Multiple Security Methods From a Single Access Point
Which security method to use is one of the primary considerations in designing a wireless network. Example security methods include WEP, WPA, WPA2, and 802.1X/EAP authentication. Many access points, especially consumer-grade ones, can only support one security method at a time. This means that the wireless network must use the security method that represents the lowest common denominator of all the methods that potential clients support. For example, if some clients support 802.1X/EAP but other clients only support WEP, it might be necessary to set the access point to use WEP in order to avoid excluding the less capable clients. In this case, the 802.1X/EAP clients can’t take advantage of their capability for increased security; one weak client drags the whole network down to WEP.
Some access points can be configured to use mixed security methods. For example, many access points can serve WPA2 and WPA clients on the same network at the same time (the AP advertises both the CCMP and TKIP cipher suites), and some can serve WPA and WEP clients at the same time. This is possible because these protocols were designed with backward compatibility built in. Even in this case, the situation is less than ideal. The group key used for broadcast and multicast traffic must use a cipher that every client supports, so it falls back to the weakest one in the mix. It might therefore be desirable to segregate the lower-security stations from the higher-security stations, so that if a breach of the lower-security method occurred, the higher-security stations would still be protected.
In order to address these issues, enterprise-grade access points often support multiple SSIDs, each configured with a separate security method. To the clients, the access point then looks like several separate access points, each with an identical coverage area but with different network names and security methods.
Examples of how this might work include: An SSID named “Guest” is set to have no encryption at all; any station can connect. An SSID named “Corporate” requires 802.1X/EAP authentication with an RSA SecurID token, and derives per-user encryption keys from that authentication. An SSID named “VoIP” uses WEP encryption, since the VoIP phones used by the company only support WEP.
The astute reader will have figured out that there’s a problem with this setup. If one access point is advertising all of these SSIDs, what’s to stop an attacker from ignoring the “Corporate” and “VoIP” SSIDs and getting onto the network from the “Guest” SSID? So far, nothing. That’s why this multiple-SSID capability is usually combined with a back-end infrastructure that enforces per-SSID security policies on the clients. The access point maps each SSID to a VLAN and tags each client’s frames with an 802.1Q VLAN ID (and, for QoS, an 802.1p priority in the same tag) before sending them to the Ethernet switch, so the switch knows which SSID every frame came from. The switch and router can then be configured to, for example: only allow Guest clients to reach the Internet, not the local intranet; allow unlimited access to Corporate clients; and provide higher-priority QoS to VoIP clients. The capability to provide different back-end services based on a client’s SSID greatly enhances the value of having a single access point support multiple SSIDs. Note that the open Guest SSID still needs controls of its own, such as bandwidth limits and isolation between guest clients, since anyone within range can join it.
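How a switch can tell which SSID a frame came from, as an added example (not code from the original article or from any access point vendor): the access point tags each SSID’s traffic with an 802.1Q VLAN ID, and the 802.1p priority lives in the same tag. The SSID-to-VLAN mapping, the intranet prefix, the MAC addresses and the frames are constructed for illustration; the decision function models the per-VLAN policy a switch or router ACL would enforce.

```python
"""Added example (not from the original article): parse the 802.1Q tag an
access point adds to frames from each SSID, then apply the per-VLAN policy
a switch or router would enforce. The SSID->VLAN map, addresses and frames
below are constructed for illustration."""
import ipaddress
import struct

# Assumed mapping configured by the administrator on the AP: one VLAN per SSID.
SSID_TO_VLAN = {"Guest": 10, "Corporate": 20, "VoIP": 30}
VLAN_TO_SSID = {v: k for k, v in SSID_TO_VLAN.items()}

INTRANET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address space

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(vid: int, pcp: int, src_ip: str, dst_ip: str) -> bytes:
    """Construct an Ethernet frame with an 802.1Q tag and a minimal IPv4 header.
    TCI layout: PCP (3 bits, the 802.1p priority) | DEI (1 bit) | VID (12 bits)."""
    dst_mac = bytes.fromhex("001122334455")  # constructed addresses
    src_mac = bytes.fromhex("66778899aabb")
    tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol (UDP), checksum (left 0), src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def parse_frame(frame: bytes) -> dict:
    """Return VLAN id, 802.1p priority and IPv4 destination of a frame.
    Untagged frames get vid=None; the switch must not treat them as any SSID."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid, pcp = tci & 0x0FFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    else:
        vid, pcp, payload = None, 0, frame[14:]
    dst = None
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        dst = ipaddress.ip_address(payload[16:20])
    return {"vid": vid, "pcp": pcp, "dst": dst}


def forwarding_decision(frame: bytes) -> str:
    """Apply the per-SSID policy from the article: Guest -> Internet only,
    Corporate -> everything, VoIP -> everything, in a priority queue when the
    frame carries a high 802.1p value. Unmapped or untagged: drop (default deny)."""
    info = parse_frame(frame)
    ssid = VLAN_TO_SSID.get(info["vid"])
    dst = info["dst"]
    if ssid is None or dst is None:
        return "drop"
    if ssid == "Guest":
        return "drop" if dst in INTRANET else "forward"
    if ssid == "VoIP":
        return "forward-priority" if info["pcp"] >= 5 else "forward"
    return "forward"  # Corporate
```

The default deny for untagged or unmapped frames is the part that matters in practice: the switch port facing the access point should be a trunk that accepts only the VLANs the AP is expected to tag, so a station cannot gain intranet access by turning up on a VLAN the policy never considered.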
This capability already exists in most enterprise-grade access points, but many networks do not take advantage of it, even if they could benefit from it. One reason is that administrators might not be aware of it (but not anymore, after reading this article). Another reason is that taking advantage of this capability requires knowledge of how to configure the switches and routers, as well as access points. This might require coordination between the wired and the wireless network teams, if they are separate.
The ability to support multiple SSIDs is also trickling down into consumer-grade products. For example, dd-wrt, an open-source, third-party replacement firmware for the Linksys WRT54G and other consumer-grade access points, is planned to support this capability in its next version release, providing access to this enterprise-grade feature on consumer-grade hardware. Currently, no consumer-grade vendor that we know of offers this capability in its stock firmware, but we anticipate that it is not far off. Although home users have less need for multiple SSID support than corporate users, the feature is not completely wasted on them. For example, a generous home user might offer a bandwidth-limited open SSID to the neighbors while keeping a high-security SSID for themselves. As VoIP phones move from the office into the home, separating those devices onto their own SSID might become more desirable.
An Overview of Mesh Routing
If you’ve read any recent magazine or web articles about 802.11 Wi-Fi wireless networking you’ve probably encountered the term “Mesh Routing” somewhere along the line. Whenever you hear about wireless systems in cities like Tempe, AZ, Philadelphia, PA, or Chaska, MN, you hear about how they installed a “mesh network” to provide Wi-Fi services to their communities. Security cameras and inter-building wireless links use “mesh” equipment for interconnectivity. What then is a “mesh router”, and why is there so much interest in this technology in today’s wireless network market – and how can you apply this technology in your work? These are the questions that will now be discussed.
The term “mesh router” refers to a self-contained Wi-Fi radio unit, not dramatically unlike a typical Wi-Fi “access point” that you might buy to create a wireless network in your home or business. The difference is that the mesh router does two jobs. First, it can work exactly like a standard Wi-Fi access point. When a person has a wireless notebook computer or other 802.11 Wi-Fi device, they can connect to the access point part of the mesh router to surf the Web or check their email. Secondly, the mesh router listens for, and becomes aware of, other mesh routers within range. When the mesh router finds another mesh router the two radios create a point-to-point connection between themselves.
One (or more) of these mesh routers is connected to the Internet through an Ethernet connection to a broadband modem. The broadband connection could be using a DSL line, a cable modem, or a higher capacity Internet link. Software in the mesh routers determines the best path through the interconnected mesh to get from any point to the Internet connection. In this way, a network system can be created in which there is no need for an Ethernet cable between all of the devices. When you think about building out a network in a community, across a corporate campus, inside a large manufacturing facility, or around a large parking lot (perhaps for interconnecting security cameras), you see the advantage that a mesh router system can provide. In these situations it isn’t feasible to run CAT 5 or CAT 6 cable between the required locations. Instead, simply install mesh routers and they’ll find their own paths between points in the network.
The term “mesh node” is commonly used to describe a single mesh router. Each mesh node allows users with notebook computers to connect into the mesh, and allows other equipment (like video cameras, computer kiosks in a retail store, or any Ethernet device) to connect back to the Internet, and each mesh node makes intelligent decisions as to how to efficiently forward data traffic through the system. Some links actively carry data traffic while others enter a standby mode in anticipation of possible link degradation or failure (in which case these standby links will become active).
A simple mesh system might be used to interconnect two buildings at a warehouse. In this case a total of four mesh routers would be used. Two would be on one building, and two on the other. If a large truck were to block one of the transmission paths between the buildings then the mesh routers would automatically use the other path. A more complicated mesh system could interconnect multiple buildings in a corporate campus or shopping district. If one mesh node failed, the mesh would automatically adjust and route data traffic though an alternative path. Ultimately, each end user has a specific path by which they connect to the Internet, as shown in Diagram 2.
In summary, a mesh router creates a wireless “cloud” of connectivity, where each node is aware of its neighbors and automatically routes data traffic back to the node, or nodes that are connected to the Internet. At the same time, each node serves as a Wi-Fi access point, allowing authorized users with Wi-Fi wireless devices to connect to the system.
Having started with a description and definition of “mesh routing”, let’s make things a little more interesting. Let’s explore the way actual products are described by various manufacturers. You will now discover that two very different types of logical systems exist, and they are both often referred to as “mesh routing” systems. The two types of systems are actually: mesh routing and a wireless distribution system (WDS). If you were to walk around and look at an installed mesh router system and compare it to what you would find if you were looking at a WDS system you would find that the two look the same. In both cases there are Wi-Fi radios mounted on poles and buildings, and in both cases users with Wi-Fi devices connect to the nearest radio, and their data traffic is then forwarded back to the Internet through a series of wireless point-to-point connections through the system.
It’s the method by which a mesh router and a WDS radio find their partners, and the logic by which they forward data back to the Internet that makes them different. It also changes their respective price points. A mesh router may have a retail price point of anywhere from $3000.00 to as much as $8000.00 for each node. A WDS radio may be priced as low as $300.00 for a NEMA-rated outdoor unit. As with so many things, you get what you pay for, and you should only pay for the features and capabilities that you need.
In a nutshell, mesh routers provide essentially automatic, basically unattended operation while WDS radios are manually configured and many are unable to respond to failed nodes (by finding alternative paths) without manual intervention from the network administrator. All the other differences between the two types of equipment can be traced back to this fundamental difference: automatic versus manual.
The 802.11 Wi-Fi radio circuits found in a mesh router and those in a WDS unit aren’t significantly different. It’s the software that sets them apart. Consequently, the manual configuration requirements of a WDS system limit its scalability. Nobody would want to manually configure thirty, fifty, or two hundred radios. As a result, WDS systems are typically smaller, perhaps only two nodes used to create a single link across the street, or four nodes used to interconnect four adjacent buildings. The generally smaller size of a WDS system makes the WDS market very price conscious. The systems are small and simple so the price point must be kept low. Mesh router systems are typically larger, and demand more sophisticated add-on features. The larger size of the systems allows the price point to creep up, as customers are willing to pay a premium for the automatic capabilities inherent in mesh routers. The price creep isn’t arbitrary, however. A typical mesh router will have at least two separate radios in a single box. The most expensive mesh routers may have six radios in a single box, and may use sophisticated antenna array systems that can aim the radio signal directly at a number of different targets.
We said we would explore the way these products are described by the various manufacturers. WDS vendors correctly identify the fact that mesh routers create a series of point-to-point connections to provide paths back to the Internet. The logical structure of the system is a “mesh” of nodes. Then the WDS manufacturers correctly observe that their systems also end up with a series of point-to-point connections, which (after manual configuration) looks just like the mesh of nodes created by the mesh routers. It’s not uncommon to find that the term “mesh” is then used to describe equipment using WDS technology. Some descriptions allude to the “mesh” that can be created; others come right out and call their WDS systems “mesh routers”. OK, they form a mesh, and they “route” data packets through to the Internet – it’s not an outright lie, but it can be very confusing. How can you uncover the truth behind a manufacturer’s description? It all comes back to manual configuration versus automatic peer discovery and route establishment. If you have to enter 6-byte hardware (MAC) addresses into each node to identify which peers are present, you’ve got a WDS system. If you have to specify, by device configuration, which nodes are adjacent to which other nodes, you’ve got a WDS system. In this case your system requirements must be limited to the capabilities of WDS, and (as we’ll see next) these capabilities can be very simple (read that as “inexpensive”) or they can actually begin to approach some of the basic capabilities of a true mesh system (read that as “more expensive, but still not as expensive as a true mesh router”).
What has been left unsaid is, “If a node fails then, to establish a new path, you’ve got to…” There is yet another technical aspect to this discussion that underlies some WDS systems. A well established method of managing multiple paths through a network (wired and wireless) is the Spanning Tree Algorithm (STA), standardized for Ethernet bridges as the 802.1D Spanning Tree Protocol (STP). STA has been used with wired Ethernet switches for many years. In a nutshell, the algorithm is a set of software rules (active in every node) whereby each possible path is assigned (by manual configuration or default value) a “cost”. The nodes then exchange information about the path costs that they each can see, the lowest-cost path to the root is selected, and redundant links are blocked. If a node fails, STA recalculates the new best path cost and uses the new path through the system.
When a WDS system implements STA it begins to take on much of the automatic behavior that is associated with mesh routing. If a link fails, a new link is established. And that’s the key point of consideration to continue to differentiate WDS from mesh routing. In a WDS system the identification and establishment of an alternate path through the system occurs only when a link fails, and the new path is based on a fixed path cost value for every point-to-point connection. A mesh router dynamically evaluates the quality of each path. Path quality could change due to radio noise or interference, traffic loads, or a failed node. In every case, the mesh router can decide to use a new, more effective path, without the loss of a previously used path. Hence, the mesh router dynamically responds to real-time changes in the characteristics of the system, and not just to a failed node. The WDS system with STA only changes its path when a node fails.
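The path-selection difference just described, as an added example (not code from the original article or from any vendor’s firmware): a WDS system running a spanning-tree style algorithm picks routes from fixed, administrator-assigned link costs and only changes when a node disappears, while a mesh router re-evaluates routes from a live link-quality metric. The topology, the configured costs and the delivery ratios are constructed; the ETX-style metric (1 / delivery ratio) is an assumption standing in for whatever a real product measures.

```python
"""Added example (not from the original article or any vendor's firmware):
path selection with fixed per-link costs (WDS + spanning tree) next to
path selection from a measured link-quality metric (mesh router).
Topology, costs and delivery ratios are constructed for illustration."""
import heapq

# Constructed topology: "GW" is the node wired to the Internet.
# Entries: (node_a, node_b, configured_cost, measured_delivery_ratio)
LINKS = [
    ("GW", "A", 1, 0.98),
    ("GW", "B", 1, 0.97),
    ("A", "C", 1, 0.95),
    ("B", "C", 2, 0.90),
]


def build_graph(links, cost_fn, failed=frozenset()):
    """Adjacency map {node: {neighbor: cost}}, skipping links to failed nodes."""
    graph = {}
    for a, b, fixed, quality in links:
        if a in failed or b in failed:
            continue
        cost = cost_fn(fixed, quality)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra. Returns (total_cost, [nodes]) or (None, []) if unreachable."""
    dist = {src: 0.0}
    prev = {}
    heap = [(0.0, src)]
    seen = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in seen:
            continue
        seen.add(node)
        if node == dst:
            break
        for nbr, w in graph.get(node, {}).items():
            nd = d + w
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def wds_stp_path(links, node, failed=frozenset()):
    """WDS with STA: only the administrator's fixed cost counts, so the
    chosen path changes only when a node drops out of the topology."""
    graph = build_graph(links, lambda fixed, quality: fixed, failed)
    return shortest_path(graph, node, "GW")[1]


def mesh_path(links, node, failed=frozenset()):
    """Mesh router: cost reflects measured quality (assumed ETX-style
    1/delivery ratio), so a degraded link is avoided before it fails outright."""
    graph = build_graph(links, lambda fixed, quality: 1.0 / quality, failed)
    return shortest_path(graph, node, "GW")[1]


def degrade(links, a, b, ratio):
    """Copy of links with the delivery ratio of link a-b lowered, e.g. a
    truck now sits in part of the path."""
    return [(x, y, c, ratio if {x, y} == {a, b} else q) for x, y, c, q in links]
```

With the constructed numbers, node C reaches the gateway through A under both schemes. Halve the delivery ratio of the A–C link and the mesh metric moves C’s traffic through B, while the fixed-cost scheme keeps sending it through the degraded link until A actually disappears.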
The interest that’s being generated in the marketplace related to “mesh routers” (which include true mesh routers, simple WDS systems, and WDS system with STA) stems from the growth in public access Wi-Fi, and the need to create interconnected systems across large areas (including communities, parking lots, and large warehouse buildings). While each node still needs to have a power connection, the need to run Ethernet cable between the nodes goes away.
The actual design and implementation of a mesh or WDS system is really very straightforward. The entire design is based on a calculation called the link budget. The link budget incorporates the following elements of a point-to-point connection:
Transmitting Antenna Cable Loss
Transmitting Antenna Gain
Free Space Path Loss (signal loss due to the distance between radios)
Terrain Roughness Loss (signal loss when transmitting over the tops of buildings versus trees versus water, etc).
Rain Fade (signal loss due to the heaviest rainfall)
Receiving Antenna Gain
Receiving Antenna Cable Loss
Receiving Radio’s Circuit Sensitivity
The essence of the link budget calculation is to begin with a particular transmitter power, increase it by the gains in the path and decrease it by the losses in the path, and have it end up greater than the receiving radio’s circuit sensitivity for the desired transmission bit rate, ideally with some margin left over for fading. Manufacturers specify their radio’s transmitter power and provide tables of required receiver sensitivity for the various 802.11 modulation rates (from 1 Mbps 802.11b to 54 Mbps 802.11g).
There are three typical approaches to calculating a link budget. Two of these involve the use of your scientific calculator (square roots and logarithms) and the third simply uses an on-line calculator or spreadsheet to plug-and-chug through all the math.
In the first algorithmic method, you know the distance between two radios and you must determine the transmitter power and antenna gain required to reach the receiver with a particular signal level. The most challenging number to calculate in this case is the free space path loss. Terrain roughness and rain fade are computed based on a specified loss per mile (or kilometer). Free space path loss is computed from the logarithms of the distance and the frequency: it grows by about 20 dB for every tenfold increase in either.
The second (and less commonly required) method is to know everything except the maximum distance that can be used between the two radios. You say, “I’ve got two radios with such-and-such transmitter power and antenna gain. Given a particular value for terrain roughness and rain fade, how far apart can I mount these two radios and still end up with 18 Mbps?” Normally a link budget calculation of this type involves applying the first method, and simply “guessing” at a possible distance. Then the distance is made greater or smaller until you approach the desired values to meet the specified receiver sensitivity.
The most common method is to use an on-line calculator where you simply plug in the values and get the answers to the link budget calculations. An example may be found at http://www.connect802.com/designer. Some manufacturers provide Microsoft Excel spreadsheets into which you plug the unknown values and compute the missing parts of the link budget.
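The budget walked through in the three methods above, as an added example (not the on-line calculator from the original article or any vendor’s spreadsheet): method 1 (distance known, find the highest rate whose budget closes) and method 2 (rate known, find the maximum distance). The radio, antenna, cable and per-kilometer loss figures in EXAMPLE_LINK and the receiver sensitivity table are assumed values; real numbers come from the vendor datasheet.

```python
"""Added example (not from the original article): a link-budget calculator
in the form the article describes. EXAMPLE_LINK and SENSITIVITY_DBM are
constructed/assumed values, not vendor data."""
import math

# Assumed receiver sensitivity (dBm) per 802.11g data rate; representative only.
SENSITIVITY_DBM = {54: -72, 48: -74, 36: -77, 24: -80, 18: -83, 12: -85, 9: -86, 6: -88}

# Constructed point-to-point link on 802.11g channel 6 (2437 MHz).
EXAMPLE_LINK = {
    "freq_mhz": 2437,
    "tx_power_dbm": 15,
    "tx_cable_loss_db": 1.0,
    "tx_antenna_gain_dbi": 14.0,
    "terrain_loss_db_per_km": 0.5,   # assumed allowance for clutter
    "rain_fade_db_per_km": 0.1,      # assumed; rain fade is small at 2.4 GHz
    "rx_antenna_gain_dbi": 14.0,
    "rx_cable_loss_db": 1.0,
}


def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space loss in dB: 20*log10(d_km) + 20*log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(link: dict, distance_km: float) -> float:
    """Walk the budget: start at transmitter power, add gains, subtract losses."""
    fspl = free_space_path_loss_db(distance_km, link["freq_mhz"])
    per_km = (link["terrain_loss_db_per_km"] + link["rain_fade_db_per_km"]) * distance_km
    return (link["tx_power_dbm"]
            - link["tx_cable_loss_db"] + link["tx_antenna_gain_dbi"]
            - fspl - per_km
            + link["rx_antenna_gain_dbi"] - link["rx_cable_loss_db"])


def link_margin_db(link: dict, distance_km: float, rate_mbps: int) -> float:
    """Received power minus the sensitivity the rate needs (positive = link closes)."""
    return received_power_dbm(link, distance_km) - SENSITIVITY_DBM[rate_mbps]


def best_rate_mbps(link: dict, distance_km: float, fade_margin_db: float = 10.0):
    """Method 1: distance is known; highest rate that closes with the fade margin."""
    for rate in sorted(SENSITIVITY_DBM, reverse=True):
        if link_margin_db(link, distance_km, rate) >= fade_margin_db:
            return rate
    return None


def max_distance_km(link: dict, rate_mbps: int, fade_margin_db: float = 10.0,
                    hi_km: float = 100.0, iterations: int = 60) -> float:
    """Method 2: rate is known; longest distance that still closes.
    The per-km terms make the equation transcendental, so bisect on distance
    (received power only decreases with distance). This is the systematic
    form of the guess-and-adjust approach the article describes."""
    lo, hi = 1e-3, hi_km
    if link_margin_db(link, lo, rate_mbps) < fade_margin_db:
        return 0.0
    if link_margin_db(link, hi, rate_mbps) >= fade_margin_db:
        return hi
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if link_margin_db(link, mid, rate_mbps) >= fade_margin_db:
            lo = mid
        else:
            hi = mid
    return lo
```

For the constructed link at 2 km the free-space loss alone is about 106 dB, the received signal lands near -66 dBm, and with a 10 dB fade margin the highest rate that closes is 36 Mbps; dropping the margin to zero would let 54 Mbps close on paper, which is exactly the kind of design that works on a dry day and fails in a storm.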
Ultimately, you know the required antenna gain and the inter-radio mounting distance. Then you can look at a floor plan or satellite image and map to create a Bill of Materials. Talk this through with the hardware vendor of your choice (or with several if you’re in the research stage). They’ll provide you with “rule-of-thumb” guidelines for creating a Bill of Materials. Of course, a number of companies offer design consulting either as a stand-alone service or in conjunction with equipment distribution.
You can find opportunities to utilize mesh (and WDS) technology as part of many projects in which you might be engaged. When you can’t run an Ethernet cable or fiber optic link between two locations – think WDS. When you need a small number of redundant, fault-tolerant links – think WDS with STA. When you need a larger scale, sophisticated system to interconnect multiple locations – think mesh routing.
Access Point Bill of Materials Secrets: The “Integer” Nature Of Indoor RF Design
When the signal strength threshold for a wireless design changes, it stands to reason that the number of access points will change too. After all, shouldn’t it require more access points to provide a higher signal strength and fewer access points to provide a lower signal strength throughout a given coverage area? In general, yes, but not always. In some cases, especially in indoor environments, changing design requirements doesn’t necessarily require changing the number of access points and their locations.
A simplified floor plan of a hotel's guest room wing
The graphic above shows a simplified floor plan of a hotel's guest room wing. This type of regular, repeating floor plan is ideal for demonstrating the effect that is being presented this month. Let’s say that the administrator desires to provide -70 dBm signal strength throughout this floor. In addition, overlap between access points’ coverage is desired, for redundancy and to facilitate roaming.
The first AP is placed
In the image above, an AP has been placed to provide the required signal strength to the left-most five rooms. The red contour represents the area for which the AP is able to provide -70 dBm signal strength.
This location for AP02 is too far to the right.
Next, the correct location for the next AP must be determined. The image above shows that the indicated location for AP02 is too far to the right. Notice the coverage gap in the room halfway between the two APs (indicated by an arrow).
Moving AP02 to the left provides the desired coverage.
When AP02 is moved two rooms to the left, the desired coverage is achieved. There are no coverage holes, and at least one full room has overlapping coverage from both access points. This area is indicated by the green line in the image above. Notice, however, that the right-most room does not have any coverage. Under the current design parameters, a third access point will be required in order to provide coverage there.
Where should the final AP locations be?
If a third access point must be added to provide coverage to this row of rooms (AP03, shown above), then it makes sense to go back and reconsider the locations of the other access points in the design. The image above shows what would happen if we left AP01 and AP02 in their original locations and simply added AP03. The rooms on the right side of the design are getting more coverage, since they are closer to two APs, while the rooms on the left side of the design are getting less. Granted, the rooms on the left side of the design are still meeting the current design goals. On the other hand, the rooms on the right side of the design are exceeding them.
Final AP locations and coverage predictions
Since three APs are going to be required anyway, it makes sense to space them evenly across the required coverage area, as shown above. When this is done, the resulting RF coverage is actually better than the requirements of the design. Notice that the green lines showing the coverage overlap indicate that now there are two rooms worth of overlap between the access points, instead of the one room of overlap required by the design. Signal strength throughout these rooms will be higher than the design requires, but there’s no way around that. Coverage predictions showed that two access points were not enough to cover all of the required area. With two access points, one room was left totally un-covered. A third access point had to be added, at which point the coverage was somewhat better than required.
We refer to this quality as “the integer nature of RF design”. If you have ten hotel rooms in a hallway, and a single access point can cover four hotel rooms, the perfect number of access points to cover that area would be 10 / 4 = 2.5. But you can't buy half an AP. You’re going to have to round up to three access points. That’s actually enough access points to cover twelve hotel rooms, but what can you do?
The integer nature of RF design means that many indoor wireless designs have a certain amount of extra signal strength built in, above and beyond the design requirements. It’s not that the design is wasteful, it’s just that sometimes an extra AP is required to cover that one little room in the corner, and as a result, there’s extra signal strength in other areas. This explains why, if design requirements change, the number of access points and their location might not change.
Ask the Expert
Do I Need To Worry About Dynamic Frequency Selection?
I’ve heard some discussions about an FCC rules change related to “Dynamic Frequency Selection”.
How will this change affect me?
The rule you’re referring to is FCC rule 47 CFR 15.407(h)(2), which requires that products operating in the UNII-2 and UNII-2 Extended bands (5.25-5.35 GHz and 5.47-5.725 GHz) support Dynamic Frequency Selection (DFS): the radio listens for radar on its channel and automatically moves to another channel so that WLAN communications don’t interfere with military or weather radar systems. All WLAN products that ship in Canada and the US on or after July 20, 2007 must meet the FCC DFS requirements. Products that shipped before that date might support DFS. Products that don’t support DFS might be able to add it via a firmware update; check with the vendor rather than assuming.
Access points that support DFS can be configured to use any 802.11a channel permitted in their regulatory domain. Access points that don’t support DFS can still be used, but they should be configured to use only channels in the UNII-1 band (channels 36, 40, 44, and 48) and the UNII-3 band (channels 149, 153, 157, and 161). Since UNII-3 is intended primarily for outdoor use, this means that indoor 802.11a access points are limited to just the four UNII-1 channels if they don’t support DFS.
This ruling has no effect on 802.11b and 802.11g access points operating in the 2.4 GHz band.
WEP Usage Leads to Up To 200 Million Stolen Credit Card Numbers
In case you needed any more convincing that WEP should be avoided at all costs, here’s a story in which reportedly as many as 200 million credit card numbers were stolen from a database owned by TJX, the parent of Marshalls, T.J. Maxx, and HomeGoods. The attackers broke the encryption of a WEP-based wireless network from outside a Marshalls store, then learned login information by monitoring transactions sent to and from inventory-tracking handhelds. Several lessons can be taken from this story, including: use something stronger than WEP, such as WPA or WPA2, and don’t rely exclusively on your wireless network’s encryption to protect your major databases. Because passwords were carried in the clear over the wireless network, once the attackers broke the WEP encryption they were able to easily access the credit card database. If additional security measures had been in place, such as application-layer encryption of the logins and segmentation so that a store’s wireless segment could not reach the central database, cracking the WEP encryption would have been just the first step of many.
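The cryptographic weakness behind stories like this, as an added example (not from the original article, and not a reconstruction of the attack it describes): WEP builds each packet’s RC4 key as IV || shared_key with a 24-bit IV sent in the clear, so any two frames that reuse an IV share a keystream, and a listener who knows (or can guess) the plaintext of one frame can read the other without ever learning the key. The shared key, the IVs and the frame payloads below are constructed.

```python
"""Added example (not from the original article): the textbook WEP
keystream-reuse weakness. Shared key, IVs and payloads are constructed."""
import math

# Every WEP data frame carrying IP starts with this LLC/SNAP header, so an
# attacker always has at least 8 bytes of known plaintext per frame.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet key is the 3-byte IV followed by the shared key; the IV is
    transmitted unencrypted. Returns iv || ciphertext. (The CRC-32 ICV a real
    frame also carries is omitted here; it adds no confidentiality.)"""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-packet key from the cleartext IV."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV: XOR of ciphertexts == XOR of plaintexts,
    with no knowledge of the key at all."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext yields the keystream for that IV, as
    far as the known plaintext extends."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the same IV, without the key."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday estimate of frames sent before a randomly chosen IV repeats:
    about sqrt(pi/2 * 2**n), roughly 5,100 frames for WEP's 24-bit IV."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)
```

On a busy network an IV repeat is expected within a few thousand frames, and many implementations simply counted the IV up from zero on every reboot, which makes repeats certain rather than probable. The same IV || key construction is what the FMS and later PTW related-key attacks exploit to recover the shared key outright; the keystream reuse shown here is the simpler problem, and on its own it is enough to expose cleartext logins to a passive listener in the parking lot.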
At Connect802 we're your PAGE ONE resource for wireless networking!
Connect802 has the experience, expertise, and resources to help you with your wireless network system. Use your favorite search engine and see what Connect802 is doing. Each month we give you some suggested search terms for you to explore. Here's this month's list. As you look down the search engine results you'll find Connect802 either at the top, or on the first page (true for Google and Excite, unknown for the rest).