5-Minute Security Advisor - Integrating WLANs with Your Wired LANs
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Wireless LANs (WLANs) can be used for several worthy purposes; my favorites include the folks who put WLANs in airport terminals, Starbucks, and other public spaces. However, there's a big difference between building a stand-alone WLAN and integrating WLANs with your existing LAN. Whether you're adding wireless capability to your home LAN or rolling out wireless for a Fortune 500 corporation, there are several points you need to consider before you plug in your access points (APs) and start surfing wirelessly.
What's Different About WLANs?
It's really tempting to consider a WLAN as a LAN without the wires, but that's not quite accurate. Sure, WLANs use the same basic CSMA/CD protocol that wired Ethernet networks do, and you run TCP/IP over them without caring about the physical transport medium. However, there are some fundamental differences between WLANs and LANs that you need to consider:
WLANs are slower, in general, than LANs. The 802.11b standard provides connectivity at up to 11Mb/sec, while 802.11a and 802.11g provide up to 54Mb/sec. Compare this speed with the 100Mb/sec speed of common LAN hardware or the 1000Mb/sec of Gigabit Ethernet, and it looks pretty puny—especially when you remember that the speed of a WLAN connection can be reduced (down to 2Mb/sec) as a result of signal interference.
WLANs have different footprints. Wired LANs depend on the familiar star topology: Every port connects to a hub or switch, and those devices in turn can connect to others. WLANs extend that topology, but because of signal strength and range limitations, providing complete coverage in a building (or in many buildings, as at Microsoft's campus) can require many APs, possibly with additional antennas.
WLANs require configuration. With LAN switches and hubs, you just plug them in and you're ready to go. WLAN APs, on the other hand, need to be configured. Although configuring APs isn't hard, it does mean that you must pay attention to their configuration, to the passwords assigned to them, and to changes in your network that can require that you change the configuration at some time in the future.
Preparing to Deploy Your WLAN
Before you actually deploy your WLAN, there are preparatory steps you should take. Not every step must be completed before you throw the switch on your first AP, but all of them must be completed at some point.
Choose a security-minded hardware vendor. Cisco, Agere, and other vendors support 802.1x, Wired Equivalent Privacy (WEP) rekeying, and 128-bit WEP in their hardware, but other vendors might not. Before you start buying anything, make sure that the hardware you buy has the security features you want.
Decide what kind of encryption and authentication you want to use. If at all possible, use 802.1x.
Decide whether the WLAN will be tightly or loosely integrated with your LAN. Will the two networks share a common address space? Think about how you want to assign IP addresses to clients: Does each AP have its own DHCP range, or would you be better off with a centralized DHCP server?
Perform a site survey. This survey can be a complex, expensive effort (e.g., you're providing WLAN access to an entire corporate campus or downtown area) or a simple one (e.g., setting up a single AP, then wandering around to see what kind of signal strength you get at various locations). Be sure to check outside the structures where you're providing access to make sure your signal doesn't go too far afield.
Decide how many concurrent wireless users you want to support. If you have only a few users, no problem; if you have more than 25 or so users, you might need multiple APs even in a relatively small space. The nice thing about WLANs is that you can always add more APs as necessary to scale up your network.
Set up a single AP and verify that your authentication and encryption settings work properly. This step is very important, because improperly configured WLANs allow passers-by to get an address on your network and use it, possibly for bad purposes.
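The preparatory steps above (site survey, user-count planning, and verifying that your trusted APs actually use 802.1x) lend themselves to a small checklist script. The following is an added example, not code from the original advisory; the survey records, the "open"/"wep"/"wep+802.1x" labels, the -70 dBm usability threshold and the 25-users-per-AP figure are assumptions for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class SurveyRecord:
    """One signal reading logged while walking the site (constructed format)."""
    ssid: str
    bssid: str
    location: str      # where the reading was taken
    outdoors: bool     # True if taken outside the building you are covering
    signal_dbm: int    # received signal strength at that spot
    security: str      # constructed labels: "open", "wep", "wep+802.1x"


# Constructed sample readings, as a surveyor might log them.
SURVEY = [
    SurveyRecord("corp-wlan", "00:11:22:33:44:01", "lobby", False, -45, "wep+802.1x"),
    SurveyRecord("corp-wlan", "00:11:22:33:44:01", "parking lot", True, -62, "wep+802.1x"),
    SurveyRecord("corp-wlan", "00:11:22:33:44:02", "2nd floor east", False, -50, "wep"),
    SurveyRecord("setup-ap", "00:11:22:33:44:03", "lab", False, -40, "open"),
    SurveyRecord("guest", "00:11:22:33:44:04", "lobby", False, -55, "open"),
]

USABLE_DBM = -70   # assumed: stronger than this, a passer-by can realistically associate
USERS_PER_AP = 25  # the article's rough "more than 25 or so users" rule of thumb


def leaking_aps(records, usable_dbm=USABLE_DBM):
    """BSSIDs whose signal is still usable outside the building (signal 'too far afield')."""
    return sorted({r.bssid for r in records if r.outdoors and r.signal_dbm >= usable_dbm})


def weak_auth_aps(records, trusted_ssids):
    """Trusted-network APs that are not using 802.1x, per the verification step."""
    return sorted({r.bssid for r in records
                   if r.ssid in trusted_ssids and "802.1x" not in r.security})


def aps_needed(users_per_area, per_ap=USERS_PER_AP):
    """Minimum AP count per area, never below one so every area keeps coverage."""
    return {area: max(1, math.ceil(n / per_ap)) for area, n in users_per_area.items()}


def report(records, trusted_ssids, users_per_area):
    """Bundle the three checks into one deployment-readiness summary."""
    return {"leaking": leaking_aps(records),
            "weak_auth": weak_auth_aps(records, trusted_ssids),
            "aps_needed": aps_needed(users_per_area)}
```

Any BSSID listed under "leaking" should have its antenna placement or power revisited, and anything under "weak_auth" should not be connected inside the firewall until 802.1x is in place.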
Tying Together WLANs and LANs
Other articles in this series have briefly mentioned the idea of putting your WLAN APs outside your network firewall, or at least in the network perimeter, or a DMZ. The physical location of your APs is important for clients, because it determines range and accessibility, but the network location is more important from a security and performance standpoint.
In principle, putting the APs inside the firewall means that any user who can authenticate to the AP can access any system on your internal network. You probably have access controls on your most sensitive systems (and if you don't, why not?), but it's better to screen out unwanted traffic at the network perimeter. Putting the APs outside the firewall just forces WLAN users to VPN in, which admittedly is less convenient for them than using an ordinary connection. There's another disadvantage to this approach, too: Heavy WLAN-generated traffic might overwhelm your firewall or VPN server. One common approach is to split the difference and put one AP outside the firewall and put the rest inside. The "outside" AP can be used by guests or untrusted users (but trusted users can VPN to the internal network), while the "inside" APs can be used by authenticated users. Naturally, this configuration isn't recommended unless you're using strong authentication (e.g., 802.1x) on the "inside" APs.