Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Technology

Building a Wireless Network for an Apartment Complex? 309

Posted by Cliff from the wave-of-the-future dept.
itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

  • Interference between WAP's (there's several buildings) - there are enough channels if we go 802.11a but cost is a concern.
  • Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
  • Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
What other things might I need to worry about?"
This discussion has been archived. No new comments can be posted.

Building a Wireless Network for an Apartment Complex? More

Building a Wireless Network for an Apartment Complex?

Comments Filter:

  • interference.. (Score:5, Interesting)

    by molo ( 94384 ) on Wednesday May 22, 2002 @08:53PM (#3569507) Journal
    Interference between the two WAPs is not really what you have to worry about. Put them on different channels on opposite ends of the chunk of 802.11b spectrum and its done.

    The real issue is interference from other devices. I hope no one has a 2.4GHz phone.. or a microwave.. or X11.. or one of the other dozens of devices on the (unregulated) 2.4GHz band. It can knock your 11Mbit down to 1.

    • Re:interference.. (Score:3, Funny)

      by molo ( 94384 )
      er.. um.. I meant X10. <slap> Bad Geek!
    • I couldnt use 2.4ghz remote video (computer display in livingroom), because of all the 2.4ghz interferance. Thou my 2.4ghz phone seems to work perfectly. Neighbors have X11 stuff too. Good luck.

    • X10 And WAP (Score:3, Informative)

      by K'tohg ( 115837 )

      My father is a big Radio Shack Remote lighting finatic. (X10) Every Light is hooked up with a remote switch. All his laps have the plugin appliance system. Even his Cristmas lights are X10 enabled.

      Well I needed to toss a cablle modem to me LAN which BTW was Wireless. And the only spot I had was down in the basement. Infact exactly 4 inches (yes I just mesured) away from the X10 modual controling the christmass lights.

      My laptop is now on the third floor on the other side of the house. Almost the furthest point without going outside. Well on avarage I get about an 80% signal strength considering the amount of plaster and copper pipes between me and the basement. (For some reason tonight I have a 60% strength).

      So, that being the case I'll go check the x-mass lights

      . . .

      Yup it worked... I'll place my bet that the interferance if any is not that big a deal!!!

      • Is your wireless gear 802.11a or 802.11b...?

      • Re:X10 And WAP (Score:3, Informative)

        by TeknoDragon ( 17295 )
        We recieve our internet access from TsunamiUSA.com, they put an access point in a central location in our appartment complex. We THOUGHT we were getting a land line. Our signal is running through a couple walls, some metal, and even with an antenna our signal strength is a paltry 28 of 92. (signal -67dbm, noise -98dbm, 2.412 GHz)

        First, the Entarasys drivers that we ran with windows sucked. After moving to the Linux 2.4 Orinoco drivers our upload was 5x better and download was 2x better. (antenna in the same location)

        Second, we have a 2.4Ghz digital spread spectrum phone. Channels 1 and 2 of this phone knock out our connection completely.

        We haven't noticed an AP side outage since switching to the linux drivers.

        I have one suggestion: DO NOT OVERSUBSCRIBE YOUR NETWORK! We have sporradic port 80 (while other ports work fine) and DNS failures all over the place as well as storms of very high packetloss during prime time. Tennants will start buying cable modems or DSL... as we're about to do.
    • I hope no one has a 2.4GHz phone..

      Exactly. :) I was at a friends place last weekend doing some programming, and before I went over I asked if he had all the cabling I needed to "plug-in". He told me to "get with the 90's" and grab a wireless card as he was running a wireless network at his place. I figured it was about time to upgrade and get rid of some wires at my own place, so not only did I pick up a card, I also picked up a WAP.

      Went over to his place, and things were going ducky, except occasionally the signal would drop from 90% to about 3%. When I asked him, he said that it happened occasionally, but he didn't know what was causing it.

      Turns out that it was his 2.4 GHz phone... his wife (who ran an at-home business) would be using the phone without him knowing it. The thing that twigged me was that Linksys was plastering the "2.4GHz" label all over the packaging of the WAP I just bought.

      We messed around a bit with phone base station and WAP placement, and eventually got rid off the problem when he dug out his old 900 MHz phone.

  • MAC Address/DHCP (Score:5, Informative)

    by dbarry ( 458863 ) on Wednesday May 22, 2002 @08:56PM (#3569522)
    mac addresses are fairly easy to spoof (at least in OpenBSD), and any two-bit prism based sniffer can tell the mac addresses of other nodes on the network. It would probably be better to go with a different scheme, such as login/passphrase authentication, rather than MAC address. I know UC berkeley is using some sort of program like that check out Calnet [berkeley.edu]
    • There are some products on the market, possibly under the name of Virtual Community Network solutions. I know my old company (before we crashed and burned) was developing a product for just this type of situation and I was coming up against most of these security concerns.

      From what I know of the different solutions most were a central server that all the access points connected to, that would then proxy/forward all requests to the internet.

      If you want to go for the extra evil points you could force ads to your clients with this type of solution as well.

    • Re:MAC Address/DHCP (Score:3, Informative)

      by sirket ( 60694 )
      The poster mentioned 802.11a not b. As a result, the product will be operating in the 5 GHz spectrum instead of 2.4.

      -sirket

    • Re:MAC Address/DHCP (Score:4, Funny)

      by Alan Cox ( 27532 ) on Wednesday May 22, 2002 @09:27PM (#3569644) Homepage
      WEP is worthless, MAC based authentication is worthless, basically treat the cards as a public shouting space no more.

      You need end to end encryption for the users. That is easy for the Unix crowd but for "what does this button do" level folks something like PoPTOP and getting them to use PPTP may work out easier (although early PPTP isnt terribly secure either)

      • Re:MAC Address/DHCP (Score:2, Insightful)

        by Anonymous Coward
        That point is debateable - this is a residential network. He will need stronger login security (maybe PPPoE would work for you - you'd just need a linux box somewhere acting as a radius server).

        Basically the people that need/are concerened about encryption can set it up, but why enforce an extra level of difficulty on the everday users who are checking out cnn.com and pr0n?

        • Re:MAC Address/DHCP (Score:3, Insightful)

          by Bishop ( 4500 )
          Strong authentication is needed for this network. A VPN is a pretty good way to insure strong authentication. PPPoE is no easier to setup then a VPN really. PPP authentication has problems anyway. Besides I think people are warming up to the idea of protecting their privacy.
        • first off, email passwords could easily be sniffed, passwords of all kinds can be collected.

          but most importantly, he doesnt want NONpaying customers on the network. He needs a way to authenticate a client, and prevent others from getting the mac address and spoofing etc.

          The users may not care about their security, but thats their problem. he cares about people abusing the network
  • once you are done with the physical layout you should consider a vpn-type solution along with WEP and an ACL to prevent passer-by's from hacking the tenant's machines...

    • Re:Security is the biggest issue... (Score:4, Insightful)

      by Anonymous Coward on Wednesday May 22, 2002 @09:43PM (#3569694)
      WEP is weak. Especially in situations where there is a lot of use and lots of bits flying around. All that one needs to do to crack a WEP key is accumulate data sent using said key.

      See: AirSnort

      Rather than worry about people having their sh*t sniffed, here are a couple other solutions:

      #1. Set up a portal that uses HTTPS and fetches web pages for the user, then presents these pages to them.

      Pros: Simple
      Cons: Doesn't really work all that well with some sites

      #2. Use IPSec

      Pros: Damn secure.
      Cons: CPU intensive, limited software support outside of the OSS crowd.

      #3. Keep it insecure, but keep the users educated. Let them know their data may be sniffed easily, but also let them know what HTTPS is. Show them how to sign into their Yahoo mail so that their password won't get sent in the clear, etc etc.

      Pros: Cheap ;)
      Cons: Depends on the intelligence of users. You never want to do that ;)
      • I think you missed his original idea, which is that you should implement a VPN, and still turn on WEP and ACL matching. This way, they'll break the ACL match, break WEP, and then go "Ahh crap! A VPN!", which at that point they may decide it's just too much to break. A VPN by itself, makes the job to break it easier, (even if not too much easier).

        Would you still leave your car doors unlocked if you had an engine immobilizer?

      • #2. Use IPSec
        Pros: Damn secure.
        Cons: CPU intensive, limited software support outside of the OSS crowd.

        OSS only? Win2k has support for it in its default configuration. I use this [ebootis.de] procedure to get win2k to connect to my frees/wan gateway using x.509 certificates. Piece of cake (it looks convoluted but it really easy once you do it once or twice) to set up, and lets anybody (linux, windows, mac, anyone with IPSec and x.509) on in a secure fashion.

        CPU intensive? Not that I'm aware of. I'm pushing about half a T1 to another frees/wan server using a P100 on one side and a P200 on the other. Now I imagine this scales less than linearly for each client that connects, but I've been pleased with the throughput of this little computer.

  • Answers (Score:5, Informative)

    by LowneWulf ( 210110 ) on Wednesday May 22, 2002 @09:00PM (#3569547)
    - 802.11 manages devices in a friendly way, and is designed specifically to play nice with lots of other 802.11 devices in the area. In fact, infrastructure networks assume it WILL work that way. Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
    - Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
    - I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.

    • Re:Answers (Score:3, Informative)

      by swillden ( 191260 )

      WEP management for an apartment will be hell

      I don't think it should be too bad. After all, the network operators are handing out all of the cards; if they use cards that store the keys in firmware and they load up the keys before issuing the cards, then management is no problem at all.

      If they decided to *change* the keys, then they'd have a problem, but the purpose of WEP in this case would be to provide a small additional hurdle to potential hitchhikers, not to provide real security, so I don't see a problem with a permanent key.

    • Re:Answers (Score:3, Informative)

      by essdodson ( 466448 )
      You do _NOT_ want the entire complex running under the same channel. The proper way to set things up is to blanket the entire area, then set channels so that no two access points within range of each other will be on the same channel. This will provide for seamless movement from one zone to the other. Also if you need more bandwidth setup two access points in the same location on different channels and you instantly double the ammount of wireless bandwidth in that area. Keep in mind that payload for wireless is typically around 8Mbit/sec or so. The card will then determine which channel is least saturated and pick that.

      I agree with the no security issue. You should make it clear that there is absolutely no security implied or promised. You'll shoot yourself in the foot as soon as someone's credit card number is sniffed after you told them it was all good. If you must setup security start with the assumption that every packet can and will be sniffed, with that in mind build VPN/IPSEC on top of that.

  • Wi-Fi (Score:5, Informative)

    by dsmey ( 193342 ) on Wednesday May 22, 2002 @09:01PM (#3569549)
    I am an assistant network engineer at a large midwestern university. Currently, like you we're in the process of figuring out how to deploy wireless access points. Our campus's Engineering Computer Network let us borrow a mobile testing appratus that has a WAP and an Antenna on it (looks like a camera tripod). We take it to different parts of our residence halls and, with a laptop, we take SNR readings from different parts of the surrounding rooms and record our measurements on the building blueprints. We figure we need about 6 WAP's to sufficiently cover the lounge areas of the older dormitories (with their steel and concrete infrastructure), but for your sake 2 WAP's should sufficiently cover a medium-sized apartment building and more. We also plan to cover several large outdoor areas, a library, and our Union right off the bat. The equipment we are using is Enterasys Roamabouts ($1000 a pop), [link] [enterasys.com] and they are highly configurable and have a ton of management features. We figure each WAP will get connected to a switch port on the Cisco Catalysts in our buildings. So far, we haven't done much in terms of the deployment because it is a long process, where the Physical Facilities department has to do the actual installation of the equipment, data jacks, etc. I assume in your case you can better coordinate this without all the red tape. We figure that by the time these are all installed and our userbase is well-informed of the network, we will have a great system that will scale to thousands of students and staff in the future.
    http://www.purdue.edu/ITaP/projects/wireless.shtml [purdue.edu]
    • Sweet, I'm attending purdue in the fall (Computer Engineering). Gonna have to get me the hookup :)

    • Re:Wi-Fi (Score:5, Funny)

      by gmkeegan ( 160779 ) <{moc.oohay} {ta} {nageekmg}> on Wednesday May 22, 2002 @10:27PM (#3569832)
      I am an assistant network engineer at a large midwestern university...

      I never thought a wireless project like this would happen to me. I was sitting in the study lounge in my dorm when this sexy coed network engineer walks up and asks, "I see you have a seven layer OSI model. That really turns me on..."

    • Re:Wi-Fi (Score:2, Informative)

      by Kunta Kinte ( 323399 )

      I'm a network admin as well. I'm working on implementing a wireless network as well at my day job ( small campus ). We just completed testing our initial vendors, and basically enterasys got it's butt kicked by cisco and agere ( formally lucent wifi division ) orinoco.

      Cisco came out to be the most powerful. No fair though since they transmit at 100w while the others come in about 30. But for value orinoco rose to the top. $75 nics, dual radio models for $600. checkout http://warehouse.com/ for some discent prices.

      both agere and enterasys have removeable radios on their APs, in fact the radios are just wifi pcmcia cards. The enterasys pc cards are OEMed orinocos.

      My recommendation is orinoco. But your findings might be different, so definately check it out for yourself

  • Concerns... (Score:2, Informative)

    by MarkKomus ( 71304 )
    - Interference between WAP's

    If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible. If you can get your hands on some a few to test with it would be worth while to mock up a few layouts and wander around with a laptop to measure single strength and interference.

    - Management of 'hitchhikers'

    In addition you could run WEP, it is breakable but its another layer or security. Sorta like the car theif will go for the car without the club.

    - Interference from WAP's and other devices that may be owned by tenants!

    Here could be your big problem. As someone else mentioned there are lots of 2.4Ghz devices. Most would only cause a local disturbence, but if I decided to set up a WAP in my apartment you have no grounds to stop me from doing so. Some WAPs are smart enough to work nicely together though so it might not be as big a deal as microwaves and cordless phones.

    • Can't you guys agree? (Score:5, Funny)

      by lycono ( 173768 ) on Wednesday May 22, 2002 @09:21PM (#3569621)
      Gotta love 'em.

      LowneWulf states:

      Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
      To which MarkKomus replies:
      If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible.
      LowneWulf states:
      Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices.
      Which is rebutted by MarkKomus:
      Interference from WAP's and other devices that may be owned by tenants! Here could be your big problem.
      I need to know who has more money or a bigger house so I can know who to believe!
      • Actually believe him, its been a while since I did this stuff. My brain forgot about the SSID stuff. You could still run into problems if I put my access point up on the same SSID as the main network. WEP can partly solve this. But as has been said before its breakable.

        Actually most wireless cards I saw will seemlessly switch channels to match a given SSID. So channel assignment usually is more based on local interference.
      • Couldn't have said it better myself! :)

  • Screw It... (Score:2, Insightful)

    by mogrefy ( 538023 )
    Just make it free (included in rent) and let everyone have internet... great for our communist society!

  • Berkeley wireless LAN (Score:3, Interesting)

    by minesweeper ( 580162 ) on Wednesday May 22, 2002 @09:01PM (#3569556) Homepage
    U.C. Berkeley has been working on implementing a wireless network around campus. You can read up on the project here [berkeley.edu]. It mentions some of the technical issues they face like 2.4GHz cordless phones and even interference from old microwave ovens.

  • Hitchhikers (Score:3, Interesting)

    by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Wednesday May 22, 2002 @09:07PM (#3569569)

    If you are worried about data sniffing, IPSec / WEP is your answer. If however, as I assume, you are worried about "free rides" on your bandwidth, I'd suggest PPPoE. That way no one gets on the network unless they have an account. Seeing how it is a relatively small number pf tenants I assume (less than 500 or so) it should be simple to keep a list of names / logins so as to provide a tenant with two logins should he get a second PC. This method saves you the hassle of managing a bunch of fixed IPs and MAC addresses with everyone on the network.

  • Our experience (Score:5, Informative)

    by The Ape With No Name ( 213531 ) on Wednesday May 22, 2002 @09:09PM (#3569575) Homepage
    We deployed the largest campus wireless (to date) network here [utk.edu]. Which involved a lot of the issues you bring up and then some. Was it a pain? Yup. Did we have to backtrack and reengineer (esp. security and client access)? Yup. Check out this stuff for some info:



    I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!

    PS. Cracks about Redneck Rocky Top and such ilk should be modded -1! ;-p
    • Our wireless guys pulled this off in 130 buildings over a several square kilometer area.

      But what they didn't tell you is exactly how they managed to pulled it off. Let's just say that I'll be looking at a nice influx of WiFi-Tech talent in about 50-60 years. I think I'll start them off with a nice simple job at the Electronic CounterMeasures factory.

      Signed,
      Satan
  • Everybody must be watching celebrity boxing II (truly what television was invented for!)

  • Security matters. (Score:3, Interesting)

    by dfeldman ( 541102 ) on Wednesday May 22, 2002 @09:10PM (#3569586) Homepage
    I have just one word of advise here: don't do it.

    Back at my alma mater, one of the students (who thought he was clever) founded an ISP that provided 802.11b wireless access to apartments on campus. Inevitably, the WEP key he used was compromised, and student account passwords were sniffed and abused. Now, common sense would dictate that he shouldn't be responsible for what a criminal does with his network; but common sense does not reign supreme in the ivory tower of academia. What happened next was shocking: the student was disciplined, expelled, and sued for damages by the state college. Although he certainly could have won his case in front of a jury, he settled because he could not afford $15k to hire a good trial lawyer. Right now he has no degree, can't get into a good school, and is pumping gas for a living.

    So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.

    df

    • Re:Security matters. (Score:4, Insightful)

      by Alex ( 342 ) on Wednesday May 22, 2002 @09:25PM (#3569640)
      I'll assume that he was running this ISP off of university bandwidth?

      Has it occurred that this may have been a SERIOUS breach of AUP?

      Alex
    • So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.

      This is what Limited Liability Companies (LLC's) are for. You create an LLC to run the network, which can cost as little as $50 depending on what state you are in, and then the only thing anyone can go after for liability is the LLC and its assets, not you or yours.

  • what is your job at the complex? (Score:5, Insightful)

    by edrugtrader ( 442064 ) on Wednesday May 22, 2002 @09:16PM (#3569608) Homepage
    are you just the fix-it guy that has computer knowledge, or a private contractor?

    if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.

    it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles what-so-ever. then pass the cost onto the tennant

    your month cost per tennant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.

    as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.
    • your month cost per tennant will probably be $20-30/month in hardware depreciation and bandwidth usage

      While amortization of assets is technically net worth lost, it's not cash outflow per se, and thus as long as the hardware keeps working, it's not applicable to the monthly cost. If you can keep it to the point it's worth nothing, I'd be quite surprised.

      What I would go for is 9 megabit SDSL if it's offered by the telco, or multiple DSL lines if not. You can provide the same theoretical bandwidth as a T1 (downstream, anyway) with one DSL connection, and there's no point getting a hardcore-business class line for residential-class users. This is also a great place for FTTH to take hold - run a fibre line to an apartment complex, branch off gigabit fibre to the buildings, run 10/100 up the buildings and out along the floors, and voila, instant high-speed network. Run the lot of them through a caching proxy server, and whee.

      That being said, how do the phone lines get into the building? A T1 is a great way to get a good 64 phone lines into a building. It's possible (to my limited knowledge) that they already have the equipment and technical expertese. Then again, I seriously doubt it.

      Anyway, that's my uneducated input on the subject. I'm going to go pretend to know enough to give medical advice now.

      --Dan
  • WEP is easily broken. There are several tools that make war driver's life really easy.

    I would set up the wireless network ouside a firewall, and then probably hook up a couple of machines with FreeSWAN or poptop (linux vpn servers) that will connect to the access points.

    See this paper [cigitallabs.com] for a good discussion on wireless security.

  • How I'd do it (Score:4, Insightful)

    by Xenophon Fenderson, ( 1469 ) <xenophon+slashdot@irtnog.org> on Wednesday May 22, 2002 @09:18PM (#3569616) Homepage

    There's several ways to go about this.

    1. Buy CheckPoint FireWall-1 in addition to your access points. There are SOHO versions of FW1 [checkpoint.com] on dedicated hardware (e.g. Nokia IP71 [checkpoint.com]) that retail for less than $1000 and can accomodate up to 50 users. Use its Session Authentication agent to arbitrate access to anything other than DHCP and don't bother with enabling WEP. Unfortunately, the agent seems to be only available for Windows 9X/ME/NT/2K/XP.
    2. Buy Cisco access points and Cisco ACS software and enable LEAP. While non-standard, you are probably forcing them to buy a wireless card anyway, and Cisco's client devices aren't all that expensive. The Aironet device is supported [cisco.com] in Windows [cisco.com] and Windows CE [cisco.com], Linux [cisco.com], and MacOS 9.x and 10.x [cisco.com]. My employer uses LEAP and it works great.
    3. Hack your own. Set up Linux and Squid and Apache and transparent forwarding to redirect unauthenticated web traffic to a HTTPS login form. Have the form automatically add the necessary firewall rules to allow them out, and have a cron job remove them after a delay. Upside: A five banana problem once you've mirrored enough of CPAN to write the Perl scripts. Downside: Easily spoofed/hacked with a copy of AirSnort, Kismet, and Ettercap.
    WEP key management sucks so hard that relying on it is stupid. I'd probably go the LEAP route just because it is so damn easy on both the client side and on the server side, even though I hate Cisco. The build-it-yourself solution would be a complete kludge and would be totally unsupportable except by the author, i.e. lots of work. The CheckPoint firewall is in between the Cisco (easy) and do-it-yourself (really hard) in terms of difficulty.

    Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.

  • Some real help (Score:3, Informative)

    by mrst3v3n ( 581058 ) on Wednesday May 22, 2002 @09:18PM (#3569617)
    Wireless network that spanned several different buildings, and required a few different AP's. Toughy, but not impossible. First, set each AP on its own channel. Second, enable MAC Address security for each Card on the network. Then instead of using DHCP to give out IPs you should assing each computer an IP and Subnet mask. Turn off DHCP server on the AP to try and stop any hitchhikers. The next thing you should do is enable WEP on the AP and the cards. Use the highest possible key. This should keep most of the standard users out of the network and force them to pay. As far as hardware, I suggest Linksys cards as they allow for the "any" SSID to be used allow each resident to use the best AP. Also, for desktops use USB so that you dont have to open up the computers. That could be a BIG liability for you and your employer. Only use PCI cards if they sign a letter releasing you from all liability. You can do this on 802.11b for the cost reasons. If you need further help with this project email me. If this works out please let me know.

  • IPSEC (Score:5, Informative)

    by SealBeater ( 143912 ) on Wednesday May 22, 2002 @09:24PM (#3569637) Homepage
    I don't know if it's been mentioned, but I would use IPSEC if I were you,
    simply because 802.11a/b sniffing is trivial now and mac address spoofing is
    even easier. Also, I would probably recommend against going with an
    established commercial wap product, as they all almost definately aren't going
    to have the flexibility you need in the future and are probably way too
    expensive. I would roll a couple of OpenBSD boxes with wireless cards, that
    way you have an all in one solution with lots of nifty stuff like traffic
    shaping per mac, monthly bandwidth accounting capablities via pf, syslog, and
    tons of other stuff that commercial vendors just don't offer. And I do mean,
    don't offer, regardless of price. This page [uni-erlangen.de]
    offers a good howto regarding ipsec on openbsd and this page [rt.fm]
    give a pretty good read on replacing wep with ipsec on openbsd as well. Good
    luck.

    SealBeater

    • Re:IPSEC (Score:3, Informative)

      by swillden ( 191260 )

      I don't know if it's been mentioned, but I would use IPSEC if I were you, simply because 802.11a/b sniffing is trivial now and mac address spoofing is even easier.

      Three points: First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done. Installing the needed software on all of the users' machines would be a bitch. And key management would be far, far worse.

      Second, using IPSec doesn't really solve your security problems, because every IPSec client has the secrets needed to access the network. That means a hacker only has to penetrate one host (and they're all hooked up to *radios*) and he's into the network as a whole. In addition to IPSec you also need firewalls on every machine to make sure that *only* IPSec traffic can get through to them.

      Third, and most important, who gives a rat's ass? This guy doesn't need real security, he just needs to make it a little bit harder for hitchhikers to use his Internet connection. If someone does get on, so what? They can sniff? Big deal, anything you send unencrypted over the net can be sniffed at every hop. Do you have some particular reason to trust all of those admins between you and wherever you're going? Of course not. And what about all of your neighbors? So use SSL and ssh to protect important data like credit card numbers and passwords and don't sweat the rest. The biggest danger here is that someone will score some free net access. 128-bit WEP, MAC filtering, hardwired DCHP assignments and maybe a little auditing of the DHCP logs should do the trick just fine. And maybe toss in a router with QoS extensions to make sure that neither hitchhikers not legitimate users can hog the whole pipe.

      The single most common mistake people make when discussing security is to forget to consider the level of security that is actually required before picking a solution. There's a reason that banks have armed security guards but self-pay boxes in parking lots don't.

      • Re:IPSEC (Score:2, Offtopic)

        by SealBeater ( 143912 )
        This guy doesn't need real security

        That's the problem, attitudes like yours. I could care less about sniffing
        traffic, that's not the point, the point is to replace WEP with something
        better, and the goal isn't to stop people from grabbing credit card details,
        it's to prevent Joe Hacker from having an easy leap off point to lauch attacks
        against others. In addition, you don't need firewalls on the machines to
        prevent traffic sniffing, ipsec tunnels set up on the boxes that pass IP traffic though
        the wireless link work just as well. here [microsoft.com]
        and here [securityfocus.com].

        It sounds like if you had your way, he should just put up a couple of apple
        airports and forget about it. What myself and others are doing is trying to
        implement a reasonable amount of security when it should be implemented, at the
        beginning, and not as a duct tape fix after there is an incident and this guy
        has to explain why attacks were launched from his network. At any rate, the
        openbsd boxes with wireless cards is still the ideal solution, both from a cost
        perspective and a security perspective. There have been attacks against all
        the commercial wireless access points, ranging from expensive Ciscos to
        Breezecom to Linksys. The point isn't to have a totally locked down B1 and
        above security implementation, it's to make it the kid with the laptop decide
        to move on to Joe User's unsecured Linksys and not this guys network. I also
        assume that this guy is looking for a way to keep costs low, and this is the
        best way to do it. Somebody earlier mentioned Cisco Catalysts, yea
        right

        SealBeater

      • Re:IPSEC (Score:3, Informative)

        by tzanger ( 1575 )

        First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done.

        <cough>bullshit<cough>

        I just went through it. Linux-Linux IPSec is literally a walk in the park. Linux-Win2k IPSec is proving more difficult but not by much. The trick is to use x.509 certificates and use Win2k/XP's built in IPSec. vpn.ebootis.de [ebootis.de] has a little package which wraps around Win2k/XP's MMC and makes setting up certificate-based IPSec a walk in the park. The best part is that your server doesn't change as you add clients; you just add their public keys to your ipsec.d directory and tell ipsec to reread the dir.

  • NoCatAuth (Score:2, Informative)

    by ekalb ( 537624 )
    NoCatAuth [nocat.net] is a project that attempts to address the security concerns of running subscription based wireless services. AFAIK though, it's designed so that you must build linux boxes to act as access points, it would take some hacking to get it to work with existing access points (most of which can be administered through snmp).
  • You probably do not want to use 802.11b wireless networking in an apartment complex, considering that a cordless phone can interfere with the signal and destroy all connections within. It happens all the time at my house.
  • If someone is determined enough, they can get on your WLAN. MAC addresses can be spoofed, WEP keys can be sniffed [shmoo.com]. All you can do is authenticate and log.

    I recently spoke to some keen fellows from Baylor University [baylor.edu] that have created an OpenBSD-based firewall/logging/authentication system that takes the poster's info page one step further. Everyone authenticates via an SSL-encrypted web site in order to join the network. DHCP leases are handed out in conjunction with a login session, so you can track who does what. Logging in also opens up your firewall to allow the newly-leased IP address through.

  • HomeRF 2 (Score:2, Informative)

    by Anonymous Coward
    We set up a small wireless network (5 hosts) at our apartment building to share internet. One of our biggest concerns was interference from other devices. On our limited budget we didn't have the luxury of buying signal testing equipment and AP's to see if 802.11b would be reliable in our building. So in the end, we went with HomeRF 2.0 equipment made by Proxim [proxim.com] which has a better range and is much better at avoiding interference than 802.11b and transmits at a similar 10Mbps.

    We bought the USB adaptors (for around $80) from Provantage [provantage.com] for less than any USB 802.11b adaptors we could find at the time.

    There are some limitations with HomeRF, (I don't think roaming between AP's is supported and only drivers for Windows and Mac are provided) but in our situation it was just what we needed and it's worked flawlessly. We've had no network downtime due to interference.

  • Don't bother with WiFi... (Score:5, Insightful)

    by YuppieScum ( 1096 ) on Wednesday May 22, 2002 @09:41PM (#3569685) Journal
    The whole point about using wireless LANs is to enable environments where you either need to support roaming/migrant users or you have little/no control over the local infrastructure.

    Neither is the case here.

    You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...

    I'd recommend taking a bit of up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you've going to value-add into the equation.

    This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

    If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?

    • Re:Don't bother with WiFi... (Score:4, Informative)

      by insomniak1 ( 265450 ) on Wednesday May 22, 2002 @10:55PM (#3569952)
      Here are a few truths about 802.11b gear (and a couple of tips):

      1) 11mbit/sec actually turns into about 5mbit/sec because of error correction. (if I remember correctly, the 802.11b standard does errorchecking in a manner where it sends 12 bits and half of that is check sum.)

      2) The top speed of the wireless wan is affected by the number of people on it. Just because each client connects to the AP at 11mbit/sec, it doesn't mean that the 11mbit will be guaranteed speeds.

      3) you'll most likely require more than a 'couple' of access points to achieve building-wide coverage. Even the number of people in the facility that you're trying to cover affects the cell coverage size. (water absorbs and reflects RF - make sure you keep that in mind if you have plenty of foliage in and around the buildings.)

      4) load-balancing is possible, but I've only seen it with the higher-end gear (ie. ciscos, etc.) That'll help with multiple people.

      5) RF is prone to SERIOUS interference and even the waves are affected by the structures. This is very evident when you are a few metersaway from a radio (not line of sight) and you get a strong signal, then suddenly you walk into a RF null. not fun.

      6)Make sure you use decent antennae (and make sure that the radios can handle the power requirements of the antennae you're using.)

      7)Make sure that your cables and the like are properly made if you're doing them youself. If your cables suck, your signal will go to hades.

      tip: make sure you have secure authentication systems and xmission security. it's no fun when someone gets 'smart' and steals free bandwidth... or worse, account data.

      tip: make sure you have something there that can protect your arse should something REALLY go wrong with the network. Hell hath no fury like a geek bereft of network access.

      tip: take the time to do the surveys. If you do proper surveys, you will be a much happier person in the long run.

      Anyhow -- There you go. I'm sure there's some more stuff I missed. Let's hear them. :)
    • I agree with you mostly except for...


      Put a switch on each floor (unmanaged 16-port switches are less than $80)


      No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you dont need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) longrun by doing these two things. Unless you want to walk to the place at 3am because some dumbass got rooted and you need to go unplug him because he's pingflooding efnet (it's going to happen, trust me.)

      • Re:Don't bother with WiFi... (Score:4, Insightful)

        by tzanger ( 1575 ) on Thursday May 23, 2002 @02:35AM (#3570695) Homepage

        No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you dont need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) longrun by doing these two things.

        Um, no.

        Nice 24-port unmanaged switches are best here. You will have a fat managed switch as the uplink for all of these floor-level switches, and you will have a decent router between that and your bandwidth provider. Use the managed switch to localize which floor the disturbance is coming from, then use the sniffer port to find out the IP. Finally, log in to the router and change the ACLs so that that user (or MAC addy) is simply not allowed to go anywhere. No need to blow enormous gobs of money on managed switches for every floor.

        • "Um, no." Or, at least, "Um, maybe."

          Sure, you can cut the bad box off at the router, but that's not going to help the other people in the building, or sharing the switch. One needs to decide whether the value of that functionality (being able to remotely turn off a particular node, w/o affecting anyone else) is worth the expense, or that need will be rare enough that you're willing to go the switch closet and physically unplug the node.

    • You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL...

      Wrong.

      Ever heard of contention ratio? Contention ratio is the ration between the actual bandwidth and the bandwidth available to each user. In this case you are providing 11 Mb/s of backbone for 50 users. Assuming a contention ratio of 50:1, which is fairly normal entry level ADSL, this wireless system can provide for ~3-11 Mb/s each for about 50 users. Or ~1-3 Mb/s per user at a contention ratio of 20:1.

      and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm)

      Plenty of people have used it over multi-km distances with no problem.

  • Why not wired? (Score:2, Informative)

    by coyote-san ( 38515 )
    Have you considered going with a wired solution instead of a wireless one?

    I assume that the units already have cable TV. If they do, you should be able to run a cat-5 cable beside the cable coax and replace the wall plates with one that includes both a coax port and cat-5 port. You then run the cables to a centralized 10base2 switch for each building, and thence to a central switch for the complex. You shouldn't skimp on these - get hubs with real VLANs. Commodity switches still leak information between the ports.

    This will initially be more expensive than tossing up some WAPs, but it will probably save you a lot of headaches down the road because you don't need to worry about people running AirSnort, or interference from common household electronics, or any other crap like that. If people really want wireless access, let them set up their own WAP, but make sure they know their access will be cut off if it's abused.

  • Use IPSEC or Kerberos with *at least* 1024-bit key (Score:4, Informative)

    by SailFly ( 560133 ) on Wednesday May 22, 2002 @09:50PM (#3569713) Homepage

    I setup a small AP in my apartment, only used by me, so far ;)

    I used an old 486 laptop running Linux 2.4.18 (RedHat base) with an Orinoco Silver card, using 40-bit WEP (which to a cracker, is slightly inconvenient at best) and IPTABLES, MAC filtering with IPSEC 3DES and 1024-bit keys.

    Be sure to use some kind of encryption better than WEP (like Checkpoint VPN, IPSEC, etc.) otherwise, it's only a matter of time before your users' account info is stolen.

    Also consider the kinds of antennas used on the AP. I actually bought the 3 dB loop antenna (size of a 10" plastic ruler) but I don't even need it within my own apartment (100' radius). I use both 2.4GHz phone and microwave with no major problems in my access. Mind you, I'm not using the link for heavy-use or Internet/media streaming. Here are some links to sites that helped me:

    Good luck with it, please post a link to your HOWTO when you get it running!

  • http://www.linksys.com/products/product.asp?grid=3 2&prid=416

    PLEBR10 - ethernet via powerline

    Are the apartments all on the same side of the transformer?

    Does the aprartment own the power lines in the complex?

    Better solution IMO no new wires, 12meg of
    data vs like 3-4 for 11.b stuff AND
    you can move it from outlet to outlet....

    No broadcasting via airwaves so people won't even think about checking the powerline for internet
    (for awhile).

    If the distance between the buildings is too great, or they are seperated by a transformer,
    I would think about doing a cat 5 or fiber run
    between the buidings. If not, the put
    a couple 11.a points up to interconnect.

  • Currently I am in the situation where I am trying to talk an office out of spending $6000 from one contractor on a wireless network. Their office is small and has absolutely no need for a wireless network (yet alone at the $6000 price tag). The lady in charge of this decission has no idea what she is talking about and has been brainwashed by her "personal technician" (who has qutie the cush job - $500/mo consultant wether he does something or not).

    But the point of my post is this: just because you can go wireless does not mean you always SHOULD - there are times when a wired network makes a hell of a lot more sense.

  • Think Security First! (Score:2, Informative)

    by vaughnch ( 581068 )
    Wireless 802.11b is riddled with insecurities. In addition to various improprieties within WEP (see attached), 802.11b access association scheme is inherantly insecure. The University of Maryland Study found that "while the current access points provide several security mechanisms,[their] work combined with the work of others show that ALL of these mechanisms are completely in-effective."
    The mechanisms they are referring to are :
    • WEP (Wired Equivalent Protocol)
    • Open Systems Authentication
    • Shared Key Authentication
    • Access Control Lists (MAC Address Lists)
    • Closed Network Access Control (LUCENTS Proprietary Access Control)
    The important thing to note here is that EVERY one of these mechanisms can be worked around.
    • WEP has known vulnerabilities allowing someone to decrypt information in real-time after capturing about a days worth of traffic.
    • Open Systems Authenticationhas "shown that the authentication management frames are sent in the clear even when WEP is enabled."
    • Shared Key Authenitication has shown that it is rudimentary to capture the Initialization Vector since it is sent in the clear as part of a WEP frame.
    • Standard Access Control Lists are easily circumvented by an attacker sniffing the network for a valid MAC and thus reprogramming their network card to an appropriate value to gain access to the network.
    • The proprietary Closed Network Access Control list that LUCENT (and others)touts as "a system that will not send the network identification (SSID) as a broadcast, thereby mandating that someone KNOW the SSID before they can associate to the network," is inherently flawed since:
    "Several management messages contain the network name, or SSID, and these messages are broadcast in the clear by access points and clients. The actual message containing the SSID depends on the vendor of the access point. The end result, however, is that an attacker can easily sniff the network name, determining the shared secret and gaining access to the "protected" network. This flaw exists even with WEP enabled because the management messages are broadcast in the clear."
    When setting up a wireless 802.11b network, you MUST consider it to be publicly accessible. Anyone who is motivated can gain access to your physical network. They need not be within 300 meters, and through the use of a Yagi antenna or some other directional device could gain access from miles away. If setting up a wireless network despite the vulnerabilities please follow the following suggestions:
    1. The most effective strategy would be to put your wireless access points into aIPSEC enabled DMZ, and have your wireless users tunnel into your network using a VPN. If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.
    2. Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses.( EAP (Extensible Authentication Protocol) is used to allow wireless clients to authenticate to RADIUS servers using a single sign-on. )
    3. At an absolute minimum, even with it's vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that's determining how long it takes to crack it, but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.
    REFERENCES

    University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf [umd.edu]

    Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksa proc.pdf [eyetap.org]

    AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.ht ml [rice.edu]

  • You may consider deploying BOTH 802.11b and 802.11a. There are devices that support both, such as the Cisco 1200, but no wireless cards for 802.11a yet (due August/September 2002). There are also devices that work with your existing Access Point, such as Symbol's Mobius 5224, which sits over an existing Symbol 802.11b access point, uses the same network cable (provides a second network port for the 802.11b AP) and even provides power for the old AP.

    If you go with 802.11a for any reason though, be warned, the cell sizes are MUCH smaller. The slowest 802.11a speed of 5 Mbit/s gives you coverage to about the same distance as 802.11b does at 5.5 Mbit/s. At least with 802.11b you can go slower in areas where the coverage is marginal.

    Antennas can make a big difference to your coverage pattern, and should not be underestimated. Using semi-directional antennas is also a good way to avoid or reduce outside coverage on a building, which makes it that little bit harder for carpark hackers to get in. If you have a lot of metal around, look at using diversity (2 antennas seperated by a small distance - each antennas signals are compared and the best signal is used), which will improve coverage and reduce dropouts.

    You will also want to consider the number and type of client radio's connecting to your 802.11b network. While 2 AP's might provide coverage, you may find the density of users brings everything to a crawl. Decent AP/Client card combo's will load balance across multiple AP's if the signal strength is there. Some AP's (particularly Cisco's) have a real problem delivering speed to more than 2 clients from a single AP at the same time, as they don't load balance (internally) properly. You will find 2 clients will get almost all the bandwidth, and the rest will get a tiny amount (eg: 4-10Kbit/sec). This is totally unacceptable for high user densities.

    As for security, there are a number of authentication systems out there that seem reasonable, such as EAP/TLS, and Kerberos based implementations, all implemented in the AP. Authenticating using DHCP and MAC addresses is not worth it, as you can fake MAC addresses easily, and you can always use a fixed IP. That said, if the AP has MAC level Access Lists, USE THEM where possible, with other security methods. Just makes it that little bit harder.

    EAP/TLS is the newcomer on the market, and usually relies on a Radius server for it's back end authentication. This is OK, as long as your users don't roam about at all. If they roam from one AP to the next, you will get delays of ~300ms as the AP re-authenicates itself with the Radius server. This might be OK if your users don't move around much, but is totally unacceptable if they are mobile in any way. All the Kerberos authentication systems I have seen distribute details to all the AP's at authentication time, so that roaming is about 50ms or less.

    With encryption, if you have WEP, enable it. Once again, like with MAC level ACL's, it's just one more thing for them to get through. Many AP's now support Dynamic WEP, or TKIP (Temporal Key Integrity Protocol). There are also some devices that support AES based encryption methods, and I wouldn't be surprised to see TKIP implemented with AES instead of WEP out there as well.

    Of course, you could also use a VPN solution like IPSec. I'd also recommend to use large keysizes, simply because you can. If you do use a VPN, STILL use WEP/TKIP/AES and ACL's, as it'll make it just that little bit harder to try and get into.

    Remember, the object is deter them from trying to break into your network. If they try long enough, they'd probably still eventually break in. But if they can break into another system in 1/100th of the time, then unless they have a major grudge or very specific reason, they'll go that way.

    Good luck!
  • I always get flamed when I post stuff like this but... Throughout college and for the next few years of my life I am going to live in an apartment complex and I really don't understand why newer apartment complexes aren't taking into consideration high speed internet access.

    Run some Cat5 through the walls and build a telephone/wiring closet into each building.

    Then raise the rent about $10 a month which will absorb the cost of a T-1 and a part-time techie. 25 buildings x 12 tenants x $10 = $3000. $1500 for the T-1 connection and $1500 to keep the techie happy.

    Wireless would be great, but I'll agree with the person who posted up above and say there is way too much junk out there interfering with the 2.4 GHz spectrum.

    Flame away....
    • Good idea, but your numbers are wrong. T1s btwn 25 buildings = 24 * (linecost of t1 between them). which is more then $3k already. Frame relay can get it a bit cheaper, but you're not gonna get it under the 1500 you need for profitability.

      The idea works if you have large-occupancy buildings, ie 100+, however doing internet connectivity to an apartment correctly is very hard. There's always going to be like 30 people with their kazaa [or thing like it] on at all times, that's going to make the connection unbearable. Then there's going to be the irc dumbass who is getting synflooded for insulting some 1337 h4x0ring group. Then there's .... on and on. Apt. connectivity requires a lot of babying that other clients dont, and that means much lower margins... and a lot of the time it just isnt worth it.

      I spent over a month setting up the architure to actually do an apt building correctly. Accounting, bandwidth monitoring, priority queueing, rate limiting, etc. This required a rather large infrastructure upgrade. The cost of that plus my labor costs will put us at break-even with the proposal in two-years time. While not necessarily a bad investment, it's a lot worse than your typical insurance company that just wants email and a webpage with their t1.
      • I'll ask you what I asked somebody else above. :) Could you post more info on your project, or, if you'd rather not broadcast the details to the world, send them to me @ sd-at-itwerx-dot-net?

        Thanks!

      • Good idea, but your numbers are wrong. T1s btwn 25 buildings = 24 * (linecost of t1 between them). which is more then $3k already. Frame relay can get it a bit cheaper, but you're not gonna get it under the 1500 you need for profitability.

        Why route a T1 to every building? If they're close enough you can do quick optical or even PTP wired links. If they're farther you could put unidirectional antennas on some 802.11 gear and do PTP links that way. You only need one T1 up to the bandwidth provider.

        Hell for that matter you could run DSL or cable to each of the buildings and link them together over a VPN but that's increasing your problems (telco/cableco goes down, etc.)

  • 802.1x authentication. 802.1x is a port based authentication method that can be backed up to a radius server, or any other type of authentication device. It is based on EAP, and allows an encryption algorithm to be specified to be used in conjunction with a client app, and the server. When manufacturers start sending APs with 802.1x support in the next month or so, this will be the preferred solution for wireless security. Oh yeah, Windows XP already has built in support for 802.1x too. This will be the next round of wireless security, at least until TKIP is deployed.
  • I use an old ThinkPad as my access point. It runs Linux. I assume that most of your clients are going to be running Windows. Anyone else should be clever enough to emulate PPTP.

    I first chose a random WEP key. I don't consider this secure at all.

    I have my ThinkPad play DHCP server (so anyone with the WEP key can get a DHCP addr), and firewall everything other than DHCP and PPTP from the wireless interface. I then use slirp with PoPToP to provide stateless 128-bit MPPE, and assign each windows box a unique password (this is where the security comes from). All real traffic is encrypted; all the user has to do is "dial-in". Of course, everything is NAT'ed; hope that's what you wanted anyways :)

    Obviously this works with 2 APs and one computer behind them.


  • Your abount to walk into support nightmare. Ever heard the term you touch it you own it. Never ever give your time away for free, period. Your free installation with become in a matter of days "you touched my computer and now the printer does not work". I am by no means telling you not to move forward with the idea, this has been pushed around a good bit by many people I know. I have even helped build out a full push for a new development. Pulls, switches, and the t's. All pre-wired, DHCP, and the price was included in the rent as a "plus" to moving into the new place. I wish you the best of luck, but figure out how to make your time worth it because once they get it for free and you have touched "their" system your going to get pointed at for all kinds of things.

  • re: WLAN for Apartment complex (Score:3, Informative)

    by Doc Wireless ( 581059 ) on Thursday May 23, 2002 @02:27AM (#3570679)
    Hello Cliff: While I have never posted on Slashdot I felt compelled to register and reply. PLEASE READ THIS CAREFULLY Allow me to explain that I am a network consultant and have learned the hard way on wireless--very hard and many sleepless nights. My first WLAN installation reminds me of where I think you may be right now, but I had done six months of research and had had endless hours of conversations with engineers from several manufacturers. Before we get to the problems I had, lets start with what you have missed overall: a site survey. NEVER even agree to take on a task like a WLAN unless you have done an extensive site survey. First, you will need blueprints if possible or will need to take fairly exact measurements of each apartment, know materials used in construction etc. You'll also need to have floor plans and more. That said, you should then know the maximum number of users and throw all the specs the manufacturer gave you out the window as regards range, distance and AP's required. And, I am assuming you will have over 20 users. In two different buildings? Don't go with consumer grade stuff like SMC for the AP's. SMC is the best of it but still lacks signal strength in many installs. Go with Cisco for AP's and routers, and ONLY Orinoco Gold cards for laptops and equivalent for desktops. You'll also need a portable spectrum analyzer and know how to intrepret the data it provides. Not sure if they can be rented but I paid $3,000 for mine and it was a deal. You'll need to set up the AP's and then go to every location and check SNR etc.--and record all the data. There's a mountain of paperwork on a project like this, just for the site survey alone. After that's done you will still need to go to each apartment with a mid-range laptop and again record signal strength etc. There will be dead spots, and God only knows where a tenant will put their PC. Now, you will have to roam about again with the spectrum analyzer AND a laptop to look for both multipath interference and to check for other 802.211b nets in the area. And did I mention if you are in a congested urban area or near a university or hospital you will also need to contact the admins at those institutions and hope they will cooperate and give you a map of their devices, antennae and locations? They generally will but may not even know where it all is if it's a large institution--and that can be yet another nightmare to solve. And, forget about promised scalability. Most AP's will really only handle 10 users or so, especially the consumer grade gear. At least unless things have changed drastically since November of 2001, my last nightmare install. You also have another problem: lack of a homogeneous hardware environment. On the Nigthmare Project 2001 (as I call it now) I had some PC's that never worked right if at all on the WLAN (30 users in one university residence, off-campus.) I spent an average of 8 hrs a day on the phone with high-level engineers from Cisco and SMC. Both companies were good but had to admit at times they had no idea why some problems happened. And I had their home and cell phone numbers. I know. Was dealing with a mix of Macs, Linux boxen and Windows PC's running anything from 98 to XP. And some were old Gateways, others new Dells. Gateways were the worst. Forget about the idea that your big worry will be with other 2.4 Ghz devices. Microwaves and phones have seldom been a problem for me on a project unless within 6 ft of the AP or wireless NIC. One stark exception is Panasonic phones, but this is a known issue fopr professionals. I am NOT anti-wireless but do think you should know that the obstacles you face are severe. I do this for a living and can say that I would not take on a project like this unless I had a very tight contract (you do have a lawyer, right.) CAT 5 and other options are cheaper and more reliable--and I haven't even touched on servers or security issues. Wireless is NOT cheaper, is more difficult to roll out and is a real headache--especially in historical buildings and those "impossible to wire" locations. I still do a lot of it but only for corporate installs where I have an open floor plan and decent line of sight. I also refuse to do an install now unless I know the company has skilled admins and will allow me indemnification. Do what you like but don't go into this believing all you have read from manufacturers or home users. Hope you don't have to learn as painfuly as I did. OK to email me at wavelanexperts@yahoo.com and I will be happy to chat on the phone or get you my real email. Good Luck!

  • Some Points (Score:3, Informative)

    by banadushi_ ( 168358 ) on Thursday May 23, 2002 @03:49AM (#3570872)
    I am in the process of developing a city-wide wireless network. Here are some of the thing I am doing in my lab to prepare for rollout.

    1. PPPoE
    Yes its anoying to users, and I'm not to fond of it myself, but it is a hell of alot better than any other auth method, IMHO, and it allows me to do some cool stuff with radius.

    2. Amps are your friend
    Most interference can be weeded out just by drownding it out. Pick a channel, and stay with it, when and if you have problems with interference amp it. Other devices that don't need as much as a spectrum in the 2.4 range, such as phones will just look for another clearer channel. At the ITECH i beamed in a signal into the convension center from a nearby hotel and ran an IP phone over it, I found out the morning of the show that lots of other people were using wireless inside the building, i just ran up to the roof of the hotel and stuck on an amp, and bamo 11Mbs, nailed.

    3. Channel Selection
    Most devices i've played with will either defaul to channel 1 or 6, put your signal on a high number like 9 to avoid killing your clients internal wireless network.

    4. Saturation
    The one concern I had is saturation, with only 11Mbs on 802.11b several power users could suck up alot of that. I would expect that more technical clients will realize that they are on an ethernet segment together and start setting up shared folders for their buddy 2 doors down so he can get all of his mp3s/porn. with enough users it could turn into a problem. I am remiding this by creating a backbone of 802.11a and then distriuting it with 802.11b

    just my $.02

Slashdot Top Deals

For God's sake, stop researching for a while and begin to think!

Close