Why Wireless?
(+) No wires. Convenience, flexible. But…
– (-) Relatively slow speeds, typically 5 Mbps with 802.11b. Nowhere near the 100 Mbps of a typical wired connection.
– (-) Wireless access points are hubs, not switches. Bandwidth is shared among wireless users. Think of it as phone party lines.
– (-) Data is freely available “in the air”. Traffic is easily sniffed. Data is not encrypted unless the protocol is encrypted (e.g., SSL and Kerberos). Stanford does not use WEP, because it can be cracked.

Wireless Terms
Access Point (or AP): device that sends and receives wireless signals. Usually directly connected to the wired net.
– ITSS uses Cisco Aironet 350 AP’s.
SSID: the network name that Access Points broadcast.
– ITSS uses “Stanford”.
– Departments and home users may want to use other names.
– Users can roam between access points with the same SSID.
Channel: radio frequency used by AP’s.
– AP’s near one another should use different channels to minimize noise.
– 802.11b: Channels 1, 6, and 11 don’t overlap. Channels 1, 4, 8, and 11 have only a little bit of overlap.

Wireless “Alphabet Soup”
802.11b:
– Most common wireless protocol. Uses 2.4GHz frequency, with 11 Mbps bandwidth. (5 Mbps is more typical). ITSS wireless net and most other campus wireless are based on this.
802.11a:
– Uses 5.5GHz range, 54 Mbps bandwidth (~20 Mbps is typical performance). Produces too much radio power to be certified in medical areas. Unlikely to become a standard at Stanford.
802.11g:
– Uses 2.4GHz band and is compatible with 802.11b. Also 54 Mbps bandwidth (~20 Mbps typical). An emerging standard, but likely to grow in the future.

ITSS Wireless Net Overview
Coverage map at http://wirelessnet.stanford.edu
Wireless net uses separate physical and logical network. (Separate switches, fiber, and address space.)
– Prevents layer 2 attacks (e.g., broadcasts, IP/MAC spoofing) on wired net
– Prevents wired broadcasts/multicasts from saturating wireless bandwidth
– Don’t have to dedicate department roaming IP’s for wireless users
You still have to register wireless cards in NetDB.
– provide the hardware address of the wireless card
– enable “DHCP” and “roaming”.
Wireless card recommendations
– Recommend Cisco and Apple cards which are available at the Bookstore.
– Any “WiFi” certified card should work.

ITSS Wireless Net Security
Wireless networks are inherently insecure
– Even with encryption, the data between client and AP’s are available for anyone to capture.
– Most corporate wireless nets lie outside of firewalls.
ITSS Wireless doesn’t use WEP
– Consumes client resources
– Well-known security vulnerabilities
Other methods of wireless encryption are vendor-specific.
Stanford uses wireless authentication to protect campus resources.

ITSS Wireless Net Authentication
Protects the institution, not the user
S/ident integration
– If you have PC/Mac-Leland, you’re all set
– First net activity should bring up PC/Mac-Leland automatically
Web-based authentication backup
– First web page you get is the authentication page
– Automatically redirects you to your requested page after login
Future Guest Login feature
– Any SUNet ID user will be able to sponsor a guest wireless account

My Department Wants Wireless!
Net-to-jack clients are eligible for 1 AP for every 16 wired ports.
“Wireless net-to-jack”: For non-net-to-jack clients, ITSS will do a survey, install, monitor, maintain, and upgrade your wireless network. Price is $31/month per AP.
Or….

Do-It-Yourself Options
Option 1: ITSS can place a “wireless entrance” switch in your building that carries the ITSS Wireless net.
Option 2: Departments can put their wireless devices on their existing building net.
Both options require departments to purchase AP’s and switches.
ITSS can recommend equipment, but departments will need to do their own survey and place access points.

Department Wireless Setup
ITSS Wireless net always uses “Stanford” as the SSID.
AP’s plugged into the building net shouldn’t use “Stanford”
– This has caused problems when users roam between access points.
– Putting the department/group/lab name as the SSID makes it clear to users whom to call in case of trouble.

Recommended Cards and AP’s
802.11b cards:
– Apple Airport card, Cisco Aironet 350 PC Card
– In principle, any card that adheres to the “WiFi” certification should work.
Access Points:
– Cisco Aironet 350 AP’s for departments.

Keeping Your Neighbors Out
The range of wireless means that it’s very possible that your neighbors can use your wireless net too. And see all your traffic…
Precautions:
– Most AP’s have MAC address filters so that only specific cards can associate. This is the most important thing to enable!
– Most AP’s can also be set to not broadcast the SSID. (e.g., Apple Airports call this “Create a closed network”) That way, people have to know the name of your network in order to join.
– Definitely want to use encrypted protocols whenever possible.
– If available, consider turning down the power of your AP to restrict the range.

Setup 1: Stanford DSL and Stanford West
In both cases, you can request multiple IP addresses for home machines. You don’t need a DSL router.
We suggest that you purchase access points that do “bridging”, where traffic is simply forwarded between the wired and wireless sides of the access point without alteration.
– Examples: Cisco Aironet 350, Linksys WAP11, Apple Airport.
We’ve seen a number of people on the campus or Stanford West who have installed Airport base stations with DHCP enabled on the Ethernet side, disrupting DHCP service.
– Breaks DHCP for other users.
– We shut down their connections…

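The DHCP disruption described on this slide can be spotted from captured DHCP traffic by checking which servers are answering clients. The following is an added example, not part of the original slides or any ITSS tooling: the function names are hypothetical, and the authorized server 192.0.2.1 and the unexpected server 10.0.1.1 are constructed sample values.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes DHCP options
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
SERVER_REPLIES = {2, 5, 6}           # DHCPOFFER, DHCPACK, DHCPNAK

def parse_dhcp(payload):
    """Return (message_type, server_id) from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg_type, server_id = None, None
    i = 240                          # options start after header + cookie
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg_type, server_id

def find_rogue_servers(payloads, authorized):
    """Server IDs seen in server replies that are not on the authorized list."""
    rogue = set()
    for p in payloads:
        try:
            msg_type, server_id = parse_dhcp(p)
        except ValueError:
            continue                 # skip malformed or non-DHCP payloads
        if msg_type in SERVER_REPLIES and server_id and server_id not in authorized:
            rogue.add(server_id)
    return sorted(rogue)

def _build(msg_type, server_ip):
    """Constructed sample message: 236-byte header, cookie, options 53 and 54."""
    op = 1 if msg_type in (1, 3) else 2   # client request vs. server reply
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + b"\xff"

# Constructed capture: authorized offer, unexpected offer, and a client request.
SAMPLES = [_build(2, "192.0.2.1"), _build(2, "10.0.1.1"), _build(3, "192.0.2.1")]
```

Calling `find_rogue_servers(SAMPLES, {"192.0.2.1"})` reports only the unexpected responder; client messages are ignored even though they also carry a server identifier.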
Setup 2: Non-Stanford DSL or Cable Modem
In many cases, you only get one IP address.
Network Address Translation (NAT -- often provided by “DSL/wireless routers”) can be used to hide a network behind a single IP address:
– Some wireless units do this by default. E.g., Apple Airport.
– Note that NAT disrupts some Stanford services, especially WebAuth.
– Also interferes with some VPN setups.