Wireless LAN Proposal
Limkokwing Executive Leadership College (LELC)

This proposal is a wireless LAN proposal for Limkokwing Executive Leadership College. WLANs are very popular these days, but most WLAN implementations are buggy and insecure. In this proposal we recommend a secure wireless LAN deployment.

BASHIR ABDU MUZAKKARI 108021156


INTRODUCTION

An unsecured wireless network is an open invitation to hackers to walk right into your computer and steal your personal information, upload malware onto your computer, and otherwise terrorize you.

Aside from the threat of unauthorized users accessing your network and eavesdropping on your internal network communications by connecting to your wireless LAN (WLAN), there are a variety of threats posed by an insecure or improperly secured WLAN, such as rogue WLANs, spoofing of internal communications, and information theft.

These threats can be mitigated through:

Changing Administrator Passwords and Usernames

After you've taken your Wi-Fi router out of the box and started the setup process, you will be asked to sign on to a specific Web page and are required to enter information such as your network address and account information. In theory, this Wi-Fi setup page is protected with a login screen (username and password).

The Problem: Though the username and password are intended to allow only you to get access to your Wi-Fi setup and the personal information you have entered, the fact remains that the logins provided are usually the same for everyone with the same model router, and because most people never change them, they remain an easy target for hackers and identity thieves. In fact, there are sites that list the default usernames and passwords for wireless routers, making a hacker's job even easier.

The Solution: Change the username and password for your Wi-Fi setup immediately after the first login. And if you are going to spend the time changing your password, make sure it is difficult to guess. Your name, birth date, anniversary date, child's name, spouse's name, or pet's name are going to be among the hacker's first guesses. And because many hackers use a technique called 'dictionary hacking' (running a program that tries common English words as passwords), you should make sure that your password isn't just a common English word, but rather is a combination of letters and numbers.

Upgrading your Wi-Fi Encryption

If the information sent back and forth over your Wi-Fi network isn't adequately encrypted, a hacker can easily tap into the network and monitor your activity. When you type personal or financial information into a Web site, that hacker can then steal that information and use it to steal your identity.

The old encryption standard, Wired Equivalent Privacy (WEP), can be hacked within 30 seconds, no matter the complexity of the passphrase you use to protect it. Unfortunately, millions of Wi-Fi users are still using WEP encryption technology to encrypt their information, despite the availability of the vastly superior WPA2 encryption standard.

The Problem: Despite the superior encryption protection that WPA2 provides, most Wi-Fi home users have failed to upgrade their protection because they were unaware of the problem, or simply felt overwhelmed by the technical prospects of upgrading. As a result, many continue to use WEP encryption, which is now so simple to hack that it is widely regarded as little better than no encryption at all.

The Solution: The solution, of course, is to upgrade your Wi-Fi encryption to WPA2. But before you can add WPA2 protection, you will have to complete a few steps in order to update your computer. The first step is to download and install Microsoft's WPA2 hotfix for Windows XP. You will also likely need to update your wireless card driver. These updates, if needed, will be listed in Microsoft's Windows Update page under the subheading "Hardware Optional".

Now that your computer and wireless card are up to date, you will need to log into your router's administration page through your web browser (this is the page you signed into in order to set up the Wi-Fi router the first time you opened it up; the specific URL can be found in your router's instruction manual). Once signed in, change the security settings to "WPA2 Personal" and select the algorithm "TKIP+AES". Finally, enter your password into the "Shared Key" field and save your changes.

Changing the Default System ID

When you got your Linksys or D-Link router home from the store and set it up, it came with a default system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). This ID is also commonly referred to as the name of your Wi-Fi setup.

The Problem: Usually, manufacturers assign identical SSIDs to their devices, and 80 percent of Wi-Fi home users leave their system on the default setting. That means that 80 percent of homes have Wi-Fi systems titled "Default" or "LinkSys" or whatever your provider sets as the default name.

The problem with these default settings is that they serve as strong signals to hackers, who have been known to just cruise neighborhoods looking for Wi-Fi networks with default names to hack into. Though knowing the SSID does not allow anyone to break into your network, a default name usually indicates that the person hasn't taken any steps to protect their network, so these networks are the most common targets.

The Solution: Change the default SSID immediately when you configure your LAN. This may not offer any protection as to who gains access to your network, but configuring your SSID to something personal, e.g. "The Smith House Wi-Fi Network", will differentiate you from other unprotected networks and discourage hackers from targeting you. As an added bonus, having a Wi-Fi network with a unique name also means that neither you nor your family will make the mistake of connecting through a neighbor's Wi-Fi network, and thus exposing your computers through their unprotected setup.

MAC Address Filtering

If you've had an unsecured Wi-Fi setup in your home in the past, you can be fairly certain that at least one of your neighbors is mooching off your Wi-Fi to connect to the Internet. While everyone loves a friendly neighbor, providing an easy resource for others to steal Internet access is morally and legally questionable, but even scarier is the harm those moochers can do to your computer.

In order to check who has been using your network, you'll need to check the MAC address. Every Wi-Fi gadget is assigned a unique code that identifies it, called the "physical address" or "MAC address." Your Wi-Fi system automatically records the MAC addresses of all devices that connect to it. But busting your Internet-stealing neighbors isn't all that MAC addresses are good for; they can actually be a great help in securing your WLAN.

The Problem: You are not sure who or what is accessing and endangering your Wi-Fi network, and once you find out that someone or something is mooching off your network, you want to stop them. But how?

The Solution: Checking the MAC address log for your Wi-Fi network will give you a quick view of all the devices accessing your network. Anything that isn't yours, you will want to keep out. To do this, you will need to manually key in the MAC addresses of your home equipment. This way, the network will allow connections only from these devices, so your mooching neighbors will be out of luck. Caution: This feature is not as powerful as it may seem. While it will stop your average neighborhood moocher or amateur hacker, professional hackers use advanced software programs to fake MAC addresses.

Stop Publicly Broadcasting your Network

By now you've renamed your Wi-Fi so that hackers won't see the default name as they sweep for unprotected Wi-Fi setups. But wouldn't it be even better if hackers and curious neighbors didn't know you had a Wi-Fi setup at all? Usually, your access point or router is programmed to broadcast the network name (SSID) over the air at regular intervals. While broadcasting is essential for businesses and mobile hotspots to let people find the network, it isn't needed at home, so eliminate it.

The Problem: Why broadcast to the world that you have a wireless connection? You already know it; why do strangers need to know? For most personal uses, you are better off without this feature, because it increases the likelihood of an unwelcome neighbor or hacker trying to log in to your home network. The broadcast works like an invitation to the hackers who are searching for just that opportunity.

The Solution: Most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator. If you are using a Linksys router, instructions to disable your SSID broadcast are here, and for those of you using D-Link, your instructions are here (See Figure 1.6 on page 4). Otherwise, you will need to check the manual for your hardware for specific instructions on how to disable broadcasting for your router.

Positioning of the Router or Access Point

Wi-Fi signals don't know where your house ends and where your neighbor's begins. This Wi-Fi signal leakage gives hackers and neighbors the opportunity to find your wireless network and attempt to access it.

The Problem: While a small amount of overflow outdoors is not a problem, it is important to keep this leakage to a minimum, because the further your signal reaches into the neighborhood, the easier it is for others to detect and exploit.

The Solution: If you haven't yet installed your wireless home network, make sure to position the router or access point in the center of the home rather than near windows or doors. If you live in an apartment, consider that a Wi-Fi signal is limited in part by the materials that it must pass through: the more walls, doors, and metal the signal passes through, the weaker it is. So if your goal is to reduce leakage, you might consider mounting your Wi-Fi in a closet in order to reduce signal strength.

When to Turn Off the Network

Most of us know that it is impractical to constantly turn devices on and off. A Wi-Fi connection is in large part a matter of convenience, and having to turn it off every time you aren't using it eliminates much of that convenience. Unfortunately, a Wi-Fi connection is vulnerable when it is on; therefore shutting off your wireless signal when not in use would be a huge boon to its security.

The Problem: There is an inherent tension between convenience and security in deciding whether to turn off a wireless access point between connections.

The Solution: Just as you take extra home security measures when taking a vacation, like asking your neighbors to pick up the mail and leaving a light on, so also should you take extra Wi-Fi security measures when your network will not be in use for extended periods of time. Shutting down the network is a basic but effective security measure that can protect your network when you are not around to protect it and hackers may take the opportunity to mount their attack.

Putting your Improvements to the Test

Now that you've made all these changes to your Wi-Fi setup, it would be nice to know that you are secure. Unfortunately, the only surefire test for how secure you are is to wait to see if you get hacked. Trial by fire is no way to test your security, however, so thankfully there is a program to help audit your Wi-Fi security.

The Problem: There is no way for the average home Wi-Fi user to know if the changes they made to upgrade their wireless security will really prove successful in keeping them safe.

The Solution: The Netstumbler utility, by Marius Milner, will identify both your network's vulnerabilities and unauthorized access points. In addition to these security concerns, the downloadable program will also reveal the sources of network interference and weak signal strength, so that you can improve the strength of your Wi-Fi signal. Netstumbler is free for download, although the author asks that those who find the tool helpful make a donation to support the creation of future utilities.
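The checklist from the sections above (administrator login, encryption, SSID, broadcast, MAC filtering), written as an added example that is not part of the original proposal: a small Python audit of settings copied by hand from a router's administration page. The WlanConfig fields, the finding codes, the default-value lists and the sample data are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lists (assumptions): replace with your vendor's documented
# defaults and a real word list.
DEFAULT_SSIDS = {"default", "linksys", "dlink"}
DEFAULT_ADMIN_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
COMMON_WORDS = {"password", "welcome", "sunshine", "football", "monkey"}


@dataclass
class WlanConfig:
    ssid: str
    encryption: str              # "none", "WEP", "WPA" or "WPA2"
    broadcast_ssid: bool
    admin_user: str
    admin_password: str
    mac_filter_enabled: bool
    allowed_macs: set = field(default_factory=set)


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex so all notations compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def password_findings(password, personal_terms=()):
    """Check the password advice above: no personal data, no plain dictionary
    word, and a combination of letters and numbers."""
    findings = []
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        findings.append("PASSWORD_DICTIONARY_WORD")
    if any(term.lower() in lowered for term in personal_terms if term):
        findings.append("PASSWORD_PERSONAL_INFO")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("PASSWORD_NOT_LETTERS_AND_NUMBERS")
    return findings


def audit(config, personal_terms=(), seen_macs=()):
    """Return finding codes for one access point, in checklist order."""
    findings = []
    if (config.admin_user.lower(), config.admin_password.lower()) in DEFAULT_ADMIN_LOGINS:
        findings.append("DEFAULT_ADMIN_LOGIN")
    findings += password_findings(config.admin_password, personal_terms)
    if config.encryption.upper() != "WPA2":
        findings.append("ENCRYPTION_NOT_WPA2")
    if config.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append("DEFAULT_SSID")
    if config.broadcast_ssid:
        findings.append("SSID_BROADCAST_ON")
    if not config.mac_filter_enabled:
        findings.append("MAC_FILTER_OFF")
    # Compare the router's log of connected devices with the devices you own.
    # An unknown address is a lead to investigate; a match proves little,
    # because MAC addresses can be faked.
    allowed = {normalize_mac(m) for m in config.allowed_macs}
    for mac in seen_macs:
        if normalize_mac(mac) not in allowed:
            findings.append("UNKNOWN_DEVICE " + normalize_mac(mac))
    return findings


# Constructed sample data: one router as shipped, the same router after
# hardening, and a constructed MAC log.
OUT_OF_BOX = WlanConfig("linksys", "WEP", True, "admin", "admin", False)
HARDENED = WlanConfig("The Smith House Wi-Fi Network", "WPA2", False,
                      "smithadmin", "t4k9vq72mxw", True,
                      {"00-11-22-33-44-55", "66:77:88:99:AA:BB"})
SEEN_MACS = ["00:11:22:33:44:55", "DE:AD:BE:EF:00:01"]

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, audit(cfg, personal_terms=("smith",), seen_macs=SEEN_MACS))
```

An empty result means only that the listed settings match the checklist; it says nothing about the router's firmware or about devices that copy an allowed MAC address.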

SITE SURVEY

One of the single most important steps in implementing a wireless network is performing a site survey. The findings from the site survey could mean the success or failure of the wireless LAN implementation. The key factor in this site survey is to make sure all the class rooms and staff rooms are within proper wireless range. In our site survey we mainly emphasized the following topics:

Facility Diagram

A current floor plan was sketched and approximate measurements were taken. Below is the site diagram. According to the floor plan, class room 12 and class room 7 are the largest, and the two rooms are next to one another, partitioned by a brick wall.

Figure 1: Site Measurements (approx.) [floor plan; dimension labels: 42m, 14m, 36m, 14m, 12m]

We also noticed that most of the walls are constructed with standard brick, and some of the walls have glass windows. Some windows cover half the wall, while other windows are set at the top of the walls near the ceilings. The bigger windows are tinted so as to block the view into the class room. We have taken some pictures of the site for visual inspection. Some of the class rooms are partitioned with plywood, for example class rooms 1 and 2.

Figure 2: Class room with tinted window
Figure 1: Hall way of c4, c12 and c7
Figure 5: c1 and c2, with small windows at the top
Figure 4: Hall way to main staff room and c12

The inside of the class rooms and hall ways doesn't have many RF barriers other than the walls separating them. We did not have a chance to check the staff rooms and management rooms as they are out of bounds to students. There might be devices there that cause RF interference, such as cordless phones or other microwave devices.

Main User Areas

We have identified the user areas, the areas where usage is most likely to be heavy, and the areas where the largest number of users will be using the wireless network. Below is a diagram marking these areas. The dimmer the color, the lower the usage or the number of users.

Figure 6: User area chart (legend: high usage, with relatively high number of users; relatively low usage; low number of users, with low usage)

According to our prediction, the largest number of users using the wireless network simultaneously will be in the area marked in red. Class room 12 and class room 7 are relatively larger than the rest of the class rooms in the facility. Each of these classes can accommodate 100 students.

The student lounge is also a hot area, where students tend to do their research when they don't have a class. It is also one of the areas where demand might go high in certain periods.

Figure 8: Student lounge

Access Point Locations and Coverage

Based on our findings we have plotted the access point locations on the floor plan below.

[Floor plan with access point locations. AP1: Inside C-12 on wall separating C-7; AP2: Inside C-1 near staff room; AP3: Outside staff room]

Table 1: Access Point Locations

Access Point | Location | Description
AP1 | Inside C-12 on wall separating C-7 | This access point will cover the largest two class rooms in the facility. Even though the class rooms are separated by a brick wall, both have big class room windows through which signals can travel easily.
AP2 | Inside C-1 near staff room | This access point will cover c-1, c2, c3, c4, the main staff room and the walk way in front of the class rooms.
AP3 | Outside staff room | This AP will cover the rest of the facility. The purpose of this AP is to provide greater coverage to the student lounge while still covering the lower-usage areas like class 9, 10 and 11.

Obstacles to signal strength

Walls: Most of the walls are constructed with brick. In some class rooms, one room is separated from the other by merely plywood partitions. Most walls have windows in them, so there might not be much impact on the signal strength due to the walls.

Furniture: All the class rooms are equipped with plastic chairs with minimal steel, white boards, and projectors and speakers for multimedia. There is nothing much that could affect the signal strength in an adverse manner. Since we did not have a chance to check the staff rooms, we will consider those places out of scope for signal strength and obstacles.

Coated Glass: The larger windows in some class room walls are tinted, but the glass does not have any wire mesh embedded in it. Therefore this glass should generally not be much of an obstacle to the signal strength.

IEEE 802.11 STANDARDS

Home and business networkers looking to buy wireless local area network (WLAN) gear face an array of choices. Many products conform to the 802.11a, 802.11b, 802.11g, or 802.11n wireless standards, collectively known as Wi-Fi technologies. Additionally, Bluetooth and various other non-Wi-Fi technologies also exist, each designed for specific networking applications.

The standards 802.11a, 802.11b, 802.11g, and 802.11n are the ones most wireless products conform to; a comparison between them will show which is the most beneficial to have.

The original 802.11 was the first standard; it supported a maximum bandwidth of 2 Mbps and is therefore now obsolete. 802.11b supports a bandwidth of 11 Mbps and uses the unregulated radio signaling frequency of 2.4 GHz. It is a good bet as it is cheap and has good signal strength; however, it is slow and prone to interference from other appliances.

In contrast, 802.11a has a speed of 54 Mbps, but it is expensive and is therefore more popular for business networks. It uses a frequency of 5 GHz. Some vendors offer hybrids but these are mutually dependent on the other working properly. The speed is much better and interference is lessened, but it is more expensive and the range of the signal is shorter.

802.11g has a bandwidth of 54 Mbps; it utilizes the 2.4 GHz frequency and hence has a greater range. It is backwards compatible with 802.11b, so their respective access points and adapters can work with each other. It is faster and has a better signal but is very costly and is prone to interference from appliances on similar frequencies.

802.11n supports data rates of over 100 Mbps. It has a better range than earlier Wi-Fi standards because of improved signal strength, and in addition is compatible with 802.11g equipment. It has the best speed and signal and is resistant to interference. However, it happens to be the most costly and has interference problems with 802.11b and g networks.

STANDALONE & CENTRAL WLANS

Standalone Wireless Network

A standalone access point wireless network depends on the integrated functionality of each access point to enable wireless services, authentication and security. A standalone network is characterized by:

i. Access points in the network are independent of each other in terms of operations.
ii. Encryption and decryption are done at the access point.
iii. Each access point has its own configuration file.
iv. Larger networks normally rely on different management.
v. The network configuration is static and does not respond to changing network conditions such as interfering rogue access points or failures of neighboring APs.

Figure: Wireless Network with Standalone Access Points (ProCurve Networking by HP)

Centrally Coordinated Wireless Network

In a centrally coordinated wireless network, the access points, often called thin access points or radio ports, have much simpler responsibilities; most of the heavy lifting is performed by a centralized controller, which handles functions such as roaming, authentication, encryption/decryption, load balancing, RF monitoring, performance monitoring and location services. Because configuration is done once, at the controller, adding additional radios to cover new office areas is as simple as plugging them in. As shown in Figure 3, this kind of network can be characterized as follows:

i. Access point activity is coordinated by a centralized wireless controller. Encryption/decryption and authentication are performed at the controller, instead of at the individual access points.
ii. To maintain the health of the network, the controller can reconfigure access point parameters as needed, providing a self-healing WLAN.
iii. The wireless LAN controller performs tasks such as configuration control, fault tolerance and network expansion.
iv. Redundancy can be provided through redundant controllers in separate locations that can assume control in the event of a switch or controller failure.

Figure: Wireless Network with Coordinated Access Points (ProCurve Networking by HP)

IMPLEMENTATION CONSIDERATIONS

Which type of Wireless Network: Centrally Coordinated or Standalone AP?

Both the standalone and centrally coordinated architectures have advantages and disadvantages, depending on the age of the wired infrastructure, deployment area, building architecture, and types of applications that you want to support. Regardless of which approach you choose, it is essential that your architecture provide you with a way to manage your network efficiently and effectively.

Standalone Access Point WLAN

A standalone access point WLAN is particularly well suited to environments where:

i. There is a smaller isolated wireless coverage area that requires only one or a few access points.
ii. There is a need for wireless bridging from a main site building to a branch office or to a remote portable or temporary building such as a portable classroom.

However, the operational overhead to manage and maintain a wireless LAN increases with the size of the wireless LAN deployment.

Centrally Coordinated Access Point WLAN

A centrally coordinated WLAN is well suited to deployments where:

i. There are one or more large wireless coverage areas that require multiple radio ports, possibly accompanied by several smaller isolated coverage areas.
ii. RF network self-healing is required.
iii. A redundant stateful-failover solution is required.

In conclusion, a centrally coordinated network offers many benefits, including:

i. Lower operational costs. Centralized management facilitates ease of deployment and ongoing management.
ii. Greater availability. In this architecture, it's easier to respond in real time to changes in the network performance and spikes in user demand.
iii. Better return on investment. Fast client roaming and enhancements in Quality of Service enable traffic-sensitive applications such as voice over wireless LAN.

Coordinated AP deployments are most appropriate in larger organizations with a wireless overlay throughout the facility, campus-wide. This kind of deployment allows a facility to address operational concerns, simplify network management, and assure availability and resiliency.

Dual-band radios and dual radio access

802.11a/b/g dual-band access points with two radios can simultaneously support both the 2.4 GHz (802.11b/g) and 5 GHz (802.11a) RF bands. They offer backward compatibility (to preserve existing investments) along with a larger number of channels and consequently increased throughput. A wireless station with a dual-band radio typically looks first for an 802.11a access point. If it cannot find one, it then scans for an 802.11g access point, and ultimately for an 802.11b one.

Figure: 802.11a and 802.11g dual radio support (ProCurve Networking by HP)

Dual-band access points are well suited to a wide range of network topologies. In addition to the benefits of increased bandwidth, it is fairly common to find deployments that use dual-band access points to segregate data types onto the different RF bands. The access point's 802.11a radio can service wireless traffic from data clients (such as notebooks), while the 802.11b/g radio supports time-sensitive voice traffic from VoWLAN handsets, thus reducing data and voice traffic contention by creating two separate RF networks.

REFERENCES

Brian P. Crow, I. W. (1997, 09). IEEE 802.11 Wireless Local Area Networks. IEEE Communications Magazine.

Business WLAN. (n.d.). Retrieved 06 April, 2011, from http://www.dlink.com/products/category.asp?cid=1&sec=2

Color Laser Printers. (n.d.). Retrieved 06 April, 2011, from http://h10010.www1.hp.com/wwpc/us/en/sm/WF02a/18972-18972-3328060.html

Geier, J. (2002, 04 18). Defining WLAN Requirements: In Depth. Retrieved 06 01, 2008, from http://www.wi-fiplanet.com/tutorials/article.php/1011991

Geier, J. (2002, May 22). WLAN Deployment Risks. Retrieved 05 29, 2008, from http://www.wi-fiplanet.com/tutorials/article.php/1142791

Hewlett-Packard Development Company. (2003). Wireless LANs: Planning the Site Assessment. Retrieved 06 April, 2011, from http://www.hp.com/rnd/pdf_html/wirelessLANsite_assessment.htm

HP. (2003). Planning a Wireless Network. Hewlett-Packard Development Company.

HP ProLiant ML Servers. (n.d.). Retrieved 06 April, 2011, from http://h10010.www1.hp.com/wwpc/pscmisc/vac/us/en/sm/proliant/proliant-ml.html

IEEE Computer Society. (2007). Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. LAN/MAN Standards Committee.

McGraw-Hill. (1995). The McGraw-Hill Internetworking Handbook.

Tri-Mode Dualband 802.11a/b/g (2.4/5GHz) Wireless 108Mbps1 Access Point with PoE. (n.d.). Retrieved 06 03, 2008, from http://www.dlink.com/products/?sec=2&pid=356

Wi-Fi. What is it? (n.d.). Retrieved 06 April, 2011, from http://www.wilcorpinc.com/Wi-Fi_history.htm

ProCurve Networking by HP: Planning a Wireless Network. Retrieved 06 April, 2011, from www.accountingweb-cgi.com/.../hp_planning_wireless_network.pdf