
Wireless Networking

TGIF, April 18th, 2003


Alvin Chew (alchew@stanford.edu)
Kent Reuber (reuber@stanford.edu)
Outline
• Wireless technology overview
• ITSS Wireless Net
• Department wireless nets
• Home wireless nets

• Questions
Wireless Technology Overview
Why Wireless?
• (+) No wires. Convenient, flexible. But…
– (-) Relatively slow speeds, typically 5 Mbps with 802.11b.
Nowhere near the 100 Mbps of a typical wired connection.
– (-) Wireless access points are hubs, not switches.
Bandwidth is shared among wireless users. Think of it as
phone party lines.
– (-) Data is freely available “in the air”.
• Traffic is easily sniffed.
• Data is not encrypted unless the protocol is encrypted (e.g., SSL
and Kerberos).
• Stanford does not use WEP, because it can be cracked.
Wireless Terms
• Access Point (or AP): device that sends and receives wireless signals.
Usually directly connected to the wired net.
– ITSS uses Cisco Aironet 350 AP’s.
• SSID: the network name that Access Points broadcast.
– ITSS uses “Stanford”.
– Departments and home users may want to use other names.
– Users can roam between access points with the same SSID.
• Channel: radio frequency used by AP’s.
– AP’s near one another should use different channels to minimize noise.
– 802.11b: Channels 1, 6, and 11 don’t overlap. Channels 1, 4, 8, and 11
have only a little bit of overlap.
Wireless “Alphabet Soup”
• 802.11b:
– Most common wireless protocol. Uses 2.4GHz frequency, with 11
Mbps bandwidth. (5 Mbps is more typical). ITSS wireless net
and most other campus wireless is based on this.
• 802.11a:
– Uses 5.5GHz range, 54 Mbps bandwidth (~20 Mbps is typical
performance). Produces too much radio power to be certified in
medical areas. Unlikely to become a standard at Stanford.
• 802.11g:
– Uses 2.4GHz band and is compatible with 802.11b. Also 54 Mbps
bandwidth (~20 Mbps typical). An emerging standard, but likely
to grow in the future.
ITSS Wireless Net
ITSS Wireless Net
Overview
• Coverage map at http://wirelessnet.stanford.edu
• Wireless net uses separate physical and logical network. (Separate
switches, fiber, and address space.)
– Prevents layer 2 attacks (e.g., broadcasts, IP/MAC spoofing) on wired net
– Prevents wired broadcasts/multicasts from saturating wireless bandwidth
– Don’t have to dedicate department roaming IP’s for wireless users
• You still have to register wireless cards in NetDB.
– provide the hardware address of the wireless card
– enable “DHCP” and “roaming”.
• Wireless card recommendations
– Recommend Cisco and Apple cards which are available at the Bookstore.
– Any “WiFi” certified card should work.
ITSS Wireless Net
Security
• Wireless networks are inherently insecure
– Even with encryption, the data between client and AP’s is
available for anyone to capture.
– Most corporate wireless nets lie outside of firewalls.
• ITSS Wireless doesn’t use WEP
– Consumes client resources
– Well-known security vulnerabilities
• Other methods of wireless encryption are vendor-specific.
• Stanford uses wireless authentication to protect campus
resources.
ITSS Wireless Net
Authentication
• Protects the institution, not the user
• S/ident integration
– If you have PC/Mac-Leland, you’re all set
– First net activity should bring up PC/Mac-Leland automatically
• Web-based authentication backup
– First web page you get is the authentication page
– Automatically redirects you to your requested page after login
• Future Guest Login feature
– Any SUNet ID user will be able to sponsor a guest wireless
account
Department Wireless
My Department Wants Wireless!
• Net-to-jack clients are eligible for 1 AP for
every 16 wired ports.
• “Wireless net-to-jack”: For non-net-to-jack
clients, ITSS will do a survey, install,
monitor, maintain, and upgrade your
wireless network. Price is $31/month per
AP.
• Or….
Do-It-Yourself Options
• Option 1: ITSS can place a “wireless entrance”
switch in your building that carries the ITSS
Wireless net.
• Option 2: Departments can put their wireless
devices on their existing building net.
• Both options require departments to purchase
AP’s and switches. ITSS can recommend
equipment, but departments will need to do their
own survey and place access points.
Department Wireless Setup
• ITSS Wireless net always uses “Stanford”
as the SSID.
• AP’s plugged into the building net
shouldn’t use “Stanford”
– This has caused problems when users roam
between access points.
– Putting the department/group/lab name as the
SSID makes it clear to users who to call in case
of trouble.
Recommended Cards and AP’s
• 802.11b cards:
– Apple Airport card, Cisco Aironet 350 PC Card
– In principle, any card that adheres to the “WiFi”
certification should work.
• Access Points:
– Cisco Aironet 350 AP’s for departments.
Home Wireless Nets
Keeping Your Neighbors Out
• The range of wireless means that it’s very possible that
your neighbors can use your wireless net too. And see all
your traffic…
• Precautions:
– Most AP’s have MAC address filters so that only specific cards
can associate. This is the most important thing to enable!
– Most AP’s can also be set to not broadcast the SSID. (e.g., Apple
Airports call this “Create a closed network”) That way, people
have to know the name of your network in order to join.
– Definitely want to use encrypted protocols whenever possible.
– If available, consider turning down the power of your AP to
restrict the range.
Setup 1: Stanford DSL and
Stanford West
• In both cases, you can request multiple IP addresses for
home machines. You don’t need a DSL router.
• We suggest that you purchase access points that do
“bridging”, where traffic is simply forwarded between the
wired and wireless sides of the access point without
alteration.
– Examples: Cisco Aironet 350, Linksys WAP11, Apple Airport.
• We’ve seen a number of people on the campus or Stanford
West who have installed Airport base stations with DHCP
enabled on the Ethernet side, disrupting DHCP service.
– Breaks DHCP for other users.
– We shut down their connections…
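An added example, not part of the original slides: one way to spot the unauthorized DHCP servers described above is to parse captured DHCP reply payloads and flag any server identifier (option 54) that is not on an allowlist. The function names, the allowlist and the sample addresses are assumptions constructed for illustration; capturing the UDP payloads is left to whatever sniffer is in use.

```python
import ipaddress
import struct
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options
OFFER, ACK = 2, 5                    # values of option 53 (message type)

def parse_dhcp_reply(payload):
    """Return (msg_type, server_id, offered_ip), or None if not a valid reply."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None                  # too short, not a BOOTREPLY, or not DHCP
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = one-byte pad
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option header
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None                              # truncated option body
        opts[payload[i]] = data
        i += 2 + length
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None                  # need message type and server identifier
    return (opts[53][0], ipaddress.IPv4Address(opts[54]),
            ipaddress.IPv4Address(payload[16:20]))   # yiaddr = address handed out

def find_rogue_servers(payloads, authorized):
    """Map each unauthorized DHCP server to the addresses it offered or acked."""
    rogue = {}
    for p in payloads:
        reply = parse_dhcp_reply(p)
        if reply and reply[0] in (OFFER, ACK) and str(reply[1]) not in authorized:
            rogue.setdefault(str(reply[1]), []).append(str(reply[2]))
    return rogue

def build_reply(msg_type, server, offered):
    """Construct a minimal reply payload; used only to make sample data."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), ipaddress.IPv4Address(offered).packed,
                      bytes(4), bytes(4), bytes(16), bytes(64), bytes(128))
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"

# Constructed sample: one authorized server and one base station answering DHCP.
AUTHORIZED = {"192.0.2.1"}
SAMPLE = [build_reply(OFFER, "192.0.2.1", "192.0.2.50"),
          build_reply(OFFER, "10.0.1.1", "10.0.1.2"),
          build_reply(ACK, "10.0.1.1", "10.0.1.2")]
```

Calling `find_rogue_servers(SAMPLE, AUTHORIZED)` reports only the server that is not on the allowlist, together with the addresses it handed out.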
Setup 2: Non-Stanford DSL or
Cable Modem
• In many cases, you only get one IP address.
• Network Address Translation (NAT -- often
provided by “DSL/wireless routers”) can be used
to hide a network behind a single IP address:
– Some wireless units do this by default. E.g., Apple
Airport.
– Note that NAT disrupts some Stanford services,
especially WebAuth.
– Also interferes with some VPN setups.
Questions???
