Wi-Fi Best Practices

Enhance your security, reliability, and availability

Like most technologies that an IT pro deals with, wireless technology changes from day to day. Not too long ago, having a wireless LAN (WLAN) was considered a mere luxury or something "nice to have." Nowadays, however, access to a WLAN is critical because the proliferation of mobile devices that have entered our industry invariably tout Wi-Fi as a key selling point. This is even more important as cellular carriers begin to cap their wireless data rate plans; unlimited cellular data plans are all but gone, whereas Wi-Fi is almost always unlimited (and faster).

It's important to take stock of your current WLAN infrastructure if you have one, and to be aware of the latest standards if you're designing a new one—even if it consists of only a single Access Point (AP). In this article, I take a look at the current wireless standards and discuss some common-sense best practices related to radio spectrum bands, channel selection, and security that you can begin implementing today to enhance the security, reliability, and availability of your Wi-Fi setup.

The Band Played On

Almost all discussions of Wi-Fi include at least a mention of spectrum bands—and our discussion is no different. In the United States, there are two spectrum bands commonly associated with Wi-Fi: the 2.4GHz band and the 5GHz band. Both are part of a broader set of radio bands known internationally as the industrial, scientific, and medical (ISM) bands. In general, access to all of these radio bands is unrestricted, subject to local regulations. This is great for saving on FCC licensing costs, but it comes at the expense of having to share these radio bands with a potential smorgasbord of other devices.

Related: Wi-Fi: Tools to Detect Interference

The IEEE standard that governs WLANs is called specification 802.11. IEEE standards specify the protocols that define the frequency, bandwidth, maximum data rates, and modulation of wireless signals. We're concerned with the primary four: 802.11a, 802.11b, 802.11g, and 802.11n—leaving legacy 802.11 (i.e., 802.11-1997) by the wayside.

802.11b is perhaps the most well-known protocol, and for good reason. It was the first protocol to gain widespread acceptance in the industry; the majority of the subsequent protocols are backwardcompatible with it. Originating in 1999, 802.11b operates at 2.4GHz, with a maximum throughput of 11Mbps.

802.11a also originated in 1999, as a speedier alternative to 802.11b. This was achieved by having 802.11a operate in the 5GHz band with Orthogonal Frequency Division Multiplexing (OFDM) modulation. Compared with the Direct Sequence Spread Spectrum (DSSS) modulation used by 802.11b, this allows 802.11a devices to achieve a maximum throughput of 54Mbps. The primary drawback to 802.11a is the lack of compatibility with 802.11b.

802.11g came on the scene in 2003, combining the best of 802.11b and 802.11a. 802.11g operates in the 2.4GHz band and is backward-compatible with 802.11b devices by supporting both DSSS and OFDM modulation. This allows 802.11g devices to achieve a maximum throughput of 54Mbps, with one caveat: Adding a single 802.11b device to an 802.11g network drops the maximum throughput of the network back to the 11Mbps 802.11b level.

802.11n is the newest and currently favored protocol. Arriving in 2009, 802.11n greatly enhances wireless networking by supporting a maximum throughput of 600Mbps. However, achieving this radical speed isn't a given. 802.11n works in both the 2.4GHz and 5GHz bands, using OFDM modulation. In the 2.4GHz band, 802.11n supports up to four multi-input multi-output (MIMO) streams (radio channels) across 20MHz of bandwidth for a maximum throughput of 260Mbps. In the 5GHz band, 802.11n likewise supports four MIMO streams but combined with a higher maximum bandwidth of 40MHz allows for a maximum 600Mbps throughput. 802.11n includes backward-compatibility for not only 802.11g and 802.11b but also for 802.11a.

Before we move on to radio channels, a quick discussion of the 2.4GHz radio band versus the 5GHz band is in order. The 2.4GHz band is more crowded because it has to share spectrum with plenty of other unlicensed devices. Microwave ovens, baby monitors, and cordless phones compete in this band for available spectrum. Similarly, the number of usable radio channels in the 2.4GHz band is more limited. The 5GHz band is less crowded and has more usable channels, at the expense of a slightly shorter maximum range.

Channel Surfing

Within the 2.4GHz and 5GHz radio bands, there are numerous channels that a Wi-Fi device can use. Although a complete discussion of radio signal modulation, channel subcarriers, channel separation, and other geeky topics is beyond the scope of this article, there are some basic ideas about Wi-Fi radio channels you should be familiar with.

Related: Wireless Network Channel Deployment

In the United States, at 2.4GHz, there are 11 channels to choose from. However, the exact frequencies of these channels overlap slightly as you increment from 1 through 11. This reduces the number of non-overlapping channels greatly, specific to the 802.11 protocol and channel width in use. Avoiding the overlapping channels allows for greater range and throughput of your wireless networks.

  • For 802.11b, channels 1, 6, and 11 won't overlap.
  • For 802.11g and 802.11n with a 20MHz channel width, channels 1, 5, and 9 won't overlap.
  • For 802.11n with a 40MHz channel width, channels 3 and 11 won't overlap.

At 5GHz (again in the United States), things are much easier. For 802.11a and 802.11n with either a 20MHz or 40MHz channel width, channels 36, 40, 44, 48, 149, 153, 157, 161, and 165 are available and won't overlap with each other. Channels 52, 56, 60, 64, 100, 104, 108, 112, 116, 136, and 140 are also available without overlap as long as the Wi-Fi equipment supports Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) capabilities.

This is because of an FCC rule designed to protect other equipment, primarily military and weather-related, that uses those channels. If your Wi-Fi AP doesn't support DFS and TPC, those channels shouldn't even be available to you for selection.

Security, Not Obscurity

We've discussed bands and channels—now, what about security? Every AP on the market supports at least some type of Wi-Fi encryption, but if you fire up your Mac or PC and scan the radio waves for nearby WLANs, you'll likely see many networks with weak encryption, or even none at all.

Wired Equivalent Privacy (WEP) is the oldest encryption algorithm available for use and one you should completely avoid. In addition to 64-bit encryption, WEP supports 128-bit encryption—but don't let the higher number fool you. Both have  numerous security flaws, and it's trivial to defeat the encryption on a WLAN using WEP. There are even downloadable utilities that can be installed that will do the decrypting for you in a matter of minutes.

WEP has been completely deprecated and shouldn't be used.

Wi-Fi Protected Access (WPA) was designed to replace WEP and its associated weaknesses. WPA was found to have some security weaknesses, but it's nowhere near as weak as the flaws found in WEP. Further development led to the more secure Wi-Fi Protected Access 2 (WPA2), the current gold standard in Wi-Fi security.

WPA and WPA2 are available in two modes: Personal (or pre-shared key—PSK) mode and Enterprise (or 802.1x) mode.

Personal mode (i.e., WPA-PSK) is designed for small office/home office (SOHO) users, allowing easy setup with a predefined key entered on an AP and subsequent Wi-Fi clients. Enterprise mode (i.e., WPAEnterprise) uses a Remote Authentication Dial-In User Service (RADIUS) server and the Extensible Authentication Protocol (EAP) to authenticate users or Wi-Fi devices before allowing access to a dynamically changing encryption key used by the AP.

(For information about Enterprise mode, see "A Secure Wireless Network Is Possible.") WPA and WPA2 also support two encryption protocols: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). TKIP is used by WPA. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is used by WPA2; because CCMP is based on AES, CCMP is typically referred to simply as AES. In Personal mode, you'll typically see these encryption options referred to in documentation and AP management software as WPA-PSK (TKIP) or WPA2-PSK (AES).

Putting It All Together

I've given you a lot of information—but how do you put it to good practical use? Clearly, 802.11n is the preferred choice for new WLAN installations and upgrades. But how can you achieve the maximum 600Mbps throughput? What about selecting between 2.4GHz and 5GHz and dealing with devices that don't support WPA2-PSK (AES)? To answer these questions, I came up with the following nine rules for common-sense Wi-Fi.

1.     Set your ultimate goals high for both your APs and all your devices: 802.11n, 5GHz, 40MHz bandwidth, four MIMO streams, WPA2-PSK (AES) on channel 36, 40, 44, 48, 149, 153, 157, 161, or 165. This will maximize your security stance, offer the highest maximum throughput, and set you up to encounter the least interference from other devices.

2.     Keep your shopping list short and always check the documentation before you purchase. Many APs that support 802.11n won't support four MIMO streams. Others will support 802.11n, but only at 2.4GHz. The same goes for Wi-Fi devices. I once purchased an 802.11n camera and was eager to connect it to my 802.11n 5GHz network, but I couldn't because the camera was 2.4GHz only. This information was buried in the documentation, which I hadn't bothered to read in detail before tearing into the product.

3.     Keep your passwords long. The longer your password, the longer it will take an attacker to crack it in a brute-force attack.

4.     Keep your APs high. The higher your APs are physically, the further the signal they generate will travel.

5.     Go downlevel only if you have to and only as far as you have to. You have a great 802.11n 5GHz network and everything is working fine—but then a new gadget that you need to get working only supports 802.11g at 2.4GHz, and your AP only works at 2.4GHz or 5GHz. You know you have to drop to 2.4GHz, but you should also consider setting your AP to block access to 802.11b devices because you won't be using them.

6.     Scan your environment with a Wi-Fi scanner to see what other networks in your vicinity are using. If all the networks around you are on channels 36, 40, 149, and 161, you know exactly which channels not to use for your own network. Commercial and free software, such as inSSIDer for Windows and iStumbler for Mac OS X, is available.

7.     Consider skipping SSID hiding. A common suggestion is to set your network name (SSID) to be hidden, so that a potential attacker can't see it. This also then requires that anyone who wants to connect to the network will need to know both the password and the exact SSID. Although it's true that attackers won't be able to see the name of your network, they will be able to see that a network is there—and a sophisticated attacker will be able to determine the SSID anyway.

8.     Consider using MAC filtering. If you have a small number of Wi-Fi clients and don't typically add and remove devices, consider setting up a MAC filter list on your AP(s). Although this approach requires you to obtain the MAC address from each device and manually enter it in your AP's management software, it adds one more layer of complexity that an attacker has to go through before being able to connect to your WLAN because he must then spoof a valid MAC address. However, consider the added management overhead before you do this, especially if your WLAN contains a large number of changing devices.

9.     Always think before connecting to a WLAN that's not your own. When you connect to a WLAN at a coffee shop, hotel, or a friend's house, always take a few seconds to think about what you intend to do on that network and balance that against the security in place. Remember that WEP encryption is basically no encryption, and much of what we do on the Internet is over unencrypted HTTP. However, if you only need to connect to a WEP-secured WLAN to go online with your 2048-bit encrypted VPN, you might feel perfectly comfortable doing so because the payload you will be passing wirelessly has a good level of encryption.

As always, none of this is a substitute for keeping your systems up-to-date and installing suitable anti-malware software and hardware or software firewalls.

Put Your New Knowledge to Use

Now that we've discussed the wireless landscape of today and gone over some basic rules for a high-performing and secure WLAN, take some time to see what you can do to get your own WLANs and APs up to the best level possible. Your iPads will thank you for the easy online access.


Learning Path

Windows IT Pro Resources
"Wi-Fi Alliance: Please Set Wireless Networks to WPA2"
"Enabling 802.11i Wireless Security with Windows Servers"
"Easy 802.11g Security"
"Secure Your Wireless Network"
"A Secure Wireless Network Is Possible"
"Planning for Wi-Fi"

Microsoft Resources
"802.1x Authenticated Wireless Deployment Guide"
"Wireless Networking Security"
"Secure Wireless Access Point Configuration"
"5-Minute Security Advisor - Strengthening Wireless Authentication"
"Wi-Fi: 8 tips for working securely from wireless hot spots"


TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.