8 Wi-Fi mistakes to avoid
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on NetworkWorld
Wi-Fi is great when it works right – and when it’s secure. Although setting up Wi-Fi can seem straightforward, there are many complexities. For example, not performing proper surveys, design work, and maintenance or ignoring security issues can cause major problems.
Here are some of the biggest Wi-Fi mistakes to avoid.
A successful wireless network requires careful analysis, design, planning, and maintenance, all of which revolve around the site survey.
A site survey includes a walkaround to capture Wi-Fi and RF spectrum data in order to get a baseline reading of signal, noise, and interference from your wireless access points, neighboring networks, and other RF sources. From that surveying work, analysis can be performed to determine the basics: optimum access point locations, channels, and power levels. These are also determined based on the desired specs of the network, such as the required wireless coverage areas, data rates, network capacity, and roaming capability.
Site surveys for smaller buildings or areas could be performed manually by walking around with a Wi-Fi and/or spectrum analyzer and taking notes. However, for larger surveys, a map-based site survey is crucial. You can load floor plan maps of a facility into a software program, walk around capturing data, and then view the results on heat maps. This gives you a very good visual of the signal and noise levels and how the signals propagate.
Though you might do a full site survey and all the proper analysis, planning, and designing during the initial deployment of the network, that doesn’t mean the work stops once the installation is complete.
Periodic site surveys are needed to see if adjustments are required. Interference, neighboring networks, and changes in how the Wi-Fi is used can have major impacts on the network’s performance.
Changes to neighboring wireless networks, which you likely have no control over, can cause co-channel interference, requiring you to modify the channels used by your access points. There can be changes in the network’s security as well, for instance if wireless access points become reset or users bring in and install wireless routers or access points themselves.
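As an added example (not code from the article), the following script runs the two checks a periodic survey is meant to catch over a constructed 2.4 GHz scan: access points whose channels overlap ours, and unknown access points that either use our SSID or are heard strongly enough to be inside the building. The BSSIDs, the authorized inventory and the -65 dBm "inside" threshold are all assumptions.

```python
# Added example (not from the article): analyze a 2.4 GHz scan for
# overlapping neighbours and unauthorised access points.
from collections import Counter

# Constructed scan records: (SSID, BSSID, channel, RSSI in dBm).
SCAN = [
    ("CorpWiFi",  "00:11:22:33:44:01", 1,  -48),  # our AP
    ("CorpWiFi",  "00:11:22:33:44:02", 6,  -55),  # our AP
    ("CorpWiFi",  "de:ad:be:ef:00:01", 11, -40),  # our SSID, unknown BSSID
    ("Linksys",   "c0:ff:ee:00:00:01", 6,  -62),  # a user's own router
    ("Neighbor5", "aa:bb:cc:dd:ee:01", 6,  -70),
    ("Neighbor6", "aa:bb:cc:dd:ee:02", 11, -80),
]
# Assumed inventory of the BSSIDs we deployed (from the AP management console).
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
OUR_SSID = "CorpWiFi"
# Assumed threshold: anything heard this strongly is probably inside our walls.
INSIDE_RSSI = -65

def rogue_aps(scan, authorized, our_ssid, inside_rssi=INSIDE_RSSI):
    """Unknown BSSIDs that impersonate our SSID or appear to sit inside the building."""
    return sorted(
        bssid for ssid, bssid, _ch, rssi in scan
        if bssid not in authorized and (ssid == our_ssid or rssi >= inside_rssi)
    )

def _foreign_load(scan, authorized, channel):
    """Number of non-authorised APs whose 2.4 GHz channel overlaps `channel`.
    Channels less than 5 apart overlap, so this covers adjacent-channel as well
    as strict co-channel interference."""
    return sum(1 for _s, bssid, ch, _r in scan
               if bssid not in authorized and abs(ch - channel) < 5)

def overlapping_neighbors(scan, authorized):
    """For each of our APs, how many foreign APs overlap its current channel."""
    return {bssid: _foreign_load(scan, authorized, ch)
            for _s, bssid, ch, _r in scan if bssid in authorized}

def least_used_channel(scan, authorized, candidates=(1, 6, 11)):
    """Non-overlapping channel with the fewest overlapping foreign APs; ties go low."""
    return min(candidates, key=lambda ch: (_foreign_load(scan, authorized, ch), ch))
```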
Don’t avoid advanced wireless settings. During the surveying, design, and deployment phases, you must determine the basic access point settings, such as channels, but it’s easy to look past the other settings.
Discover and investigate all the settings of your access points. See what unique features are supported that can help increase performance, such as 5GHz band steering, or to increase security, such as IPS/IDS functionality.
Also take a look at the usual advanced settings that can be used to tweak the Wi-Fi, such as channel widths, supported data rates, beacon interval, and thresholds for fragmentation and RTS. Consider utilizing the following common features as well to help decrease overhead and increase data rates: Short Preamble Length, Short Slot Time, Short Guard Interval, and Frame Aggregation.
For smaller businesses and organizations especially, the simple personal or Pre-Shared Key (PSK) mode of Wi-Fi Protected Access (WPA/WPA2) security is much more attractive than the enterprise mode. With the personal mode, it takes just a couple of seconds to set the Wi-Fi password, and most users understand they have to enter it in order to connect via Wi-Fi. The enterprise mode of Wi-Fi security, however, isn’t so effortless. You must set up a RADIUS server for the 802.1X authentication and then create and give out unique login credentials to users.
That said, the personal mode of Wi-Fi security typically requires more work in the long run to keep the network safe. Since there’s only a single global password for everyone, it would need to be changed at least every time an employee leaves the company or organization and whenever a user loses a Wi-Fi device in order for the network to remain secure. Without changing the password, the ex-employee or thief could simply return to the workplace—even if only to the parking lot—and connect to the Wi-Fi.
The enterprise mode of Wi-Fi security doesn’t have to be difficult. There are hosted RADIUS services, for instance, that you can use so you don’t have to invest time and money in deploying your own.
No matter which Wi-Fi security mode you use, ensure strong passwords are used. The longer and more complex, the better. Utilize both upper and lower case letters, numbers, and special characters. Certainly don’t use words that would be in a dictionary.
Using a weak password with the personal (PSK) mode could make it very easy for someone to crack it. Though the AES encryption offered by WPA2 security is strong, all passwords are susceptible to brute-force dictionary attacks. This is where software repeatedly guesses the password using a dictionary of common words and phrases until it finds the correct password. That is why you don’t want your password containing any word or phrase that could be in a dictionary.
The same vulnerability applies to passwords used for the enterprise mode of WPA2 security. However, there are a few more hoops a hacker would have to get through before they could attempt brute-force cracking attempts on the 802.1X passwords.
Don’t forget about other network passwords as well, such as for your router, firewall, and access points. Ensure you change the default password on these network components to something strong. You don’t want curious users getting to the network settings.
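The checker below is an added example (not code from the article) that applies the advice above to a WPA/WPA2 personal-mode passphrase before it is set on the access points: it enforces the 8 to 63 printable ASCII character range the PSK format allows, requires all four character classes, and rejects dictionary words even when common letter-for-symbol substitutions are used. The small word list, the substitution table and the 20-character local minimum are assumptions.

```python
# Added example (not from the article): policy check for a WPA/WPA2 PSK passphrase.
import string

# Constructed stand-in for a real wordlist; use a full dictionary in practice.
DICTIONARY = {"password", "wireless", "company", "welcome", "summer", "admin"}
# Assumed substitution table so that e.g. P4$$w0rd is still recognised as "password".
LEET = str.maketrans("013457@$!", "oleastasi")

def dictionary_hits(passphrase, dictionary=DICTIONARY, min_len=4):
    """Dictionary words embedded in the passphrase after undoing common substitutions."""
    norm = passphrase.lower().translate(LEET)
    return sorted(w for w in dictionary if len(w) >= min_len and w in norm)

def check_psk(passphrase, min_len=20, dictionary=DICTIONARY):
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    # A WPA/WPA2 passphrase is 8-63 printable ASCII characters (0x20-0x7E).
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < min_len:
        problems.append(f"shorter than the local minimum of {min_len}")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if any(not set(cls) & set(passphrase) for cls in classes):
        problems.append("use upper and lower case, digits and special characters")
    hits = dictionary_hits(passphrase, dictionary)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems
```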
Hiding the SSIDs, or network names, of your wireless network may seem to offer security benefits, since someone must know the SSID before attempting to connect, but it doesn’t protect you from those really trying to get in.
You can disable the constant broadcasting of your SSID in beacons, which will hide it from the native list of available networks on computers and other Wi-Fi devices. However, you can’t stop the SSID from being sent in certain network traffic, such as associations and probes. Though normal Wi-Fi devices will “ignore” SSIDs in those types of traffic, wireless analyzers (such as Kismet and AirMagnet) are listening and will display them when heard.
Disabling SSID broadcasting also has a negative impact on the wireless performance. It will generate more management traffic, taking up valuable airtime that could be used for data transfer.
Most business-class wireless access points have the capability to support many virtual wireless networks, each with their own basic settings: SSID, security, broadcasting, band preferences, VLAN, etc. This can be a useful way to segregate the network, offering varying levels of network access. However, don’t get too carried away. Each SSID is basically its own network, requiring its own set of beacons and management traffic and taking up valuable airtime.
If you find you need more than three SSIDs, perhaps look into other ways of segregating the wireless access. For instance, leverage 802.1X authentication with the enterprise mode of Wi-Fi security to dynamically assign users to a VLAN once they connect.
Wireless technologies are constantly evolving. For Wi-Fi, the IEEE publishes 802.11 standards so devices from different vendors are compatible with each other. In chronological order of their release date, the standards are 802.11: a, b, g, n, ac.
Each of these 802.11 standards supports varying speeds and performance. Even though all the common standards (b, g, n, ac) have interoperability between each other, mixing older devices with a network using newer standards slows the entire network. Thus try to ensure the wireless clients that are connecting to the network are using newer standards, such as IEEE 802.11n or 802.11ac.
If you have a BYOD (bring your own device) network, you may not be able to control what device or wireless standard users bring in. However, you can disable older standards to block them from connecting and negatively affecting the network. Today it’s probably safe to say most users won’t be bringing in an 802.11b device, so consider disabling it on the network. Most users will likely have 802.11n or 802.11ac, but you may want to keep support for 802.11g depending upon your particular situation.
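To put numbers on three of the points above (each SSID costs its own beacons, the beacon interval is a tunable setting, and leaving 802.11b enabled forces management frames down to 1 Mbps), here is an added example that is not code from the article. It estimates the share of each second a single radio spends transmitting beacons; the 250-byte beacon size is an assumed typical value, the PHY preamble times are taken from the 802.11 standard.

```python
# Added example (not from the article): estimate beacon airtime overhead
# as a function of SSID count, beacon interval and lowest basic rate.

# Physical-layer overhead per frame in microseconds (from the 802.11 standard).
PREAMBLE_US = {
    "dsss_long": 192,  # 802.11b long preamble + PLCP header, used at 1 Mbps
    "ofdm": 20,        # 802.11a/g/n preamble + SIGNAL field
}

def beacon_airtime_us(frame_bytes, rate_mbps, preamble):
    """Channel time one beacon occupies: PHY preamble plus payload bits at the rate."""
    return PREAMBLE_US[preamble] + frame_bytes * 8 / rate_mbps

def beacon_overhead_pct(ssids, frame_bytes=250, rate_mbps=1.0,
                        preamble="dsss_long", beacon_interval_ms=100):
    """Percentage of every second spent on beacons when one radio advertises `ssids`
    SSIDs. Beacons go out at the lowest basic rate: 1 Mbps DSSS while 802.11b is
    enabled, 6 Mbps OFDM once it is disabled. frame_bytes=250 is an assumed size."""
    beacons_per_s = ssids * 1000 / beacon_interval_ms
    return beacons_per_s * beacon_airtime_us(frame_bytes, rate_mbps, preamble) / 1e6 * 100

def compare_configs(ssids):
    """Overhead for the same SSID count with and without 802.11b enabled."""
    return {
        "802.11b enabled (1 Mbps beacons)": beacon_overhead_pct(ssids),
        "802.11b disabled (6 Mbps beacons)": beacon_overhead_pct(
            ssids, rate_mbps=6.0, preamble="ofdm"),
    }
```

With four SSIDs and the default 100 ms interval the 1 Mbps case already spends close to 9% of airtime on beacons alone, before any data is sent.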