPMG LLP in Toronto, the first step to appropriate security is to assess the risks. How will the wireless network be used? What information will travel over it? How sensitive is that information? What are the risks to which the information will be exposed? Once these risks have been determined, then decide what level of security is needed.
“Cost-benefit analysis would probably be the best way of looking at it,” says D’Sousa. “What kind of costs are going to be involved in implementing this solution based on your risk assessment?”
Improperly secured wireless networks are an open invitation to intruders. Because the technology is simple to install, unauthorized or “rogue” access points spring up in many organizations, often installed by well-intentioned power users with no thought of security precautions. And to further complicate matters, the basic security standard for wireless LANs until fairly recently – Wired Equivalent Privacy (WEP) – was not very secure.
“It’s so cheap to buy the technology these days that it’s not unusual for [users] to go off and do their own thing,” notes D’Sousa. Anyone can buy a wireless access point at a computer or office-supply store for around $100 and plug it into an existing network. That means that even organizations that don’t officially use wireless networks may have rogue access points springing up in their offices. Installed by end users, these access points often don’t even have basic WEP security turned on.
D’Sousa says every organization needs a clear policy stating that the IT department must be consulted and involved in any wireless deployment.
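One way to back such a policy with a routine check, as an added example that is not part of the original article: compare what a wireless scan sees against the IT department's inventory and flag access points that are unlisted or running with WEP or no encryption. The inventory, the scan rows and the CSV column names are constructed assumptions, not the export format of any real tool.

```python
import csv
import io

# Constructed inventory of access points approved by IT (BSSID -> SSID).
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}

# Constructed scan export; the column names are hypothetical.
SCAN_CSV = """bssid,ssid,channel,encryption
00:11:22:33:44:01,corp-wlan,1,WPA
00:11:22:33:44:02,corp-wlan,6,WEP
02:AA:BB:CC:DD:10,linksys,6,NONE
02:AA:BB:CC:DD:11,corp-wlan,11,WPA
,broken-row,1,WPA
"""

# Settings the article treats as inadequate for a corporate LAN.
WEAK = {"NONE", "WEP"}


def audit(scan_text, authorized):
    """Return {bssid: [issues]} for every access point that needs follow-up."""
    known = {bssid.lower() for bssid in authorized}
    report = {}
    for row in csv.DictReader(io.StringIO(scan_text)):
        # Normalise case so 02:AA:... and 02:aa:... compare equal.
        bssid = (row.get("bssid") or "").strip().lower()
        if not bssid:
            continue  # skip malformed rows with no hardware address
        enc = (row.get("encryption") or "").strip().upper()
        issues = []
        if bssid not in known:
            issues.append("not in IT inventory")
        if enc in WEAK:
            issues.append(f"encryption {enc}")
        if issues:
            report[bssid] = issues
    return report


if __name__ == "__main__":
    for bssid, issues in audit(SCAN_CSV, AUTHORIZED).items():
        print(bssid, "->", "; ".join(issues))
```

A scan only sees radios within range of where it was taken, so the check has to be repeated across the premises to be meaningful.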
The problem with hotspots
Even in organizations without their own wireless LANs, security policies should take into consideration the proliferation of public wireless hotspots. Should employees use them for business purposes? Newer notebook PCs come equipped with the wireless technology to use hotspots, so it’s no longer enough just to avoid adding wireless cards to company machines.
Hotspots are insecure and should be used with care, cautions Diana Kelley, a security technology strategist with Computer Associates International Inc. of Islandia, N.Y. She recommends equipping notebooks with the ability to encrypt any traffic sent over a hotspot. Corporate systems can also be set up to require extra authentication when a user connects from an unusual location such as a hotspot.
Wireless networks need encryption if they are to be secure. WEP, the original encryption standard for 802.11b networks, is generally considered to be weak encryption that is too easily broken. “It’s not horrible,” Kelley says, “but it’s certainly not the best we could have done.” WEP may be adequate for home users, Kelley says, but corporate LANs need stronger security.
Improving security features
Fortunately, WEP is being supplanted by a better standard. The Wi-Fi Alliance, an industry body formed to promote 802.11 standards, has developed Wi-Fi Protected Access (WPA). It constructs encryption keys in a different way that makes them more secure than in WEP, and it also provides LAN access control capabilities.
“WPA is more secure than WEP,” says Martin at CGI, “but somebody who really wants to break in will be able to do so.” Martin recommends that all wireless connections use virtual private network (VPN) technology. Popular for remote dial-up connections, VPN uses software on both the PC and the server to encrypt traffic traveling over a public network.
Another security advance is not far away. WPA is a subset of a security standard called 802.11i that is now in its final stages of development. Expected to be ratified by the middle of this year, 802.11i will include everything that is in WPA plus some added features. In particular, it will use a new and improved encryption technique known as the Advanced Encryption Standard (AES). The disadvantage of AES is that not all existing wireless networking hardware will be able to support it. This may lead some organizations to stick with WPA for the time being.
When WEP was the only encryption available, many organizations placed their wireless networks in the “demilitarized zone” outside corporate firewalls, so that even if an intruder broke in, he did not automatically have access to everything on the broader network. This practice may be less necessary with the advent of better standards, but it can still be a good idea.
Layered security provides additional lines of defence. Using a security token that must be plugged into a computer before it can connect to the wireless network provides one such layer.
At the City of Vaughan, explains Yampolsky, “once you have access to the network, the next thing is to gain access to the resources that are on the network, and that requires authentication.” The exception is a wireless hotspot the city has set up at its public library. No authentication is required to connect there, but the service provides access only to the Internet and to public information such as library catalogues.
The Metro Toronto Convention Centre also puts all wireless traffic through an authentication server, requiring each user to enter an ID and password.
Wireless network security is better understood than it was a few years ago, D’Sousa says, but there is still room for improvement. “I don’t think awareness is as high as it needs to be. You can never have enough security awareness.”
In fact, awareness is the key to success with wireless. Proper attention to the issues – from thinking through the business case, to choosing the right technology, to securing the network adequately – will help ensure that your high-wireless act doesn’t lead to a nasty fall.
Grant Buckler is a freelance writer specializing in information technology and IT management. He is based in Kingston, Ontario.