Network management Toolkit

Tightly shod footprints toughen security

Tags:
Intruders,
Network Security,
Wireless Networking,
Footprint

Scott Robinson Tech Republic

Published: 24 Aug 2004 10:50 BST

A wireless network's footprint is its effective area of coverage, the physical territory in which one may access it. In most cases, growth in wireless network footprints is a good thing, even a bragging point. Bigger means greater access to the network. Metaphorically speaking, you want the network's footprint to be worthy of a tyrannosaur -- absolutely huge and providing great coverage and a high degree of availability.

On the other hand, that huge footprint carries a risk of malevolent intrusion that increases with its size. A network footprint is more or less a product of the access point deployment. And the primary entry in a WLAN for an intruder is, of course, the access point (AP).

That's why the management of a network footprint requires a constant balancing act between territorial expansion and controlling the increasing security risks. Simply, network footprint expansion is synonymous with increasing security risk. As you expand and increase your network, you must give corresponding diligence to security issues.

As your network grows, there are some specific initiatives you should make standard:

Curtail informal network expansion
When APs are added, they should be added according to a formal procedure that includes:

A request for the increase in coverage.

An assessment of the user load the AP will handle.

An evaluation of that local environment for leakage risks and potential signal interference.

An authorisation that leaves someone accountable.

A detailed record of the AP's installation and testing.

Wireless expansion via AP is so simple that it is a temptation to just pop an AP in as easily as we move a lamp in our office. But the issues and risks are exactly what they would be -- and then some -- if we were running network cable to a new floor of our building.

Control local AP footprints
While your network has a footprint, so do individual APs. Here are some rules of thumb for providing good coverage while preventing leakage:

Keep the AP as far away from any windows as possible.

Place the AP as high in whatever room it is sitting as you reasonably can.

Be certain the AP is not sitting too close to another RF source. (Computers themselves can cause interference; don't place an AP next to one.)

Choose antennas carefully. Different environments call for different antenna types. The idea is to keep signals within your building, with maximum access in the proper context and minimal access beyond.

Some good tips:

Use omnidirectional antennas for more centrally located APs.

Point the antenna straight up.

Consider a directional antenna in areas along the perimeter of your building to minimise signal leakage to the outside world. If you can't change the antenna of an AP near the building perimeter, point the antenna inward toward the centre of the building.

Maintain a proper client/AP ratio
Another aspect of network footprint control is individual AP effectiveness in context. It's very important that you keep a proper ratio of clients to APs. A good rule of thumb is 20:1 as an upper limit. Keep in mind that your effective AP range, the geography of the room, and possible sources of interference will not likely be more than 150 feet. Plan the number and placement of APs according to these rules.

Final thoughts
Increase your wireless network's effective resolution with an eye toward security when you fine-tune AP signal strength. There's a balance between a strong signal that makes the AP effective in the area where it's placed and a signal so strong that it leaks to the highway outside. Attention to this detail can prevent an intrusion.

Remember that rogue access points essentially represent unplanned, uncontrolled footprints. An axiom of control system theory is that you can't control what you can't observe. Since rogue APs can slip into even the best-planned wireless networks, resolve to keep a constant watch for them. You can detect rogue APs with a number of freely available utilities.