
Ethernet Networking- P6 ppsx


Note: If you supply a firewall as a standalone appliance, you may want to turn the router's firewall off. More in Chapter 10.

By default, most of today's small routers block packets from well-known ports. If you want to let them through, or want to let through traffic from specific Web applications such as games, then you will need to open the ports manually, as in Figure 6-10. You enter the ports you want to open in the Start and End boxes. (These make it easier to enter a range of ports.) If you have a Web server or FTP server with static IP addresses, you will need to open their ports, for example.

Figure 6-10: Configuring a router to open specific ports

Finally, you can usually configure Internet access policies (Figure 6-11), providing access controls for specific machines on your internal network. First, you create a list of workstations to be affected by the policy, as in Figure 6-12. Then you indicate when you want to deny or allow access. Notice also at the bottom of the access policy screen that you can block Web sites by URL or keyword. (It may not be as flexible as many stand-alone parental control applications, but it's a start!)

Figure 6-11: Configuring Internet access policies

Note: You may have noticed that this router also has a screen for configuring wireless connections. We'll look at that in Chapter 7.

Figure 6-12: Setting up a list of PCs for an Internet access policy

Integrating Wireless Transmissions

If you read the popular press, you would think that small networks were wireless, and nothing but wireless. The ostensible ease of setting up and using a wireless network seems to be endlessly appealing. And there is no question that a wireless connection is convenient for connecting a computer such as a laptop that needs only occasional access to your network or that changes its location frequently.
However, there are major drawbacks to wireless networks, especially in terms of security, that should make even the smallest of small business users think twice. In this chapter we'll look at why the most common wireless networks aren't truly Ethernet (and why they can't be). We'll also talk about wireless standards and speeds, along with how wireless connections work. Along the way we'll explore the security issues that still plague today's wireless connections.

Wireless MAC Protocol versus Ethernet MAC Protocol

As you will remember, the Ethernet MAC protocol (CSMA/CD) relies on the ability of connected devices to detect the presence of a signal on the network wire. When a device detects a signal, it knows that the wire is in use and that it must wait to transmit.

Wireless connections, however, can't use CSMA/CD. Why? Because wireless devices can't detect collisions. And why not? Because wireless transmissions are half duplex. With CSMA/CD, the transmitting device must send a frame and then immediately listen for a collision. But a wireless device can't send and listen at the same time. Therefore, if it transmits and a collision occurs, it has no way to detect that collision.

CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) tries to minimize collisions. It works in the following way:

1. A device waiting to transmit checks to see if there is a carrier signal (access point is busy).
2. If the access point is not busy, it sends a jamming signal to alert other devices that it will be transmitting.
3. If there is a signal, the device waits a random amount of time and then checks the transmission channel again.
4. If the access point is still busy, the device doubles its wait time, and continues to do so until it can gain control of the transmission frequency.

The randomness of the wait intervals and the increasing wait time minimize the collisions.
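The effect of steps 3 and 4 can be seen in a small simulation, added here as an illustration and not taken from the book. It compares a fixed random wait with a wait that doubles after every failed attempt; the slotted time model, the constants `FRAME_SLOTS` and `MAX_WINDOW`, and the function names are all assumptions of this example.

```python
import random

FRAME_SLOTS = 5      # assumed: number of time slots one frame occupies the channel
MAX_WINDOW = 1024    # assumed: upper limit for the doubled wait window

def simulate(stations, doubling, seed, start_window=2, max_slots=200_000):
    """Every device has one frame to send. Returns (delivered, collisions, slots)."""
    rng = random.Random(seed)
    ready = [0] * stations               # slot at which each device next checks the carrier
    window = [start_window] * stations   # current upper bound of the random wait
    pending = set(range(stations))
    busy_until = collisions = slot = 0

    def back_off(dev, now):
        # Step 3: wait a random time. Step 4: double the wait after each failure.
        ready[dev] = now + 1 + rng.randrange(window[dev])
        if doubling:
            window[dev] = min(window[dev] * 2, MAX_WINDOW)

    while pending and slot < max_slots:
        sensing = [d for d in sorted(pending) if ready[d] <= slot]
        if slot < busy_until:
            for d in sensing:            # carrier present: defer and check again later
                back_off(d, slot)
        elif sensing:
            busy_until = slot + FRAME_SLOTS
            if len(sensing) == 1:        # only one device started: the frame gets through
                pending.discard(sensing[0])
            else:                        # simultaneous start: half duplex, nobody notices
                collisions += 1
                for d in sensing:        # mangled frames have to be resent later
                    back_off(d, busy_until - 1)
        slot += 1
    return stations - len(pending), collisions, slot

def compare(stations=8, trials=20):
    """Total collisions over seeded runs, returned as (fixed wait, doubling wait)."""
    fixed = sum(simulate(stations, False, s)[1] for s in range(trials))
    doubled = sum(simulate(stations, True, s)[1] for s in range(trials))
    return fixed, doubled

if __name__ == "__main__":
    fixed, doubled = compare()
    print(f"collisions with fixed wait: {fixed}, with doubling wait: {doubled}")
```

With all devices starting at the same moment, the first collision is unavoidable in both runs; the doubling rule spreads the retries out so that later collisions become rare.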
Packets that are mangled by collisions won't generate TCP acknowledgment packets and will therefore be resent.

Wireless Speeds and Standards

One reason that wireless networks aren't as widely used in business networks as they are in home networks is speed: Although some current standards are rated to perform as well as wired networks, in practice wireless networks almost never achieve anywhere near their rated throughput. The standards are constantly pushing speeds upward, and we can only hope that eventually wireless technologies actually will be able to achieve rated speeds.

At this point, the standards for wireless transmissions are subsets of the IEEE's 802.11 and 802.16 specifications. (See Table 7-1.) Notice first that with the exception of the as yet unreleased 802.11n, the Wi-Fi standards are all slower than wired networks. In addition, they operate in the same bands as most cordless telephones!

Table 7-1: Wireless Networking Standards

| Standard | AKA | Maximum Speed | Security | Comments |
|---|---|---|---|---|
| 802.11a | Wi-Fi | 54 Mbps (5 GHz band) | WEP; WPA, WPA2 | Good for multimedia, voice, and large images. Nonetheless, not widely used. |
| 802.11b | Wi-Fi | 11 Mbps (2.4 GHz band) | WEP; WPA | Greater range than 802.11a. First widely implemented wireless standard. |
| 802.11g | Wi-Fi | 54 Mbps (2.4 GHz band) | WEP; WPA | Compatible with 802.11b. Widely used. |
| 802.11i | | | AES | Specifies additional security for 802.11x networks. |
| 802.11n (a) | Wi-Fi | 540 Mbps (2.4 GHz or 5 GHz bands) | | Has a range of up to 250 meters. Interferes with 802.11b and 802.11g networks. |
| 802.16 | WiMax | 75 Mbps (b) | DES3; AES | Intended for wireless MANs. |
| Bluetooth | | 2 Mbps (2.45 GHz band) | SAFER+; E22; E0 | Intended for connecting small peripherals, such as keyboards, PDAs, and cell phones, to computers. |

a. This standard is not as yet approved. It is scheduled for final approval in July 2007 and release in April 2008. Currently, you can purchase products labeled "pre-n," but there is no guarantee that those products will be compatible with the standard that is ultimately released.

b. WiMax speeds depend heavily on distance. The 75 Mbps speed is achievable for up to four miles, but drops to 50 Mbps between 4 and 6 miles, and to 17 Mbps over 6 miles.

Most wireless access points handle both 802.11b and 802.11g transmissions. Most laptops come equipped with 802.11g wireless adapters. Nonetheless, the compatibility doesn't work in the same way as autosensing ports on an Ethernet switch. The switch can operate with one port at 10 Mbps, several ports at 100 Mbps, and yet even more ports at 1000 Mbps; the speed of the transmissions between each device and the switch is a matter for the switch and device, independent of the speed of other devices connected to the switch. However, if both 802.11b and 802.11g devices are communicating with the same access point, the access point slows down to 802.11b speeds for all of its transmissions, removing the advantage of having the faster devices.

At the time this book was written, it made sense to purchase 802.11g equipment, especially for new installations where no 802.11b devices would be in use. It was somewhat risky to purchase pre-n equipment, given that there was no guarantee that it would be compatible with 802.11n equipment that was produced in response to the final accepted standard.

Wireless Access Points

Wireless network adapters communicate with wireless access points (APs). As you read in Chapter 6, an access point may be built into a small router, along with an Ethernet switch (for example, Figure 7-1). Alternatively, you can purchase stand-alone access points, which don't look much different from the all-in-one router. (The little antennas sticking up are a dead giveaway that you're dealing with a wireless device.)
Note: The irony of the preceding is that a stand-alone access point costs the same as, if not more than, a small router with a switch and access point built in.

Service Set Identifiers

Wireless access points are limited in range. It therefore is not unusual to have more than one access point with overlapping ranges in the same network. To distinguish themselves, APs have names known as Service Set Identifiers (SSIDs). When a remote device wants to connect to an AP, it supplies the SSID of the access point it wants to use. In public hot spots, however, many APs may share an SSID to make it easier for clients to move from one AP to another without signal interruption.

Figure 7-1: A router with a built-in wireless access point (Courtesy of Belkin Corporation)

By default, APs broadcast their SSIDs for any wireless adapter in range to pick up. This is why it is so easy to connect to the wireless service in an airport, for example. The driver for a laptop's wireless adapter searches for SSID broadcasts and identifies the strongest signal it can find. That is the network to which it will attempt to connect first.

APs broadcasting their SSIDs are therefore wide open to any device in range, a major security problem. There are two very simple things you can do to prevent just anyone from connecting to your wireless access points: Turn off the broadcast of the SSID and change the default name of the AP. The default names are usually something like the name of the manufacturer of the AP or the word "wireless" or something else equally insecure. For example, there are probably tens of thousands of unsecured wireless routers in the United States broadcasting the SSID "linksys." For more well-known SSIDs, see Table 7-2.
Table 7-2: Well-Known SSIDs

| Vendor | SSID |
|---|---|
| Addtron | WLAN |
| Cisco | tsunami |
| Compaq | Compaq |
| Intel | intel |
| Linksys | linksys |
| Lucent | RoamAbout Default Network Name |
| 3Com | 101 |
| Others | Default SSID |
| many | Wireless |

If your access point is part of a router, you'll use the router's Setup utility to take care of this (for example, Figure 7-2). Otherwise, you'll use the Setup utility that is part of the AP.

Figure 7-2: Configuring SSID broadcast

Note: How big a problem is the SSID broadcast, really? You decide: From the second floor of my house, which is set 150 feet back from the road, a guest in my guest room can pick up the SSID broadcast of my neighbors across the street. The signal is going through two stick-built houses and traveling at least 250 feet. Although brick, stone, and metal can restrict the range of wireless signals, don't count on your walls keeping in your wireless transmissions.

Turning off the broadcast of the SSID and changing the default SSID will go a long way toward deterring war drivers, individuals who use specialized equipment and antennas to find open wireless networks. However, it isn't enough to deter the sophisticated service and data thief. For that you need encryption, which is discussed in the last section of this chapter.

Adding Access Points to a Wired Network

It's relatively simple to add a wireless access point (or two, or three, ...) to a wired network: If you purchase a router with a built-in access point, just add the router to your network. The access point automatically becomes part of the network. If you purchase a stand-alone access point, be sure that it has an Ethernet port. Then, use a short Cat 5 or better patch cable to connect the AP to a port on an Ethernet switch. Each AP you add to the network will consume one port on a switch.

You do, however, need to pay some attention to where you place your access points.
Wi-Fi signals do travel through wood quite well, but not as well through metal and concrete. Floors tend to present more of a barrier than walls. Therefore, you want to place APs fairly high where they are least likely to encounter barriers in the transmission path. (Line-of-sight is optimal but does defeat the purpose of allowing equipment to move from place to place in the office!) If you have office space that is broken up with cubicle partitions, try to place the APs above the level of the cubicle walls. Although Wi-Fi signals will certainly go through cubicle walls, with too many walls the signal strength will attenuate to such a point that it is unusable.

[...] the network. Because it handles a higher volume of network traffic than most other computers, it also should be on the fastest network segment. Today that means that servers should be connected by gigabit Ethernet (over either UTP wire or fiber optic cabling).

File Server Services

A file server is more than just a piece of hardware. It includes software that supports file sharing and, in particular, handles ...

Date posted: 02/07/2014, 20:21