First security: the only secure way of operating wireless (and the least bandwidth/labour intensive) is to drop WEP, SSIDs and MAC filters; put the APs on their own VLAN and then onto their own zone on your firewall, then use NoMachine NXServer/client (or any equivalent solution utilising the same standards) to operate the wireless devices as effective thin clients to whatever desktop OS you want to use. This uses about 40kb per client and leaves crackers with nowhere to go (well, apart from all over the client OS...).
Then reality: wireless was not designed for the use schools/colleges are trying to use it for - unless you adopt the NoMachine model above, only 802.11a will cope with the sort of intensive use you describe as there is enough frequency separation. There's also less range, which helps eliminate interference between APs, but will leave you needing rather more APs...
The other alternative is political - anyone with influence want to get the EC/UK regs on radio devices changed? There's a switched wireless solution from a company called Vivato which uses beamed signals to client devices, greatly increasing range and more or less eliminating interference. Unfortunately it exceeds the permitted ERP (effective radiated power) so we can't have it.
From: Tony Whitmore [mailto:firstname.lastname@example.org]
Sent: Mon 2/2/2004 6:11 PM
To: Alan Davies; Suse Schools
Subject: Re: [suse-linux-uk-schools] Wireless stuff
Alan Davies wrote:
You shouldn't need to worry about these other devices - they shouldn't
interfere with the 802.11 standards. However, the overlapping channel
problem is significant. Through popularity, Channels 1, 6 and 11 are
generally used. (There's no huge benefit to the extra channels we have
in the EU, as we can't get another non-overlapping field out of them!)
This gets to be more of a problem when you have a building that might
have heavy wireless usage, but is relatively "permeable". We have a
building that (somehow) can be covered by two WAPs. Yet there's a
possibility of having a great number of laptops in this building. They
would, of course, all be sharing that 54Mbps. Adding a third WAP would
alleviate the situation slightly, but not to a revolutionary degree. If
anyone has any ideas about this sort of problem, I'd be glad to hear them!
> Then there is security. We've all heard of those tin cans used as aerials
> by hackers driving around in cars. So I set up 128bit WEP in the APs.
IIRC, crackers (this being a Linux list, after all :) ) only need to
sniff about 2GB-worth of net traffic to have a stab at getting your WEP
key - even for a 128-bit key.
That doesn't mean don't use it, but make sure you use MAC filters as
well. (OK, so you can spoof MACs too....)
> Why does the AP give me 4 keys? (but only transmit one?) Is it a random
> choice for me? Do I assign keys to different user groups so that I
> can forbid groups for connecting? What's the idea? Should I have the same key
> in the mobile (which only accepts one?) Can it be any of the 4 keys?
The theory is that you can set up 4 static keys on your WAP and enter
all four keys on the client machines. When you switch between one key
and another on the WAP, you then switch to the same numbered key on the
If that all sounds fiddly, you're right. A friend of mine wrote a couple
of scripts to help under Linux, one of which was run by a LAN-side
server as a cron job - it used wget to send the appropriate HTTP request
to his D-link WAP to change the key to a different value. In fact, this
script enabled the use of many more than four WEP keys :) He then had a
client-side script that rotated keys at the same time via a cron job.
Unfortunately, I don't know a way of doing this automatically on Windows.
The "proper" way of doing dynamic keys is to use a RADIUS server at the
centre of your network. (There are Free RADIUS servers available.) These
assign a random and unique key to a client that passes a valid set of
credentials. This means that the keys change at a configurable interval,
often enough to make sniffing a pointless pastime. You will need to
ensure that your WAPs support RADIUS (my D-link ones all do) and,
obviously, configure the RADIUS server.
> Should I set the SSID to be the same for the whole campus? Does this
> make moving between access points easier (no need to select as you migrate?)
Yes, this is what we do. Students pick up a laptop and move to a
hot-spot. The laptop does the rest.
> (I don't think it's quite as transparent as mobile phone cells; there seems to
> be a gap of several seconds while it changes - and tends to stick with existing
> weak signal even if you are right next to another)
Yes, this is right - most cards will only look for a new WAP when they
lose contact with their "current" WAP completely. (There are some cards
that claim to do this dynamically, but I'm willing to bet that this is a
vendor-specific feature, and probably not supported with Linux drivers.)
> Or should I give a descriptive name to each AP?
Nah - see above :)
> If lots of users are in an area covered by more than one AP do the clients
> share out the connections? Do they pick the lowest channel or highest? At random?
> Or do they pick on the strength of the signal? Or the loading of the Access points?
Again, I've seen claims that some kit will choose a more distant
underloaded WAP against a closer higher loaded one. Generally, it just
seems to be whichever WAP responds first. However, I also would be
interested if someone knows more about this part.
To unsubscribe, e-mail: suse-linux-uk-schools-unsubscribe(a)suse.com
For additional commands, e-mail: suse-linux-uk-schools-help(a)suse.com
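Tony's answer above covers the four WEP key slots on the AP and the 64-bit versus 128-bit key sizes that tripped up the PDAs. The Python below is an added illustration for this archive, not code from the thread or from any of its posters: it reads the 4-byte WEP header of a frame body to find which key slot the sender named, and checks a typed hex key against the two WEP secret lengths. The frame bytes and the key table are constructed; the header layout (3-byte IV followed by a byte whose top two bits are the key index) is standard 802.11 WEP framing.

```python
# Added example, not from the list thread: read the WEP header of a captured
# 802.11 data-frame body to see which of the four key slots it names, and check
# a typed key against the two WEP key sizes. The frame bytes and key table
# below are constructed for the demonstration.

# "64-bit" WEP = 40-bit secret + 24-bit IV (5 bytes / 10 hex digits);
# "128-bit" WEP = 104-bit secret + 24-bit IV (13 bytes / 26 hex digits).
SECRET_BYTES_BY_STRENGTH = {5: 64, 13: 128}

# Constructed key table: four slots, as the AP's configuration page offers.
KEY_TABLE = [
    "0123456789",                  # slot 0: 64-bit
    "abcdefabcdefabcdefabcdefab",  # slot 1: 128-bit
    "deadbeef00deadbeef00deadbe",  # slot 2: 128-bit
    None,                          # slot 3: not configured
]

# Constructed frame body: 3-byte IV, key-id byte (key slot 2 => 0b10 in the
# top two bits = 0x80), some ciphertext bytes, then the 4-byte ICV.
SAMPLE_FRAME_BODY = bytes([0x11, 0x22, 0x33, 0x80]) + b"ciphertext" + bytes(4)


def parse_wep_header(frame_body):
    """Split a WEP-protected frame body into (iv, key_id, ciphertext_with_icv).

    The header is 4 bytes: a 3-byte initialisation vector and one byte whose
    top two bits carry the key index 0-3; the other six bits are padding.
    That index is how a receiver knows which of its four keys the sender used,
    which is why the AP can hold four keys yet transmit with only one."""
    if len(frame_body) < 8:  # 4-byte header plus at least the 4-byte ICV
        raise ValueError("frame body too short to carry a WEP header and ICV")
    iv = frame_body[:3]
    key_id = frame_body[3] >> 6
    return iv, key_id, frame_body[4:]


def wep_strength(key_hex):
    """Return 64 or 128 for a valid hex WEP secret, or None if an AP/client
    would reject it (wrong length or not hex). A client that only offers
    64-bit WEP has nowhere to put a 26-digit key at all."""
    try:
        secret = bytes.fromhex(key_hex)
    except ValueError:
        return None
    return SECRET_BYTES_BY_STRENGTH.get(len(secret))


def select_key(frame_body, key_table):
    """Look up the key slot a frame names; None if that slot is unconfigured."""
    _, key_id, _ = parse_wep_header(frame_body)
    if key_id >= len(key_table):
        return None
    return key_table[key_id]


if __name__ == "__main__":
    iv, key_id, _ = parse_wep_header(SAMPLE_FRAME_BODY)
    print(f"IV {iv.hex()} key slot {key_id} -> key {select_key(SAMPLE_FRAME_BODY, KEY_TABLE)}")
    for k in KEY_TABLE[:3]:
        print(k, "->", wep_strength(k), "bit")
```

Run stand-alone it reports that the constructed frame names slot 2 and classifies each configured key as 64- or 128-bit; feeding it the 26-digit key on a client that only accepts 10 digits is exactly the failure Alan saw on the PDAs.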
No - I haven't got as far as making our Suse box do
wireless - yet. But it's a small part of the plan....
We have decided to cover our campus with Wireless access points.
We went for 802.11g at a potential of 54Mb/s but with the
longer range of the old 802.11b standard. At the moment this
gives us more compatibility with existing kit - especially
PDAs which only seem to have 802.11b cards.
Of course I soon discover there is much to learn...
Channels 1 to 14 in the UK. I set my AP to channel 12. Our
PDAs would not pick it up. Why? Because only channels 1 to 11
are 'universal'; channels 12 to 14 are only available in UK (EEC?)
In the process I also discover that although the channels are 5MHz
apart each channel is 22MHz wide so there are only 3 effective non
overlapping channels - so some thought must be given to channel
settings on adjacent APs to get maximum benefit vs coverage. I'm not
sure how to decide which channel to use - if some channels are used
permanently by DECT phones, BlueTooth, etc how will I know? Are
there any reporting software utilities?
Then there is security. We've all heard of those tin cans used as aerials
by hackers driving around in cars. So I set up 128bit WEP in the APs.
Agh...the PDAs only cater for 64bit (not that it told me anywhere - it
was just impossible to type in the key - and they wouldn't connect..)
Why does the AP give me 4 keys? (but only transmit one?) Is it a random
choice for me? Do I assign keys to different user groups so that I
can forbid groups for connecting? What's the idea? Should I have the same key
in the mobile (which only accepts one?) Can it be any of the 4 keys?
Should I set the SSID to be the same for the whole campus? Does this
make moving between access points easier (no need to select as you migrate?)
(I don't think it's quite as transparent as mobile phone cells; there seems to
be a gap of several seconds while it changes - and tends to stick with existing
weak signal even if you are right next to another)
Or should I give a descriptive name to each AP?
If lots of users are in an area covered by more than one AP do the clients
share out the connections? Do they pick the lowest channel or highest? At random?
Or do they pick on the strength of the signal? Or the loading of the Access points?
Anyone with experience in these matters?
If so, what else would you draw my attention to?
Head of Computing
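Alan's question about channel spacing and Tony's reply (1, 6 and 11 in practice; nothing extra gained from 12 and 13 in the EU) come down to the same arithmetic: 5 MHz between channel centres against a 22 MHz channel width. The Python below is an added example, not from the thread or its posters. It assumes channel 1 is centred on 2412 MHz, and it goes one step beyond the thread by also modelling the Japan-only channel 14 at 2484 MHz so that the general rule shows through; the campus adjacency list is constructed.

```python
# Added example, not from the list thread: a small 2.4 GHz channel planner.
# Assumptions: channel centres are 5 MHz apart starting at 2412 MHz for
# channel 1, each transmission is ~22 MHz wide (both figures as stated in the
# thread), and channel 14 sits apart at 2484 MHz (an assumption about the
# Japan-only channel, included only to show the general rule).
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel number (1-14)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"no such 2.4 GHz channel: {channel}")
    if channel == 14:
        return 2484
    return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)


def overlaps(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_sets(available):
    """Every largest set of mutually non-overlapping channels drawn from `available`."""
    available = sorted(available)
    for size in range(len(available), 0, -1):
        found = [combo for combo in combinations(available, size)
                 if all(not overlaps(a, b) for a, b in combinations(combo, 2))]
        if found:
            return found
    return []


def plan(neighbours, available):
    """Greedy channel assignment: each AP takes the first channel that does not
    overlap with any already-assigned neighbour. None means no clean channel is
    left and that AP will share airtime with a neighbour.
    `neighbours` maps an AP name to the APs whose coverage it overlaps."""
    assignment = {}
    for name, adjacent in neighbours.items():
        taken = [assignment[n] for n in adjacent if assignment.get(n) is not None]
        assignment[name] = next(
            (ch for ch in available if not any(overlaps(ch, t) for t in taken)),
            None)
    return assignment


if __name__ == "__main__":
    print("UK/EU channels 1-13:", non_overlapping_sets(range(1, 14)))
    # Constructed campus: three APs that all hear each other, plus a fourth
    # that hears all three.
    campus = {"A": ["B", "C"], "B": ["A", "C"], "C": ["A", "B"], "D": ["A", "B", "C"]}
    print(plan(campus, range(1, 12)))
```

Run as a script it lists the ten three-channel sets you can get from channels 1-13 (never four, which is Tony's point about the extra EU channels) and then assigns 1, 6 and 11 to the three mutually audible APs; the fourth AP gets None, which is the "all sharing that 54Mbps" situation rather than a fourth clean channel.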
Mmmm! He's had me in the hunt now! Evidently it's a pointer on a web page to
a tar for a VNC type prog, but all of the links are dead. He's now rummaging
in RPMFind.net and is sounding excited so I think he may have found it. I'll
sign off now as his noise might wake the rest of the list! :-)
Thanks for your help
----- Original Message -----
From: Thomas Adam <thomas_adam16(a)yahoo.com>
To: adrian.wells <adrian.wells(a)sidcot.org.uk>
Sent: Monday, February 02, 2004 4:27 PM
Subject: Re: [suse-linux-uk-schools] File please
> --- "adrian.wells" <adrian.wells(a)sidcot.org.uk> wrote:
> > My assistant has
> > just asked me to ask if anyone knows where he can
> > download
> > the following file - he's had a search of the net...
> > x0rfbserver
> Double check that, would you, Adrian? How is it your colleague came by that
> -- Thomas Adam
> "The Linux Weekend Mechanic" -- http://linuxgazette.net
> "TAG Editor" -- http://linuxgazette.net
> "<shrug> We'll just save up your sins, Thomas, and punish
> you for all of them at once when you get better. The
> experience will probably kill you. :)"
> -- Benjamin A. Okopnik (Linux Gazette Technical Editor)
Subject: Re: [suse-linux-uk-schools] .htaccess
> > How do I make KDE show them? I've had a mooch about, but no joy.
> I presume you mean within KDE's konqueror file/web manager? Umm, I do not
> use KDE so I have no idea per se. I would imagine there is an option for
> it in one of the menus when you launch konqueror to browse say $HOME
Indeed! I'd had a look, but did not know that the options change when in the
home directory (if I read you right). I'll have a play when I'm next on that
side of the campus - it's raining now! :-(