First security: the only secure way of operating wireless (and the least bandwidth/labour intensive) is to drop WEP, SSIDs and MAC filters; put the APs on their own VLAN and then onto their own zone on your firewall, then use NoMachine NXServer/client (or any equivalent solution utilising the same standards) to operate the wireless devices as effective thin clients to whatever desktop OS you want to use. This uses about 40kb per client and leaves crackers with nowhere to go (well, apart from all over the client OS...).

Then reality: wireless was not designed for the use schools/colleges are trying to use it for - unless you adopt the NoMachine model above, only 802.11a will cope with the sort of intensive use you describe as there is enough frequency separation. There's also less range, which helps eliminate interference between APs, but will leave you needing rather more APs...

The other alternative is political - anyone with influence want to get the EC/UK regs on radio devices changed? There's a switched wireless solution from a company called Vivato which uses beamed signals to client devices, greatly increasing range and more or less eliminating interference. Unfortunately it exceeds the permitted ERP (effective radiated power) so we can't have it.

Cheers

Chris

-----Original Message-----
From:   Tony Whitmore [mailto:tonywhitmore@users.sourceforge.net]
Sent:   Mon 2/2/2004 6:11 PM
To:     Alan Davies; Suse Schools
Cc:    
Subject:        Re: [suse-linux-uk-schools] Wireless stuff
Alan Davies wrote:

<snip>

You shouldn't need to worry about these other devices - they shouldn't
interfere with the 802.11 standards. However, the overlapping channel
problem is significant. Through popularity, Channels 1, 6 and 11 are
generally used. (There's no huge benefit to the extra channels we have
in the EU, as we can't get another non-overlapping field out of them!)

This gets to be more of a problem when you have a building that might
have heavy wireless usage, but is relatively "permeable". We have a
building that (somehow) can be covered by two WAPs. Yet there's a
possibility of having a great number of laptops in this building. They
would, of course, all be sharing that 54Mbps. Adding a third WAP would
alleviate the situation slightly, but not to a revolutionary degree. If
anyone has any ideas about this sort of problem, I'd be glad to hear them!

> Then there is security.  We've all heard of those tin cans used as aerials
> by hackers driving around in cars.  So I set up 128bit WEP in the APs.

IIRC, crackers (this being a Linux list, after all :) ) only need to
sniff about 2GB-worth of net traffic to have a stab at getting your WEP
key - even for a 128-bit key.

That doesn't mean don't use it, but make sure you use MAC filters as
well. (OK, so you can spoof MACs too....)

> QUESTIONS:
> Why does the AP give me 4 keys? (but only transmit one?)  Is it a random
> choice for me?  Do I assign keys to different user groups so that I
> can forbid groups from connecting?  What's the idea?  Should I have the same key
> in the mobile (which only accepts one?) Can it be any of the 4 keys?

The theory is that you can set up 4 static keys on your WAP and enter
all four keys on the client machines. When you switch between one key
and another on the WAP, you then switch to the same numbered key on the
client.

If that all sounds fiddly, you're right. A friend of mine wrote a couple
of scripts to help under Linux, one of which was run by a LAN-side
server as a cron job - it used wget to send the appropriate HTTP request
to his D-link WAP to change the key to a different value. In fact, this
script enabled the use of many more than four WEP keys :) He then had a
client-side script that rotated keys at the same time via a cron job.
Unfortunately, I don't know a way of doing this automatically on Windows.

The "proper" way of doing dynamic keys is to use a RADIUS server at the
centre of your network. (There are Free RADIUS servers available.) These
assign a random and unique key to a client that passes a valid set of
credentials. This means that the keys change at a configurable interval,
often enough to make sniffing a pointless pastime. You will need to
ensure that your WAPs support RADIUS (my D-Link ones all do) and,
obviously, configure the RADIUS server.

> Should I set the SSID to be the same for the whole campus?  Does this
> make moving between access points easier (no need to select as you migrate?)

Yes, this is what we do. Students pick up a laptop and move to a
hot-spot. The laptop does the rest.

> (I don't think it's quite as transparent as mobile phone cells; there seems to
> be a gap of several seconds while it changes - and it tends to stick with the existing
> weak signal even if you are right next to another)

Yes, this is right - most cards will only look for a new WAP when they
lose contact with their "current" WAP completely. (There are some cards
that claim to do this dynamically, but I'm willing to bet that this is a
vendor-specific feature, and probably not supported with Linux drivers.)

> Or should I give a descriptive name to each AP?

Nah - see above :)

> If lots of users are in an area covered by more than one AP do the clients
> share out the connections? Do they pick the lowest channel or highest? At random?
> Or do they pick on the strength of the signal? Or the loading of the Access points?

Again, I've seen claims that some kit will choose a more distant
underloaded WAP against a closer higher loaded one. Generally, it just
seems to be whichever WAP responds first. However, I also would be
interested if someone knows more about this part.

Cheers,

Tony

--
To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe@suse.com
For additional commands, e-mail: suse-linux-uk-schools-help@suse.com
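An added illustration, not code from the thread or from either poster: a small Python model of the numbers behind Tony's advice on WEP and key rotation. WEP prepends a 24-bit per-frame IV to the RC4 key, so how much of the IV space one key consumes, and how soon an IV repeats, depends only on the number of frames sent under that key; the functions below work that out for the ~2GB figure quoted above and derive the longest RADIUS/cron rekey interval that keeps traffic under any single key below a chosen budget. The 1500-byte average frame and the assumption that a 54Mbps link carries its nominal rate as payload are assumptions, not facts from the thread.

```python
import math

IV_BITS = 24                 # WEP's per-frame IV is 24 bits wide
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs available per key

def frames_in_traffic(total_bytes, avg_frame_bytes=1500):
    """Frames (one IV each) carried by total_bytes; 1500-byte frames assumed."""
    return total_bytes // avg_frame_bytes

def iv_space_fraction(frames):
    """Share of the IV space used up if the card hands out IVs sequentially."""
    return min(frames, IV_SPACE) / IV_SPACE

def iv_reuse_probability(frames):
    """Chance that at least one IV repeats if the card picks IVs at random.
    Birthday bound: P(no repeat) ~ exp(-n(n-1)/2N)."""
    if frames >= IV_SPACE:
        return 1.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))

def seconds_to_reuse_probability(p, throughput_bytes_per_s, avg_frame_bytes=1500):
    """Seconds of sustained traffic until random-IV reuse probability reaches p."""
    n = math.sqrt(-2.0 * IV_SPACE * math.log(1.0 - p))   # frames at probability p
    return n / (throughput_bytes_per_s / avg_frame_bytes)

def max_rekey_interval_s(throughput_bytes_per_s, budget_bytes):
    """Longest key lifetime that keeps traffic under one key below budget_bytes."""
    return budget_bytes // throughput_bytes_per_s

def wep_rekey_report(traffic_budget_bytes=2 * 1024**3, link_bits_per_s=54_000_000):
    """Summarise the model for a per-key traffic budget (default: the ~2GB the
    thread cites) on a link assumed to deliver its nominal 54Mbps as payload."""
    frames = frames_in_traffic(traffic_budget_bytes)
    throughput = link_bits_per_s // 8
    return {
        "frames_per_key": frames,
        "iv_space_fraction": iv_space_fraction(frames),
        "iv_reuse_probability": iv_reuse_probability(frames),
        "seconds_to_50pct_iv_reuse": seconds_to_reuse_probability(0.5, throughput),
        "max_rekey_interval_s": max_rekey_interval_s(throughput, traffic_budget_bytes),
    }

if __name__ == "__main__":
    for name, value in wep_rekey_report().items():
        print(f"{name}: {value}")
```

The report shows why rotation can only bound how much ciphertext sits under one key, not prevent IV reuse: on a busy link a random-IV card hits a 50% reuse chance in about a second, while staying under the 2GB budget needs a rekey roughly every five minutes at full rate.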
