
NOTE: This site needs to be brought up to date, the WLAN pages being really outdated, links not working anymore, ...
My apologies.

Wireless LAN problematic
in a Home, Telecommuter or SOHO environment

Some considerations (en Français) about Wireless LAN, also called WiFi, in a private home usage context, as a telecommuter, or in a professional SOHO environment (Small Office, Home Office).

Health concerns : Be aware that WiFi devices produce microwaves (like your mobile, oven, ...) and a lot of questions are still open about their impact on health. The precautionary principle would then recommend not using them. So, if most of the time you work from a fixed place (your desk) with the broadband router at the corner of it, rather consider a wired-only device. You can always cascade a WiFi one (either WAP or router) behind it when you really need it, and switch it on only when required. This is what I personally do, and recommend ! You can as well disable WiFi on your router, but then when you need it, you'll have to change its configuration again from a wired PC (which also reboots it), hence the use of a separate box you can simply switch on/off.



1.  Security issues

The concern with wireless networking is that the range can extend far beyond the walls and parking lots of your building or office locations. There is no way to limit the propagation. Therefore, anyone wishing to attack your network and/or steal information can easily do so by "war driving". War driving is the act of locating and possibly exploiting connections to Wireless Local Area Networks (WLANs). War driving requires the use of a computer device, an antenna, and software tools that can detect and exploit wireless access points.

WLANs may be considered similar to broadband connections, that is, when active they expose networks to continuous probing. Once discovered, unprotected networks make for easy targets. PCs residing on WLANs may be compromised, can expose proprietary data and can be used as back doors to more secure network locations. Without appropriate safeguards, distributed denial-of-service attacks, worms and viruses can traverse these wireless access connections right into your home or business network (LAN) and hosts (servers, PCs, ...).

A wireless access point (WAP) is a public access, just like connecting your LAN (wired or not) to the Internet, but with one major difference : only your neighborhood can access it. Is this worse or better than the Internet ? Think about it and provide your own answer ... From my point of view, even with a broadband connection, when connected to the Internet I regularly change IP address and nobody knows it : I feel completely anonymous ! Anonymity is not synonymous with security, I agree, but this is out of the scope of wireless security.
Now, with a WAP, my home LAN is extended to my neighborhood, it is not anonymous anymore ! Even if I have very good relationships with my neighbors, first I don't know all of them, second this is not a reason to invite everybody onto my LAN, to share my broadband access with anyone (if someone uses your broadband connection "for free" to surf, it isn't really a security concern, he will just "eat" some of your bandwidth !), and third I don't want them to know what I do at home (I switch my connection on only when needed) : a little privacy please. In other words, my first concern is to convert this public access into a private one !

1.1  Home usage

This said, in a home environment, for private use or as a telecommuter, aside from the privacy aspect, the wireless gateway is not a security issue by itself : it can just provide you some extra security, and without it, your PC is/was directly connected to the Internet. Even if you configure your router with the biggest security holes, you'll never be less secure than without it : the true security must rely on each PC's own security, provided by a personal firewall.
 
Now, the wireless gateway also gives you a home LAN, and you can use it not only to share the Internet access, but also to share private resources like printers, disks, folders, files, … and those shared resources are exposed to the Internet, accessible over wireless. And here, you open security issues, open holes on your hosts, PCs. Remember, as soon as wireless is activated on the wireless router, your wired connections are exposed as well : the router makes no distinction, at IP level, between wired and wireless connections : both are part of one single LAN ! The only way to share resources in a completely secure way is to do it only through wired connections, and disable the wireless (and the Internet connection) while you transfer data and while you set up shared resources (folders), then immediately "unshare" the folder before re-enabling wireless (Internet). That will comply with the strictest business security policies.
 
Regarding business security, using your broadband connection for "teleworking", if you connect to your corporate network using a sound VPN client with IPSec encryption and have a personal firewall, you're safe, that PC is safe. But are you always connected to your corporate network, and when not, is your personal firewall always active on your wireless/wired interfaces ? The concern is more when you directly surf the Internet without going through the corporate network, or if you have other PCs connected (wired or wireless) to the gateway. If you also use another PC to back up your (company) data (which is a good idea), is that PC well protected ?
 
In summary, with a personal firewall on each PC, you're safe. The concern is more the PCs without FW, or with an opened FW (for games), holding "sensitive" data, on your home LAN (wired or not).
And remember, enabling a wireless access point on your LAN is putting it in the public space !

1.2  Small Office context

Typical and widely available wireless broadband routers are designed for home usage, a context slightly different from professional usage in a small office, where wireless may just be required for work convenience, the first need being a Wireless Access Point (WAP).
 
As explained in the previous section, "WiFi routers" are mainly designed to share an Internet connection (broadband over ADSL or cable) between several users, for private applications (surfing, on-line games, ...) as well as professional use (secure connection, with an encrypted tunnel (IPSec) to the corporate network) : it's in that context that I wrote the Wireless broadband router configuration guide.
 
For a professional intra-muros WiFi usage, the problem is quite different.
 
First comes the security issue : wireless or WiFi, even with WEP (Wired Equivalent Privacy) encryption, is not considered safe. You can easily find on the net programs / methods to break WEP. In other words, seeing the traffic on your LAN is almost a "kid's game". By "seeing the traffic", I mean copying all that goes over the LAN, including passwords if in clear (not encrypted), data (files) flowing between the server and PCs, printed files, ... Le loup dans la bergerie (setting the fox to mind the geese) !
 

2.  Throughput considerations

Then, from a throughput perspective, WiFi 802.11b works at 11 Mbps, 802.11g at 54 Mbps, both in the 2.4 GHz band, or 802.11a also at 54 Mbps but in the 5 GHz band with a shorter range. (Here a detailed Wireless standards comparison chart from Linksys.) Those bandwidth values are theoretical ones; practice is quite different. First, about 40% of it is wasted by the wireless protocol (overhead, collision avoidance, ...). Then, this bandwidth is shared between all connected PCs. So, if the server and the client are both on WiFi, the actual available bandwidth is only half ! Furthermore, the WiFi signal (RF) declines quickly with distance (802.11a faster than 802.11g, itself faster than 802.11b), and especially with the number of walls / floors crossed, but is also affected by other appliances working in the same frequency range (wireless phones, microwave oven, ...). Wired LANs are today at 100 Mbps : a maximal theoretical value, here also shared between PCs with simple hubs, and dedicated with switches (but the server segment is still shared). However, with only 2 PCs on the LAN, the actual maximum is close to 80% or 90% of it, and 60% for a more loaded LAN.

For home usage, to share an Internet access or access it wirelessly, the performance of an 802.11b box is in line with my broadband access : my ADSL having a ceiling at 4 Mbps, wireless at 11 Mbps theoretical (or even at 22 as some claim), 4.5 Mbps in practice, is more than enough. And when I want a good throughput from PC to PC, nothing beats an Ethernet cable.

I made some tests that way with my Wireless Broadband Router on 10 & 100 Mbps LAN, and on 802.11b wireless. You can see the results at WLAN performance tests.
 

3.   WiFi cascaded behind Wired router

Due to the uncertainty of the impact of microwaves on human health, if most of the time you work from the same place (your desk) and only use or need a wireless connection now and then, I would recommend a cascaded configuration. Therefore, select a wired-only router in front of your broadband connection, and cascade a wireless box behind it (plugged into one of the LAN (private) ports). This way, you can easily switch on/off the WiFi, the microwaves.

3.1   Cascaded mode

Such a configuration is illustrated below, with one wired broadband router and, cascaded behind it, a wireless broadband router. This corresponds to my own configuration, because I first bought the wireless box before considering its health impact (as most of us ?). You can as well use a Wireless Access Point (WAP) as WiFi device, which should be the simplest and cheapest solution.

The wired router must be configured the standard way. The WAN port must match your Internet provider settings. For the LAN, I suggest however to use a specific IP subnet. In the example, the subnet is 10.20.30.16 /29 (mask 255.255.255.248) for a range of 8 IP addresses, with 6 of them usable for hosts/PCs : .17 to .22 (and as most boxes only have 4 ports, you don't need more !). If static DHCP is available, I also recommend reserving one of them for the wireless router, so that it will always have the same (known) IP address. This can be useful for more complex configurations/settings, e.g. if you want to access PCs on the unsecure segment, or if you want to configure the WiFi device from the private segment (considered as WAN or public segment by the wireless router). And because you know where your Ethernet cables go, you don't need extra security on the wired device (no MAC address filtering, ...). But remember, when switching on the WiFi device, the private LAN becomes exposed too !

You then plug the WAN port of the wireless router into any LAN port of the wired router, possibly using a crossover cable (but normally not, refer to your manuals). The WiFi router will consider the private segment as the WAN. The WAN port must be configured with dynamic DHCP, so it will get its IP address and other parameters like DNS from the wired router. The unsecure segment must have a different IP subnet than the private segment : in the example, its LAN subnet is 10.20.30.16 /28 (mask 255.255.255.240) for a range of 16 IP addresses, with 14 of them usable for hosts/PCs : .33 to .46. As the wireless router will open your home network to the neighborhood, it requires more attention on security aspects. Refer to the Wireless broadband router configuration guide for more information, and as guidelines for the wired router configuration as well : DHCP, LAN, WAN, ... principles (and parameters) being the same on both boxes.

As each box (wired & wireless) does Network Address Translation (NAT, or rather Port Address Translation (PAT)), packets from the wireless (unsecure) segment will be translated twice before going to the Internet ... without problem. I've tested the above configuration with a D-Link DI-604 as wired device and a DI-614+ as wireless router, and all works perfectly, including IPSec tunneling to my company's corporate network (in red on the diagram).
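The addressing plan of the cascaded configuration is easy to get wrong, because the WiFi router routes between the wired LAN (its WAN side) and its own LAN, so the two subnets must not overlap and the reserved WAN address must be a usable host of the wired LAN. The following check, written for this page as an added example (it is not the author's code and talks to no router), uses Python's standard ipaddress module to describe each subnet and validate the pair. It assumes the page's subnet values, and a constructed static DHCP reservation of 10.20.30.22 for the wireless router's WAN port. Note that the host range .33 to .46 quoted for the unsecure segment belongs to 10.20.30.32/28, and the check shows why 10.20.30.16/28 would be rejected: it shares addresses with the wired 10.20.30.16/29.

```python
import ipaddress

# Added example for the cascaded-router addressing plan; not the page's code.
# Subnets are the page's example values, the .22 reservation is a constructed
# assumption (any usable host of the wired LAN would do).


def describe(cidr):
    """Return (network, first usable host, last usable host, usable count)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return net, hosts[0], hosts[-1], len(hosts)


def subnet_for_hosts(first_host, last_host, prefixlen):
    """Return the /prefixlen network holding both hosts, or None when they
    fall into different networks (the quoted host range is not one subnet)."""
    first = ipaddress.ip_network(f"{first_host}/{prefixlen}", strict=False)
    last = ipaddress.ip_network(f"{last_host}/{prefixlen}", strict=False)
    return first if first == last else None


def check_cascade(wired_cidr, wifi_cidr, wifi_wan_reservation=None):
    """Check a wired-router LAN against the LAN of a WiFi router cascaded
    behind it. Returns a list of findings; an empty list means the plan is
    consistent."""
    findings = []
    wired = ipaddress.ip_network(wired_cidr, strict=True)
    wifi = ipaddress.ip_network(wifi_cidr, strict=True)

    # The WiFi router routes between its WAN (the wired LAN) and its own LAN,
    # so the two subnets must not share a single address.
    if wired.overlaps(wifi):
        findings.append(f"{wired} and {wifi} overlap: the WiFi router's LAN "
                        f"must not share addresses with its WAN side")

    # The wired router's static DHCP reservation for the WiFi router's WAN
    # port must be a usable host address of the wired LAN.
    if wifi_wan_reservation is not None:
        addr = ipaddress.ip_address(wifi_wan_reservation)
        if addr not in wired:
            findings.append(f"reservation {addr} is outside the wired LAN {wired}")
        elif addr in (wired.network_address, wired.broadcast_address):
            findings.append(f"reservation {addr} is the network or broadcast "
                            f"address of {wired}")
    return findings


if __name__ == "__main__":
    for cidr in ("10.20.30.16/29", "10.20.30.32/28"):
        net, lo, hi, n = describe(cidr)
        print(f"{net}: mask {net.netmask}, {n} usable hosts {lo} - {hi}")
    print("hosts .33-.46 at /28 form", subnet_for_hosts("10.20.30.33", "10.20.30.46", 28))
    for wifi in ("10.20.30.16/28", "10.20.30.32/28"):
        print(wifi, check_cascade("10.20.30.16/29", wifi, "10.20.30.22") or "OK")
```

Running it prints the two subnets with their masks and usable ranges, then one finding for the overlapping candidate and "OK" for 10.20.30.32/28. The same check applies to any pair of cascaded NAT boxes, whatever the private ranges chosen.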
 

3.2   WAP mode

Alternatively, you could use your wireless router as a Wireless Access Point (WAP), bypassing all router and FW features.

To do this, plug an Ethernet (crossover) cable between a LAN port of each device, and do the following configuration steps (not all are mandatory, depending on the security level you want) :

This way, your wireless router just extends your LAN over WLAN, without any filter or protection (hence the importance of the last point above !). But this could be required for protocols that don't support IP routing and/or IP Network Address Translation (NAT), like pure LAN protocols (local printing, ...).

I also tested this, for sharing printers between Mac computers, as I couldn't totally open the FW on the wireless router.

4.  SOHO tentative design

This said, WiFi is very attractive, popular, comfortable and allows freedom of work.

So, if you really want to work wireless in a SOHO environment, the most secure approach is to cut the LAN in two segments : one wired, "safe" or "private", and another WiFi, "public". Servers and printers, and as many fixed PCs as possible, must be connected wired (via an Ethernet cable) on the "private" segment. On this one, the traffic is free between hosts (between PC and server, or from PC to PC). On the "public" or wireless segment, you have to take safeguards, security measures : encrypted tunnel (IPSec) and Firewall (FW). Typically, the FW will play the tunnel server role for all PCs on the "public" segment. With encrypted IPSec tunnels, you'll build a "Virtual Private Network" (or VPN), hence the VPN server terminology also used. PCs on the "public" segment should moreover have a personal FW to protect them from external attacks : WiFi or Internet. With this set up, you can add an Internet connection (ADSL or cable) without any additional risk : in fact, from a security perspective, wireless and Internet are on the same footing.

From a practical point of view, it is possible to build such a configuration without investing that much, but you'll need at least two boxes : one for the separation of the private and public segments, which will act as FW and VPN server, and the other, on the public segment, as Wireless Access Point (WAP). The latter could as well manage the Internet access; you'll then practically have a second FW, with other features like address translation, mandatory to "hide" all PCs (each having its own IP address) behind one single IP address when going out on the Internet (this is what is called Network Address Translation (NAT), or more accurately "many to one NAT" or PAT (Port Address Translation)).

Cherry on the cake, with all this you could as well, with the same level of security, connect to your server from anywhere on the Net. All this is configurable.

To make all this more comprehensible (?), here is a small diagram :

All I explained here corresponds to companies' security standards, to those with a minimum security policy. This is maybe a little paranoid, but remember that someone with a laptop could access your LAN from the neighborhood, from a car in the street ...
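The policy the FW must enforce between the two segments can be stated as a short ordered rule set: the private segment may talk freely, the public (WiFi) segment and the Internet may only reach the FW's IKE/ESP service to set up an IPSec tunnel, decrypted tunnel traffic may then enter the private segment, and everything else is dropped. The model below is an added example written for this page (not the author's code, and not a real firewall); it evaluates constructed packets against that policy so the design can be reasoned about before buying boxes. All addresses are constructed assumptions: 192.168.10.0/24 for the private segment, 192.168.20.0/24 for the public one, and 192.168.20.1 as the FW's VPN server address on the public side. It goes one step beyond the text by adding an anti-spoofing rule: a packet claiming a private-segment source but arriving on the public or WAN side is dropped first, so a WiFi host cannot impersonate the server segment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example modelling the two-segment SOHO design; not the page's code.
# Constructed addressing (assumptions, not the author's values):
PRIVATE = ipaddress.ip_network("192.168.10.0/24")   # wired "safe" segment
PUBLIC = ipaddress.ip_network("192.168.20.0/24")    # WiFi "public" segment
VPN_SERVER = ipaddress.ip_address("192.168.20.1")   # FW address on the public segment

IKE_PORT = 500   # IKE negotiation runs over UDP/500
ESP = "esp"      # IPsec ESP (IP protocol 50) carries the encrypted payload


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    ingress: str                # interface it arrived on: "private", "public" or "wan"
    dport: Optional[int] = None
    via_tunnel: bool = False    # True once the FW has decrypted it from an IPsec tunnel

    def src_ip(self):
        return ipaddress.ip_address(self.src)

    def dst_ip(self):
        return ipaddress.ip_address(self.dst)


def is_tunnel_setup(p):
    """IKE (UDP/500) or ESP addressed to the FW's VPN service, from anywhere:
    the same rule serves the WiFi segment and remote users on the Internet."""
    return p.dst_ip() == VPN_SERVER and (
        (p.proto == "udp" and p.dport == IKE_PORT) or p.proto == ESP)


# Ordered rules, first match wins: (name, predicate, decision).
RULES = [
    # A private-segment source address arriving on any other interface is forged.
    ("anti-spoof", lambda p: p.ingress != "private" and p.src_ip() in PRIVATE, "deny"),
    # The wired segment is trusted and may reach the public segment or the Internet.
    ("private-outbound", lambda p: p.ingress == "private", "allow"),
    ("tunnel-setup", is_tunnel_setup, "allow"),
    # Only traffic that came out of an authenticated tunnel may enter the private segment.
    ("decrypted-to-private", lambda p: p.via_tunnel and p.dst_ip() in PRIVATE, "allow"),
    ("default-deny", lambda p: True, "deny"),
]


def evaluate(p):
    """Return (decision, matching rule name) for one packet crossing the FW."""
    for name, match, decision in RULES:
        if match(p):
            return decision, name
    raise AssertionError("unreachable: default-deny always matches")


def audit(packets):
    """Evaluate a batch and return [(summary, decision, rule), ...]."""
    return [(f"{p.src}->{p.dst} {p.proto}/{p.dport} via {p.ingress}"
             + (" [tunnel]" if p.via_tunnel else ""), *evaluate(p)) for p in packets]


# Constructed sample traffic: a WiFi laptop, the wired server and a remote user.
SAMPLE = [
    Packet("192.168.20.50", "192.168.10.10", "tcp", "public", 445),            # file share in clear
    Packet("192.168.20.50", "192.168.20.1", "udp", "public", IKE_PORT),        # tunnel negotiation
    Packet("192.168.20.50", "192.168.10.10", "tcp", "public", 445, True),      # same share, inside tunnel
    Packet("203.0.113.5", "192.168.20.1", ESP, "wan"),                         # remote user's ESP
    Packet("203.0.113.5", "192.168.10.10", "tcp", "wan", 445),                 # Internet probe
    Packet("192.168.10.10", "192.168.20.50", "tcp", "private", 80),            # server to WiFi host
    Packet("192.168.10.10", "192.168.10.20", "tcp", "public", 445),            # spoofed private source
]

if __name__ == "__main__":
    for summary, decision, rule in audit(SAMPLE):
        print(f"{decision:5} {rule:22} {summary}")
```

The point to take from the sample run is that the very same file-share packet from the WiFi laptop is denied in clear and allowed once it arrives through the tunnel: the FW's job is not to know which applications are "safe", but to refuse anything from the public side that was not authenticated by IPSec. A personal firewall on each WiFi host still matters, because this FW says nothing about WiFi hosts attacking each other on the public segment.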

5.   How to configure router and webcam

If you want to place a webcam behind a broadband router, and want to access it from the Internet, you'll face two problems :
(i) You must know its public IP address : first, your Internet Service Provider (ISP) usually gives you a dynamic IP address (changing over time), and second, your webcam will have a private IP address (not advertised on the Internet).
(ii) Your broadband router usually also includes a Firewall (FW), whose first role is to protect your private LAN from the Internet. In other words, its main purpose is precisely to block incoming sessions (from the Internet to your LAN, where your webcam is).

In this section, when I talk about the webcam, I actually mean the web server sending the webcam stream in a format readable by any browser like Firefox, Safari, Internet Explorer, ... Some webcams do embed this web server feature.

To circumvent this, you'll have to :

5.1   Solve IP addressing

As introduced, the IP addressing issue is twofold :

5.1.1   Easily get the IP address assigned by your ISP

To solve this, your broadband router needs a DDNS (Dynamic Domain Name Server) feature. The principle is quite simple : after subscribing to a (free) DDNS service supported by your router, you just have to configure it so that each time it gets an IP address from your ISP, it sends it to the DDNS server, which will then associate it with the DNS name you've registered. Some webcams also include a DDNS feature, but as it is your broadband router that holds your public IP address, you must use the router feature, not the webcam one (which would try to advertise a private address, anyway not routable over the Internet).

5.1.2   Map it to the actual private IP address of your webcam

Therefore, you first need to assign a static IP address to your webcam : either pure static or static DHCP (the DHCP server will always provide the same IP address to your device).

5.2   Allow inbound traffic only to the webcam

For this, you need to open some holes in your FW, by either :
- defining a DMZ (De-Militarized Zone) on which you'll put your webcam, or
- defining a virtual server, which will forward some specific traffic / queries to your webcam IP address.

You'll find more configuration details in section 3.1 of the Wireless broadband router configuration guide (D-Link DI-614+ oriented, but the principles should apply to any broadband router).

5.3   Webcam configuration

The webcam itself can then be configured in the most standard way : just follow the instructions, and opt for dynamic IP addressing if your router can do static DHCP.
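The two ways of opening the FW in 5.2 are not equivalent from a security point of view: a DMZ host receives every unsolicited inbound packet, whereas a virtual server forwards a single public port to a single private address and port. The following added example (written for this page, not the author's code and not a real router) works that difference through for the whole procedure of section 5: it lists what an Internet host can reach for a given inbound configuration and checks the plan against the three steps (DDNS on the router, a static DHCP reservation for the webcam, and a forward that actually lands on the webcam). The LAN 192.168.1.0/24, the webcam address 192.168.1.50, its web server port 80 and the public port 8080 are constructed assumptions.

```python
import ipaddress

# Added example for the webcam-behind-router procedure; not the page's code.
# Constructed assumptions: LAN, webcam reservation, and ports.
LAN = ipaddress.ip_network("192.168.1.0/24")
WEBCAM = "192.168.1.50"     # address reserved for the webcam by static DHCP
WEBCAM_PORT = 80            # the webcam's embedded web server

# A router's inbound configuration is modelled as a plain dict:
#   "dmz_host": private IP string or None
#   "virtual_servers": [(public_port, private_ip, private_port), ...]
#   "ddns_on_router": bool, "static_reservation_for_webcam": bool


def exposed_from_internet(router):
    """Return the sorted list of (private_ip, port) pairs that unsolicited
    Internet traffic can reach through this router ("any" = every port)."""
    exposed = set()
    if router.get("dmz_host"):
        exposed.add((router["dmz_host"], "any"))      # DMZ: the whole host
    for _public_port, private_ip, private_port in router.get("virtual_servers", []):
        exposed.add((private_ip, private_port))       # virtual server: one port
    return sorted(exposed, key=lambda e: (e[0], str(e[1])))


def check_webcam_plan(router, webcam_ip=WEBCAM, webcam_port=WEBCAM_PORT):
    """Check the router plan against steps 5.1 and 5.2; returns findings."""
    findings = []
    servers = router.get("virtual_servers", [])

    # 5.2: prefer the narrowest hole. A DMZ exposes every service of the host.
    if router.get("dmz_host"):
        findings.append("DMZ exposes every port of the host; a virtual server "
                        f"for port {webcam_port} alone is enough")

    # Every forward must point inside the LAN, and public ports must be unique.
    seen_public = set()
    for public_port, private_ip, _private_port in servers:
        if ipaddress.ip_address(private_ip) not in LAN:
            findings.append(f"forward target {private_ip} is not in the LAN {LAN}")
        if public_port in seen_public:
            findings.append(f"public port {public_port} is forwarded twice")
        seen_public.add(public_port)

    # There must be a path to the webcam at all.
    targets = {(ip, port) for _, ip, port in servers}
    if not router.get("dmz_host") and (webcam_ip, webcam_port) not in targets:
        findings.append(f"no inbound path to the webcam {webcam_ip}:{webcam_port}")

    # 5.1.1: only the router holds the public address, so it must run DDNS.
    if not router.get("ddns_on_router"):
        findings.append("DDNS must be enabled on the router, not (only) on the webcam")

    # 5.1.2: without a reservation, a new lease sends the forward to another host.
    if not router.get("static_reservation_for_webcam"):
        findings.append("reserve the webcam address with static DHCP (or set it static)")
    return findings


# Constructed configurations: the DMZ shortcut versus a single virtual server.
DMZ_PLAN = {"dmz_host": WEBCAM, "virtual_servers": [],
            "ddns_on_router": True, "static_reservation_for_webcam": True}
VS_PLAN = {"dmz_host": None, "virtual_servers": [(8080, WEBCAM, WEBCAM_PORT)],
           "ddns_on_router": True, "static_reservation_for_webcam": True}

if __name__ == "__main__":
    for name, plan in (("DMZ", DMZ_PLAN), ("virtual server", VS_PLAN)):
        print(name, "exposes", exposed_from_internet(plan))
        print("  findings:", check_webcam_plan(plan) or "none")
```

With the virtual server plan, the only thing reachable from the Internet is 192.168.1.50:80, and the DDNS name plus public port 8080 is all a browser needs; with the DMZ plan, every service the webcam happens to run (telnet or FTP administration on some models, for instance) is reachable too, which is the hole the check reports.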

6.  Some entry boxes

I quickly consulted some on-line shopping sites to get an idea of costs. Here are some examples of "entry level boxes" that could do it (hypothetically), for about 100 USD or Euro each (in the 75 - 125 range) :

In short, for about 200 USD or Euro, plus 50 per PC, you've got a secure, dual FW, VPN server and WAP infrastructure !   This kind of "home market" solution has of course nothing to do with the "professional" ones put in place by big companies, which spend millions on their security. But one should keep it reasonable ...

Of course, this is still conditional as I didn't personally test all this together. You should have a "minimum" of networking knowledge to configure it (especially for the VPN server, as it is initially foreseen to share/control an Internet access). The secured configuration, by a professional, could cost you more than the hardware itself.

And the very first thing to do is to clearly define the needs and requirements, and then to measure the risks !
 
 



 

... Think it twice ...


Pierre HARDY.
e-mail : pierrehardy01@yahoo.be

Copyright © Pierre Hardy, 2004. All rights reserved.

(4 - 25/05/2021)

