    Wi-Fi design and security based on examples

    Wireless Network Security – How to Design Enterprise Wi-Fi?

    Date: 25.07.2022



    In today’s post, we’ll cover the planning, design, and building of professional, Enterprise-grade wireless networks. 
    We’ll touch on the selection of equipment and components used in these networks. We’ll also review how Wi-Fi access is protected together with a component called Cisco ISE, which acts as the hub for managing corporate network access permissions. 

     
    Let’s start with a brief introduction. 

    What are the differences between home and corporate networks? 

    The basic difference lies in the requirements set for the network. We expect different things from a home network than from a corporate or business network. 

    We treat home wireless networks as non-critical, which doesn’t mean they are unimportant to us: plenty of the services we use at home depend on the Internet working without hiccups. 

    From an Enterprise-grade company network, however, we expect what we expect from every other system of that class: reliability, stability, and continuous operation. To achieve this, we have to plan and design the Wi-Fi network accordingly and then select the appropriate equipment. 

    A home wireless network serves perhaps 8–10 devices for a family of four. Corporate networks, on the other hand, sometimes have several thousand endpoints concentrated on a single floor or in open spaces. 

    Remember: the main difference between a home and a business network is the requirements we place on it. 

    How to start planning an Enterprise network? 

    Planning depends on the network’s nature and the type of environment in which it will work. This could be a high-density wireless network, e.g. in office buildings with many endpoints per floor, or it could be a network for a shop floor or a high storage warehouse. Each case requires a different design approach. This is the starting point from which we plan the appropriate equipment, the number of Access Points, and their settings.  

    Wireless networks – an example of planning 

    An example I’d like to show is a hotel building with a high endpoint density. There are two Access Points per wing, around ten rooms per wing with two people in each. Every person has two or three devices, which gives something in the ballpark of a hundred client devices for two APs. Unfortunately, this cannot work well. 

    The building plan with a high endpoint density network 

    Interestingly, Access Points placed in the corridor are a very common scenario in construction-stage designs, and it often forces a redesign of the wireless network at a later stage. In this case, we suggest placing Access Points inside the rooms. Of course, the channel and power parameters then need to be set appropriately, but that happens at the detailed design stage. 

    Planning with tools 

    While working, we frequently use professional tools for network design, taking measurements, or auditing. However, we need to remember that the correct functioning of these tools depends mostly on how they are parametrized. 

    At the planning stage, for instance, we have to enter the partitions (walls, floors and other obstacles) into the tool.  

    The characteristics of these partitions are important. Are they concrete or brick walls? Are there any additional damping materials? If the building already exists, measuring the attenuation of a given partition is a good idea. Only on that basis can the wireless network, i.e. the distribution of Access Points, transmit power, channels, etc., be planned. 

    Remember: no tools or good practices are a substitute for expertise and experience with design. 
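    As an added example (not part of the original post and not the output of any planning tool), the link budget below shows how partition attenuation decides where the cell edge falls, using the hotel scenario above. The transmit power, antenna gains, per-partition losses and the -67 dBm design target are assumed illustrative values; as the text says, real partitions should be measured on site.

```python
"""Cell-edge link budget through building partitions (added example).

Not from the original post. All numbers below are ASSUMED for illustration:
measure the real attenuation of each partition on site.
"""
import math

# Assumed per-partition attenuation in dB (illustrative, not measured).
PARTITION_LOSS_DB = {"glass": 2.0, "drywall": 3.0, "brick": 8.0, "concrete": 12.0}

DESIGN_TARGET_DBM = -67.0   # assumed cell-edge RSSI target


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """FSPL = 20*log10(d[m]) + 20*log10(f[MHz]) - 27.55."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def partition_loss_db(partitions) -> float:
    """Sum of the attenuation of every partition the signal crosses."""
    return sum(PARTITION_LOSS_DB[p] for p in partitions)


def received_power_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi,
                       distance_m, freq_mhz, partitions=()) -> float:
    """RSSI at the client: EIRP plus receive gain minus path and partition loss."""
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_mhz)
            - partition_loss_db(partitions))


def meets_design_target(rssi_dbm, target_dbm=DESIGN_TARGET_DBM) -> bool:
    return rssi_dbm >= target_dbm


def max_range_m(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, freq_mhz,
                partitions=(), target_dbm=DESIGN_TARGET_DBM) -> float:
    """Distance at which RSSI falls to the target, solving the budget for d."""
    budget = (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
              - target_dbm - partition_loss_db(partitions))
    if budget <= 0:
        return 0.0
    return 10 ** ((budget - 20 * math.log10(freq_mhz) + 27.55) / 20)


def hotel_comparison():
    """Corridor AP vs in-room AP for the hotel scenario in the text.

    Assumed: 5 GHz (5180 MHz), AP at 14 dBm with a 4 dBi integrated antenna,
    client 0 dBi; 12 m from a corridor AP through one or two concrete walls,
    4 m from an in-room AP with no wall in between."""
    corridor = received_power_dbm(14, 4, 0, 12, 5180, ["concrete"])
    two_walls = received_power_dbm(14, 4, 0, 12, 5180, ["concrete", "concrete"])
    in_room = received_power_dbm(14, 4, 0, 4, 5180)
    return {
        "corridor_ap_one_wall": (round(corridor, 1), meets_design_target(corridor)),
        "corridor_ap_two_walls": (round(two_walls, 1), meets_design_target(two_walls)),
        "in_room_ap": (round(in_room, 1), meets_design_target(in_room)),
    }


if __name__ == "__main__":
    for case, (rssi, ok) in hotel_comparison().items():
        print(f"{case:24s} {rssi:7.1f} dBm  {'OK' if ok else 'below target'}")
    print("max range through one brick wall:",
          round(max_range_m(14, 4, 0, 5180, ["brick"]), 1), "m")
```

    The point to take from the numbers is not the exact dBm values (they depend entirely on the assumed losses) but the shape: one concrete wall still leaves margin, a second one pushes the same 12 m path well below target, which is why the text moves the APs into the rooms.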

    Wireless network design and configuration equipment 

    For planning and designing the components of a company network infrastructure, we should use equipment that’s fit for that particular type of network. This means that Enterprise-grade wireless networks are built with Enterprise-grade equipment, and campus networks with campus network equipment. It seems obvious, but practice may surprise you: the temptation to cut costs arises frequently, and most often it backfires later. 

    Enterprise-grade solutions and directional antennas 

    Enterprise-grade Access Points offer differentiated transmit power suited to the work environment (e.g. inside or outside a room) and the option to connect external antennas, which home solutions lack. Most consumer products only allow a few specific antennas to be attached, and even then the radio underperforms, for example.  

    What’s more, connecting a large, high-gain antenna to a home router or Access Point will not improve performance. Enterprise-grade solutions, by contrast, provide dedicated directional antennas, i.e. antennas with specific radiation characteristics. 

    For open spaces, where the signal is transmitted over a long distance, but we don’t want it to scatter, directional antennas are key. This happens, for example, in high storage warehouses. 

    Looking at the properties of omnidirectional antennas, we notice that they have good coverage in the horizontal plane, or, colloquially, they spread the signal around very well. Their vertical (top-down) coverage, however, is disappointing. That’s why a horizontally mounted Access Point, which is how one with integrated antennas should be installed, emits the signal around and downwards but performs poorly upwards. 

    Warehouses and mezzanines often use multi-level solutions. There, omnidirectional antennas with top-down propagation are selected. In high storage warehouses the signal travels up to about eight meters in the vertical plane; beyond that, reflections become a problem. In such cases, APs with connectors for external directional antennas help. Most frequently, Access Points with directional antennas are mounted in a different layout, e.g. on walls. 

    An example of Access Point layout 

    The diagram shows a warehouse with high storage shelves laid out in rows. It’s a tremendously difficult environment for radio because the racks are up to 8 meters tall. The type of stored material also affects signal levels: radio waves behave differently around paper than around metal elements, which attenuate and reflect the signal. 

    Remember: directional antennas work better in high storage warehouses than omnidirectional ones. 

    Wireless networks with a Wi-Fi controller 

    The diagram shows a wireless network controller, commonly referred to as a WLC (Wireless LAN Controller). It’s a server, physical or virtual, that manages the devices connected to it, i.e. the Access Points. 

    Wireless network components 

    The controller is the central management point: it controls the parameters of the Access Points, their configuration, the set of SSIDs and the wireless security mechanisms. Controllers can also collect data from the APs, adjust parameters in real time and adapt to the environment. 

    Wireless networks are known to change significantly over time. More intense traffic during specific hours, for example, leads to heavier load on the radio channels.  

    For the network to keep working under such conditions, it needs to change dynamically. That’s where the controller comes in, analysing data from the APs on an ongoing basis and adjusting the parameters. Naturally, it’s also the place where other services, security included, are integrated. 

    Wireless network controller types 

    When designing Enterprise-type solutions, we can choose from a wide range of controllers: physical appliances, virtual controllers and cloud controllers, small ones and ones handling thousands of APs. Virtual controllers can be deployed in public clouds such as Google Cloud or AWS. Global organisations frequently use one controller per region, e.g. separate ones for Europe and America. 

    It’s also worth noting that Cisco, for example, offers small integrated controllers that run on the APs themselves for smaller environments. In business networks, you will no longer find any truly controller-less solution. 

    Does the controller solve all network-related problems and can it work without supervision? 

    The controller can work on its own, provided the network is properly designed. Access Points automatically join the controller, which assigns them a policy and configuration template by default, and the controller then balances client load, channel allocation and transmit power by itself (in Cisco terminology this is Radio Resource Management, RRM). 

    Cisco 9800 virtual controller dashboard 

    However, very often, if not in most cases, administrative supervision by an engineer is required. 

    Let’s discuss an example. Assume the Access Points are well chosen and have directional antennas. So that the signal propagates well, the APs have been placed in the aisles, perhaps even one per aisle, so they are relatively close to each other. The controller measures signal strength on the basis of information received from the Access Points and concludes: “These Access Points hear each other very loudly; I should cut their power to the minimum so that they don’t interfere with each other.” 

    If we add another Access Point, and another, they drown each other out even more, so the controller cuts their power further. 

    In theory, it all looks fine. In practice, there is a problem, for example in a high storage warehouse: the controller-limited signal will not reach the end of a particular aisle. Moreover, since mobile devices do not transmit at full permitted power in order to save battery, it quickly becomes apparent that there is no usable reception at that spot. Even though a survey or audit would show coverage there at full power, the controller automatically limits it, and the network does not work optimally. 

    The administrator’s role then is to manually set the transmit power, while at the same time checking the channels in use at the relevant locations. 

    Remember: the network controller works properly only when its network is designed well. 
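    As an added example (not part of the original post, and not Cisco’s RRM or TPC algorithm), the simulation below reproduces the aisle problem described above with a deliberately simplified TPC-like rule: step the AP’s power down until the loudest neighbouring AP is heard at or below a threshold. The aisle length, AP spacing, power levels, gains, rack attenuation, -70 dBm neighbour threshold and -67 dBm coverage target are all assumed for illustration.

```python
"""Why automatic transmit power control can starve a warehouse aisle.

Added example, not from the original post and not Cisco's RRM/TPC
algorithm: it uses a simplified TPC-like rule (step power down until the
loudest neighbour AP is heard at or below a threshold). Distances, power
levels, gains and rack attenuation are ASSUMED for illustration.
"""
import math

FREQ_MHZ = 5180.0                           # assumed 5 GHz channel
AP_GAIN_DBI = 4.0                           # assumed integrated antenna gain
CLIENT_GAIN_DBI = 0.0
POWER_LEVELS_DBM = [17, 14, 11, 8, 5, 2]    # assumed AP power steps, high to low
TPC_THRESHOLD_DBM = -70.0                   # neighbour level the rule tries to reach
COVERAGE_TARGET_DBM = -67.0                 # assumed cell-edge RSSI target


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss: 20*log10(d[m]) + 20*log10(f[MHz]) - 27.55."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def neighbour_rssi_dbm(tx_power_dbm, distance_m, rack_loss_db) -> float:
    """What one AP hears from the AP in the next aisle: both antenna gains,
    minus path loss and the racking between the aisles."""
    return tx_power_dbm + 2 * AP_GAIN_DBI - fspl_db(distance_m) - rack_loss_db


def tpc_select_power(neighbour_distance_m, rack_loss_db) -> int:
    """Simplified TPC: step power down until the neighbour is at or below the
    threshold; if no level achieves that, settle at the minimum level."""
    for level in POWER_LEVELS_DBM:
        if neighbour_rssi_dbm(level, neighbour_distance_m, rack_loss_db) <= TPC_THRESHOLD_DBM:
            return level
    return POWER_LEVELS_DBM[-1]


def client_rssi_dbm(tx_power_dbm, distance_m) -> float:
    """Downlink RSSI at a client looking straight down the aisle (line of sight)."""
    return tx_power_dbm + AP_GAIN_DBI + CLIENT_GAIN_DBI - fspl_db(distance_m)


def aisle_end_coverage(aisle_len_m, neighbour_distance_m, rack_loss_db,
                       static_power_dbm=None) -> dict:
    """Coverage at the far end of the aisle with automatic or pinned power."""
    if static_power_dbm is None:
        power, mode = tpc_select_power(neighbour_distance_m, rack_loss_db), "auto"
    else:
        power, mode = static_power_dbm, "static"
    rssi = client_rssi_dbm(power, aisle_len_m)
    return {"mode": mode, "power_dbm": power, "rssi_dbm": round(rssi, 1),
            "covered": rssi >= COVERAGE_TARGET_DBM}


if __name__ == "__main__":
    # Assumed layout: 40 m aisles, one AP per aisle, aisles 4 m apart,
    # roughly 10 dB of racking between neighbouring APs.
    print(aisle_end_coverage(40, 4, 10))                        # auto: power floor, hole at aisle end
    print(aisle_end_coverage(40, 4, 10, static_power_dbm=17))   # pinned by the administrator
```

    With these assumptions the neighbour is still heard far above the threshold even at the lowest power step, so the rule drives every AP to its floor and the far end of the aisle drops below target; pinning the power restores coverage, which is exactly the manual adjustment the text describes. Real controllers use more elaborate logic (per-neighbour lists, channel reuse, client feedback), but the failure mode is the same when APs hear each other much better than clients at the cell edge hear them.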

    Wi-Fi security mechanisms

    A wired network requires physical access to a port; a wireless network lets anyone within range try to connect. And if we can, intruders can too. That’s why the network must be secured properly and in a controlled manner. 

    Selected methods of securing wireless networks 

    In home networks we can use a PSK (pre-shared key), because only a limited number of people know it. Naturally, we assume the key is not available to outsiders, but the more endpoints there are, the higher the risk of a leak. With WPA2-PSK every client also shares the same key, so anyone holding it who captures another client’s 4-way handshake can derive that client’s session keys and decrypt its traffic. That’s why, if we use PSKs, we should change them often, which is very troublesome from a network management perspective. 

    This is where Enterprise-grade solutions come to the rescue once more, in the form of the 802.1X standard, often loosely referred to as “RADIUS”. Strictly speaking, 802.1X is port-based access control: the client authenticates with EAP over the air, and the controller forwards that exchange to an authentication server over the RADIUS protocol. With it we can manage access to the network very securely. For wireless security we can combine this authentication with domain credentials (e.g. PEAP with MSCHAPv2) or with client certificates (EAP-TLS). In either case the client must validate the authentication server’s certificate; otherwise a rogue AP with its own RADIUS server can trick the client into authenticating against it. 

    A simple example of using domain credentials: we can immediately cut off network access for a user who quit the company by disabling the account in Active Directory. Nobody has to remember to do it separately on the Wi-Fi. Today’s systems are integrated to the point that, as soon as HR terminates or suspends the employee, the change is synced to Active Directory, which is what the other systems authenticate against. 

    However, in order for everything to work, we need a well-suited solution. 

    Wi-Fi security management with Cisco ISE 

    Cisco has in its portfolio a central point for managing access. It’s commonly called a RADIUS server, but Cisco’s version is more than that. Cisco ISE (Cisco Identity Services Engine) integrates with various systems and central directories such as Active Directory. It also offers guest network access and integrates with MDM (Mobile Device Management) systems for mobile access. An increasing number of mobile devices connect to networks, corporate ones included; they are private devices, but we still want to manage them somehow. 

    Cisco ISE is a powerful product and its capabilities are an enormous subject. 

    Its crucial element is central authentication. We know who connected, when and to what, or conversely, who could not connect. When someone hasn’t changed their password, there is one place where we can quickly identify the condition; we don’t need to go through the controller’s logs. One point of control is all it takes. 

    ISE settings 

    In case of multiple controllers, we can enforce appropriate policies. 

    Access management can be very granular here. We can assign VLANs, go further with Security Group Tags (Cisco TrustSec) in today’s networks, and even drive the firewall policy for Internet access. 

    Integrating a wireless controller with Cisco ISE is relatively simple, since it relies on the RADIUS protocol. Naturally, a Cisco controller can be integrated with another RADIUS server, including open-source ones such as FreeRADIUS, but then we no longer get as many management options or this degree of authentication granularity. 
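    As an added example (not part of the original post, and not Cisco ISE or WLC code), the snippet below builds and verifies the RADIUS Access-Request a controller sends to the authentication server for a Wi-Fi client’s EAP Response/Identity. It shows why the shared secret matters: the Message-Authenticator attribute is an HMAC-MD5 keyed by that secret, so a server with the right secret detects tampering and a mismatched or missing secret is rejected. The shared secret, user identity, MAC addresses and NAS address are constructed sample values.

```python
"""Minimal RADIUS Access-Request (RFC 2865/2869) builder and verifier.

Added example, not from the original post and not Cisco ISE or WLC code.
It shows what the controller (the RADIUS client, or NAS) sends to the
authentication server and why the shared secret matters. Secret, identity,
MAC addresses and NAS address are CONSTRUCTED sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30     # AP MAC + SSID in wireless deployments
ATTR_CALLING_STATION_ID = 31    # client MAC
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

SHARED_SECRET = b"constructed-demo-secret"  # constructed; use a long random secret in production


def encode_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (incl. 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, attrs, authenticator=None) -> bytes:
    """Assemble the packet and append Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 keyed by the shared secret over the whole packet with the
    attribute's own 16 bytes zeroed."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes):
    """Walk the attribute list; reject truncated or zero-length attributes."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check. A request carrying EAP-Message without a
    Message-Authenticator must be discarded (RFC 3579 3.2)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    pos, found = 20, None
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            found = pos
        pos += 2 + len(value)
    if found is None:
        return False
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])


def sample_request(authenticator: bytes = b"\x11" * 16) -> bytes:
    """Constructed Access-Request as a controller would send for a Wi-Fi
    client's EAP Response/Identity (EAP code 2, id 1, type 1 = Identity)."""
    identity = b"alice@corp.example"
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
        (ATTR_NAS_IDENTIFIER, b"wlc-01"),
        (ATTR_CALLED_STATION_ID, b"AA-BB-CC-DD-EE-FF:CorpWiFi"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (ATTR_EAP_MESSAGE, eap_identity),
    ]
    return build_access_request(7, SHARED_SECRET, attrs, authenticator)


if __name__ == "__main__":
    pkt = sample_request()
    print("valid with correct secret:", verify_message_authenticator(pkt, SHARED_SECRET))
    print("valid with wrong secret:  ", verify_message_authenticator(pkt, b"wrong"))
    forged = bytearray(pkt)
    forged[22] ^= 0x01   # flip one bit of User-Name in transit
    print("valid after tampering:    ", verify_message_authenticator(bytes(forged), SHARED_SECRET))
```

    Two practical consequences follow from this exchange. First, the controller-to-server leg is protected only by the shared secret and HMAC-MD5, so the secret should be long and random and the RADIUS path kept on a management network (or carried over RadSec, i.e. RADIUS over TLS, where the server supports it). Second, the client’s identity and MAC (Calling-Station-Id) and the SSID (Called-Station-Id) arrive at the server in the clear, which is exactly what lets a central point such as ISE log who connected to what and apply per-SSID or per-device policy.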

    Book a free online consultation with an Advanced Services engineer to learn, whether we can offer you support with network design and Wi-Fi security in your company. 

    Author

    Krzysztof Osmałek

    Grandmetric Advanced Services Leader. Expert in the design, build, and configuration of enterprise-scale wireless networks, critical for business continuity and operations.
