If you set up Wi-Fi networks for your clients with any degree of regularity, you've probably come across security setup issues of your own. Sometimes, WPA (Wi-Fi Protected Access) won't set up properly, so you reduce the level of security to WEP (Wired Equivalent Privacy), the older, more easily crackable scheme. Or maybe you've thrown in the towel altogether to run wireless networks without any protection at all--a dangerous setup.
Combine lax security with Wi-Fi security threats--such as drive-by spamming, man-in-the-middle attacks, and network snooping, sniffing and spoofing--and you're leading your users into trouble. They could lose intellectual property, suffer privacy breaches, or fall prey to malicious network attacks.
Fortunately, wireless equipment makers are improving their security setup wizards and interfaces, though that does nothing for users of existing equipment. In this TechBuilder Recipe, I'll show you how to secure existing wireless networks by choosing and positioning the Wi-Fi hardware, understanding important options (like 802.11a, b, g and n), installing the equipment, and locking down security settings.
Take a Site Survey
If your client has a large network, you'll need to start by conducting a site survey. Users in large organizations often introduce new equipment to the network without telling the IT department, so it's now your job to detect every device on the network. If you have a small network, you can do a simple walk-through, surveying existing equipment and talking to users.
On large networks, you need to survey the site with RF sensors and protocol analyzers to identify rogue equipment and determine whether existing access points have been secured. A number of vendors offer site-survey solutions, including NetStumbler, YellowJacket, AirMagnet, and WildPackets. These products also measure encroaching networks. You can even put an access point into "monitor" mode to view other Wi-Fi activity on or near the network.
PocketWINC is a free and useful tool that runs on wireless PDAs to identify wireless access points, security levels, channels, signal quality and more. You load it onto a Wi-Fi enabled PDA, which makes it easy to walk around the premises and survey the site from every possible angle and distance. Here's a look at the tool's main screen:
No matter which tool you use, once you've identified rogue equipment at the site, you need to either shut it down or adjust the equipment's security settings to comply with company policy. We'll cover those settings in a moment. But first let's examine hardware choices for new installations.
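The triage step described above can be scripted once the survey readings are exported. The following is an added example, not part of the original recipe or of any survey product: the CSV layout, the inventory list and the policy set are all constructed for illustration. It sorts each access point seen into rogue (not in the inventory), insecure (in the inventory but running WEP or no encryption) or ok.

```python
import csv
import io

# Constructed sample survey export (not the output format of any real tool).
SURVEY_CSV = """ssid,bssid,channel,encryption,signal_dbm
CorpNet,00:11:22:33:44:01,6,WPA,-48
CorpNet,00:11:22:33:44:02,11,WEP,-61
CorpNet,00:11:22:33:44:02,11,WEP,-55
linksys,AA:BB:CC:DD:EE:10,6,OPEN,-70
CorpNet,aa:bb:cc:dd:ee:99,1,WPA,-66
"""

# Hypothetical inventory of access points the IT department installed.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
ACCEPTABLE = {"WPA"}  # assumed policy: WEP and open networks do not comply


def triage(csv_text, authorized, acceptable=ACCEPTABLE):
    """Return {bssid: (status, row)} with one entry per access point seen."""
    authorized = {b.lower() for b in authorized}
    best = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().lower()
        row["signal_dbm"] = int(row["signal_dbm"])
        # Keep the strongest reading when an AP was seen from several spots.
        if bssid not in best or row["signal_dbm"] > best[bssid]["signal_dbm"]:
            best[bssid] = row
    report = {}
    for bssid, row in best.items():
        if bssid not in authorized:
            status = "rogue"  # not in inventory: shut down or bring under policy
        elif row["encryption"].strip().upper() not in acceptable:
            status = "insecure"  # ours, but must be reconfigured
        else:
            status = "ok"
        report[bssid] = (status, row)
    return report


if __name__ == "__main__":
    for bssid, (status, row) in sorted(triage(SURVEY_CSV, AUTHORIZED).items()):
        print(f"{status:8} {bssid} ssid={row['ssid']} ch={row['channel']} "
              f"enc={row['encryption']} {row['signal_dbm']} dBm")
```

Note that the last sample row advertises the company SSID with WPA but is still reported as rogue, because authorization is decided by the hardware address in the inventory, not by the network name.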
Coverage Options
There's a lot of new, inexpensive Wi-Fi equipment on the market, with more to come. I tested a couple of nice Wi-Fi routers: one basic model and one "Pre-N" router with an impressive range. Pre-N means the device was released prior to certification of 802.11n, which is a 108 megabits per second (Mbps) standard that broadcasts Wi-Fi signals much farther and more strongly than earlier Wi-Fi standards.
The first device I tested was SMC's 2.4-GHz 54-Mbps 802.11a/b/g wireless broadband router (Model #SMC2304WBR-AG). This router has four wired ports. It sells for about $80 on Amazon and just $47.33 on Buy.com after the mail-in rebate. Here's a look:
The second device I tested was the Belkin Pre-N router. It has three antennae, as opposed to the standard two, which boosts the router's range and throughput. The device has four ports for wired lines and 108-Mbps throughput on the local network (either wired or Wi-Fi). It sells for about $120 on Amazon. Here's a photo of this router:
The Belkin Pre-N router provides strong connectivity coverage for about 1.5 to 2 acres of area (with the router in the center). I've even seen some reports of five-acre coverage. Also, the Pre-N router is considered "tri-mode," meaning it's compatible with existing 802.11b and "g" equipment.
To use this router, you will need to add Pre-N adapter cards to your client's systems. The Belkin Pre-N router works with laptop adapters that either fit straight into a laptop PCMCIA slot or cradle into a PCI card that utilizes the same form factor (but in a desktop configuration), as shown below:
If you're buying a new router for your client, consider coverage options. For example, while the SMC router can easily cover a 2,000- to 2,500-square-foot office, line-of-sight issues that involve metal structures will hurt coverage performance. So your results will definitely vary by location.
Also, if users are located in a busy metropolitan area, using a Pre-N router is practically inviting hacker attempts. To avoid or at least lessen this risk, position 2.4-GHz 54-Mbps routers within the building so that their signal reaches only as far as the walls. That way, the only people who can access the router are those within the building.
Wireless Speeds and Standards: 802.11a, b, g, and n
Today there are three common 802.11 Wi-Fi standards, with one more on the way. The first popular standard was 802.11b. This offers 11 Mbps of throughput on the network and whatever rate you can get out of the DSL, cable modem or T1 pipe (up to 11 Mbps). Typically, you'd get 1-1.5 Mbps download speeds from a standard DSL modem, so the rest of the 11 Mbps bandwidth only helps for shuttling files around the network and managing multiple, simultaneous Web connections.
The second standard is 802.11a, which transmits in the 5 GHz frequency range. This is less crowded than 2.4 GHz; you avoid interference from mobile phones and microwave ovens. 802.11a can reach 108 Mbps speeds in ideal conditions.
The third standard, 802.11g, uses the 2.4 GHz range, transmits at 54 Mbps, and is backwards compatible with "b" equipment. The slower "b" speeds prevail when combined with "g."
With each of these 802.11 hardware platforms, throughput is variable and depends on distance: data speeds drop as the remote device is positioned farther from the base station. Also, if you layer on encryption, speeds will drop considerably.
The new Pre-N equipment uses a technology called Multiple Input Multiple Output, or MIMO, that uses multiple transmitters and receivers (that is, antennas) to improve performance. With its two transmitters and two or more receivers, the equipment can send two simultaneous data streams. That effectively doubles the data rate and allows for greater distances between transmitters and receivers. For this reason, equipment for both Pre-N and the upcoming 802.11n standard is rated at 108 Mbps and higher.
