This is going to be a brief walkthrough of some ideas surrounding setting up a wireless network inside of an office. We will take a look at some equipment options and review some of the considerations that will influence how a wireless network is set up, how it can be optimized, and how it can be secured.
Is it Necessary?
With the explosion of portable technology such as smart-phones, tablets, and net-books, the reasons for taking advantage of this technology are easier to understand and a number of businesses have already taken the plunge. Often, like diving into water, not a lot of planning takes place because setting up a wireless network is almost too easy. Unless you are installing enterprise grade wireless equipment, most of the gear will come configured to run with minimal interaction from people. Wireless retail equipment is designed and intended to be installed by the average home DIY-er and will offer only the most basic of security schemes while at the same time providing complete access to all types of network services, many of which are either unnecessary or carry their own security risks. If you are looking at implementing a wireless network please start with the most basic question: Why?
When working with attorneys and law office administrators the number one reason for installing wireless is the perceived convenience and improvement of productivity. These are good reasons to consider installing this service but they are often lacking the business planning to ensure that wireless will have a positive effect that will outweigh the associated costs and the fact that you are creating a connection to your network that may be a little more difficult to control. Other reasons that wireless is installed are:
- Mobile Device Dependence on Local Wireless – While many people have smart-phones, netbooks, or tablets that come with their own cellular data plans, these devices are often set to prefer the use of wireless networks. As cell phone companies evaluate issues of network overuse and implement policies to throttle data plans or price them by use, they are pushing users to take advantage of any available wireless.
- New Office Build-outs – Moving into a new office is expensive, and one of the major costs is the installation of wiring. A routine occurrence is to find that the wire in your office does not necessarily go where you want to place a computer. Another common issue is security, where a leased office space will provide local network wiring but that wiring will terminate in a closet or utility room where more than one tenant may have access. Setting up a private wireless network can help to mitigate this risk.
- Better Client Service – If it is not uncommon to have clients wait in your office, the addition of a free wireless service can make the experience a more comfortable one. Also, if you are hosting meetings in the office, the ability to provide network access to your guests without introducing an additional security risk can make for shorter and more productive sessions.
These are just a few reasons to consider installing wireless in the office. Take the time to look at your office operations and understand what is driving the use of wireless networks. If installing this service continues to make good business sense after the review then, prior to installation, consider amending any employee policies to cover the use of the wireless and to prohibit connecting personal wireless devices to the office network.
How Will the Wireless Network Be Connected?
If there is a local office or computer supply company, you can have a wireless network set up within the hour, but to implement this service in a secure and reliable fashion there are a few considerations to review.
Who will use this network?
This will go a long way in determining how the gear will be connected to the network. If this is a client service, will you want it to connect to your office network or to use a separate dedicated internet service? With the continuing drop in price for broadband services, it is an economical choice to bring in an additional Internet access point and connect the wireless equipment to that, ensuring that there is no physical connection between the wireless network and your own local network and its sensitive data. (There is an added benefit to this arrangement if you can bring in the service from another provider, as it will provide you with a backup connection should your primary Internet access service fail.)
If the wireless is to be installed to allow the staff to access local network services and data, then you will be connecting the gear onto your local backbone. This selection will impact the choice of equipment later on, as the security requirements and complexity will have increased in creating a service that can access both the office data and applications, along with providing remote access to the Internet. A staff based wireless system will still require that some type of segmentation or choke point be created that can allow the service to be shut off quickly if needed. Additionally, a staff based system will require its own authentication and security system where each staff person or device has its own account to access the service. This will reduce administrative burden over the long haul because, with the inevitable rotation of staff or the loss of gear, you will not have to reset the entire wireless framework. A possible solution here is something along the line of a ZyXEL enterprise access point. These types of devices provide complete integration with a local network’s services and authentication schemes.
Where will the gear be located?
A common goal is to place the gear in a way that maximizes its range while keeping it close to a power outlet and data jack to connect it to the network. Physical security of wireless gear should be a significant consideration during installation. Some wireless gear will come with its own network ports that will allow for the bypassing of the wireless security, and the equipment has its own inherent value that can make it susceptible to theft. A great solution is to consider an integrated wall jack such as the HD28650. These will use internal wiring to provide network access. A possible tradeoff is that these devices typically have a shorter range and are only capable of providing service with a range of about 30-50 feet.
Another possibility is to mount the equipment into the ceiling and enclose it with a lockbox that is transparent to the radio frequencies that wireless networking gear uses. There are a number of possible configurations with the most common being a lockbox that looks like a larger version of the common smoke detector.
What flavor of wireless network will be provided?
As of this writing there are currently four types of wireless network: a, b, g, and n. While most gear will provide the ability to run in ‘mixed mode’, where the device will provide access over several types of network, you should consider standardizing on a single type. The reasons for this center around performance, as it is common for wireless gear to have its data transmission speed impacted by the different types of network service it is being asked to provide. Currently the most common network flavor is type g, with type n, the newest standard, coming on strong. Most client devices will also support a multiplicity of network flavors, so standardizing your transmission gear should not have a significant impact on their ability to connect.
Securing the Wireless Network
As wireless network services are the single most tempting targets to hackers, the single largest administrative headache will come from securing the wireless service. The security model will be impacted by whether the service will be provided as a client service, a staff service, or in some type of combination. There are some common steps that can be taken regardless of use, and these should be applied to any wireless service that is in use in the office:
- Standardize on a vendor – If possible consider selecting a single equipment vendor that is capable of providing the wireless access points, routers, and internal cards for a wireless network. This can simplify both the installation and management of the network by providing a single security and management interface.
- Set up the equipment without connecting it to the live network. – Wireless network equipment comes with a well known and documented set of standard settings and passwords. A simple test is to Google the model of your wireless device along with the words Administrative Password and the chances are good that you can see the password in the first page of the results. Setting up and testing your equipment disconnected from the network will provide a secure environment during the initial configuration and installation.
- Change all internal administrative passwords. – At a minimum consider a password for any wireless access service to be 16 characters or longer. Use a phrase that is memorable to you and then transpose words or characters to further improve the complexity. Enterprise grade equipment may also provide a time out after failure option to prevent passwords from being streamed to the device.
- If there are multiple wireless devices, prevent them from connecting to each other. – One common feature for wireless equipment is the ability to access other wireless services. This ability is often available out of the box and can create a security issue if you are using multiple transmission points. If this is available, there should be a control to enable client isolation, which is geek speak for ‘do not talk with other access points’.
- Disable remote administrative access. – Unless there is a glaring need to manage the wireless service while connected wirelessly the ability to access the administrative functions via wireless should be disabled. Each of these devices will be connected to the network via a cable and can be managed through that interface. If the device provides any other type of management interface consider disabling those as well. (Often the equipment can come supplied with a serial communications interface port or even a remote modem access port. Again, unless there is a glaring requirement to have access to these, disable them.)
- Hide the SSID. – Wireless services are meant to be found. That is part of the service. Wireless access points advertise their existence by use of a Service Set Identifier or SSID. Devices will require this SSID to attempt to establish a connection to the wireless network, and a number of devices will have the ability to connect to networks that are not openly broadcasting their SSID. Remember, the SSID is not a password or security feature but a means of identifying the network. If the service is going to be provided to staff only, then you can hide this SSID, which can prevent it from being seen by idle browsers, but understand that hiding an SSID will not prevent it from being found by experienced users. It just adds a speed bump to the person that is casually looking for a free WiFi fix. There are a lot of free tools out there that will locate networks even if the SSID is hidden. A better method will be to name the SSID in a manner that is descriptive without being able to be tied to your business. Good examples of generic names are ‘Lobby WiFi’, ‘Training’, or ‘GuestWiFi’.
- Turn off unneeded wireless services – Wireless devices provide a number of services to provide access to different internet channels or ports. Each of these channels can contain their own security flaws. The administrative tools for the device should allow for nonessential services to be turned off and will eliminate a possible avenue of attack. Common services to shut off are FTP services, media streaming services, Telnet, and gaming protocols.
- Enable strong wireless access passwords. – If you are providing wireless access to the public, there is nothing wrong with requiring a generic password. This helps ensure that only clients have access to the service. The most common security format for wireless services is WPA2 encryption. This security standard is common on current generation wireless devices and is, in fact, mandatory for all devices that display a WiFi mark. WPA2 requires a password or security key to access the wireless service. If you are providing the wireless as a service to clients, you will want to find the delicate balance between requiring a strong password and not burdening your clients with the need to write it down.
- Enable session timeouts for public services – A hard learned lesson by coffee shops around the world is that public wireless will draw a non-paying crowd. If you are providing wireless services consider setting a time out that will force guests off your network at a regular interval. A common setting is 2 hours.
- Keep the gear up to date. – As new threats are discovered the manufacturer of your equipment will issue firmware patches to update their devices. These should be checked and installed on a regular basis. While most wireless equipment will have an ability to check for updates on their own, it is a good idea to log the location of the firmware and software update notice website addresses for any equipment that you place on your network.
- Consider an audit – Once the gear is in place, consider having it audited by a third party. They can evaluate the security of the system and provide insights that can improve the service and your peace of mind. If you would like to test your network first, you can use a number of free wireless testing tools such as NetStumbler (www.netstumbler.com) to get an idea of how your wireless network might look to an outside intruder.
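The checklist above can be kept as a repeatable worksheet that is re-run whenever an access point is added or reconfigured. The following is an added example, not part of the original article: the configuration keys are a hypothetical schema rather than any vendor's format, and the SSIDs, URL, and settings are constructed sample values.

```python
# Added example: audit worksheet for the wireless hardening checklist.
# The config keys are a hypothetical schema, not any vendor's export format.
UNNEEDED = {"ftp", "telnet", "media_streaming", "gaming"}  # services the article says to shut off
MGMT_TO_DISABLE = {"wireless", "serial", "modem"}          # admin paths other than the wired port

def audit_access_point(cfg, business_terms):
    """Return checklist findings for one access point; missing keys count as failures."""
    findings = []
    if not cfg.get("admin_password_changed", False):
        findings.append("admin password is still the vendor default")
    if cfg.get("admin_password_length", 0) < 16:
        findings.append("admin password shorter than 16 characters")
    if not cfg.get("client_isolation", False):
        findings.append("client isolation is off")
    open_mgmt = MGMT_TO_DISABLE & set(cfg.get("management_interfaces", MGMT_TO_DISABLE))
    if open_mgmt:
        findings.append("management reachable via: " + ", ".join(sorted(open_mgmt)))
    ssid = cfg.get("ssid", "").lower()
    leaked = [t for t in business_terms if t.lower() in ssid]
    if leaked:
        findings.append("SSID identifies the business: " + ", ".join(leaked))
    running = UNNEEDED & set(cfg.get("services", UNNEEDED))
    if running:
        findings.append("unneeded services enabled: " + ", ".join(sorted(running)))
    if cfg.get("encryption") != "WPA2":
        findings.append("encryption is not WPA2")
    if cfg.get("audience") == "guest" and not cfg.get("session_timeout_minutes"):
        findings.append("guest network has no session timeout")
    if not cfg.get("firmware_notice_url"):
        findings.append("firmware update notice URL not logged")
    return findings

# Constructed sample inputs: a unit as unpacked, and the same unit after hardening.
AS_SHIPPED = {"ssid": "ExampleLaw-Office", "audience": "guest", "encryption": "none",
              "management_interfaces": ["wired", "wireless", "serial"],
              "services": ["ftp", "telnet", "dhcp"]}
HARDENED = {"ssid": "GuestWiFi", "audience": "guest", "encryption": "WPA2",
            "admin_password_changed": True, "admin_password_length": 22,
            "client_isolation": True, "management_interfaces": ["wired"],
            "services": ["dhcp"], "session_timeout_minutes": 120,
            "firmware_notice_url": "https://vendor.example/firmware"}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, "->", audit_access_point(cfg, ["examplelaw"]) or "no findings")
```

Because every missing key is treated as a failure, a unit that has not been reviewed at all fails the audit rather than passing by omission.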
Again, this is a brief look at some options and considerations for installing a wireless network in your office. There are a number of business reasons to evaluate and balance against the security responsibility that you shoulder. You can create a highly reliable and secure wireless network by moving through these recommendations and building a punch-list plan before you spend a single dollar for equipment and service. An internal wireless network will provide a number of immediate and long term benefits for your practice. Good Luck.
Mr. Lincoln Mead is the IT Director of the Utah State Bar and an obsessive fan of Cubs baseball. As the Bar IT Director he assists Utah attorneys with evaluations of practice management technology and manages the technology vendor relationships on the Utah State Bar group benefits program. Lincoln is a past Chair of IT section for the National Association of Bar Executives and is a member of the Law Practice Management Section of the ABA. He is a frequent guest lecturer for other Bars and law related organizations around the country where he speaks on technology policy, planning, implementation, and use. He is currently assisting the Utah state courts with educating attorneys on the court's new efiling system.