Technical paper | Wireless local area networks (WLAN)

Wireless Local Area Networks (WLAN)

Contents

Introduction .......... 2
What is a WLAN? .......... 2
How does a WLAN work? .......... 2
What are the advantages and disadvantages of a WLAN? .......... 3
Where are WLANs being used? .......... 4
Becta specifications for WLANs .......... 5
What are the standards relating to Wireless LANs? .......... 5
    Current standards .......... 5
        IEEE 802.11b .......... 5
        Wi-Fi Alliance (WFA) .......... 6
        IEEE 802.11g .......... 6
        IEEE 802.11a .......... 7
        IEEE 802.11h .......... 7
        IEEE 802.11e .......... 7
        Channels and roaming .......... 8
Which standard to choose .......... 8
    Becta specifications .......... 9
    Standards Plus and pre-standard equipment .......... 10
Security standards .......... 10
    WPA (Wi-Fi Protected Access) .......... 10
    WPA2/802.11i .......... 11
    Becta specifications for WLAN security .......... 12
Other standards .......... 12
    802.11n .......... 12
    802.11r .......... 12
    802.11s .......... 13
    802.16/WiMAX .......... 13
Wireless Personal Area Networks (WPANs) .......... 13
    Bluetooth .......... 13
    Ultra-Wideband .......... 14
    ZigBee/802.15.4 .......... 14
Implementing a WLAN .......... 15
    Planning .......... 15
    Site survey .......... 15
    Positioning APs .......... 15
    Power over Ethernet (PoE) .......... 15
Network Management .......... 16
WLAN Issues .......... 16
    Security .......... 16
    Performance .......... 18
    Prices .......... 18
    Safety issues .......... 19
Other sources of information .......... 19

© Becta 2006 Updated March 2006 page 1 of 19

Introduction

Wireless Local Area Networks (WLANs) have moved quickly to the mainstream and are now found in many educational institutions, homes, businesses and public areas. Organisations and consumers have been keen to take advantage of the flexibility adding wireless networks can offer. A recent report from In-Stat predicts that the wireless market will grow from 140 million wireless chipsets a year in 2005 to 430 million in 2009 [1]. The emergence of new security standards has also increased confidence in WLANs.
Users are becoming more familiar with the technology and are increasingly expecting wireless access to be available. There is a wide range of products and standards involved in WLAN technology and more continue to emerge. This paper will focus on wireless LANs and the issues surrounding their implementation.

What is a WLAN?

A wireless local area network (WLAN) is two or more computers joined together using radio frequency (RF) transmissions. This differs from a wired LAN, which uses cabling to link together computers in a room, building, or site to form a network. Although WLANs can be independent, they are more typically an extension to a conventional wired network. They can allow users to access and share data, applications, internet access or other network resources in the same way as wired networks.

Currently, wireless LAN technology is significantly slower than wired LAN. Wireless LANs have a nominal data transfer rate of between 11 and 54 Megabits per second (Mbps), compared to most wired LANs in schools, which operate at 100Mbps or 1000Mbps.

Wireless LANs are typically used with wireless enabled mobile devices such as notebook computers, PDAs and Tablet PCs. This allows users to take advantage of the flexibility, convenience and portability that WLANs can provide. Wireless networking is also appearing on other devices such as mobile phones, digital cameras, handheld games consoles and other consumer electronics.

There are several wireless technologies in existence, but most wireless LANs use wireless Ethernet technologies based on IEEE 802.11 standards (see: Current Standards). The term Wi-Fi (Wireless Fidelity) is often used to refer to 802.11 wireless networks. It comes from the testing and certification programme run by the Wi-Fi Alliance (see below) to ensure wireless products from different manufacturers comply with standards and are interoperable.

How does a WLAN work?
To access a wireless network all devices will need to have a wireless network interface card (NIC), either built in or installed separately. Wireless NICs are available in various forms and with different interfaces to suit different devices, e.g. PCMCIA and PCI cards; CF (Compact Flash) and SD (Secure Digital) cards; and USB wireless network adaptors. In all cases the necessary software drivers may also need installing.

Increasingly, portable devices are being sold with wireless LAN connectivity as a standard feature. Most new laptop and tablet PC models, for example, have in-built wireless, and this is also now included on many PDAs. Built-in wireless adapter cards have now overtaken external wireless adapter cards in the market.

There are two main types of wireless network configuration: ad-hoc mode and infrastructure mode.

Ad-hoc networks are the simplest form of wireless network, created by two or more wireless enabled computers communicating with each other directly. These types of WLANs are useful for creating small dynamic networks. However, these ad-hoc networks have similar limitations to wired peer to peer networks and are only really suitable for occasional, small networks of a few computers. Ad-hoc networks cannot provide the same security as properly implemented infrastructure mode networks.

Infrastructure mode requires one or more access points (APs) through which the network cards communicate. In a typical wireless LAN, a transmitter/receiver (transceiver) device, called an access point, is normally physically connected to the wired network using standard Ethernet cabling. It acts as a bridge between the wired network and the remote computer(s).

[1] http://www.in-stat.com/press.asp?ID=1598&sku=IN0501813NT
At a minimum, the access point receives, buffers, and transmits data between the wireless LAN and the wired network infrastructure, using radio frequencies to transmit data to each user. Access points can have a varying amount of intelligence and functionality built in. There are two main types of AP. “Thick” APs are fully functional and can handle all processes. “Thin” APs only include radios and antennas and rely on controllers (WLAN switches/appliances) for other functionality, including managing APs, security and authentication. There is also a third, hybrid category with some limited radio frequency management functionality, but which still needs controllers to function fully.

The vast majority of WLANs use fully functional (thick) APs in a decentralised architecture. The APs are usually deployed in stand-alone mode, but in larger networks, where the communication between APs poses an unacceptable load, a controller can be used to handle load balancing and roaming. There is a management overhead in configuring and managing each access point, although overlay management tools are available (see Managing WLANs).

Centralised architectures are less common. In these networks all traffic passes through the controllers (WLAN switches/WLAN appliances), which handle load balancing and other management functions. The APs deal with RF access and often enforce policies set by the controller. Various manufacturers balance the functionality between controllers and APs differently. Centralised networks are generally considered easier to manage than decentralised networks. They can also allow seamless roaming of users across subnets. However, these tend to be single vendor solutions, and the increased cost of centralised equipment is usually only justified in larger, complex or multi-site deployments.

What are the advantages and disadvantages of a WLAN?
A wireless LAN has some specific advantages over a wired LAN:

• Access to the network can be from anywhere in the school within range of an access point, giving users the freedom to use ICT where and when it is needed.
• It is typically easier and quicker to add or move devices on the network (once in place, a wired LAN can be difficult to move and expensive to change). Increasing the overall network coverage of the wireless LAN can often be achieved by adding further access points.
• Small dynamic ad hoc networks can be created very quickly and relatively easily.
• It is typically easier and quicker to provide connectivity to the network in areas where it is difficult or undesirable to lay cable or drill through walls. Instances might be:
  - where a school is located on more than one site or is made up of several buildings
  - when implementation is anticipated to be temporary or semi-permanent
  - when only one device is required at a remote part of a building or site
  - in historic buildings where traditional cabling would be difficult to install or inappropriate
• Where wireless enabled laptop computers are used, any classroom in range of an access point can become a ‘computer suite’, potentially increasing the use of ICT across the curriculum.
• While the initial investment required for wireless LAN hardware can be similar to the cost of wired LAN hardware, installation expenses can be significantly lower.
• Wireless provides increased flexibility for teachers. A teacher with a wireless enabled laptop can access the wireless network to show students’ work, share resources and obtain information from the internet from anywhere within range of an AP, without being tied to a wired PC. This flexibility is further enhanced when combined with a wireless projector.
• Portability.
  They allow computer devices to move around the school with the pupil rather than the pupil going to a specific place to use a device. This allows for outdoor field work and work in non-classroom spaces (common areas, library, canteen, gymnasium/sports hall, playground).

Wireless LANs also have some issues:

• The current data rates of wireless networks mean that high bandwidth activities are better done on wired networks.
• As the number of devices using the network increases, the data transfer rate to each device will decrease accordingly.
• As wireless standards change, it may be necessary, or at least desirable, to upgrade to higher specifications of wireless, which could mean replacing wireless equipment (wireless NICs, access points etc). Currently, wireless standards are changing more quickly than wired standards.
• Security is more difficult to guarantee.
• Devices will only operate at a limited distance from an access point, with the distance largely determined by the standard used. Obstacles between the access point and the user, like walls, glass, water, trees and leaves, can also determine the distance of operation. Poor signal reception has been experienced around reinforced concrete school buildings; these may require higher numbers of access points, which in turn increases overall cost.
• In practice, a wireless LAN on its own is not a complete solution and will still require a wired LAN to be in place to provide a network backbone.
• Data speeds drop as the user moves further away from the access point.
• It is generally easier to make a wired network ‘future proof’ for future requirements.
• As the number of people using wireless devices increases, there is the risk that certain radio frequencies used for wireless will become congested and prone to interference, particularly the 2.4GHz frequency.

Where are WLANs being used?
The DfES ‘Survey of Information and Communications Technology in Schools 2004’ report indicated that, of the secondary schools with a network, 54% had some wireless LAN provision. For primary and special schools this figure was 21% [2].

In business: WLANs are increasingly being installed by businesses to provide flexible access, or for specific tasks such as stock taking in warehouses.

In the wider community: Wireless networks can be used for public access to the internet. Commercially available public access wireless networks are more commonly known as ‘hotspots’ and there are now thousands of these throughout the UK, located at railway stations, airports, hotels, in certain public libraries and in cafés and eating establishments. Some local authorities and commercial providers are installing Wi-Fi networks to cover larger areas, such as city centres.

On transport: Several airlines have in-flight WLAN availability. Wireless access is available on certain trains in many countries of the world. In the UK, several train operators have started on-board wireless services.

[2] DfES ICT in Schools Survey 2004: http://www.becta.org.uk/research/research.cfm?section=1&id=3466

Becta specifications for WLANs

These specifications are taken from Becta’s Functional Specification - Institutional Infrastructure [3], which sets out the functional requirements for institutions to aim to achieve.

Secure wireless networks shall [4] complement rather than replace an institution’s wired network

While wireless technologies allow a high degree of flexibility in accessing the institution’s network, they are still widely viewed as technologies that support the institution’s wired network. It is anticipated that in the medium term, media-rich applications and services that place high demands on the institution’s network will be best met via a wired network.
Institutions should provide secure wireless access to curriculum and administration resources from a wide range of work spaces in the institution

In order to achieve complete flexibility of working within the institution, a learner or educator needs to be able to gain access to networked resources from all work spaces. To allow flexible access to the institution’s ICT services, it is anticipated that a wide area of wireless coverage of the institution will be needed. Wireless networking technologies allow access to networked resources when fixed access to the network is not possible, practical or even desirable. Careful planning of what areas need wireless coverage will be required to ensure that flexible working via wireless technologies is achieved.

What are the standards relating to Wireless LANs?

The Institute of Electrical and Electronics Engineers (IEEE) [http://www.ieee.org/portal/index.jsp] is the leading authority in the specification and ratification of standards relating to technology. Current wireless standards have originated from the IEEE; thus IEEE 802.11a, IEEE 802.11b etc. In the field of wireless LAN there are currently three main operational standards: IEEE 802.11a, 802.11b and 802.11g. There are also a number of other standards relating to security, functionality and interoperability. Further WLAN standards are still in development. For example, the IEEE has set up a Working Group to develop the 802.11n standard for higher bandwidths over wireless LAN.

Current standards

IEEE 802.11b

802.11b is the most mature and widely deployed wireless network standard. It is also the standard used by most public wireless “hotspots”. The 802.11b standard derived from the 802.11 standard, and was ratified by the IEEE in 1999.

The 802.11b standard:

• operates in the 2.4GHz spectrum
• has a nominal data transfer rate of 11Mbps. In practice the actual data transmission rate is approximately 4-7Mbps, which is shared by all clients using an access point
• provides 3 non-overlapping channels (see below)

[3] http://www.becta.org.uk/schools/techstandards
[4] The word “shall” defines a mandatory requirement of this specification. The word “should” defines a highly recommended but not a mandatory requirement of this specification.

This is adequate for accessing most data or applications, including internet access, but might be insufficient for multimedia applications or for instances when a large number of simultaneous users want to access data from a single access point.

The 2.4GHz frequency is also used by other electronic devices, notably Bluetooth devices, cordless telephones, microwave ovens and some lighting. 802.11b can encounter electromagnetic interference in the presence of these devices or other 802.11b equipment.

Wi-Fi Alliance (WFA)

Initially, not all 802.11b items of equipment were compatible with each other. To rectify this, an alliance of manufacturers and interested parties was set up (the Wireless Ethernet Compatibility Alliance (WECA); WECA officially changed its name to the Wi-Fi Alliance in December 2002) and a distinct Wi-Fi certification mark was established. In principle, any item with the Wi-Fi certification mark has been tested for compliance with IEEE standards and should be interoperable with other equipment (even from other manufacturers) bearing the Wi-Fi certification mark. In practice, this may not always be the case. It is advisable to ensure that all wireless equipment purchased is Wi-Fi certified.

The Wi-Fi mark has now been extended to the 802.11a and 802.11g standards and denotes that equipment of the same standard is compatible. The Wi-Fi label now also states which standard(s) is supported by that particular piece of equipment. From August 2003, to receive Wi-Fi approval, new 802.11b and 802.11g products were required to conform to the WPA (Wi-Fi Protected Access) security standard.
This also applied to all 802.11a products from September 2003. The Wi-Fi Alliance began testing and issuing certificates for products conforming to WPA2 (see below) in September 2004.

IEEE 802.11g

The 802.11g standard was ratified in June 2003 and the first devices to receive Wi-Fi approval were announced in July 2003. It is intended to offer the same data rates as 802.11a (54Mbps), whilst working in the same frequency range as 802.11b (2.4GHz) for backwards compatibility. 802.11g is widely used in consumer wireless equipment and has also been installed by many organisations.

802.11g:

• operates in the 2.4GHz spectrum
• has nominal data speeds of 54Mbps
• has actual data speeds of 18-30Mbps. These drop to around 60% of the available data rate in the presence of 802.11b equipment
• offers three non-overlapping channels (see below)
• is backwards compatible with 802.11b equipment (all Wi-Fi certified 802.11g equipment should permit the use of 802.11b equipment; however, it is possible to configure access points to only allow 802.11g clients)
• can suffer from interference from other devices in the 2.4GHz frequency
• is less power efficient than 802.11b, so 802.11b may continue to be more common in some mobile devices such as PDAs
• uses Orthogonal Frequency Division Multiplexing (OFDM), so benefits from some resiliency to RF interference and multi-path distortion

IEEE 802.11a

The 802.11a standard was ratified by the IEEE in 1999 and adopted in the USA and other parts of the world. However, 802.11a equipment was restricted in the UK and the rest of Europe because it uses the 5GHz frequency, parts of which are traditionally used by national governments for defence purposes. This slowed adoption of the standard, especially with the emergence of 802.11g. 802.11a was made available without licence in February 2003.
Band A for indoor use (5.15GHz to 5.35GHz, 200mW EIRP [5]) and Band B for indoor and outdoor use (5.47GHz to 5.725GHz, 1W EIRP) are open for wireless LAN services. Multiband a/g or a/b/g wireless cards are increasingly common and falling in price.

802.11a has:

• Nominal data rate of 54Mbps with actual rates of between 17-28Mbps.
• A signal range of about 50 metres from an access point; data rates begin to drop at a range of 10-15 metres from the access point (dependent on environment and equipment).
• The 802.11a standard uses OFDM.
• The 5GHz band provides much greater spectrum than the 2.4GHz band. This results in 802.11a being able to deploy eight non-overlapping channels in the UK, compared to only three in an 802.11b/g environment (see below).
• 802.11a is particularly suited to environments with multiple users using applications with high data throughput.

IEEE 802.11h

This is an addition to the 802.11a standard that meets European requirements for use of 5GHz frequencies. It includes Transmit Power Control (TPC) to limit transmission power and Dynamic Frequency Selection (DFS) to protect sensitive frequencies. These changes protect the security of military and satellite radar networks sharing some of this spectrum. It is possible to use 802.11h to reduce AP cell sizes to increase the density of AP coverage. The standard was finalised in September 2003 and has been included in some wireless equipment.

IEEE 802.11e Quality of Service (QoS)

WLANs operate on a contended basis, meaning all devices on a particular AP share the bandwidth and data packets are dealt with in the order received. This is usually sufficient for data applications such as office suites and basic internet browsing, as users will not be continuously accessing the network. However, voice and streaming media can be seriously disrupted. There are proprietary QoS solutions available, but an IEEE standard, 802.11e, was ratified in September 2005 and is now being incorporated into products.
There are two strands to the standard:

1) Enhanced Distributed Channel Access (EDCA)
2) HCF Controlled Channel Access (HCCA)

EDCA prioritises transmission of packets and reduces transmission times according to different access categories, but provides no service guarantees. HCCA centrally manages access by polling clients and scheduling a time for transmission, reducing contention. HCCA uses traffic classes, and precise QoS parameters can be set for individual applications.

[5] Effective Isotropic Radiated Power

EDCA is expected to be implemented on all equipment, but HCCA may be reserved for particularly time sensitive applications such as VoIP.

In September 2004 the Wi-Fi Alliance launched an interim Quality of Service certification for wireless products called WMM (Wi-Fi Multimedia). WMM is mainly aimed at consumer electronics devices and classifies data packets into voice, video, best effort and background. WMM shortens the time between transmitting packets for higher priority traffic. WMM devices can be configured to prioritise different types of traffic as required. Currently, WMM only stipulates the use of EDCA. However, the Wi-Fi Alliance is developing WMM Scheduled Access certification for products including both QoS methods.

WMM Power Save

Wi-Fi WMM Power Save is an extension to WMM (based on an optional strand of 802.11e) intended to extend the battery life of wireless mobile devices. Through improved signalling capabilities, the efficiency and flexibility of wireless transmissions has been improved. WMM Power Save certified devices transmit data in less time and devices can stay in “sleep” mode longer. Access points, NICs and other devices are certified under the program.

Channels and roaming

The 802.11b and 802.11g standards, working in the 2.4GHz frequency range, have 13 channels available in the UK.
However, to avoid crosstalk and interference there are effectively only 3 non-overlapping channels that can be used (usually set at 1, 6 and 11). Adjacent APs need to be set to different channels. This means that only 3 access points can be used in parallel. 802.11a has 8 non-overlapping channels, allowing many more APs to be used in parallel.

[Figure: Typical channel setting of adjacent access points on 802.11b/g WLANs (Channel 1, Channel 6, Channel 11)]

Roaming is the ability of a client to seamlessly switch between access points while moving or for load balancing purposes. The client should associate with the access point with the strongest signal. To do this, APs need to be on the same subnet (to avoid needing to acquire a new IP address) and have the same SSID and encryption keys.

Which standard to choose

The choice of which wireless standard to deploy will be based on a range of factors, including: what equipment is already in use; the size of area to be covered by the network; the number of users to support; the applications to be used on the network; environmental conditions; and any interference present. A site survey (see below) will help determine some of these factors.

Manufacturers now provide dual mode and tri-mode equipment (access points, NICs), which support 802.11a/b, 802.11a/g and 802.11a/b/g. While slightly more expensive, this does provide considerable flexibility. Most new notebooks, laptops and Tablet PCs ship with wireless connectivity as standard. Schools should consider this when purchasing new equipment and ensure that it is compatible with their existing wireless set-up. As 802.11b/g and 802.11a operate in different frequency ranges they are not compatible with each other. However, 802.11b/g and 802.11a networks can be used side by side to increase capacity.
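The channel rules described under Channels and roaming, as an added example that is not part of the Becta paper: a Python checker that derives the non-overlapping channel sets for the 2.4GHz and 5GHz (UK Band A) bands from the IEEE channel spacing, flags neighbouring APs set to overlapping channels, and shows why a 2.4GHz plan runs out at three mutually adjacent APs while 802.11a does not. The AP names and the neighbour pairs (cells that overlap) are constructed stand-ins for site-survey results.

```python
"""Channel-plan checker for the 2.4GHz (802.11b/g) and 5GHz (802.11a, UK Band A)
bands. Added example, not part of the Becta paper: channel centre frequencies
follow the IEEE numbering and the 'neighbours' list (pairs of APs whose cells
overlap) is a constructed stand-in for what a site survey would report."""
from itertools import combinations

# Each 2.4GHz channel is 5MHz from the next but the signal is about 22MHz wide,
# so only every fifth channel (1, 6, 11) is clear of its neighbours.
# UK 5GHz Band A (5150-5350MHz) holds eight 20MHz channels spaced 20MHz apart.
BANDS = {
    "2.4GHz": {"channels": list(range(1, 14)), "base_mhz": 2407, "width_mhz": 22},
    "5GHz": {"channels": [36, 40, 44, 48, 52, 56, 60, 64], "base_mhz": 5000, "width_mhz": 20},
}


def centre_mhz(band, channel):
    """Centre frequency of a channel: band base + 5MHz per channel number."""
    return BANDS[band]["base_mhz"] + 5 * channel


def channels_overlap(band, a, b):
    """True when two channels' signals share spectrum (centres closer than one width)."""
    return abs(centre_mhz(band, a) - centre_mhz(band, b)) < BANDS[band]["width_mhz"]


def non_overlapping_set(band):
    """Greedy lowest-first choice of mutually non-overlapping channels."""
    chosen = []
    for c in BANDS[band]["channels"]:
        if all(not channels_overlap(band, c, d) for d in chosen):
            chosen.append(c)
    return chosen


def check_plan(band, plan, neighbours):
    """Return the neighbouring AP pairs whose assigned channels overlap."""
    return [(a, b) for a, b in neighbours if channels_overlap(band, plan[a], plan[b])]


def assign_channels(band, aps, neighbours):
    """Greedy assignment: each AP takes the first clear channel that no already
    assigned neighbour uses. Returns (plan, aps_left_without_a_channel)."""
    usable = non_overlapping_set(band)
    adjacent = {ap: set() for ap in aps}
    for a, b in neighbours:
        adjacent[a].add(b)
        adjacent[b].add(a)
    plan, left_over = {}, []
    for ap in aps:
        taken = {plan[n] for n in adjacent[ap] if n in plan}
        free = [c for c in usable if c not in taken]
        if free:
            plan[ap] = free[0]
        else:
            left_over.append(ap)
    return plan, left_over


# Constructed survey: four APs around a hall, every cell overlapping every other.
SAMPLE_APS = ["AP-A", "AP-B", "AP-C", "AP-D"]
SAMPLE_NEIGHBOURS = list(combinations(SAMPLE_APS, 2))
# A hand-set 2.4GHz plan that looks varied but puts channel 3 next to 1 and 6.
SAMPLE_BAD_PLAN = {"AP-A": 1, "AP-B": 3, "AP-C": 6, "AP-D": 11}

if __name__ == "__main__":
    print("overlapping pairs in bad plan:",
          check_plan("2.4GHz", SAMPLE_BAD_PLAN, SAMPLE_NEIGHBOURS))
    for band in BANDS:
        plan, left_over = assign_channels(band, SAMPLE_APS, SAMPLE_NEIGHBOURS)
        print(band, "plan:", plan, "| no clear channel for:", left_over)
```

On the constructed four-AP survey the 2.4GHz band leaves AP-D without a clear channel, while the 5GHz band assigns all four.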
In general both 802.11b and 802.11g (as they work in the 2.4GHz frequency) have a greater range than 802.11a. In practice, to obtain the same network coverage, the user may require up to four times as many access points when using an 802.11a network. This may be more expensive, as not only do you require more access points, but 802.11a access points are still currently more expensive than both 802.11b and 802.11g devices. However, the smaller range and greater number of channels of 802.11a allow more access points to be used in any given area, improving network performance. The 5GHz frequency of 802.11a is also less congested than the 2.4GHz frequency used by 802.11b/g, reducing the chance of interference.

Schools or organisations that have already deployed 802.11b networks have several choices if they want to improve their wireless data rates:

• purchase Wi-Fi approved 802.11g equipment
• increase the number of APs in order to lower contention ratios (although 802.11b should be phased out by institutions)
• build a new 802.11a wireless LAN alongside or replacing their existing 802.11b network
• purchase new dual or tri-band access points to allow equipment with different wireless cards to co-exist

If schools need to run a mixed 802.11b/g network there are a couple of issues relating to data rates, notably that the actual data rates for 802.11g devices drop in the presence of 802.11b equipment. If 802.11g devices and 802.11b devices are in dialogue with each other then the data rates will be dictated by the 802.11b device. If two or more 802.11g devices are in dialogue with each other but there are 802.11b devices in the same network, then 802.11g data rates will drop but may well still be more than the practical rates of 802.11b. There are 802.11g access points, or dual or tri-band access points incorporating 802.11g, which can be set to only recognise 802.11g equipment.
This obviously prevents the 802.11b equipment from working on the 802.11g network, but there are times when this may be desirable.

Becta specifications [6]:

Design criteria

Wireless networking equipment shall [7] conform to the IEEE 802.11a/b/g standards.
New wireless networking equipment shall conform to IEEE 802.11a or 802.11g standards.
Wireless networks shall be secured.

[6] Taken from Becta’s Technical Specification - Institutional Infrastructure: http://www.becta.org.uk/schools/techstandards
[7] The word “shall” defines a mandatory requirement of this specification. The word “should” defines a highly recommended but not a mandatory requirement of this specification.

Upgrade path

Current network: No wireless network installed
  Base upgrade: Install 802.11a or 802.11g compliant access points and wireless NICs.
  Advanced upgrade: Dual (tri) band equipment installed to provide 802.11a/b/g functions. Wireless management tool implemented.

Current network: 802.11b equipment installed
  Base upgrade: Access points upgraded to dual 802.11b/g equipment. New wireless NICs to be 802.11g compliant. Phase out 802.11b equipment when possible.
  Advanced upgrade: Access points and wireless NICs upgraded to dual (tri) band equipment. Wireless management tool implemented. Replace 802.11b equipment with 802.11g compliant equipment.

Current network: 802.11a or 802.11g equipment installed
  Base upgrade: Access points and wireless NICs retained.
  Advanced upgrade: Access points and wireless NICs retained. Wireless management tool implemented.

Standards Plus and pre-standard equipment

Various manufacturers offer wireless equipment that exceeds the speeds achievable by standard devices (standards plus). Often, to provide the speed boost, all infrastructure and client equipment must be bought from the same vendor. Pre-standard equipment is released by manufacturers based on early drafts of a standard, before final ratification.
For example, many vendors launched 54Mbps access points before final ratification of 802.11g. The same is now happening with 802.11n. The Wi-Fi Alliance is discouraging this kind of activity. Neither standards plus nor pre-standard equipment is generally recommended, due to vendor lock-in, increased risk of interference, and non-compliance with future standards. However, Wi-Fi certified standards plus and pre-standard equipment should work with standards based WLAN equipment, but without the full performance gains.

Security standards

Originally, wireless LAN equipment shipped with a security mechanism called Wired Equivalent Privacy (WEP), which was often not activated by default. When activated, WEP provided a certain level of security. However, WEP has weak key management and weak endpoint authentication. Manufacturers have addressed many of the published WEP attacks and WEP should be used if other solutions are not available. However, organisations should plan to move to WPA/WPA2 (see below).

WPA (Wi-Fi Protected Access)

An interim solution called Wi-Fi Protected Access (WPA) was introduced by the Wi-Fi Alliance in mid 2003. WPA is a subset of the IEEE 802.11i security standard for wireless LANs that was finally ratified in June 2004. From August 2003, to receive Wi-Fi approval, new 802.11b and 802.11g products were required to conform to the new WPA security standard. This also applied to all 802.11a products from September 2003. In many cases, equipment bought with WEP security can be upgraded to WPA with a software upgrade. WPA incorporates features of the IEEE 802.11i standard. WPA runs in either enterprise mode or pre-shared key (PSK) mode:

- Enterprise mode requires an authentication server for authentication and dynamic key distribution.
- Personal mode (pre-shared key) does not require an authentication server.
A shared key is entered once on the access point and the wireless client, to act as a starting point for the dynamic encryption process.

WPA includes three main elements:

- authentication using the 802.1x protocol (only in enterprise mode)
- data encryption through Temporal Key Integrity Protocol (TKIP)
- data validation with Message Integrity Check (MIC).

802.1x is a protocol for secure mutual authentication of users and networks. 802.1x uses Extensible Authentication Protocols (EAPs) to provide a secure link between the client, AP and authentication server. There are three parts to an 802.1x solution: the supplicant (software on the client device incorporating 802.1x and at least one EAP); an authenticator (usually the AP, which communicates between the client and authentication server); and an authentication server (typically a RADIUS server to validate the client). WPA allows for several different EAPs to be used. EAP-TLS is one of the major versions that has been tested by the Wi-Fi Alliance, but it requires Public Key Infrastructure (PKI) certificates on the server and clients. 802.1x is currently not widely implemented in networks. Organisations may wish to consider a plan to move the whole network (wired and wireless) to 802.1x authentication.

TKIP enhances WEP and securely alters the key with every data packet sent, using Per Packet Keying (PPK). It uses 128 bit encryption, although it still employs the RC4 encryption algorithm used by WEP.

MIC provides data validity to prevent deliberate or accidental changes to data sent across the network. It replaces the Cyclic Redundancy Check (CRC).

It should be noted though that WPA offers no support for devices in ad hoc mode. For encryption to take place in this mode WEP will still need to be used.

WPA2/802.11i

The 802.11i security standard ratified in June 2004 provides a very secure mechanism for wireless networks.
The Wi-Fi Alliance started testing and issuing certificates to products for 802.11i compatibility in September 2004 under the name WPA2. WPA2 adds a stronger encryption algorithm based on the Advanced Encryption Standard (AES). It also reduces the number of data packets involved in key management. It is advisable to ensure that all future purchases are WPA2 compliant. Due to the processing demands of AES, many older APs will have to be replaced in order to handle 802.11i/WPA2. However, some APs will only need a software upgrade. Users will need to check with the manufacturer to determine whether this is possible.

Both WPA and WPA2 can be used in a 'mixed mode', which allows a WPA device to be backwards compatible with another device using a previous wireless security protocol. Unfortunately, this means that if a WPA device interacts with one using WEP, the security is greatly reduced, so mixed mode is not recommended.

Becta specifications for WLAN security [8]:

Design criteria
- Institutions shall [9] use as high a standard of authentication for WLANs as they do for their wired networks.
- Institutions shall use WPA encryption and should use WPA2/802.11i security where possible.
- Institutions should not use mixed mode in WPA.
- Institutions waiting to upgrade to WLAN equipment using WPA/WPA2 should authenticate individual devices via MAC address recognition or should consider using a separate network segment policed by a dedicated firewall. (See section WLAN issues: security, below.)

Other standards

802.11n

Increasingly, users are expecting wireless connectivity to be available and, as the number of wireless devices grows, faster data rates will be needed. This, coupled with more bandwidth hungry applications such as video and voice, has created the need for wireless technology capable of extra speed, capacity and reliability.
To meet this need the IEEE formed 802.11 Task Group N (TGn) in September 2003 to develop a wireless standard capable of real world speeds greater than 100 Mbits/sec. However, products using 802.11n are not expected until 2007. Once launched, 802.11n products should be backwards compatible with existing standards. A draft 802.11n standard was finally agreed in January 2006 and final ratification by IEEE is expected at the end of 2006 or early 2007.

802.11n will use Multiple Input Multiple Output (MIMO) technology. MIMO involves the use of at least two antennas for transmitting data and an equal or greater number for receiving. The multiple antennas are tuned to the same channel, but each transmits a different data stream. This method of setting up multiple parallel data paths within the same channel requires the use of sophisticated algorithms to reassemble the data at the receiving end. MIMO allows for more efficient use of the spectrum and greater transmission ranges. However, there are cost and power implications in having multiple RF units. 802.11n should also allow the doubling of the channel bandwidth to 40 MHz to further increase throughput.

Several manufacturers have launched pre-standard "802.11n" wireless networking equipment using MIMO technology. The pre-standard equipment claims to offer better coverage and throughput even when used with existing 802.11b/g devices. However, the "n" label is misleading and these products may not be compliant with the final ratified standard.

802.11r

IEEE 802.11r is a standard in development for fast roaming between access points. In secure WLANs the requirement to reauthenticate with each access point as a user moves around creates a delay that can disrupt low latency applications such as voice and video. The standard should allow devices to pre-authenticate with other access points before hand over takes place. The standard is not expected to be ratified until 2007.
[8] Taken from Becta's Technical Specification - Institutional Infrastructure, http://www.becta.org.uk/schools/techstandards
[9] The word "shall" defines a mandatory requirement of this specification. The word "should" defines a highly recommended but not a mandatory requirement of this specification.

802.11s

The IEEE ESS Mesh Networking Task Group (TGs) is developing a standard for wireless mesh networks (IEEE 802.11s). Although outdoor Wi-Fi mesh networks are already in use, particularly to cover large areas of towns and cities, or in rural areas, there is currently no standard. 802.11s is not expected to be ratified until late 2007.

A wireless mesh network is a series of wirelessly connected devices (nodes) such as routers, access points and computers. Network traffic is routed through these devices, 'hopping' from node to node until it reaches its destination. In order to do this each node has dynamic routing information and can work out the best route for data to take. Mesh networks are self-configuring and new nodes can be automatically discovered and added to the network. The multi-path nature of mesh networks means that there is no single point of failure, as data can usually be routed around a failed node. Mesh networks are flexible (easily expanded) and resilient, as well as being suitable for covering large areas, especially where line-of-sight connections are not possible.

802.16/WiMAX

WiMAX is a high speed wireless technology based on IEEE 802.16 standards. The WiMAX (Worldwide Interoperability for Microwave Access) Forum is the industry group that promotes and oversees the technology, in much the same way as the Wi-Fi Alliance does for IEEE 802.11. WiMAX is intended to provide wireless broadband coverage over a large area and has built in quality of service (QoS) and security features.
WiMAX can work in licensed and unlicensed spectrum, and in line-of-sight and non-line-of-sight implementations. There are two main standards:

1) IEEE 802.16-2004 was ratified in June 2004 and is intended to provide fixed/nomadic wireless broadband access at a theoretical shared peak rate of 72Mbps and a maximum range of 50km. However, real world performance will be much lower, and will depend on the frequencies and channels used by service providers. This is likely to vary from country to country. The first WiMAX implementations are expected to provide a wireless alternative to DSL/cable broadband internet access, or backhaul for other solutions such as Wi-Fi. WiMAX base stations are likely to cover cells of 3-10km with maximum speeds of 40Mbps (shared between all connected users in the cell). The first WiMAX certified equipment appeared in January 2006, although many service providers have been offering services using uncertified "pre-WiMAX" equipment for some time.

2) IEEE 802.16e-2005 for mobile wireless broadband was ratified in December 2005 and the first products are expected to go through the WiMAX certification process during 2006. Mobile WiMAX cells are expected to be up to 3km with speeds of 15Mbps (shared between all connected users in the cell). Mobile WiMAX network interface cards may be available from late 2006.

http://www.wimaxforum.org/home

Wireless Personal Area Networks (WPANs)

There are a number of other wireless technologies which are used over a short distance (usually up to about 10 metres) to connect devices to each other. As such networks are based on the immediate area around the individual user, they are called Wireless Personal Area Networks. Examples of WPAN technologies are Bluetooth, Ultra wideband and Infrared.

Bluetooth

This is a low-cost radio solution that can provide links between devices. Originally, and more typically, the range of these devices is up to 10 metres.
Bluetooth has access speeds of up to 721 Kbps, considerably slower than the various 802.11 wireless LAN standards. Bluetooth technology is embedded in a wide range of devices, e.g. mobile phones, printers, video cameras, PDAs, computer mice and keyboards. Bluetooth, as a Wireless Personal Area Network (WPAN), should not be confused with 802.11 wireless as it is not intended to do the same job. Bluetooth is primarily used as a wireless replacement for a cable to connect devices, assuming they are configured to share data. Although Bluetooth was not originally intended to be used for 802.11 wireless networking, it is now possible to buy access points for Bluetooth LAN and combined 802.11b/Bluetooth access points. The Bluetooth standard is relatively complex and it is therefore not always easy to determine if any two devices will communicate. Any devices should be seen to communicate successfully before purchasing. Bluetooth operates in the 2.4GHz band so can cause interference with wireless LAN (802.11b and 802.11g) equipment. A newer Bluetooth standard (November 2004) called Bluetooth 2 (Enhanced Data Rate) has a maximum data rate of 2.1Mbps and more efficient power usage. In the future Bluetooth may adopt ultra wideband technology (see below).

Ultra-Wideband

Ultra-Wideband (UWB) is an emerging wireless technology intended to provide high speed, low power wireless connections (100Mbps to 2Gbps) over short distances (10m). It is expected to be used for cable replacement applications and for multimedia networking in the home. Ultra-Wideband is based on pulsing a signal in very short bursts across a very wide bandwidth. Data is sent by altering the amplitude, phase or position of the pulses. OFDM and frequency hopping techniques have also been developed.
The IEEE standards process for Ultra-Wideband (IEEE 802.15.3a) has now been stopped due to lack of agreement between industry groups proposing two different solutions:

1) MultiBand Orthogonal Frequency Division Multiplexing (MB-OFDM) UWB, backed by the WiMedia Alliance
2) Direct sequence UWB (DS-UWB), backed by the UWB Forum

Companies that are members of the WiMedia Alliance and the UWB Forum are now developing and launching UWB products based on the two incompatible solutions. UWB is likely to be used to provide wireless versions of existing cable technologies such as USB 2, 1394 (FireWire), Bluetooth and video connections (eg DVI). Wireless versions of Hi-Speed USB (USB 2.0) will be the first consumer application of UWB technology. CableFree USB (UWB Forum solution) products were shown at the Consumer Electronics Show in January 2006 and Wireless USB (WiMedia Alliance solution) enabled devices are likely to appear later in the year. The WiMedia Alliance USB solution is backed by the USB Implementers Forum and will be called Certified Wireless USB. Currently, only the USA has given regulatory approval for the use of UWB. The European Conference of Postal and Telecoms Administrators (CEPT) is in the process of developing harmonised regulations for UWB use in Europe.

ZigBee/802.15.4

ZigBee is a wireless sensor network technology specification based on the IEEE 802.15.4 standard. The ZigBee Alliance is a trade body that oversees testing and certification for ZigBee products. ZigBee is intended to be a low cost, low power, low data rate wireless networking standard for sensor and control networks. The technology will primarily be used for industrial and home sensor networks and building control systems, such as security systems, smoke detectors/alarms, and heating and lighting controls. ZigBee enabled products can create mesh networks, routing traffic via other ZigBee devices. ZigBee works in the 2.4GHz band and provides maximum data rates of 250 Kbps.
http://www.zigbee.org/en/

Implementing a WLAN

Planning

As wireless network technology has matured there has been a proliferation in manufacturer offerings of both equipment and management tools. There are various factors that need to be considered before deploying a wireless network. These include what it is to be used for, the requirements of the applications intended to run on the network, the number of users, and the size and location of the area to be covered. It is also important to have a good understanding of the technologies and standards involved. It is recommended that a small pilot wireless network is set up to test applications and use before widespread deployment.

WLANs vary in their size and complexity. Schools may decide to cover a small area such as a classroom or classrooms, or to have blanket coverage over a wide area or entire site. The amount of coverage can be increased over time, but clearly defined aims need to be set out at the start of any WLAN project.

Alternatively, many schools use "mobile" APs instead of fixed APs. These are usually fitted to a laptop trolley, which can be wheeled into a classroom and connected to a free network port. This provides an inexpensive way of delivering wireless connectivity to a suite of laptops, which can be moved around the school. However, it does not provide the flexibility of "blanket" wireless coverage and relies on there being fixed wired network ports in classrooms.

Site survey

To determine the location of access points for infrastructure networks, it is recommended that a site survey is undertaken by a specialist. A site survey will also determine the number of access points required to give the desired coverage, the range of each access point, its channel designation and signal strength, and the presence of interference.
Before a site survey is undertaken, it is advisable to prepare a floor plan to show where coverage is required. Precise details should be sought from suppliers of 'network coverage' and 'data transfer rates', particularly towards the edge of the coverage area. You should specify the level of coverage you require, as a supplier's definition may be as low as 1Mbps. It is also a good idea, if possible, to ensure that the site survey is carried out with the equipment anticipated to be used in the school. It is also advisable to build in some redundancy to provide better performance and reliability. This can be achieved with extra access points or by moving access points closer together. For schools upgrading from an existing 802.11b wireless network, a further site survey may be required since the coverage of the new equipment is likely to be different when compared to 802.11b.

Positioning APs

The access point, or the antenna attached to the access point, will usually be mounted high in a classroom or in the ceiling space. However, an access point may be mounted anywhere that is practical as long as the desired radio coverage is obtained. Larger spaces generally require more access points. APs will also need a power supply and this needs to be taken into consideration when planning the location and cost of installations. It is advisable for electrical installations to include remote power switches, so that APs in awkward locations can be easily powered down or rebooted.

Power over Ethernet (PoE)

Many enterprise class access points now support Power over Ethernet. Power over Ethernet (PoE) is a network standard (IEEE 802.3af) for sending DC power over data cabling to provide power for networked devices. The standard allows for 15.4 W, but only 12.95 W is available at any device. PoE allows for greater flexibility in WLAN deployment as access points can be installed in places away from power outlets and easily moved to meet requirements.
Another key consideration is potential cost savings on installation and management. Using PoE devices reduces the financial and time costs of employing a qualified electrician to install mains sockets and cabling. The reduction in wiring and lack of mains voltage can also improve safety. Although PoE can be used over existing fast Ethernet Cat 5 and Cat 6 cabling, the costs of mid-span PoE expansion modules, UPS, power supply units (PSU) and air conditioning to cope with the extra heat are not insignificant. PoE is not yet a widely used technology and the costs are a barrier to take up. However, it could be considered for larger WLAN deployments.

A new emerging standard for PoE, known as PoE Plus, is in development as IEEE 802.3at. It should offer higher power throughput (somewhere between 30 W and 60 W) and therefore should support a wider variety of devices. It should be backwards compatible with IEEE 802.3af. The new standard is not expected to be ratified until late 2007/8.

Network management

Schools will need to allocate resources for network management in the same way as they would for a wired network. Tasks such as configuring MAC and IP addresses, changing security keys, managing radio strength, monitoring network performance, upgrading access points and generally ensuring system integrity will need to be undertaken on a relatively regular basis. Most access points will allow a certain amount of configuration, usually via a browser interface. In networks of more than a handful of access points, manual configuration of APs can become unmanageable. Enterprise class APs provide some management tools and will often allow some remote management using Simple Network Management Protocol (SNMP) via Management Information Bases (MIB). However, these management tools are proprietary and rely on all APs being from the same vendor.
Alternatively, third party management and WLAN monitoring tools that can work with products from a variety of manufacturers are increasingly available.

The Wi-Fi Alliance is considering introducing a new certification for Wi-Fi equipment to make setting up secure wireless networks easier. Imposing easy to use setup schemes on Wi-Fi equipment is seen as important for the increasing number of non-technical users using the technology. Some vendors have already introduced proprietary set-up solutions. The WFA has set up a working group to look at the problem.

WLAN issues

Security

Wireless LAN security problems have been widely publicised and have been a key barrier to take up. Security is always a balance between perceived risks and costs. Various factors need to be considered, including the vulnerability of the network, the threat of attack, the value of the data to be secured and the costs involved. Securing WLANs, as with all networks, needs to be seen as a continuous process rather than a one-off step. Any security solution needs to be consistently and properly implemented with regular monitoring.

Anyone with a compatible wireless device can detect the presence of a wireless LAN; however, if appropriate security mechanisms are put in place, this does not mean that they can access any data. The wireless LAN should be configured so that anyone trying to access the wireless LAN has at least the same access restrictions as they would if they sat down at a wired network workstation. Schools should be implementing a comprehensive security policy and incorporating standards like WPA/WPA2. However, there are a number of other security measures that can be taken.

All the suggestions below are practical steps that institutions can put in place to improve wireless LAN security.
An institution can:

- ensure that devices with WEP security are upgraded to WPA/WPA2 where possible and that the encryption is enabled. WPA provides a high level of security for a wireless network. If an upgrade to WPA is not possible, schools should ensure that WEP is enabled.
- educate users about security and implement an organisation wide policy. Ensure that users know not to plug in their own access points, which could leave the network open.
- restrict access to the wireless network by only permitting devices with a recognised MAC (Media Access Control) address. Every computer has an individual alphanumeric identifier known as a MAC address. Within the software accompanying the access point, there is an Access Control List (ACL), which, as its name suggests, controls access to the network. The access point can be configured to only permit recognised devices. This only gives an additional layer of security to the network; it is not a secure solution in itself as MAC addresses can be easily "spoofed". It should be noted that the management of these ACLs can become burdensome in larger networks.
- change default settings on access points. The default usernames and passwords on access points are widely known and should be changed.
- change the default Service Set Identifier (SSID or network name). (The SSID is the method wireless networks use to identify or name an individual wireless LAN.) Access points may be set to broadcast the SSID; this should be turned off where possible. This only adds an additional layer of security and is not a solution in itself. On access points where this is not possible, the network name can be made less recognisable by including non alphanumeric characters (like _*# etc).
- avoid wireless accessibility outside buildings where it is not required; directional aerials can be obtained to restrict the signal to 180° or 90° from the access point.
- switch off the power to the access point(s) 'out of hours', making the wireless LAN unavailable at those times.
- make sure that the network is regularly checked to ensure that only legitimate wireless access points and devices are connected to the network. This can be done by walking around with a wireless device and software tools like Netstumbler.
- put the wireless LAN into its own DMZ so that all wireless nodes pass through a firewall to access the educational network. The security measures a school would consider for a standard LAN implementation can also be incorporated into a WLAN (e.g. installing a firewall, using a DMZ, administrator file restrictions etc).
- implement firewalls on client devices.
- regularly update the firmware of all wireless equipment.
- set an appropriate maximum number of clients that can associate with an AP.
- disable the ability to manage APs over the WLAN.
- incorporate a Virtual Private Network (VPN). A VPN is a secure (encrypted) private network created over a public network. Anyone wishing to access files on the WLAN would first need to log on to the network via the VPN using a user name and password. Data sent between the client device and the network is secure as it is encrypted/decrypted using VPN encryption (for further information on VPNs see the Becta technical paper 'Virtual Private Networks', http://www.becta.org.uk/technicalpapers). Most VPN solutions entail installing VPN software on the client devices. A VPN for wireless would provide a relatively high level of security for a school. Users would need to ensure they use sensible (i.e. not obvious) password and log-on details, otherwise this level of security is easily compromised.

Several companies now offer third party security tools and management systems.
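The walk-round check above (only legitimate access points on the network) and the Becta WLAN security criteria from the Security standards section (WPA mandatory, WPA2/AES preferred, no mixed mode, no WEP where an upgrade is possible) can be turned into a repeatable audit. The following is an added example, not code from the Becta paper or from any survey tool: the scan export format, the BSSIDs, SSIDs and the AP inventory are all constructed for illustration, and the MAC normalisation covers the separator styles different tools print.

```python
"""Audit a wireless site scan against an AP inventory and the Becta WLAN security criteria.

Added example; the record format, scan lines and inventory are constructed, not real tool output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str       # "" when the AP does not broadcast its SSID
    channel: int
    security: str   # OPEN, WEP, WPA, WPA2 or WPA/WPA2 (mixed mode)
    cipher: str     # NONE, RC4, TKIP or CCMP (AES)


@dataclass(frozen=True)
class InventoryAP:
    bssid: str
    ssid: str
    channel: int


def norm_mac(mac: str) -> str:
    """Normalise 00-11-22-AA-BB-CC, 0011.22aa.bbcc and 00:11:22:aa:bb:cc to one lower-case form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(text: str) -> list[ObservedAP]:
    """Parse the constructed 'bssid;ssid;channel;security;cipher' export; '#' lines are comments."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security, cipher = (f.strip() for f in line.split(";"))
        aps.append(ObservedAP(norm_mac(bssid), ssid, int(channel), security.upper(), cipher.upper()))
    return aps


def security_findings(ap: ObservedAP) -> list[str]:
    """Apply the Becta design criteria: WPA mandatory, WPA2/AES preferred, mixed mode not allowed."""
    findings = []
    if ap.security == "OPEN":
        findings.append("no encryption enabled")
    elif ap.security == "WEP":
        findings.append("WEP only: upgrade to WPA/WPA2 where possible")
    elif ap.security == "WPA/WPA2":
        findings.append("WPA/WPA2 mixed mode enabled: not recommended by the Becta criteria")
    elif ap.security == "WPA":
        findings.append("WPA (TKIP/RC4): WPA2/802.11i with AES preferred")
    elif ap.security == "WPA2" and ap.cipher != "CCMP":
        findings.append(f"WPA2 advertised without AES (cipher {ap.cipher})")
    return findings


def audit(observed: list[ObservedAP], inventory: list[InventoryAP]) -> dict[str, list[str]]:
    """Return {bssid: [findings]} for every AP that needs attention; clean inventory APs are omitted."""
    known = {norm_mac(a.bssid): a for a in inventory}
    managed_ssids = {a.ssid for a in inventory}
    report: dict[str, list[str]] = {}
    seen = set()
    for ap in observed:
        findings = []
        entry = known.get(ap.bssid)
        if entry is None:
            if ap.ssid in managed_ssids:
                # A BSSID we do not own is advertising one of our network names.
                findings.append(f"unknown BSSID advertising managed SSID {ap.ssid!r}: possible rogue AP")
                findings.extend(security_findings(ap))
            else:
                findings.append("unrecognised AP in range: confirm it is not connected to the school network")
        else:
            seen.add(ap.bssid)
            if ap.ssid and ap.ssid != entry.ssid:
                findings.append(f"SSID changed from {entry.ssid!r} to {ap.ssid!r}")
            if ap.channel != entry.channel:
                findings.append(f"channel changed from {entry.channel} to {ap.channel}")
            findings.extend(security_findings(ap))
        if findings:
            report[ap.bssid] = findings
    for bssid, entry in known.items():
        if bssid not in seen:
            report[bssid] = [f"inventory AP {entry.ssid!r} on channel {entry.channel} not seen: powered down or failed?"]
    return report


# Constructed inventory and scan export for a three-AP school network.
INVENTORY = [
    InventoryAP("00:11:22:AA:00:01", "school-staff", 1),
    InventoryAP("00:11:22:AA:00:02", "school-staff", 6),
    InventoryAP("00:11:22:AA:00:03", "school-staff", 11),
]

SCAN_EXPORT = """\
# bssid;ssid;channel;security;cipher  (constructed sample walk-round)
00-11-22-AA-00-01;school-staff;1;WPA2;CCMP
00:11:22:aa:00:02;school-staff;6;WPA/WPA2;TKIP
0011.22aa.0004;school-staff;6;WEP;RC4
02:aa:bb:cc:dd:ee;home-router;11;WPA2;CCMP
"""

if __name__ == "__main__":
    for bssid, findings in sorted(audit(parse_scan(SCAN_EXPORT), INVENTORY).items()):
        for finding in findings:
            print(f"{bssid}  {finding}")
```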
These can provide various functions such as intrusion detection systems (IDS) that actively monitor the airwaves for rogue access points/devices and disable any found. Some systems can limit the area from which devices are allowed to connect to the network using location based technology. These solutions add to the cost of WLAN deployment.

Performance

It is important to remember that transmission speeds for all wireless LANs vary with file size, number of users, distance from the access point, the environment and any interference present. As the distance from the access point increases, the nominal data rate for 802.11a and 802.11g standard equipment drops from 54Mbps to 48, 36, 24, 18, 12, 9, or 6 Mbps. 802.11b standard equipment drops from 11Mbps to 5.5Mbps, 2Mbps or 1Mbps. It is possible to boost the range of some access points by installing specialised antennae.

Wireless clients will only send data when other devices are not transmitting. Interference from other wireless signals can cause clients to wait before sending data or cause dropped packets that have to be retransmitted, slowing down the network.

The environment of a WLAN can also affect the range and throughput. Buildings with many girders, thick walls, and concrete will often shorten the effective range and there may be areas that are effectively 'dead zones'. Water, glass and paper can also reduce a network's range.
Prices

The cost of access points depends on the quality and on built-in functionality, and includes:

- the quality of the antennae
- antennae directionality
- encryption included in the access point
- whether the access point has DHCP (Dynamic Host Configuration Protocol, which allows automatic assignment of IP addresses to new devices on the network)
- built in DSL access (which allows internet access direct from the access point); this is designed for small home network or small business use
- the number of user devices that can be listed in the Access Control Lists; is the number limited and if so is it sufficient for your network?
- the ability to centralise the control and management of access points over the network
- whether the access point can act as a bridge between other access points and the network
- support for Power over Ethernet (PoE)

Enterprise class access points are significantly more expensive than consumer/SOHO class devices. They tend to include more features, more robust radios and better support and management tools. Prices for WLAN equipment have fallen significantly in a short period. Access points are available from between £40 and £800. Wireless cards for notebooks start at around £10. In general 802.11a equipment is slightly more expensive than 802.11b or 802.11g. However, multiband access points and cards that support 802.11a/b/g are increasingly common and as a result prices for 802.11a connectivity should continue to fall.

Safety issues

For information on safety issues regarding wireless equipment, contact the Health Protection Agency: http://www.hpa.org.uk/radiation/ and Ofcom: http://www.ofcom.org.uk/.

Other sources of information

Becta: Functional specification: Institutional infrastructure
This 'Functional specification: Institutional Infrastructure' sets out Becta's vision for institutional infrastructure.
It sets out the vision primarily from a functional stance, providing a detailed view of what learners, educators and administrators need to expect from the institution's infrastructure and what functions need to be in place in order for these expectations to be met.
http://www.becta.org.uk/schools/techstandards

Technical specification: Institutional infrastructure
In this document Becta has addressed the technical specifications that underpin the requirements outlined in Becta's 'Functional specification: Institutional infrastructure'. It covers four key areas: institutional networks, institutional services and applications, institutional ICT security, and ICT hardware requirements. It provides recommendations on the standards and procedures institutions should use for WLANs.
http://www.becta.org.uk/schools/techstandards

Becta Schools website: http://schools.becta.org.uk/index.php?section=te&catcode=as_net_lan_03

Becta's TechNews
A regular technology news and analysis service that will keep users informed of developments in technology, including wireless networking.
http://www.becta.org.uk/technews

Standards and organisations:
- Institute of Electrical and Electronics Engineers (IEEE): http://www.ieee.org and http://standards.ieee.org/wireless
- Wi-Fi Alliance: http://www.wi-fi.org
- Ofcom: http://www.ofcom.org.uk
- European Telecommunications Standards Institute (ETSI): http://www.etsi.org
- Communications Electronics Security Group (CESG): http://www.cesg.gov.uk

Other wireless technologies:
- WiMAX Forum: http://www.wimaxforum.org
- UWB Forum: http://www.uwbforum.org/
- WiMedia Alliance: http://www.wimedia.org/
- Bluetooth: https://www.bluetooth.org/
- ZigBee Alliance: http://www.zigbee.org