Going Wireless - Opinions Needed

Printable View

September 23rd, 2003, 08:38 PM
jared_c

Going Wireless - Opinions Needed

I messed around with wireless networking about a year ago when it wasn't as advanced as it is now. Quite frankly, it sucked and was slow.

However, wireless technology has seemed to advance, and all the networking cables I am using on my company web servers are starting to become a hassle to work with.

Does anyone have any opinions on going wireless in a network that is primarily for web hosting? Has wireless technology reached the point where it is reliable and speedy enough for such a network? Has anyone else here in the same business gone wireless?

Thanks for any info.
September 23rd, 2003, 09:14 PM
ol jeb

I wouldn't use wireless in my hosting environment, but it may be suitable for others environments. If you are serving up static pages/sites that have relatively low bandwidth requirements wireless may not be a bad solution. I wouldn't recommend it if you were doing any sort of e-commerce or portal solutions connecting to backend databases. IMHO

I'm curious as to what other people may have to say about this?

btw- it seems that a mess of network cables seem to be driving this question, why not get some sort of cable management hardware, you could pick some up real cheap. one of the best tools that i've found to help manage the rats' nest of cabling is a roll of velcro. keeps all of my cables together and then i make a note of which switch port is connected to which server.
September 23rd, 2003, 09:50 PM
RoadClosed

Quote:

roll of velcro

Lol, very state of the art and quite inexpensive

I have been anti-wireless for years. But I am getting to the point, along with the technology to seriously look into it. I mean I could run a t1 to a new spot, install a 52g wirless transciever and be done with it. Assuming of course you have secured it wiht digital certificates etc...

I really am starting to believe it's a viable and secure alternative. Granted to can't leave it alone and have to watch how you set things up. But if the risk or someone misconficuring something is minimal.... go for it.

On the other hand if you do have some time, cleaning up the cables isn't that bad. Heck pay someone else if you don't want to do it. :)
September 23rd, 2003, 10:15 PM
Maestr0

Using PEAP/MSCHAPv2 along with standard 128WEP you can achieve a fairly good level of security. Its MUCH better since windows now supports PEAP as of SP1 for XP and SP4 for W2k since you dont need 3rd party workarounds for better security.

-Maestr0
September 24th, 2003, 08:29 AM
ctsolutions

I've been testing out a new wireless box from netgear that actually uses IPSEC VPN tunnels for the wireless client connections. It works with any 802.11b wireless card, although I haven't figured out if it can be done without installing the (free) Safenet basic client. Because of that, I haven't tried it with my laptop yet (don't want to install stuff that screws with my networking like that) but I set it up for an accountant so he could use XP's offline files with his laptop. Seems to work like a dream, and I think it's pretty secure...Anyone else know anything about it?

I guess you may not be looking for so much security, though, since the data going to and from the web server is probably meant to be seen by others.
September 24th, 2003, 03:46 PM
jared_c

Thanks for the info everyone. I think I might start messing around with it. Maybe install a wireless card in one of my main web servers. If everything is running up to par on that server, I'll start switching the others to wireless.

I'm not worried too much about security. It seems that as long as you configure the wireless settings with a password and high encryption everything should be fine.

So anyone have suggestions on what wireless hardware to go with?
September 24th, 2003, 07:02 PM
ctsolutions

not sure how it works, but D-Link does have a nice little feature that permits speeds of 22mbps with 802.11b.
September 24th, 2003, 09:38 PM
souleman

D-Link basically runs 2 802.11b networks side by side so it doubles the speed (supposedly).

For the actual hosting, I wouldn't even consider running wireless. Its out of the question. Now for other applications (like maybe the accounting department or something) you could do wireless as long as you secure it properly. Servers NEVER go wireless, the other machines you can if you maintain security and are not running high bandwidth things (like large databases) over the network.
September 29th, 2003, 05:34 AM
crashburn181

would not run wireless on servers but for clients it would be great..
Reliability would be a issue at first, like any major network change
good luck
September 29th, 2003, 08:44 AM
ericc

WLAN although have been around for a fews now is still an its infant stage.
If you company is only using web browsing, then WLAN is the way to go.

However if you company is using a lot of streaming video(multicast), ORACLE, SAP traffic, then you would probably not use Wireless. Remember, no matter what the 802.11xx protocol you are using, you are confined to a hub environment. CSMA/CD will be running as you are only running on one channel. Unlike on a wired, if you are using a switch, you have dedicated speed for yourself.
September 29th, 2003, 10:19 AM
Rushyo

Just a small note...

alot of people seem paranoid about the security on WANs from people 'hijacking' the connection.

it really is as simple as set a password... alot of WAN users DON'T SET THEM... how dumb is that?

Can anyone enlighten me to other protection methods for a WAN?

Rushie :)
September 29th, 2003, 03:55 PM
mnchur

you can turn off broadcast packets this will will make it so someone would have to know the network adress to get on. you can also make it so only certain mac adresses are allowed to join the network..this will only keep out those who dont want to work for it though so dont think your safe with that.
September 29th, 2003, 04:30 PM
souleman

sniff enough packets and it will not be any problem breaking the password to get on the network. Spend about 5 minutes finding out what MAC's are allowed and go back later and its not hard to spoof a mac address. Turning off broadcast packets won't do much when all it takes is watching an active network for 20 seconds and you will know what the IP range is (and I think you mean turning off DHCP, not turning off broadcast packets).
September 29th, 2003, 04:50 PM
tekno

I think he meant turning off the SSID broadcasting, although the SSID is still sent in the frames between wireless clients.

I wouldn't suggest wireless for servers or anything production/mission critical. I would however use it for my employees on the LAN side of things.

If you have no choice to use wireless on your servers, then along with everyone else's suggestions, I would add a RADIUS server to provide that extra level of authentication.

and when you say WAN, do you mean Wide Area Network? In terms of protecting that, I would put the servers in the DMZ and stop all uneccessary services that are running and build some ACL's on the router/firewall.
September 29th, 2003, 05:05 PM
Turing_Machine

Not to start a flame war, but..

If you are using Microsoft servers to do the hosting, someone wardriving to grab your WAP security isn't your most obvious security hole.

That being said, I have had some luck using *smaller* antennae on the WAP and machines to limit the effective range for the Wireless LAN. Setting up an IPSEC VPN internally from all the servers to a central IPSEC enabled router or multi-homed machine is NOT easy to break, especially if you are using a rotating key vs. shared secret.

If you are looking for simplicity, think of combining your hosts onto fewer more robust servers, unless your company is offering co-location.

As far as looking for decent throughput, remember that adding an additional layer to the communication protocol does add overhead, and especially with the smaller data transfers of a web server, adding even small latency to each request does add up.

Think of it this way... you request an html document, then the client (IE, Netscape, etc.) then requests the embedded objects (images, external javascript, stylesheets, applets, etc) individually. Each connection and transfer has its own discrete amount of overhead.

Adding to that WAP security concerns may add discernable latency to the transaction, and at best, would increase processing overhead at very minimum.

If this is not of primary concern, then I would suggest an IPSEC tunnel from EACH machine to an IPSEC gateway on the actual network. Set up the network that any packets other than to the localhost are encrypted, and pushed to that IPSEC machine as its default gateway.

IPSEC allows for disparate OSs to share a singluar security interface, and allows the gateway to only have to understand one encryption algorhythm. Its a bit less overhead, and gives you multiple options for migration, should one of your clients require a Mac server, or even a *ux server.

Microsoft has a decent IPSEC implementation with a simple interface, and forcing all "client" hosts to send AND recieve ONLY IPSEC encrypted data will essentially secure your network, even if someone does sniff your WAP security.

Without the IPSEC certificates, all they have is a network without any machines that can hear them and no route out.

If you have any questions about the specifics of setting this up, post them here.