Wireless Network Plan

Deployment Scenario
The Infrastructure deployment scenario is recommended for Apex Designs' Conference Center.

Deployment Scenario Reasoning
The Infrastructure deployment scenario connects wireless access points (WAPs) to the existing wired network so that employees with wireless devices can reach the company's network. This is a common way to extend an existing wired network, adds mobility for employees, and is a cost-effective upgrade path to a wireless local area network (WLAN). Employees on the move can work more productively in the Conference Center by reaching company printers, file servers, and the Internet and/or Intranet wirelessly, without plugging into the wired network.

Hardware Components
This section details the hardware components recommended for the wireless upgrade to Apex Designs' Conference Center. Each item was researched for performance, compatibility with legacy equipment, cost, and investment longevity. Reference links for more information accompany each component.

• Component Name: Cisco Aironet 1252 Access Point
o Justification for using component: Cisco states that the Aironet 1250 series APs were the first Wi-Fi CERTIFIED 802.11n draft 2.0 APs and that the series has earned the Intel Connect with Centrino certification. The Aironet 1250 uses "Multiple In, Multiple Out" (MIMO) technology, which uses multiple antennas and exploits signal reflections to increase range and expand the coverage area, reducing dead spots. The AP is UL 2043 plenum rated for installation above suspended ceilings and supports Power over Ethernet (PoE) or external DC power, so it can be installed in places that are not near electrical outlets.
Other features found on the Cisco Aironet 1250 Series AP product sheet include:
• Backward compatibility with 802.11a/b/g devices.
• Data rates of up to 300 Mbps per radio and 600 Mbps per AP.
• Gigabit Ethernet uplink and the platform capacity required for 802.11n and future wireless technologies.
• External RP-TNC antenna connectors for both the 2.4 GHz and 5 GHz radios.
• Investment protection: radio modules are field-upgradeable as new technologies evolve, avoiding the expense of new AP installations. Built-in RF management helps improve system performance and provides automated self-healing to compensate for RF dead zones and/or AP failures.
• Security using Cisco Unified IDS/IPS to monitor the RF environment for unauthorized wireless activity, rogue APs, and RF denial-of-service attacks.
• Management Frame Protection (MFP) adds an integrity check to management frames (it does not encrypt data traffic) so that the AP can detect spoofed frames such as forged deauthentications from attackers and alert network administrators.
o Rough cost estimate: $795
o Part number: AIR-LAP1252AG-A-K9
o How many units required: Four (4)

• Component Name: Catalyst 3560 24-port 10/100 PoE + 2 SFP Standard Image Switch
o Justification for using component: This switch is compatible with the Aironet 1252 and supplies PoE to each AP over the data cable, avoiding separate cabling drops for power; it is also a managed switch that can serve as the single point of administration for the wired side of the WLAN. Caveat: a dual-radio 1252 running 802.11n on both radios draws more than the 15.4 W an IEEE 802.3af PoE port supplies and runs with reduced functionality on standard 802.3af power, so confirm the power budget against the current Cisco datasheet and plan for a power injector or an enhanced-PoE switch port if full dual-radio operation is required.
Other features found on the Cisco Catalyst 3560 Ethernet Switch data sheet are:
• Easy to use and deploy with a Web browser and Cisco Express Setup; ready-made templates for routing, access, and virtual LAN (VLAN) deployment scenarios.
• PoE support with automatic endpoint discovery, without user configuration.
• Redundancy features for fault recovery to improve overall network reliability and stability.
• High-performance IP routing, including IPv6 and Policy-Based Routing (PBR).
• Bandwidth optimization with integrated Cisco IOS software features.
• Advanced Quality of Service (QoS), including rate limiting based on source and destination IP address.
• Network-wide security features (such as IEEE 802.1X) and support for 2000 access control entries (ACEs).
o Rough cost estimate: $2629 new or $1983 certified used
o Part number: WS-C3560-24PS-S
o How many units required: One (1)

• Component Name: Plenum Rated CAT 5e Cable
o Justification for using component: Plenum rated CAT 5e cable is made for installation in plenum spaces (the air-handling space above suspended ceilings and in vents), is rated by the vendor to 350 MHz, and supports data rates up to 1000 Mbps. It is needed to connect the APs to the switch above the ceiling tiles, and it also carries PoE. A run from switch port to AP should not exceed 100 meters, the Ethernet segment limit.
o Rough cost estimate: $138.99 per box, 1,000 feet per box
o Part number: 055-453/P/BL
o How many units required: One (1)

• Component Name: CAT 5E Patch Cords (7' length)
o Justification for using component: Patch cords connect each WAP's patch panel port to the switch; without them the WAPs cannot reach the company network.
o Rough cost estimate: $1.32 each
o Part number: CB241-7BL
o How many units required: Four (4)

• Component Name: Cat5E 110 Type 12 Port Vertical Patch Panel with Bracket
o Justification for using component: Installed in the switch room to terminate the CAT 5E cable runs; it provides a single point of access for the patch cords that connect to the Cisco Catalyst 3560 24-port Ethernet switch.
o Rough cost estimate: $16.23 per panel
o Part number: 00153
o How many units required: One (1)

IEEE Wireless Network Type
Apex Designs has identified that an 802.11n LAN will be implemented. The benefits of 802.11n over the other 802.11 standards are:
• Significantly greater speed
• More range in data transmission
• Simple firmware updates will bring products based on Draft 2.0 up to the final standard when it is ratified.

Access Point Management
Apex Designs has decided that thin (lightweight) access points will be used to simplify management of the wireless LAN. The wireless network can then be managed from one central location rather than configuring each access point separately.
Authentication settings and WLAN configuration are held on the central management device rather than on each AP, which also reduces the time needed to hand a client's authentication state from one AP to the next when roaming. Caveat: the original text names the Catalyst 3560 switch as that central device, but AIR-LAP1252AG-A-K9 is Cisco's lightweight model, which is managed by a Cisco Wireless LAN Controller (WLC), not by a Catalyst 3560. The 3560 provides switching and PoE; a WLC (not priced in this plan) is needed for the centralized management, RF management, IDS/IPS and Management Frame Protection features cited above. Thin AP protocols are vendor-specific, so the APs and their controller must come from the same vendor.

Location of Wireless Devices
Network Performance Impediment Report (overview of floor plan and possible impediments)
The site survey of the Conference Center found the Data Center in the northwest corner of the 300' x 250' floor plan.
Long hallways surround the large, central Conference Room (east of the Data Center) on all sides, with 14 rooms branching off these hallways. Two (2) bathrooms are directly south of the Data Center. A stairwell and an elevator are east of the Data Center, and a phone switching room is in the northeast corner of the floor plan; a break room is in the middle of the south wall and a storage room is directly north of the break room. The Conference Center poses several possible impediments to WLAN performance. A concrete wall surrounds the stairwell and elevator, and another concrete wall separates the bathrooms. Two (2) vending machines in the break room and the phone switching room may cause signal interference; furthermore, a fully occupied Conference Center holds a large number of people, whose bodies absorb 2.4 GHz signal and noticeably reduce range.

Summary list of possible impediments to wireless performance
• Vending machines in the break room will interfere with the Wi-Fi signal. If possible, relocate the vending machines to the small room immediately west of the break room.
• The Phone Switching Room may cause interference because of power and RF emissions from that area.
o This should not be difficult to overcome, as there is probably not enough interference from that area to affect the WLAN signal.
• The wall separating the two bathrooms and the walls around the elevator and stairwell are concrete, which attenuates the WLAN signal in the surrounding areas. This can be overcome by installing a WAP in each of the four quadrants of the Conference Center so that the signal achieves full coverage.
• The wireless signal may bleed outside the walls of the building, exposing the WLAN to attackers in the parking lot or adjacent spaces.
o APs should be placed strategically in the ceiling and their transmit power boosted or reduced accordingly (within FCC limits) to limit bleed while ensuring signal strength and connection reliability. Note that lowering transmit power reduces casual discovery but is not a security control: an attacker with a directional antenna can still receive the signal from well outside the building, so encryption and authentication remain the primary defenses.
NOTE: Location of wireless devices is depicted in Appendix H.

Wireless Security Policy
Since wireless components have no physical connection between them, wireless links are vulnerable to eavesdropping and information theft by anyone within radio range. The original IEEE 802.11 standard defined two (2) authentication methods: Open System Authentication and WEP Shared Key Authentication. Most IEEE 802.11 wireless devices operate in Open System mode by default. This section lists these two mechanisms and two additional protections intended to add layers of security to the WLAN, together with the limitations of each.

List of Security Protections
• Open System Authentication
• WEP
• Digital Certificates
• MAC address filtering

Summary of Protections
Open System Authentication (SSID beaconing): A wireless device sends an association request frame containing the SSID to the AP; if the SSID matches the WLAN's SSID, the device is associated. This is the default for all 802.11 APs and is easy to configure. It is an access mechanism, not a security measure: Open System Authentication performs no actual authentication. Disabling SSID broadcast in beacons only hides the name from casual users; the SSID is still sent in cleartext in every probe request, probe response and association request, so anyone with a wireless sniffer recovers it as soon as a legitimate client connects. Open System Authentication must therefore always be paired with strong encryption and a real authentication method (below). Changing the SSID periodically provides no security benefit, since the new name is exposed the same way; it only forces legitimate users to reconfigure.

WEP Shared Key Authentication (Wired Equivalent Privacy): WEP uses a shared key to encrypt wireless transmissions with the RC4 stream cipher, intended to keep the data confidential so that only authorized parties can read it. The original recommendation was to use WEP Shared Key for both authentication and encryption on all incoming and outgoing transmissions, so that the SSID is not sent unencrypted when a device requests access. Caveat: WEP is cryptographically broken and must not be relied on. Its 24-bit initialization vector (IV) is transmitted in the clear and repeats quickly on a busy network, so keystreams are reused and plaintext can be recovered without the key; published key-recovery attacks obtain a 104-bit WEP key from tens of thousands of captured frames in minutes with freely available tools; and Shared Key Authentication is weaker than Open System because its challenge/response exchange hands an eavesdropper a known plaintext/ciphertext pair. The Aironet 1252 supports WPA2 with AES-CCMP (required for Wi-Fi CERTIFIED 802.11n draft 2.0 certification); WPA2 should be used in place of WEP for encryption, with Open System association plus 802.1X for access control.

Media Access Control (MAC) Address Filtering: Limits association to an AP to devices whose MAC addresses the network administrator has entered on the AP's "approved" list. This makes guest devices harder to add. It is recommended as an additional layer to keep unknown devices off the WLAN, including devices whose user happens to "know" the network name (SSID). Caveat: the MAC address is sent unencrypted in every frame, so an attacker who sniffs an approved client's MAC can clone it with a single command on any laptop; MAC filtering raises the bar only against casual users and must not be counted as an authentication control.

Digital Certificates: Digital credentials that bind an identity and other supporting information to an entity. They are issued by a trusted third-party certificate authority (CA) that vouches for the information in the certificate. All digital certificates are valid for a limited time and have an expiration date. It is recommended to use digital certificates for network access in addition to link-layer encryption and Open System association. On an 802.11 WLAN this is done with IEEE 802.1X and EAP-TLS: the client presents its certificate to a RADIUS server through the AP, the server validates it against the company CA, and only then is the client allowed onto the network, so access is tied to a credential that cannot be obtained by sniffing. The Catalyst 3560 and Aironet 1252 both support 802.1X.
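The WEP caveat above rests on one mechanical fact: WEP's keystream is RC4 seeded with a 3-byte IV that is sent in the clear, so two frames under the same IV share a keystream. The following is an added example written for this page (not Cisco code and not part of the original plan) that implements that construction and carries out the resulting attack. The key, IV and payloads are constructed; the CRC-32 integrity check value that real WEP appends is omitted because it changes nothing about this attack.

```python
"""WEP keystream reuse, worked through in Python (added example; constructed data)."""
import random
from typing import Tuple

# First 8 bytes of every WEP-encrypted IP data frame: the LLC/SNAP header for
# EtherType 0x0800. An attacker therefore knows 8 plaintext bytes of every frame.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on the air: cleartext IV followed by plaintext XOR RC4(IV||key)."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV is 3 bytes")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_keystream_prefix(frame: bytes, known_prefix: bytes = LLC_SNAP_IP) -> Tuple[bytes, bytes]:
    """Attacker side: the IV and the keystream bytes exposed by the known LLC/SNAP header."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor_bytes(ct, known_prefix)


def decrypt_other_frame(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Attacker side: given one fully known plaintext under IV x, read any other frame under IV x.
    Recovers as many bytes as the known frame is long; the key is never learned."""
    iv1, c1 = known_frame[:3], known_frame[3:]
    iv2, c2 = target_frame[:3], target_frame[3:]
    if iv1 != iv2:
        raise ValueError("different IVs: the keystreams are unrelated")
    keystream = xor_bytes(c1, known_plaintext)
    return xor_bytes(c2, keystream)


def frames_until_iv_repeat(rng: random.Random) -> int:
    """Simulate a driver picking random IVs; return the frame count at the first reuse.
    With 2**24 IVs the birthday bound puts this near sqrt(pi/2 * 2**24), about 5,100 frames."""
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)


def demo() -> dict:
    """Two frames under one IV: one whose plaintext is known, one carrying a credential."""
    key = b"ApexConfKey13"                    # constructed 104-bit (13-byte) WEP key
    iv = bytes.fromhex("3f1a07")              # constructed IV, reused by the AP
    p_known = LLC_SNAP_IP + b"GET /index.html HTTP/1.1"
    p_secret = LLC_SNAP_IP + b"user=alice&pass=hunter2"
    f_known = wep_encrypt(key, iv, p_known)
    f_secret = wep_encrypt(key, iv, p_secret)
    return {
        "snap_reveals_keystream": recover_keystream_prefix(f_secret)[1] == rc4_keystream(iv + key, 8),
        "recovered": decrypt_other_frame(f_known, p_known, f_secret),
        "iv_repeat_after": frames_until_iv_repeat(random.Random(2008)),
    }


if __name__ == "__main__":
    print(demo())
```

Drivers that use a sequential IV counter instead of random IVs avoid the birthday collision but wrap the entire 2**24 space after a few hours of traffic, at which point every keystream repeats; either way WEP confidentiality fails without any key-recovery attack, and the key-recovery attacks are faster still.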
When these measures are implemented together, WLAN security improves, but only if the weak components (WEP, hidden SSID, MAC filtering) are understood as minor obstacles and the real access control is certificate-based 802.1X with WPA2 encryption. The next section lists further network vulnerabilities and how to address them.

Possible Network Vulnerabilities
Security is an ever-changing landscape and other vulnerabilities will appear; the following measures are recommended to check for security gaps and further secure the network:
• Newer and stronger security products are available (at additional cost); independently of that, we recommend engaging professional penetration testers to assess the deployed WLAN and expose security faults before an attacker does.
• With MAC address filtering on, guests cannot join the WLAN. Because this Conference Center draws many guests, a company Web page should be created as a Captive Portal on a separate guest SSID and VLAN, isolated from the internal network, so that guests can reach the Internet without touching company resources. Caveat: a captive portal authorizes guests onto the guest network only; it is not a control on the corporate WLAN and it does not provide remote access. Employees working from home reach the company network through a Virtual Private Network (VPN), which is a separate system from the guest portal.
• To detect unwanted users leeching off the company's APs and rogue devices, a Wireless Intrusion Detection System (WIDS) should be installed to monitor the RF environment, including signal that "bleeds" through the walls of the Conference Center, for rogue APs, evil-twin SSIDs, deauthentication floods and other RF attacks. The Cisco Unified IDS/IPS feature cited above provides this when the APs are controller-managed.
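The core check a wireless IDS performs is to compare every beacon heard on the air against the deployment's list of authorized radios. The following added example (written for this page; it is not Cisco's IDS logic and not part of the original plan) runs that comparison over constructed scan records. The authorized BSSID list, the SSID names, the RSSI threshold and the scan lines are all constructed; in practice the authorized list would come from the controller's AP inventory and the scan lines from a sensor.

```python
"""Rogue / evil-twin AP check over constructed scan records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed authorized list for the four planned APs: BSSID -> (SSID, channel).
AUTHORIZED: Dict[str, Tuple[str, int]] = {
    "00:1b:54:aa:00:01": ("ApexConf", 1),
    "00:1b:54:aa:00:02": ("ApexConf", 6),
    "00:1b:54:aa:00:03": ("ApexConf", 11),
    "00:1b:54:aa:00:04": ("ApexConf", 1),
}
CORPORATE_SSIDS = {"ApexConf"}           # constructed corporate SSID
STRONG_RSSI_DBM = -65                    # constructed threshold: stronger than this is probably on premises


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int        # dBm as reported by the scanner
    privacy: bool    # Privacy bit from the capability field (encryption enabled)


def parse_scan_line(line: str) -> Beacon:
    """Parse one constructed record: 'bssid channel rssi privacy ssid' (SSID may contain spaces)."""
    bssid, channel, rssi, privacy, ssid = line.split(maxsplit=4)
    return Beacon(bssid.lower(), ssid, int(channel), int(rssi), privacy == "1")


def classify(b: Beacon) -> str:
    """Map a beacon to an IDS verdict using the authorized list and the corporate SSID set."""
    if b.bssid in AUTHORIZED:
        ssid, chan = AUTHORIZED[b.bssid]
        if b.ssid != ssid or b.channel != chan or not b.privacy:
            return "misconfigured"       # our radio, but drifted from the plan (e.g. encryption off)
        return "authorized"
    if b.ssid in CORPORATE_SSIDS:
        return "evil-twin"               # corporate name advertised by a radio we do not own
    if b.rssi > STRONG_RSSI_DBM:
        return "rogue-candidate"         # strong unknown AP, likely inside the building
    return "neighbor"                    # weak unknown AP, probably a neighbouring business


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Return verdict -> list of BSSIDs for a batch of scan lines."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        b = parse_scan_line(line)
        report.setdefault(classify(b), []).append(b.bssid)
    return report


# Constructed scan output: the four planned APs plus three outsiders.
SAMPLE_SCAN = [
    "00:1b:54:aa:00:01 1 -40 1 ApexConf",
    "00:1b:54:aa:00:02 6 -45 1 ApexConf",
    "00:1b:54:aa:00:03 11 -50 0 ApexConf",      # encryption disabled on an authorized AP
    "00:1b:54:aa:00:04 1 -48 1 ApexConf",
    "02:13:37:00:00:01 6 -55 1 ApexConf",       # unknown radio using the corporate SSID
    "00:11:22:33:44:55 11 -58 0 linksys",       # strong open AP, someone's unauthorized router
    "00:aa:bb:cc:dd:ee 1 -85 1 Cafe Guest WiFi",  # weak signal from next door
]

if __name__ == "__main__":
    for verdict, bssids in sorted(audit(SAMPLE_SCAN).items()):
        print(f"{verdict:16s} {', '.join(bssids)}")
```

The "rogue-candidate" verdict depends on the RSSI threshold, which should be calibrated from a walk-through with the sensors in their final positions; "evil-twin" and "misconfigured" do not depend on signal strength and are the verdicts worth paging someone for.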