I.com Deploying and Securing a Wireless LAN

8/2/2019 I.com Deploying and Securing a Wireless LAN

1/14an Networking eBook

Deploying

and Securinga Wireless LAN


2/14

Deploying and Securing a Wireless LAN

2 Dene Your Wireless LAN Deployment Risks

4 Minimize WLAN Intererence

7 How to Secure Your WLAN

9 Twelve Key Wireless Network Security Policies

12 Troubleshooting Poor WLAN Perormance

4

2

7

9

12

12

Contents

This content was adapted from Internet.coms Wi-Fi Planet, eSecurity Planet, Enterprise Net-working Planet, and Practically Networked Web sites. Contributors: Jim Geier and Michael

Horowitz.


3/14

2 Deploying and Securing a Wireless LAN, an Internet.com Networking eBook. 2009, Internet.com, a division of QuinStreet, IncBack to Contents


hen planning a wireless network installa-

tion, be sure to careully assess and resolve

risks. Otherwise unoreseen implications,

such as RF intererence, poor perormance,

and security holes will wreak havoc. By handling risks dur-

ing the early phases o the deployment, youll signicantly

increase the success o a wirelessnetwork.

The ollowing are common risks to

consider:

Unclear RequirementsI you deploy a wireless network

without rst clariying requirements,

then the wireless network may not

satisy the needs o the users. In

act, poor requirements are otenthe reason why inormation system

projects are unsuccessul. As a re-

sult, always dene clear require-

ments beore getting too ar with

the deployment.

For example, you may install 802.11g today to support

needs or a moderate number o users accessing e-mail

and browsing the Web. Ten months rom now, your orga-

nization may increase the density o users or need to utilize

multimedia applications demanding a higher-perormingsolution. The organization would then be acing a decision

to migrate to 802.11n. Start o right ater careully consid-

ering requirements so that you choose the right technolo-

gies rom the beginning.

RF InterferenceDevices such as 2.4 GHz and 5 GHz cordless phones, mi-

crowave ovens, and neighboring wireless networks, can

cause damaging RF intererence that impedes the peror

mance o a wireless network. To minimize the risk o RF

intererence, perorm a wireless site survey to detect the

presence o intererence, and dene countermeasures be

ore installing the access points.

The problem with RF inter-erence is that its not always

controllable. For example, you

may deploy a 2.4 GHz 802.11n

wireless network in an oce

complex, then three months

later the company next doo

installs a wireless network set

to the same channels. This re-

sults in both wireless networks

interering with each other. A

possible solution to minimizethis risk is to utilize directive an-

tennas that ensure transmit and

receive power o your wireless

network alls only within you

acility. This would limit the im-

pact o the interering wireless

network. You could also speciy the use o 5 GHz 802.11n

which oers more fexibility in choosing channels that don

confict with others.

Security WeaknessesThe potential or an unauthorized person accessing cor-

porate inormation is a signicant threat or wireless net-

works. An eavesdropper can use a reely-available wireless

network analyzer, such as WireShark, to passively receive

and view contents o 802.11 data rames. This could dis-

close credit card numbers, passwords, and other sensitive

inormation.

Dene Your Wireless LAN Deployment RisksBy Jim Geier

W


4/14



Avoid security risks by careully assessing the vulnerabil-

ities o a wireless network, and dene eective security

policies based on the value o inormation you need to

protect. In some cases, you may simply need rewall pro-

tection. Other applications may require eective orms o

encryption. 802.1x port-based authentication will also pro-

vide added security.

Well discuss security more in depth later in this eBook.

Applications InterfacesIn some cases, interaces with applications located on vari-

ous hosts and servers can bring about major problems

when using a wireless network. A relatively short loss oconnectivity due to RF intererence or poor coverage area

causes some applications to produce errors. This occurs

mostly with legacy applications lacking error recovery

mechanisms or wireless systems.

For example, a user may be using an inventory application

by scanning items and entering total counts via a keypad

on the scanner. I loss o connectivity occurs ater scan-

ning the bar code and beore entering the count, the host

based application could log the use out without complet

ing the inventory transaction. As a result, the application

on the host may record an incorrect or invalid value or the

inventory item.

To avoid these types o risks, careully dene the types o

applications the wireless user devices will interace with. I

needed, incorporate solutions such as wireless middleware

(such as NetMotion) to provide adequate handle recovery

mechanisms related to wireless networks.

By identiying and solving these potential risks, youll have

a much more successul wireless network deployment.


5/14



adio requency (RF) intererence can lead to

disastrous problems on wireless LAN deploy-

ments. Many companies have gotten by with-

out any troubles, but some have installations

that dont operate nearly as well as planned. The perils o

interering signals rom external RF sources are oten the

culprit. As a result, its important that youre ully aware oRF intererence impacts and avoidance techniques.

Impacts of RF interferenceAs a basis or understanding the

problems associated with RF in-

tererence in wireless LANs, lets

quickly review how 802.11 stations

(client radios and access points)

access the wireless (air) medium.

Each 802.11 station only transmits

packets when there is no otherstation transmitting. I another

station happens to be sending a

packet, the other stations will wait

until the medium is ree. The actu-

al 802.11 medium access protocol

is somewhat more complex, but

this gives you enough o a start-

ing basis.

RF intererence involves the pres-

ence o unwanted, interering RF signals that disrupt normal

wireless operations. Because o the 802.11 medium access

protocol, an interering RF signal o sucient amplitude

and requency can appear as a bogus 802.11 station trans-

mitting a packet. This causes legitimate 802.11 stations to

wait or indenite periods o time beore attempting to ac-

cess the medium until the interering signal goes away.

To make matters worse, RF intererence doesnt abide by

the 802.11 protocols, so the interering signal may start

abruptly while a legitimate 802.11 station is in the process

o transmitting a packet. I this occurs, the destination sta-

tion will receive the packet with errors and not reply to the

source station with an acknowledgement. In return, the

source station will attempt retransmitting the packet, add-ing overhead on the network.

All o this leads to network latency and unhappy users. In

some causes, 802.11 protocols

will attempt to continue opera

tion in the presence o RF inter-

erence by automatically switch

ing to a lower data rate, which

also slows the use o wireless ap-

plications. The worst case, which

is airly uncommon, is that the802.11 stations will hold o unti

the interering signal goes com-

pletely away, which could be min-

utes, hours, or days.

Sources ofRF InterferenceWith 2.4 GHz wireless LANs

there are several sources o in-

terering signals, including microwave ovens, cordless phones, Bluetooth-enabled devices

FHSS wireless LANs, and neighboring wireless LANs. The

most damaging o these are 2.4 GHz cordless phones that

people use extensively in homes and businesses. I one o

these phones is in use within the same room as a 2.4GHz

(802.11b or 802.11g) wireless LAN, then expect poor wire-

less LAN perormance when the phones are in operation.

Minimize WLAN InterferenceBy Jim Geier

R


6/14



This clearly shows relatively high-level signals emanat-

ing rom the microwave oven in the upper portion o the

2.4GHz requency band, which indicates that you should

tune any access points near this microwave oven to lowe

channels. To simpliy matters, MetaGeek has an interer-

ence identication guide that you can use with Wi-Spy to

help pinpoint interering sources. The benet o using a

spectrum analyzer in this manner is that you can identiy

the intererence aster and avoid guessing i a particular

device is (or may) cause intererence.

Take Action to Avoid RF InterferenceThe ollowing are tips you should consider or reducing RF

intererence issues:

1. Analyze the potential or RF intererenceDo this beore installing the wireless LAN by perorming

an RF site survey. Also, talk to people within the acility

and learn about other RF devices that might be in use

This arms you with inormation that will help when

deciding what course o action to take in order to reduce

the intererence

2. Prevent the interering sources rom

operating.Once you know the potential sources o RF intererence

you may be able to eliminate them by simply turning

them o. This is the best way to counter RF intererence

however, its not always practical. For example, you

cant usually tell the company in the oce space next to

you to stop using their cordless phones; however, you

might be able to disallow the use o Bluetooth-enabled

devices or microwave ovens where your 802.11 users

reside.

3. Provide adequate wireless LAN coverage.A good practice or reducing impacts o RF intererence

is to ensure the wireless LAN has strong signals

throughout the areas where users will reside. I signals

get to weak, then interering signals will be more

troublesome, similar to when youre talking to someone

and a loud plane fies over your heads. O course this

means doing a thorough RF site survey to determine the

most eective number and placement o access point.

A microwave operating within 10 eet or so o an access

point may also cause 802.11b/g perormance to drop.

The oven must be operating or the intererence to occur,

which may not happen very oten depending on the usage

o the oven. Bluetooth-enabled devices, such as laptops

and PDAs, will cause perormance degradations i operat-

ing in close proximately to 802.11 stations, especially i the

802.11 station is relatively ar (i.e., low signal levels) rom

the station that its communicating with. The presence o

FHSS wireless LANs is rare, but when theyre present, ex-

pect serious intererence to occur. Other wireless LANs,

such as one that your neighbor may be operating, can

cause intererence unless you coordinate the selection o

802.11b/g channels.

Use Tools to See RF InterferenceUnless youre Superman, you cant directly see RF interer-

ence with only your eyes. Sure, you might notice problems

in using the network that coincide with use o a device

that may be causing the intererence, such as turning on

a microwave oven and noticing browsing the Internet slow

dramatically, but having tools to conrm the source o the

RF intererence and possibly investigate potential sources

o RF intererence is crucial. For example, MetaGeeks Wi-

Spy is a relatively inexpensive USB-based Wi-Fi spectrumanalyzer that indicates the amplitude o signals across the

2.4GHz requency band. Figure 1 is a screenshot o the

Wi-Spy display with a microwave oven operating 10 eet

away.

Figure 1


7/14



4. Set conguration parameters properly.I youre deploying 802.11g networks, tune access points

to channels that avoid the requencies o potentialinterering signals. This might not always work, but its

worth a try. For example, as pointed out earlier in this

tutorial, microwave ovens generally oer intererence in

the upper portion o the 2.4GHz band. As a result, you

might be able to avoid microwave oven intererence by

tuning the access points near the microwave oven to

channel 1 or 6 instead o 11.

5. Deploy 5GHz wireless LANs.Most potential or RF intererence today is in the 2.4 GHz

band (i.e., 802.11b/g). I you nd that other intererenceavoidance techniques dont work well enough, then

consider deploying 802.11a or 802.11n networks. In

addition to avoiding RF intererence, youll also receive

much higher throughput.

The problem with RF intererence is that it will likely change

over time. For example, a neighbor may purchase a cord-

less phone and start using it requently, or the use o wire

less LANs in your area may increase. This means that the

resulting impacts o RF intererence may grow over time

or they may come and go. As a result, in addition to sus-

pecting RF intererence as the underlying problem or poo

perormance, investigate the potential or RF intererence

in a proactive manner.

Dont let RF intererence ruin your day. Keep a continua

close watch on the use o wireless devices that might cause

a hit on the perormance o your wireless LAN.


8/14



continued

ecuring a wireless network isnt a hard task.

The cheat sheet is relatively small. However,

the technical press continues to be fooded with

articles and blogs containing technical mistakes.

Take, or example, everyones trusted inormation source,

Consumer Reports magazine. Im a big an o the maga-zine, having subscribed to the hard copy edition or years.

But they seem out o their league when it comes to com-

puters.

On Aug. 6, 2009, a blog posting at

the magazines Web site suggest-

ed using WEP security or wireless

networks. This is very poor advice.

A week ater the posting, an edi-

tor corrected it to say they recom-

mend WPA security. This too, isnot the best option. Even ater

being shamed into a correction,

they still got it wrong.

Let me try to oer up just what

most people (and Consumer Re-

ports) need to know about secur-

ing a wireless network.

Starting at the BeginningTo begin with, there are our types o Wi-Fi networks (a, b,

g, and n). But the security is not tied to any one type.

I you can connect to a wireless network without entering

a password, then there is no security. In this context, the

term security reers to encrypting data as it travels over

the air. The idea being to prevent a bad guy rom captur-

ing all the inormation coming into and out o a victims

computer and, in eect, looking over their shoulder de-

spite being a ew hundred eet away.

Wi-Fi networks oer three security options: WEP, WPA

and WPA2. As a simplistic introduction, think o WEP as

bad, WPA as just ne, and WPA2 as great.

WEP is the oldest security option and it has been shown to

be very weak. It may be better than no security at all, bu

not by much. Dont use it. Other than Consumer Reportsmagazine, the last recommendation to use WEP was is-

sued in 2005.

WPA is technically a certication

not a security standard, but since

it includes only one security pro

tocol, TKIP, they are oten con

used. When people reer to WPA

security, they are really reerring

to the TKIP protocol.

The combination o WPA and TKIP

is not the best, but its reasonably

good. I you have a choice, you

should opt or the best security

(next topic), but i you dont have

a choice (more later) TKIP is rea

sonably strong.

WPA2 is also, technically, a certi

cation rather than a security standard. WPA2 includes two

security standards: TKIP and CCMP. I you are using TKIPit doesnt matter whether the router is WPA or WPA2. TKIP

is TKIP either way.

The best security option is CCMP and its only available in

WPA2. Here again, the security protocol is oten conused

with the certication. When people reer to WPA2 security

they are really reerring to CCMP.

How to Secure Your WLANBy Michael Horowitz

S


9/14



radio, or whatever other device you want to use with your

wireless network.

For example, Windows XP SP2 does not support WPA2

even i it has been kept up to date on patches. A hotx

(KB893357) needs to be installed to add WPA2 support to

Windows XP SP2.

A WPA2 router may oer both TKIP and AES simultane

ously. Start with AES only and hope or the best. Only

choose this option i you have to in order to support an

older device.

The AES-CCMP security protocol was a long time coming

Rather than wait, some hardware manuacturers added

early versions o the protocol to WPA routers. Since these

were based on drat, rather than nal versions o the pro-

tocol, they may or may not work with newer hardware and

sotware.

Still, i replacing an old WPA router is a big deal, I suppose

its worth a try.

Two Other Aspects of Security

WPA and WPA2 both come in two favors, Personal and En-terprise. In the Personal version there is a single password

in the Enterprise version each user o the wireless network

gets his or her own password. The Personal version is also

known as Pre-Shared Key, or PSK or short.

Technically, the best security or consumers and small busi-

nesses is WPA2-PSK-AES-CCMP. This entire alphabet soup

alls down, however, i you chose a poor password.

Data is still traveling over the air and can be captured and

saved by a bad guy who can then try to guess the pass-word ofine thousands o guesses a second or days on

end.

Perhaps no one will attack the network you connect to this

way, but i they do, the only deense is a long, reasonably

random password. WPA and WPA2 support passwords up

to 63 characters long. Better yet, think pass sentence

rather than password.

But no one reers to CCMP (dont ask what it stands or).

For whatever reason, the CCMP security protocol is re-

erred to, incorrectly, as AES. When you are conguring

a router, you need to rst select WPA2, then you need to

select AES (rather than TKIP) to get the best possible se-

curity and encryption.

WPA TKIP FlawsThe TKIP security protocol (oten reerred to as WPA) is

fawed. The rst faw came to light in November 2008, the

second one just recently. But neither faw is serious.

The rst faw can be deended against simply by disabling

Quality o Service (QoS) in your router. Very ew peoplemake use o QoS.

The second faw was described by security expert Steve

Gibson as mostly theoretical. For example, it requires that

the victims computer be out o radio reception range rom

the router. The bad guy has to connect to the router on

one side and the victim on the other side. The bad guy

has to be logically and physically positioned between the

victim and the router.

Neither faw lets the bad guy recover the password, andthey only support decrypting very small data packets.

None o these small packets will contain any o your data.

Its not the faws themselves that make WPA2-AES the best

option, but the act that they are cracks in the dam. Who

knows what will turn up next? There are no known faws

in WPA2-AES, which was developed last and built on and

improved the work in the earlier security protocols.

Problems Getting to WPA2Everyone who can should opt or WPA2-AES, but there

may be roadblocks.

WPA2-AES requires more computational horsepower than

WPA-TKIP. Older routers may not have sucient horse-

power. I your router does not oer WPA2, you can check

or a rmware update, but most likely youll have to buy

a new router to get the best security. Then too, since it is

the latest and greatest, WPA2-AES may not be supported

on the computer, smartphone, gaming machine, Internet


10/14



continued

ith a wireless network, you must consider se-

curity policies that will protect resources rom

unauthorized people. Lets take a look at what

you should include in a wireless network secu-

rity policy or an enterprise.

Consider the ollowing recommendations:

Activate 802.11 Encryption to Make DataUnintelligible to Unauthorized UsersAs mention earlier, WEP has weaknesses that make it in-

adequate or protecting networks

containing inormation extremely

valuable to others. There are some

good hackers out there who can

crack into a WEP-protected network

using reely-available tools. The

problem is that 802.11 doesnt sup-

port the dynamic exchange o WEP

keys, leaving the same key in use or

weeks, months, and years.

For encryption on enterprise net-

works, aim higher and choose WPA,

which is now part o the 802.11i

standard. Just keep in mind that

WPA (and WEP) only encrypts data

traversing the wireless link between

the client device and the access

point. That may be good enough i your wired network is

physically secured rom hackers. I not, such as when users

are accessing important inormation rom Wi-Fi hotspots,

youll need more protection.

Utilize IPSec-Based Virtual PrivateNetwork (VPN) Technology forEnd-to-End SecurityI users need access to sensitive applications rom Wi-F

hotspots, you should denitely utilize a VPN system to pro

vide sucient end-to-end encryption and access controlSome companies require VPNs or all wireless client devic

es, even when theyre connecting rom inside the secured

walls o the enterprise. A ull-throttle VPN solution such

as this oers good security, but it becomes costly and di

cult to manage when there are hundreds o wireless users

(mainly due to the need or VPN

servers). As a result, conside

implementing 802.11 encryp

tion when users are operating

inside the enterprise and VPNs

or the likely ewer users whoneed access rom hotspots.

Utilize 802.1X-BasedAuthenticationto Control Accessto Your NetworkThere are several favors o

802.1x port-based authentication systems. Choose one tha

meets the security requirements or your company. For ex

ample, EAP-TLS may be a wise choice i you have Micro

sot servers.

Twelve Key Wireless Network Security Policies

By Jim Geier

W


11/14



Establish the WirelessNetwork on a Separate VLAN

A rewall can then help keep hackers located on the VLANassociated with the wireless network rom having easy ac-

cess to corporate servers located on dierent, more se-

cured VLANs (i.e., not accessible rom the wireless net-

work). In this manner, the wireless network is similar to a

public network, except you can apply encryption and au-

thentication mechanisms to the wireless users.

Ensure Firmware is Up-to-Datein Client Cards and Access Points

Vendors oten implement patches to rmware that x se-

curity issues. On an ongoing basis, make it a habit to check

that all wireless devices have the most recent rmware re-

leases.

Ensure Only Authorized PeopleCan Reset the Access PointsSome access points will revert back to actory deault set-

tings (i.e., no security at all) when someone pushes the re-

set button on the access point. Weve done this when per-

orming penetration testing during security assessments

to prove that this makes the access point a ragile entrypoint or a hacker to extend their reach into the network.

As a result, provide adequate physical security or the ac-

cess point hardware. For example, dont place an access

point within easy reach. Instead, mount the access points

out o view above ceiling tiles. Some access points dont

have reset buttons and allow you to reset the access point

via an RS-232 cable through a console connection. To min-

imize risks o someone resetting the access point in this

manner, be sure to disable the console port when initially

conguring the access point.

Disable Access Points DuringNon-Usage PeriodsI possible, shut down the access points when users dont

need them. This limits the window o opportunity or a

hacker to use an access point to their advantage as a weak

interace to the rest o the network. To accomplish this,

you can simply pull the power plug on each access point;

however, you can also deploy power-over-Ethernet (PoE

equipment that provides this eature in a more practica

manner via centralized operational support tools.

Assign Strong Passwordsto Access PointsDont use deault passwords or access points because

they are also well known, making it easy or someone to

change conguration parameters on the access point to

their advantage. Be sure to alter these passwords periodi-

cally. Ensure passwords are encrypted beore being sent

over the network.

Dont Broadcast SSIDsI this eature is available, you can avoid having user devic

es automatically sni the SSID in use by the access point.

Most current computer operating systems and monitoring

tools will automatically sni the 802.11 beacon rames to

obtain the SSID.

With SSID broadcasting turned o, the access point wil

not include the SSID in the beacon rame, making most

SSID sning tools useless. This isnt a oolproo method

o hiding the SSID, however, because someone can stil

monitor 802.11 association rames (which always carry theSSID, even i SSID broadcasting is turned o) with a packet

tracer. At least shutting o the broadcast mechanism wil

limit access.

Reduce Propagation ofRadio Waves Outside the FacilityThrough the use o directional antennas, you can direct the

propagation o radio waves inside the acility and reduce

the spillage outside the perimeter. This not only opti-

mizes coverage, it also minimizes the ability or a hackelocated outside the controlled portion o the company

to eavesdrop on user signal transmissions and interace

with the corporate network through an access point. This

also reduces the ability or someone to jam the wireless

LAN a orm o denial-o-service attack rom outside

the perimeter o the acility. In addition, consider setting

access points near the edge o the building to lower trans-

mit power to reduce range outside the acility. This testing

should be part o the wireless site survey.


12/14



Implement Personal FirewallsI a hacker is able to associate with an access point, which

is extremely probable i there is no encryption or authen-tication congured, the hacker can easily access (via the

Windows operating system) les on other users devices

that are associated with an access point on the same wire-

less network. As a result, its crucial that all users disable

le sharing or all olders and utilize personal rewalls.

These rewalls are part o various operating systems, such

as Windows XP and Vista, and third-party applica-

tions as well.

Control the Deploymentof Wireless LANs

Ensure that all employees and organizations within thecompany coordinate the installation o wireless LANs with

the appropriate inormation systems group. Forbid the

use o unauthorized access points. Mandate the use o ap-

proved vendor products that youve had a chance to veriy

appropriate security saeguards. Maintain a list o autho-

rized radio NIC and access point MAC addresses that you

can use as the basis or identiying rogue access points.

With these recommendations in mind, you have a basis o

orming a solid security policy. When deciding on which

techniques to implement, however, be sure to consider ac

tual security needs.


13/14



ter installing a wireless LAN, you might nd

that it doesnt support applications as well as

you expected. Users may complain o erratic

connections and slow perormance, which

hampers the use and benets o applications. When this

happens, youll need to do some troubleshooting. Start by

nding the root cause o the problems.

The table below gives you some pointers on what to look

or, specically the characteristics o signal level, noise

level, and retry rate that relate to the root causes o poor

wireless LAN perormance.

RF InterferenceRF intererence occupies the air medium, which delays us-

ers rom sending/receiving data and causes collisions and

resulting retransmissions. The combination o high noise

levels and high retry rates generally indicates that RF inter-

erence is impacting your wireless LAN. You can use tools

such as AirMagnet Analyzer or NetStumbler to measure

noise. AirMagnet also has tools or testing retry rates, and

most access points store retry statistics that you can viewthrough the admin console.

I the noise level is above -85dBm in the band where users

are operating, then RF intererence has the potential to

hurt perormance. In this case, the retry rates o users will

be above 10 percent, which is when users start eeling the

eects. This can occur, or example, when wireless users

are in the same room as an operating microwave oven.

Once you diagnose the problem as being RF intererence

then gure out where its coming rom and eliminate thecause. I the symptoms only occur when the microwave

oven or cordless phone is operating, then try setting the

access point to a dierent channel. That sometimes elimi

nates the intererence.

Take a quick scan o other wireless LANs operating in you

area. I you see that others are set to the same channel as

yours, then change your network to non-conficting chan

nels. Keep in mind that there are only three channels (1, 6

and 11) in the 2.4GHz band that dont confict with each

other. Most homes and small oces will have their access

point set to channel 6 because thats the most common

actory deault channel. For this reason you may need to

avoid using channel 6 with the access points near the pe-

rimeter o your enterprise.

I you cant seem to reduce RF intererence to acceptable

levels, then try increasing RF signal strength in the aect-

ed areas. You can do this by increasing transmit power

Troubleshooting Poor WLAN PerformanceBy Jim Geier

A

Signal Level Noise Level Retry Rate

RF Intererence n/a High High

High Utilization n/a n/a High

Coverage Hole Low n/a High

Bad Access Point None n/a Not Connected


14/14


replacing deault antennas with units that have a higher

gain, or placing the access points closer to each other. This

increases the signal-to-noise ratio (SNR), which improves

perormance.

High UtilizationWhen there are large numbers o active wireless users, or

the users are operating high-end applications such as Wi-

Fi phones or downloading large les, the utilization o the

network may be reaching the maximum capacity o the

access point. With this condition, the retry rates will be

relatively high (greater than 10 percent), even i signal lev-

els are high and noise levels are low (i.e., high SNR). The

result is lower throughput per user due to the additionaloverhead necessary to retransmit data rames.

You can increase the capacity and resolve this problem

by placing access points closer together with lower trans-

mit power to create smaller radio cells. This micro-cell

approach reduces the number o users per access point,

which enables more capacity per user.

Another method or handling high utilization is to move

some o the applications to a dierent requency band.

For example, you might consider having Wi-Fi phones in-teracing with a 5GHz 802.11a network and data applica-

tions running over 2.4GHz 802.11b/g.

Coverage HolesAter installing a wireless LAN, changes may take place

inside the acility that alter RF signal propagation. For

example, a company may construct a wall, which oers

signicant attenuation that wasnt there beore. Worse,

perhaps an RF site survey was not done prior to install-

ing the network. These situations oten result in areas o

the acility having limited or no RF signal coverage, whichdecreases the perormance and disrupts the operation o

wireless applications.

Indications o a coverage hole include low signal level (less

than -75dBm) and high retry rates (greater than 10 per-

cent), regardless o noise levels. The signal in this situation

is so low that the receiver in the radio card has dicul-

ties recovering the data, which triggers retransmissions

excessive overhead, and low throughput. For instance, a

user will likely experience a 75 percent drop in throughput

when operating rom an area having low signal levels.

To counter coverage holes, you need to improve the signa

strength in the aected areas. Try increasing transmit pow

er, replacing the antennas with ones having higher gain,

or moving access points around to better cover the area

Keep coverage holes rom popping up unexpectedly in

the uture by perorming a periodic RF site survey, possibly

every ew months.

Bad Access PointIn some cases, the root cause o poor perormance may

be an access point that has ailed. Check applicable access

points or broken antennas, status lights indicating ault

conditions, and insucient electrical power. Try rebooting

the access points, which oten resolves rmware lockups

Make sure that the rmware is up to date, however, to mini

mize lockups in the uture.

Documents

I.com Deploying and Securing a Wireless LAN