What is a Hotspot?
A public Hotspot is essentially a public area within the usable range of a wireless network that is
intended for anyone, either for a fee or free of charge, to access the Internet for any
purpose, including connecting to their home or corporate Intranet. Anyone with a compatible wireless
network device, such as a PDA, cell phone, notebook computer, or handheld game, can connect
to the Internet or a private intranet, send and receive email, and download files.
The sheer number of people emailing, chatting, shopping, uploading and downloading files, surfing
the web, and playing games across the Internet is phenomenal and increasing. Offering wireless
network connections brings customers into a place of business and/or leads them to choose one place
of business over another.
For example, business travelers can work from their hotel rooms, special events staff can update
schedules, locations, results, and specialized content to their customers without installing kiosks
and having lines queued up waiting for a terminal to become available. Employees can work from a
local coffee shop while enjoying a café latte or cup of tea. These benefits offer a revenue
opportunity for both the service provider and the owner of the site.
Mobile Station(s)
Access Points(s)
Switches
Routers
Network Access Controller
Web Server
AAA Server
WAN backhaul (DSL, T-1)
Internet Service Provider (ISP)
Wireless ISP (WISP)
Performance Expectations
Hotspots are advertised to have high-speed connectivity, so
design with high-speed at the minimum:
Design a minimum of 100Kb/s transfer rate per user
Security expectations
Users are aware of security vulnerabilities & malicious acts on the network
The wireless service provider should secure the link
It is the user's responsibility to provide security at the application level
Personal firewalls
Users usually will not have a personal firewall loaded
Physical size
Determine how many wireless access points must be deployed
Number of users
This number, along with their usage patterns, will determine the bandwidth
required to provide a minimum of 100kbps per active user
Usage models
The types of applications the users will run while connected to the Hotspot
Providing the mobile station with information about the wireless network
User authorization
Layer 3 (IP) Address Management
An MS can proactively get information from an access point in one of two ways
Send Probe Request to discover
Send a Request for Association
Encryption key keeps the same value long enough to be easily broken
User Authentication largely missing
WiFi Protected Access (WPA) & WPA2: A subset of the 802.11i draft that was ready for market.
802.1x/EAP-TLS/TKIP/RADIUS, AAA Server for user authentication
Only subsets missing from 802.11i are Secure IBSS, Secure fast handoff, Secure de-authentication and
disassociation, as well as enhanced encryption protocols such as AES-CCMP.
EAP: The Extensible Authentication Protocol, a method of conducting an authentication conversation.
Extensible Authentication Protocol over LAN (EAPOL): 802.1x standard encapsulation for LAN MAC service.
RADIUS: Remote Access Dial In User Service; provides standard Authentication, Authorization and Accounting.
802.1x Architecture: 802.1x port-based access control.
Provides a controlled wireless network with user identification, centralized authentication, and dynamic key
management, which rectifies the drawbacks of WEP security for networks that still use WEP as the cipher
VPN (Virtual Private Network): Used to protect enterprise remote-access workers' connections.
Creates a secure virtual "tunnel" from the end-user's computer through the Internet, all the way to
the corporation's servers and systems
Although considered the most secure, it is not very scalable to large numbers of personnel
1 No Security
2 MAC Address Authentication
3 WEP Shared-key Authentication
4 WEP Authentication/40-bit WEP Encryption
5 WEP Authentication/128-bit WEP Encryption
6 EAP-TLS/PKI Authentication/Digital Certificates
7 EAP-TLS Authentication/40-bit WEP Encryption
8 EAP-TLS Authentication/128-bit WEP Encryption
Switch/Hub
Standard Switch or Hub:
Provides multiple ports for connectivity to the Hotspots
backhaul
Sophisticated Switch with VLAN-capabilities:
Physically separate ports
Connect two or more ports together
Route packets from one port to another
Tag packets based on source or destination port
Provide Specific Quality of Service to Identified Users:
Apply special treatment to specific users
Reduce services to others
Make sure that your NAPT device supports multiple simultaneous VPN connections to the same
VPN server. This service will be important to your enterprise customers. When testing the NAPT
device or when specifying it for purchase, make sure that this requirement is met when using the
most popular tunneling protocols (GRE, PPTP, L2TP, IPSec). If possible, test multiple VPN support
using the most popular VPN products (e.g. Cisco, Microsoft, CheckPoint, Nortel, Netstructure).
Consult your ISP for advice on the best WAN Access Router choices to
match the ISP's service and equipment.
Provisioning
Authentication
Security
WAN Access
You should perform a site survey at a time when the network will most likely be in use. If
possible, several visits to the site will help make sure that no additional sources of
interference are present. Make a log of any activity including channel, MAC address, and
signal strength.
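The survey log described above (channel, MAC address, signal strength per observed network) is only useful if it is analysed. The following is an added example, not part of the original document, that reads a constructed survey log in CSV form, reports which foreign access points sit on a channel overlapping one of the provider's own access points at a usable signal level, and flags any BSSID that advertises the provider's SSID without being in the provider's inventory (the "rogue access point" case the Types of Attacks section lists). The MAC addresses, SSIDs, inventory and function names are all made up for the example.

```python
import csv
import io

# Constructed site-survey log in the form a scanning tool might export:
# bssid,ssid,channel,rssi_dbm (all addresses and names are invented).
SURVEY_LOG = """\
bssid,ssid,channel,rssi_dbm
00:11:22:33:44:01,CoffeeNet,1,-48
00:11:22:33:44:02,CoffeeNet,6,-52
00:11:22:33:44:03,CoffeeNet,11,-50
aa:bb:cc:dd:ee:01,NeighborShop,3,-61
aa:bb:cc:dd:ee:02,NeighborShop,11,-88
de:ad:be:ef:00:01,CoffeeNet,6,-58
"""

# Constructed inventory of the access points the provider actually installed.
MANAGED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
OUR_SSIDS = {"CoffeeNet"}


def parse_survey(text):
    """Parse the CSV log into typed records; MAC addresses are normalised to lower case."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "rssi": int(row["rssi_dbm"]),
        })
    return rows


def channels_overlap(a, b):
    """2.4 GHz channels are spaced 5 MHz apart and each signal is about 22 MHz wide,
    so two channels interfere unless they are at least 5 apart (1, 6 and 11 do not overlap)."""
    return abs(a - b) < 5


def find_interferers(records, managed, min_rssi=-75):
    """For each managed AP, list foreign BSSIDs heard at or above min_rssi on an overlapping channel."""
    report = {bssid: set() for bssid in managed}
    foreign = [r for r in records if r["bssid"] not in managed and r["rssi"] >= min_rssi]
    for ap in records:
        if ap["bssid"] not in managed:
            continue
        for other in foreign:
            if channels_overlap(ap["channel"], other["channel"]):
                report[ap["bssid"]].add(other["bssid"])
    return {bssid: sorted(hits) for bssid, hits in report.items()}


def find_ssid_impostors(records, managed, our_ssids):
    """BSSIDs advertising one of our SSIDs that are not in the inventory: candidates for a
    rogue or look-alike access point that should be located and investigated."""
    return sorted({r["bssid"] for r in records
                   if r["ssid"] in our_ssids and r["bssid"] not in managed})


if __name__ == "__main__":
    records = parse_survey(SURVEY_LOG)
    for ap, hits in find_interferers(records, MANAGED_APS).items():
        print(f"{ap}: {len(hits)} overlapping foreign AP(s) {hits}")
    print("unknown BSSIDs using our SSID:", find_ssid_impostors(records, MANAGED_APS, OUR_SSIDS))
```

Repeating the run at different times of day, as the text recommends, and diffing the two reports shows which interferers are permanent neighbours and which are transient.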
Types of RF Interference
Direct interference
Other 802.11 devices; Performance most noticeable
Reflection
Indirect interference
Non-802.11 devices are also free to operate in this spectrum
Primarily burst devices, difficult to detect, shows up as high floor noise
Path interference
Refracting
Diffracting
Scattering
Performance Considerations
Distance (between transmitter and receiver)
Stepping down data rates acts to lower generated errors
Pro-active methods used by the protocols to deal with signal interference
(RTS/CTS) reserves the channel before transmission of data frames
Overhead of protocol
802.11a utilizes the 5 GHz frequency spectrum and is more limited in the effective coverage distance than
802.11g (2.4 GHz) due to the frequency and power limitations. You will need about 2 to 3 times as many 802.11a
access points to cover the same area as 802.11g.
Summary
Wireless networks present unique challenges due to the complex characteristics
of Radio Frequency transmissions. Most network administrators have little
experience planning, installing, and managing RF networks and therefore must be
careful to always;
SECURITY
802.11 specification addresses protection for the radio link layer only
Communications link between the mobile station and the access point
802.11 specification does not specify security beyond the access point
Responsibility of the Hotspot provider to ensure that the wireless links are secure
Types of Attacks
Network setup and security should consider these threats
Unauthorized association to the access point
Rogue access points
Man-in-the-middle
Eavesdropping
MAC Spoofing
Denial of Service
Unauthorized association to access points and rogue Access Points are problems
specific to wireless networks.
Eavesdropping, MAC Spoofing and Denial of Service are also found in wired
networks.
Security Options
Wired Equivalent Privacy (WEP) protocol
First security specification
Serious weaknesses that rendered it virtually unusable
802.11 Task Force formed the 802.11 Task Group i (TGi)
Robust Secure Network (RSN) and is also known as 802.11i
More complex encryption algorithm and automatic key management
New requirement means that already deployed equipment cannot be upgraded
Wi-Fi Alliance concluded it necessary to provide a migration path
Wi-Fi Protected Access (WPA) specification and later WPA2
Developed by using finished portions of the 802.11i specification
WEP Encryption
WEP Weaknesses
Inability to maintain the shared key secret
Lack of automated key management
WEP's key is manual; every user needs to know it
Secret key can be easily cracked from captured packets
WEP reuses encryption keys after 20,000 packets
Lets eavesdroppers know when the reuse is taking place
Part of the key, the IV, is sent unencrypted
Eavesdroppers can track the IV and know when the key is being reused
Allows multiple packet captures encrypted with the same key
The same key is used for authentication and packet encryption
The shared-key mode exposes the text used to challenge the MS in both clear and encrypted forms
Weak keys are used in the RC4 algorithm
Weak keys have patterns in the first and third bytes that cause corresponding patterns in the first few
bytes of the generated RC4 key stream
A hacker uses the IV and exposed key stream to identify potential weak keys
Lack of forgery and replay protection
WEP, by itself, is not appropriate for Hotspots. Even if WEP used a strong encryption
algorithm, WEP's lack of an automated key management mechanism makes it impractical to use
in Hotspots. DKE does not help either due to its lack of adoption and interoperability issues.
Framework - 802.1X
A specification that describes an architectural framework for an
authentication and authorization mechanism that is based on port access control
802.1X is part of a family of standards for local and metropolitan area networks
and is being adopted by the IEEE 802.11's Task Group i as the basis for
Wi-Fi's new security model
802.1X is based on the Extensible Authentication Protocol (EAP)
EAP provides the ability for network administrators to choose from several
authentication methods
802.1x
802.1x provides the specifications for authentication and authorization
How the access control mechanism operates
Levels of access control supported as well as port behavior at each level
Requirements for protocol between supplicant and authenticator
Requirements for protocol between authenticator and authentication server
Procedure for how authentication and authorization are used to support network access control
Encoding of Protocol Data Units (PDUs) used in authentication & authorization protocol exchanges
Requirements for port-based access control management
Requirements for remote management using SMT
Requirements for equipment claiming conformance to the 802.1X standard.
Port-based Network Access Control
802.1X controls access to a network by limiting what services a client system can access from
another system (e.g. an access point) through a specific port.
A port is a point of attachment to the LAN. In a wired network, an example of a port would be a
MAC bridge port or a physical port on a router; in a wireless network, an example of a port is
an association between a station (notebook computer) and an access point.
MD5 is the simplest of EAP's authentication methods, and the least secure over a wireless network
MD5 is a one-way authentication method of supplicant (Mobile Station) to network (access point)
Uses a hash of a password and challenge string to provide proof of identity
MD5's main drawbacks include storage of the password in clear text for the authenticator
to access, and its one-way authentication method
Only the Mobile Station is authenticated, leaving it vulnerable to man-in-the-middle attacks
MD5 provides no key management; attackers can still sniff your network and crack WEP keys
Support for MD5 is mandatory in the EAP specification.
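To make the drawbacks listed above concrete, here is an added example that is not part of the original document. It models the EAP-MD5-Challenge computation (the CHAP-style MD5 over identifier, secret and challenge described in RFC 3748 section 5.4 and RFC 1994) together with a hypothetical authenticator. Two properties of the method show directly in the code: the verifier needs the cleartext password, because the response is a hash over the raw secret, and the exchange yields only a yes/no answer, no key material and no proof of the network's identity. The class and function names are my own.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge response: MD5(Identifier || secret || challenge).
    Only the supplicant proves knowledge of the secret; nothing in this value lets
    the supplicant verify the network."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Md5Authenticator:
    """Hypothetical authentication-server side. It must hold each user's password in
    cleartext: a stored one-way hash of the password could not reproduce the response."""

    def __init__(self, cleartext_passwords: dict):
        self._passwords = cleartext_passwords   # username -> cleartext secret (bytes)
        self._pending = {}                      # username -> (identifier, challenge)

    def challenge(self, username: str, identifier: int) -> bytes:
        chal = os.urandom(16)                   # fresh random challenge per attempt
        self._pending[username] = (identifier, chal)
        return chal

    def verify(self, username: str, response: bytes) -> bool:
        pending = self._pending.pop(username, None)   # each challenge is usable once
        secret = self._passwords.get(username)
        if pending is None or secret is None:
            return False
        identifier, chal = pending
        expected = md5_challenge_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(auth: Md5Authenticator, username: str, supplicant_secret: bytes,
                 identifier: int = 1) -> bool:
    """Whole exchange from the supplicant's side. The result is only an accept/reject
    decision: EAP-MD5 derives no session key for the link layer to use."""
    chal = auth.challenge(username, identifier)
    return auth.verify(username, md5_challenge_response(identifier, supplicant_secret, chal))


if __name__ == "__main__":
    auth = Md5Authenticator({"alice": b"correct horse"})   # constructed user database
    print("correct secret accepted:", run_exchange(auth, "alice", b"correct horse"))
    print("wrong secret accepted:  ", run_exchange(auth, "alice", b"wrong"))
```

The one-use challenge stops a captured response from being replayed to the same authenticator, but it does nothing against an attacker who impersonates the access point, because the supplicant never receives anything it can check.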
EAP - The actual authentication method used is determined through a negotiation process
between the MS to be authenticated and the authentication server. The actual protocol used is
selected through a negotiation between the MS and the access point. Peer devices make the
authentication selection based on protocols supported and policies configured.
WPA
WPA is a subset of the 802.11i standard leaving out the specifications for Independent Basic
Service Set, pre-authentication and the use of AES
WPA supports WEP with TKIP enhancements for encryption, implemented in software
and/or firmware
WPA supports two modes of authentication operation: Enterprise and Pre-Shared Key (PSK)
Enterprise mode requires a RADIUS server for authentication and key distribution
PSK was introduced as a means of authentication for networks that lack an authentication
server
In PSK mode, the pre-shared key is used only for authentication and not for packet encryption
For data privacy, WPA uses TKIP
Session keys are generated from this pre-shared (master) key and renewed on a regular
basis
Per-packet keys are in turn generated from the session keys using a mixing function
For data integrity, WPA adds a message integrity check (MIC) called Michael, provided
through TKIP
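The key hierarchy the PSK bullets describe (pre-shared master key, per-session keys, per-packet keys) can be followed in code. The following is an added example, not part of the original document: it derives the WPA-PSK pairwise master key from a passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256 bits), then derives a 512-bit TKIP session key set from the PMK, the two MAC addresses and the two handshake nonces using the 802.11i PRF, and shows that fresh nonces give fresh session keys while the master key stays fixed. TKIP's per-packet mixing function is not reproduced here; the example stops at the temporal key that function consumes. Function names are my own.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK master key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt,
    4096 iterations, 256-bit output. The passphrase itself never encrypts traffic."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """TKIP session keys (512-bit pairwise transient key) from the PMK plus the two MAC
    addresses and the two fresh nonces exchanged in the 4-way handshake. Sorting the
    addresses and nonces lets both sides compute the same value."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[0:16],      # confirms handshake messages
        "KEK": ptk[16:32],     # wraps the group key sent to the station
        "TK": ptk[32:48],      # temporal key that TKIP's mixing function turns into per-packet keys
        "MIC_TX": ptk[48:56],  # Michael key, station to AP
        "MIC_RX": ptk[56:64],  # Michael key, AP to station
    }


def new_session(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> dict:
    """Each association or rekey draws fresh nonces, so session keys change while the PMK stays fixed."""
    return derive_ptk(pmk, ap_mac, sta_mac, os.urandom(32), os.urandom(32))


if __name__ == "__main__":
    pmk = pmk_from_passphrase("password", "IEEE")        # the 802.11i Annex test vector
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    print("PMK:", pmk.hex())
    print("TK of session 1:", new_session(pmk, ap, sta)["TK"].hex())
    print("TK of session 2:", new_session(pmk, ap, sta)["TK"].hex())
```

Because everything below the PMK is rederived per session, an eavesdropper who records one session's traffic learns nothing reusable against the next one; the PSK's weakness is that the PMK itself is only as strong as the passphrase, since the derivation is public.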
WPA2
WPA2 adds support for AES and roaming and uses CCM for header and data integrity
WPA2 also supports pre-authentication, reducing the AP-to-AP re-authentication time from
about 600 milliseconds to 30 milliseconds.
WPA2 Limitations
Requires hardware-accelerated AES. This will require new APs, and in some cases, new
NICs/wireless client hardware.
Requires new client capabilities (802.1X and WPA2) in supplicants
Architectural Tenets
The guidelines for designing and deploying a hotspot are based on the
following principles:
Usability. The client should be able to gain access to hotspot services based on user and operator policies,
independently of the specific details of the hotspot implementation.
Simplified client provisioning. Users should be presented with a consistent AAA interface, regardless of
location or network operator, which is intuitive to use, while providing service information to more experienced
users. The sign-on experience should be independent of, or agnostic to, variations in network back-ends.
Common login. Different authentication credentials from different service providers should be accepted and
the user should be authenticated directly with the home service provider with common AAA mechanisms.
One-bill roaming. A roaming infrastructure should allow users to get connected at hotspots managed by
different operators, while being authenticated by their home service provider and charged for aggregate use on
a single bill.
Security. Both users and network operators should receive a high level of assurance throughout each
session.
Mutual authentication to protect user and network. The client should be allowed to verify the AP and/or
network credentials before divulging its own.
Secure tunnels for back-end authentication. The visited network operator should not require disclosure of
authentication credentials, to preserve confidentiality of account information. Only the home service provider
should have access to clients' credentials.
Support VPN for remote enterprise access. Hotspots should provide compatibility with
VPN tunneling for corporate users during connections from public hotspots.
Scalability. The recommended framework should provide a blueprint for independent
hotspots and hotspot networks of different sizes.
Accommodate various wireless topologies. The network topology should be planned on
the basis of the local network requirements for access and backhaul that can accommodate
the best wireless technology.
Ability to share infrastructure safely. Different network operators and service providers
should be able to use the same WLAN infrastructure and to segregate internal business traffic
from commercial traffic.
Support advanced services efficiently. Hotspot networks should be planned to support
advanced services when they will become available.
Unified accounting framework. Hotspot operators and service providers need to support
flexible billing models, which include prepaid and postpaid roaming, pay-for-use and contract
plans (either flat-fee or with limited usage). Data and financial clearinghouses and AAA
aggregators and intermediaries may facilitate the establishment and management of roaming
partnerships.
One-bill Roaming
1. The Mobile Client represents the user's equipment (typically a
laptop computer, cell phone, or PDA) that is used to access the
802.11 network.
2. The 802.11 Access Point terminates the air (radio) interface to
and from the mobile client.
3. The Access Controller is the entity that verifies authorization
and enforces access control for authenticated users and segregates
traffic of non-authenticated (guest) users.
4. The Visited Network AAA Server (AAA-V) serves as an AAA
proxy for inbound roaming customers.
5. The Home Provider AAA Server (AAA-H) serves as the
RADIUS server authenticating the mobile client user. User
credentials are disclosed only to the AAA-H. The home SP and
visited network operator AAA servers also participate in
transactions involving the reconciliation of billing and settlement
records, both online and offline, done either mutually or
via an intermediate settlement entity.
6. The Web Server is an optional component that could serve one
or more of the following functions: browser-based login portal,
local value-added services portal for guests and authenticated
users, portal for new subscriptions, and redirector for other
services.
7. The Roaming Intermediary (INT) represents a wide variety of
AAA and billing intermediaries which provide translations of
RADIUS billing records into other formats and can be a key
element in resolving legacy issues.
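The roles above (AAA-V proxying by realm, AAA-H holding the credentials, the intermediary covering realms without a direct agreement, and usage from several visited networks landing on one bill) can be modelled in a few dozen lines. The following is an added example, not part of the original document: a hypothetical visited-network proxy that routes an access request on the realm part of the Network Access Identifier (user@realm, RFC 4282), plus an aggregator that turns constructed accounting records into a per-user home-realm bill. Realm names, server names and records are all invented.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def split_nai(nai: str) -> Tuple[str, Optional[str]]:
    """Network Access Identifier 'user@realm'. No realm means a local (non-roaming)
    user; an empty user or realm is rejected. Realms compare case-insensitively."""
    if "@" not in nai:
        return nai, None
    user, realm = nai.rsplit("@", 1)
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()


@dataclass
class VisitedAAA:
    """Hypothetical AAA-V. It only looks at the realm; with a tunnelled EAP method the
    inner credentials pass through to the AAA-H without being visible here."""
    local_realm: str
    home_servers: Dict[str, str]            # realm -> AAA-H address (direct roaming agreement)
    intermediary: Optional[str] = None      # Roaming Intermediary for everything else

    def route(self, nai: str) -> str:
        _, realm = split_nai(nai)
        if realm is None or realm == self.local_realm:
            return "local"
        if realm in self.home_servers:
            return self.home_servers[realm]
        if self.intermediary:
            return self.intermediary
        raise LookupError(f"no roaming agreement covers realm {realm}")


@dataclass(frozen=True)
class AccountingRecord:
    nai: str
    visited_operator: str
    octets: int
    seconds: int


# Constructed accounting records as the AAA-H might receive them from several visited networks.
RECORDS = [
    AccountingRecord("alice@home.example", "visited-a", 12_000_000, 3600),
    AccountingRecord("alice@home.example", "visited-b", 3_000_000, 900),
    AccountingRecord("dave@home.example", "visited-a", 500_000, 120),
    AccountingRecord("erin@other.example", "visited-a", 9_000_000, 2400),
]


def one_bill(records, home_realm: str) -> dict:
    """Aggregate usage per home-realm user across every visited operator (one-bill roaming)."""
    bill = {}
    for r in records:
        user, realm = split_nai(r.nai)
        if realm != home_realm.lower():
            continue
        entry = bill.setdefault(user, {"octets": 0, "seconds": 0, "visited": set()})
        entry["octets"] += r.octets
        entry["seconds"] += r.seconds
        entry["visited"].add(r.visited_operator)
    return bill


if __name__ == "__main__":
    proxy = VisitedAAA("visited.example", {"home.example": "aaa-h.home.example"}, "aaa.int.example")
    for nai in ("bob", "alice@home.example", "carol@partner.example"):
        print(f"{nai:>22} -> {proxy.route(nai)}")
    for user, usage in one_bill(RECORDS, "home.example").items():
        print(user, usage["octets"], "octets over", sorted(usage["visited"]))
```

Refusing a request whose realm matches nothing, rather than authenticating it locally, is the safe default: an unknown realm is either a typo or an attempt to get service without a billing relationship behind it.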
EAP-SIM
EAP-SIM is an authentication method which has a special relevance for public hotspots, as it
allows a SIM-card based user authentication across WLAN and GPRS/EGPRS wireless networks
(a method known as EAP Authentication and Key Agreement (EAP-AKA) offers a similar
solution for USIM cards used in 3G-WCDMA networks).
In EAP-SIM, the GPRS/EGPRS SIM authentication parameters are exchanged in the EAP
messages with added mutual authentication that improves upon GSM security. This mechanism
allows re-use of GSM and GPRS/EGPRS SIM cards and preserves cellular service providers'
infrastructure elements like the Home Location Register (HLR).
The use of PEAP with EAP-SIM and other EAP methods allows for a consistent level of security,
independent of the EAP method, providing strong keying material and mutual authentication,
data origin authentication, session encryption, and dynamic key distribution (through RADIUS)
between the EAP Client, NAS (network access server) and the EAP server.
The visited network only needs an 802.1X-compliant authentication framework to offer EAP-SIM
to roaming partners, which will then authenticate the user against their HLR. The EAP-SIM
method can be developed using the Microsoft EAP framework.
Advertisement
An industry-wide accepted solution for network and service discovery has not yet emerged,
however ongoing work indicates several solutions can be implemented successfully, including:
Advertisement using the EAP framework. While suitable for lightweight
dissemination of SP information, this solution cannot be used for direct
advertisement by the home SP.
Advertisement within beacon frames. Beacon frames are overloaded with SP
information. The approach has several drawbacks: the information is not
authenticated, only limited information can be transmitted, its radio use is
inefficient, and it might require changes to client firmware.
Advertisement through the virtual AP framework. A variant of the previous
approach, it can advertise information relevant to each SSID.
Advertisement through PEAP. This solution offers a more robust post-association
framework, which includes a secure provisioning service and can
provide detailed information and supports configuration by the home SP.
Network selection can then occur either by explicit SSID preference or by overloading the
Network Access Identifier (NAI) of the service provider (SP) in the SSIDs. This selection
process can be automated if supported by the client provisioning system.
Best Practices
Make sure to provide a solution that will not need to be upgraded right away by installing mixed-mode access points
Mixed-mode access points support WEP & WPA requirements and thus provide a transition path to WPA
Be aware that mixed-mode is not endorsed by the Wi-Fi Alliance because it compromises WPA security
In an enterprise environment, where a single IT department controls deployment, it is easier to deploy
WPA
Public Hotspots must take a more diverse set of customer requirements into consideration
For public Hotspots, stay away from cheaper SOHO access points
They lack processing power for newer encryption algorithms and support for authentication methods
Install access points that support VLANs; this will facilitate the support of multiple access methods
Use SSL (Secure Socket Layer) or SHTTP (Secure HTTP) to protect personal information or credit cards
Wireless Gateways tend to enforce this security mode
For users needing to access corporate networks, VPN will still be the best method to secure their
connections
802.11i will only protect the wireless connection from the mobile station to the access point
Purchase equipment that can be easily upgraded to the new WPA, WPA 2.0 and RSN (802.11i) standards
Management Considerations
The primary goal of any Hotspot provider's management strategy is to have data, on a day-to-day
basis, that a site is still up and running
Contract a third party to periodically audit the sites in order to verify they are functioning as planned
Using a Copy Exact approach, all of your procedures, installation methodologies, equipment, revision control,
and maintenance processes are the same regardless of location
Security and monitoring of sites for access and activity is paramount in avoiding litigation
Management Tools
Site management tools address the health of the network from the wired & wireless networking side
Strategies need to be implemented to allow visibility into your remote network environments
Design a strategy to reach your equipment in the private address space
Avoid mistakes: pinging a device is not a sufficient measure to ensure it is operating properly
Without visibility into your network to the device level you can never be sure of the state of the network
Implement proper monitoring capabilities; this will ensure that you can perform upgrades and remote changes
Enterprise applications
Enterprise business users make up the majority of recurring revenue for Hotspots
Business class users are the most demanding on a wireless infrastructure
Use of products like VPNs, Personal Firewalls, and Real-Time applications
Restricting activities should heavily consider the business user
There are three categories of business applications:
VPN and security
Real-Time applications
Real-Time Batch applications
WPA
WPA is a subset of the 802.11i standard leaving out the specifications for Independent Basic
Service Set, pre-authentication and the use of AES
WPA supports WEP with TKIP enhancements for encryption, implemented in software
and/or firmware
WPA supports two modes of authentication operation; Enterprise and Pre-Shared Key (PSK)
Enterprise mode requires a RADIUS server for authentication and key distribution
PSK was introduced as a means of authentication for networks that lack an authentication
server
PSK mode, the pre-shared key is used only for authentication and not for packet encryption
For data privacy, WPA uses TKIP
Session keys are generated from this pre-shared (master) key and renewed on a regular
basis
Per-packet keys are in turn generated from the session keys using a mixing function
For data integrity, WPA adds a message integrity check (MIC) called Michael, provided
through TKIP
WPA2
WPA2 adds support for AES and roaming and uses CCM for header and data integrity
WPA2 also supports pre-authentication, reducing the ap-to-ap re-authentication time from
about 600 milliseconds to 30 milliseconds.
WPA2 Limitations
Requires hardware accelerated AES. This will require new aps, and in some cases, new
NICs/wireless client hardware.
Requires new client capabilities (802.1X and WPA2) in supplicants
Architectural Tenets
The guidelines for designing and deploying a hotspot are based on the
following principles:
Usability. The client should be able to gain access to hotspot services based on user and operator policies,
independently of the specific details of the hotspot implementation.
Simplified client provisioning. Users should be presented with a consistent AAA interface, regardless of
location or network operator, which is intuitive to use, while providing service information to more experienced
users. The sign-on experience should be independent of, or agnostic to, variations in network back-ends.
Common login. Different authentication credentials from different service providers should be accepted and
the user should be authenticated directly with the home service provider with common AAA mechanisms.
One-bill roaming. A roaming infrastructure should allow users to get connected at hotspots managed by
different operators, while being authenticated by their home service provider and charged for aggregate use on
a single bill.
Security. Both users and network operators should receive a high level of assurance throughout each
session.
Mutual authentication to protect user and network. The client should be allowed to verify the AP and/or
network credentials before divulging its own.
Secure tunnels for back-end authentication. The visited network operator should not require disclosure of
authentication credentials, to preserve confidentiality of account information. Only the home service provider
should have access to clients credentials.
Architectural Tenets
Support VPN for remote enterprise access. Hotspots should provide compatibility with
VPN tunneling for corporate users during connections from public hotspots.
Scalability. The recommended framework should provide a blueprint for independent
hotspots and hotspot networks of different sizes.
Accommodate various wireless topologies. The network topology should be planned on
the basis of the local network requirements for access and backhaul that can accommodate
the best wireless technology.
Ability to share infrastructure safely. Different network operators and service providers
should be able to use the same WLAN infrastructure and to segregate internal business traffic
from commercial traffic.
Support advanced services efficiently. Hotspot networks should be planned to support
advanced services when they will become available.
Unified accounting framework. Hotspot operators and service providers need to support
flexible billing models, which include prepaid and postpaid roaming, pay-for-use and contract
plans (either flat-fee or with limited usage). Data and financial clearinghouses and AAA
aggregators and intermediaries may facilitate the establishment and management of roaming
partnerships.
One-bill Roaming
1. The Mobile Client represents the users equipment (typically a
laptop computer, cell phone, or PDA) that is used to access the
802.11 network.
2. The 802.11 Access Point terminates the air (radio) interface to
and from the mobile client.
3. The Access Controller is the entity that verifies authorization
and enforces access control for authenticated users and segregates
traffic of non-authenticated (guest) users.
4. The Visited Network AAA Server (AAA-V) serves as an AAA
proxy for inbound roaming customers.
5. The Home Provider AAA Server (AAA-H) serves as the
RADIUS server authenticating the mobile client user. User
credentials are disclosed only to the AAA-H. The home SP and
visited network operator AAA servers also participate in
transactions involving the reconciliation of billing and settlement
recordsboth online and offline and done either mutually, or
via an intermediate settlement entity.
6. The Web Server is an optional component that could serve one
or more of the following functions: browser-based login portal,
local value-added services portal for guests and authenticated
users, portal for new subscriptions, and redirector for other
services.
7. The Roaming Intermediary (INT) represents a wide variety of
AAA and billing intermediaries which provide translations of
RADIUS billing records into other formats and can be a key
element in resolving legacy issues.
EAP-SIM
EAP-SIM is an authentication method which has a special relevance for public hotspots, as it
allows a SIM-card based user authentication across WLAN and GPRS/EGPRS wireless networks
(a method known as EAP Authentication and Key Agreement (EAP-AKA) offers a similar
solution for USIM cards used in 3G-WCDMA networks).
In EAP-SIM, the GPRS/EGPRS SIM authentication parameters are exchanged in the EAP
messages with added mutual authentication that improves upon GSM security. This mechanism
allows re-use of GSM and GPRS/EGPRS SIM cards and preserves cellular service providers
infrastructure elements like the Home Location Register (HLR).
The use of PEAP with EAP-SIM and other EAP methods allow for a consistent level of security,
independent of the EAP method and providing strong keying material and mutual authentication,
data origin authentication, session encryption, dynamic key distribution (through RADIUS)
between the EAP Client, NAS (network access server) and the EAP server.
The visited network only needs an 802.1X-compliant authentication framework to offer EAPSIM to roaming partners, which will then authenticate the user against their HLR. The EAP-SIM
method can be developed using the Microsoft EAP framework.
Advertisement
An industry-wide accepted solution for network and service discovery has not yet emerged,
however ongoing work indicates several solutions can be implemented successfully, including:
Advertisement using the EAP framework. While suitable for light weight
dissemination of SP information, this solution cannot be used for direct
advertisement by the home SP.
Advertisement within beacon frames. Beacon frames are overloaded with SP
information. The approach has several drawbacks: the information is not
authenticated, only limited information can be transmitted, its radio use is
inefficient, and it might require changes to client firmware.
Advertisement through the virtual AP framework. A variant of the previous
approach, it can advertise information relevant to each SSID.
Advertisement through PEAP. This solution offers a more robust post
association framework, which includes a secure provisioning service and can
provide detailed information and supports configuration by the home SP.
Network selection can then occur either by explicit SSID preference or by overloading the
Network Access Identifier (NAI) of the service providers (SP) in the SSIDs. This selection
process can be automated if supported by the client provisioning system.
Best Practices
Make sure to provide a solution that will not upgrade right away by installing mixed-mode access points
Mix-mode access points support WEP & WPA requirements and thus provide a transition path to WPA
Be aware that mix-mode is not endorsed by the Wi-Fi Alliance because It compromises WPA security
In an enterprise environment, where a single IT department controls deployment, it is easier to deploy
WPA
Public Hotspots must take a more diverse set of customer requirements into consideration
For public Hotspots, stay away from cheaper, SOHO access points
Lack processing power for newer encryption algorithms and support for authentication methods )
Install access points that support VLANs, this will facilitate the support of multiple access methods
Use SSL (Secure Socket Layer) or SHTTP (Secure HTTP) to protect personal information or credit cards
Wireless Gateways tend to enforce this security mode
Users needing to access corporate networks, VPN will still be the best method to secure their
connections
802.11i will only protect the wireless connection from the mobile station to the access point
Purchase equipment that can be easily upgraded to the new WPA, WPA 2.0 and RSN (802.11i) standards
Management Considerations
The primary goal of any Hotspot providers management strategy is to have data on a day to day
basis that a site is still up and running
Contract a 3rd party periodically audit in order to verify they are functioning as planned
Using a Copy Exact approach, all of your procedures, installation methodologies, equipment, revision control,
and maintenance processes are the same regardless of location
Security and monitoring of sites for access and activity is paramount in avoiding litigation
Management Tools
Site management tools address the health of the network from both the wired and wireless networking side
Strategies need to be implemented to allow visibility into your remote network environments
Design a strategy to reach your equipment in the private address space
Avoid mistakes: pinging a device is not a sufficient measure to ensure it is operating properly
Without visibility into your network down to the device level you can never be sure of the state of the network
Implement proper monitoring capabilities; this will assure that you can perform upgrades and remote changes
Enterprise applications
Enterprise business users make up the majority of recurring revenue for Hotspots
Business class users are the most demanding on a wireless infrastructure
Use of products like VPNs, personal firewalls, and real-time applications
Any restriction of activities should take the business user heavily into account
There are three categories of business applications:
VPN and security
Real-Time applications
Real-Time Batch applications
Network Requirements
Equipment Selection
There are only four major hardware components in the coffee shop Hotspot:
1. Access point
2. Switch
3. Wireless Gateway
4. DSL Router
The model of the DSL Router is normally determined by the service provider, so you
only have to research and buy three of the four hardware components. The table below
shows some choices. These are not endorsements, only presented as examples.
The expected network usage is web browsing to the convention's information site, general
web surfing, and accessing corporate e-mail (requiring a VPN to connect to the corporate
intranet).
Site Survey
First, conduct a Site Survey:
Here we want to determine whether there are any existing wireless networks, wireless networks
from neighboring sites that might overlap, or any devices, like microwave ovens or portable phones,
that may cause signal conflicts.
We need to look for barriers, such as walls or other obstacles that might impact signals, and for
areas that might be difficult to cover with the circular coverage area of a typical access point
antenna, such as long, narrow hallways.
This will help us determine where the access points can be located. Also consider:
Placing them where they are not easily accessible, to avoid tampering or theft.
The accessibility of power and network connectivity.
The convention center has no existing wireless network.
No microwaves or other buildings present a conflict; all 3 802.11b channels are available.
Pillars in the main hallways are where the access points can be mounted.
Access points will be hung from the ceiling in the session rooms.
The venue provides an Ethernet drop in each of the session rooms, but not the hallway.
(We are constrained by the number of available channels and how much we can
reduce the power of the access points.)
Security/Authorization
Wireless network access will be free to attendees.
Site Management
We want to be able to monitor the health of the network
Bandwidth usage
Watch for introduction of viruses
Malicious users
We will want to choose access points, network gateways, and other network
components that include an SNMP capability to facilitate this.
We will use a network manager, such as HP OpenView, to provide a centralized
management console.
It would also be a good idea during the course of the event to do regular RF
audits using tools like AirMagnet WLAN Analyzer or WildPackets AiroPeek.
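To make the point raised under Management Tools (pinging a device is not a sufficient health measure) concrete, and to show the kind of device-level checks the SNMP capability mentioned here enables, the following is an added example and not code from the original document. It combines ICMP reachability, management-port reachability, SNMP sysUpTime and AP radio/client observations into one verdict per device. The probe records are constructed; a real collector would fill them from ICMP, a TCP connect to the management port and SNMP GETs. All class, field and function names are assumptions.

```python
"""Hotspot device health from several probes, not just ping.

Added example, not from the original document. All probe results below are
constructed; a real collector would fill them from ICMP, a TCP connect to the
management port and SNMP GETs (sysUpTime, plus the vendor AP MIB for radio
state and associated-client count)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

TICKS_WRAP = 2 ** 32   # SNMP sysUpTime is a 32-bit TimeTicks counter (1/100 s)


@dataclass
class ProbeResult:
    device: str
    icmp_reachable: bool
    mgmt_port_open: bool               # e.g. SSH/HTTPS reachable over the management path
    sysuptime_ticks: Optional[int]     # None when the SNMP query timed out
    prev_sysuptime_ticks: Optional[int]
    radio_up: Optional[bool]           # from the AP MIB; None if unavailable
    assoc_clients: Optional[int]       # associated wireless clients; None if unavailable
    expected_min_clients: int = 0      # during event hours a hall AP with 0 clients is suspect


def rebooted(prev: Optional[int], cur: Optional[int], poll_ticks: int) -> bool:
    """True if uptime went backwards in a way a counter wrap cannot explain."""
    if prev is None or cur is None or cur >= prev:
        return False
    # Legitimate wrap: prev was within two polls of the 32-bit limit.
    return prev < TICKS_WRAP - 2 * poll_ticks


def assess(p: ProbeResult, poll_interval_sec: int = 300) -> List[str]:
    """Return a list of findings; an empty list means the device looks healthy."""
    findings: List[str] = []
    if not p.icmp_reachable:
        return ["no ICMP reply"]
    if not p.mgmt_port_open:
        findings.append("management port closed: cannot push upgrades or config")
    if p.sysuptime_ticks is None:
        findings.append("SNMP agent not answering: no device-level visibility")
    elif rebooted(p.prev_sysuptime_ticks, p.sysuptime_ticks, poll_interval_sec * 100):
        findings.append("rebooted since last poll")
    if p.radio_up is False:
        findings.append("radio down: answers ping but serves no wireless users")
    if p.assoc_clients is not None and p.assoc_clients < p.expected_min_clients:
        findings.append(f"only {p.assoc_clients} clients, expected at least {p.expected_min_clients}")
    return findings


def site_status(results: List[ProbeResult]) -> Dict[str, str]:
    """Map device name to 'healthy' or a semicolon-joined list of findings."""
    status: Dict[str, str] = {}
    for r in results:
        findings = assess(r)
        status[r.device] = "healthy" if not findings else "; ".join(findings)
    return status


# Constructed sample poll: one healthy AP, one that pings but has its radio down,
# one that silently rebooted, and one gateway whose SNMP agent stopped responding.
SAMPLE_POLL = [
    ProbeResult("ap-hall-01", True, True, 8_640_000, 8_610_000, True, 23, 5),
    ProbeResult("ap-hall-02", True, True, 8_640_000, 8_610_000, False, 0, 5),
    ProbeResult("ap-room-03", True, True, 12_000, 8_610_000, True, 4, 0),
    ProbeResult("gw-01", True, True, None, 8_610_000, None, None, 0),
]

if __name__ == "__main__":
    for device, status in site_status(SAMPLE_POLL).items():
        print(f"{device:12} {status}")
```

Every device in the sample poll answers ping, yet only one of the four is actually serving users and manageable; that difference is exactly what the device-level visibility called for above buys you.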
Billing
Design Issues
Network Topology
The user base for this Hotspot will be highly mobile.
To allow roaming (moving from access point to access point), a flat network is required
This will require VLANs to allow enough network capacity.
A NAT device will be utilized to handle the number of public IP addresses required.
Power
This network will only exist for a short time, during the duration of the event.
It is not cost-effective to install new power, and we don't want to be limited by existing outlets.
So we'll select an access point model that gets power over the network (PoE).
Run Ethernet cables to the AP locations to provide access to the backhaul network.
Performance
To give the users a broadband experience doing the types of applications we expect,
roughly 100Kbps of bandwidth is desired.
An 802.11b AP's maximum bandwidth is roughly 5Mbps of real throughput.
This means about 50 users per access point.
There are 28 access points in the convention center design.
If there is a perfect distribution of users and access points (which there won't be), this
means 1,400 simultaneous users at 100Kbps. The target is 780 users (26% of
3,000). Depending on how accurate the numbers are, we are currently providing
nearly double the capacity we think we'll need. This gives us plenty of breathing
room if our assumptions turn out to be incorrect.
If all 28 access points are operating at 5Mbps, then an OC-3 (155Mbps) backhaul will be
required. This assumes that all 50 users on each access point are simultaneously
downloading at all times.
If we assume half are actively downloading (vs. just reading content), then we'll need
about 70Mbps, which can be achieved (plus extra) with two T3 lines.
Using two T3s (or equivalent) also would provide redundancy.
Ideally, each T3 would come from a different service provider, in order to avoid possible
outages due to service provider downtime.
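The capacity arithmetic above, carried through as an added example in Python (not from the original document). The per-user rate, AP throughput, AP count and attendee figures are the document's; the T1/T3/OC-3 line rates are standard values, and the class and function names are mine. It also answers a question the text raises only implicitly: how many users the site can still serve at the 100Kbps target if one of the two T3s is lost.

```python
"""Capacity and backhaul sizing for a convention-center hotspot.

Added example, not part of the original document. Figures (100 kb/s per user,
~5 Mbps real throughput per 802.11b AP, 28 APs, 780 of 3,000 attendees) are
the document's; link rates are standard T1/T3/OC-3 values; names are mine."""
from dataclasses import dataclass
import math

# Nominal line rates in Mbps (standard values, not from the document).
LINK_MBPS = {"T1": 1.544, "T3": 44.736, "OC-3": 155.52}


@dataclass(frozen=True)
class HotspotPlan:
    per_user_kbps: float        # bandwidth target per simultaneous user
    ap_throughput_mbps: float   # real (not advertised) throughput per AP
    access_points: int
    attendees: int
    take_rate: float            # fraction of attendees expected to be online at once

    def users_per_ap(self) -> int:
        """Simultaneous users one AP can serve at the per-user target."""
        return math.floor(self.ap_throughput_mbps * 1000 / self.per_user_kbps)

    def simultaneous_capacity(self) -> int:
        """Users served if load is spread perfectly across all APs."""
        return self.users_per_ap() * self.access_points

    def target_users(self) -> int:
        """Expected simultaneous users from the attendee count and take rate."""
        return round(self.attendees * self.take_rate)

    def headroom(self) -> float:
        """Capacity divided by target; above 1 means spare room for bad assumptions."""
        return self.simultaneous_capacity() / self.target_users()

    def backhaul_mbps(self, active_fraction: float = 1.0) -> float:
        """WAN bandwidth if every AP is saturated and the given fraction of users
        are actively downloading rather than reading."""
        return self.access_points * self.ap_throughput_mbps * active_fraction


def links_needed(required_mbps: float, link_type: str) -> int:
    """Whole links of one type needed to carry required_mbps."""
    return math.ceil(required_mbps / LINK_MBPS[link_type])


def users_after_link_loss(plan: HotspotPlan, link_type: str, links: int) -> int:
    """Users still served at the per-user target if one of `links` identical
    links fails (the redundancy argument for two T3s from different providers)."""
    remaining_mbps = LINK_MBPS[link_type] * (links - 1)
    return math.floor(remaining_mbps * 1000 / plan.per_user_kbps)


if __name__ == "__main__":
    plan = HotspotPlan(per_user_kbps=100, ap_throughput_mbps=5,
                       access_points=28, attendees=3000, take_rate=0.26)
    print("users per AP:", plan.users_per_ap())
    print("capacity:", plan.simultaneous_capacity(), "target:", plan.target_users(),
          f"headroom x{plan.headroom():.2f}")
    full, half = plan.backhaul_mbps(1.0), plan.backhaul_mbps(0.5)
    print(f"backhaul worst case {full:.0f} Mbps -> {links_needed(full, 'OC-3')} x OC-3")
    print(f"backhaul half active {half:.0f} Mbps -> {links_needed(half, 'T3')} x T3")
    print("users served if one T3 fails:", users_after_link_loss(plan, "T3", 2))
```

Running it reproduces the document's figures (50 users per AP, 1,400 capacity against a 780 target, 140Mbps worst-case backhaul, 70Mbps at half activity needing two T3s) and shows that a single surviving T3 still covers 447 users at the target rate, well above what half-active use of the site would demand.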
Conclusions
Hotspots come in many sizes and shapes and usually with their own set of
challenges.
Gathering requirements, doing a site survey and choosing the right
equipment are the three most important factors for success.
As in any other worthwhile project, make sure you spend enough time getting
an understanding of what you need to deliver.
As wireless Hotspots become more popular, the number of users at your
Hotspot is likely to increase. Make sure you plan for the next revolution in
communications.
Appendix A
Sample Hotspot Site Survey Diagrams
[Site survey diagram: truck stop site with SUBWAY, truck fueling canopy, 25 and 30 truck lanes, I-40 and a hotel. Labels mark the telecom room/DMARK, a ladder to the roof, a 50-foot Cat-5 run, a 250 mW amp in a NEMA enclosure and an 8 dB omni antenna. Signal strength readings on the diagram range from -42 to -70.]
Antenna to be mounted onto a mounting pole, which should be mounted as close as possible to the Southwest corner, outside of the roofline wall. NEMA enclosure should be mounted on the inside of the roofline wall.
NOTE: Burgundy numbers are Signal Strength Reference Levels produced from the RF Site Survey utilizing AirMagnet.
An 11Mbps connection is sustained with signal strength levels of -1 to -75. The closer the number is to zero, the better the signal.
Appendix C - Miscellaneous Hotspot-related
SP-BP-001
SP-RSA: Rotary Attenuator
SP-MSW: Measuring Wheel
SP-TC-001: Travel Case
SP-DT-001: Duct Tape
100
SP-ZIPTIES: Zip Ties
SP-CMD-001
SP-LCT-330K
20
SP-CONPAC
SP-COAX: Coax Seal
CAF28777
CAF94146
CAF94568
CAF95950
S2402DS36RTN
ESS-PRO
SP-FG24008: 8 dBi Omni
AIR-AP1231: Cisco 1231 AP
AIR-LMC352: Cisco LMC352
See Sparco University for a PDF of the US Spectrum.