3852 wlan revised

of 14 /14
an Networking eBook ® Deploying and Securing a Wireless LAN

Author: steven-habuda

Post on 13-Jan-2015




0 download

Embed Size (px)




  • 1. Deployingand Securinga Wireless LAN an Networking eBook

2. ContentsDeploying and Securing a Wireless LAN This content was adapted from Internet.coms Wi-Fi Planet, eSecurity Planet, Enterprise Net- working Planet, and Practically Networked Web sites. Contributors: Jim Geier and Michael Horowitz.22Define Your Wireless LAN Deployment Risks4Minimize WLAN Interference477How to Secure Your WLAN9Twelve Key Wireless Network Security Policies912 12 Troubleshooting Poor WLAN Performance12 3. Deploying and Securing a Wireless LANDefine Your Wireless LAN Deployment Risks By Jim Geier W hen planning a wireless network installa-cause damaging RF interference that impedes the perfor- tion, be sure to carefully assess and resolvemance of a wireless network. To minimize the risk of RF risks. Otherwise unforeseen implications,interference, perform a wireless site survey to detect the such as RF interference, poor performance, presence of interference, and define countermeasures be-and security holes will wreak havoc. By handling risks dur- fore installing the access points.ing the early phases of the deployment, youll significantlyincrease the success of a wireless The problem with RF inter-network. ference is that its not always controllable. For example, youThe following are common risks tomay deploy a 2.4 GHz 802.11nconsider:wireless network in an office complex, then three monthsUnclear Requirements later the company next doorIf you deploy a wireless network installs a wireless network setwithout first clarifying requirements, to the same channels. This re-then the wireless network may notsults in both wireless networkssatisfy the needs of the users. In interfering with each other. Afact, poor requirements are oftenpossible solution to minimizethe reason why information systemthis risk is to utilize directive an-projects are unsuccessful. As a re-tennas that ensure transmit andsult, always define clear require- receive power of your wirelessments before getting too far withnetwork falls only within yourthe deployment.facility. This would limit the im- pact of the interfering wirelessFor example, you may install 802.11g today to support network. You could also specify the use of 5 GHz 802.11n,needs for a moderate number of users accessing e-mail which offers more flexibility in choosing channels that dontand browsing the Web. Ten months from now, your orga- conflict with others.nization may increase the density of users or need to utilizemultimedia applications demanding a higher-performing Security Weaknessessolution. The organization would then be facing a decisionThe potential for an unauthorized person accessing cor-to migrate to 802.11n. Start off right after carefully consid-porate information is a significant threat for wireless net-ering requirements so that you choose the right technolo- works. An eavesdropper can use a freely-available wirelessgies from the beginning.network analyzer, such as WireShark, to passively receiveand view contents of 802.11 data frames. This could dis-RF Interference close credit card numbers, passwords, and other sensitiveDevices such as 2.4 GHz and 5 GHz cordless phones, mi-information.crowave ovens, and neighboring wireless networks, can 2 Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 4. Deploying and Securing a Wireless LANAvoid security risks by carefully assessing the vulnerabil- For example, a user may be using an inventory applicationities of a wireless network, and define effective securityby scanning items and entering total counts via a keypadpolicies based on the value of information you need toon the scanner. If loss of connectivity occurs after scan-protect. In some cases, you may simply need firewall pro- ning the bar code and before entering the count, the host-tection. Other applications may require effective forms ofbased application could log the use out without complet-encryption. 802.1x port-based authentication will also pro- ing the inventory transaction. As a result, the applicationvide added security.on the host may record an incorrect or invalid value for theinventory item.Well discuss security more in depth later in this eBook.To avoid these types of risks, carefully define the types ofApplications Interfaces applications the wireless user devices will interface with. IfIn some cases, interfaces with applications located on vari-needed, incorporate solutions such as wireless middlewareous hosts and servers can bring about major problems(such as NetMotion) to provide adequate handle recoverywhen using a wireless network. A relatively short loss of mechanisms related to wireless networks.connectivity due to RF interference or poor coverage areacauses some applications to produce errors. This occurs By identifying and solving these potential risks, youll havemostly with legacy applications lacking error recoverya much more successful wireless network deployment.mechanisms for wireless systems. 3 Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 5. Deploying and Securing a Wireless LANMinimize WLAN InterferenceBy Jim Geier R adio frequency (RF) interference can lead to To make matters worse, RF interference doesnt abide by disastrous problems on wireless LAN deploy-the 802.11 protocols, so the interfering signal may start ments. Many companies have gotten by with- abruptly while a legitimate 802.11 station is in the process out any troubles, but some have installationsof transmitting a packet. If this occurs, the destination sta-that dont operate nearly as well as planned. The perils of tion will receive the packet with errors and not reply to theinterfering signals from external RF sources are often thesource station with an acknowledgement. In return, theculprit. As a result, its important that youre fully aware of source station will attempt retransmitting the packet, add-RF interference impacts and avoidance techniques. ing overhead on the network.Impacts of RF interferenceAll of this leads to network latency and unhappy users. InAs a basis for understanding thesome causes, 802.11 protocolsproblems associated with RF in- will attempt to continue opera-terference in wireless LANs, letstion in the presence of RF inter-quickly review how 802.11 stationsference by automatically switch-(client radios and access points) ing to a lower data rate, whichaccess the wireless (air) medium. also slows the use of wireless ap-Each 802.11 station only transmitsplications. The worst case, whichpackets when there is no otheris fairly uncommon, is that thestation transmitting. If another802.11 stations will hold off untilstation happens to be sending a the interfering signal goes com-packet, the other stations will waitpletely away, which could be min-until the medium is free. The actu- utes, hours, or days.al 802.11 medium access protocolis somewhat more complex, but Sources ofthis gives you enough of a start- RF Interferenceing basis. With 2.4 GHz wireless LANs, there are several sources of in-RF interference involves the pres- terfering signals, including micro-ence of unwanted, interfering RF signals that disrupt normalwave ovens, cordless phones, Bluetooth-enabled devices,wireless operations. Because of the 802.11 medium accessFHSS wireless LANs, and neighboring wireless LANs. Theprotocol, an interfering RF signal of sufficient amplitudemost damaging of these are 2.4 GHz cordless phones thatand frequency can appear as a bogus 802.11 station trans- people use extensively in homes and businesses. If one ofmitting a packet. This causes legitimate 802.11 stations to these phones is in use within the same room as a 2.4GHzwait for indefinite periods of time before attempting to ac-(802.11b or 802.11g) wireless LAN, then expect poor wire-cess the medium until the interfering signal goes away. less LAN performance when the phones are in operation. 4 Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 6. Deploying and Securing a Wireless LANA microwave operating within 10 feet or so of an accessThis clearly shows relatively high-level signals emanat-point may also cause 802.11b/g performance to drop.ing from the microwave oven in the upper portion of theThe oven must be operating for the interference to occur,2.4GHz frequency band, which indicates that you shouldwhich may not happen very often depending on the usage tune any access points near this microwave oven to lowerof the oven. Bluetooth-enabled devices, such as laptopschannels. To simplify matters, MetaGeek has an interfer-and PDAs, will cause performance degradations if operat- ence identification guide that you can use with Wi-Spy toing in close proximately to 802.11 stations, especially if the help pinpoint interfering sources. The benefit of using a802.11 station is relatively far (i.e., low signal levels) fromspectrum analyzer in this manner is that you can identifythe station that its communicating with. The presence ofthe interference faster and avoid guessing if a particularFHSS wireless LANs is rare, but when theyre present, ex-device is (or may) cause interference.pect serious interference to occur. Other wireless LANs,such as one that your neighbor may be operating, can Take Action to Avoid RF Interferencecause interference unless you coordinate the selection ofThe following are tips you should consider for reducing RF802.11b/g channels.interference issues:Use Tools to See RF Interference 1.Analyze the potential for RF interference.Unless youre Superman, you cant directly see RF interfer-Do this before installing the wireless LAN by performingence with only your eyes. Sure, you might notice problemsan RF site survey. Also, talk to people within the facilityin using the network that coincide with use of a deviceand learn about other RF devices that might be in use.that may be causing the interference, such as turning on This arms you with information that will help whena microwave oven and noticing browsing the Internet slow deciding what course of action to take in order to reducedramatically, but having tools to confirm the source of thethe interferenceRF interference and possibly investigate potential sourcesof RF interference is crucial. For example, MetaGeeks Wi- 2. Prevent the interfering sources fromSpy is a relatively inexpensive USB-based Wi-Fi spectrum operating.analyzer that indicates the amplitude of signals across theOnce you know the potential sources of RF interference,2.4GHz frequency band. Figure 1 is a screenshot of the you may be able to eliminate them by simply turningWi-Spy display with a microwave oven operating 10 feet them off. This is the best way to counter RF interference;away.however, its not always practical. For example, you cant usually tell the company in the office space next to you to stop using their cordless phones; however, you might be able to disallow the use of Bluetooth-enabled devices or microwave ovens where your 802.11 users reside. 3.Provide adequate wireless LAN coverage. A good practice for reducing impacts of RF interference is to ensure the wireless LAN has strong signals throughout the areas where users will reside. If signals get to weak, then interfering signals will be more troublesome, similar to when youre talking to someone and a loud plane flies over your heads. Of course this means doing a thorough RF site survey to determine the Figure 1most effective number and placement of access point. 5 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 7. Deploying and Securing a Wireless LAN4. Set configuration parameters properly.The problem with RF interference is that it will likely change If youre deploying 802.11g networks, tune access pointsover time. For example, a neighbor may purchase a cord-to channels that avoid the frequencies of potentialless phone and start using it frequently, or the use of wire-interfering signals. This might not always work, but itsless LANs in your area may increase. This means that theworth a try. For example, as pointed out earlier in this resulting impacts of RF interference may grow over time,tutorial, microwave ovens generally offer interference inor they may come and go. As a result, in addition to sus-the upper portion of the 2.4GHz band. As a result, you pecting RF interference as the underlying problem for poormight be able to avoid microwave oven interference byperformance, investigate the potential for RF interferencetuning the access points near the microwave oven toin a proactive manner.channel 1 or 6 instead of 11. Dont let RF interference ruin your day. Keep a continual5. Deploy 5GHz wireless LANs.close watch on the use of wireless devices that might causeMost potential for RF interference today is in the 2.4 GHz a hit on the performance of your wireless LAN.band (i.e., 802.11b/g). If you find that other interferenceavoidance techniques dont work well enough, thenconsider deploying 802.11a or 802.11n networks. Inaddition to avoiding RF interference, youll also receivemuch higher throughput. 6Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 8. Deploying and Securing a Wireless LAN How to Secure Your WLANBy Michael Horowitz Securing a wireless network isnt a hard task. Wi-Fi networks offer three security options: WEP, WPA,The cheat sheet is relatively small. However, and WPA2. As a simplistic introduction, think of WEP asthe technical press continues to be flooded withbad, WPA as just fine, and WPA2 as great.articles and blogs containing technical mistakes.WEP is the oldest security option and it has been shown toTake, for example, everyones trusted information source, be very weak. It may be better than no security at all, butConsumer Reports magazine. Im a big fan of the maga- not by much. Dont use it. Other than Consumer Reportszine, having subscribed to the hard copy edition for years. magazine, the last recommendation to use WEP was is-But they seem out of their league when it comes to com- sued in 2005.puters.WPA is technically a certification,On Aug. 6, 2009, a blog posting atnot a security standard, but sincethe magazines Web site suggest-it includes only one security pro-ed using WEP security for wirelesstocol, TKIP, they are often con-networks. This is very poor advice. fused. When people refer to WPAA week after the posting, an edi- security, they are really referringtor corrected it to say they recom- to the TKIP protocol.mend WPA security. This too, isnot the best option. Even after The combination of WPA and TKIPbeing shamed into a correction, is not the best, but its reasonablythey still got it wrong.good. If you have a choice, youshould opt for the best securityLet me try to offer up just what(next topic), but if you dont havemost people (and Consumer Re- a choice (more later) TKIP is rea-ports) need to know about secur-sonably strong.ing a wireless network. WPA2 is also, technically, a certifi-Starting at the Beginning cation rather than a security standard. WPA2 includes twoTo begin with, there are four types of Wi-Fi networks (a, b,security standards: TKIP and CCMP. If you are using TKIP,g, and n). But the security is not tied to any one type.it doesnt matter whether the router is WPA or WPA2. TKIPis TKIP either way.If you can connect to a wireless network without enteringcontinueda password, then there is no security. In this context, the The best security option is CCMP and its only available interm security refers to encrypting data as it travels overWPA2. Here again, the security protocol is often confusedthe air. The idea being to prevent a bad guy from captur- with the certification. When people refer to WPA2 security,ing all the information coming into and out of a victims they are really referring to CCMP.computer and, in effect, looking over their shoulder de-spite being a few hundred feet away. 7 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 9. Deploying and Securing a Wireless LANBut no one refers to CCMP (dont ask what it stands for). radio, or whatever other device you want to use with yourFor whatever reason, the CCMP security protocol is re-wireless network.ferred to, incorrectly, as AES. When you are configuringa router, you need to first select WPA2, then you need to For example, Windows XP SP2 does not support WPA2,select AES (rather than TKIP) to get the best possible se-even if it has been kept up to date on patches. A hotfixcurity and encryption.(KB893357) needs to be installed to add WPA2 support toWindows XP SP2.WPA TKIP FlawsThe TKIP security protocol (often referred to as WPA) isA WPA2 router may offer both TKIP and AES simultane-flawed. The first flaw came to light in November 2008, theously. Start with AES only and hope for the best. Onlysecond one just recently. But neither flaw is serious.choose this option if you have to in order to support anolder device.The first flaw can be defended against simply by disablingQuality of Service (QoS) in your router. Very few peopleThe AES-CCMP security protocol was a long time coming.make use of QoS.Rather than wait, some hardware manufacturers addedearly versions of the protocol to WPA routers. Since theseThe second flaw was described by security expert Stevewere based on draft, rather than final versions of the pro-Gibson as mostly theoretical. For example, it requires that tocol, they may or may not work with newer hardware andthe victims computer be out of radio reception range fromsoftware.the router. The bad guy has to connect to the router onone side and the victim on the other side. The bad guyStill, if replacing an old WPA router is a big deal, I supposehas to be logically and physically positioned between the its worth a try.victim and the router.Two Other Aspects of SecurityNeither flaw lets the bad guy recover the password, and WPA and WPA2 both come in two flavors, Personal and En-they only support decrypting very small data packets. terprise. In the Personal version there is a single password;None of these small packets will contain any of your data.in the Enterprise version each user of the wireless networkIts not the flaws themselves that make WPA2-AES the best gets his or her own password. The Personal version is alsooption, but the fact that they are cracks in the dam. Who known as Pre-Shared Key, or PSK for short.knows what will turn up next? There are no known flawsin WPA2-AES, which was developed last and built on andTechnically, the best security for consumers and small busi-improved the work in the earlier security protocols.nesses is WPA2-PSK-AES-CCMP. This entire alphabet soupfalls down, however, if you chose a poor password.Problems Getting to WPA2Everyone who can should opt for WPA2-AES, but there Data is still traveling over the air and can be captured andmay be roadblocks.saved by a bad guy who can then try to guess the pass-word offline thousands of guesses a second for days onWPA2-AES requires more computational horsepower thanend.WPA-TKIP. Older routers may not have sufficient horse-power. If your router does not offer WPA2, you can checkPerhaps no one will attack the network you connect to thisfor a firmware update, but most likely youll have to buy way, but if they do, the only defense is a long, reasonablya new router to get the best security. Then too, since it israndom password. WPA and WPA2 support passwords upthe latest and greatest, WPA2-AES may not be supportedto 63 characters long. Better yet, think pass sentenceon the computer, smartphone, gaming machine, Internet rather than password. 8 Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 10. Deploying and Securing a Wireless LAN Twelve Key Wireless Network Security Policies By Jim Geier WUtilize IPSec-Based Virtual Privateith a wireless network, you must consider se-curity policies that will protect resources fromNetwork (VPN) Technology forunauthorized people. Lets take a look at whatyou should include in a wireless network secu-End-to-End SecurityIf users need access to sensitive applications from Wi-Firity policy for an enterprise.hotspots, you should definitely utilize a VPN system to pro-vide sufficient end-to-end encryption and access control.Consider the following recommendations:Some companies require VPNs for all wireless client devic-es, even when theyre connecting from inside the securedActivate 802.11 Encryption to Make Data walls of the enterprise. A full-throttle VPN solution suchUnintelligible to Unauthorized Usersas this offers good security, but it becomes costly and dif-As mention earlier, WEP has weaknesses that make it in- ficult to manage when there are hundreds of wireless usersadequate for protecting networks(mainly due to the need for VPNcontaining information extremelyservers). As a result, considervaluable to others. There are someimplementing 802.11 encryp-good hackers out there who cantion when users are operatingcrack into a WEP-protected networkinside the enterprise and VPNsusing freely-available tools. The for the likely fewer users whoproblem is that 802.11 doesnt sup- need access from hotspots.port the dynamic exchange of WEPkeys, leaving the same key in use forweeks, months, and years.For encryption on enterprise net- Utilize 802.1X-Basedworks, aim higher and choose WPA,Authenticationwhich is now part of the 802.11i to Control Accessstandard. Just keep in mind that to Your NetworkWPA (and WEP) only encrypts data There are several flavors oftraversing the wireless link between 802.1x port-based authentica-the client device and the access tion systems. Choose one thatpoint. That may be good enough if your wired network is meets the security requirements for your company. For ex-physically secured from hackers. If not, such as when users ample, EAP-TLS may be a wise choice if you have Micro-are accessing important information from Wi-Fi hotspots,soft servers. continuedyoull need more protection. 9 Back to Contents Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 11. Deploying and Securing a Wireless LANEstablish the Wirelesshowever, you can also deploy power-over-Ethernet (PoE)equipment that provides this feature in a more practicalNetwork on a Separate VLANmanner via centralized operational support tools.A firewall can then help keep hackers located on the VLANassociated with the wireless network from having easy ac-cess to corporate servers located on different, more se-Assign Strong Passwordscured VLANs (i.e., not accessible from the wireless net-to Access Pointswork). In this manner, the wireless network is similar to a Dont use default passwords for access points becausepublic network, except you can apply encryption and au- they are also well known, making it easy for someone tothentication mechanisms to the wireless users.change configuration parameters on the access point totheir advantage. Be sure to alter these passwords periodi-Ensure Firmware is Up-to-Date cally. Ensure passwords are encrypted before being sentover the network.in Client Cards and Access PointsVendors often implement patches to firmware that fix se-curity issues. On an ongoing basis, make it a habit to checkDont Broadcast SSIDsthat all wireless devices have the most recent firmware re- If this feature is available, you can avoid having user devic-leases. es automatically sniff the SSID in use by the access point.Most current computer operating systems and monitoringtools will automatically sniff the 802.11 beacon frames toEnsure Only Authorized Peopleobtain the SSID.Can Reset the Access PointsSome access points will revert back to factory default set-With SSID broadcasting turned off, the access point willtings (i.e., no security at all) when someone pushes the re-not include the SSID in the beacon frame, making mostset button on the access point. Weve done this when per-SSID sniffing tools useless. This isnt a foolproof methodforming penetration testing during security assessmentsof hiding the SSID, however, because someone can stillto prove that this makes the access point a fragile entrymonitor 802.11 association frames (which always carry thepoint for a hacker to extend their reach into the network.SSID, even if SSID broadcasting is turned off) with a packetAs a result, provide adequate physical security for the ac-tracer. At least shutting off the broadcast mechanism willcess point hardware. For example, dont place an accesslimit access.point within easy reach. Instead, mount the access pointsout of view above ceiling tiles. Some access points donthave reset buttons and allow you to reset the access pointReduce Propagation ofvia an RS-232 cable through a console connection. To min- Radio Waves Outside the Facilityimize risks of someone resetting the access point in this Through the use of directional antennas, you can direct themanner, be sure to disable the console port when initiallypropagation of radio waves inside the facility and reduceconfiguring the access point. the spillage outside the perimeter. This not only opti-mizes coverage, it also minimizes the ability for a hackerlocated outside the controlled portion of the companyDisable Access Points Duringto eavesdrop on user signal transmissions and interfaceNon-Usage Periods with the corporate network through an access point. ThisIf possible, shut down the access points when users dontalso reduces the ability for someone to jam the wirelessneed them. This limits the window of opportunity for aLAN a form of denial-of-service attack from outsidehacker to use an access point to their advantage as a weakthe perimeter of the facility. In addition, consider settinginterface to the rest of the network. To accomplish this,access points near the edge of the building to lower trans-you can simply pull the power plug on each access point;mit power to reduce range outside the facility. This testingshould be part of the wireless site survey.10 Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 12. Deploying and Securing a Wireless LANImplement Personal FirewallsControl the DeploymentIf a hacker is able to associate with an access point, whichof Wireless LANsis extremely probable if there is no encryption or authen-Ensure that all employees and organizations within thetication configured, the hacker can easily access (via thecompany coordinate the installation of wireless LANs withWindows operating system) files on other users devices the appropriate information systems group. Forbid thethat are associated with an access point on the same wire-use of unauthorized access points. Mandate the use of ap-less network. As a result, its crucial that all users disableproved vendor products that youve had a chance to verifyfile sharing for all folders and utilize personal firewalls.appropriate security safeguards. Maintain a list of autho-These firewalls are part of various operating systems, such rized radio NIC and access point MAC addresses that youas Windows XP and Vista, and third-par ty applica-can use as the basis for identifying rogue access points.tions as well.With these recommendations in mind, you have a basis forforming a solid security policy. When deciding on whichtechniques to implement, however, be sure to consider ac-tual security needs. 11Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 13. Deploying and Securing a Wireless LAN Troubleshooting Poor WLAN PerformanceBy Jim GeierA fter installing a wireless LAN, you might find that it doesnt support applications as well as you expected. Users may complain of erratic connections and slow performance, whichhampers the use and benefits of applications. When thishappens, youll need to do some troubleshooting. Start byfinding the root cause of the problems.The table below gives you some pointers on what to lookfor, specifically the characteristics of signal level, noiselevel, and retry rate that relate to the root causes of poorwireless LAN performance. Signal LevelNoise Level Retry RateRF Interferencen/a HighHighHigh Utilization n/a n/a HighCoverage HoleLow n/a HighOnce you diagnose the problem as being RF interference,Bad Access Point Nonen/a Not Connected then figure out where its coming from and eliminate the cause. If the symptoms only occur when the microwave oven or cordless phone is operating, then try setting theRF Interferenceaccess point to a different channel. That sometimes elimi-RF interference occupies the air medium, which delays us-nates the interference.ers from sending/receiving data and causes collisions andresulting retransmissions. The combination of high noise Take a quick scan of other wireless LANs operating in yourlevels and high retry rates generally indicates that RF inter- area. If you see that others are set to the same channel asference is impacting your wireless LAN. You can use toolsyours, then change your network to non-conflicting chan-such as AirMagnet Analyzer or NetStumbler to measure nels. Keep in mind that there are only three channels (1, 6,noise. AirMagnet also has tools for testing retry rates, and and 11) in the 2.4GHz band that dont conflict with eachmost access points store retry statistics that you can viewother. Most homes and small offices will have their accessthrough the admin console. point set to channel 6 because thats the most common factory default channel. For this reason you may need toIf the noise level is above -85dBm in the band where users avoid using channel 6 with the access points near the pe-are operating, then RF interference has the potential to rimeter of your enterprise.hurt performance. In this case, the retry rates of users willbe above 10 percent, which is when users start feeling the If you cant seem to reduce RF interference to acceptableeffects. This can occur, for example, when wireless userslevels, then try increasing RF signal strength in the affect-are in the same room as an operating microwave oven. ed areas. You can do this by increasing transmit power, 12Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc. 14. Deploying and Securing a Wireless LANreplacing default antennas with units that have a higherIndications of a coverage hole include low signal level (lessgain, or placing the access points closer to each other. This than -75dBm) and high retry rates (greater than 10 per-increases the signal-to-noise ratio (SNR), which improves cent), regardless of noise levels. The signal in this situationperformance.is so low that the receiver in the radio card has difficul-ties recovering the data, which triggers retransmissions,High Utilizationexcessive overhead, and low throughput. For instance, aWhen there are large numbers of active wireless users, or user will likely experience a 75 percent drop in throughputthe users are operating high-end applications such as Wi- when operating from an area having low signal levels.Fi phones or downloading large files, the utilization of thenetwork may be reaching the maximum capacity of the To counter coverage holes, you need to improve the signalaccess point. With this condition, the retry rates will bestrength in the affected areas. Try increasing transmit pow-relatively high (greater than 10 percent), even if signal lev-er, replacing the antennas with ones having higher gain,els are high and noise levels are low (i.e., high SNR). The or moving access points around to better cover the area.result is lower throughput per user due to the additional Keep coverage holes from popping up unexpectedly inoverhead necessary to retransmit data frames. the future by performing a periodic RF site survey, possiblyevery few months.You can increase the capacity and resolve this problemby placing access points closer together with lower trans-Bad Access Pointmit power to create smaller radio cells. This micro-cellIn some cases, the root cause of poor performance mayapproach reduces the number of users per access point,be an access point that has failed. Check applicable accesswhich enables more capacity per user. points for broken antennas, status lights indicating faultconditions, and insufficient electrical power. Try rebootingAnother method for handling high utilization is to move the access points, which often resolves firmware lockups.some of the applications to a different frequency band. Make sure that the firmware is up to date, however, to mini-For example, you might consider having Wi-Fi phones in- mize lockups in the future.terfacing with a 5GHz 802.11a network and data applica-tions running over 2.4GHz 802.11b/g.Coverage HolesAfter installing a wireless LAN, changes may take placeinside the facility that alter RF signal propagation. Forexample, a company may construct a wall, which offerssignificant attenuation that wasnt there before. Worse,perhaps an RF site survey was not done prior to install-ing the network. These situations often result in areas ofthe facility having limited or no RF signal coverage, whichdecreases the performance and disrupts the operation ofwireless applications. 13Back to ContentsDeploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, Inc.