CORRECTION: Last month we reported that Verizon Wireless announced deployment of 300 - 500 Mbit/sec data service using the cellular phone network in selected markets. This should have been 300 - 500 Kilobits/second, not Megabits/second.

Essential Wi-Fi

Understanding Wi-Fi Equipment

Wi-Fi includes many different types of equipment: Access Points, NAT gateways, wireless repeaters, firewalls, and so forth.  Understanding what these types of equipment do is critical to "clearing up the confusion."  In this article, we will provide simple, understandable definitions of the most common types of Wi-Fi equipment including Access Points, Wireless Repeaters/Range Extenders, NAT Gateways, and Firewalls.

Access Point

Think of an access point (abbreviated as "AP") as being like a cell tower.  Your mobile phone uses radio waves to talk to the antenna on the cell tower.  The cell tower forwards that call to the service provider, which might route the call onto the wired telephone network.  If the phone moves away from one cell tower and towards another, it will stop sending its signal through the far one and start sending its signal through the near one, which is known as roaming.

In the same way, an 802.11 client uses radio waves to talk to the antenna on an access point.  The access point is usually plugged into a wired Ethernet network (although it doesn't have to be), and it will forward packets onto the wireless network if necessary.  This means that access points can give wireless clients access to resources on the wired network, such as a server, or an Internet connection.

Although 802.11 clients can connect directly to each other (without an access point), an access point is almost always used, especially in cases where the wireless network is intended to provide access to a wired network.  In general, in order to get access to a company's network, a wireless user must be in range of an access point.  This influences how many access points a company will need to install and where those access points can be placed.  Just like cellular signals can be blocked or have "dead zones," 802.11 wireless coverage can behave unpredictably (Connect802's predictive site survey service can help work around this).

Access points come in varying levels of complexity and cost.  More advanced access points offer more sophisticated management and security options.  For example, a corporate-grade access point might provide the ability to configure all of the company's access points remotely, en masse, whereas an access point intended for home use might have to be configured individually.

Wireless Repeater or Wireless Range Extender

Normally, the structure of a wireless network is: Client -> Access Point -> Wired LAN (optional).  But what about cases where some clients are so far from the access point that they are out of range?  You could add a second access point, but then clients near the second access point wouldn't have connectivity to clients near the first access point.  In addition, a whole new access point might be too expensive, especially if this is a home or small-office network.

A wireless repeater (also known as a wireless range extender) creates this structure: Client -> Wireless Repeater -> Access Point -> Wired LAN (optional).  The wireless repeater acts as a "client" to the access point, and then the wireless clients attach to the repeater.  The repeater then forwards the clients' packets to the access point, effectively extending the access point's range.

Although wireless repeaters can solve some tricky coverage problems, you should realize that they impose a performance penalty of about 50%, since every packet that a client sends through the repeater must be transmitted twice (once from the client to the repeater, once from the repeater to the access point).

NAT Gateway

NAT stands for "Network Address Translation."  It is a technology in which, as packets go through the NAT gateway, the IP addresses in the packets are substituted in real-time for other IP addresses.  This means that devices on the outside of the NAT gateway (after substitution) don't ever see the real IP addresses of the devices on the inside of the NAT gateway.  Since the NAT gateway reverses the substitution on inbound packets, neither device needs to know that the gateway is there.

NAT gateways have two main advantages.  They enhance security by preventing outsiders from learning the true IP addresses of your devices.  Because of the way in which NAT works, TCP/IP conversations cannot be initiated from the outside of a NAT gateway unless the administrator explicitly allows it.  This prevents attackers on the outside from scanning the network inside a NAT gateway.  Also, NAT gateways can allow many stations on the inside to share single external IP address.  This is useful in the case where the ISP only gives you a single IP address, but you want to connect multiple computers to the Internet.

A third advantage of NAT is that the administrator has complete freedom to assign whatever IP addresses he or she wants inside the NAT gateway.  External IP addresses must be assigned by the ISP.

Chances are that if you buy an 802.11 device with "gateway" or "router" in the name, it will be able to act as a NAT gateway.  If you buy a device that is described simply as an "access point," it may not act as a NAT gateway.  You should check to make sure that the device meets your needs.

Firewall

A firewall is a security device that monitors incoming and outgoing TCP/IP packets.  The firewall allows packets that it believes to be benign or permitted and blocks packets that it believes to be harmful or prohibited.  A firewall bases its decision on several common factors.

First, the firewall may be configured to explicitly allow or deny packets matching certain characteristics.  If this is the case, then that overrides the firewalls default behavior.  The firewall's default behavior is this: if the firewall observes a station on the inside of the firewall initiate an outgoing connection, it will allow inbound packets that are part of that conversation.  Inbound packets that are not part of a previously-initiated outbound conversation are blocked.

To make an analogy with the phone system, a firewall would be like a phone system where you could make outgoing calls, but nobody could make incoming calls to you.  This would completely prevent annoying or harassing phone calls, but it would also prevent anybody legitimate from calling you.  This isn't as big a deal with firewalls, since the majority of your computer's connections are outgoing, but it can be a problem if you're running a server (which accepts many incoming connections).  In that case, the administrator must explicitly configure the firewall to allow incoming connections to the server.

Most devices that act as a NAT gateway also act as firewalls.  Not all firewalls act as NAT gateways.

For more information, see the Connect802 On-Line Encyclopedia.

BACK TO TOP

Technology and Engineering

RF "Signal Quality"

Alongside signal strength, "signal quality" is commonly reported by vendors' client utilities. For example, Cisco's client utility presents a graph with signal strength on one axis and signal quality on the other axis. Anyone who is exposed to 802.11 for any length of time will pick up on the idea that these are the two general metrics of the "goodness" of an 802.11 signal. If either one of them is too low, then data rates may drop or the connection may be lost entirely. But what is "signal quality" really measuring? How can we use this term in planning and administering wireless LAN's?

Colloquial definitions of signal quality vary widely.  A web search on the term reveals that it is usually used as a general indicator of the "goodness" of a wireless link, without any more specific definition. This vagueness is in no small part because "signal quality" is a more obscure term than "signal strength" (it only appears three times in 802.11-1999). 802.11 defines "signal quality" as "PN code correlation strength". Unfortunately, 802.11 does not provide any further definition of "signal quality". Therefore, further investigation must hinge on the phrase, "PN code correlation".

DSSS mathematically combines one or more bits of data with a sequence of bits known as a "PN code", which is equal in length to or longer than the data bits to be encoded. The combination of the data bit(s) and the PN code, known as a "symbol", is what is ultimately transmitted into the air. The process of combining is known as "spreading". For example, in 802.11/802.11b DSSS at 1 Mbps and 2 Mbps, a single bit of data (a 1 or a 0) is XOR'ed with the 11-bit-long PN code, '10110111000'. This specific PN code is known as the "Barker Sequence" and is also sometimes represented as '+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1'. In this algorithm, each 11-bit "symbol" corresponds to one data bit. At higher data rates, more sophisticated algorithms are used, but the nature of the PN code is the same.

For any DSSS algorithm, each symbol represents one or more bits, and a unique combination of a certain bit-string and PN-code will always result in the same symbol. Therefore, for any DSSS algorithm, we can define a set of "valid" symbols, which contains all symbols that could result from a bit-string and a PN code. A transmitter should never transmit an "invalid" symbol, but interference and attenuation might cause a "valid" symbol to appear to be "invalid" to a receiver. For example, suppose the symbol '1011011100 1 ' was received. This symbol is identical to the correct symbol for a '1', except that the last bit has been changed from '0' to '1'. The receiver could ask itself, "is this symbol closer to a zero or a one?"

The receiver could determine that the symbol is closer to a '1' than a '0' even though one of the bits of the symbol was corrupted. In fact, given an 11-bit symbol, up to five bits could be corrupted without negating the receiver's ability to recover the original data--if six bits or more are corrupted, then the receiver could choose the incorrect symbol, which would result in an incorrect data-link layer checksum and a corrupt packet.

The most likely definition of "signal quality," or "PN code correlation strength" is that it is some metric of the correlation between the correct symbol-stream and the actual symbol-stream received. For example, the PHY might count the average number of "wrong" bit positions over a window of some number of symbols, where zero "wrong" bit positions equals 100% signal quality and more "wrong" bit positions results in lower signal quality. This definition should be treated as speculation until it is corroborated or debunked. If that definition is correct, then signal quality should be used as a metric of the amount of corruption in the environment between the access point and the client.

This topic is discussed in more depth in Connect802's paper, "You Believe You Understand What You Think I Said -- The Truth About 802.11 Signal and Noise Metrics," available from our white papers page .

BACK TO TOP

To Infinity... and Beyond!

Security breaches result from equipment misconfiguration

The Gartner Group concludes that 70% of successful Wi-Fi security attacks will occur as a result of misconfiguration of access points or client software. The adoption of the new security standards (like Wi-Fi Protected Access, the basis for Connect802's Suite Shield security) provide the necessary bridge between the previously insecure Wired Equivalent Privacy (WEP) and the next-generation of 802.11i Advanced Encryption Standard (AES) security. So, while today's Wi-Fi networks can be reasonably secured against intruders, the need for security monitoring and intrusion detection systems remains the back-line of defense for critical systems. Read more about this issue at Computerworld.

Cisco enhances Voice-over-IP security

Cisco has extended encryption to include support for its VoIP wireless phones. This is significant since Wi-Fi security and encryption have been generally upgraded with the implementation of Wi-Fi Protected Access (WPA) that provides reasonable security for data transfer. The wireless Voice-over-IP space demands strong security for voice telephony and, as is the case many times, Cisco is a driving force in pushing new standards and new user expectations into the marketplace. Read more about this at Silicon.com

Voice-over-IP telephony is poised for phenomenal growth

This past month Connect802 spoke at two major Voice-over-IP conferences: Internet Telephony in San Diego and VON in Boston. We were surprised to see the sheer quantity of vendors offering various types of IP phones. On October 19, 2004 the Bellevue, Washington company TeleSym deployed the frist carrier-class mobile VoIP solution using the new Intel NetStructure Host Media Processing software. Customers can now place and receive phone calls over any private Wi-Fi network, public HotSpot, or broadband network. Currently the end-user devices must be computer devices (notebooks or PDAs with headsets) but the coming emergence of Wi-Fi VoIP cell phones promises to change that. Read more about this at TeleSym.

BACK TO TOP