Wi-Fi is an interesting beast in that it has become ubiquitous in its presence and our desire to consume it. Wherever we go we are either looking out for free Wi-Fi or the businesses we visit are actively promoting we use it. In our homes it fuels most of our devices (I dare say there will be some like me who own a comms cabinet full of tech but it’s pretty rare) and should it fail it can (according to my children) be like falling back in time.
And yet the technology of Wi-Fi and its use are rarely given the time of day when it comes to investment and security. I am sure we are all familiar with Access Points (AP) being placed more for convenience (near a socket) or by the rule of thumb “the signal over there is terrible, pop one by that desk”. But is it really that simple?
I’ll save you the trouble of guessing, NO, it isn’t that simple, and NO the rule of thumb is not a recommended method for setting up your Wi-Fi.
What is an Access Point? An access point is a sub-device within the local area network that provides another location for devices to connect from and enables more devices to be on the network.
What Makes Good Wi-Fi?
Well, there are two key aspects to this: ‘What is seeking to be achieved’ and ‘The technology’. As with all things the technology is (or should be) defined by what is seeking to be achieved.
Take the example of a small office which would like to provide Wi-Fi to its staff’s personal devices because mobile data reception in the area is poor. From the business perspective this is a nice to have rather than mission critical and a small budget would be allocated. Depending on the size and configuration of the office space a single self-contained AP solution would be fine. For a much larger business which deals with logistics (let us say), with stock frequently arriving, leaving, and moving around the site, Wi-Fi is an essential tool for feeding this information into the business systems. Doing this via a static terminal or pen & parchment is very inefficient and costly. Therefore the Wi-Fi infrastructure is much more critical to business operations and would likely necessitate a much larger solution: multiple APs throughout the site, centrally managed to ensure a uniform configuration, address load (quantity of devices), hand devices off from one AP to another as they move through the site and highlight problems before or as they occur so the business impact can be mitigated.
What Questions Should Be Asked?
What/who is the Wi-Fi for? – Understanding your audience helps to identify the ‘Why’ which ultimately leads to ‘What’ is needed. As I mentioned in the above examples, understanding who will use the Wi-Fi helps the business understand what they will use it for and how important that is (or isn’t) to them, and helps define Where It Is Needed, How Critical Is Its Availability and what Security considerations there are. It also informs Capacity, which can often be overlooked; typically Wi-Fi is placed into an area with business use in mind but then its use expands to staff personal devices, then maybe guests, and before you know it you have more devices connected to your Wi-Fi than was planned for and the system begins to struggle. I’ve genuinely seen mid-sized deployments with up to 200 devices connected and only 3 of them for legitimate business use.
Where is it needed? – Whilst it is entirely possible to have blanket coverage within a given area there are going to be areas where it is not a priority, lift shafts, cloak rooms, toilets, etc. Additionally understanding where these areas of coverage are in relation to networking equipment is invaluable as it can affect the methodology or feasibility of deployment; you may need to run fibre, daisy chain APs or uplink APs wirelessly (this is referred to as a mesh).
Do not assume that all coverage areas are the same, most medium to large businesses will have customer specific areas and these could be smaller or larger than the back-office workspace and will need to cater for different quantities of devices. Hospitality can be a good example of this as they will likely provide free Wi-Fi to guests which needs to be prioritised over staff use and deal with a much larger number of concurrent devices.
How Available does it need to be? – Essentially, is downtime an issue? Depending on what/who the Wi-Fi is serving, multiple APs may be required within a given space to ensure the Wi-Fi stays up (even in a limited capacity) should an AP go off-line. Some APs may be in areas which are hard to reach for various reasons (security, lifting/access equipment may be required, etc.) or it may simply be that there is limited other IT a staff member can access (the logistics example from earlier is a good fit here), meaning users may need to walk a reasonable distance to and from a workstation or rely on pen and paper – both of which are very inefficient uses of time.
So, ensuring that these areas can stay operational whilst an issue is investigated can be key.
What Are the Technology Considerations?
Environmental – Where are these APs going? This obviously depends on what/who will be using the Wi-Fi: are they going into warehouses where lifting or access equipment may be required? Will they be used outdoors or in refrigerated stores? Understanding the environment helps identify the correct APs to use, the practicalities of installation and maintenance, etc. One thing I would strongly urge everyone to do is physically visit the site. As I’ll go into later, a lot of Wi-Fi planning is remote, poring over floor plans and looking at synthetic surveys, but this cannot give you the whole picture; frequently floor plans are not kept up to date, may not show what materials have been used, etc. So visiting the site, gathering this info and looking out beforehand for the practicalities of how the AP will be mounted can be a real time saver. As an example, a lot of APs are either designed to be mounted into suspended ceilings or on poles/walls. But what if there is no suspended ceiling? Or the ceiling is too high? You may need to use T-bars or I-beams as fixing points or look at drop pole solutions to lower the APs to an acceptable height, and the drawings simply won’t give you that level of insight.
Infrastructure – we’ve touched on this a little before, but understanding how many devices the Wi-Fi needs to support, what levels of performance are acceptable and where the rest of the network is in relation are key. Going back to our warehousing and logistics examples, a lot of the scanning devices in use in these areas utilise a 2.4GHz band, so implementing 5GHz Wi-Fi will likely not be the best investment as it typically requires more APs due to its shorter broadcast range. That said, 5GHz is a cleaner and better performing spectrum, so if you are trying to future proof or address congestion issues in shared spaces (serviced offices, etc.) 5GHz will probably be the better fit.
Coupled with the physical should be the logical: “what will provide Wi-Fi clients with network addresses & resources?” For those of you less technically orientated, machines use numbers to communicate with each other; these are referred to as IP addresses and, regardless of your deployment, they are finite. Once the device(s) assigning these addresses have run out, new devices will be unable to communicate with other devices or break out to the internet; some clients will still show they are connected to the Wi-Fi even if they do not have an IP address, so from a support perspective this issue can manifest as a Wi-Fi specific issue. The impact of running out of IP addresses varies from business to business and can range from an inconvenience when a member of staff can’t connect their phone to mission critical when important visitors in your boardroom are unable to connect.
Make sure you assess infrastructure holistically, divide up enabling services such as DHCP and DNS to their appropriate networks and/or look at clustered solutions.
Understanding the infrastructure also helps to identify how you may support the Wi-Fi going forwards. Some businesses may have a single IT guy, others will have a team or outsource; whichever is the case, being able to monitor for issues, investigate and remediate without physically attending site or removing wires is important.
Security – I put security last as it is typically the last area considered (I sound so jaded) as it often doesn’t directly correlate to functionality or return on investment, but it is absolutely crucial. As we’ve already covered here the ‘What’ is really defined by the ‘Who’; Who will use this Wi-Fi network and what security do they need. A great example of this is public Wi-Fi, as a business you have no control over the devices which connect to your network, but you need to exercise some safeguards to protect your business and your customers. In these scenarios you should consider:
- Isolating your ‘guests’ – what this means is that devices on the guest Wi-Fi can only get to the internet, they cannot talk to each other. This prevents the spread of viruses and malware as well as stops criminals targeting customers using your network
- DNS based content filtering – all requests for websites need a thing called DNS (Domain Name System), essentially converting names like Google.co.uk to 220.127.116.11 (the IP addresses we mentioned earlier). By default DNS is sent in the clear so anything on the network can see it (we’re not going to get into DNS over HTTPS here) and this is great if you want to stop staff or customers accessing inappropriate content such as pornography, violence, extremism, racism, etc. You should also block pretty much everything other than generic web traffic (HTTP & HTTPS); again this helps to stop your network being misused for criminal activities.
- Restrict management access – I hope this goes without saying but you should never allow your guest network to access your management network or management interface(s) (not even the Wi-Fi controller(s)). Your guests have no need of this, and it is a security breach waiting to happen. Similarly, my blood turns cold every time I see this, but your production DHCP server/device should not be giving out addresses on your production range to your guests; even with Guest Isolation in place this is an accident waiting to happen (see my comments in the Infrastructure section above). This typically comes from a skills or planning issue when the network is first deployed.
- Control Bandwidth – depending on the nature of the business you may have either a dedicated internet connection for your guests or share one, in either case you don’t want one or two devices sucking up all the bandwidth for everyone.
- WIPS – Wireless Intrusion Prevention System is an interesting topic on its own; essentially it can help to stop other devices within your air-space imitating your network and luring other guests into connecting to it. The coffee shop horror stories all come from this particular attack and it’s very easy to pull off with little equipment and skill, so depending on the type of customers you expect you may want to invest in some sort of WIPS overlay.
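The core comparison behind the WIPS item above, as an added example (not from the original article and not any vendor's implementation): what is heard on the air is checked against an inventory of the APs actually deployed. The SSID, BSSIDs and scan records are constructed for illustration.

```python
"""Rogue-AP check of the kind a WIPS overlay runs (illustrative sketch)."""

# Constructed inventory of the APs we actually deployed: BSSID -> config.
AUTHORISED = {
    "aa:bb:cc:00:00:01": {"ssid": "CafeGuest", "channel": 1, "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "CafeGuest", "channel": 11, "security": "WPA2"},
}

def normalise(ssid):
    # Lookalike names ("CafeGuest ", "cafeguest") should still match ours.
    return ssid.strip().casefold()

def classify(obs, authorised=AUTHORISED):
    """Return (verdict, reason) for one observed beacon."""
    ours = {normalise(ap["ssid"]) for ap in authorised.values()}
    known = authorised.get(obs["bssid"].lower())
    if known is None:
        if normalise(obs["ssid"]) in ours:
            return "evil_twin", "our SSID from a BSSID not in the inventory"
        return "neighbour", "unrelated network sharing the air-space"
    # BSSID is ours: anything that differs from the deployed config is suspect.
    for field in ("ssid", "channel", "security"):
        if obs[field] != known[field]:
            return "spoofed_bssid", f"{field} is {obs[field]!r}, expected {known[field]!r}"
    return "ok", "matches inventory"

def alerts(scan):
    """Keep only observations an operator should look at, strongest signal first."""
    hits = [(o, *classify(o)) for o in scan]
    hits = [h for h in hits if h[1] in ("evil_twin", "spoofed_bssid")]
    return sorted(hits, key=lambda h: h[0]["rssi"], reverse=True)

# Constructed scan results, as a sensor or survey tool might export them.
SCAN = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CafeGuest", "channel": 1, "security": "WPA2", "rssi": -48},
    {"bssid": "de:ad:be:ef:00:10", "ssid": "CafeGuest", "channel": 6, "security": "OPEN", "rssi": -40},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CafeGuest", "channel": 11, "security": "OPEN", "rssi": -60},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "OfficeUpstairs", "channel": 6, "security": "WPA2", "rssi": -70},
]

if __name__ == "__main__":
    for obs, verdict, reason in alerts(SCAN):
        print(f'{verdict:14} {obs["bssid"]} ch{obs["channel"]} {obs["rssi"]} dBm: {reason}')
```

The neighbouring tenant's network is deliberately not alerted on; only beacons that use your SSID or your BSSIDs are.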
There are of course other examples where you may need to provide safeguarding to your users if they are of a certain age, alerting on concerning search activities like ‘suicide’ and ‘self-harm’ can make all the difference; allowing staff to reach out to those users who may need help but be unable to ask for it.
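An added example, not part of the original article, that turns the guest-network safeguards listed above (isolation, management access, DHCP range, permitted traffic, bandwidth) into an automated check over a network plan. The plan format, addresses and rule syntax are assumptions made for illustration, and guest DNS is assumed to be served by the filtering gateway itself.

```python
import ipaddress as ip

PROBE = "203.0.113.10"  # documentation-range address standing in for "the internet"

def allowed(rules, dst, port):
    """First-match evaluation of an ordered guest rule list; default deny."""
    for r in rules:
        if ip.ip_address(dst) in ip.ip_network(r["dst"]) and r["port"] in ("any", port):
            return r["action"] == "allow"
    return False

def audit_guest(plan):
    """Return findings for the guest safeguards; an empty list means pass."""
    g, out = plan["guest"], []
    lo, hi = (ip.ip_address(a) for a in g["dhcp_pool"])
    if not g["client_isolation"]:
        out.append("client isolation off")
    for name, cidr in plan["production"].items():  # guest leases must not be production addresses
        net = ip.ip_network(cidr)
        if lo in net or hi in net or net.overlaps(ip.ip_network(g["subnet"])):
            out.append(f"guest addressing overlaps {name}")
    for name, host in plan["management"].items():  # controller and other admin interfaces
        if any(allowed(g["rules"], host, p) for p in (22, 80, 443)):
            out.append(f"guests can reach {name}")
    for port in (25, 445, 3389):  # sample of non-web services that should be blocked
        if allowed(g["rules"], PROBE, port):
            out.append(f"port {port} open to guests")
    if not g.get("per_client_mbps"):
        out.append("no per-client bandwidth cap")
    if int(hi) - int(lo) + 1 < g["expected_clients"]:
        out.append("DHCP pool smaller than expected client count")
    return out

# Constructed plans: a segmented guest network, and a flat one sharing the office range.
GOOD = {"production": {"office": "10.0.10.0/24"}, "management": {"wifi-controller": "10.0.99.10"},
        "guest": {"subnet": "172.16.50.0/23", "dhcp_pool": ("172.16.50.10", "172.16.51.250"),
                  "client_isolation": True, "per_client_mbps": 5, "expected_clients": 300,
                  "rules": [{"action": "deny", "dst": "10.0.0.0/8", "port": "any"},
                            {"action": "allow", "dst": "0.0.0.0/0", "port": 80},
                            {"action": "allow", "dst": "0.0.0.0/0", "port": 443}]}}
BAD = {"production": {"office": "192.168.1.0/24"}, "management": {"wifi-controller": "192.168.1.2"},
       "guest": {"subnet": "192.168.1.0/24", "dhcp_pool": ("192.168.1.100", "192.168.1.199"),
                 "client_isolation": False, "per_client_mbps": None, "expected_clients": 200,
                 "rules": [{"action": "allow", "dst": "0.0.0.0/0", "port": "any"}]}}

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_guest(plan) or "pass")
```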
How Do We Do It?
Well, if you have made it this far through my ramblings it should come as no surprise to find that we are holistic in our approach: we blend all of this information and these questions together. We ask Who the Wi-Fi is for, we ask Where it is needed and how Available it needs to be, then we go and assess the environment both logically and logistically. One very important addition, however, and this is not something I’ve mentioned yet: we survey the environment wherever possible with a spectral analyser. As I mentioned, a lot of time in Wi-Fi deployments is spent desk side, looking at floor plans and simulating AP placement to see what coverage, throughput, predicted network health/issues, etc. look like. But this is all theoretical and there may be items in the environment which are not on the plans or which we cannot see with the naked eye. Radio waves are the best and most obvious example of this. Take the scenario of a shared office building: it’s highly likely that other tenants in the building (plus the building owners themselves) have put in their own Wi-Fi, and smart devices are becoming more common in the workplace; we see printers, TVs and other screen sharing devices, and all of this uses Wi-Fi – most commonly 2.4GHz, and if you’ve been paying attention you’ll know that that’s a pretty narrow band, so it’s awfully crowded in here. There are of course other examples of congestion or interference such as old air-con, bug zappers, etc. All of this is missed by a desk-based synthetic survey.
Our engineers are experts at wireless site surveys, providing you with the information needed to create fully optimised and trouble-free wireless networks.
So with all that in mind we design and implement a Wi-Fi solution which is fit for purpose, has adequate capacity and rarely any surprises – there are the odd occasions where we’re unable to do an onsite survey prior so the deployment may need to adapt on the fly or where a client has had a contractor put in a system shortly after which creates interference; again this typically comes from poor planning on the part of the contractor where they haven’t surveyed the site themselves or engaged with us but as I say these are very few and far between.
The very last ingredient in our sauce is Support-ability. I have singled this out as it will not apply to all businesses; as I mentioned, you may have an in-house IT team or even a single IT manager. But for us as a Managed Service Provider we can’t just pop downstairs or next door to investigate Wi-Fi issues and, as I’ve already mentioned, we may need access equipment or special prearranged permission to access some areas, so being able to see where an issue has occurred and troubleshoot it remotely is vital. This even goes as far as power: in some situations the AP(s) may need to be restarted, and if these are powered by mains supply or Power over Ethernet (PoE) injectors that can mean either attending site or tying up a client employee to pull out wires or plugs, which is not an efficient use of that person’s time and can create other security/access considerations. So planning ahead and ensuring we’ve mapped out the environment, that we can securely access equipment remotely and that we can do pretty much everything bar physically swapping the unit out without getting up from our desks is key to ensuring our clients have a quality Wi-Fi solution.