As we discussed in Chapter 3, an access point (AP) is a piece of hardware that connects your wireless clients to a wired network (and usually on to the Internet from there). As with any piece of bridging hardware, it has at least two network connections and shuffles traffic between them. The wireless interface is typically an on-board radio or an embedded PCMCIA wireless card. The second network interface can be Ethernet, a dialup modem, or even another wireless adapter. Many access points now even include multiple Ethernet ports, which simplifies the creation of a trusted network segment.
The access point hardware controls access to and from both networks. On the wireless side, most vendors have implemented 802.11b access control methods (such as WEP encryption keys, “closed” networks, and MAC address filtering). Some have added proprietary extensions to provide additional security, such as more sophisticated encryption.[9] Many access points also allow control over what the wired network can send to the wireless clients, through simple firewall rules. Much of this functionality is accessible through either a Java-based tool or a simple web page interface.
In addition to providing access control, the access point also maintains its own network connections. This includes functions such as dialing the phone and connecting to an ISP on demand, or using DHCP on the Ethernet interface to get a network lease. Most access points can provide NAT and DHCP service to the wireless clients, thereby supporting multiple wireless users while requiring only a single IP address from the wire. Some support direct bridging, allowing the wired and wireless networks to exchange data as if they were physically connected together. If the access point has multiple radios, it can bridge them together with the wire, allowing for a very flexible, extendable network.
Another important service provided by APs is the ability to “hand off” clients as they wander between access points. This lets users seamlessly walk around a college campus, for example, without ever dropping their network connection. Current AP technology allows roaming only between access points on the same physical subnet (that is, APs that aren’t separated by a router). Unfortunately, the roaming protocol was left unimplemented in the 802.11 spec, so each manufacturer has implemented its own method. This means that hand-offs between access points of different manufacturers aren’t currently possible.
In the last year, at least twenty different access point hardware solutions have hit the consumer market. Low-cost models (intended for home or small office use) such as the Linksys WAP11 and D-Link DWL-1000AP currently retail for around $75. Higher-end APs like the Proxim AP-2000 and Cisco Aironet 1200 cost about $600. Typically, higher-priced equipment includes more features, greater range, and generally more stable operations. While every AP will claim 802.11b (or Wi-Fi[10]) compliance, they are not all alike. Features that set different models apart include:
Direct bridging to the wired network
NAT/DHCP service
Multiple radios (to support more users, or for use as a repeater)
External antenna connectors
Greater radio output power (most operate at 30mW, while some operate at 100mW or more)
Security enhancements such as 802.1x and tagged VLANs
Upgrade paths to 802.11g and 802.11a
In general, look for an AP in your price range that will work for your intended application, with the greatest possible range. Single radio APs can support several users simultaneously, and, as we’ll see in Chapter 6, adding APs to your network is probably preferable to simply adding higher-gain antennas or amps to your existing AP.
You should
seriously consider how to balance ease of use with essential security
when adding APs to your existing wired network. Even with WEP
encryption and other access control methods in effect, AP security is
far from perfect. Since an access point is by definition within range
of all wireless users, every user associated with your access point
can see the traffic of every other user. Unless otherwise protected
(for example, with application layer encryption), all email, web
traffic, and other data is easily readable by anyone running
protocol analysis tools such as
tcpdump
or
ethereal
. As we saw in Chapter 3, relying on WEP alone to keep people out of
your network may not be enough protection against a determined
black hat.
In terms of establishing a community network, access points do provide one absolutely critical service: they are an easy, standard, and inexpensive tool for connecting wireless devices to a wired network. Once the wireless traffic hits the wire, it can be routed and manipulated just like any other network traffic, but it has to get there first.
Wireless access points that are on the consumer market today were designed to connect a small group of trusted people to a wired network and lock out everyone else. The access control methods implemented in the APs reflect this philosophy; if that is how you intend to use the gear, it should work very well for you. For example, suppose you want to share wireless network access with your neighbor, but not with the rest of the block. You could decide on a mutual private WEP key and private ESSID and keep them a secret between you. Since you presumably trust your neighbor, this arrangement could work for both of you. You could even make a list of all of the radios that you intend to use on the network and limit the access point to allow only them to associate. This would require more administrative overhead, as one of you would have to make changes to the AP each time you wanted to add another device, but it would further limit who could access your wireless network.
While a shared secret WEP key and static table of hardware MAC addresses may be practical for a home or small office, these access control methods don’t make sense in a public-access setting. If you intend to offer network services to your local area, this “all or nothing” access control method is unusable. As we’ll see in Chapter 7, it may be more practical to simply let everyone associate with your access point, and use other methods for identifying users and granting further access. These services take place beyond the AP itself (namely, at a router connected directly to the AP). See Section 7.8 discussion. Such an arrangement requires a bit more equipment and effort to get started, but can support hundreds of people across any number of cooperative wireless nodes with very little administrative overhead.
Before we get too fancy, we have to understand how to configure an access point. Let’s take a look at how to set up a very popular access point, the Apple AirPort.
[9] Unfortunately, as is usually the case with proprietary extensions, these services can be used only if all of your network clients are using hardware from the same vendor.
[10] Wi-Fi is the “marketing friendly” name picked by the WECA (the Wireless Ethernet Compatibility Alliance) to refer to c802.11b-compliant gear. See http://www.weca.net/ if you’re so inclined.