 Number 267 - August 2005 |
|
| Networking Fun(damentals) Part 4 - WiFi | |
| by Bruce Preston, DACS | |
|
Setting up a wireless network adds a level of complexity that isn't present in a wired network. You need to make several decisions before you get going: Is it to be an infrastructure network, or an adhoc network? What kind of access point is available? Is it to be an open network or a secure network? Let's look at each of these:
Infrastructure vs. AdHoc Infrastructure - communication is between your device (i.e. PC) and a WiFi Access Point - typically a broadband router/firewall device. You must be within range of the access point, but the remote device(s) you are communicating with (wired PC on your local network, a web server on the other side of the country) may be well beyond wireless range. AdHoc - communication is directly between devices (i.e. PC to PC as peers). Note that the devices must be within range. Unless one of these devices is also acting as a gateway (via Internet Connection Sharing, for example), you will not have Internet access. Usually you would want an infrastructure configuration. Access point varieties come in 3 flavors: Bridge - connects a wireless network to a wired network. It is transparent. Devices on each network can see devices on the other network (subject to permissions, of course)' and communications can flow in either direction. NAT Router - Network Address Translation (see previous installments for explanation of NAT). Wired traffic will be routed to the other network (and perhaps beyond) but traffic can not be directed into the wireless network. Typically used to provide internet access from the wireless network. Hybrid NAT Router + Bridge - one device that combines both a wired and wireless network. This is the common Cable/DSL Router with Wireless device. Security - Wire-less access points, by default, broadcast their name (ESSID, see below) and thus invite devices to join the network. Any device within range can thus sense the presence of the network and with the click of a button the user may attempt to join. If there is no security established, the network becomes available, and any insecure resources on the network (file sharing, printer sharing, etc.) become available. 802.11b devices support WEP (Wired Equivalent Privacy) which makes use of either a 64-bit key or a 128-bit key to encrypt data flowing through the network. All devices on the network must make use of the same key string to have access to the network. WEP is not bullet-proof; it can be cracked, so it is not sufficient for data that must be held absolutely secure. However, breaking it requires either specialized hardware, or customized software drivers, neither of which are likely to be available to a casual 'eavesdropper.' Depending upon how well the drivers are implemented, enabling WEP security will degrade throughput by anywhere from about 20% to 50% of connection capacity. WiFi devices submitted for certification since August 2003 provide for WPA (WiFi Protected Access) - a considerably stronger encryption protocol. It contains a protection mechanism that prevents key-cracking by such methods as retransmitting with altered bits. Devices that support WPA quite often also support WEP for backwards compatibility, so an access point (or router) may simultaneously communicate with both WPA and WEP client devices. If you have a mixed environment, check to see if replacement drivers that implement WPA are available for your older devices. More Security - An access point may be set up to only communicate with wireless devices that have a specific MAC address. Every networking device has a burned-in unique identifier known as a MAC address. By loading MAC addresses of clients into the access point, you may be very explicit as to which devices may make use of the WiFi connection. Range - Manufacturers tend to be optimistic in stating the operating range of wireless devices. Obstructions between the devices such as walls, furniture, people etc. all degrade the signal. As a starting point, consider that you may have a usable signal within a 50 foot radius sphere from the access point. Thus, if you can put the access point exactly in the center of your house or office you might get a usable signal within the structure. Practically speaking, however, more often than not the access point will not be centrally located, in which case much of your signal may be going off 'in the wrong direction.' To address this, there are several options: It is possible to replace one of the 'rabbit ear' antennas with a directional antenna - such that the signal is concentrated in a 'cone' rather than distributed uniformly over a sphere. A second option is to add an additional, wired access point somewhere else in the structure. A third option is to add a range extender, also known as a repeater - an access point ESSID - An access point periodically broadcasts its Extended Service Set Identifier - a string of characters that identify the name and capabilities of the access point. In this way, a client device (i.e. a PC) can determine that it is within range of the access point such that the user may elect to which is within range of the primary access point and can thus communicate with it, and which then re-broadcasts the signal, thus extending the range. The repeater is not wired to the first access point - it picks up the signal on |
one radio channel, and then re-transmits it on another radio channel. make use of the offered connection. Broadcasting the ESSID also exposes whether the connection is open or secure (requiring a pass key.)
Most access point manufacturers pre-load the access point's ESSID with the manufacturer's name - so that unless you change it, the ESSID will be something like LinkSys, D-Link, Netgear, SMC, etc. Since these brands are all relatively common in the consumer market, it is quite possible that you may have two or more devices within range that have the same ESSID. It is wise to change the ESSID to something other than the brand of device - I have seen such things as SmithFamily, XYZoffice, etc. Then when you initiate a connection you can pick the correct access point. A downside of having the ESSID being broadcast is that you may have an unwelcome guest hitchhike on your connection. If your connection is not secure, all they have to do is select it. For this reason, it is prudent to disable ESSID broadcast. Now to establish a connection, the client machine must know in advance the name of the ESSDI and then specifically ask for it by name - it will not be displayed in the Available Connections dialog box. Turning off ESSID broadcast but leaving the default value of the ESSID gives you minimal protection, as many client wireless adapters will look for their own brand's ESSID. Transmission Rate - Typical WiFi devices give you a choice of transmission rates: all, 1, 2, 5.5, 11, and 54 Mbps (megabits per second) 54 is not supported by 802.11b. Upon connection negotiation, the devices will select the highest mutually-supported transmission rate. Channel - Typical WiFi devices provide a choice of automatic channel selection, or pre-specification of any channel (1 to 11). Two WiFi networks within range of each other will interfere with each other if they are on the same channel. Automatic will generally make use of the channel which appears to have the least interferences Encryption - You may select to have an open WiFi network or a secure WiFi network. If you have an open WiFi network, a relatively sophisticated user could eavesdrop on your data stream. For a secure WiFi network, depending upon the capabilities of the devices, you may select 64-bit WEP, 128-bit WEP, or WPA. Generally, you will want to make use of the highest level available unless forced otherwise. For example, since WPA requires more computational resources to process the encryption tasks, on a slower machine this may bog down the CPU. If that is the case, you may be faced with the necessity of working with a less stringent encryption policy. In either case, you will be required to enter an encryption key. Some manufacturers make it easy for you by including a key generator in their configuration screens. This takes a 'pass phrase' and converts it into a key. You may then take the generated key and apply it to the configuration screens of the other devices in the local network. Setting up the WiFi access point - You will need to get into the configuration screen of the access point. This is almost invariably done via a web browser interface. Within the WiFi section (which might be a subset of the LAN settings) select your ESSID, transmission rate and channel selection. Save your changes and boot the router if requested to do so. Then setup a client computer (next paragraph) and make certain that you have a basic connection. Once you have a basic connection configured for both your access point and a client machine, come back into the router's configuration screen and set up your secure environment. Setting up the WiFi client computer - If you have Windows XP Sp2, it includes support for WiFi within the operating system, including the zero configuration wizard. When it senses a WiFi connection, it will pop up a 'balloon' and offer to connect. Connecting a machine running Windows XP prior to SP2, or earlier operating systems (Windows 98SE, Me, 2000) then you will have to run a utility program provided by the hardware vendor which lets you specify the ESSID, Transmission Rate, Channel (and if necessary) and encryption settings. Checking it out - When I set up a new WiFi connection before I attempt to do any 'real' work, I invariably check to see whether I really have a connection. The signal strength meter often seen near the clock tells you how strong the signal is, but does not reveal whether you have a usable connection. It just tells you that there is something out there. For basic testing, I recommend that you first run IPCONFIG (or WinIPCfg for Windows 98SE, Windows Me) and see that you have an IP address associated with your wireless adapter, a network mask (typically 255.255.255.0,) at least one DNS entry, and that you have a gateway IP address. Without these 4 things, you won't get anywhere. Next, try to ping a site - such as via ping www.ebay.comideally you should see two things: a) Ping will respond with the DNS lookup results, i.e. it will report Pinging xxx.xxx.xxx.xxx with xxx bytes of data. That the address (xxx.xxx.xxx.xxx) appears means that you are OK - your Domain Name resolution is working, and by implication everything else is working since you would not have been able to resolve names without a proper TCP/IP stack configured. Do not be overly concerned if after the Pinging xxx.xxx.xxx.xxx with xxx bytes of data message you get no response or a timed-out situation - not all hosts respond to pings. That your DNS server did the name to IP address conversion is all you really needed. Bruce Preston is president of West Mountain Systems, a consultancy in Ridgefield, CT specializing in database applications. A DACS director, Bruce also leads the Access SIG. Members may send tech queries to Bruce at |
|
Number 267 - August 2005
|
|