Friday, December 31, 2010

Wireless LAN Security

Centralized Encryption Key Servers

For enterprise wireless LANs using WEP as a basic security mechanism, centralized encryption key servers should be used if possible for the following reasons:
  • Centralized key generation
  • Centralized key distribution
  • Ongoing key rotation
  • Reduced key management overhead

Any number of different devices can act as a centralized key server. Usually a server of some kind, such as a RADIUS server or a specialized application server built for the purpose of handing out new WEP keys on a short time interval, is used. Normally, when using WEP, the keys (made up by the administrator) are manually entered into the stations and access points. When using a centralized key server, an automated process between stations, access points, and the key server performs the task of handing out WEP keys. Figure 10.3 illustrates how a typical encryption key server would be set up.


Centralized encryption key servers allow for key generation on a per-packet, per-session or other method, depending on the particular manufacturer’s implementation. Per-packet WEP key distribution calls for a new WEP key to be assigned to both ends of the connection for every packet sent, whereas per-session WEP key distribution uses a new WEP key for each new session between nodes.


WEP Usage

When WEP is in use, the data payload of each packet is encrypted, but the 802.11 frame header, including the source, destination and BSSID MAC addresses, and the IV that follows it are sent in the clear. All layer 3 information, including source and destination IP addresses, sits inside the encrypted payload. When an access point sends out its beacons on a wireless LAN using WEP, the beacons are not encrypted; remember that beacons carry no layer 3 information.

Packets sent using WEP must be encrypted by the sender and decrypted by the receiver. This work consumes CPU cycles and reduces the effective throughput on the wireless LAN, sometimes significantly. Some manufacturers have added a dedicated processor to their access points for the purpose of performing WEP encryption and decryption. Many manufacturers implement WEP encryption/decryption in software on the same CPU that handles access point management, packet forwarding, and so on; these access points are the ones where enabling WEP has the most noticeable effect. By implementing WEP in hardware, an access point is very likely to maintain its 5 Mbps (or more) throughput with WEP enabled. The disadvantage of this implementation is the added cost of a more advanced access point.

WEP can be implemented as a basic security mechanism, but network administrators should first be aware of WEP's weaknesses and how to compensate for them. The administrator should also be aware that each vendor's use of WEP can differ, which can hinder the use of multi-vendor hardware.


Advanced Encryption Standard

The Advanced Encryption Standard (AES) is gaining acceptance as an appropriate replacement for the RC4 algorithm used in WEP. AES is the Rijndael (pronounced roughly 'RINE-dahl') block cipher, standardized with the following key lengths:
  • 128-bit
  • 192-bit
  • 256-bit
No practical attack on AES itself is known, and the National Institute of Standards and Technology (NIST) has adopted it as Federal Information Processing Standard (FIPS) 197. As part of the effort to improve the 802.11 standard, the 802.11i working committee is considering the use of AES in what was at the time called WEPv2. (The ratified 802.11i amendment of 2004 specifies AES in CCMP mode, which is what WPA2 certifies; nothing shipped under the WEPv2 name.)

AES, if approved by the 802.11i working group to be used in WEPv2, will be implemented in firmware and software by vendors. Access point firmware and client station firmware (the PCMCIA radio cards) will have to be upgraded to support AES. Client station software (drivers and client utilities) will support configuring AES with secret key(s).


Filtering

Filtering is a basic security mechanism that can be used in addition to WEP and/or AES. Filtering literally means to keep out that which is not wanted and to allow that which is wanted. Filtering works the same way as access lists on a router: by defining parameters to which stations must adhere in order to gain access to the network. With wireless LANs, it is not so much what the stations do, but rather who they are and how they are configured. There are three basic types of filtering that can be performed on a wireless LAN:
  • SSID filtering
  • MAC address filtering
  • Protocol filtering
This section will explain what each of these types of filtering are, what each can do for the administrator, and how to configure each one.


SSID Filtering

SSID filtering is a rudimentary method of filtering and should only be used for the most basic access control. The SSID (service set identifier) is just another term for the network name. The SSID of a wireless LAN station must match the SSID on the access point (infrastructure mode) or of the other stations (ad hoc mode) in order for the client to authenticate and associate to the service set. Since the SSID is broadcast in the clear in every beacon that the access point (or set of stations) sends out, it is very simple to find out the SSID of a network using a sniffer. Many access points have the ability to take the SSID out of the beacon frame. When this is the case, the client must have the matching SSID configured in order to associate to the access point, and the system is said to be a "closed system." Even then, the SSID still travels in the clear in the association request (and in the client's probe requests), so a sniffer recovers it as soon as a legitimate station joins. SSID filtering is not considered a reliable method of keeping unauthorized users out of a wireless LAN.

Some manufacturer's access points have the ability to remove the SSID from beacons and/or probe responses. In this case, in order to join the service set, a station must have the SSID configured manually in the driver configuration settings. Some common mistakes that wireless LAN users make in administering SSIDs are listed below:

  • Using the default SSID - This setting is yet another way to give away information about your wireless LAN. It is simple enough to use a sniffer to see the MAC addresses originating from the access point and then look up the MAC address in the OUI table hosted by the IEEE. The OUI table lists the MAC address prefixes assigned to each manufacturer. Until Netstumbler came along, this process was manual, but now Netstumbler performs this task automatically. If you don't know how to use Netstumbler or are unfamiliar with network sniffers, then looking for default SSIDs also works well. Each wireless LAN manufacturer uses its own default SSID, and, since there is still a manageable number of wireless LAN manufacturers in the industry, obtaining each user manual from the support section of each manufacturer's website and looking for the default SSID and default IP subnet information is a simple task. Always change the default SSID.
  • Making the SSID something company-related – This type of setting is a security risk because it simplifies the process of a hacker finding the company's physical location. When looking for wireless LANs in any particular geographic region, finding the physical location of the wireless LAN is half the battle. Even after detecting the wireless LAN using tools such as Netstumbler, finding where the signal originates takes time and considerable effort in many cases. When an administrator uses an SSID that names the company or organization, it makes finding the wireless LAN very easy. Always use non-company-related SSIDs.
  • Using the SSID as a means of securing wireless networks – This practice is highly discouraged since a user need only change the SSID in the configuration settings of his workstation in order to join the network. SSIDs should be used as a means of segmenting the network, not securing it. Again, think of the SSID as the network name. Just as with Windows' Network Neighborhood, changing the workgroup your computer is a part of is as simple as changing a configuration setting on the client station.
  • Unnecessarily Broadcasting SSIDs - If your access points have the ability to remove SSIDs from beacons and probe responses, configure them that way. This configuration aids in deterring casual eavesdroppers from tinkering with or using your wireless LAN.

MAC Address Filtering

Wireless LANs can filter based on the MAC addresses of client stations. Almost all access points (even very inexpensive ones) have MAC filter functionality. The network administrator can compile, distribute, and maintain a list of allowable MAC addresses and program them into each access point. If a PC card or other client with a MAC address that is not in the access point’s MAC filter list tries to gain access to the wireless LAN, the MAC address filter functionality will not allow that client to associate with that access point. Figure 10.4 illustrates this point.

Of course, programming every wireless client's MAC address into every access point across a large enterprise network would be impractical. MAC filters can be implemented on some RADIUS servers instead of in each access point. This configuration makes MAC filters a much more scalable security solution. Simply entering each MAC address into RADIUS along with user identity information, which would have to be input anyway, is a good solution. RADIUS servers often point to another authentication source, so that other authentication source would need to support MAC filters.

MAC filters can work in reverse as well. For example, consider an employee who left a company and took their wireless LAN card with them. That card holds the WEP key; assume for this example that MAC filters were not in use. The administrator could then create a filter on all access points to disallow the MAC address of the client device that was taken by the employee. If MAC filters were already being used on this network when the wireless LAN card was stolen, removing that client's MAC address from the allow list would work as well.

Although MAC filters may seem to be a good method of securing a wireless LAN in some instances, they are still susceptible to the following intrusions:
  • Theft of a PC card that is in the MAC filter of an access point
  • Sniffing the wireless LAN and then spoofing with the MAC address after business hours

MAC filters are great for home and small office networks where there are a small number of client stations. At the time this guidance was written, WEP plus MAC filters was considered adequate in these instances, on the reasoning that no intelligent hacker would spend the hours it then took to break WEP on a low-use network and then expend the energy to circumvent a MAC filter just to reach a home laptop or desktop PC. That reasoning no longer holds: with current tools a WEP key is recovered from captured traffic in minutes, and a MAC filter is bypassed with a single address change, so the combination should not be relied on even at home; use WPA2 where the hardware supports it.


Circumventing MAC Filters

MAC addresses of wireless LAN clients appear in the clear in every frame, whether sent by a station or by an access point or bridge, even when WEP is implemented. Therefore, a hacker who can listen to traffic on your network can quickly find out most MAC addresses that are allowed on your wireless network. For a sniffer to see a station's MAC address, that station must transmit a frame across the wireless segment or be the addressee of one.

Some wireless PC cards permit the changing of their MAC address through software or even operating system configuration changes. Once a hacker has a list of allowed MAC addresses, the hacker can simply change the PC card’s MAC address to match one of the PC cards on your network, instantly gaining access to your entire wireless LAN.

Since two stations with the same MAC address cannot peacefully co-exist on a LAN, the hacker must find the MAC address of a mobile station that is removed from the premises at particular times of the day. It is during this time when the mobile station (notebook computer) is not present on the wireless LAN that the hacker can gain access into the network. MAC filters should be used when feasible, but not as the sole security mechanism on your wireless LAN.
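The following is an added example, not code from the study guide, showing an access-point style MAC filter with both an allow list and the "reverse" deny list described above, run over constructed association attempts. It shows the filter doing its job and then a spoofed address passing unchanged, because the filter sees nothing but the address field that every frame carries in the clear. The sequence-counter check at the end is an assumption added here (the 802.11 sequence-control counter is 12 bits and increments per frame), not a technique the guide describes; all addresses are constructed, using the locally administered 02:xx prefix.

```python
"""Added example, not from the study guide: an access-point style MAC filter
with an allow list and a deny list, run over constructed association attempts,
plus an assumed sequence-counter heuristic for spotting a shared address.
All addresses are constructed (locally administered 02:xx prefix)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def norm(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB' and 'aa:bb' compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class MacFilter:
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)

    def permit(self, mac: str) -> None:
        self.allow.add(norm(mac))

    def block(self, mac: str) -> None:
        """Reverse filter: deny one specific card; also drop it from the allow list."""
        m = norm(mac)
        self.deny.add(m)
        self.allow.discard(m)

    def decide(self, mac: str) -> bool:
        """True if a station with this address may associate. Deny wins;
        an empty allow list means 'open', as on most access points."""
        m = norm(mac)
        if m in self.deny:
            return False
        return not self.allow or m in self.allow


def associate(filt: MacFilter, attempts: List[Tuple[str, str]]) -> List[Tuple[str, bool]]:
    """Apply the filter to (mac, label) association requests."""
    return [(label, filt.decide(mac)) for mac, label in attempts]


def sequence_anomalies(frames: List[Tuple[str, int]]) -> Set[str]:
    """Assumed heuristic (not from the guide): the 802.11 sequence-control
    counter is 12 bits (0..4095) and increments per new frame, so one address
    whose counter runs backwards without wrapping is being used by two radios
    at once. A retransmission repeats the same number and is not flagged."""
    last: Dict[str, int] = {}
    flagged: Set[str] = set()
    for mac, seq in frames:
        m = norm(mac)
        if m in last:
            wrapped = last[m] > 4000 and seq < 100
            if seq < last[m] and not wrapped:
                flagged.add(m)
        last[m] = seq
    return flagged


def demo() -> Tuple[List[Tuple[str, bool]], Set[str]]:
    filt = MacFilter()
    filt.permit("02:00:00:AA:BB:01")               # employee laptop
    filt.permit("02:00:00:aa:bb:02")               # card that later walks out the door
    filt.block("02:00:00:aa:bb:02")                # ex-employee's card, now denied
    verdicts = associate(filt, [
        ("02-00-00-AA-BB-01", "laptop on allow list"),
        ("02:00:00:aa:bb:02", "stolen card, now denied"),
        ("02:00:00:cc:dd:ee", "unknown card"),
        ("02:00:00:aa:bb:01", "attacker spoofing 01 after hours"),
    ])
    # Constructed capture: the real laptop counts 10, 11, ... while a second
    # radio using the same address is at 2, 3, ... during the same period.
    frames = [("02:00:00:aa:bb:01", 10), ("02:00:00:aa:bb:01", 11),
              ("02:00:00:aa:bb:01", 2), ("02:00:00:aa:bb:01", 12),
              ("02:00:00:aa:bb:01", 12)]           # 12 repeated: a retry, not flagged
    return verdicts, sequence_anomalies(frames)


if __name__ == "__main__":
    for label, ok in demo()[0]:
        print(f"{'ALLOW' if ok else 'DENY '}  {label}")
    print("shared-address suspects:", demo()[1])
```

The last association attempt is the point of the section: the spoofed address is indistinguishable from the legitimate laptop, so the filter allows it. Only a side channel such as the sequence counter (or signal strength, or simply the legitimate station being present at the same time) gives the duplication away.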


Protocol Filtering

Wireless LANs can filter packets traversing the network based on layer 2-7 protocols. In many cases, manufacturers make protocol filters independently configurable for both the wired segment and wireless segment of the access point.

Imagine a scenario where a wireless workgroup bridge is placed on a remote building in a campus wireless LAN that connects back to the main information technology building's access point. Because all users in the remote building are sharing the 5 Mbps of throughput between these buildings, some amount of control over usage must be implemented. If this link was installed for the express purpose of Internet access for these users, then filtering out every protocol except SMTP, POP3, HTTP, HTTPS, FTP, and any instant messaging protocols would limit users from being able to access internal company file servers for example. The ability to set protocol filters such as these is very useful in controlling utilization of the shared medium. Figure 10.5 illustrates how protocol filtering works in a wireless LAN.

Tuesday, October 26, 2010

Wireless LAN Security

Wireless LANs are not inherently secure; however, wired LAN or WAN connections are not secure either if you take no precautions and configure no defenses. The key to making a wireless LAN secure, and keeping it secure, is educating those who implement and manage the wireless LAN. Educating the administrator on basic and advanced security procedures for wireless LANs is essential to preventing security breaches of your wireless LAN.

In this very important chapter, we will discuss the much-maligned 802.11 specified security solution known as Wired Equivalent Privacy, or WEP. As you may already know, WEP alone will not keep a hacker out of a wireless LAN for very long. This chapter will explain why, and offer some steps for how WEP can be used with some level of effectiveness.

We will explain the various methods that can be used to attack a wireless LAN so that as an administrator you will know what to expect and how to prevent it. Then we will discuss some of the emerging security solutions that are available, but not yet specified by any of the 802.11 standards. Finally, we will offer some recommendations for maintaining wireless LAN security and discuss corporate security policy as it pertains specifically to wireless LANs.


Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) is an encryption algorithm used by the Shared Key authentication process for authenticating users and for encrypting data payloads over only the wireless segment of the LAN. The IEEE 802.11 standard specifies the use of WEP.

WEP is a simple algorithm built on the RC4 stream cipher, whose keystream generator serves as the pseudo-random number generator (PRNG) that produces the bytes XORed with the data. For several years RC4 was considered a trade secret and its details were not available, but in September 1994 someone posted the source code to the cypherpunks mailing list. Although the source code is now public, RC4 is still a trademark of RSADSI. The RC4 stream cipher is fast to encrypt and decrypt, which saves CPU cycles, and it is simple enough for most software developers to code into software.

When WEP is referred to as being simple, it means that it is weak. The RC4 algorithm was inappropriately implemented in WEP, yielding a less-than-adequate security solution for 802.11 networks. Both 64-bit and 128-bit WEP (the two available types) share the same weak 24-bit Initialization Vector (IV) and the same flawed encryption process. Most implementations initialize the hardware with an IV of 0 and then increment the IV by 1 for each packet sent. On a busy network all 2^24 (about 16.7 million) possible IVs are exhausted in roughly half a day, after which the IV starts again at zero, so the same per-packet RC4 key (the IV concatenated with the static secret) is reused at least once a day. Because RC4 is a stream cipher, two packets encrypted under the same IV and key use the same keystream, and XORing the two ciphertexts cancels it and leaves the XOR of the two plaintexts. The IV is transmitted in the clear with each encrypted packet, and the weak key scheduling of RC4 additionally lets an attacker recover the secret key statistically from a large enough sample of IVs (the Fluhrer, Mantin and Shamir attack of 2001). The manner in which the IV is incremented and sent in the clear allows the following breaches in security:

  • Active attacks to inject new traffic- Unauthorized mobile stations can inject packets onto the network based on known plaintext
  • Active attacks to decrypt traffic - Based on tricking the access point
  • Dictionary-building attacks - After gathering enough traffic, the WEP key can be cracked using freeware tools. Once the WEP key is cracked, real-time decryption of packets can be accomplished by listening to broadcast packets using the WEP key
  • Passive attacks to decrypt traffic - Using statistical analysis, WEP traffic can be decrypted.
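The following is an added example, not code from the study guide, that implements WEP-style encryption (RC4 keyed with IV || secret, CRC-32 integrity check value) and walks through two of the breaches listed above: plaintext recovery when an IV repeats under a static key, and injection of a forged frame from a keystream recovered with known plaintext. RC4 and the CRC-32 ICV are the real WEP primitives; the frame layout is a simplified stand-in (IV || ciphertext, without the key-ID byte or 802.11 header), and the secret key, IV and payloads are constructed for the demonstration.

```python
"""Added example, not from the study guide: WEP-style RC4 encryption with a
24-bit IV prepended to a static secret key, demonstrating why a repeated IV
leaks plaintext and lets an attacker forge frames without the key.
Frame layout is simplified (IV || ciphertext); key, IV and payloads are constructed."""
import zlib
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: int, plaintext: bytes) -> bytes:
    """Return IV (3 bytes, sent in the clear) || RC4_{IV||secret}(plaintext || ICV)."""
    iv_bytes = iv.to_bytes(3, "little")
    keystream = rc4_keystream(iv_bytes + secret, len(plaintext) + 4)
    return iv_bytes + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Strip the IV, run RC4 and verify the ICV; None if the ICV does not match."""
    iv_bytes, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv_bytes + secret, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == received_icv else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """Passive attacker step: one frame whose plaintext is known (or guessed,
    as with ARP or DHCP traffic) yields the keystream for that IV, because
    keystream = ciphertext XOR (plaintext || ICV). No key is needed."""
    iv_bytes, body = frame[:3], frame[3:]
    return iv_bytes, xor(body, known_plaintext + icv(known_plaintext))


def forge_frame(iv_bytes: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Active injection step: reuse a recovered keystream with its IV to
    produce a frame that passes the ICV check for any plaintext no longer
    than the keystream minus the 4-byte ICV. The ICV is a CRC, not a MAC,
    so the attacker can compute it for the new plaintext."""
    return iv_bytes + xor(new_plaintext + icv(new_plaintext), keystream)


def demo() -> Tuple[bool, bool]:
    """Returns (plaintext leaked by IV reuse, forged frame accepted by receiver)."""
    secret = bytes.fromhex("0123456789")          # constructed 40-bit secret key
    iv = 0                                         # many cards start at IV 0 after reset
    p1 = b"GET /index.html HTTP/1.0\r\n\r\n"       # constructed, attacker knows this one
    p2 = b"Authorization: Basic c2VjcmV0\r\n"      # constructed, attacker wants this one
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)               # same IV, same key: same keystream
    n = min(len(p1), len(p2))
    # The keystream cancels: C1 XOR C2 == P1 XOR P2, so knowing P1 reveals P2.
    leaked = xor(xor(c1[3:3 + n], c2[3:3 + n]), p1[:n])
    iv_bytes, keystream = recover_keystream(c1, p1)
    forged = forge_frame(iv_bytes, keystream, b"DELETE /x HTTP/1.0\r\n")
    return leaked == p2[:n], wep_decrypt(secret, forged) == b"DELETE /x HTTP/1.0\r\n"


if __name__ == "__main__":
    print(demo())
```

Neither step touches the secret key. That is the practical meaning of "IV reuse": once an IV repeats under a static key, confidentiality and integrity of every frame carrying that IV are gone, and a 24-bit IV space guarantees the repeat.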

Why WEP Was Chosen

Since WEP is not secure, why was it chosen and implemented into the 802.11 standard? Once the 802.11 standard was approved and completed, the manufacturers of wireless LAN equipment rushed their products to market. The 802.11 standard specifies the following criteria for security:
  • Exportable
  • Reasonably Strong
  • Self-Synchronizing
  • Computationally Efficient
  • Optional
WEP meets all these requirements. When it was implemented, WEP was intended to support the security goals of confidentiality, access control, and data integrity. What actually happened is that too many early adopters of wireless LANs thought that they could simply implement WEP and have a completely secure wireless LAN. These early adopters found out quickly that WEP wasn't the complete solution to wireless LAN security. Fortunately for the industry, wireless LAN hardware had gained immense popularity well before this problem was widely known. This series of events led to many vendors and third party organizations scrambling to create wireless LAN security solutions.

The 802.11 standard leaves WEP implementation up to wireless LAN manufacturers, so each vendor's implementation of WEP keys may or may not be the same, adding another weakness to WEP. Even WECA's Wi-Fi interoperability tests include only 40-bit WEP keys. Some wireless LAN manufacturers have chosen to enhance (fix) WEP, while others have looked to newer standards such as 802.1X with EAP or to Virtual Private Networks (VPNs). There are many solutions on the market addressing the weaknesses found in WEP.



WEP Keys

The core functionality of WEP lies in what are known as keys, which are the basis for the encryption algorithm discussed in the previous section of this chapter. WEP keys are implemented on client and infrastructure devices on a wireless LAN. A WEP key is an alphanumeric character string used in two manners in a wireless LAN. First, a WEP key can be used to verify the identity of an authenticating station. Second, WEP keys can be used for data encryption.

When a WEP-enabled client attempts to authenticate and associate to an access point, the access point will determine whether or not the client has the correct WEP key. By “correct”, we mean that the client has to have a key that is part of the WEP key distribution system implemented on that particular wireless LAN. The WEP keys must match on both ends of the wireless LAN connection.

As a wireless LAN administrator, it may be your job to distribute the WEP keys manually, or to setup a more advanced method of WEP key distribution. WEP key distribution systems can be as simple as implementing static keys or as advanced as using centralized encryption key servers. Obviously, the more advanced the WEP system is, the harder it will be for a hacker to gain access to the network.

WEP keys are available in two types, 64-bit and 128-bit. Many times you will see them referenced as 40-bit and 104-bit instead. The two namings count different things. WEP concatenates (links end-to-end) a 24-bit Initialization Vector with a secret key to form the per-packet RC4 key, and the process is the same for both lengths. The secret key, the only part that is actually secret, is 40 or 104 bits; adding the 24-bit IV, which is sent in the clear, gives the advertised WEP key lengths of 64 and 128 bits.


The number of characters entered for the secret key depends on whether the configuration software requires ASCII or HEX and whether 64-bit or 128-bit WEP is being used. If your wireless card supports 128-bit WEP, then it automatically supports 64-bit WEP as well. If entering your WEP key in ASCII format, then 5 characters are used for 64-bit WEP and 13 characters are used for 128-bit WEP. If entering your WEP key in HEX format, then 10 characters are used for 64-bit WEP and 26 characters are used for 128-bit WEP.
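The following is an added example, not code from the study guide, that normalises a WEP key as typed into a client utility (ASCII or hex, with or without separators) into the raw secret key bytes, rejects anything that is not 5/13 ASCII characters or 10/26 hex digits, and reports the marketed length next to the length that is actually secret. The "s:" prefix for ASCII keys follows the Linux iwconfig convention; the sample keys are constructed.

```python
"""Added example, not from the study guide: parse a WEP key as typed into a
client utility (ASCII or hex) into the raw secret key and report its real
length. The 's:' prefix follows the Linux iwconfig convention for ASCII keys;
sample keys are constructed."""
import re

SECRET_BITS = {5: 40, 13: 104}       # ASCII key length -> secret key bits
IV_BITS = 24                         # prepended on air, sent in the clear


def _ascii_key(text: str) -> bytes:
    if len(text) in SECRET_BITS and text.isascii() and text.isprintable():
        return text.encode("ascii")
    raise ValueError("WEP key must be 5/13 ASCII characters or 10/26 hex digits")


def parse_wep_key(text: str) -> bytes:
    """Accept 10 or 26 hex digits (colons, dashes and spaces ignored) or
    5 or 13 printable ASCII characters; reject anything else rather than
    silently padding or truncating, which is how mismatched keys arise."""
    if text.startswith("s:"):                    # explicit ASCII marker (iwconfig style)
        return _ascii_key(text[2:])
    compact = re.sub(r"[:\-\s]", "", text)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})", compact):
        return bytes.fromhex(compact)
    return _ascii_key(text)


def is_valid_wep_key(text: str) -> bool:
    try:
        parse_wep_key(text)
        return True
    except ValueError:
        return False


def describe(secret: bytes) -> str:
    """Marketing length next to the length that is actually secret."""
    secret_bits = len(secret) * 8
    return f"{secret_bits + IV_BITS}-bit WEP ({secret_bits}-bit secret + {IV_BITS}-bit IV)"


def same_key(a: str, b: str) -> bool:
    """Station and access point must hold byte-identical secrets; this compares
    two differently formatted entries the way the radios would."""
    return parse_wep_key(a) == parse_wep_key(b)


if __name__ == "__main__":
    for entered in ("s:hello", "68:65:6c:6c:6f", "thirteenchars", "0123456789abcdef0123456789"):
        print(f"{entered!r:32} -> {describe(parse_wep_key(entered))}")
```

The `same_key` check is the one worth keeping around: an ASCII key of "hello" and a hex key of 68656C6C6F are the same 40-bit secret, and most "my card will not associate" tickets with static WEP come down to one side holding the other encoding, or a 12-character string that the utility quietly padded.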


Static WEP Keys

If you choose to implement static WEP keys, you would manually assign a static WEP key to an access point and its associated clients. These WEP keys would never change, making that segment of the network susceptible to hackers who may be aware of the intricacies of WEP keys. For this reason, static WEP keys may be an appropriate basic security method for simple, small wireless LANs, but are not recommended for enterprise wireless LAN solutions.

When static WEP keys are implemented, it is simple for network security to be compromised. Consider if an employee left a company and "lost" their wireless LAN card. Since the card carries the WEP key in its firmware, that card will always have access to the wireless LAN until the WEP keys on the wireless LAN are changed.


One reason for using multiple WEP keys, each shared by a different group of stations, is containment: if a WEP key were compromised, it would mean changing 25 stations and an access point or two instead of the entire network.

Another reason for multiple WEP keys is a mix of 64-bit and 128-bit cards on the network. Since an administrator would want to use as strong an encryption scheme as possible for nodes that support 128-bit WEP, being able to segment users into groups of 64-bit and 128-bit WEP ensures the use of the maximum encryption available for each without affecting the other group.

Wednesday, June 9, 2010

Troubleshooting Wireless LAN Installations


Range Considerations


When considering how to position wireless LAN hardware, the communication range of the units must be taken into account. Generally, three things will affect the range of an RF link: transmission power, antenna type and location, and environment. The maximum communication range of a wireless LAN link is reached when, at some distance, the link begins to become unstable, but is not lost.


Transmission Power

The output power of the transmitting radio will have an effect on the range of the link. A higher output power will cause the signal to be transmitted a greater distance, resulting in a greater range. Conversely, lowering the output power will reduce the range.


Antenna Type

The type of antenna used affects the range either by focusing the RF energy into a tighter beam transmitting it farther (as a parabolic dish antenna does); or by transmitting it in all directions (as an omni-directional antenna does), reducing the range of communication.


Environment

A noisy or unstable environment can cause the range of a wireless LAN link to decrease. The packet error rate of an RF link is greater at the fringes of coverage because of the low signal-to-noise ratio there. Adding interference effectively raises the noise floor, lessening the likelihood of maintaining a solid link.


The range of an RF link can also be influenced by the frequency of the transmission. Though not normally a concern within a wireless LAN implementation, frequency might be a consideration when planning a bridge link. For example, a 2.4 GHz system will be able to reach further at the same output power than a 5 GHz system. The same holds true for an older 900 MHz system: it will go further than a 2.4 GHz system at the same output power. All of these bands are used in wireless LANs, but 2.4 GHz systems are by far the most prevalent.
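The following is an added example, not code from the study guide, that makes the frequency-versus-range statement above quantitative with a free-space link budget. It goes beyond the text by using the standard free-space path loss formula (FSPL in dB = 20 log10(d in km) + 20 log10(f in MHz) + 32.44); the radio parameters (transmit power, antenna gains, cable loss, fade margin, receiver sensitivity) are constructed, and a real link loses more than free space predicts, so the distances are upper bounds.

```python
"""Added example, not from the study guide: a free-space link budget showing
why the same radio reaches farther at 900 MHz than at 2.4 GHz, and farther
at 2.4 GHz than at 5 GHz. Radio parameters are constructed; free-space loss
is a lower bound on real path loss."""
import math
from typing import Dict, Tuple


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss: 20 log10(d_km) + 20 log10(f_MHz) + 32.44 dB."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def link_budget_db(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                   rx_sensitivity_dbm: float, cable_loss_db: float = 0.0,
                   fade_margin_db: float = 0.0) -> float:
    """Loss the path may consume: radiated power plus antenna gains, minus
    cable loss and the margin kept for rain and multipath, down to the
    receiver's sensitivity."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - cable_loss_db - fade_margin_db - rx_sensitivity_dbm)


def max_range_km(budget_db: float, freq_mhz: float) -> float:
    """Invert FSPL: the largest distance at which path loss still fits the budget.
    Since FSPL rises by 20 log10(f), range scales as 1/f for a fixed budget."""
    return 10 ** ((budget_db - 20 * math.log10(freq_mhz) - 32.44) / 20)


BANDS: Tuple[Tuple[str, float], ...] = (
    ("900 MHz (915 MHz)", 915.0),
    ("2.4 GHz (ch 6, 2437 MHz)", 2437.0),
    ("5 GHz (ch 48, 5240 MHz)", 5240.0),
)


def compare_bands(budget_db: float) -> Dict[str, float]:
    """Same radio budget in each band: the lower band always reaches farther."""
    return {name: round(max_range_km(budget_db, f), 2) for name, f in BANDS}


def demo() -> Dict[str, float]:
    # Constructed bridge link: 100 mW (20 dBm), 6 dBi antennas at both ends,
    # 2 dB cable loss, 10 dB fade margin, -80 dBm receiver sensitivity.
    budget = link_budget_db(20, 6, 6, -80, cable_loss_db=2, fade_margin_db=10)  # 100 dB
    return compare_bands(budget)


if __name__ == "__main__":
    for band, km in demo().items():
        print(f"{band:28} {km:6.2f} km")
```

With a fixed budget the reachable distance is inversely proportional to frequency, so the 2.4 GHz link reaches about 2.15 times as far as the 5 GHz one (5240/2437) and the 900 MHz link about 2.7 times as far as 2.4 GHz. Antenna gain also tends to be easier to obtain at the higher band for the same physical size, which is why 5 GHz bridge links are built with directional antennas.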

Thursday, May 6, 2010

Types of Interference

Adjacent Channel and Co-Channel Interference

Having a solid understanding of channel use with wireless LANs is imperative for any good wireless LAN administrator. As a wireless LAN consultant, you will undoubtedly find many wireless networks that have many access points, all of them configured for the same channel. In these situations, a discussion with the network administrator who installed the access points will reveal that he or she thought it was necessary for all access points and clients to be on the same channel throughout the network in order for the wireless LAN to work properly. This configuration is very common, and usually incorrect. This section builds on your knowledge of how channels are used, explaining how multiple access points on poorly chosen channels can have a detrimental impact on a network.


Adjacent Channel Interference

Adjacent channels are those channels within the RF band being used that are, in essence, side-by-side. For example, channel 1 is adjacent to channel 2, which is adjacent to channel 3, and so on. These adjacent channels overlap each other because each channel is 22 MHz wide and their center frequencies are only 5 MHz apart. Adjacent channel interference happens when two or more access points using overlapping channels are located near enough to each other that their coverage cells physically overlap. Adjacent channel interference can severely degrade throughput in a wireless LAN.

It is especially important to pay attention to adjacent channel interference when co-locating access points in an attempt to achieve higher throughput in a given area. Co-located access points can experience adjacent channel interference if the channels they use are not separated widely enough to avoid overlap (in the 2.4 GHz band, at least five channel numbers apart, as with 1, 6 and 11), as illustrated in Figure 9.16.


In order to find the problem of adjacent channel interference, a spectrum analyzer will be needed. The spectrum analyzer will show you a picture of how the channels being used overlap each other. Using the spectrum analyzer in the same physical area as the access points will show the channels overlapping each other.

There are only two solutions for a problem with adjacent channel interference. The first is to move access points on adjacent channels far enough away from each other that their cells do not overlap, or to turn the power down on each access point enough that the cells do not overlap. The second solution is to use only channels that have no overlap whatsoever; for example, using channels 1 and 11 (or 1, 6 and 11) in a DSSS system accomplishes this.


Co-channel Interference

Co-channel interference can have the same effects as adjacent channel interference, but is an altogether different set of circumstances. Co-channel interference as seen by a spectrum analyzer is illustrated in Figure 9.17 while how a network configuration would produce this problem is shown in Figure 9.18.



To illustrate co-channel interference, assume a 3-story building, with a wireless LAN on each floor, with the wireless LANs each using channel 1. The access points’ signal ranges, or cells, would likely overlap in this situation. Because each access point is on the same channel, they will interfere with one another. This type of interference is known as co-channel interference.

In order to troubleshoot co-channel interference, a wireless network sniffer will be needed. The sniffer will be able to show packets coming from each of the wireless LANs using any particular channel. Additionally, it will show the signal strength of each wireless LAN's packets, giving you an idea of just how much one wireless LAN is interfering with the others.

The two solutions for co-channel interference are, first, the use of a different, non-overlapping channel for each of the wireless LANs, and second, moving the wireless LANs far enough apart that the access points' cells do not overlap. These are the same remedies as for adjacent channel interference.

In situations where seamless roaming is required, a technique called channel reuse is used to alleviate adjacent and co-channel interference while allowing users to roam through adjacent cells. Channel reuse is the side-by-side placement of cells on non-overlapping channels to form a mesh of coverage in which no cell on a given channel touches another cell on that channel. Figure 9.19 illustrates channel reuse.
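The following is an added example, not code from the study guide, that does the channel arithmetic behind both the adjacent-channel section above and the channel-reuse planning here: 2.4 GHz DSSS channels are 22 MHz wide with centres 5 MHz apart (channel 14 at 2484 MHz), two channels overlap when their centres are less than 22 MHz apart, and a site layout can be checked for co-channel and adjacent-channel conflicts between cells that physically overlap. The three-floor building, its cell overlaps and the channel plans are constructed; which cells actually overlap is something only a site survey tells you.

```python
"""Added example, not from the study guide: 2.4 GHz channel arithmetic
(22 MHz channels, centres 5 MHz apart, channel 14 at 2484 MHz) and a
co-channel / adjacent-channel conflict check over a constructed site layout."""
from typing import Dict, Iterable, List, Set, Tuple

CHANNEL_WIDTH_MHZ = 22


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1..14)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"no 2.4 GHz channel {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap when their centres are less than 22 MHz apart."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(available: Iterable[int] = range(1, 12)) -> List[int]:
    """Greedy lowest-first pick of mutually non-overlapping channels;
    for channels 1..11 this is [1, 6, 11]."""
    chosen: List[int] = []
    for ch in available:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicts(cells: Dict[str, int],
              neighbours: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """cells maps access point name -> channel; neighbours lists pairs whose
    coverage cells physically overlap (from a site survey). Returns
    (a, b, kind) for each pair that interferes, kind being 'co-channel'
    or 'adjacent-channel'. Pairs that do not overlap in space never conflict,
    which is exactly what channel reuse relies on."""
    found: List[Tuple[str, str, str]] = []
    for a, b in sorted(neighbours):
        ca, cb = cells[a], cells[b]
        if ca == cb:
            found.append((a, b, "co-channel"))
        elif channels_overlap(ca, cb):
            found.append((a, b, "adjacent-channel"))
    return found


def demo() -> Tuple[List[Tuple[str, str, str]], ...]:
    """The three-floor building above: everything on channel 1, a naive fix
    that only changes channel numbers, and a proper reuse plan."""
    overlap = {("floor1", "floor2"), ("floor2", "floor3")}   # floors 1 and 3 do not overlap
    all_on_one = {"floor1": 1, "floor2": 1, "floor3": 1}
    naive_fix = {"floor1": 1, "floor2": 3, "floor3": 5}       # different, but still overlapping
    reuse_plan = {"floor1": 1, "floor2": 6, "floor3": 11}
    return (conflicts(all_on_one, overlap),
            conflicts(naive_fix, overlap),
            conflicts(reuse_plan, overlap))


if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    for label, result in zip(("all on channel 1", "channels 1/3/5", "channels 1/6/11"), demo()):
        print(f"{label:18} {result or 'no conflicts'}")
```

The naive fix is the instructive case: moving each floor to a different channel silences the co-channel complaint but leaves adjacent-channel interference, because channels 1, 3 and 5 still overlap in frequency. Only the 1/6/11 plan, with 25 MHz between centres, clears both.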

Monday, March 15, 2010

Types of Interference

Due to the unpredictable behavior of RF, you must take into account many kinds of RF interference during implementation and management of a wireless LAN. Narrowband, all-band, RF signal degradation, and adjacent and co-channel interference are the most common sources of RF interference that occur during implementation of a wireless LAN. In this section, we will discuss these types of interference, how they affect the wireless LAN, how to locate them, and in some cases how to work around them.


Narrowband

Narrowband RF is basically the opposite of spread spectrum technology. Narrowband signals, depending on output power, frequency width in the spectrum, and consistency, can intermittently interrupt or even disrupt the RF signals emitted from a spread spectrum device such as an access point. However, as its name suggests, a narrowband signal does not disrupt RF signals across the entire RF band. Thus, if the narrowband signal is primarily disrupting the RF signals in channel 3, then you could, for example, use channel 11, where you may not experience any interference at all. It is also likely that only a small portion of any given channel will be disrupted by narrowband interference. Typically, only a narrow slice (on the order of 1 MHz) of a 22 MHz 802.11b channel would be disrupted. Given this type of interference, spread spectrum technologies will usually work around the problem without any additional administration or configuration.


To identify narrowband interference, you will need a spectrum analyzer, shown above in Figure 9.12. Spectrum analyzers are used to locate and measure narrowband RF signals, among other things. There are even handheld, digital spectrum analyzers available that cost approximately $3,000. That may seem like quite a bit of money to locate a narrowband interference source, but if that source is disabling your network, it might be well worth it.

As an alternative, some wireless LAN vendors have implemented a software spectrum analyzer into their client driver software. This software uses a FHSS PCMCIA card to scan the useable portion of the 2.4 GHz ISM band for RF signals. The software graphically displays all RF signals between 2.400 GHz and 2.4835 GHz, which gives the administrator a way of "seeing" the RF that is present in a given area. An example of the visual aid provided by such a spectrum analyzer is shown in Figure 9.13.


In order to remedy a narrowband RF interference problem, you must first find where the interference originates by using the spectrum analyzer. As you walk closer to the source of the RF signal, the RF signal on the display of your spectrum analyzer grows in amplitude (size). When the RF signal peaks on the screen, you have located its source. At this point, you can remove the source, shield it, or use your knowledge as a wireless network administrator to configure your wireless LAN to deal efficiently with the narrowband interference. There are several options within this last category, such as changing channels, changing radio technology or band (DSSS to FHSS, or 802.11b in the 2.4 GHz band to 802.11a in the 5 GHz band), and others that we will discuss in later sections.


All-band Interference

All-band interference is any signal that interferes with the RF band from one end of the radio spectrum to the other. All-band interference doesn't refer to interference only across the 2.4 GHz ISM band, but rather is the term used in any case where interference covers the entire range you're trying to use, regardless of frequency. Technologies like Bluetooth (which hops across the entire 2.4 GHz ISM band many times per second) can, and usually do, significantly interfere with 802.11 RF signals. Bluetooth is considered all-band interference for an 802.11 wireless network. In Figure 9.14 a sample screen shot of a spectrum analyzer recording all-band interference is shown.


A possible source of all-band interference that can be found in homes and offices is a microwave oven. Older, high-power microwave ovens can leak as much as one watt of power into the RF spectrum. One watt is not much leakage for a 1000-watt microwave oven, but considering the fact that one watt is many times as much power as is emitted from a typical access point, you can see what a significant impact it might have. It is not a given that a microwave oven will emit power across the entire 2.4 GHz band, but it is possible, depending on the type and condition of the microwave oven. A spectrum analyzer can detect this kind of problem.

When all-band interference is present, the best solution is to change to a different technology, such as moving from 802.11b (which uses the 2.4 GHz ISM band) to 802.11a (which uses the 5 GHz UNII bands). If changing technologies is not feasible due to cost or implementation problems, the next best solution is to find the source of the all-band interference and remove it from service, if possible. Finding the source of all-band interference is more difficult than finding the source of narrowband interference because you're not watching a single signal on the spectrum analyzer. Instead, you are looking at a range of signals, all with varying amplitudes. You will most likely need a highly directional antenna in order to locate the all-band interference source.

Weather

Severely adverse weather conditions can affect the performance of a wireless LAN. In general, common weather occurrences like rain, hail, snow, or fog do not have an adverse effect on wireless LANs. However, extreme occurrences of wind, fog, and perhaps smog can cause degradation or even downtime of your wireless LAN. A radome can be used to protect an antenna from the elements. If used, radomes must have a drain hole so that condensation can drain away. Yagi antennas without radomes are vulnerable to rain, as the raindrops accumulate on the elements and detune the antenna. The droplets actually make each element look longer than it really is. Ice accumulation on exposed elements causes the same detuning effect as rain; however, it stays around longer. Radomes may also protect an antenna from falling objects such as ice falling from an overhead tree.

2.4 GHz signals may be attenuated by up to 0.05 dB/km (0.08 dB/mile) by torrential rain (4 inches/hr). Thick fog produces up to 0.02 dB/km (0.03 dB/mile) attenuation. At 5.8 GHz, torrential rain may produce up to 0.5 dB/km (0.8 dB/mile) attenuation, and thick fog up to 0.07 dB/km (0.11 dB/mile). Even though rain itself does not cause major propagation problems, rain will collect on the leaves of trees and will produce attenuation until it evaporates.


Wind

Wind does not affect radio waves or an RF signal, but it can affect the positioning of outdoor antennas. For example, consider a wireless point-to-point link that connects two buildings that are 12 miles apart. Taking into account the curvature of the Earth (Earth bulge), and having only a five-degree vertical and horizontal beam width on each antenna, the positioning of each antenna would have to be exact. A strong wind could easily move one or both antennas enough to completely degrade the signal between the two antennas. This effect is called "antenna wind loading", and is illustrated in Figure 9.15.
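The following is an added example (not from the original page) that puts the attenuation figures quoted above and the 12-mile, five-degree-beam link together in one check: extra loss in rain and fog per band, Earth bulge at mid-path, and the gain lost when wind pushes an antenna off boresight. The Earth-bulge formula and the Gaussian main-lobe approximation for pointing loss are standard RF engineering approximations assumed here, and the 10 dB fade margin is a constructed value.

```python
"""Weather and wind on the 12-mile point-to-point link described above:
extra attenuation in rain and fog, Earth bulge at mid-path, and the gain
lost when wind pushes a narrow-beam antenna off boresight.

Added example, not from the original page. Attenuation coefficients are
the ones quoted in the text. The Earth-bulge formula (d1*d2 / (12.742*k)
metres for distances in km) and the Gaussian main-lobe approximation for
pointing loss (12*(offset/beamwidth)^2 dB) are standard RF engineering
approximations assumed here; the 10 dB fade margin is a constructed value."""

from typing import Dict

KM_PER_MILE = 1.609344

# dB of extra path loss per km quoted in the text, by band and condition
WEATHER_LOSS_DB_PER_KM: Dict[str, Dict[str, float]] = {
    "2.4 GHz": {"torrential rain": 0.05, "thick fog": 0.02},
    "5.8 GHz": {"torrential rain": 0.5, "thick fog": 0.07},
}


def weather_loss_db(band: str, condition: str, path_km: float) -> float:
    """Total extra attenuation over the whole path for one band and condition."""
    return WEATHER_LOSS_DB_PER_KM[band][condition] * path_km


def earth_bulge_m(d1_km: float, d2_km: float, k: float = 4 / 3) -> float:
    """Height of the Earth's curvature above the straight line between the
    antennas, at a point d1_km from one end and d2_km from the other.
    k is the effective-earth-radius factor: 4/3 for a standard atmosphere,
    1.0 for the bare geometry."""
    return d1_km * d2_km / (12.742 * k)


def pointing_loss_db(offset_deg: float, beamwidth_deg: float) -> float:
    """Gain lost when an antenna is turned offset_deg away from the far end.
    Gaussian main-lobe approximation: 3 dB at half the 3 dB beamwidth,
    12 dB at the full beamwidth."""
    return 12.0 * (offset_deg / beamwidth_deg) ** 2


def link_weather_report(path_miles: float, beamwidth_deg: float,
                        wind_offset_deg: float, fade_margin_db: float) -> dict:
    """Worst-case weather loss per band plus wind-induced pointing loss,
    checked against the fade margin the link was designed with."""
    path_km = path_miles * KM_PER_MILE
    pointing = pointing_loss_db(wind_offset_deg, beamwidth_deg)
    report = {
        "path_km": round(path_km, 2),
        "earth_bulge_midpoint_m": round(earth_bulge_m(path_km / 2, path_km / 2), 2),
        "pointing_loss_db": round(pointing, 2),
        "bands": {},
    }
    for band, conditions in WEATHER_LOSS_DB_PER_KM.items():
        worst = max(weather_loss_db(band, c, path_km) for c in conditions)
        report["bands"][band] = {
            "worst_weather_loss_db": round(worst, 2),
            "total_extra_loss_db": round(worst + pointing, 2),
            "within_fade_margin": worst + pointing <= fade_margin_db,
        }
    return report


if __name__ == "__main__":
    import json
    # the text's link: 12 miles, 5-degree beams, wind pushing one antenna 2.5 degrees off
    print(json.dumps(link_weather_report(12, 5, 2.5, 10), indent=2))
```

At 2.4 GHz the torrential-rain loss over this path is under 1 dB, while at 5.8 GHz it is close to 10 dB, so the same wind-induced 3 dB pointing loss is survivable on one band and eats the whole margin on the other.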


Other similarly extreme weather occurrences like tornadoes or hurricanes must also be considered. If you are implementing a wireless LAN in a geographic location where hurricanes or tornadoes occur frequently, you should certainly take that into account when setting up any type of outdoor wireless LAN. In such weather conditions, securing antennas, cables, and the like is very important.


Stratification

When very thick fog or even smog settles (such as in a valley), the air within this fog becomes very still and begins to separate into layers. It is not the fog itself that causes the diffraction of RF signals, but the stratification of the air within the fog. When the RF signal goes through these layers, it is bent in the same fashion as visible light is bent as it moves from air into water.

Lightning

Lightning can affect wireless LANs in two ways. First, lightning can strike either a wireless LAN component, such as an antenna, or a nearby object. Lightning strikes on nearby objects can damage your wireless LAN components if those components are not protected by a lightning arrestor. A second way that lightning affects wireless LANs is by charging the air through which the RF waves must travel after striking an object lying between the transmitter and receiver. The effect of lightning is similar to the way that the Aurora Borealis (Northern Lights) causes problems for RF television and radio transmissions.

Wednesday, February 24, 2010

Troubleshooting Wireless LAN Installations

Solutions for Co-location Throughput Problems

As a wireless LAN installer or administrator, you really have two choices when considering access point co-location. You can accept the degraded throughput, or you can attempt a workaround. Accepting the fact that your users will not have 5 Mbps of actual throughput to the network backbone on each access point may be an acceptable scenario. First, however, you must make sure that the users connecting to the network in this situation can still be productive and that they do not actually require the full 5 Mbps of throughput. The last thing you want to be responsible for as a wireless LAN administrator is a network that does not allow the users to do their jobs or achieve the connections that they require. An administrator's second option in this case is to attempt a workaround. Below, we describe some of the workarounds for co-location problems.


Use Two Access Points

One option, which is the easiest, is to use channels 1 and 11 with only two access points, as illustrated in Figure 9.11. Using only these two channels ensures that you have no overlap between channels regardless of the proximity between systems, and therefore no detrimental effect on the throughput of each access point. By way of comparison, two access points operating at the maximum capacity of 5.5 Mbps (about the best that you can expect from any access point) give you a total of 11 Mbps of aggregate throughput, whereas three access points operating at approximately 4 Mbps each (degraded from the maximum due to actual channel overlap) yield on average only 12 Mbps of aggregate throughput. For an additional 1 Mbps of throughput, an administrator would have to spend the extra money to buy another access point, the time and labor to install it, and the continued burden of managing it.


In certain instances, the extra 1 Mbps of bandwidth might still be advantageous, but in a small environment, it might not be practical. Don't forget that this scenario applies only to access points located in the same physical space serving the same client base, but using different, non-overlapping channels. This configuration does not apply to channel reuse, where cells on different non-overlapping channels are alternately spread throughout an area to avoid co-channel interference.


Use 802.11a Equipment

As a second option, you could use 802.11a-compliant equipment operating in the 5 GHz UNII bands. There are three usable UNII bands, each wider than the 2.4 GHz ISM band, and each allows for four non-overlapping channels. By using a mixture of 802.11b and 802.11a equipment, more systems can be co-located in the same space without fear of interference between systems. With two (or three) co-located 802.11b systems and up to 8 co-located 802.11a systems, there is the potential for an incredible amount of throughput in the same physical space. The reason that we specify 8 instead of 12 co-located access points with 802.11a is that only the lower and middle bands (with 4 non-overlapping channels each) are specified for indoor use. Therefore, indoors, where most access points are placed, there is normally only the potential for up to 8 access points using 802.11a-compliant devices.

Issues with 802.11a Equipment

802.11a equipment is now available from only a few vendors, and is more expensive than equipment that uses the 2.4 GHz frequency band. However, the 5 GHz band has the advantage of many more non-overlapping channels than the 2.4 GHz band (8 vs. 3), allowing you to implement many more co-located access points. You must keep in mind that while the 2.4 GHz band allows for less expensive gear, the 2.4 GHz band is much more crowded, which means you are more likely to encounter interference from other nearby wireless LANs. Remember that 802.11a devices and 802.11b devices are incompatible. These devices do not see, hear, or communicate with one another because they utilize different frequency bands and different modulation techniques.

Tuesday, February 9, 2010

Troubleshooting Wireless LAN Installations


System Throughput


Throughput on a wireless LAN is based on many factors. For instance, the amount and type of interference may impact the amount of data that can be successfully transmitted. If additional security solutions are implemented, such as Wired Equivalent Privacy (WEP—discussed in depth in Chapter 10, Wireless LAN Security), then the additional overhead of encrypting and decrypting data will also cause a decrease in throughput. Using VPN tunnels will add additional overhead to a wireless LAN system in the same manner as will turning on WEP.

Greater distances between the transmitter and receiver will cause the throughput to decrease because an increase in the number of errors (bit error rate) will create a need for retransmissions. Modern spread spectrum systems are configured to make discrete jumps to specified data rates (1, 2, 5.5, and 11 Mbps). If 11 Mbps cannot be maintained, for example, then the device will drop to 5.5 Mbps. Since the throughput is about 50% of the data rate on a wireless LAN system, changing the data rate will have a significant impact on the throughput.

Hardware limitations will also dictate the data rate. If an IEEE 802.11 device is communicating with an IEEE 802.11b device, the data rate can be no more than 2 Mbps, despite the 802.11b device’s ability to communicate at 11 Mbps. Correspondingly, the actual throughput will be less still—about 50%, or 1 Mbps. With wireless LAN hardware, another consideration must be taken into account: the amount of CPU power given to the access point. Having a slow CPU that cannot handle the full 11 Mbps data rate with 128-bit WEP enabled will affect throughput.


The type of spread spectrum technology used, FHSS or DSSS, will make a difference in throughput for two specific reasons. First, the data rates for FHSS and DSSS systems are quite different. FHSS systems typically comply with either the OpenAir standard, which allows them to transmit at 800 kbps or 1.6 Mbps, or the IEEE 802.11 standard, which allows them to transmit at 1 Mbps or 2 Mbps. Currently, DSSS systems comply with either the IEEE 802.11 standard or the 802.11b standard, supporting data rates of 1, 2, 5.5, and 11 Mbps. The second reason that the type of spread spectrum technology will affect throughput is that FHSS incurs the additional overhead of hop time.

Other factors limiting the throughput of a wireless LAN include proprietary data-link layer protocols, the use of fragmentation (which requires the re-assembly of packets), and packet size. Larger packets will result in greater throughput (assuming a good RF link) because the ratio of data to overhead is better.

RTS/CTS, a protocol used on some wireless LAN implementations and which is similar to the way that some serial links communicate, will create significant overhead because of the amount of handshaking that takes place during the transfer.

The number of users attempting to access the medium simultaneously will have an impact. An increase in simultaneous users will decrease the throughput each station receives from the access point.

Using PCF mode on an access point, thereby invoking polling on the wireless network, will decrease throughput. Polling causes lower throughput by introducing the extra overhead of a polling mechanism and mandatory responses from wireless stations even when no data needs to be sent by those stations.


Co-location Throughput (Theory vs. Reality)

Co-location is a common wireless LAN implementation technique that is used to provide more bandwidth and throughput to wireless users in a given area. RF theory, combined with FCC regulations, allows wireless LAN users in the United States three non-overlapping RF channels (1, 6, and 11). These three channels can be used to co-locate multiple (3) access points within the same physical area using 802.11b equipment, as can be seen in Figure 9.9.


When co-locating multiple access points, it is highly recommended that you:

1. Use the same Spread Spectrum technology (either Direct Sequence or Frequency Hopping, but not both) for all access points

2. Use the same vendor for all access points

The portion of the 2.4 GHz ISM band that is usable for wireless LANs consists of 83.5 MHz. DSSS channels are 22 MHz wide, and there are 11 channels specified for use in the United States. These channels are specifically designated ranges of frequencies within the ISM band. According to the center frequency and width given to each of these channels by the FCC, only three non-overlapping channels can exist in this band. Co-location of access points using non-overlapping channels in the same physical space has advantages in implementing wireless LANs, so we will first explain what should happen when you co-locate these access points properly, and then we will explain what actually happens.

Theory: What Should Happen

For purposes of simplicity in this explanation, we will assume that all access points being used in this scenario are 802.11b-compliant, 11 Mbps access points. When using only one access point in a simple wireless LAN, you should experience actual throughput of somewhere between 4.5 Mbps and 5.5 Mbps. You will never see the full 11 Mbps of rated bandwidth due to the half-duplex nature of the RF radios and overhead requirements for wireless LAN protocols such as CSMA/CA.

The RF theory of three non-overlapping channels should allow you to set up one access point on channel 1, one on channel 6, and one on channel 11 without any overlap in these access points' RF band usage. Therefore, you should see normal throughput of approximately 5 Mbps on all co-located access points, with no adjacent-channel interference. Adjacent-channel interference would cause degradation of throughput on one or both of the other access points.

Reality: What Does Happen

What actually happens is that channel 1 and channel 6 do have a small amount of overlap, as do channel 6 and channel 11. Figure 9.10 illustrates this overlap. The reason for this overlap is typically that both access points are transmitting at approximately the same high output power and are located relatively close to each other. So, instead of getting normal half-duplex throughput on all access points, a detrimental effect is seen on all three. Throughput can decrease to 4 Mbps or less on all three access points, or it may be unevenly distributed, with the access points getting 3, 4, and 5 Mbps respectively.


The portion of the theory that holds true is that adjacent channels (1, 2, 3, 4, and 5, for example) have significant overlap, to the point that using an access point on channel 1 and another on channel 3, for example, results in even lower throughput (2 Mbps or less) on the two access points. In this case, in particular, a partial overlapping of channels occurs. It is typically seen that a full overlap results in better throughput for the two systems than does a partial overlap between systems.

All this discussion is not to say that you simply cannot co-locate three access points using channels 1, 6, and 11. Rather, it is to point out that when you do so, you should not expect the theory to hold completely true. You will experience degraded throughput that is significantly less than the normally expected rate of approximately 5 Mbps per access point unless care is taken to turn down the output power and spread the access points across a broader amount of physical space.
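The channel geometry behind this discussion (22 MHz channels, 5 MHz apart, in 83.5 MHz of usable band, with 1/6/11 disjoint and 1 and 3 partially overlapping) can be checked directly. The following is an added example, not from the original page; it assumes the IEEE 802.11 center frequencies (channel 1 at 2412 MHz, 5 MHz per step) and computes only the spectral overlap of the channel masks, which says nothing about the power- and proximity-related leakage described in the "Reality" section.

```python
"""Spectral overlap of the 11 US DSSS channels described above: 22 MHz wide,
5 MHz apart, inside the 83.5 MHz usable portion of the 2.4 GHz ISM band.

Added example, not from the original page. Center frequencies follow the
IEEE 802.11 channel plan (channel 1 at 2412 MHz, +5 MHz per channel). The
figures are pure geometry of the channel masks; they cannot show the
power- and proximity-related leakage the 'Reality' section describes."""

from itertools import combinations
from typing import Iterable, List, Tuple

BAND_MHZ = (2400.0, 2483.5)      # usable ISM band: 83.5 MHz
CHANNEL_WIDTH_MHZ = 22.0
CHANNEL_SPACING_MHZ = 5.0
US_CHANNELS = range(1, 12)


def center_mhz(channel: int) -> float:
    return 2412.0 + CHANNEL_SPACING_MHZ * (channel - 1)


def edges_mhz(channel: int) -> Tuple[float, float]:
    c = center_mhz(channel)
    return c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2


def fits_in_band(channel: int) -> bool:
    """True when the whole 22 MHz mask lies inside the usable band."""
    lo, hi = edges_mhz(channel)
    return BAND_MHZ[0] <= lo and hi <= BAND_MHZ[1]


def overlap_mhz(a: int, b: int) -> float:
    """Width of spectrum two channel masks share (0 when they do not touch)."""
    lo_a, hi_a = edges_mhz(a)
    lo_b, hi_b = edges_mhz(b)
    return max(0.0, min(hi_a, hi_b) - max(lo_a, lo_b))


def overlap_fraction(a: int, b: int) -> float:
    return overlap_mhz(a, b) / CHANNEL_WIDTH_MHZ


def non_overlapping_sets(channels: Iterable[int] = US_CHANNELS,
                         size: int = 3) -> List[Tuple[int, ...]]:
    """Every set of `size` channels whose masks are pairwise disjoint."""
    return [combo for combo in combinations(channels, size)
            if all(overlap_mhz(a, b) == 0.0 for a, b in combinations(combo, 2))]


def max_disjoint_channels() -> int:
    """Upper bound from the band width alone: how many 22 MHz masks fit in 83.5 MHz."""
    return int((BAND_MHZ[1] - BAND_MHZ[0]) // CHANNEL_WIDTH_MHZ)


def overlap_table(channels: Iterable[int] = US_CHANNELS) -> List[str]:
    """Human-readable list of the channel pairs that share spectrum."""
    rows = []
    for a, b in combinations(channels, 2):
        shared = overlap_mhz(a, b)
        if shared:
            rows.append(f"channels {a:2d} and {b:2d}: {shared:4.1f} MHz shared "
                        f"({overlap_fraction(a, b):.0%} of a channel)")
    return rows


if __name__ == "__main__":
    print("disjoint triples among channels 1-11:", non_overlapping_sets())
    print("band-width bound on disjoint channels:", max_disjoint_channels())
    for row in overlap_table((1, 3, 6, 11)):
        print(row)
```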

Tuesday, January 19, 2010

Wireless LAN Implementation Challenges

Near/Far

The near/far problem in wireless LAN implementation results from a scenario in which there are multiple client nodes that are (a) very near to the access point and (b) using high power settings, together with at least one client that is (a) much farther away from the access point than those client nodes and (b) using much less transmit power than the other client nodes. The result is that the client(s) that are farther away from the access point and using less power simply cannot be heard over the traffic from the closer, high-powered clients, as illustrated in Figure 9.8.


Near/far is similar in nature to a crowd of people all screaming at one time into a microphone, and one person whispering from fifty feet away from that same microphone. The voice of the person 50 feet away is not going to reach the microphone over the noise of the crowd shouting near the microphone. Even if the microphone is sensitive enough to pick up the whisper under silent conditions, the high-powered close-range conversations have effectively raised the noise floor to a point where low-amplitude inputs are not heard.

Getting back to wireless LANs, the node that is being drowned out is well within the normal range of the access point, but it simply cannot be heard over the signals of the other clients. What this means to you as an administrator is that you must be aware of the possibility of the near/far problem during site surveys and understand how to overcome the problem through proper wireless LAN design and troubleshooting techniques.


Troubleshooting Near/Far

Troubleshooting the near/far problem is normally as simple as taking a good look at the network design, locations of stations on the wireless network, and transmission output power of each node. These steps will give the administrator clues as to what is likely going on with the stations having connectivity problems. Since near/far prevents a node from communicating, the administrator should check to see if the station has drivers loaded properly for the wireless radio card and has associated with the access point (shown in the association table of the access point).

The next step in troubleshooting near/far is use of a wireless sniffer. A wireless sniffer will pick up transmissions from all stations it hears. One simple method of finding nodes whose signals are not being heard by the access point is to move around the network looking for stations with a faint signal in relation to the access point and nodes near the access point. Using this method, it should not be too time-consuming to locate such a node, depending on the size of the network and the complexity of the building structure. Locating this node and comparing its signal strength to that of nodes near the access point can solve the near/far problem fairly quickly.

Solutions for Near/Far

Although the near/far problem can be debilitating for those clients whose RF signals get drowned out, near/far is a relatively easy problem to overcome in most situations. It is imperative to understand that the CSMA/CA protocol solves much of the near/far problem with no intervention by the administrator. If a node can hear another node transmitting, it will stop its own transmissions, complying with the shared medium access rules of CSMA/CA. However, if for any reason the near/far problem still exists in the network, below is a list of remedies that are easily implemented and can overcome it.

  • Increase power to remote node (the one that is being drowned out)
  • Decrease power of local nodes (the close, loud ones)
  • Move the remote node closer to the access point

One other solution is moving the access point to which the remote node is associated. However, this solution should be viewed as a last resort, since moving an access point will likely disrupt more clients than it would help. Furthermore, the need to move an access point likely reveals a flawed site survey or network design, which is a much bigger problem.
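To make the three remedies above concrete, here is an added example (not from the original page) that estimates how far below the loudest nearby client a distant, low-power client arrives at the access point, then applies each remedy on its own. Free-space path loss and the dBm/mW conversions are standard formulas; the 20 dB "capture range" (how far below the strongest overlapping signal the AP can still pull out a weaker one), the distances and the power settings are constructed values.

```python
"""Near/far check at the access point: can the distant, low-power client
be heard over the nearby, high-power ones, and which of the remedies
listed above restores it?

Added example, not from the original page. Free-space path loss and the
dBm/mW conversions are standard formulas; the 20 dB capture range, the
distances and the power settings are constructed values."""

import math
from typing import Dict, List, Tuple

FREQ_MHZ = 2437.0           # 2.4 GHz channel 6 center frequency
CAPTURE_RANGE_DB = 20.0     # constructed: weaker signal is lost beyond this gap

Client = Tuple[float, float]  # (transmit power in mW, distance to the AP in metres)


def mw_to_dbm(mw: float) -> float:
    return 10.0 * math.log10(mw)


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss: 20 log10(d_km) + 20 log10(f_MHz) + 32.44."""
    return 20.0 * math.log10(distance_m / 1000.0) + 20.0 * math.log10(freq_mhz) + 32.44


def received_dbm(client: Client) -> float:
    """Power the AP sees from a client, ignoring antenna gains and obstacles."""
    tx_mw, distance_m = client
    return mw_to_dbm(tx_mw) - fspl_db(distance_m)


def far_node_gap_db(near_clients: List[Client], far_client: Client) -> float:
    """How many dB the far client sits below the strongest near client at the AP."""
    return max(received_dbm(c) for c in near_clients) - received_dbm(far_client)


def is_heard(near_clients: List[Client], far_client: Client,
             capture_range_db: float = CAPTURE_RANGE_DB) -> bool:
    """The AP can still decode the far client if it is within the capture range."""
    return far_node_gap_db(near_clients, far_client) <= capture_range_db


def evaluate_remedies(near_clients: List[Client], far_client: Client,
                      far_power_mw: float = 30.0, near_power_mw: float = 1.0,
                      far_distance_m: float = 25.0) -> Dict[str, Dict[str, object]]:
    """Apply each remedy from the text on its own and report whether the far
    client is heard afterwards (remedy values are constructed settings)."""
    far_power, far_distance = far_client
    scenarios = {
        "as found": (near_clients, far_client),
        "increase far node power": (near_clients, (far_power_mw, far_distance)),
        "decrease near node power": ([(near_power_mw, d) for _, d in near_clients], far_client),
        "move far node closer": (near_clients, (far_power, far_distance_m)),
    }
    return {name: {"gap_db": round(far_node_gap_db(n, f), 1), "heard": is_heard(n, f)}
            for name, (n, f) in scenarios.items()}


if __name__ == "__main__":
    near = [(100.0, 10.0), (100.0, 12.0)]   # two loud clients a few metres from the AP
    far = (1.0, 50.0)                       # one quiet client across the floor
    for name, result in evaluate_remedies(near, far).items():
        print(f"{name:26s} gap {result['gap_db']:5.1f} dB  heard={result['heard']}")
```

With these constructed values, raising the far node to 30 mW or dropping the near nodes to 1 mW is enough on its own, while halving the far node's distance buys only 6 dB and is not; that is why the remedies are usually combined.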

Monday, January 4, 2010

Troubleshooting Hidden Node

The primary symptom of a hidden node is degraded throughput over the wireless LAN. Many times you will discover that you have a hidden node by hearing the complaints of users connected to the wireless LAN detecting an unusual sluggishness of the network. Throughput may be decreased by up to 40% because of a hidden node problem. Since wireless LANs use the CSMA/CA protocol, they already have an approximate overhead of 50%, but, during a hidden node problem, it is possible to lose almost half of the remaining throughput on the system.

Because the nature of a wireless LAN increases mobility, you may encounter a hidden node at any time, despite a flawless design of your wireless LAN. If a user moves his computer to a conference room, another office, or into a data room, the new location of that node can potentially be hidden from the rest of the nodes connected to your wireless LAN.


Solutions for Hidden Node

Once you have done the troubleshooting and discovered that there is a hidden node problem, the problem node(s) must be located. Finding the node(s) will include a manual search for nodes that might be out of reach of the main cluster of nodes. This process is usually trial and error at best. Once these nodes are located, there are several remedies and workarounds for the problem.
  • Use RTS/CTS
  • Increase power to the nodes
  • Remove obstacles
  • Move the node

Use RTS/CTS
The RTS/CTS protocol is not necessarily a solution to the hidden node problem. Instead, it is a method of reducing the negative impact that hidden nodes have on the network. Hidden nodes cause excessive collisions, which have a severely detrimental impact on network throughput. The RTS/CTS (request-to-send/clear-to-send) protocol involves sending a small packet (RTS) to the intended recipient to prompt it to send back a packet (CTS) clearing the medium for data transmission before sending the data payload. This process informs any nearby stations that data is about to be sent, having them delay transmissions (and thereby avoiding collisions). Both the RTS and the CTS contain the length of the impending data transmission so that stations overhearing either the RTS or CTS frames know how long the transmission will take and when they can start to transmit again.

There are three settings for RTS/CTS on most access points and clients: On, Off, and On with Threshold. The network administrator must manually configure RTS/CTS settings. The Off setting is the default in order to reduce unnecessary network overhead caused by the RTS/CTS protocol. The threshold refers directly to the packet size that will trigger use of the RTS/CTS protocol. Since hidden nodes cause collisions, and collisions mainly affect larger packets, you may be able to overcome the hidden node problem by using the packet size threshold setting for RTS/CTS. What this setting essentially does is tell the access point to transmit all packets that are greater in size than “x” (your setting) using RTS/CTS and to transmit all other packets without RTS/CTS. If the hidden node is only having a minor impact on network throughput, then activating RTS/CTS might have a detrimental effect on throughput.

Try using RTS/CTS in the “On” mode as a test to see if your throughput is positively affected. If RTS/CTS increases throughput, then you have most likely confirmed the hidden node problem. You will encounter some additional overhead when using RTS/CTS, but your overall throughput should increase over what it was when the hidden node problem occurred.


Increase Power to the Nodes

Increasing the power (measured in milliwatts) of the nodes can solve the hidden node problem by allowing the cell around each node to increase in size, encompassing all of the other nodes. This configuration enables the non-hidden nodes to detect, or hear, the hidden node. If the non-hidden nodes can hear the hidden node, the hidden node is no longer hidden. Because wireless LANs use the CSMA/CA protocol, nodes will wait their turn before communicating with the access point.


Remove Obstacles
Increasing the power on your mobile nodes may not work if, for example, the reason one node is hidden is that there is a cement or steel wall preventing communication with other nodes. It is doubtful that you would be able to remove such an obstacle, but removal of the obstacle is another method of remedy for the hidden node problem. Keep these types of obstacles in mind when performing a site survey.


Move the Node
Another method of solving the hidden node problem is moving the nodes so that they can all hear each other. If you have found that the hidden node problem is the result of a user moving his computer to an area that is hidden from the other wireless nodes, you may have to force that user to move again. The alternative to forcing users to move is extending your wireless LAN to add proper coverage to the hidden area, perhaps using additional access points.

Wednesday, December 23, 2009

Troubleshooting Multipath

An in-phase or out-of-phase RF wave cannot be seen, so we must look for the effects of multipath in order to detect its occurrence. When doing a link budget calculation, in order to find out just how much power output you will need to have a successful link between sites, you might calculate an output power level that should work, but doesn't. Such an occurrence is one way to determine that multipath is occurring.

Another common method of finding multipath is to look for RF coverage holes in a site survey (discussed in Chapter 11). These holes are created both by lack of coverage and by multipath reflections that cancel the main signal. Understanding the sources of multipath is crucial to eliminating its effects.

Multipath is caused by reflected RF waves, so obstacles that more easily reflect RF waves, such as metal blinds, bodies of water, and metal roofs, should be removed from or avoided in the signal path if possible. This procedure may include moving the transmitting and receiving antennas. Multipath is likely the most common "textbook" wireless LAN problem. Administrators and installers deal with multipath daily. Even wireless LAN users - because they are mobile - experience problems with multipath. Users may roam into an area with high multipath, not knowing why their RF signal has been so significantly degraded.


Solutions for Multipath

Antenna diversity was devised for the purpose of compensating for multipath. Antenna diversity means using multiple antennas, inputs, and receivers in order to compensate for the conditions that cause multipath. There are four types of receiving antenna diversity, one of which is predominantly used in wireless LANs. The type of transmission diversity used by wireless LANs is also described below.
  • Antenna Diversity - not active
  • Switching Diversity
  • Antenna Switching Diversity - active
  • Phase Diversity
  • Diversity Transmission
Figure 9.6 illustrates an access point with multiple antennas to compensate for multipath.


Antenna diversity is made up of the following characteristics that work together to compensate for the effects of multipath:

1. Antenna diversity uses multiple antennas on multiple inputs to bring a signal to a single receiver.

2. The incoming RF signal is received through one antenna at a time. The receiving radio is constantly sampling the incoming signals from both antennas to determine which signal is of a higher quality. The receiving radio then chooses to accept the higher quality signal.

3. The radio transmits its next signal out of the antenna that was last used to receive an incoming signal because the received signal was a higher quality signal than from the other antenna. If the radio must retransmit a signal, it will alternate antennas until a successful transmission is made.

4. Finally, each antenna can be used to transmit or receive, but not both at the same time. Only one antenna may be used at a time, and that antenna may only transmit or receive, but not both, at any given instant.
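The four characteristics above describe a small state machine, written out here as an added example (not from the original page): the radio samples both inputs, feeds its single receiver from the better antenna, transmits on the antenna that last received well, and alternates on retransmission. The two inputs are named A and B, signal quality is reduced to the stronger RSSI sample, and every RSSI value and acknowledgement pattern is constructed.

```python
"""Receive antenna diversity as a state machine that follows the four
characteristics listed above.

Added example, not from the original page. Signal quality is reduced to
the stronger RSSI sample, the two antenna inputs are named A and B, and
the RSSI values and acknowledgement patterns below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class DiversityRadio:
    antennas: Tuple[str, str] = ("A", "B")
    last_rx_antenna: str = "A"                 # antenna that delivered the last good frame
    log: List[Tuple[str, str]] = field(default_factory=list)

    def receive(self, rssi_dbm: Dict[str, float]) -> str:
        """Characteristics 1, 2 and 4: sample both inputs, feed the single
        receiver from exactly one antenna (the better one), remember the choice."""
        best = max(self.antennas, key=lambda a: rssi_dbm[a])
        self.last_rx_antenna = best
        self.log.append(("rx", best))
        return best

    def transmit(self) -> str:
        """Characteristic 3: the next transmission leaves through the antenna
        that last received the better signal."""
        self.log.append(("tx", self.last_rx_antenna))
        return self.last_rx_antenna

    def retransmit(self, failed_on: str) -> str:
        """Characteristic 3, second half: after a failed attempt, alternate."""
        other = self.antennas[1] if failed_on == self.antennas[0] else self.antennas[0]
        self.log.append(("retx", other))
        return other

    def send_frame(self, acked_on: Dict[str, bool],
                   max_attempts: int = 4) -> Tuple[bool, List[str]]:
        """Transmit, then alternate antennas until the (constructed) channel
        acknowledges or the attempt budget is used up."""
        antenna = self.transmit()
        attempts = [antenna]
        while not acked_on[antenna] and len(attempts) < max_attempts:
            antenna = self.retransmit(antenna)
            attempts.append(antenna)
        return acked_on[antenna], attempts


def outage_rate(samples: List[Tuple[float, float]], threshold_dbm: float) -> Dict[str, float]:
    """Fraction of (rssi_A, rssi_B) sample pairs that fall below the receiver
    threshold for A alone, B alone, and with selection diversity (the better
    of the two each time). Shows why a second antenna helps in multipath."""
    n = len(samples)

    def below(values: Iterable[float]) -> float:
        return sum(1 for v in values if v < threshold_dbm) / n

    return {"A": below(a for a, _ in samples),
            "B": below(b for _, b in samples),
            "diversity": below(max(a, b) for a, b in samples)}


if __name__ == "__main__":
    radio = DiversityRadio()
    print("receive picked", radio.receive({"A": -72, "B": -65}))
    print("send result", radio.send_frame({"A": True, "B": False}))
    # constructed fading samples: each antenna fades at different moments
    fades = [(-60, -85), (-88, -70), (-90, -92), (-75, -79), (-82, -68)]
    print("outage below -80 dBm:", outage_rate(fades, -80))
```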


Most access points in today’s wireless LANs are built with dual antennas for exactly this purpose: to compensate for the degrading effects of multipath on signal quality and throughput.


Hidden Node

Multiple access protocols that enable networked computing devices to share a medium, such as Ethernet, are well developed and understood. However, the nature of the wireless medium makes traditional methods of sharing a common connection more difficult.

Collision detection has caused many problems in wired networking, and even more so for wireless networks. Collisions occur when two or more nodes sharing a communication medium transmit data simultaneously. The two signals corrupt each other and the result is a group of unreadable packet fragments. Collisions have always been a problem for computer networks, and the simplest protocols often do not overcome this problem. More complex protocols such as CSMA/CD and CSMA/CA check the channel before transmitting data. CSMA/CD is the protocol used with Ethernet and involves checking the voltage on the wire before transmitting. However, the process is considerably more difficult for wireless systems since collisions are undetectable. A condition known as the hidden node problem has been identified in wireless systems and is caused by problems in transmission detection.

Hidden node is a situation encountered with wireless LANs in which at least one node is unable to hear (detect) one or more of the other nodes connected to the wireless LAN. In this situation, a node can see the access point, but cannot see that there are other clients also connected to the same access point due to some obstacle or a large amount of distance between the nodes. This situation causes a problem in medium access sharing, causing collisions between node transmissions. These collisions can result in significantly degraded throughput in the wireless LAN, as illustrated in Figure 9.7.


Figure 9.7 illustrates a brick wall with an access point sitting on top. On each side of the wall is a wireless station. These wireless stations cannot hear each other's transmissions, but both can hear the transmissions of the access point. If station A is transmitting a frame to the access point, and station B cannot hear this transmission, station B assumes that the medium is clear and can begin a transmission of its own to the access point. The access point will, at this point, be receiving transmissions that have originated at two points and there will be a collision. The collision will cause retransmissions by both stations A and B, and again, since they cannot hear each other, they will transmit at will thinking the medium is clear. There will likely be another collision. This problem is exacerbated with many active nodes on the wireless LAN that cannot hear one another.
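The brick-wall scenario just described, and the RTS/CTS remedy with its Off / On / On-with-threshold settings from the "Use RTS/CTS" section above, can be played through slot by slot. The following is an added example, not from the original page: the topology, slot timings, frame size, backoffs and threshold are constructed, and the medium-access rules are a simplified CSMA/CA (one slot per RTS or CTS, ten slots per data frame, fixed per-station backoff instead of 802.11's random backoff so that the run is reproducible).

```python
"""Hidden node collisions with and without RTS/CTS: a slot-by-slot model of
the brick-wall scenario in Figure 9.7 (stations A and B hear only the AP).

Added example, not from the original page. Topology, slot timings, frame
size, backoffs and threshold are constructed. Simplifications: one slot per
RTS or CTS, ten slots per data frame, fixed per-station backoff instead of
802.11's random backoff (so the run is reproducible), and "collision" means
two station transmissions overlap at the AP."""

from dataclasses import dataclass
from typing import List, Optional

FRAME_BYTES = 1000       # every queued frame is this size (constructed)
BYTES_PER_SLOT = 100     # so a data frame occupies 10 slots
HEARS = {"A": {"AP"}, "B": {"AP"}}   # hidden-node topology: A and B cannot sense each other


@dataclass
class Transmission:
    sender: str
    kind: str            # "RTS", "CTS" or "DATA"
    end: int             # first slot in which the medium is free again
    reserve: int         # data slots announced in the RTS/CTS duration field
    collided: bool = False


@dataclass
class Station:
    name: str
    backoff: int         # slots to wait after a collision (fixed, see module docstring)
    ready_at: int = 0    # slot from which the next frame may be attempted
    nav_until: int = 0   # network allocation vector set from an overheard CTS
    cleared: bool = False  # received a CTS addressed to us; send DATA next


def simulate(rts_threshold: Optional[int], slots: int = 60) -> dict:
    """rts_threshold=None: RTS/CTS off; 0: always on; N: only frames larger than N bytes."""
    stations = {"A": Station("A", backoff=1), "B": Station("B", backoff=3)}
    data_slots = FRAME_BYTES // BYTES_PER_SLOT
    use_rts = rts_threshold is not None and FRAME_BYTES > rts_threshold
    air: List[Transmission] = []
    stats = {"delivered": 0, "data_collisions": 0, "rts_collisions": 0}
    cts_for: Optional[str] = None

    for t in range(slots):
        # 1. Transmissions ending now: the AP judges whether each survived.
        ending = [x for x in air if x.end == t]
        air = [x for x in air if x.end != t]
        for x in ending:
            if x.kind == "CTS":
                continue
            st = stations[x.sender]
            if x.collided:
                stats["data_collisions" if x.kind == "DATA" else "rts_collisions"] += 1
                st.ready_at = t + st.backoff
            elif x.kind == "DATA":
                stats["delivered"] += 1
                st.ready_at = t
            else:                       # clean RTS: the AP answers with CTS this slot
                cts_for = x.sender
        # 2. The AP's CTS is heard by everyone; the others set their NAV for the data.
        if cts_for is not None:
            air.append(Transmission("AP", "CTS", t + 1, data_slots))
            for st in stations.values():
                if st.name == cts_for:
                    st.cleared = True
                elif "AP" in HEARS[st.name]:
                    st.nav_until = t + 1 + data_slots
            cts_for = None
        # 3. A station with a ready frame transmits if it senses nothing and its NAV has expired.
        for st in stations.values():
            if t < st.ready_at or t < st.nav_until:
                continue
            if any(x.sender == st.name or x.sender in HEARS[st.name] for x in air):
                continue                # already transmitting, or medium sensed busy
            if st.cleared:
                st.cleared = False
                air.append(Transmission(st.name, "DATA", t + data_slots, data_slots))
            elif use_rts:
                air.append(Transmission(st.name, "RTS", t + 1, data_slots))
            else:
                air.append(Transmission(st.name, "DATA", t + data_slots, data_slots))
        # 4. Two station transmissions on the air at once corrupt each other at the AP.
        on_air = [x for x in air if x.sender != "AP"]
        if len(on_air) > 1:
            for x in on_air:
                x.collided = True

    stats["useful_slot_fraction"] = round(stats["delivered"] * data_slots / slots, 2)
    return stats


if __name__ == "__main__":
    for label, thr in (("RTS/CTS off", None), ("RTS/CTS on", 0), ("threshold 1500 B", 1500)):
        print(f"{label:18s} {simulate(thr)}")
```

With RTS/CTS off the two hidden stations never manage a clean 10-slot frame; with it on the collisions move to the one-slot RTS exchanges and the CTS-protected data gets through, and a 1500-byte threshold leaves these 1000-byte frames unprotected, exactly as the threshold setting above describes.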