5 Ways to Improve your Wireless Network
2007-09-28 (updated: 2009-11-09) by Comtrad
Tags: Wi-Fi, Wireless, encryption, WPA, WPA2, WEP, SSID, VLAN, 802.11x
While installing a wireless network may seem trendy, it makes good business sense. You have the flexibility and convenience of working untethered, plus you won't have to pay someone to come in and reroute network cables if you hire new employees or reconfigure your office floor plan.
Setting up a wireless network requires thought and planning. We spoke with Doug Potts, a security specialist at CDW, to find out what you can do to ensure their network works as smoothly and as securely as possible. The five steps to improving your wireless network are listed in order of their cost and complexity. Whether you take one or all five depends on the size of your budget and the level of security you need.
1. Set Up Wireless Encryption
Encrypting your network makes it difficult for hackers to crack in and use your wireless connection, access your data or other perform other malicious actions. "Encryption's an effective hacker deterrent," said Potts. "The thought of trying to hack a 128-bit or 256-bit cipher is enough to send a hacker packing — and looking for an easier target."
You have two types of encryption from which to choose: WEP and WPA with AES encryption. Potts likened 128-bit WEP encryption to a barking dog that frightens off a burglar. "Now AES, that's 256-bit — an even tougher type of encryption," Potts said. "That's like having the dog, an alarm system and a guard out front."
According to Potts, the 128-bit WEP encryption can be cracked, but it can take up to four hours of work to do it To date, he says, 256-bit AES has never been cracked.
Most wireless access points (APs) support both WEP and WPA standards, but not all client cards (the Wi-Fi card that plugs into your laptop) support AES encryption, which requires a dedicated chip.
"At the very minimum," said Potts, "everyone running a wireless network should have WEP installed and turned on."
Typically you'll pay about $50 to $100 more for an AP that supports AES. Potts says that if you're installing a wireless network for the first time, it's a good idea to invest in the security features that WPA offers. If you already have a wireless network, Potts recommends upgrading all of your APs to WPA over time as your budget allows.
2. Stick With the Same Vendor
Buying your APs and Wi-Fi cards from the same vendor increases your network performance and reduces compatibility issues, since not all vendors support the same features. Potts sited a feature called "Turbo mode" as an example.
"Some manufacturers build a Turbo mode into their APs and Wi-Fi cards," he said. "It's supposed to double your network throughput, but it only works if all your cards come from the same vendor. It could even be available only on a specific card within a vendor's line."
Potts continued, "D-Link has an AP and a Wi-Fi card that are specific to the Turbo mode feature. The company makes lots of cards and APs, but not all of them support that feature. This is true of most vendors," Potts said.
3. Do a Site Survey
Potts likes to ask his customers a question — Do you know where your wireless signal is? Unless you know exactly how far your wireless network reaches, and in what directions it travels, chances are you're leaking a Wi-Fi signal that anyone with a laptop and a Wi-Fi card — including hackers — can use for free.
"A site survey will tell you exactly how far your signal reaches," said Potts. "Take your laptop and Wi-Fi card and call up the utility that measures signal strength, [each maker has it's own — Cisco's is called ACU] and walk around your office with the utility running. That will tell you how far the signal reaches and the signals strength," said Potts. There's also lots of software that can help you do site surveys, such as the programs from Wireless Valley.
"If the signal's strong throughout the office, then go outside and keep walking around to see how far it leaks," he said. "I work on the fifth floor of a building in downtown Chicago, and when I'm in my office and I turn on my laptop, I can access the unprotected network from the coffee shop on the first floor."
Small businesses need to be aware that their network's AP signal could be traveling further than they want and creating a potential security breach. Potts pointed out that encryption offers a good deal of protection, but the longer someone has access to your network, the greater the chance they can crack it.
"Remember WEP encryption can be cracked," [argh] said Potts. "If your signal leaks out into the parking lot, you're giving someone the time and opportunity to hack you. If the signal's contained to your office, you significantly reduce the likelihood of an outside attack."
4. Place Your Wireless Network on Its own VLAN
Potts explained that a VLAN, or Virtual Local Area Network, is a way of segmenting your network so that employees can access only the job-related resources they need without having access to the entire network.
"Not everyone needs to know everything," said Potts "This is a way to add a layer of internal data protection to your business." This is a somewhat more costly addition to a wireless network, but a good option if your business requires compliance with HIPAA or other types of state and federal regulations or you want to make sure that your personnel or other backend data isn't readily accessible.
Potts pointed out that high-end equipment manufacturers typically support VLAN capability. "You'll find VLAN in Cisco, Proxim and 3Com products," said Potts, "but not in Linksys, D-Link or NetGear."
5. Set Up a Secondary Authentication Mechanism
Authentication is a way that people can prove they are who they say they are in order to access a network or any secure area. The most common authentication method is the user name and password. Potts said that companies that deal with highly sensitive data might want to consider adding a second method on top of the type they currently employ.
"Of these five steps, this is the most expensive option," he said. "A company would need to invest in a RADIUS server, which can range anywhere from $3,000 to $8,000 dollars depending on the size of the company."
However, a number of low cost solutions for small businesses exist to help them use authentication servers that utilize the protocol called 802.1X. They include software packages like LucidLink or Elektron that runs on a local computer to turn it into a RADIUS authentication server, or hosted RADIUS like WSC Guard or WiTopia.net.