Access Point Caveats

You should seriously consider how to balance ease of use with essential security
when adding APs to your existing wired network. Even with WEP
encryption and other access control methods in effect, AP security is
far from perfect. Since an access point is by definition within range
of all wireless users, every user associated with your access point
can see the traffic of every other user. Unless otherwise protected
(for example, with application layer encryption), all email, web
traffic, and other data is easily readable by anyone running
protocol analysis tools such as tcpdump or ethereal. As we saw in
Chapter 3, relying on WEP alone to keep people out of
your network may not be enough protection against a determined
black hat.
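
An added example (not from the book): a short Python audit that reads `tcpdump -n` text output captured on your own wireless segment and lists, per client, which services travel in cleartext and which are protected by application-layer encryption. The sample lines, addresses, and port tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Well-known ports: cleartext services vs. application-layer-encrypted ones.
CLEARTEXT = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}
ENCRYPTED = {22: "ssh", 443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}

# Address part of `tcpdump -n` text output: "IP src.sport > dst.dport:"
LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture (documentation/private addresses only).
SAMPLE = """\
12:00:01.100000 IP 10.0.0.5.51234 > 192.0.2.10.110: Flags [P.], seq 1:24, ack 1, win 502, length 23
12:00:01.200000 IP 192.0.2.10.110 > 10.0.0.5.51234: Flags [P.], seq 1:6, ack 24, win 509, length 5
12:00:02.000000 IP 10.0.0.7.40022 > 198.51.100.4.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:03.000000 IP 10.0.0.7.40100 > 198.51.100.9.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
12:00:04.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
""".splitlines()

def audit(lines):
    """Return {client_ip: {"cleartext": set, "encrypted": set}} of service names."""
    report = defaultdict(lambda: {"cleartext": set(), "encrypted": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, IPv6, or truncated lines carry no IPv4 port pair
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        # The service end is whichever side uses a known port; the other end
        # is the client whose traffic is (or is not) readable on the air.
        for client, port in ((src, dport), (dst, sport)):
            if port in CLEARTEXT:
                report[client]["cleartext"].add(CLEARTEXT[port])
            elif port in ENCRYPTED:
                report[client]["encrypted"].add(ENCRYPTED[port])
    return dict(report)

if __name__ == "__main__":
    for client, seen in sorted(audit(SAMPLE).items()):
        print(client, "cleartext:", sorted(seen["cleartext"]),
              "encrypted:", sorted(seen["encrypted"]))
```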

In terms of establishing a community network, access points do
provide one absolutely critical service:
they are an easy, standard, and inexpensive tool for connecting
wireless devices to a wired network. Once the wireless traffic hits
the wire, it can be routed and manipulated just like any other
network traffic, but it has to get there first.

Wireless access points that are on the consumer market today were
designed to connect a small group of trusted people to a wired
network and lock out everyone else. The access control methods
implemented in the APs reflect this philosophy; if that is how you
intend to use the gear, it should work very well for you. For
example, suppose you want to share wireless network access with your
neighbor, but not with the rest of the block. You could decide on a
mutual private WEP key and private ESSID and keep them a secret
between you. Since you presumably trust your neighbor, this
arrangement could work for both of you. You could even make a list of
all of the radios that you intend to use on the network and limit the
access point to allow only them to associate. This would require more
administrative overhead, as one of you would have to make changes to
the AP each time you wanted to add another device, but it would
further limit who could access your wireless network.

While a shared secret WEP key and static table of hardware MAC
addresses may be practical for a home or small office, these access
control methods don't make sense in a public-access setting. If you
intend to offer network services to your local area, this "all or
nothing" access control method is unusable. As we'll see in Chapter 7,
it may be more practical to simply let
everyone associate with your access point, and use other methods for
identifying users and granting further access. These services take
place beyond the AP itself (namely, at a router connected directly to
the AP). See Section 7.8 for discussion. Such an arrangement
requires a bit more equipment and effort to get started, but can
support hundreds of people across any number of cooperative wireless
nodes with very little administrative overhead.

Before we get too fancy, we have to understand how to configure an
access point. Let's take a look at how to set up a
very popular access point, the Apple AirPort.