A WiFi-Only Office Network?
periol wonders: "I'm the sysadmin for a firm in mid-town Manhattan that is moving to a larger workspace six months from now. The new space is on one floor (100+ users to begin, 200 capacity) and is completely stripped. We've been playing around with the idea of completely wireless office, with no ethernet except to the access points (probably running over VPN for security). Email and files are all accessed locally over the network, and there is a web application hosted off site. Does anyone have experience with this kind of setup? My calculations are that we would need one access point per 15 computers, but I don't know what kind of issues we'll run into along the way. Will we run into unexpected periods of network downtime with a wireless-only setup like this?"
...and remember to put your microwave oven in an RF shielded cage. Hot coffee is not worth network downtime.
Also look into getting some anti-radiation / stealth wallpaper.
Got Debt?
Wireless performance is shit. Here's the problem: Sure, 802.11g gives you a theoretical peak 54 mbps. However, not only do you never get more than 50% of it, that bandwidth is shared among every user on the network and is half-duplex. It's like having everyone on a single hubbed network - once a bunch of users all start communicating at once, you get collisions, and performance drops. 1 user on wireless is fine. 5 or 10 is questionable. 50 will be like molasses.
A completely wireless network is a bad idea for numerous reasons.
1) Reliability. I have yet to find a decent AP that doesn't need to be power cycled every so often to get things working again (although I haven't ever used a business quality AP)
2) Speed. As far as I know, pre-N technology hasn't been fully adopted and the best you can do is 802.11g (54Mbps) basically half of what you would get with wired (100Mbps). Granted you rarely ever get the full 100Mbps, but you rarely ever get the full 54Mbps either.
3) Management. You mentioned needing one access point per 15 computers, so you are looking at 7 APs to start and 14 after your growth. Do you or your IT department really want to manage 14 APs when you could throw in a couple of 48 port switches?
Personally, I have never seen the benefit to having a wireless card for a desktop computer when there is the possibility of wired. I have only used a wireless card in a desktop on one occasion; an apartment where it was basically impossible to run wires from room to room. Wireless technology is best suited for devices that are mobile; laptops, PDAs, etc.
My recommendation would be to go with a traditional wired network to each desk area (hopefully not cubicles). This will allow each employee to have access to the 100Mbps wired network to their desktop or laptop while at their desk.
For wireless access, I would recommend one of two solutions. If you have lots of non employees that visit your office with their own laptops, I would set up an unsecured wireless network with 2-3 APs that is on a separate network than the wired network. There is nothing more frustrating to me than having to help visitors enter a WEP key. Employees could then use VPN to connect to the secured (wired) network while on the wireless network. However, if you don't have many visitors, then you go with a WEP key (or Radius or WPA or whatever) secured wireless network and forego the VPN connection.
As my Uncle always taught me... My advice is free and worth every penny.
You can't just add access points to increase capacity... the limitation is the radio frequency space available. Remember there is only room for 3 wifi channels (1, 6, 11) in the 2.4GHz spectrum. Add a fourth into the same space, and you're just stepping on the others and causing interference. Of course I'm assuming 802.11b/g here, as 802.11a has 20 distinct channels.
The other issue that people have mentioned is outside interference. Microwave ovens can be a real bummer. So can the little cordless 2.4GHz headsets executives seem to like. And you better hope nobody sets up a 2.4Ghz video sender for their security system in the vicinity. Or a nearby cell tower, or radio station. You could be working perfectly for a year, and then suddenly have your network permanently broken by something completely outside your control or ability to change.
There's a reason you don't hear of many people doing this.
-R
I provide helpdesk support for an environment with laptops that offer both wired and wireless connectivity. Attempting to authenticate to the domain, or use remote desktop software, is "untimely" at best, and nearly impossible for many occasions. A script that would take less than 10 seconds often drags on for 3-4 minutes when the target system feels the session should be routed over the WLAN.
Hey, no problem, you can connect using the IP assigned to the wired NIC, right? Good luck when the script only accepts the hostname, and that's mapped to the WLAN NIC. You can remap it by editing the hosts file, but when the system is FUBAR'ed to the point the user can't log on to read the other IP, your fix is useless. A substantial amount of troubleshooting time would be saved if wireless capability was only enabled on machines that need it.
And you want every machine to rely on the WLAN as the primary (or only) connection? It might work in a local shop, but be prepared to have users drag their machines over to you every time their system breaks.
We have several offices.
We put in 100% wireless at one when we moved. Saved us a bundle of time, but there were dead spots all over the place. Lots of people had laptops and moved around with them - some offices had good connectivity, some didn't. In hindsight, we didn't have enough access points to provide good coverage. We eventually switched to wired due to user frustration.
In the next office we learnt. Fewer people have laptops and move around. Everyone fixed is wired. Laptops have the option and using IBM's s/w on the thinkpads, they seamlessly switch when you unplug to move (in fact, some choose to stay wireless all the time). We carefully chose the locations of the APs by testing. Throughput is down but not noticeably so.
What to learn:
Think of access points in terms of distance between them and coverage as well as number of people connecting. And figure this out by testing, not by reading manuals. Walk the floor with a laptop and test every office, nook and cranny - there are lots of unexpected dead spots.
Security is not a problem - WPA is a piece of cake to set up and (as yet) unbroken.
So it can work.
How long do you think it will take me to crack the WPA/EAP key,
Which one?
Assuming EAP-TLS, each authentication is a mutual authentication using public/private key pairs on both access point and device. You'll need to crack the client's auth key to get in. So how long will it take you to crack a 2048-bit RSA key?
Or, assuming you want to sniff the data, rather than join the network, you need to crack the packet encryption keys. With WPA, that means you have to defeat TKIP, which changes the RC4 key on every packet transmitted, and isn't vulnerable to the related-key attacks that sunk WEP's stupid design. But if this is a new office, there's no reason for them to use the backward compatibility hack that is WPA, they should deploy WPA2, which uses AES for the packet-level encryption. Although both WEP and WPA/TKIP misuse RC4 in a way that enabled the WEP attacks (neither of them discard the first few hundred bytes of the keystream after a rekey operation), AES doesn't have the same potential weakness as RC4. Since the best known attack against AES is brute force, you're going to have to search a 128-bit keyspace. How long will that take you?
Given WPA2 and, say, EAP-TLS, the best known attacks on the WiFi security require breaking either RSA or AES. Good luck with that.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm one of the 20 laptop users in my office of 60 or so with 2 to 8 clients in our office at any one time. Our biggest issue is with the dsl going tits up at 5AM when the cranky old farts arrive in the office and stew until I arrive to reboot the dsl modem at 7AM. I put a xmas light timer on it to reboot it every night at 2AM.
The wireless is working fine for now with only me (vpn to our network) and a few clients and two printers. I'm adding two d-link range extenders this weekend to test for a while before we move to our new office and quadruple our office space. I also expect the dropping connection to go away once I upgrade my card from a b to a newer g card.
In my experience, I've set up WPA-PSK security with a nondescript SSID and a superlong marketing phrase as the key. Had several complaints about the key being too long; I always offer to type it in for them and I explain that it's for their protection. I could care less if some hacker uses a crappy dsl line to screw around, it's not connected to our network, but I would care if they got in and into the files of my clients on their laptops.
You don't say why you don't want a copper plant -- but it seems like you're giving network wiring a bad rap. Do you intend to have laptops assigned to everyone, and intend for them to roam around the office all day? (I'm picturing a scene of dogs wandering around at a dog park as I write this!) If the users are primarily sitting at their desks and are using "desktop" machine, there doesn't seem to be much of an advantage to go wireless -- in fact, I'd say that you'd have more headaches.
I'm assuming that you want to do this because the userbase is mostly laptop-based.
You definitely will spend a lot of money on getting real wifi equipment to do this roll-out. At the very least, you will want to have access points that will handle WDS correctly so that people can roam around from AP to AP. You will want to have central configuration management, performance/usage monitoring, and security management. (One product off the top of my head that might be useful: WiFi WorkPlace.)
Note that with wifi, each access point acts essentially like a shared hub -- and the throughput is less than half of the signaling speed -- so your 10 users on the same 54-Mbps AP will be on an effective "20 Mbps" hub... Latency is higher, too. Yuck.
In order to keep the footprint of each "hub" (AP) small to ensure reasonable performance, you will need a lot of low-powered access points. And hope that your client machines are running bug-free drivers --- back when I used to play with linux wlan drivers, we sometimes had a client go crazy and pump up the transmitter to max power in order to associate with the AP on the other side of the building -- and stepping on a lot of traffic in the process.
Good luck!
Intel's Jones Farm campus uses primarily wireless. Here's an article in Cisco's Packet magazine (free registration and stupid Flash program required).
So if you're figuring on 1 AP per 15 users, you're going to be needing 7 APs to start with, and possibly up to 14 eventually. But if those 15 users have to share the bandwidth on that one AP, they're getting (on a really good day) about 3 Mbps of bandwidth if you go 802.11G. If you're wired for only Fast Ethernet they're going to be getting more than 20 times that.
The second question is the physical layout of the place. If it's a big empty warehouse type of place, there will be very little physical interference in the form of walls and such. If you are setting up a cube farm there will be even less, and the people will be packed fairly tightly into that space. If the APs are that close together, you're going to have lots of coverage area overlap, and with only three non-overlapping frequency ranges you will undoubtedly have roaming and AP association issues. You may plan on 15 users per AP, but that's just an average. If 30 of your users associate with one particular AP because it has the strongest signal, you will get lots of complaints very quickly.
Then there's the numerous security and cost issues which have been covered in other posts.
To best secure your network you'll have to block unwanted RF getting in and out, aka a Faraday cage http://en.wikipedia.org/wiki/Faraday_cage and then all of the users will start bitching that their mobile phones don't work.
From my experience I've found wired networks far cheaper in the long run. The cable costs may be high to lay, but once in, maintenance and upgrade costs are low. Whereas with wireless, support costs are high and ongoing. We only use wireless as a bandage till the wires are in.
If you want really secure wireless, do it at the power switch.
[sVen]
Seriously, there are several systems vendors who you should check with:
Trapeze Networks (www.trapezenetworks.com), Aruba (www.aruba.com), and Meru (www.merunetworks.com) are able to deliver wireless systems with centralized management and control. You'll be able to use extremely strong encryption and authentication, you'll have granular user control for access management & VLAN structuring, and you can even monitor the wireless frequencies to detect "attackers" and "rogue access points".
Many laptops are now equipped with 802.11a and 802.11b wireless client cards, so AP crowding is no longer a problem (there are plenty of free channels in the 5.0 GHz frequency band).
So take a look, and you'll find these vendors have put a lot of thought into the reliability & security issues
theMole
It really depends on your usage. For standard internet access you can get by with 1 AP per 20 users. Anything more than that you need more APs. 5 users per AP is more realistic for users doing more than web surfing. Wireless sucks for moving large files around. Not a problem for any single user but more if more than one tries to do it your network goes in the toilet.
You can deploy a secure WLAN infrastructure but it takes some work. Ideally you would have a wireless IDS system such as Air Defense and encryption on the "wire". Some options for encryption are Air Fortress and Cranite. Both install a layer 2 encryption client. Depending on what kind of AP you are using, you can set them up to only forward Air Fortress frames and ignore everything else. Another option is an Aruba Networks product. They are centrally managed and they have integral WIDS and encryption.
If your users are using laptops you should mandate some sort of file system or whole disk encryption. Laptops are cheap to replace if a user leaves the laptop in a coffee shop, but losing data is not cheap.
Look at the overall costs for all of the solutions before you make a decision.
The University of Paderborn in Germany (http://www.uni-paderborn.de/) uses a wifi network for about 14000 students plus profs and bureau staff. There are sometimes problems with the connection due to heavy traffic at some access points, but the overall performance is excellent.
I don't think you could generally say: many users in a small space over wireless = problems
This is why I would recommend using 802.11a. Stay far away from 802.11b/g in a setup like this. Not only are you further away spectrum-wise from common sources of interference, 802.11a allows you 8 non-interfering channels vs 3 for 802.11b/g. This means you can have 8 APs in close proximity without causing interference.
Your calculation of 15-20 users per AP is a sound one. This will equal ~1Mbps/user of actual IP throughput. Plenty for most people.
Finally, I would recommend buying an enterprise-class wireless switch product from a company like Aruba Networks, Cisco, or Trapeze. With the density of APs you're talking about you will want the automatic calibration features that these products provide. Not to mention they'll allow you to use the latest Layer-2 auth and encryption schemes like WPA2 so your users will have single sign-on, secure access to the network.
Good luck,
Chris
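The "users per AP" arithmetic and the "only 3 non-overlapping channels" argument from the two posts above (7 APs for 100 users, ~half the PHY rate usable, 3 channels for b/g vs 8 for a) can be turned into a small planning check. This is an added example, not code from any poster or vendor; the 2x4 AP grid, the 50% MAC efficiency factor and the greedy channel assignment are my assumptions, and the channel lists are the classic 2.4 GHz (1, 6, 11) and 5 GHz 802.11a (36..64) sets the thread refers to.

```python
# Added example: rough WLAN capacity and channel-reuse planner.
from math import ceil

CHANNELS_2G = [1, 6, 11]                          # 802.11b/g non-overlapping
CHANNELS_5G = [36, 40, 44, 48, 52, 56, 60, 64]    # 802.11a, 8 channels
MAC_EFFICIENCY = 0.5   # assumed: posters' "never more than 50%" rule of thumb

def aps_needed(users, users_per_ap):
    """APs required so that no AP carries more than users_per_ap clients."""
    return ceil(users / users_per_ap)

def per_user_mbps(phy_rate_mbps, users_per_ap, efficiency=MAC_EFFICIENCY):
    """Fair-share throughput when users_per_ap clients load one AP at once."""
    return phy_rate_mbps * efficiency / users_per_ap

def grid_overlap(rows, cols):
    """Constructed floor plan: APs on a rows x cols grid where every AP's
    coverage overlaps its horizontal, vertical and diagonal neighbours."""
    names = {(r, c): f"{chr(65 + r)}{c + 1}"
             for r in range(rows) for c in range(cols)}
    adjacency = {}
    for (r, c), name in names.items():
        adjacency[name] = [names[(r2, c2)] for (r2, c2) in names
                           if (r2, c2) != (r, c)
                           and abs(r2 - r) <= 1 and abs(c2 - c) <= 1]
    return adjacency

def assign_channels(adjacency, channels):
    """Greedy colouring: overlapping APs must not share a channel.
    Returns (assignment, list of APs that could not get a clean channel)."""
    assignment, conflicts = {}, []
    for ap in sorted(adjacency):
        used = {assignment[n] for n in adjacency[ap] if n in assignment}
        free = [ch for ch in channels if ch not in used]
        if free:
            assignment[ap] = free[0]
        else:                       # every channel is taken by a neighbour
            assignment[ap] = channels[0]
            conflicts.append(ap)
    return assignment, conflicts

if __name__ == "__main__":
    print("APs for 100 users @15/AP:", aps_needed(100, 15))
    print("Mbps per user on a loaded 54 Mbps AP:", per_user_mbps(54, 15))
    floor = grid_overlap(2, 4)      # 8 APs packed on one open floor
    for label, chans in (("2.4 GHz", CHANNELS_2G), ("5 GHz", CHANNELS_5G)):
        plan, bad = assign_channels(floor, chans)
        print(label, plan, "co-channel APs:", bad)
```

With the dense grid, the 2.4 GHz plan leaves two APs sharing a channel with a neighbour, while the eight 5 GHz channels assign cleanly.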
An all wireless network for a 100+ person office may be buying a lot of trouble. For example, one user running a multicast app (think "ghost") means the whole network will become unavailable. One user with a 2.4GHz phone or someone making popcorn in the corner kitchenette and you're going to have a lot of drop outs. One user with a PDA running B and your shared 22Mb/s (max) tput G network suddenly drops to 14Mb/s or less.
I'd definitely go with wired jacks with wireless available for convenience.
If you're dead set on this, though, you might actually be ok if you want to invest in a Meru network. One thing that's very nice about their product line is that their access points actually use CTS/RTS to control who's talking at once to guarantee bandwidth availability, so you might not be dead. But that's not a cheap solution. They are at this time unique in the wireless industry with this functionality. They're also the only vendor in the industry we've tested where having a B radio associated doesn't significantly drop tput (our testing showed that one B radio dropped G tput to about 20Mb/s).