Introduction to wireless networking
This chapter introduces some concepts you should understand before working with wireless networks, describes Fortinet’s wireless equipment, and then describes the factors you need to consider in planning deployment of a wireless network.
Wireless concepts
Security
Authentication
Wireless networking equipment
Automatic Radio Resource Provisioning
Wireless concepts
Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream.
Bands and channels
Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in.
l IEEE 802.11b and g protocols provide up to 14 channels in the 2.400-2.500 GHz Industrial, Scientific and Medical (ISM) band. l IEEE 802.11a,n (5.150-5.250, 5.250-5.350, 5.725–5.875 GHz, up to 16 channels) in portions of Unlicensed National Information Infrastructure (U-NII) band
Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly non-overlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11.
The capabilities of your wireless clients is the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own.
When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world.
For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see Reference on page 176.
Security
Power
Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations.
Power is often quoted in dBm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 27dBm, the maximum power on Fortinet FortiAP equipment, is 500 milliwatts. The FortiGate unit limits the actual power available to the maximum permitted in your region as selected by the WiFi controller country setting.
Received signal strength is almost always quoted in dBm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt.
Antennas
Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna.
FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations.
Security
There are several security issues to consider when setting up a wireless network.
Whether to broadcast SSID
It is highly recommended to broadcast the SSID. This makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network.
Attempting to obscure the presence of a wireless network by not broadcasting the SSID does not improve network security. The network is still detectable with wireless network “sniffer” software. Clients search for SSIDs that they know, leaking the SSID. Refer to RFC 3370. Also, many of the latest Broadcom drivers do not support hidden SSID for WPA2.
Encryption
Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security.
None — Open system. Any wireless user can connect to the wireless network.
WEP64 — 64-bit Web Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits.
WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.
Introduction to wireless networking Security
WPA — 256-bit WiFi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user.
WPA2 — WPA with security improvements fully meeting the requirements of the IEEE 802.11i standard. Configuration requirements are the same as for WPA.
For best security use the WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP, while better than no security at all, is an older algorithm that is easily compromised. With either WEP or WAP, changing encryption passphrases on a regular basis further enhances security.
Separate access for employees and guests
Wireless access for guests or customers should be separate from wireless access for your employees. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication.
A good practice is to broadcast the SSID for the guest network to make it easily visible to users, but not to broadcast the SSID for the employee network.
Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs.
Captive portal
As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources.
For more information about captive portals, see the Captive portals chapter of the FortiOS Authentication Guide.
Power
Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity.
Monitoring for rogue APs
It is likely that there are APs available in your location that are not part of your network. Most of these APs belong to neighboring businesses or homes. They may cause some interference, but they are not a security threat. There is a risk that people in your organization could connect unsecured WiFi-equipped devices to your wired network, inadvertently providing access to unauthorized parties. The optional On-Wire Rogue AP Detection Technique compares MAC addresses in the traffic of suspected rogues with the MAC addresses on your network. If wireless traffic to non-Fortinet APs is also seen on the wired network, the AP is a rogue, not an unrelated AP.
Decisions about which APs are rogues are made manually on the Rogue AP monitor page. For detailed information, see Wireless network monitoring on page 111.
Authentication
Suppressing rogue APs
When you have declared an AP to be a rogue, you have the option of suppressing it. To suppress and AP, the FortiGate WiFi controller sends reset packets to the rogue AP. Also, the MAC address of the rogue AP is blocked in the firewall policy. You select the suppression action on the Rogue AP monitor page. For more information, see Wireless network monitoring on page 111.
Wireless Intrusion Detection (WIDS)
You can create a WIDS profile to enable several types of intrusion detection:
l Unauthorized Device Detection l Rogue/Interfering AP Detection l Ad-hoc Network Detection and Containment l Wireless Bridge Detection l Misconfigured AP Detection l Weak WEP Detection l Multi Tenancy Protection l MAC OUI Checking
For more information, see Protecting the WiFi Network on page 108.
Authentication
Wireless networks usually require authenticated access. FortiOS authentication methods apply to wireless networks the same as they do to wired networks because authentication is applied in the firewall policy.
The types of authentication that you might consider include:
l user accounts stored on the FortiGate unit l user accounts managed and verified on an external RADIUS, LDAP or TACACS+ server l Windows Active Directory authentication, in which users logged on to a Windows network are transparently authenticated to use the wireless network.
This Wireless chapter of the FortiOS Handbook will provide some information about each type of authentication, but more detailed information is available in the Authentication chapter.
What all of these types of authentication have in common is the use of user groups to specify who is authorized. For each wireless LAN, you will create a user group and add to it the users who can use the WLAN. In the identitybased firewall policies that you create for your wireless LAN, you will specify this user group.
Some access points, including FortiWiFi units, support MAC address filtering. You should not rely on this alone for authentication. MAC addresses can be “sniffed” from wireless traffic and used to impersonate legitimate clients.
Introduction to wireless networking Wireless networking equipment
Wireless networking equipment
Fortinet produces two types of wireless networking equipment:
- FortiWiFi units, which are FortiGate units with a built-in wireless access point/client
- FortiAP units, which are wireless access points that you can control from any FortiGate unit that supports the WiFi Controller feature.
FortiWiFi units
A FortiWiFi unit can:
l Provide an access point for clients with wireless network cards. This is called Access Point mode, which is the default mode.
or
l Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can only have one wireless interface.
or
l Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.
The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiWiFi models that are currently available.
FortiAP units
FortiAP units are thin wireless access points are controlled by either a FortiGate unit or FortiCloud service.
FortiAP is a family of Indoor, Outdoor and Remote Access Point models supporting the latest single, dual, and triple stream MIMO 802.11ac and 802.11n technology, as well as 802.11g and 802.11a.
For large deployments, some FortiAP models support a mesh mode of operation in which control and data backhaul traffic between APs and the controller are carried on a dedicated WiFi network. Users can roam seamlessly from one AP to another.
In dual-radio models, each radio can function as an AP or as a dedicated monitor. The monitoring function is also available during AP operation, subject to traffic levels.
The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiAP models that are currently available.
Automatic Radio Resource Provisioning
To prevent interference between APs, the FortiOS WiFi Controller includes the Distributed Automatic Radio Resource Provisioning (DARRP) feature. Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. FortiAP units to select their channel so Automatic Radio Resource Provisioning
that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges.
To enable ARRP – GUI
- Go to WiFi Controller > FortiAP Profiles and edit the profile for your device.
- In the Radio sections (Radio 1, Radio 2, etc.), enable Radio Resource Provision.
- Click OK.
To enable ARRP – CLI
In this example, ARRP is enabled for both radios in the FAP321C-default profile:
config wireless-controller wtp-profile edit FAP321C-default config radio-1 set darrp enable
end config radio-2 set darrp enable
end
end
Setting ARRP timing
By default, ARRP optimization occurs at a fixed interval of 1800 seconds (30 minutes). You can change this interval in the CLI. For example, to change the interval to 3600 seconds enter:
config wireless-controller timers set darrp-optimize 3600
end
Optionally, you can schedule optimization for fixed times. This enables you to confine ARRP activity to a lowtraffic period. Setting darrp-optimize to 0, makes darrp-day and darrp-time available. For example, here’s how to set DARRP optimization for 3:00am every day:
config wireless-controller timers set darrp-optimize 0
set darrp-day sunday monday tuesday wednesday thursday friday saturday set darrp-time 03:00
end
Both darrp-day and darrp-time can accept multiple entries.