Building Wireless Community Networks, Second Edition

By Rob Flickenger
Chapter 1: Wireless Community Networks
A year is an eternity in networking.
—Anonymous
In the time since the first edition of this book was published, millions of wireless networking components have shipped into the eagerly waiting hands of consumers. We've seen consumer-grade wireless equipment prices fall dramatically as more and more manufacturers integrate wireless into their own products. Articles about various aspects of wireless networking have made international news, including strange tales of WarChalking, WarDriving, and Pringles can-wielding Secret Service agents (as reported at http://www.securityfocus.com/news/899). Wireless access is now available in many coffeehouses, parks, schools, offices, and homes.
What is it about wireless networking that has so many people worked into such a frenzy? I believe that people's fascination with wireless is simple to understand. Wireless data networking is probably the most "magical" technology to evolve in recent times. Think of it: by installing an inexpensive PC card, your laptop can suddenly send and receive data at a very high speed, to anyone in range, even through walls! Many laptops have dispensed with the PC card altogether, and seem to magically just "be" online. Combined with the power of the Internet, your tiny battery-powered computer can now communicate globally, wherever an otherwise invisible wireless network happens to exist. More than any other networking technology, people just think it's cool to use wireless (never mind that it is extremely useful, cheap, and can do things that wired networks will never be able to do).
In the past year and a half, we have also seen more than a few wireless start-ups come and go. Wireless networking may be cheap and easy for the individual, but it has certainly proven to be far from a "slam-dunk" business for would-be wireless ISPs. In the same time period, the project list at PersonalTelco (available on their site at http://www.personaltelco.net/index.cgi/WirelessCommunities) has grown to five times the size, now listing over 250 active community networking efforts. While public wireless networks haven't yet proven to be a stunning commercial success,
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Why Now?
In recent times, the velocity of technology development has exceeded "blur" and is now moving at speeds that defy description. Internet technology in particular has made astounding strides in the last few years. Where only a few short years ago 56Kbps modems were all the rage, many tech heads now find themselves complaining about how slow their company's T1 connection seems compared to their 6Mbps DSL connection at home.
Never before have so many had free and fast access to so much information. As more people get a taste of millisecond response times and megabit download speeds, they seem to only hunger for more. In most places, the service that everyone is itching for is DSL, or Digital Subscriber Line service. It provides relatively high bandwidth (anywhere from 128Kbps to 6Mbps) over standard copper telephone lines, provided your installation is within about three miles of the telephone company's CO, or central office (a technical constraint of the technology: signal loss on the copper loop grows with distance). DSL is generally preferred over cable modems because each DSL subscriber has a dedicated copper loop to the CO, so the bandwidth of that link is not shared with, and not directly affected by, the traffic habits of everyone else in your neighborhood (everything beyond the CO is still shared, of course). It isn't cheap (ranging anywhere from $40 to $300 per month, plus ISP and equipment charges), but that doesn't seem to be discouraging demand.
Telephone companies, of course, are completely enamored with this state of affairs. In fact, the intense demand for high-bandwidth network access has led to so much business that enormous lead times for DSL installations are the rule in many parts of the country. In many areas, if you live outside of the perceived "market" just beyond range of the CO, lead times are sometimes quoted at "two to three years" (marketing jargon for "never, but we'll take your money anyway if you like"). Worse than that, in the wake of widespread market consolidation, some customers who were quite happy with their DSL service are finding themselves stranded when their local ISP goes out of business.
Additional content appearing in this section has been removed.
The WISP Approach
Visions of license-free, monopoly-shattering, high-bandwidth networks are certainly dancing through the heads of some business-minded individuals these days. On the surface, it looks like sound reasoning: if people are conditioned into believing that 6Mb DSL costs $250 per month to provide, then they'll certainly be willing to pay at least that much for an 11Mb wireless connection that costs pennies to operate, particularly if it's cleverly packaged as an upgrade to a brand name they already know. The temptation of high profits and low operating costs seems to have once again allowed marketing to give way to good sense. Thus, the "Wireless DSL" phenomenon was born. (Who needs an actual technology when you can market an acronym, anyway?)
In practice, many WISPs are finding out that it's not as simple as throwing some antennas up and raking in the cash. To start with, true DSL provides a full-duplex, switched line. Most DSL lines are asymmetric, meaning that they allow for a higher download speed at the expense of slower upload speed. This difference is hardly noticeable when most of the network traffic is incoming (i.e., when users are browsing the web), but it is present. Even with the low-speed upload limitation, a full-duplex line can still upload and download data simultaneously. Would-be wireless providers that build on consumer-grade wireless technology are limited to half-duplex, shared bandwidth connections. That means that to actually provide the same quality of service as a wired DSL line, they would need four radios for each customer: two at each end, using one for upstream and one for downstream service. If the network infrastructure plan is to provide a few (or even a few dozen) wireless access sites throughout a city, these would need to be shared between all of the users, further degrading network performance, much like the cable modem nightmare. Additional access sites could help, but adding equipment also adds to hardware and operating costs.
Speaking of access points, where exactly should they be placed? Naturally, the antennas should be located wherever the greatest expected customer base can see them. Unless you've tried it, I guarantee this is trickier than it sounds. Trees, metal buildings, chain-link fences, and the natural lay of the land make antenna placement an interesting challenge for a hobbyist, but a nightmare for a network engineer. As we'll see later, an antenna site at least needs power and a sturdy mast to mount equipment on, and, preferably, it also has access to a wired backbone. Otherwise, even more radio gear is needed to provide network service to the tower.
Additional content appearing in this section has been removed.
The Cooperative Approach
The difficulties of a commercial approach to wireless access exist because of a single social phenomenon: the customer is purchasing a solution and is therefore expecting a reasonable level of service for their money. In a commercial venture, the WISP is ultimately responsible for upholding their end of the agreement or otherwise compensating the customer.
The "last mile" problem has a very different outlook if each member of the network is responsible for keeping his own equipment online. Like many ideas whose time has come, the community access wireless network phenomenon is unfolding right now, all over the planet. People who are fed up with long lead times and high equipment and installation costs are pooling their resources to provide wireless access to friends, family, neighbors, schools, and remote areas that will likely never see broadband access otherwise. As difficult as the WISP nightmare example has made this idea sound, people everywhere are learning that they don't necessarily need to pay their dues to the telco to make astonishing things happen. They are discovering that it is indeed possible to provide very high bandwidth connections to those who need it for pennies—not hundreds of dollars—a month.
Of course, people who are expected to run a wireless gateway need access either to highly technical information, or to a solution that is no more difficult than plugging in a connector and flipping a switch. While bringing common experiences together can help find an easy solution more quickly, only a relatively small percentage of people on this planet know that microwave communications are even possible. Even fewer know how to effectively connect a wireless network to the Internet. As we'll see later, ubiquity is critical if wide area wireless access is going to be usable (even to the techno über-elite). It is in everyone's best interest to cooperate, share what they know, and help make bandwidth as pervasive as the air we breathe.
The desire to end this separation of "those in the know" from "those who want to know" is helping to bring people away from their computer screens and back into their local neighborhoods. In the last year, hundreds of independent local groups have formed with a very similar underlying principle: get people connected to each other for the lowest possible cost. Web sites, mailing lists, community meetings, and even IRC channels are being set up to share information about extending wireless network access to those who need it. Wherever possible, ingeniously simple and inexpensive (yet powerful) designs are being drawn up and given away. Thousands of people are working on this problem not for a personal profit motive, but for the benefit of the planet.
Additional content appearing in this section has been removed.
About This Book
The ultimate goal of this book is to get you excited about this technology, and arm you with the information you need to make it work in your community. We will demonstrate various techniques and equipment for connecting wireless networks to wired networks, and look at how others "in the know" are getting their neighborhoods, schools, and businesses talking to each other over the air. Along the way, we will visit the outer limits of what is possible with wireless networking, including how to stretch the range to miles and provide access for hundreds. If your budget won't allow for all of the networking gear you need, we'll show you how to build some of your own.
Through the efforts of countless volunteers and hobbyists, more bits are being moved more cheaply and easily than at any other time in history. There is more happening in the wireless world right now than is practical to put down on paper. Get online and find out what others in your area are doing with this technology (extensive online references are provided throughout, and in the Appendixes).
I hope you will find this book a useful and practical tool on your journey toward your own wireless utopia.
Additional content appearing in this section has been removed.
Chapter 2: Defining Project Scope
The nice thing about standards is that there are so many to choose from.
—Andrew S. Tanenbaum, c.1980
What do you want to accomplish? As a system administrator, this is a question I ask whenever a user comes to me with a new request. It's easy to get wrapped up in implementation details while forgetting exactly what it is you set out to do in the first place. As projects get more complex, it's easy to find yourself "spinning your wheels" without actually getting anywhere.
The most common questions I've encountered about wireless networking seem to be the simplest:
  • What is the difference between 802.11a/b/g, 802.16, and 802.1x?
  • How much does it cost?
  • How far will it go?
  • Can I use it to do [fill in the blank]?
The first question is by far the most straightforward to answer—the rest all depend on your application and circumstances. Before we can start building networks, we need to have a clear idea of what we have to work with.
The Standards
Here's a brief overview of the current (and future) standards that all fall under the 802 family:
802.11
The first wireless standard to be defined in the 802 family was 802.11. It was approved by the IEEE in 1997, and defines three possible physical layers: FHSS at 2.4GHz, DSSS at 2.4GHz, and Infrared. 802.11 could achieve data rates of 1 or 2Mbps. 802.11 radios that use DSSS are interoperable with 802.11b and 802.11g radios at those speeds, while FHSS radios and Infrared are obviously not.
802.11a
According to the specifications available from the IEEE (http://standards.ieee.org/getieee802/), both 802.11a and 802.11b were ratified on September 16, 1999. Early on, 802.11a was widely touted as the "802.11b killer," as it not only provides significantly faster data rates (up to 54Mbps), but operates in a completely different spectrum, the 5GHz UNII band. It uses an encoding technique called Orthogonal Frequency Division Multiplexing (OFDM). While the promise of higher speeds and freedom from interference with 2.4GHz devices made 802.11a sound promising, it came to market much later than 802.11b. 802.11a also suffers from range problems: at the same power and gain, signals at 5GHz appear to travel only half as far as signals at 2.4GHz, presenting a real technical hurdle for designers and implementers. The rapid adoption of 802.11b only made matters worse, since users of 802.11b gear didn't have a clear upgrade path to 802.11a (the two are incompatible). As a result, 802.11a isn't nearly as ubiquitous or inexpensive as 802.11b, although client cards and dual-band access points (which essentially incorporate two radios, or a single radio with a dual-band chipset) are coming down in price.
802.11b
Additional content appearing in this section has been removed.
Hardware Requirements
The total cost of your project is largely dependent on your project goals and how much work you're willing to do for yourself. While you can certainly spend tens of thousands on outdoor, ISP-class equipment, you may find that you can save money (and get more satisfaction) building similar functionality yourself, from cheaper off-the-shelf hardware.
If you simply want to connect your laptop to someone else's 802.11b network, you'll need only a client card and driver software (at this point, compatible cards cost between $30 and $100). Like most equipment, the price typically goes up with added features, such as an external antenna connector, higher output power, a more sensitive radio, and the usual bells and whistles. Once you select a card, find out what the network settings are for the network you want to connect to and hop on. If you need more range, a small omnidirectional antenna (typically $50-$100) can significantly extend the roaming range of your laptop.
If you want to provide wireless network access to other people, you'll need an access point (AP). This has become something of a loaded term, and can refer to anything from a low-end "residential gateway" class box (about $100) to high-end, commercial quality, multi-radio equipment ($1000+). They are typically small, standalone boxes that contain at least one radio and another network connection (such as Ethernet or a dialup modem). For the rest of this book, we'll use the term "access point" (or the acronym AP) to refer to any device capable of providing network access to your wireless clients. As we'll see in Chapter 5, this can even be provided by a conventional PC router equipped with a wireless card.
While a radio and an access point can provide a simple short-range network, you will more than likely want to extend your coverage beyond what is possible out of the box. The most effective way of extending range is to use external antennas. Antennas come in a huge assortment of packages, from small omnidirectional tabletop antennas to large, mast-mounted parabolic dishes. There isn't one "right" antenna for every application; you'll need to choose the antenna that fits your needs (if you're trying to cover just a single building, you may not even need external antennas). Take a look at Chapter 6 for specific antenna descriptions.
Additional content appearing in this section has been removed.
Site Survey
The most efficient wireless network consists of a single client talking to a single access point a few feet away with an absolutely clear line of sight between them and no other noise on the channel being used (either from other networks or from equipment that shares the 2.4GHz spectrum). Of course, with the possible exception of the home wireless LAN, these ideal conditions simply aren't feasible. All of your users will need to "share the airwaves," and it's more than likely that they won't be able to see the access point from where they are located. Fortunately, 802.11b gear is very tolerant of less than optimal conditions at close range. When planning your network, be sure to look out for the following:
  • Objects that absorb microwave signals, such as trees, earth, brick, plaster walls, and people
  • Objects that reflect or diffuse signals, such as metal, fences, tinted windows, mylar, pipes, screens, and bodies of water
  • Sources of 2.4GHz noise, such as microwave ovens, cordless phones, wireless X-10 cameras and automation equipment, and other 802.11b networks
The more you can eliminate from the path between your access points and your clients, the happier you'll be. You won't be able to get rid of every obstacle, but you should be able to minimize their impact by working around them.
You may have total control over your own access points and other 2.4GHz equipment, but what about your neighbors? How can you tell what channels are in use in your local area?
While a spectrum analyzer (and an engineer to run it) is the ultimate survey tool, such things don't come cheap. Fortunately, you can get a lot of useful information using a good quality client radio and software. Take a look at the tools that come with your wireless gear. Lucent's Site Monitor tool (shown in Figure 2-1), which ships with Orinoco/Agere/Avaya/Proxim cards, is particularly handy. You should be able to get an overview map of all networks in range, and which channels they're using.
Additional content appearing in this section has been removed.
802.11b Channels and Interference
The IEEE 802.11b specification defines fourteen overlapping channels, spaced 5MHz apart, in the 2.4GHz band; which of them you may use depends on your regulatory domain (eleven in the United States, thirteen in most of Europe, and channel 14 only in Japan). Much like the different channels on a cordless phone, changing the channel can help eliminate noise that degrades network performance and can even allow multiple networks to coexist in the same physical space without interfering with each other.
Rather than attempting to set up a single central access point with a high-gain omnidirectional antenna, you will probably find it more effective to set up several low-range, overlapping cells. If you use access point hardware, and all of the APs are connected to the same physical network segment, users can even roam seamlessly between cells.
This spectrum's 11 overlapping channels are shown in Table 2-1.
Table 2-1: 802.11b channel frequencies

Channel   Center frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10
Additional content appearing in this section has been removed.
Topographical Mapping 101
As you roll out wireless equipment, you'll find yourself looking at your environment in a different way. Air conditioning ducts, pipes, microwave ovens, power lines, and other sources of nastiness start leaping into the foreground as you walk around. By the time you've set up a couple of nodes, you will most likely be familiar with every source of noise or reflection in the area you're trying to cover. But what if you want to extend your range, as in a several mile point-to-point link? Is there a better way to survey the outlying environment other than walking the entire route of your link? Maybe.
Topographical surveys have been made (and are constantly being revised) by the USGS in every region of the United States. Topo (short for topographical) maps are available on both paper and CD-ROM from a variety of sources. If you want to know how the land lies between two points, the USGS topos are a good starting point.
The paper topo maps are a great resource for getting an overview of the surrounding terrain in your local area. You can use a ruler to quickly gauge the approximate distance between two points, and to determine whether there are any obvious obstructions in the path. While they're a great place to start assessing a long link, topographical maps don't provide some critical information: namely, tree and building data. The land may appear to cooperate on paper, but if there's a forest or several tall buildings between your two points, there's not much hope for a direct shot.
The USGS also provides DOQs (or Digital Orthophoto Quadrangles) of actual aerial photography. Unfortunately, freely available versions of DOQs tend to be out of date (frequently 8 to 10 years old), and recent DOQs are not only expensive but often aren't even available. If you absolutely must have the latest aerial photographs of your local area, the USGS will let you download them for $30 per order and $7.50-$15 per file. You will probably find it cheaper and easier to make an initial estimate with topo maps and then simply go out and try the link.
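Before driving out to test a several-mile shot, it is worth running the numbers. The following is an added example (not from the book) that puts the free-space path loss behind the "half the range at 5GHz" rule of thumb from the standards overview into a small link-budget calculator, and adds a first-Fresnel-zone clearance check, which the topo-map discussion above only hints at: a path that is line-of-sight on paper can still fail if trees or rooftops intrude into the zone around that line. The transmit power, antenna gains, cable losses and receiver sensitivity in the sample link are assumed illustrative values, not figures from the book.

```python
"""Link budget and Fresnel-zone check for a long point-to-point 802.11 link.

Added example; the sample link's figures are assumed, not taken from the book.
"""
import math

SPEED_OF_LIGHT_M_S = 299_792_458


def fspl_db(distance_m, freq_hz):
    """Free-space path loss (Friis): 20log10(d) + 20log10(f) - 147.55, d in m, f in Hz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55


def equal_loss_range_ratio(freq_a_hz, freq_b_hz):
    """At equal power, gain and path loss, range scales with 1/f, so d_b / d_a = f_a / f_b.
    For 2.4GHz versus 5GHz that is a little under one half."""
    return freq_a_hz / freq_b_hz


def link_margin_db(tx_power_dbm, tx_gain_dbi, tx_cable_loss_db,
                   rx_gain_dbi, rx_cable_loss_db, rx_sensitivity_dbm,
                   distance_m, freq_hz):
    """Received signal minus receiver sensitivity, in dB.
    Positive means the link closes in free space; keep 10-20dB spare for rain,
    multipath and the antenna that was not aimed quite as well as you thought."""
    received_dbm = (tx_power_dbm - tx_cable_loss_db + tx_gain_dbi
                    - fspl_db(distance_m, freq_hz)
                    + rx_gain_dbi - rx_cable_loss_db)
    return received_dbm - rx_sensitivity_dbm


def fresnel_radius_m(distance_m, freq_hz, point_m=None):
    """Radius of the first Fresnel zone at a point along the path (midpoint by default):
    r = sqrt(lambda * d1 * d2 / d). The zone is widest in the middle of the path."""
    d1 = distance_m / 2 if point_m is None else point_m
    d2 = distance_m - d1
    wavelength_m = SPEED_OF_LIGHT_M_S / freq_hz
    return math.sqrt(wavelength_m * d1 * d2 / distance_m)


def path_clears(distance_m, freq_hz, obstacles, clearance_fraction=0.6):
    """obstacles: list of (distance_from_end_A_m, clearance_below_line_of_sight_m), where the
    clearance is the vertical gap between the straight line joining the antennas and the top
    of the tree or roof. The usual rule is to keep 60% of the first Fresnel zone clear."""
    for along_m, clearance_m in obstacles:
        if clearance_m < clearance_fraction * fresnel_radius_m(distance_m, freq_hz, along_m):
            return False
    return True


def sample_link_margin_db():
    """Constructed 5km link on channel 6: 15dBm card, 24dBi dishes, 3dB of cable each end,
    -82dBm receiver sensitivity at 11Mbps. All of these are assumed figures."""
    return link_margin_db(tx_power_dbm=15, tx_gain_dbi=24, tx_cable_loss_db=3,
                          rx_gain_dbi=24, rx_cable_loss_db=3, rx_sensitivity_dbm=-82,
                          distance_m=5000, freq_hz=2.437e9)


if __name__ == "__main__":
    print(f"path loss, 5km @ 2.437GHz: {fspl_db(5000, 2.437e9):.1f} dB")
    print(f"sample link margin: {sample_link_margin_db():.1f} dB")
    print(f"midpoint Fresnel radius: {fresnel_radius_m(5000, 2.437e9):.1f} m")
    print("5GHz range relative to 2.4GHz:", round(equal_loss_range_ratio(2.437e9, 5.25e9), 2))
    print("clears a 10m-below-LOS roof at midpoint:", path_clears(5000, 2.437e9, [(2500, 10.0)]))
```

The path-loss figure is the free-space best case; real links across buildings and foliage lose more, which is why a margin that looks comfortable on paper is the starting point for going out and trying the link, not a substitute for it.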
Additional content appearing in this section has been removed.
Chapter 3: Network Layout
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
—Douglas Adams
As we saw in Chapter 2, there is an astounding variety of wireless networking equipment available on the consumer market today. While the champion technology of wireless community networks is still 802.11b, simply choosing equipment that is "Wi-Fi" compliant won't necessarily guarantee a successful network project.
While equipment features, capabilities, and prices tend to change drastically in a short time, the essential network functions that they perform are still very straightforward. Let's look at what your devices need to provide in order to fulfill your wireless networking dreams.
Layer 1 (Physical) Connectivity
Before any two components of your network can talk to each other, they must share a common physical medium through which they communicate. In the wired world, this is obvious; you would never try to connect a copper CAT5 cable to a piece of fiber and expect it all to "just work."
In the wireless world, every device from your network to your cordless phone to your garage door opener must share the same physical medium: electromagnetic waves radiating through the air. It is possible for all of these devices to communicate without interfering with each other because they can be made sensitive to a particular portion of the vast electromagnetic spectrum. This is analogous to tuning channels on a radio or TV—many channels are broadcasting simultaneously, but they are well-coordinated and only use a portion of the available spectrum, to avoid interfering with each other.
So before any other considerations, devices that need to intercommunicate on your network must be able to send signals in the same frequency range. Obviously, an 802.11b card operating at 2.4GHz doesn't have a chance of carrying on a conversation with an 802.11a Access Point speaking at 5GHz. In addition to using a particular frequency range, each wireless protocol also defines a plan for using that range. For example, the original 802.11 specification defines two RF modulation schemes, FHSS and DSSS. Both operate at 2.4GHz, but use the spectrum differently. Frequency Hopping Spread Spectrum (FHSS) breaks the available spectrum into 79 channels (in North America and most of Europe), each 1MHz wide. It uses a time-based, pseudo-random algorithm to quickly skip between all of the available channels in an attempt to avoid noise from other 2.4GHz devices. As we saw in Chapter 2, Direct Sequence Spread Spectrum (DSSS) breaks the same frequency range into overlapping channels (11 of them in the United States), each 5MHz apart but 22MHz wide. It uses one channel at a time and employs more sophisticated encoding techniques to avoid noise and increase the data rate. Although FHSS and DSSS devices both operate "at 2.4GHz," they have no hope of being able to communicate with each other.
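The 5MHz spacing and 22MHz width are all you need to work out which DSSS channels actually stay out of each other's way. As an added example (not from the book), the following Python turns that arithmetic, together with the center frequencies from Table 2-1 in Chapter 2, into the checks a site survey needs: which channels collide, the largest set that can share the air without overlapping, and, given the channels your neighbors are already using, which one to pick. Channel 14 at 2.484GHz is included for completeness; whether channels 12 to 14 are legal where you are depends on your regulatory domain.

```python
"""Overlap arithmetic for 2.4GHz DSSS (802.11b) channels. Added example, not from the book."""

CHANNEL_WIDTH_MHZ = 22     # occupied bandwidth of one DSSS channel
CHANNEL_SPACING_MHZ = 5    # center-to-center spacing for channels 1-13


def center_frequency_mhz(channel):
    """Center frequency in MHz. Channels 1-13 run from 2412 in 5MHz steps;
    channel 14 (Japan only) sits apart at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + CHANNEL_SPACING_MHZ * channel
    raise ValueError(f"no such 2.4GHz channel: {channel}")


def channels_overlap(a, b):
    """Two 22MHz-wide channels collide unless their centers are at least 22MHz apart,
    i.e. unless they are five or more channel numbers apart (1/6/11 is the classic set)."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(available):
    """Largest set of mutually non-overlapping channels from `available`.
    Greedy lowest-first is optimal here because every channel has the same width
    (this is interval scheduling with equal-length intervals)."""
    chosen = []
    for ch in sorted(set(available)):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_neighbors(my_channel, seen):
    """Given the channels a survey found in use, which of them will step on my_channel?"""
    return sorted({c for c in seen if c != my_channel and channels_overlap(my_channel, c)})


def least_congested(seen, candidates=(1, 6, 11)):
    """Pick the candidate whose 22MHz footprint overlaps the fewest surveyed networks
    (a network on the same channel counts too). Ties go to the lowest channel."""
    return min(candidates,
               key=lambda c: (sum(1 for s in seen if channels_overlap(c, s)), c))


if __name__ == "__main__":
    # Constructed survey result: what a Site Monitor style scan might report nearby.
    survey = [1, 1, 6, 3, 9]
    print("US non-overlapping set:", non_overlapping_set(range(1, 12)))
    print("neighbors that interfere with channel 6:", interfering_neighbors(6, survey))
    print("quietest of 1/6/11 given the survey:", least_congested(survey))
```

Note that "non-overlapping" is about channel edges only; a strong transmitter two channels away can still raise the noise floor, which is one more reason to prefer several low-power cells over one high-gain omni.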
Additional content appearing in this section has been removed.
Wired Wireless
Presumably, no matter how many wireless clients you intend to support, you will eventually need to "hit the wire" in order to access other networks (such as the Internet). There are a number of different kinds of physical devices you can use to jump from wireless back to your wired infrastructure.
APs are widely considered ideal for "campus" coverage. They provide a point of entry to the wired infrastructure that can be configured by a central authority. They typically allow for one or two radios per AP, theoretically supporting hundreds of simultaneous wireless users at a time. They must be configured with an ESSID (Extended Service Set ID, also known as the Network Name or WLAN Service Area ID, depending on who you talk to); it's a simple string that identifies the wireless network. Many APs use a client program for configuration and a simple password to protect their network settings. All hardware access points provide BSS master services.
Most APs also provide a number of enhanced features. External antennas (or antenna connectors), advanced link status monitoring, and extensive logging and statistics are now common on many APs. In addition, most access points provide two additional access-control measures: MAC address filtering and closed networks. With MAC filtering enabled, a client radio attempting access must have its MAC address listed on an internal table before it can associate with the AP. In a closed network, the AP doesn't beacon its ESSID at regular intervals. This means that each client must know the ESSID ahead of time, which makes it more difficult for people using programs such as NetStumbler to detect the network. Treat both as hurdles rather than as security: MAC addresses travel unencrypted in every frame and most client drivers let the user set them, and a closed network's ESSID still appears in the probe and association frames that legitimate clients send.
Other enhanced modes include dynamic WEP key management, public encryption key exchange, channel bonding, and other fun toys. Unfortunately, these extended modes are entirely manufacturer- (and model-) specific, are not covered by any established standard, and do not interoperate with other manufacturers' equipment.
Additional content appearing in this section has been removed.
Vital Services
A network can be as simple as a PPP dialup to an ISP, or as grandiose and baroque as a multinational corporate MegaNet. But every node on a multimillion dollar network in Silicon Valley needs to address the same fundamental questions that a dialup computer must answer: who am I, where am I going, and how do I get there from here? In order for wireless clients to easily access a network, the following basic services must be provided.
The days of static IP addresses and user-specified network parameters are thankfully far behind us. Using DHCP (Dynamic Host Configuration Protocol), it is possible (and even trivial) to set up a server that responds to client requests for network information. Typically, a DHCP server provides all of the information that a client needs to begin routing packets on the network, including the client's own IP address, the default Internet gateway, and the IP addresses of the local DNS servers. The client configuration is ridiculously easy and is, in fact, configured out of the box for DHCP in all modern operating systems.
While a thorough dissection of DHCP is beyond the scope of this book, a typical DHCP session goes something like this: a client boots up, knowing nothing about the network it is attached to except its own hardware MAC address. It broadcasts a packet saying effectively, "I am here, and this is my MAC address. What is my IP address?" A DHCP server on the same network segment is listening for these requests, and responds with "Hello MAC address, here is your IP address, and by the way here is the IP address to route outgoing packets to, and some DNS servers are over there. Come back in a little while and I'll give you more information." The client, now armed with a little bit of knowledge, goes about its merry way. Figure 3-3 shows how this conversation takes place.
Figure 3-3: DHCP lets a node get its network settings dynamically and easily
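As an added example (not from the book), here is a minimal RFC 2131 DHCP message builder and parser that walks through the conversation just described, and also illustrates the lease-time option discussed later under the AirPort's DHCP Functions. All addresses and the client MAC are constructed samples (the 10.0.1.x values mirror the AirPort's default range); nothing is sent on a real network.

```python
"""Minimal RFC 2131 DHCP builder/parser for the DISCOVER/OFFER exchange above.
Added example, not from the book; runs offline on constructed packets."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2          # 'op' field: client request / server reply
DISCOVER, OFFER = 1, 2                 # option 53 message types
MAGIC = bytes([99, 130, 83, 99])       # cookie that introduces the options field
OPT_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 51: "lease_time",
             53: "msg_type", 54: "server_id"}

def ip(dotted):
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))

def build_message(op, msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Fixed 236-byte header, magic cookie, TLV options, 0xff end marker."""
    zero = ip("0.0.0.0")
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0,       # htype=Ethernet, hlen=6, hops, secs, flags
                      zero, ip(yiaddr), zero, zero,  # ciaddr, yiaddr, siaddr, giaddr
                      mac.ljust(16, b"\0"), b"", b"")  # chaddr, sname, file
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + b"\xff"

def parse_message(data):
    """Decode header fields and options; refuse malformed or truncated input."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", data[:8])
    msg = {"op": op, "xid": xid, "yiaddr": ".".join(map(str, data[16:20])),
           "chaddr": data[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                             # pad option, single byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        i += 2 + length
        if code in (1, 3, 54):                       # single IPv4 address
            val = ".".join(map(str, value))
        elif code == 6:                              # one or more DNS server addresses
            val = [".".join(map(str, value[j:j + 4])) for j in range(0, len(value), 4)]
        elif code == 51:                             # lease lifetime in seconds
            val = struct.unpack("!I", value)[0]
        else:                                        # msg_type as int, unknown codes raw
            val = value[0] if code == 53 else value
        msg["options"][OPT_NAMES.get(code, "opt%d" % code)] = val
    return msg

def run_exchange():
    """The conversation from the text: client DISCOVER, server OFFER carrying the
    address, gateway, DNS servers and lease time. Addresses are constructed samples."""
    client_mac = bytes.fromhex("00a0f8112233")       # constructed, not a real device
    discover = build_message(BOOTREQUEST, DISCOVER, 0x3903F326, client_mac)
    req = parse_message(discover)                    # what the server sees
    offer = build_message(BOOTREPLY, OFFER, req["xid"], client_mac, yiaddr="10.0.1.2",
                          options=[(1, ip("255.255.255.0")), (3, ip("10.0.1.1")),
                                   (6, ip("10.0.1.1") + ip("192.0.2.53")),
                                   (51, struct.pack("!I", 3600)), (54, ip("10.0.1.1"))])
    reply = parse_message(offer)
    if reply["xid"] != req["xid"] or reply["chaddr"] != req["chaddr"]:
        raise ValueError("offer is not for our transaction; a client must ignore it")
    return reply
```

The transaction-id and hardware-address check in `run_exchange` is the minimum a client should do before trusting an answer, since any host on the segment can hear the broadcast and reply.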
Security Considerations
Although the differences between tethered and untethered are few, they are significant. For example, everyone has heard of the archetypal "black-hat packet sniffer," a giggling sociopath sitting on your physical Ethernet segment, surreptitiously logging packets for his own nefarious ends. This could be a disgruntled worker, a consultant with a bad attitude, or even (in one legendary case) a competitor with a laptop, time on his hands, and a lot of nerve. Although switched networks, a reasonable working environment, and conscientious reception staff can go a long way to minimize exposure to the physical wiretapper, the stakes are raised with wireless. Suddenly, one no longer needs physical presence to log data: why bother trying to smuggle equipment onsite when you can crack from your own home or office two blocks away with a high-gain antenna?
Visions of cigarette smoking, pale-skinned über-crackers in darkened rooms aside, there is a point that many admins tend to overlook when designing networks: the whole reason that the network exists is to connect people to each other! Services that are difficult for people to use will simply go unused. You may very well have the most cryptographically sound method on the planet for authenticating a user to the system. You may even have the latest in biometric identification, full winnow and chaff capability, and independently verified and digitally signed content assurance for every individual packet. But if the average user can't simply check their email, it's all for naught. If the road to hell is paved with good intentions, the customs checkpoint must certainly be run by the Overzealous Security Consultant.
The two primary concerns when dealing with wireless clients are these:
  • Who is allowed to access network services?
  • What services can authorized users access?
As it turns out, with a little planning, these problems can be addressed (or neatly sidestepped) in most real-world cases. In this section, we'll look at some tools that can help keep your data flowing to where it belongs, as quickly and efficiently as possible.
Summary
In order to maintain maximum compatibility with available 802.11b client hardware and yet still provide responsible access to the Internet, you can apply a combination of inexpensive hardware and freely available software to strike an acceptable balance between access and security.
In the following chapters, I'll show you how to set up basic wireless access to augment your existing wired network. I'll describe a workable method for providing wireless services to your local community, for minimal cost, while promoting community participation and individual responsibility.
Chapter 4: Using Access Points
As we discussed in Chapter 3, an access point (AP) is a piece of hardware that connects your wireless clients to a wired network (and usually on to the Internet from there). As with any piece of bridging hardware, it has at least two network connections and shuffles traffic between them. The wireless interface is typically an on-board radio or an embedded PCMCIA wireless card. The second network interface can be Ethernet, a dialup modem, or even another wireless adapter. Many access points now even include multiple Ethernet ports, which simplifies the creation of a trusted network segment.
The access point hardware controls access to and from both networks. On the wireless side, most vendors have implemented 802.11b access control methods (such as WEP encryption keys, "closed" networks, and MAC address filtering). Some have added proprietary extensions to provide additional security, such as more sophisticated encryption. Many access points also allow control over what the wired network can send to the wireless clients, through simple firewall rules. Much of this functionality is accessible through either a Java-based tool or a simple web page interface.
In addition to providing access control, the access point also maintains its own network connections. This includes functions such as dialing the phone and connecting to an ISP on demand, or using DHCP on the Ethernet interface to get a network lease. Most access points can provide NAT and DHCP service to the wireless clients, thereby supporting multiple wireless users while requiring only a single IP address from the wire. Some support direct bridging, allowing the wired and wireless networks to exchange data as if they were physically connected together. If the access point has multiple radios, it can bridge them together with the wire, allowing for a very flexible, extendable network.
Another important service provided by APs is the ability to "hand off" clients as they wander between access points. This lets users seamlessly walk around a college campus, for example, without ever dropping their network connection. Current AP technology allows roaming only between access points on the same physical subnet (that is, APs that aren't separated by a router). Unfortunately, the roaming protocol was left unimplemented in the 802.11 spec, so each manufacturer has implemented its own method. This means that hand-offs between access points of different manufacturers aren't currently possible.
Access Point Caveats
You should seriously consider how to balance ease of use with essential security when adding APs to your existing wired network. Even with WEP encryption and other access control methods in effect, AP security is far from perfect. Since an access point is by definition within range of all wireless users, every user associated with your access point can see the traffic of every other user. Unless otherwise protected (for example, with application layer encryption), all email, web traffic, and other data is easily readable by anyone running protocol analysis tools such as tcpdump or ethereal. As we saw in Chapter 3, relying on WEP alone to keep people out of your network may not be enough protection against a determined black hat.
In terms of establishing a community network, access points do provide one absolutely critical service: they are an easy, standard, and inexpensive tool for connecting wireless devices to a wired network. Once the wireless traffic hits the wire, it can be routed and manipulated just like any other network traffic, but it has to get there first.
Wireless access points that are on the consumer market today were designed to connect a small group of trusted people to a wired network and lock out everyone else. The access control methods implemented in the APs reflect this philosophy; if that is how you intend to use the gear, it should work very well for you. For example, suppose you want to share wireless network access with your neighbor, but not with the rest of the block. You could decide on a mutual private WEP key and private ESSID and keep them a secret between you. Since you presumably trust your neighbor, this arrangement could work for both of you. You could even make a list of all of the radios that you intend to use on the network and limit the access point to allow only them to associate. This would require more administrative overhead, as one of you would have to make changes to the AP each time you wanted to add another device, but it would further limit who could access your wireless network.
The Apple AirPort Base Station
The AirPort is a tremendously popular access point (so popular, in fact, that there are a number of variations available: AirPort Graphite, AirPort Snow, and AirPort Extreme). It looks like a slick, retro-futuristic prop from "War of the Worlds," and is very portable and rugged. While designed for use with the Mac platform, it works very well as a general-purpose access point (and you don't even need a Mac to configure it; see the next section). As I write this, the original Graphite AirPort sells retail for about $140. What does that get you?
  • Direct Ethernet bridging
  • DHCP / NAT
  • 56k dialup modem port
  • User-definable ESSID
  • Roaming support
  • MAC address filtering
  • 40-bit WEP encryption
The Snow AirPort introduced an additional Ethernet port and more firewall options, as well as 104-bit WEP and completely redesigned internals. The new AirPort Extreme (about $199) comes equipped with all sorts of goodies, including two Ethernet ports, and most importantly, a draft 802.11g "Extreme" card. For $50 more, they throw in a USB port (for sharing a printer) and an external antenna connector.
All of the APs in the AirPort family have only one radio (an embedded Orinoco Silver card in the Graphite, an AirPort card in the Snow, and an "Extreme" mini-PCI card in the Extreme model). If you are thinking of adding a do-it-yourself antenna to a Graphite or Snow model, you definitely aren't the first. Take a look at the following URLs for details on how to retrofit an antenna onto the Graphite or Snow:
  • http://www.vonwentzel.net/ABS/ExtendedGraphite/index.html
  • http://www.wwc.edu/~frohro/Airport/Airport.html
Access Point Management Software
If you have a Mac handy, you are in luck. The AirPort Admin utility that ships with the AirPort is excellent. As with their entire product line, Apple has gone out of their way to make the whole AirPort system easy to set up, even for beginners. If you don't own a Mac, you have a couple of options. It turns out that the innards of the Graphite AirPort are virtually identical to the Orinoco RG-1000 (previously, the Lucent Residential Gateway). That means that the RG configuration utility for Linux (called cliproxy) also works fine with the AirPort. Unfortunately, as the Lucent product family has been sold and resold several times in the past couple of years (the same product line has been called Lucent, Orinoco, Agere, Avaya, and Proxim, and probably a couple of others that I've missed), the cliproxy utility seems to have disappeared from the Proxim web site. Copies of it are still floating around on various message boards; it is a tremendously useful utility if you can find it. Jon Sevy has done extensive work with the AirPort, and has released an open source Java client that configures the AirPort (both Graphite and Snow) and the RG-1000. You can get a copy from http://edge.mcs.drexel.edu/GICL/people/sevy/airport/. He has also compiled a tremendous amount of information on the inner workings of the AirPort, and has many resources online at this site. Since his utility is open source, cross-platform, and works very well, we'll use it in the following examples. Figure 4-1 shows the main screen of the Java Configurator.
Figure 4-1: The AirPort Java Configurator
To use the Java Configurator application, you'll need a copy of the Java Runtime Environment. Download it from http://java.sun.com/, if you don't already have it. You can start the utility by running the following in Linux:
$ java -jar AirportBaseStationConfig.jar &
In Windows, start by double-clicking the AirportBaseStationConfig icon.
Local LAN Access
As stated earlier, the default AirPort configuration enables LAN access by default. If you're using DSL or a cable modem, or if you are installing the AirPort on an existing Ethernet network, this is what you want to use. In the Java Configurator, take a look at the Network Connection tab and check the Connect to network through Ethernet port radio button.
From here, you can configure the IP address of the AirPort, either via DHCP, by entering the IP information manually, or by using PPPoE. You'll probably want to use DHCP, unless your ISP requires a manual IP address or PPPoE.
Configuring Dialup
There is also a radio button on the Network Connection tab marked Connect to network through modem. Use this option if your only network connection is via dialup. Yes, it's very slow, but at least you're wireless. Note that the dialup and Ethernet choices are exclusive, and can't be used at the same time.
When you check Connect to network through modem, the pane prompts you for phone number, modem init string, and other dialup-related fields. Make sure that Automatic dialing is checked, so it will dial the phone when you start using the AirPort. Click on the Username/Password/Login Script button to enter your login information. On this screen, you can also define a custom login script, if you need to. The default script has worked fine for me with a couple of different ISPs.
Once the AirPort is configured for dialup, it will dial the phone and connect any time it senses Internet traffic on the wireless port. Just start using your wireless card as usual, and after an initial delay (while it's dialing the phone), you're online.
NAT and DHCP
By default, the AirPort acts as both a NAT server and a DHCP server for your wireless clients. DHCP service is controlled by the DHCP Functions tab. To turn DHCP on, check the Provide DHCP address delivery to wireless hosts box. You can specify the range of IPs to issue; by default, the AirPort hands out leases between 10.0.1.2 and 10.0.1.50. You can also set a lease time here. The lease time specifies the lifetime (in seconds) of an issued IP address. After this timer expires, the client reconnects to the DHCP server and requests another lease. The default of 0 (or unlimited) is probably fine for most installations, but you may want to set it shorter if you have a large number of clients trying to connect to your AirPort.
If you don't have another DHCP server on your network, the AirPort can provide service for your wired hosts as well. Check the Distribute addresses on Ethernet port, too box if you want this functionality.
Check this box only if you don't have another DHCP server on your network! More than one DHCP server on the same subnet is a bad thing, and will bring the wrath of the sysadmin down upon you. Watching two DHCP servers duke out who gets to serve leases may be fun in your spare time, but can take down an entire network, and leave you wondering where your job went. What were you doing connecting unauthorized gear to the company network, anyway?
If you have more than one AirPort on the same wired network, make sure that you enable DHCP to the wire on only one of them and, again, only if you don't already have a DHCP server.
NAT is very handy if you don't have many IP addresses to spare (and these days, few people do). It also gives your wireless clients some protection from the wired network, as it acts as an effective one-way firewall (see Chapter 3 for the full story of NAT and DHCP). In the Configurator, NAT is set up in the Bridging Functions tab. To enable NAT, click the Provide network address translation (NAT) radio button. You can either specify your own private address and netmask, or leave the default (
Bridging
A big disadvantage to running NAT on your wireless hosts is that they become less accessible to your wired hosts. While the wireless users can make connections to any machine on the wire, connecting back through a NAT is difficult (the AirPort provides some basic support for this by allowing for static port mappings, but this is far from convenient). For example, if you are running a Windows client on the wireless, the Network Neighborhood will show other wireless clients only and not any machines on the wire, since NAT effectively hides broadcast traffic (which the Windows SMB protocol relies on). If you already have a DHCP server on your wired network, and are running private addresses, the NAT and DHCP functions of the AirPort are redundant, and can simply get in the way.
Rather than duplicate effort and make life difficult, you can disable NAT and DHCP and enable bridging to the wire. Turn off DHCP under DHCP Functions (as we saw previously), and check the Act as transparent bridge (no NAT) box under the Bridging Functions tab. When the AirPort is operating in this mode, all traffic on the wire destined for your wireless clients gets broadcast over wireless, and vice versa. This includes broadcast traffic (such as DHCP requests and SMB announcement traffic). Apart from wireless authentication, this makes your AirPort seem completely invisible to the rest of your network.
Once bridging is enabled, you may find it difficult to get the unit back into NAT mode. If it seems unresponsive to the Java Configurator (or Mac AirPort Admin utility) while in bridging mode, there are a couple of ways to bring it back.
If you have a Mac, you can do a manual reset. Push the tiny button on the bottom of the AirPort with a paper clip for about two seconds. The green center light on top will change to amber. Connect the Ethernet port on your AirPort to your Mac and run the admin utility. The software should let you restore the AirPort to the default settings. You have five minutes to do this before the amber light turns green and reverts to bridged mode.
WEP, MAC Filtering, and Closed Networks
If you really want to lock down your network at the access point, you have the following tools at your disposal: WEP encryption, filtering on MAC address (the radio card's serial number), and running a closed network. The three services are completely separate, so you don't necessarily have to run MAC filtering and a closed network, for example. Combining all of these features may not make your network completely safe from a determined miscreant, but will discourage the vast majority of would-be network hijackers.
To set the WEP keys, click the Wireless LAN Settings tab, and enter the keys in the fields provided. Also check Use encryption and uncheck Allow unencrypted data to require WEP on your network. Give a copy of this key to each of your wireless clients.
With MAC filtering enabled, the AirPort keeps an inter