As we discussed in Chapter 3, an access point is a piece of hardware that connects your wireless clients to a wired network (and usually on to the Internet from there). As with any piece of bridging hardware, it has at least two network connections and shuffles traffic between them. The wireless interface is typically an onboard radio or an embedded PCMCIA wireless card. The second network interface can be Ethernet, a dialup modem, or even another wireless adapter.
The access point hardware controls access to and from both networks. On the wireless side, most vendors have implemented 802.11b access control methods (like WEP encryption keys, “closed” network ESSIDs, and MAC address filtering). Some have added proprietary extensions to provide additional security, like public key encryption. Many access points also allow control over what the wired network can send to the wireless clients, through simple firewall rules.
In addition to providing access control, the access point also maintains its own network connections. This includes functions like dialing the phone and connecting to an ISP on demand, or using DHCP on the Ethernet interface to get a network lease. Most access points can provide NAT and DHCP service to the wireless clients, thereby supporting multiple wireless users while only requiring a single IP address from the wire. Some support direct bridging, allowing the wired and wireless networks to exchange data as if they were physically connected together. If the access point has multiple radios, it can bridge them together with the wire, allowing for a very flexible, extendable network.
Another important service provided by APs is the ability to “hand off” clients as they wander between access points. This lets users walk around a college campus, for example, without ever dropping their network connection. Current AP technology only allows roaming between access points on the same physical subnet (that is, APs that aren’t separated by a router). Unfortunately, the roaming protocol was left unimplemented in the 802.11 spec, so each manufacturer has implemented their own method. This means that hand-offs between access points of different manufacturers aren’t currently possible.
In the last year, at least 20 different access point hardware solutions have hit the consumer market. Low cost models (intended for home or small office use) like the Linksys WAP11 and D-Link DWL-1000AP currently retail for around $200. Higher-end APs like the Orinoco AP-1000 and Cisco Aironet 350 cost over $1000. Typically, higher-priced equipment includes more features, greater range, and generally more stable operations. While every AP will claim 802.11b (or Wi-Fi) compliance, they are not all alike. Features that set different models apart include:
Direct bridging to the wired network
Multiple radios (to support more users or for use as a repeater)
External antenna connectors
Greater radio output power (most operate at 30mW, while some operate at 100mW or more)
In general, look for an AP in your price range that works for your intended application, with the greatest possible range. Single radio APs can support several users simultaneously, and, as we’ll see in Chapter 6, adding APs to your network is probably preferable to adding higher-gain antennas or amps to your existing AP.
One feature that is in high demand (among users trying to go for distance) is the ability to bridge over the air to another access point. Allegedly, the Intel 2011 can do AP-to-AP bridging (as can the Linksys WAP11 after a firmware upgrade). But reports from the field seem to indicate shaky performance at best, as of this writing. Normally, APs don’t talk to each other over the air; they’re designed to talk to client cards. So on a long distance point-to-point link, you’ll need to either use a client PC router to talk to an AP or use two routers in IBSS mode (with no AP). See the information in Section 7.1 in Chapter 7 if you’re interested in long-distance point-to-point links. By the time this book makes it to press, the manufacturers should have their firmware in better shape (we hope).
You should also seriously consider how to fit APs into your existing
wired network. Even with WEP encryption and other access control
methods in effect, AP security is far from perfect. Because an access
point is, by definition, within range of all wireless users, every
user associated with your access point can see the traffic of every
other user. Unless otherwise protected with application layer
encryption, all email, web traffic, and other data is easily readable
by anyone running protocol analysis tools such as
ethereal. As we saw in Chapter 3, relying on WEP alone to keep people out of
your network may not be enough protection against a determined black
In terms of establishing a community network, access points do provide one absolutely critical service: they are an easy, standard, and inexpensive tool for getting wireless devices connected to a wired network. Once the wireless traffic hits the wire, it can be routed and manipulated just like any other network traffic, but it has to get there first.
Wireless access points that are on the consumer market today were designed to connect a small group of trusted people to a wired network and lock out everyone else. The access control methods implemented in the APs reflect this philosophy, and if that is how you intend to use the gear, it should work very well for you. For example, suppose you want to share wireless network access with your neighbor but not with the rest of the block. You could decide on a mutual private WEP key and private ESSID and keep them a secret between you. Because you presumably trust your neighbor, this arrangement could work for both of you. You could even make a list of all of the radios that you intend to use on the network and limit the access point to only allow them to associate. This would require more administrative overhead, as one of you would have to make changes to the AP each time you wanted to add another device, but it would further limit who could access your wireless network.
While a shared secret WEP key and static table of hardware MAC addresses may be practical for a home or small office, these access control methods don’t make sense in a public access setting. If you intend to offer network services to your local area, this “all or nothing” access control method is unusable. As we’ll see in Chapter 7, it may be more practical to let everyone associate with your access point and use other methods for identifying users and granting further access. These services take place beyond the AP itself, namely, at a router that the AP is directly connected to (see the captive portal discussion in Chapter 7). Such an arrangement requires a bit more equipment and effort to get started, but it can support hundreds of people across any number of cooperative wireless nodes with very little administrative overhead.
 Unfortunately, as is usually the case with proprietary extensions, these services can be used only if all of your network clients are using hardware from the same vendor.