Monday, 12 November 2007

Certified Wireless USB from the USB-IF

With more than 2 billion legacy wired USB connections in the world today, USB is the de facto standard in the personal computing industry. Soon, these same, fast, interoperable connections will become available in the wireless world, with the introduction of Certified Wireless USB from the USB-IF. Certified Wireless USB is the new wireless extension to USB that combines the speed and security of wired technology with the ease-of-use of wireless technology. Wireless connectivity has enabled a mobile lifestyle filled with conveniences for mobile computing users. Certified Wireless USB will support robust high-speed wireless connectivity by utilizing the common WiMedia MB-OFDM Ultra-wideband (UWB) radio platform as developed by the WiMedia Alliance.

UWB technology offers a solution for high bandwidth, low cost, low power consumption, and physical size requirements of next-generation consumer electronic devices.

Certified Wireless USB is the first high-speed wireless personal interconnect technology to meet the needs of multimedia consumer electronics, PC peripherals, and mobile devices.

Certified Wireless USB will preserve the functionality of wired USB while also unwiring the cable connection and providing enhanced support for streaming media CE devices and peripherals.

Certified Wireless USB performance is targeted at 480Mbps at 3 meters and 110Mbps at 10 meters.

Wireless USB Compliance Testing

Download and review the USB-IF Wireless USB Certification Procedures
Download and review the test specifications and test tools, and pre-test your products
Fill out the Wireless USB Certification Lab visit request form (optional)
Complete the Wireless USB product checklist and submit to the USB-IF
Compliant products will be posted to the USB-IF Integrators List

Sunday, 11 November 2007

Is dynamic WEP supported?

According to this article:
http://www.oreillynet.com/pub/wlg/4598
the «popular Hermes-based Orinoco 802.11b cards» don't have driver support
for dynamic keys.

On the other hand, the "802.1X Port-Based Authentication HOWTO" says:
«Many drivers developed outside the kernel, however, support for dynamic
WEP; HostAP, madwifi, Orinoco, and atmel should work without problems.»
(http://oreilly.linux.com/howtos/8021X-HOWTO/dynwep.shtml)

Who is right?
I have searched the Linux ORiNOCO Driver website and its mailing lists and
I have not found a single reference to dynamic WEP. Am I blind or is this a
too esoteric feature for orinoco card users?

Is Dynamic WEP Secure Enough enterprise solution?

Dynamic WEP refers to the combination of 802.1x technology and the EAP. EAP is a flexible Layer 2 authentication protocol and a replacement to PAP and CHAP under Point-to-Point Protocol (PPP). The term dynamic WEP is derived from its unique ability to change (rekey) encryption keys. This prevents an attacker from being able to collect enough data to crack the current encryption keys. Each time a user logs into the network, a new key is created for that session. No other user will have the same session key, and the key lengths are such that reuse of the keys would be impossible to predict. Dynamic WEP also initiates more frequent key updates during the user's session, constantly changing the user's key by periodically renewing the keys every few minutes. This prevents an attacker from capturing significant data with the same key, thereby preventing any meaningful decryption of the WEP key. 

The argument of secure environment using Dynamic WEP comes from the original post written by Mr. Shankar. I forgot the original link which linked back to his original post.


We have all considered how insecure Wireless is using dynamic WEP in the scenario mentioned and I quote - "Due to one of our applications, we will be sending a clear strong signal to the parking lot". As also the mail says "Right now my plan is use PEAP w MSCHAP v2 with dynamic WEP crypto for my corporate SSID" to quote from the mails of Rocko.

My understanding of Dynamic WEP is that, in the case of PEAP or for that matter any other form of EAP derived security, there is no single common WEP key that is derived and used for all the clients. The point I am trying to lay my stress on is "no single common WEP key". In this scenario - if we were to look at this organization where we assume, should I say about 100 Wireless clients, then at an average of 15 people under each Access Point, this translates to 15 different keys - one key per person on the same Access Point. Add to this the probability of people moving from one Access Point to another at every (say) 3 hours interval. Add to that the probability that the keys are not all changing at a defined point in time - this implies that based on when the user has derived the first dynamic key - the key changes at configured intervals.

To an external user (sitting in the parking lot) this poses 5 levels of randomness -

1. different users have different keys
2. different users changing their keys at different points in time
3. different users traversing across Access Points and hence changing their keys
4. The physical security that is existing on the ground that can contribute (if not greatly - at least to a reasonable extent) and hence the probability of finding out a parking lot hacker
5. Add again the probability of this guy getting sufficient numbers of weak IVs

Add to this, the number of users that are really sitting down in an area that provides a strong signal to the parking lot. Add also "direction finding capabilities" - (I am not too sure what this direction finding capability of the Access Point is, but based on context I guess it is something that deals with improving security).

SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.

Of course I would also like to add that we have not looked at whether this is a scenario where we have a Patch Antenna/ Parabolic Antenna that transmits signals in a defined direction - in this scenario there is a possibility of the replies above being used as an effective hack.

Moreover, most Organizations that have this level of consideration for security should be having some form of IDS/ IPS - NIDS/ HIDS - wouldn't these have detected/ alarmed the Admin in some way or the other if he is on the LAN/ some Server/ workstation?

Technically, if we were to sit down in front of a box, it will crack after some time, but realistically in the scenario - is this possible, I guess this is the outlook that we should take when we discuss on such problems. Moreover, this immediately puts a doubt in the mind of the person about PEAP and EAP related security measures or for that matter any solution when thought from this point angle.


I WOULD LIKE TO KNOW THE COMMUNITY'S VIEW IN THIS SCENARIO.
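
One way to put numbers on the rekey-interval question raised above, as an added example that is not part of the original post: it computes how many frames a client encrypts under one per-session key and whether the 24-bit WEP IV repeats within that key's lifetime. The client names, frame rates and IV-selection behaviour are constructed assumptions, and the model covers IV reuse only, not the weak-IV statistics of item 5.

```python
import math

IV_BITS = 24                # WEP carries a 24-bit IV in every frame
IV_SPACE = 1 << IV_BITS     # 16,777,216 IVs available under one key


def frames_per_key(frames_per_sec, rekey_minutes):
    """Frames one client encrypts under a single key before the next rekey."""
    return int(frames_per_sec * rekey_minutes * 60)


def p_iv_reuse_random(n_frames):
    """Chance that two of n frames share an IV when the sender picks IVs
    at random (standard birthday approximation)."""
    if n_frames < 2:
        return 0.0
    if n_frames > IV_SPACE:
        return 1.0          # more frames than IVs: reuse is certain
    return -math.expm1(-n_frames * (n_frames - 1) / (2 * IV_SPACE))


def iv_reused_counter(n_frames):
    """A sender that increments the IV per frame repeats one only after wrap."""
    return n_frames > IV_SPACE


def max_rekey_minutes(frames_per_sec, random_iv, p_max=0.01):
    """Longest rekey interval that keeps IV reuse under one key impossible
    (counter IVs) or below p_max (random IVs)."""
    if random_iv:
        budget = math.sqrt(2 * IV_SPACE * -math.log1p(-p_max))
    else:
        budget = IV_SPACE
    return budget / frames_per_sec / 60


# Constructed sample clients: (name, frames per second, picks IVs at random?)
SAMPLE_CLIENTS = [
    ("idle-laptop", 5, False),
    ("office-laptop", 50, True),
    ("file-transfer", 500, False),
]


def assess(clients, rekey_minutes):
    """Per client: frames per key, probability of IV reuse within one key
    lifetime, and the longest rekey interval that avoids it."""
    rows = []
    for name, fps, random_iv in clients:
        n = frames_per_key(fps, rekey_minutes)
        p = p_iv_reuse_random(n) if random_iv else float(iv_reused_counter(n))
        rows.append((name, n, round(p, 3),
                     round(max_rekey_minutes(fps, random_iv), 2)))
    return rows


if __name__ == "__main__":
    for minutes in (5, 60, 600):
        print(f"rekey every {minutes} min")
        for row in assess(SAMPLE_CLIENTS, minutes):
            print("  %-14s frames/key=%-9d P(IV reuse)=%.3f  "
                  "max interval=%.2f min" % row)
```

Each client has its own key, so the figures are per client rather than per access point, which is the point the post stresses.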

Securing Wireless LANs with PEAP and Passwords

The wireless local area network (WLAN) solution described in this documentation works equally well with either dynamic Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) WLAN protection. The implementation differences between the two are minor and are documented in this appendix.

Currently, there are some potential difficulties with using WPA, which include:

Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 1 and later.

Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates.


Using WPA in Place of WEP
Although the majority of the guide is applicable to both WPA and dynamic WEP, there are two main points in the documentation where the instructions differ:

• The “Creating an IAS Remote Access Policy for WLAN” section in Chapter 5, “Building the Wireless LAN Security Infrastructure.”

• The “Creating the WLAN Settings GPO” section in Chapter 6, “Configuring the Wireless LAN Clients.”


Creating an IAS Remote Access Policy for WLAN with WPA
To use WPA WLAN protection in place of dynamic WEP, you should set the client session time–out value to 8 hours instead of 60 minutes. WPA has an in–built mechanism to generate new WLAN encryption keys, so it does not need to force the clients to re–authenticate frequently. Eight hours is a reasonable value to ensure that clients have valid up–to–date credentials (for example, it ensures that a client cannot remain connected for excessive periods after its account has been disabled). In very high security environments, you can reduce this time–out value, if needed.

In the "Modifying the WLAN Access Policy Profile Settings" section in Chapter 5, “Building the Wireless LAN Security Infrastructure,” use the following procedure to set the remote access policy profile settings:

To modify wireless access policy profile settings:

1. In the Internet Authentication Service MMC, open the properties of the Allow Wireless LAN Access policy, and then click Edit Profile.

2. On the Dial-in Constraints tab, in the Minutes clients can be connected (Session-Timeout) field, type the value 480 (480 minutes or 8 hours).

3. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.


You also need to change the session time–out in the wireless access point (AP) to match (or exceed) the time–out value set in this procedure.

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure..., otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side–by–side with the 802.1X–based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop–down list.

5. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. (This is the CA that you installed to issue IAS server certificates—see Chapter 4 for more details).

Important: If you ever need to re–install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.


Configuring Pocket PC 2003 for WPA
WPA was not supported natively in Pocket PC 2003 at the time of writing; however, this may be implemented in the future. Support for WPA on Pocket PC may also be available from other vendors.

Migrating from WEP to WPA
If you have deployed a secure WLAN solution based on dynamic WEP and want to migrate to WPA, you need to follow the steps in this section. You must ensure that you have deployed WPA software support (for example, the Windows XP WPA component) and hardware support (AP firmware and network adapter driver updates) prior to the migration. References in this procedure to configuring WPA settings in GPOs are only valid when the GPO is edited from Windows Server 2003 Service Pack 1 or later. This service pack had not been released at the time of writing. If you are not using Windows Server 2003 Service Pack 1 or later, follow the instructions given in the “Manually Configuring Windows XP WLAN Settings” section in this appendix.

To migrate from WEP to WPA, if your APs support dynamic WEP and WPA simultaneously:

1. Configure all wireless APs to support both dynamic WEP and WPA.

2. Create a new WLAN client settings GPO. Create a Wireless Network policy that configures the correct settings for WPA (refer to the procedure provided in the "Manually Configuring Windows XP WLAN Settings" section in this appendix). Then disable the existing WEP GPO and enable the WPA GPO so that all WPA settings are sent out to all clients. The clients will start using WPA on the WLAN following the next GPO refresh.

Note: If you are configuring your clients manually, you must disable the GPO that contains the WEP settings; if you do not do this, the manual WPA settings will be overwritten by the GPO.

3. Finally, you should update the IAS remote access policy session time–out and the client session time–out in the AP (as described in the "IAS Remote Access Policy" section earlier in this appendix).

To migrate from WEP to WPA, if your APs do not support simultaneous use of WEP and WPA:

1. Create a new WLAN SSID for the WPA network.

2. Edit the client network settings GPO and add the new SSID using WPA parameters (as described in the "Manually Configuring Windows XP WLAN Settings" section earlier in this appendix). If you are configuring your clients manually, you should configure them with the new SSID and WPA settings for that SSID. Do not remove the settings for the old WEP SSID in either case.

3. Working site–by–site, reconfigure your APs from WEP to WPA support, changing the SSID of the AP. As you reconfigure each AP, the clients will switch to the new SSID and use WPA.

4. Once you have reconfigured all APs, you can update the remote access policies on all IAS servers. You need to increase the session time–out value in the remote access policy (from 60 minutes to 8 hours) and change the same setting in the wireless APs (as described in the "IAS Remote Access Policy" section in this appendix).

5. Once the migration is complete, you can remove the WEP SSID from the GPO.
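
The second migration path above (APs that cannot run WEP and WPA together), expressed as an audit over an exported settings inventory. This is an added example, not part of the guide; the record layout, field names, SSIDs, AP names and CA name are hypothetical and both inventories are constructed.

```python
import copy

WEP_TIMEOUT_MIN = 60     # session time-out the guide pairs with dynamic WEP
WPA_TIMEOUT_MIN = 480    # session time-out the guide pairs with WPA (8 hours)


def audit_migration(d):
    """Return findings for one deployment record (hypothetical layout)."""
    findings = []
    policy, aps = d["ias_policy"], d["aps"]
    old_ssid, new_ssid = d["wep_ssid"], d["wpa_ssid"]
    timeout = policy["session_timeout_min"]

    # Step 1: the WPA network gets its own SSID.
    if old_ssid == new_ssid:
        findings.append("WPA network must use a different SSID from the WEP network")

    # Step 3: each AP runs one mode and advertises the SSID for that mode;
    # its own time-out must match or exceed the IAS value.
    wep_aps = [ap["name"] for ap in aps if ap["mode"] == "dynamic-wep"]
    for ap in aps:
        expected = new_ssid if ap["mode"] == "wpa" else old_ssid
        if ap["ssid"] != expected:
            findings.append(f"{ap['name']}: mode {ap['mode']} with SSID {ap['ssid']}")
        if ap["session_timeout_min"] < timeout:
            findings.append(f"{ap['name']}: AP time-out {ap['session_timeout_min']} min "
                            f"is below the IAS value of {timeout} min")

    # Step 4: raise the time-out to 8 hours only once every AP is on WPA.
    limit = WEP_TIMEOUT_MIN if wep_aps else WPA_TIMEOUT_MIN
    if timeout > limit:
        findings.append(f"IAS Session-Timeout {timeout} min exceeds {limit} min "
                        f"(APs still on dynamic WEP: {', '.join(wep_aps) or 'none'})")
    if policy["termination_action"] != "RADIUS Request":
        findings.append("Termination-Action is not set to RADIUS Request")
    if policy["ignore_user_dialin_properties"] is not True:
        findings.append("Ignore-User-Dialin-Properties is not set to True")

    # Steps 2 and 5: clients need the WPA entry, and keep the WEP entry
    # for as long as any AP still serves the WEP SSID.
    networks = {n["ssid"]: n for n in d["client_profile"]}
    wpa = networks.get(new_ssid)
    if wpa is None:
        findings.append(f"client profile has no entry for {new_ssid}")
    else:
        if wpa["authentication"] != "WPA":      # WPA PSK is not acceptable here
            findings.append(f"{new_ssid}: authentication is "
                            f"{wpa['authentication']}, expected WPA")
        if wpa["encryption"] not in ("TKIP", "AES"):
            findings.append(f"{new_ssid}: encryption is {wpa['encryption']}")
        if (wpa["eap_type"], wpa["inner_method"]) != ("PEAP", "EAP-MS-CHAP v2"):
            findings.append(f"{new_ssid}: EAP settings are not PEAP with EAP-MS-CHAP v2")
        if not wpa["trusted_root_ca"]:
            findings.append(f"{new_ssid}: no trusted root CA selected")
    if wep_aps and old_ssid not in networks:
        findings.append(f"client profile dropped {old_ssid} while APs still use it")
    return findings


# Constructed inventory: migration half done, policy already raised to 480.
MID_MIGRATION = {
    "wep_ssid": "CORP-WLAN", "wpa_ssid": "CORP-WPA",
    "ias_policy": {"session_timeout_min": 480,
                   "termination_action": "RADIUS Request",
                   "ignore_user_dialin_properties": True},
    "aps": [
        {"name": "ap-hq-1", "mode": "wpa", "ssid": "CORP-WPA", "session_timeout_min": 480},
        {"name": "ap-branch-1", "mode": "dynamic-wep", "ssid": "CORP-WLAN",
         "session_timeout_min": 60},
    ],
    "client_profile": [
        {"ssid": "CORP-WLAN", "authentication": "Open", "encryption": "WEP",
         "eap_type": "PEAP", "inner_method": "EAP-MS-CHAP v2",
         "trusted_root_ca": "Example Root CA"},
        {"ssid": "CORP-WPA", "authentication": "WPA-PSK", "encryption": "TKIP",
         "eap_type": "PEAP", "inner_method": "EAP-MS-CHAP v2",
         "trusted_root_ca": "Example Root CA"},
    ],
}

# Constructed inventory: the same site after every AP has been reconfigured.
COMPLETED = copy.deepcopy(MID_MIGRATION)
COMPLETED["aps"][1].update(mode="wpa", ssid="CORP-WPA", session_timeout_min=480)
COMPLETED["client_profile"][1]["authentication"] = "WPA"

if __name__ == "__main__":
    for finding in audit_migration(MID_MIGRATION):
        print("FINDING:", finding)
    print("completed site findings:", audit_migration(COMPLETED))
```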


References
This section provides references to important supplementary information or other background material relevant to this appendix.

• The Cable Guy — March 2003, Wi-Fi Protected Access™ (WPA) Overview, available at the following URL:

http://www.microsoft.com/technet/community/columns/cableguy/cg0303.mspx

• Microsoft Knowledge Base Article 815485, "Overview of the WPA Wireless Security Update in Windows XP," available at the following URL:

http://support.microsoft.com/?kbid=815485

• Microsoft Press Pass Announcement on WPA Availability, available at the following URL:

http://www.microsoft.com/presspass/press/2003/mar03/03-31WiFiProtectedAccessPR.mspx

• "Wireless 802.11 Security with Windows XP" white paper available at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/administration/wirelesssecurity/

Securing Wireless LANs with PEAP and Passwords

The wireless local area network (WLAN) solution described in this documentation works equally well with either dynamic Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) WLAN protection. The implementation differences between the two are minor and are documented in this appendix.

Currently, there are some potential difficulties with using WPA, which include:

Manual configuration of WPA settings: The support for setting Windows XP client WPA settings using group policy is not available in the versions of Windows earlier than Windows Server™ 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 1 and later.

Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates.


Using WPA in Place of WEP
Although the majority of the guide is applicable to both WPA and dynamic WEP, there are two main points in the documentation where the instructions differ:

• The “Creating an IAS Remote Access Policy for WLAN” section in Chapter 5, “Building the Wireless LAN Security Infrastructure.”

• The “Creating the WLAN Settings GPO” section in Chapter 6, “Configuring the Wireless LAN Clients.”


Creating an IAS Remote Access Policy for WLAN with WPA
To use WPA WLAN protection in place of dynamic WEP, you should set the client session time–out value to 8 hours instead of 60 minutes. WPA has an in–built mechanism to generate new WLAN encryption keys, so it does not need to force the clients to re–authenticate frequently. Eight hours is a reasonable value to ensure that clients have valid up–to–date credentials (for example, it ensures that a client cannot remain connected for excessive periods after its account has been disabled). In very high security environments, you can reduce this time–out value, if needed.

In the "Modifying the WLAN Access Policy Profile Settings" section in Chapter 5, “Building the Wireless LAN Security Infrastructure,” use the following procedure to set the remote access policy profile settings:

To modify wireless access policy profile settings:

1. In the Internet Authentication Service MMC, open the properties of the Allow Wireless LAN Access policy, and then click Edit Profile.

2. On the Dial-in Constraints tab, in the Minutes clients can be connected (Session-Timeout) field, type the value 480 (480 minutes or 8 hours).

3. On the Advanced tab, add the Ignore-User-Dialin-Properties attribute, set it to True, and then add the Termination-Action attribute and set it to RADIUS Request.


You also need to change the session time-out in the wireless access point (AP) to match (or exceed) the time-out value set in this procedure.
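To confirm that the server actually returns the values set in this procedure, the following added example (not part of the original guide) decodes a RADIUS Access-Accept and checks Session-Timeout, Termination-Action and the AP time-out. It assumes the RFC 2865 encoding, in which Session-Timeout is carried in seconds (480 minutes is 28800); the function names are hypothetical and the sample packets are constructed for illustration.

```python
import struct

# Attribute numbers and values from RFC 2865 (RADIUS).
ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27       # 4-byte integer, in seconds on the wire
TERMINATION_ACTION = 29    # 4-byte integer: 0 = Default, 1 = RADIUS-Request
RADIUS_REQUEST = 1
WPA_SESSION_SECONDS = 480 * 60   # the 480 minutes (8 hours) typed in step 2


def parse_radius(packet):
    """Decode one RADIUS packet into (code, {attribute type: [raw values]})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = {}, 20            # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has a bad length" % a_type)
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def int_attr(attrs, a_type):
    """Return the first value of an integer attribute, or None if absent."""
    values = attrs.get(a_type)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("attribute %d is not a 4-byte integer" % a_type)
    return struct.unpack("!I", values[0])[0]


def audit_access_accept(packet, ap_timeout_seconds,
                        max_seconds=WPA_SESSION_SECONDS):
    """Return a list of findings; an empty list means the reply matches."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return ["not an Access-Accept (code %d)" % code]
    findings = []
    timeout = int_attr(attrs, SESSION_TIMEOUT)
    if timeout is None:
        findings.append("Session-Timeout missing")
    else:
        # A longer value lets a disabled account stay connected for longer.
        if timeout > max_seconds:
            findings.append("Session-Timeout %ds exceeds %ds"
                            % (timeout, max_seconds))
        # The AP time-out must match or exceed the policy value.
        if ap_timeout_seconds < timeout:
            findings.append("AP time-out %ds is shorter than Session-Timeout %ds"
                            % (ap_timeout_seconds, timeout))
    if int_attr(attrs, TERMINATION_ACTION) != RADIUS_REQUEST:
        findings.append("Termination-Action is not RADIUS-Request")
    return findings


def build_packet(code, attributes):
    """Build a constructed test packet (all-zero authenticator, not a capture)."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attributes)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: one reply that matches the WPA procedure, and one
# with a 24-hour time-out and no Termination-Action attribute.
GOOD = build_packet(ACCESS_ACCEPT, [(SESSION_TIMEOUT, 28800),
                                    (TERMINATION_ACTION, RADIUS_REQUEST)])
STALE = build_packet(ACCESS_ACCEPT, [(SESSION_TIMEOUT, 86400)])

if __name__ == "__main__":
    for name, pkt, ap in (("good", GOOD, 28800), ("stale", STALE, 3600)):
        print(name, audit_access_accept(pkt, ap) or "OK")
```

A shorter Session-Timeout passes the check, because the guide allows reducing the value in very high security environments.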

Manually Configuring Windows XP WLAN Settings for WPA
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it, and click Configure..., otherwise click Add (in the Preferred Networks section).

2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network.

Note: If you have an existing WLAN and you intend to run this side-by-side with the 802.1X-based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.

3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher strength Advanced Encryption Standard (AES) in place of TKIP).

4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop-down list.

5. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. (This is the CA that you installed to issue IAS server certificates—see Chapter 4 for more details).

Important: If you ever need to re-install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.

6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method and check the Enable Fast Reconnect option.

7. Close each properties window by clicking OK.


Configuring Pocket PC 2003 for WPA
WPA was not supported natively in Pocket PC 2003 at the time of writing; however, this may be implemented in the future. Support for WPA on Pocket PC may also be available from other vendors.

Migrating from WEP to WPA
If you have deployed a secure WLAN solution based on dynamic WEP and want to migrate to WPA, you need to follow the steps in this section. You must ensure that you have deployed WPA software support (for example, the Windows XP WPA component) and hardware support (AP firmware and network adapter driver updates) prior to the migration. References in this procedure to configuring WPA settings in GPOs are only valid when the GPO is edited from Windows Server 2003 Service Pack 1 or later. This service pack had not been released at the time of writing. If you are not using Windows Server 2003 Service Pack 1 or later, follow the instructions given in the “Manually Configuring Windows XP WLAN Settings” section in this appendix.

To migrate from WEP to WPA, if your APs support dynamic WEP and WPA simultaneously:

1. Configure all wireless APs to support both dynamic WEP and WPA.

2. Create a new WLAN client settings GPO. Create a Wireless Network policy that configures the correct settings for WPA (refer to the procedure provided in the "Manually Configuring Windows XP WLAN Settings" section in this appendix). Then disable the existing WEP GPO and enable the WPA GPO so that all WPA settings are sent out to all clients. The clients will start using WPA on the WLAN following the next GPO refresh.

Note: If you are configuring your clients manually, you must disable the GPO that contains the WEP settings; if you do not do this, the manual WPA settings will be overwritten by the GPO.

3. Finally, you should update the IAS remote access policy session time-out and the client session time-out in the AP (as described in the "IAS Remote Access Policy" section earlier in this appendix).

To migrate from WEP to WPA, if your APs do not support simultaneous use of WEP and WPA:

1. Create a new WLAN SSID for the WPA network.

2. Edit the client network settings GPO and add the new SSID using WPA parameters (as described in the "Manually Configuring Windows XP WLAN Settings" section earlier in this appendix). If you are configuring your clients manually, you should configure them with the new SSID and WPA settings for that SSID. Do not remove the settings for the old WEP SSID in either case.

3. Working site-by-site, reconfigure your APs from WEP to WPA support, changing the SSID of the AP. As you reconfigure each AP, the clients will switch to the new SSID and use WPA.

4. Once you have reconfigured all APs, you can update the remote access policies on all IAS servers. You need to increase the session time-out value in the remote access policy (from 60 minutes to 8 hours) and change the same setting in the wireless APs (as described in the "IAS Remote Access Policy" section in this appendix).

5. Once the migration is complete, you can remove the WEP SSID from the GPO.


References
This section provides references to important supplementary information or other background material relevant to this appendix.

• The Cable Guy — March 2003, Wi-Fi Protected Access™ (WPA) Overview, available at the following URL:

http://www.microsoft.com/technet/community/columns/cableguy/cg0303.mspx

• Microsoft Knowledge Base Article 815485, "Overview of the WPA Wireless Security Update in Windows XP," available at the following URL:

http://support.microsoft.com/?kbid=815485

• Microsoft Press Pass Announcement on WPA Availability, available at the following URL:

http://www.microsoft.com/presspass/press/2003/mar03/03-31WiFiProtectedAccessPR.mspx

• "Wireless 802.11 Security with Windows XP" white paper available at the following URL:

http://www.microsoft.com/windowsxp/pro/techinfo/administration/wirelesssecurity/

Hack most wireless LANs in minutes!

by: George Ou

Even after two years of WPA certification and nearly one year after 802.11i ratification, you might be wondering why I’m still talking about WEP encryption. The fact is, I would love to stop talking about it if there weren’t such an overwhelming percentage of corporations, retail outlets, and hospitals still using WEP. Although WPA brought us TKIP (think of TKIP as WEP 2.0) encryption and 802.11i brought us AES encryption, the upgrade process has been extremely painful and many products still don’t support TKIP, let alone AES. The sad state of wireless LAN security is that the majority of corporations and hospitals still use dynamic per-user, per-session WEP keys while the majority of retail outlets that I’ve seen still use a single, fixed WEP key.

In the past, a hacker was at the mercy of waiting long periods of time for legitimate traffic on a wireless LAN to collect 10 million packets to break a WEP key. In my previous blog on this topic, which was based on Mike Ossmann’s WEP article, I alerted you to the startling fact that even wireless LANs that used 802.1x/EAP authentication to dynamically assign unique per-user, per-session WEP keys were no longer safe against WEP hacking since WEP cryptanalysis had improved 50-fold. Instead of waiting for hours or even days for those 10 million packets, you now only needed about 200,000 packets to break WEP. Even though dynamic WEP key rotation could change a user’s WEP key every few minutes or so (note that key rotation isn’t always implemented by default), the new WEP cryptanalysis techniques put even dynamic WEP in striking range. Now with the new active attacks on WEP described in Ossmann’s follow-up article, hackers no longer need to passively wait for legitimate packets on a wireless LAN because they can actively inject packets into a wireless LAN to ensure a speedy packet collection session. The end result is, any WEP-based network with or without Dynamic WEP keys can now be cracked in minutes! If you’re scared, you should be, and you’d better go back and read the recommendations at the end of my previous blog if you’re still running WEP in any form.

Monday, 5 November 2007

Using an Unsecured Wireless Network

A reader recently asked about the risks of using open public WiFi hotspots. These links show as "unsecured wireless connections" on your Windows laptop. Is it safe to use your credit card over such connections? Are there any precautions to take to make your connection more secure?
When using an https:// connection through your Web browser, your personal information is protected, even on otherwise insecure connections. This is generally considered strong enough network security to have when sending your credit card number, for example. At a public hotspot, the greater risk is usually someone situated behind you able to see the numbers you type.

Another security risk on public hotspots involves other computers also connected to this unsecured network. Network attacks can be made through them, by connecting to your computer and possibly downloading information from your hard drive.

People address this latter problem by running a firewall program on their computer. Firewalls guard against these incoming attackers. It is additionally considered good practice not to stay connected to unsecured networks long enough to become an attack target. You should always run a good firewall program whenever connected to an "unsecured wireless network" and disconnect when not using your link.

What is infrastructure mode in wireless networking?

Infrastructure mode wireless networking bridges (joins) a wireless network to a wired Ethernet network. Infrastructure mode wireless also supports central connection points for WLAN clients.

A wireless access point (AP) is required for infrastructure mode wireless networking. To join the WLAN, the AP and all wireless clients must be configured to use the same SSID. The AP is then cabled to the wired network to allow wireless clients access to, for example, Internet connections or printers. Additional APs can be added to the WLAN to increase the reach of the infrastructure and support any number of wireless clients.

Compared to the alternative, ad-hoc wireless networks, infrastructure mode networks offer the advantage of scalability, centralized security management and improved reach.

The disadvantage of infrastructure wireless networks is simply the additional cost to purchase AP hardware.

Note that home wireless routers all feature a built-in AP to support infrastructure mode.

WiMAX expected to supercharge wireless applications

By Colin Gibbs

WiMAX could be the technology that fuels the fusion of all sorts of mobile applications, integrating video, location-based services and a host of other offerings.

And analysts generally agree that speedy access to the wireless Web will be the key.

“When I talk WiMAX, I always quote my boss Sean Maloney,” said Ron Peck of Intel Corp., referring to the company’s general manager of sales and marketing. “If you’re pitching WiMAX, you must repeat: the mobile Internet is the next big thing.”

It’s no secret that WiMAX offers a combination of wide coverage, high capacity and low latency rarely seen—if not unprecedented—in wireless. The technology is claimed to top out at 70 megabits per second and delivers a footprint of as many as 37 miles under ideal conditions (although not simultaneously—like DSL, the network’s speed is influenced by its reach, and vice versa).

Actual network speeds are likely to average between 2 and 4 Mbps, according to operators. But even on the low end, WiMAX appears to be speedier and offer more capacity than 3G networks.

Fat pipe for hungry users

That combination means more than just connecting lots of users more efficiently, according to Daryl Schoolar, a senior analyst with In-Stat. It means more consumers can consume more data, more quickly.

“From everything I’ve been told by vendors who make both WiMAX and cellular equipment, WiMAX has significantly lower lag,” said Schoolar. “They also tell me it can support more connected users. That would certainly lend itself toward real-time apps such as streaming apps.”

Which is why WiMAX is expected to give birth to a host of connected devices dedicated to a single use. Not only is the technology likely to serve as a catalyst for the production of mobile music and video players, it will provide connectivity to consumer electronics such as cameras, camcorders and gaming devices—devices that don’t traditionally offer network access.

Taking advantage of WiMAX

But even as it sparks an increase in the number of dedicated devices, WiMAX is predicted to provide a boost to converged devices. Just as 3G networks and GPS technology have provided a platform for developers to build compelling applications that deliver both relatively low latency and remarkably accurate location information, WiMAX’s speed and capacity could prove ideal for offerings that fuse a number of different applications.

“I think you’re going to see a lot of the video side of the Internet,” said Peck, including video-sharing and other mobile social networking features. “I also think you’re going to see a ton of visual apps” that integrate video with location-aware applications, games and other offerings.

Other possibilities include teleconferences that include both video and Web-based applications, and multiplayer games that feature GPS location information and nearly real-time play.

And while WiMAX may suffer in urban environments—where indoor usage may slow the network to the lower range of expected speeds even when a tower is relatively nearby—the technology will work hand-in-hand with Wi-Fi and other channels of connectivity, Peck said.

Questioning Wi-Fi

Wi-Fi is “stupid,” according to Peck, and simply offers a connection without taking other technologies into account. But WiMAX is “very smart” and can hand users off if a more efficient network is available. So consumers could surf the Web or sit in on a multiplayer gaming session on WiMAX on the commute home, then automatically switch to Wi-Fi when they get indoors.

So the new technology may provide a platform that not only serves as a high-speed highway, it will allow devices to take detours whenever backups occur. Developers will scramble to leverage WiMAX, Peck predicted, throwing all sorts of applications at the wall to see what sticks.

“I think it’s going to be the wild, wild West,” Peck predicted.

Sunday, 4 November 2007

Big players have big plans for WiMAX

By Kelly Hill

Consider WiMAX a bit schizophrenic. The technology is taking two divergent paths as different countries and different companies explore how best to put it to use in their respective markets.

Dr. Mohammad Shakouri, board member and VP of marketing for the WiMAX Forum, has described the technology as serving “the richest of the rich and the poorest of the poor” as companies lay out strategies that include either a high-end focused, consumer electronics play or a wireless broadband provider for the masses and in rural areas.

Both strategies are playing out in the U.S. market, but the space is dominated by three major players with large spectrum holdings in the 2.3 GHz and 2.5 GHz bands: AT&T Inc., Clearwire Corp. and Sprint Nextel Corp.

Sprint Nextel and Clearwire have been overshadowing the conversation of late, first appearing to operate on separate tracks and then announcing a partnership that is supposed to speed the deployment of mobile WiMAX as well as ease the burden of network costs for each respective company. The corporations have outlined a plan in which Sprint Nextel will build out 70% of the initial 100 million potential customers to be covered, while Clearwire builds out 30%. Sprint Nextel has outlined plans for a wide variety of consumer electronic devices to make use of the new network and also hinted at allowing wholesale agreements that could boost WiMAX traffic.

Sprint Nextel’s bet

Sprint Nextel has been outpaced in the traditional wireless market by Verizon Wireless and AT&T Mobility in subscriber growth and customer metrics, and it is betting that changing the nature of the competition will give it an advantage.

“It’s very difficult to change the balance of the subscriber bases right now in the U.S.,” said Moe Tanabian, analyst with IBB. Given Sprint Nextel’s customer and financial issues, he said, “they have to do something drastic. … They’re relying on this assumption—it may turn out to be true—that we’re moving from voice-centric wireless consumption to a data-centric wireless consumption” during the next three to five years.

Tanabian noted that Sprint Nextel first began its WiMAX push by aggressively talking up the technology and laying out ambitious plans—and that it has since toned down its approach a bit.

“They started to see things are not as rosy as they thought,” Tanabian said—and that led to the choice of Clearwire as a partner for WiMAX. The two companies plan to cooperate on services and branding under the Xohm brand name.

Clearwire’s upward mobility

For Clearwire, meanwhile, the announcement of the Sprint Nextel deal has catapulted it from an untried, small competitor into one that can play in the ranks of the top four wireless operators. It opens up the ability for the company to reach a vast potential customer base of 100 million people and to augment its coverage initially through use of Sprint Nextel’s cellular network.

Tanabian also noted that the company recently announced distribution agreements with satellite television providers DirecTV Group Inc. and EchoStar Communications Corp. that would enable it to fashion a triple-play bundle of services.

“They’re trying to diversify their business model,” Tanabian said. “So if for whatever reason the device ecosystem doesn’t develop as fast as they think it will, they still have other means of forging a business.

“Clearly, Clearwire was the winner from this deal—although Sprint won as well, by turning a foe into a friend and just getting rid of that headache. But Clearwire, it was just pure, sweet sugar for them.”

AT&T in Alaska

AT&T declined to speak about its plans for its holdings in the 2.3 GHz bands. However, the company did issue a statement on its strategy related to WiMAX, noting its deployment this summer in Alaska and apparently taking the path of using WiMAX to extend broadband coverage rather than push new technology.

“AT&T has been heavily involved in the development of emerging technologies like WiMAX and Wi-Fi mesh networks, which bring strong potential for extending and expanding customers’ ability to access broadband connections. The company has played a leading role in development of emerging WiMAX standards, and has launched 22 limited deployments and trials of WiMAX and other fixed wireless technologies to date, eight of which remain in operation as commercial offerings today,” said AT&T spokeswoman Jenny Parker.

Parker added that AT&T Alascom had announced its latest deployment of WiMAX in Juneau, Alaska, in July and that it “plans to deploy WiMAX-based broadband in additional Alaska markets in 2008.”

“Outside of Alaska, AT&T will evaluate further opportunities to deploy WiMAX and other fixed wireless technologies based on customer needs and the results of its existing technical and commercial deployments,” Parker said.

Those opportunities could also include the bucket of 700 MHz spectrum AT&T Mobility recently acquired from Aloha Partners L.P. for $2.5 billion. The spectrum, which is near the 700 MHz spectrum the government is scheduled to begin auctioning early next year, gives the industry’s No. 1 player a deeper spectrum portfolio covering nearly 200 million potential customers across the country.

The carrier said it has yet to decide how to use the spectrum, but with its enviable propagation characteristics, you can bet it will be for an important service.

“We’ll use the spectrum either for broadcast mobile or two-way voice and data services, but not both,” AT&T Mobility spokesman Michael Coe recently said. “We’ll make that determination based on what’s best for our customers.”

Thursday, 1 November 2007

Ready to Pull the Plug?

The advantages of a local area network (LAN) are obvious: Users can share software applications and data—in short, they can stay in touch. Equally obvious are its disadvantages: Each computer—even an otherwise portable laptop—must be tethered by cable to a port in the wall. Unplug and you’re offline and out of touch.

THE SPEED ISSUE

In the past, speed was not wireless’ strong suit, so potential users will want to know: Is a WLAN fast enough for our needs? A typical wired LAN transmits data at between 10 and 100 megabits per second (Mbps). The old wireless LANs (based on the 802.11 technical standard for wireless transmission) crept along at no more than 2 Mbps, which is why most users rejected WLANs unless they had no other choice. Now a new standard (802.11b) is able to move data at more than an order of magnitude faster—a speed that makes it nearly as fast as the lower end of the standard LAN transmission rate, and thus a practical choice for most business environments.

Compared with LAN hardware, WLAN equipment is relatively expensive (we’ll break down costs later in this article). However, when you factor in WLANs’ many savings—which we’ll also outline—the entire setup works out to be less expensive. Here’s why: The biggest single expense of a traditional LAN is the cost of installing it. Wires or cables have to be snaked under floors and through ceilings and walls, and ports must be installed for each computer hook-up. When an office is reconfigured, new cable usually has to be added and new ports installed so users can plug in. Those costs typically amount to several times the cost of the LAN equipment itself.

With a wireless system, however, you avoid all those structural installation costs because there’s no need to run wires or cable to each port—transmission is through the air. Since floors, ceilings and walls are transparent to radio waves, the signals go right through them. And since WLAN software is mostly plug-and-play capable, much of it loads onto the computer network automatically, requiring little customization.

In addition, because WLANs don’t need structural installation, moving the computer setup to a new office space is as simple as packing up the equipment, then unpacking it in the new location and plugging it into the electric wall socket. No walls or floors to open up, no cables, wires or ports to install. Even upgrades or office expansions are relatively easy because there is no need to replace or move anything structurally.

From a productivity point of view, WLANs are especially attractive. If the computer users in the office all work on laptops—recommended in a wireless office—they can stay connected no matter where in the area they tote their computers (or PDAs or handhelds). All the computers need are wireless network interface cards (NICs). That gives them full access to the files on the network, printers and the Internet. A WLAN with sufficient, properly positioned access points can provide wireless connectivity over an entire building or even over an office complex.

WORKING TOGETHER

When used in an audit or consulting engagement, WLANs really shine. For example, the auditors can take their laptops with them and:

Share disk storage on the senior auditor’s laptop, making many hard-copy workpapers unnecessary.

Access special application software designed for networks or collaborative workgroup projects, making the engagement more efficient.

Link to a client’s system more easily, enabling the use of client resources, including disk access for file downloads and fast Internet access.

When used in conferences, meetings and training programs, a wireless system makes it easier to display multimedia presentations, technical documents, training exercises and other materials directly on the participants’ computers. A wireless setup could replace expensive multimedia projectors, which cost a minimum of about $4,000 each.

The bottom line: The cost of installing a WLAN varies considerably. Much depends on the organization’s current computer equipment, the wireless hardware selected, the vendor, the physical proximity of the computers, the number of staff members who access the system and whether and how much professional assistance is needed to get the system up and running.

Proper positioning of access points is critical to achieve optimal communications; fortunately, several vendors bundle system survey tools to determine the best positions with their equipment. In general, equipment designed for enterprise-wide wireless networking is more expensive because the equipment and bundled software are more sophisticated than that designed for small office use. However, prices have been dropping recently.

CALCULATE COSTS

The following provides a minimum and maximum cost estimate of the equipment that is needed for a WLAN in a typical office:

Generally, every staff person who must move about the office with his or her computer should have a laptop that can accommodate a wireless NIC. A good quality laptop costs between $2,000 and $3,500.

Every laptop needs a wireless NIC, which costs between $100 and $300.

Every desktop to be connected to the WLAN will require an adapter (PCI or ISA) and a wireless NIC, which cost between $160 and $400. At least one desktop unit should act as a file and print server.

Wireless LAN signals have a transmission range of 80 to 1,500 feet, depending on the type of equipment, the data exchange rate and the obstacles that the signals must pass through. Access points also vary by the maximum number of simultaneous users, ranging from 15 to 60 users per access point depending on the type of equipment.

For optimal positioning of access points, it’s probably wise to engage a consultant to conduct signal testing. In general, you’ll probably need an access point for every 2,000 square feet of floor space. Access points cost between $200 and $1,500.

You should also add between $200 and $1,000 for a firewall or cable/DSL router.

These estimates don’t include training staff members, obtaining professional assistance in installation, special-purpose network software to increase staff productivity, fees charged by the Internet provider, or network administration and maintenance.

Although security problems exist with any type of network, WLANs are slightly riskier than traditional LANs. The new 802.11b standard includes built-in security, providing some defense against unauthorized interception and access; however, there still are weaknesses. To upgrade security, some developers have implemented proprietary solutions; unfortunately, these features may make it impossible to interchange equipment from different manufacturers, limiting your LAN design options. But, as a practical matter, most users probably should not worry about security unless they feel that their size or type of business makes them high-risk targets.

Should you consider unplugging and going to a WLAN? That depends on many factors. If you must upgrade your conventional wired LAN, and that work involves new wires or cables, you may want to unplug because in the long run it will probably save you money.

One thing you can be assured of is that wireless technology is the wave of the future—or at least the immediate future. While the hardware today is a bit pricey, costs are falling and will continue to do so for some time to come, and speed and reliability will improve apace. Since WLAN installations do not require structural work, it may be cheaper to unplug now and upgrade over time as WLAN hardware improves rather than make a huge investment in new cables and wires.