Best practices for AP placement

and learn to configure incoming and outgoing policies to meet business needs. This tip was originally part of the Wireless Security Lunchtime Learning series on SearchSecurity.com.

Many installers make the mistake of treating 802.11 WLANs just like Ethernet, placing access points (APs) in locations that facilitate outsider access to corporate networks. But, from a security perspective, WLANs should be treated like the Internet -- a network composed of trusted and untrusted users. This tip offers network topology and physical positioning recommendations for safer AP deployment.

Position matters

This approach is straight-forward, but may not optimize cost, performance or security. Desired coverage areas are rarely circular. To fill resulting gaps, you may end up purchasing more APs than your customer really needs and "leaking" quite a bit of signal. Site modeling and/or directional antennas can help avoid this.

• Modeling tools try to satisfy user location, density and throughput requirements by combining building material characteristics, AP capabilities and site survey measurements to predict where APs should be placed and verify results. Up-front planning takes more time and effort, but can pay off in the long run, especially for large WLANs. For example, see AirMagnet Surveyor, AirTight SpectraGuard Planner, Network Chemistry RFprotect Survey and Trapeze RingMaster.

• Replacing the AP's "rubber ducky" omni antennas with directional antennas can better focus radiated power where it belongs, improving inside coverage and reducing outside signal leakage.

Physical or logical LAN segmentation

• For example, cable all of your customer's APs to a new Ethernet switch, rather than connecting them to an existing Ethernet switch used by nearby wired devices. Or you cable "thin" APs to a new wireless switch (e.g., Aruba, Cisco, Trapeze) that's responsible for managing and monitoring them. Clumping all APs into one physical LAN is easy to understand, but it does not scale.

• Larger WLANs should create logical workgroups using Virtual LANs (VLANs). VLANs tag packets or ports with identifiers used to control traffic flow. For example, connect your APs to existing Ethernet switch ports, but assign those ports their own new VLAN. You'll probably want at least two new VLANs -- one for AP management and another for wireless users.

Creating network barriers

For this reason, wireless APs should always be separated from trusted subnets using some type of network layer policy enforcement device, like:

• Routers
• Firewalls
• VPN gateways
• Wireless gateways and Layer 3 switches
• Network access controllers

When creating a network barrier, consider functions that device must perform. To enforce security policies, you may need access controls (based on MAC, VLAN, IP, port or application traffic inspection), station or user authentication, VPN tunneling (with or without subnet roaming), session accounting, virus scanning, content filtering, intrusion detection/prevention and bandwidth limits. A general-purpose firewall can do much of this, but a wireless gateway or Layer 3 switch may fill this role AND provide 802.11-specific functions like AP discovery, provisioning and RF management. Different barriers may be appropriate for different users -- for example, a Web-based access controller for guests and a VPN gateway for employees.

Finally, no matter which device you choose, configure incoming and outgoing policies to meet business needs and deny everything else. For example, there's probably no reason that SNMP requests, routing messages or DNS zone updates should originate from your customer's WLAN. Granular policies may require more effort to maintain, but can reduce the risk of core network compromise by wireless-borne attacks.

About the author
Lisa Phifer owns Core Competence, Inc., a consulting firm specializing in network security and management technology. Core Competence produces The Internet Security Conference (TISC), an annual symposium for network security professionals. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.

This tip originally appeared on SearchSecurity.com.