A WiFi-Only Office Network?

periol wonders: "I'm the sysadmin for a firm in mid-town Manhattan that is moving to a larger workspace six months from now. The new space is on one floor (100+ users to begin, 200 capacity) and is completely stripped. We've been playing around with the idea of completely wireless office, with no ethernet except to the access points (probably running over VPN for security). Email and files are all accessed locally over the network, and there is a web application hosted off site. Does anyone have experience with this kind of setup? My calculations are that we would need one access point per 15 computers, but I don't know what kind of issues we'll run into along the way. Will we run into unexpected periods of network downtime with a wireless-only setup like this?"

The downside to wireless office:

[Avillia]

"I'm a corporate snoop in mid-town Manhattan that wants to get trade secrets. The target company is moving to a newer and larger office. They've been playing around with the idea of completely wireless office, with no ethernet except to the access points (probably running over VPN for security). Email and files are all accessed locally over the network, and there is a web application hosted off site. How long do you think it will take me to crack the WPA/EAP key, and how big of a thumb drive/media card do you think I'll need to store all that juicy information?"

Re:The downside to wireless office:

[swillden]

How long do you think it will take me to crack the WPA/EAP key,

Which one?

Assuming EAP-TLS, each authentication is a mutual authentication using public/private key pairs on both access point and device. You'll need to crack the client's auth key to get in. So how long will it take you to crack a 2048-bit RSA key?

Or, assuming you want to sniff the data, rather than join the network, you need to crack the packet encryption keys. With WPA, that means you have to defeat TKIP, which changes the RC4 key on every packet transmitted, and isn't vulnerable to the related-key attacks that sunk WEP's stupid design. But if this is a new office, there's no reason for them to use the backward compatibility hack that is WPA, they should deploy WPA2, which uses AES for the packet-level encryption. Although both WEP and WPA/TKIP misuse RC4 in a way that enabled the WEP attacks (neither of them discard the first few hundred bytes of the keystream after a rekey operation), AES doesn't have the same potential weakness as RC4. Since the best known attack against AES is brute force, you're going to have to search a 128-bit keyspace. How long will that take you?

Given WPA2 and, say, EAP-TLS, the best known attacks on the WiFi security require breaking either RSA or AES. Good luck with that.

Absolutely not.

[jacobdp]

Wireless performance is shit. Here's the problem: Sure, 802.11g gives you a theoretical peak 54 mbps. However, not only do you never get more than 50% of it, that bandwidth is shared among every user on the network and is half-duplex. It's like having everyone on a single hubbed network - once a buch of users all start communicating at once, you get collisions, and performance drops. 1 user on wireless is fine. 5 or 10 is questionable. 50 will be like molasses.

Expect congestion, but not necessarily outages

[JimZim]

You needn't expect any network outages above and beyond the standard switch, AP, and WLAN card failure rate.

The main consideration in your plan is the 802.11 host density. The 802.11 spectrum is divided into 14 partially-overlapping channels. Each channel in 802.11g provides a maximum of 54Mbps (this is theoretical- actual throughput is closer to 25-40Mbps on a good day). Even by configuring channel selection for an even distribution, you'd still end up with at least 7 hosts per channel. Because 13 of those 15 channels would be surrounded by channels with statistically-equal amounts of traffic, you can't guarantee more than 3.8MBps per host (perfect theoretical world), or closer to 1-2MBps in practice.

While 2MBps is fine for internet downloads, you'll experience a noticable delay accessing any sizeable files on network shares, or moving email attachments around.

Additionally, because of the overlapping nature of the 802.11 channels, and the leaving-much-to-be-desired spectral filters in most 802.11 stations, when any one user is transferring a large file and maxes out their channel x, expect all the users on channel x-1, x, and x+1 to experience sluggish performance. Given at least 7 hosts per channel, and at least 2-3 channels affected per burst, any burst large traffic will impact no fewer than 21 users on the network.

In short, yes, you could do it, but count on substantially poorer performance than a wired solution.

And as with all professional-grade wireless networks, accept absolutely nothing less than a strong per-host-authenticated VPN tunnel.

Good luck!

Probably not a good idea.

[TreeHead]

I install wireless networks professionally and I can pick out a handful of factors that will make or break your decision:

1. ...in mid-town Manhattan
2. The new space is on one floor...
3. ...100+ users to begin, 200 capacity...
4. ...(probably running over VPN for security)....
5. ...there is a web application hosted off site.

Issue 1: RF Interference
Addressing item #1, how much square footage do you anticipate these 100+ people using? According to item #2, you intend to accomplish this on one floor, and given that you are in mid-town Manhattan, I imagine a small office footprint.

At first blush, this sounds like a recipe for disaster--at least as far as I understand what you are doing. First of all, just being able to service X number of wireless users per access points is not enough. You have to consider how the RF field being put out by each AP will overlap others. In the US there are 11 channels for 802.11b/g and only 3 do not overlap (at least enough for it to matter practically); too much inter-accesspoint overlap will cause a sever drop in throughput--APs will be fighting each other's RF output. You may find yourself at the very least having to dial back each AP's power output significantly just to get clients to associate reliably. Also bear in mind that given you will be on a single floor, your RF output will extend three dimensionally to upper and lower floors if you are using directional antennas. This is not just an issue for your neighbors, but also with multipath distortion.

Issue 2: Latency
You mention that your network will "probably running over VPN for security" which will add to the already high latency of a wireless network. The overhead involved in setting up a connection on a wireless network and transmitting in a timely manner is exhorbitant by comparison to Ethernet. Add to that an even higher overhead for a VPN (even hardware accelerated) and you've got a recipe for disaster on all but the most tolerant user base. Item #5--your off-site web app--is likely to cause serious headache.

Latency will be a major factor if you intend on doing any amount of VoIP or video conferencing, and this traffic will require traffic shaping too.

Issue 3: Throughput
The reality is that we are still in a "Pre N" world. The very maximum you can squeeze out of your 802.11g network is around 22Mbps overall. And here's another fact that a lot of admins don't know: as soon as you associate 1--just 1--802.11b client to that g network, your total maximum throughput drops immediately to 8Mbps. Compare this to Gigabit Ethernet in performance vs. cost.

My suggestion is to design a wireless network that will properly cover the office space, but cable Ethernet drops for key locations such as stationary offices and conference areas that are likely to see a lot of consistent use. Users should be able to roam about the office, but have a drop at their disposal if their application demands it. Your users will be happier, you will be happier, and you won't run the risk of cooking your staff with all those microwaves. :D