Building a Wireless Network for an Apartment Complex?
itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"
"My concerns are the following:
- Interference between WAP's (there's several buildings) - there are enough channels if we go 802.11a but cost is a concern.
- Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
- Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?"
MAC addresses are fairly easy to spoof (at least in OpenBSD), and any two-bit Prism-based sniffer can tell the MAC addresses of other nodes on the network. It would probably be better to go with a different scheme, such as login/passphrase authentication, rather than MAC address. I know UC Berkeley is using some sort of program like that; check out Calnet.
Once you are done with the physical layout you should consider a VPN-type solution along with WEP and an ACL to prevent passers-by from hacking the tenants' machines...
- 802.11 manages devices in a friendly way, and is designed specifically to play nice with lots of other 802.11 devices in the area. In fact, infrastructure networks assume it WILL work that way. Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
- Other people's devices shouldn't interfere with yours unless there are a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
- I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.
I am an assistant network engineer at a large midwestern university. Currently, like you, we're in the process of figuring out how to deploy wireless access points. Our campus's Engineering Computer Network let us borrow a mobile testing apparatus that has a WAP and an antenna on it (looks like a camera tripod). We take it to different parts of our residence halls and, with a laptop, we take SNR readings from different parts of the surrounding rooms and record our measurements on the building blueprints. We figure we need about 6 WAP's to sufficiently cover the lounge areas of the older dormitories (with their steel and concrete infrastructure), but for your sake 2 WAP's should sufficiently cover a medium-sized apartment building and more. We also plan to cover several large outdoor areas, a library, and our Union right off the bat. The equipment we are using is Enterasys Roamabouts ($1000 a pop), and they are highly configurable and have a ton of management features. We figure each WAP will get connected to a switch port on the Cisco Catalysts in our buildings. So far, we haven't done much in terms of the deployment because it is a long process, where the Physical Facilities department has to do the actual installation of the equipment, data jacks, etc. I assume in your case you can better coordinate this without all the red tape. We figure that by the time these are all installed and our userbase is well-informed of the network, we will have a great system that will scale to thousands of students and staff in the future.
http://www.purdue.edu/ITaP/projects/wireless.shtm
- Interference between WAP's
If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible. If you can get your hands on a few to test with, it would be worthwhile to mock up a few layouts and wander around with a laptop to measure signal strength and interference.
- Management of 'hitchhikers'
In addition you could run WEP; it is breakable but it's another layer of security. Sorta like the car thief will go for the car without the club.
- Interference from WAP's and other devices that may be owned by tenants!
Here could be your big problem. As someone else mentioned there are lots of 2.4 GHz devices. Most would only cause a local disturbance, but if I decided to set up a WAP in my apartment you have no grounds to stop me from doing so. Some WAPs are smart enough to work nicely together though so it might not be as big a deal as microwaves and cordless phones.
I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!
PS. Cracks about Redneck Rocky Top and such ilk should be modded -1!
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
It's not really spoofing as such. Anyone can change their MAC identification to anything they want with most cards. In Linux you do it through ifconfig and in WinNT/2K/XP you can do it in the network control panel. This is another reason I would go with PPPoE or a VPN.
I've worked with Karlnet's stuff. It does work as advertised, but in my opinion it is not at all worth the cost (something like $500 per base station *for the software* and $25 per client). In addition, I have never ever seen their Linux driver work. They supposedly came out with a new one recently, but I haven't heard good reports about it either.
Aside from all of that, Turbocell does do some neat stuff: bandwidth throttling on the client end, key-based authentication, and it supports hidden nodes on wireless networks. It seems more suited for "wireless ISP" type of arrangements than smaller rigs as described in the article.
To Karlnet's credit, they also now have a $75 version of their firmware that goes on an RG-1000 and allows for one or two wired ethernet devices. Still more than I prefer to pay for such things. And of course, your mileage may vary.
Wireless network that spanned several different buildings, and required a few different AP's. Toughy, but not impossible. First, set each AP on its own channel. Second, enable MAC Address security for each Card on the network. Then instead of using DHCP to give out IPs you should assign each computer an IP and Subnet mask. Turn off DHCP server on the AP to try and stop any hitchhikers. The next thing you should do is enable WEP on the AP and the cards. Use the highest possible key. This should keep most of the standard users out of the network and force them to pay. As far as hardware, I suggest Linksys cards as they allow for the "any" SSID to be used, allowing each resident to use the best AP. Also, for desktops use USB so that you don't have to open up the computers. That could be a BIG liability for you and your employer. Only use PCI cards if they sign a letter releasing you from all liability. You can do this on 802.11b for the cost reasons. If you need further help with this project email me. If this works out please let me know.
It may be cheaper to just run cat5 through the buildings. Definitely more secure.
I spent 4 years as a wiring contractor and know it's not dirt cheap, but depending on how many takers you have for your bandwidth, paying a hundred bucks or so per wireless nic isn't cheap either.
I'm not sure how many units you have in the apartment, but if it was mine, I'd have the place wired with at least a solid RG-6 coax and an ethernet cable to each apartment.
Pick up Hacker's Challenge. They detail 20 real life attack scenarios, many of them are attacks against a wireless network, and they detail the steps taken to prevent attacks of that nature.
I don't know if it's been mentioned, but I would use IPSEC if I were you,
simply because 802.11a/b sniffing is trivial now and MAC address spoofing is
even easier. Also, I would probably recommend against going with an
established commercial WAP product, as they all almost definitely aren't going
to have the flexibility you need in the future and are probably way too
expensive. I would roll a couple of OpenBSD boxes with wireless cards, that
way you have an all in one solution with lots of nifty stuff like traffic
shaping per MAC, monthly bandwidth accounting capabilities via pf, syslog, and
tons of other stuff that commercial vendors just don't offer. And I do mean,
don't offer, regardless of price. This page
offers a good howto regarding IPsec on OpenBSD and this page
gives a pretty good read on replacing WEP with IPsec on OpenBSD as well. Good
luck.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
NoCatAuth is a project that attempts to address the security concerns of running subscription based wireless services. AFAIK though, it's designed so that you must build Linux boxes to act as access points; it would take some hacking to get it to work with existing access points (most of which can be administered through SNMP).
If someone is determined enough, they can get on your WLAN. MAC addresses can be spoofed, WEP keys can be sniffed. All you can do is authenticate and log.
I recently spoke to some keen fellows from Baylor University that have created an OpenBSD-based firewall/logging/authentication system that takes the poster's info page one step further. Everyone authenticates via an SSL-encrypted web site in order to join the network. DHCP leases are handed out in conjunction with a login session, so you can track who does what. Logging in also opens up your firewall to allow the newly-leased IP address through.
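A minimal model of the scheme described above (web login bound to a DHCP lease, firewall opened per session, everything logged), given here as an added example; it is not the Baylor system's code. The class, the decision names and the 5-second roam threshold are assumptions for illustration, and the events are constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    expires: float


class PortalGateway:
    """Toy edge gateway: a lease is only honoured while a login session is live."""

    def __init__(self, lease_seconds=3600, min_roam_gap=5.0):
        self.lease_seconds = lease_seconds
        self.min_roam_gap = min_roam_gap  # assumed threshold, tune per site
        self.by_ip, self.by_mac = {}, {}  # ip -> Session, mac -> Session
        self.last_seen = {}               # mac -> (access point, time)
        self.audit = []                   # (time, event, detail)

    def _drop(self, s):
        self.by_ip.pop(s.ip, None)
        self.by_mac.pop(s.mac, None)

    def _live(self, s, now):
        """Return the session if it is still valid, otherwise expire it."""
        if s is not None and s.expires <= now:
            self._drop(s)
            self.audit.append((now, "expired", f"{s.user} {s.mac} {s.ip}"))
            return None
        return s

    def login(self, user, mac, ip, now):
        """Called after the web login succeeds: bind user, MAC and lease."""
        mac = mac.lower()
        for old in (self.by_ip.get(ip), self.by_mac.get(mac)):
            if old is not None:
                self._drop(old)
        s = Session(user, mac, ip, now + self.lease_seconds)
        self.by_ip[ip] = self.by_mac[mac] = s
        self.audit.append((now, "login", f"{user} {mac} {ip}"))
        return s

    def check(self, mac, ip, ap, now):
        """Firewall decision for a frame from (mac, ip) heard on access point ap."""
        mac = mac.lower()
        s_ip = self._live(self.by_ip.get(ip), now)
        s_mac = self._live(self.by_mac.get(mac), now)
        if s_ip is None and s_mac is None:
            return "redirect"  # unknown station: send HTTP to the info page
        if s_ip is not s_mac:  # a leased IP or a known MAC used out of its pair
            who = (s_ip or s_mac).user
            self.audit.append((now, "mismatch", f"{mac} {ip} vs session of {who}"))
            return "drop"
        prev = self.last_seen.get(mac)
        self.last_seen[mac] = (ap, now)
        # Heuristic: one radio rarely hops between access points this quickly.
        if prev and prev[0] != ap and now - prev[1] < self.min_roam_gap:
            self.audit.append((now, "possible-clone", f"{mac} on {prev[0]} and {ap}"))
            return "flag"
        return "allow"


# Constructed events in time order; addresses are locally administered / private.
SAMPLE_EVENTS = [
    ("login", "alice", "02:00:00:AA:BB:01", "10.0.0.11", 0),
    ("frame", "02:00:00:aa:bb:01", "10.0.0.11", "ap-north", 10),
    ("frame", "02:00:00:cc:dd:02", "10.0.0.50", "ap-north", 12),
    ("frame", "02:00:00:cc:dd:02", "10.0.0.11", "ap-north", 15),
    ("frame", "02:00:00:aa:bb:01", "10.0.0.11", "ap-north", 20),
    ("frame", "02:00:00:aa:bb:01", "10.0.0.11", "ap-south", 22),
    ("frame", "02:00:00:aa:bb:01", "10.0.0.11", "ap-north", 4000),
]


def replay(events):
    """Run the events through a fresh gateway; return decisions and audit event names."""
    gw = PortalGateway()
    decisions = []
    for ev in events:
        if ev[0] == "login":
            gw.login(*ev[1:])
        else:
            decisions.append(gw.check(*ev[1:]))
    return decisions, [entry[1] for entry in gw.audit]


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

A station that copies both the MAC and the IP of a live session on the same access point is indistinguishable at this layer, which is why the audit trail is kept alongside the filter.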
We set up a small wireless network (5 hosts) at our apartment building to share internet. One of our biggest concerns was interference from other devices. On our limited budget we didn't have the luxury of buying signal testing equipment and AP's to see if 802.11b would be reliable in our building. So in the end, we went with HomeRF 2.0 equipment made by Proxim which has a better range and is much better at avoiding interference than 802.11b and transmits at a similar 10Mbps.
We bought the USB adaptors (for around $80) from Provantage for less than any USB 802.11b adaptors we could find at the time.
There are some limitations with HomeRF, (I don't think roaming between AP's is supported and only drivers for Windows and Mac are provided) but in our situation it was just what we needed and it's worked flawlessly. We've had no network downtime due to interference.
Have you considered going with a wired solution instead of a wireless one?
I assume that the units already have cable TV. If they do, you should be able to run a cat-5 cable beside the cable coax and replace the wall plates with one that includes both a coax port and cat-5 port. You then run the cables to a centralized 10base2 switch for each building, and thence to a central switch for the complex. You shouldn't skimp on these - get hubs with real VLANs. Commodity switches still leak information between the ports.
This will initially be more expensive than tossing up some WAPs, but it will probably save you a lot of headaches down the road because you don't need to worry about people running AirSnort, or interference from common household electronics, or any other crap like that. If people really want wireless access, let them set up their own WAP, but make sure they know their access will be cut off if it's abused.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Actually believe him, it's been a while since I did this stuff. My brain forgot about the SSID stuff. You could still run into problems if I put my access point up on the same SSID as the main network. WEP can partly solve this. But as has been said before it's breakable.
Actually most wireless cards I saw will seamlessly switch channels to match a given SSID. So channel assignment usually is more based on local interference.
I set up a small AP in my apartment, only used by me, so far ;)
I used an old 486 laptop running Linux 2.4.18 (RedHat base) with an Orinoco Silver card, using 40-bit WEP (which to a cracker, is slightly inconvenient at best) and IPTABLES, MAC filtering with IPSEC 3DES and 1024-bit keys.
Be sure to use some kind of encryption better than WEP (like Checkpoint VPN, IPSEC, etc.) otherwise, it's only a matter of time before your users' account info is stolen.
Also consider the kinds of antennas used on the AP. I actually bought the 3 dB loop antenna (size of a 10" plastic ruler) but I don't even need it within my own apartment (100' radius). I use both 2.4GHz phone and microwave with no major problems in my access. Mind you, I'm not using the link for heavy-use or Internet/media streaming. Here are some links to sites that helped me:
Good luck with it, please post a link to your HOWTO when you get it running!
Suncoast Linux - Sarasota, FL
Having used Karlnet quite a bit, I can say that they do offer products that work well for this application. I worked for a wireless ISP and we used Karlnet exclusively.
Having already gone through what you are attempting to do, here are a few tips.
1. Use a DHCP server. Otherwise, you will be getting calls all the time about how to set up DNS, IP's etc. It's a nightmare.
2. Line of sight through a window doesn't always work well. The glass tends to refract some of the signal. If you can align the antenna parallel to the window it will work. Also, it doesn't necessarily have to go through a window. 2.4 GHz will also go through wood and sheetrock to a certain degree.
3. It works best when you can mount the antenna outside and point it straight at the tower. People are less likely to mess with it then.
4. You may think that you have three clear channels but many companies are using this spectrum now. If you are in an urban area, you will probably find that someone is already using some or all of these channels. Check before you spend a lot of money on equipment.
5. Keep your signal levels high. When we started, we would hook up customers with an 8 dB signal to noise ratio. As time went on, the noise floor came up and we had to devise new methods to keep customers online. If you can't get at least a 15 dB S/N ratio, don't even bother hooking them up.
6. Keep your antenna cables short (usually LMR-400). This is usually your biggest source of signal loss.
The company I worked for eventually came up with a design where the radio card was mounted on the back of the antenna outside the building. Cat 5 cable was run to the antenna with power injected onto the unused pairs. This design works well because the signal is converted directly to 10-BT at the antenna with minimal signal loss. Since the entire unit is outside the building, there is much less interference from microwave ovens and cordless phones.
Good luck.
- WEP (Wired Equivalent Protocol)
- Open Systems Authentication
- Shared Key Authentication
- Access Control Lists (MAC Address Lists)
- Closed Network Access Control (LUCENT's Proprietary Access Control)
The important thing to note here is that EVERY one of these mechanisms can be worked around.
- WEP has known vulnerabilities allowing someone to decrypt information in real-time after capturing about a day's worth of traffic.
- Open Systems Authentication has "shown that the authentication management frames are sent in the clear even when WEP is enabled."
- Shared Key Authentication has shown that it is rudimentary to capture the Initialization Vector since it is sent in the clear as part of a WEP frame.
- Standard Access Control Lists are easily circumvented by an attacker sniffing the network for a valid MAC and thus reprogramming their network card to an appropriate value to gain access to the network.
- The proprietary Closed Network Access Control list that LUCENT (and others) touts as "a system that will not send the network identification (SSID) as a broadcast, thereby mandating that someone KNOW the SSID before they can associate to the network," is inherently flawed since:
"Several management messages contain the network name, or SSID, and these messages are broadcast in the clear by access points and clients. The actual message containing the SSID depends on the vendor of the access point. The end result, however, is that an attacker can easily sniff the network name, determining the shared secret and gaining access to the "protected" network. This flaw exists even with WEP enabled because the management messages are broadcast in the clear."
When setting up a wireless 802.11b network, you MUST consider it to be publicly accessible. Anyone who is motivated can gain access to your physical network. They need not be within 300 meters, and through the use of a Yagi antenna or some other directional device could gain access from miles away.
If setting up a wireless network despite the vulnerabilities please follow the following suggestions:
- The most effective strategy would be to put your wireless access points into an IPSEC enabled DMZ, and have your wireless users tunnel into your network using a VPN. If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.
- Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses. (EAP (Extensible Authentication Protocol) is used to allow wireless clients to authenticate to RADIUS servers using a single sign-on.)
- At an absolute minimum, even with its vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that's determining how long it takes to crack it, but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.
REFERENCES
University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf
Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf
AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
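The point in the post above that WEP's key length matters less than its number of Initialization Vectors, worked through as an added example (not code from the post or from the cited studies). WEP keys each frame's RC4 stream with IV || secret, so two frames sent under the same 24-bit IV share a keystream whether the secret is 40 or 104 bits long. The messages, secrets and the 500 frames/s rate are constructed for illustration, and the frame's integrity checksum is left out.

```python
import math

IV_BITS = 24  # WEP's IV length; the same for "64-bit" and "128-bit" WEP


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling followed by n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is the cleartext IV followed by the shared secret."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


# Constructed payloads of equal length.
FRAME_A = b"meter reading unit 12: 0417"
FRAME_B = b"meter reading unit 31: 2290"


def ciphertexts_leak_plaintext_xor(secret: bytes, iv_a: bytes, iv_b: bytes) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the two plaintexts."""
    c_a = wep_encrypt(iv_a, secret, FRAME_A)
    c_b = wep_encrypt(iv_b, secret, FRAME_B)
    return xor(c_a, c_b) == xor(FRAME_A, FRAME_B)


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Birthday approximation: frames with random IVs before some IV repeats."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


def hours_to_exhaust_ivs(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Time for a sequential IV counter to wrap at a steady frame rate."""
    return (2 ** iv_bits) / frames_per_second / 3600


if __name__ == "__main__":
    for secret in (b"\x01" * 5, b"\x01" * 13):  # 40-bit and 104-bit secrets
        same = ciphertexts_leak_plaintext_xor(secret, b"\x00\x00\x07", b"\x00\x00\x07")
        diff = ciphertexts_leak_plaintext_xor(secret, b"\x00\x00\x07", b"\x00\x00\x08")
        print(len(secret) * 8, "bit secret: leak with same IV =", same,
              "| with different IVs =", diff)
    print("frames for 50% chance of a repeated random IV:", frames_until_iv_collision())
    print("hours for a counter IV to wrap at 500 frames/s:",
          round(hours_to_exhaust_ivs(500), 1))
```

This is the reason the VPN/IPSEC suggestion in the same post carries the confidentiality load: a longer WEP secret does not enlarge the IV space.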
My father is a big Radio Shack remote lighting fanatic (X10). Every light is hooked up with a remote switch. All his lamps have the plug-in appliance system. Even his Christmas lights are X10 enabled.
Well, I needed to toss a cable modem onto my LAN, which BTW was wireless. And the only spot I had was down in the basement. In fact, exactly 4 inches (yes, I just measured) away from the X10 module controlling the Christmas lights.
My laptop is now on the third floor on the other side of the house. Almost the furthest point without going outside. Well, on average I get about an 80% signal strength considering the amount of plaster and copper pipes between me and the basement. (For some reason tonight I have a 60% strength).
So, that being the case I'll go check the X-mas lights
. . .
Yup it worked... I'll place my bet that the interference, if any, is not that big a deal!!!
> SELECT * FROM brain_cells WHERE synaptic_rate > 0
0 row returned
Here are a few truths about 802.11b gear (and a couple of tips):
:)
1) 11mbit/sec actually turns into about 5mbit/sec because of error correction. (if I remember correctly, the 802.11b standard does error checking in a manner where it sends 12 bits and half of that is checksum.)
2) The top speed of the wireless wan is affected by the number of people on it. Just because each client connects to the AP at 11mbit/sec, it doesn't mean that the 11mbit will be guaranteed speeds.
3) you'll most likely require more than a 'couple' of access points to achieve building-wide coverage. Even the number of people in the facility that you're trying to cover affects the cell coverage size. (water absorbs and reflects RF - make sure you keep that in mind if you have plenty of foliage in and around the buildings.)
4) load-balancing is possible, but I've only seen it with the higher-end gear (ie. ciscos, etc.) That'll help with multiple people.
5) RF is prone to SERIOUS interference and even the waves are affected by the structures. This is very evident when you are a few meters away from a radio (not line of sight) and you get a strong signal, then suddenly you walk into an RF null. Not fun.
6) Make sure you use decent antennae (and make sure that the radios can handle the power requirements of the antennae you're using.)
7) Make sure that your cables and the like are properly made if you're doing them yourself. If your cables suck, your signal will go to hades.
tip: make sure you have secure authentication systems and xmission security. it's no fun when someone gets 'smart' and steals free bandwidth... or worse, account data.
tip: make sure you have something there that can protect your arse should something REALLY go wrong with the network. Hell hath no fury like a geek bereft of network access.
tip: take the time to do the surveys. If you do proper surveys, you will be a much happier person in the long run.
Anyhow -- There you go. I'm sure there's some more stuff I missed. Let's hear them.
802.1x authentication. 802.1x is a port based authentication method that can be backed up to a radius server, or any other type of authentication device. It is based on EAP, and allows an encryption algorithm to be specified to be used in conjunction with a client app, and the server. When manufacturers start sending APs with 802.1x support in the next month or so, this will be the preferred solution for wireless security. Oh yeah, Windows XP already has built in support for 802.1x too. This will be the next round of wireless security, at least until TKIP is deployed.
Phase matching the antennas is the biggest pain, simply due to the high frequency (and therefore small wavelength). Many AP's and some cards provide 2 antenna sockets for a system called diversity.
Diversity actually is best used to reduce multipath signals, as the radio listens to both signals, and "picks" the best signal to use from the 2 it received. Since both antennas are in different physical locations (from a few inches to about 2 feet is best), each antenna gets a different signal. Do not place these antennas in largely disparate locations, or separated by some interfering object (like a steel support beam), as diversity works best when it can see the signal at BOTH antennas.
There are a huge variety of antennas out there, that produce different polarisation and radiation patterns. Some antennas have receiving amplifiers that produce huge (30+ dB) gain on receive, while only producing about 7dB gain on transmit. Semi-directional (from 60 degree to 180 degree coverage) antennas are great for outside walls. Some have clockwise or counter-clockwise "Circular" polarisation patterns instead of the average horizontal or vertical (circular polarisation tends to be better for point to point applications, and your antennas should match each other - CW will talk to CCW).
For more information on this system, check out the GatorLink homepage and the GatorLink project page. I just wish all campus services used GatorLink (*ahem* ISIS).
Hello Cliff: While I have never posted on Slashdot I felt compelled to register and reply. PLEASE READ THIS CAREFULLY Allow me to explain that I am a network consultant and have learned the hard way on wireless--very hard and many sleepless nights. My first WLAN installation reminds me of where I think you may be right now, but I had done six months of research and had had endless hours of conversations with engineers from several manufacturers. Before we get to the problems I had, let's start with what you have missed overall: a site survey. NEVER even agree to take on a task like a WLAN unless you have done an extensive site survey. First, you will need blueprints if possible or will need to take fairly exact measurements of each apartment, know materials used in construction etc. You'll also need to have floor plans and more. That said, you should then know the maximum number of users and throw all the specs the manufacturer gave you out the window as regards range, distance and AP's required. And, I am assuming you will have over 20 users. In two different buildings? Don't go with consumer grade stuff like SMC for the AP's. SMC is the best of it but still lacks signal strength in many installs. Go with Cisco for AP's and routers, and ONLY Orinoco Gold cards for laptops and equivalent for desktops. You'll also need a portable spectrum analyzer and know how to interpret the data it provides. Not sure if they can be rented but I paid $3,000 for mine and it was a deal. You'll need to set up the AP's and then go to every location and check SNR etc.--and record all the data. There's a mountain of paperwork on a project like this, just for the site survey alone. After that's done you will still need to go to each apartment with a mid-range laptop and again record signal strength etc. There will be dead spots, and God only knows where a tenant will put their PC.
Now, you will have to roam about again with the spectrum analyzer AND a laptop to look for both multipath interference and to check for other 802.11b nets in the area. And did I mention if you are in a congested urban area or near a university or hospital you will also need to contact the admins at those institutions and hope they will cooperate and give you a map of their devices, antennae and locations? They generally will but may not even know where it all is if it's a large institution--and that can be yet another nightmare to solve. And, forget about promised scalability. Most AP's will really only handle 10 users or so, especially the consumer grade gear. At least unless things have changed drastically since November of 2001, my last nightmare install. You also have another problem: lack of a homogeneous hardware environment. On the Nightmare Project 2001 (as I call it now) I had some PC's that never worked right if at all on the WLAN (30 users in one university residence, off-campus.) I spent an average of 8 hrs a day on the phone with high-level engineers from Cisco and SMC. Both companies were good but had to admit at times they had no idea why some problems happened. And I had their home and cell phone numbers. I know. Was dealing with a mix of Macs, Linux boxen and Windows PC's running anything from 98 to XP. And some were old Gateways, others new Dells. Gateways were the worst. Forget about the idea that your big worry will be with other 2.4 GHz devices. Microwaves and phones have seldom been a problem for me on a project unless within 6 ft of the AP or wireless NIC. One stark exception is Panasonic phones, but this is a known issue for professionals. I am NOT anti-wireless but do think you should know that the obstacles you face are severe. I do this for a living and can say that I would not take on a project like this unless I had a very tight contract (you do have a lawyer, right?)
CAT 5 and other options are cheaper and more reliable--and I haven't even touched on servers or security issues. Wireless is NOT cheaper, is more difficult to roll out and is a real headache--especially in historical buildings and those "impossible to wire" locations. I still do a lot of it but only for corporate installs where I have an open floor plan and decent line of sight. I also refuse to do an install now unless I know the company has skilled admins and will allow me indemnification. Do what you like but don't go into this believing all you have read from manufacturers or home users. Hope you don't have to learn as painfully as I did. OK to email me at wavelanexperts@yahoo.com and I will be happy to chat on the phone or get you my real email. Good Luck!
I am in the process of developing a city-wide wireless network. Here are some of the things I am doing in my lab to prepare for rollout.
1. PPPoE
Yes it's annoying to users, and I'm not too fond of it myself, but it is a hell of a lot better than any other auth method, IMHO, and it allows me to do some cool stuff with radius.
2. Amps are your friend
Most interference can be weeded out just by drowning it out. Pick a channel, and stay with it; when and if you have problems with interference, amp it. Other devices that don't need as much as a spectrum in the 2.4 range, such as phones, will just look for another clearer channel. At the ITECH I beamed in a signal into the convention center from a nearby hotel and ran an IP phone over it. I found out the morning of the show that lots of other people were using wireless inside the building; I just ran up to the roof of the hotel and stuck on an amp, and bamo 11Mbs, nailed.
3. Channel Selection
Most devices I've played with will either default to channel 1 or 6; put your signal on a high number like 9 to avoid killing your clients' internal wireless network.
4. Saturation
The one concern I had is saturation; with only 11Mbs on 802.11b several power users could suck up a lot of that. I would expect that more technical clients will realize that they are on an ethernet segment together and start setting up shared folders for their buddy 2 doors down so he can get all of his mp3s/porn. With enough users it could turn into a problem. I am remedying this by creating a backbone of 802.11a and then distributing it with 802.11b
just my $.02