4.1 Access Point Caveats

You should seriously consider how to balance ease of use with essential security when adding APs to your existing wired network. Even with WEP encryption and other access control methods in effect, AP security is far from perfect. Since an access point is by definition within range of all wireless users, every user associated with your access point can see the traffic of every other user. Unless otherwise protected (for example, with application layer encryption), all email, web traffic, and other data is easily readable by anyone running protocol analysis tools such as tcpdump or ethereal. As we saw in Chapter 3, relying on WEP alone to keep people out of your network may not be enough protection against a determined black hat.

In terms of establishing a community network, access points do provide one absolutely critical service: they are an easy, standard, and inexpensive tool for connecting wireless devices to a wired network. Once the wireless traffic hits the wire, it can be routed and manipulated just like any other network traffic, but it has to get there first.

Wireless access points that are on the consumer market today were designed to connect a small group of trusted people to a wired network and lock out everyone else. The access control methods implemented in the APs reflect this philosophy; if that is how you intend to use the gear, it should work very well for you. For example, suppose you want to share wireless network access with your neighbor, but not with the rest of the block. You could decide on a mutual private WEP key and private ESSID and keep them a secret between you. Since you presumably trust your neighbor, this arrangement could work for both of you. You could even make a list of all of the radios that you intend to use on the network and limit the access point to allow only them to associate. This would require more administrative overhead, as one of you would have to make changes to the AP each time you wanted to add another device, but it would further limit who could access your wireless network.

While a shared secret WEP key and static table of hardware MAC addresses may be practical for a home or small office, these access control methods don't make sense in a public-access setting. If you intend to offer network services to your local area, this "all or nothing" access control method is unusable. As we'll see in Chapter 7, it may be more practical to simply let everyone associate with your access point, and use other methods for identifying users and granting further access. These services take place beyond the AP itself (namely, at a router connected directly to the AP). See Section 7.8 discussion. Such an arrangement requires a bit more equipment and effort to get started, but can support hundreds of people across any number of cooperative wireless nodes with very little administrative overhead.

Before we get too fancy, we have to understand how to configure an access point. Let's take a look at how to set up a very popular access point, the Apple AirPort.