The 2 Mistakes Schools Make in Deploying Wireless Networks
- By Dian Schaffhauser
When the School District of Philadelphia announced last fall that it was deploying wireless Internet access at every school in the district--some 268 campuses--it was hyped as one of the world's largest enterprise wireless local area networks. Aside from the scale of the project (which involves the equivalent of 14,000 access points), the news barely raised an eyebrow among K-12 administrators. After all, announcements of new school deployments of WiFi have practically become a monthly occurrence on THEJournal.com.
Yet, according to wireless expert Frank Keeney, many schools and districts go into their deployments making two mistakes:
- They underestimate what equipment will be needed for full campus coverage; and
- They don't give enough thought to security concerns.
As president of Pasadena Networks, Keeney has consulted on and deployed his share of wireless deployments in campus environments. Now he sells wireless LAN equipment all over the world. In this interview, he shares his insights on how to overcome the two biggest mistakes schools make regarding WiFi.
Dian Schaffhauser: So how would a school district or a school go about getting a sense of the equipment they're going to need?
Frank Keeney: Ideally, it's part of a site survey with a vendor that will bring out some equipment and do some testing... Many of the manufacturers are very optimistic in their projections on their coverage, so they typically take ideal situations. You just can't set up an access point at the top of a building then expect everybody's laptop at every building indoors and out to be able to access that.
Schaffhauser: Are there any ways that a school can test coverage without having access to a lot of baseline information or a lot of equipment?
Keeney: Sure. Typically the best thing to do is, they can start out with one location and get a feel for what it's actually going to cover...
It's not just an issue of getting an access point [and testing that] but getting several different types of antennas to actually do the testing and find out which antennas work the best for that particular environment. When I would go out and do testing in the past, I would typically [take] three antennas and show the client, 'Here's the kind of coverage you're going to get.' Just try the antennas to see what works the best. There are some antennas that send the signal in all directions. But if you put an access point up in a corner of a room or a building, then you only need to send and receive the signal in one direction. You can use something directional. Those typically work a lot better. In almost every circumstance, a directional antenna will outperform what a directional antenna will do.
One of the biggest problems in putting a big omni-directional antenna on top of a building outdoors is not only is it sending its signal in all directions, but it's also receiving noise from all directions. Noise is typically one of the big factors in limiting distance of the network. You may put up this great network all over, but [you also need to expect to do] some work to isolate the interference. Everybody else is out there--the next door neighbors, the building next door, they may all have access points on the same frequency.
If you're using something directional, you can also choose what's called polarization, and an antenna can be vertically or horizontally polarized. That can give you some isolation from noise. Of course, you maybe limited to what you can use based on the equipment--if it's on laptops or PDAs. They may all be vertical.
What could also often happen indoors is if a microwave oven is old or if it's not very good, it will actually interfere with WiFi. WiFi and microwave ovens use the same frequency.
I've seen situations where a company had a few hundred employees and several access points spread out across the floor of their office space. Then during lunchtime and breaks, people would heat stuff up in the microwave. All the people around the lunch area would just get knocked off their networks. That was because the microwave oven had leaks.
There are many video transmitters that use the same frequency range. Many cordless phones that hook to the phone system share the same frequencies, and if they do, they have the potential of causing interference and then degrading the wireless networks.
So typically the best installers will go out there with what's called the spectrum analyzer, an instrument that will measure the noise level on a given frequency. So they can choose the right frequency to use in a given location.
Part of installing the network is managing the wireless spectrum. It's knowing what's actually out there using it. Then once your network is in, it's preventing other equipment that you have control over from interfering with the network.
Schaffhauser: Any advice about finding the right vendor to help with the deployment?
Keeney: You need to get somebody that has experience in both the security and the wireless aspects of the installations. It's not just plug and play. When you start doing outdoor devices, it can get quite a bit more expensive because then you're dealing with installing poles on the roof, which means you may need to either bolt into the concrete or bolt through the roof. And now you've got to waterproof that.
Indoor networks are fairly simple. Many schools are already wired. Setting up another device inside of a building is usually not complicated--running another cat5 cable, plugging in the device and mounting the antenna, and it's fairly simple. The outdoor stuff, it's all the waterproofing and making it ruggedized.
Then you need a pole going up 10, 20 feet or so from the roof just so its signal can get down. Typically, where schools are commercial construction with rebar, steel, most often they get almost no signal from outside to in. Those access points almost always need to go inside. If it's bungalows made of conventional wood construction, you maybe able to get around some of that.
Schaffhauser: The signal can't penetrate certain building materials?
Keeney: Specifically metal. But any substance will reduce the signal strength as soon as you introduce metal and dense materials that may have any sort of moisture in them.
Schaffhauser: You said that security was the second type of mistake that people often make in putting their wireless plans together. What happens there?
Keeney: Sometimes people will get consumer-type devices and set them all up with a shared pass phrase. They give everybody who wants to use the network that password. But ideally, in a campus environment where there's going to be many, many, many people using the networks, you need to have some method of centrally controlling who has access. The consumer access points often don't support that. It's all about choosing a vendor that can not only do the wireless piece but also work with the IT staff to integrate the authentication mechanism into the system that's already in place.
Many of the Cisco [wireless products] and other brands have tools that allow you to tie it into LDAP or Active Directory and allow you to use the same system. Windows has the capability of showing itself as a [Remote Authentication Dial In User Service] (RADIUS) Server. There are plenty of tools out there to integrate them. It's just a matter of finding the right one.
I liked to get the whole security mechanism working first, and then we wouldn't deploy until we knew that we had everything secured.
Schaffhauser: How do you know that the security mechanism is actually operational?
Keeney: It's all about setting up the access points so it won't allow any connection without security. At the same time, many vendors will have what are called sniffers, which basically sniff the packets of data off the air. You could examine the packets to verify that any transmission is securely encrypted.
There are circumstances where they may want an area or some place where either visitors or the public can get onto the Internet, like a hotspot type of situation. Of course that's not going to be encrypted. Then the key is to verify that no one on that open network can actually get into the school network. You just have to write the rules in the hardware that only allow connection to the Internet, nothing to the internal network. Most of these firewalls and other access control devices have that capability. So, it's a matter of configuring them correctly and then, of course, testing to make sure that all the configurations are set up correctly.
Schaffhauser: How do you know when you are on a truly secure wireless network? Is it simply that you need to plug in a username and password?
Keeney: You trust the administrator of the network to know that it's configured correctly. The user can see, when you view wireless networks, it'll say, "Oh, yes, this requires an encryption key and you have to type that in." But to know that it's truly secure the administrators of the network are responsible for that.
Schaffhauser: Is security for WiFi getting easier or harder to do well?
Keeney: I think it's getting easier because the capabilities of the access points themselves are more powerful. They have more capabilities and stronger encryption. It's this on-going game that as security and encryption capabilities are increased, then there's always people out there that just want to go out and try to break it. Then, as weaknesses are found, the vendors will typically fix them.
I always try to explain security for a wireless network this way: Imagine your internal network... and you just hung an Ethernet cable out on the streets, that anybody could plug into. What kind of controls do you want to have over that person who's plugging into it--because with the wireless network, that's what you are offering.
Get daily news from THE Journal's RSS News Feed
About the author: Dian Schaffhauser covers high tech, business and higher education for a number of publications. Contact her at firstname.lastname@example.org.
Proposals for articles and tips for news stories, as well as questions and comments about this publication, should be submitted to David Nagel, executive editor, at email@example.com.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at firstname.lastname@example.org or on Twitter @schaffhauser.