Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Wireless Networking Books Media Security Book Reviews Hardware Technology

A Field Guide To Wireless LANs for Administrators and Power Users 100

Ray Janus contributes this review of Thomas Maufer's Field Guide To Wireless LANs for Administrators, writing "Have you wondered about how the magic of wireless networks for PC's happens? If so, this is a very comprehensive manual on how your bits and bytes move through the ether, and the hazards that they face along the way. Having worked with LANs and WLANs in both personal and business solutions, I was pleased to receive a copy of the Guide at a Sonoran Desert User's Group Meeting, compliments of Addison-Wesley Professional/ Prentice Hall. On first glancing at the title, I expected a 'how to' manual on how to implement and manage a WLAN." While that's not exactly what he found, Janus has mostly good things to say about this book. Read on for his review.
A Field Guide To Wireless LANs for Administrators and Power Users
author Thomas Maufer
pages 333
publisher Prentice Hall/PTR
rating 8
reviewer Ray Janus
ISBN 0131014064
summary This book takes you under the hood of WLAN technology, providing detailed insights and recommendations along the way.

This book starts out an excellent historical overview of the evolution of local area networks and the migration of TCP/IP technology to a wireless environment. In the process, it provides a definitive reference manual on the 802.11 protocol stack, discussing the evolution and future direction of this standard. The issues associated with reliably transmitting data in the very chaotic wireless world are discussed, but the real meat comes in the book's addressing of the logic behind the radio circuitry in WLANs. Along with these insights that an RF engineer will love, the book is a great guide for anyone with protocol analysis tools looking at wireless traffic, especially given the clear illustrations in the text.

Acknowledging the rapid evolution of 802.11 standards over the last few years, an excellent summary is provided, from the venerable 802.11b standard through the -a and -g standards, and moving into future standards being developed by the 802.11 TGs. Maufer provides some key insights on future directions and capabilities of WLANs, too.

The book covers the principal areas of wireless networking, including security, the hot topic for every LAN administrator. While the book does a great job of addressing the theoretical security issues (and other aspects of wireless LANs operation), it is light on practical recommendations in day-to-day WLAN management. The Guide delves into creating strong passwords for use with WLANs, though, and addresses the strengths and weaknesses of the WEP architecture. It is especially rich in providing insights into the handshake and authentication procedures within WEP. A number of proposed security enhancements are discussed, including the deployment of RADIUS servers to provide authentication in enterprise WLANs. In closing on this section, Thomas provides good insights into WPA, which is becoming the future standard to WLAN security.

For a WLAN component designer, this is probably one of the best reference guides available, and this is also true for power users who really want to get under the hood of today's WLAN systems. However, for a network administrator seeking advice on how to address a herd of WLAN devices, my recommendation would be to seek elsewhere. Maufer offers little information about vendors' product types/models, making the detailed technology discussions independent of real-world products. For the administrator able to glean the technical details of their chosen WLAN products elsewhere, though, this book can be an invaluable guide in deciding the pros and cons of a particular product solution.

Along the way, Maufer provides a series of helpful screenshots, as guides to the technical discussions addressed in the various chapters. He provides a very balanced overview in the use of WLAN technologies for Apple, Linux and Windows platforms.

I recommend this Guide as an excellent text, rich in technical details, and protocol/logic illustrations. A "must read" for understanding WLAN technology in depth. With the rapid advances in WLAN technology, this book represents a excellent benchmark on 802.11 technology, from the perspective of its 2004 timeframe, and a sequel from the author would be an excellent additional resource for WLAN system designers and architects.


You can purchase A Field Guide To Wireless LANs for Administrators and Power Users from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

A Field Guide To Wireless LANs for Administrators and Power Users

Comments Filter:
  • I want... (Score:2, Interesting)

    by robslimo ( 587196 )
    A definitive and practical guide to implementing a very secure WiFi LAN so I can convince my boss to cut the wire.

    It doesn't sound like this is it, or is it?
    • Re:I want... (Score:4, Informative)

      by HrothgarReborn ( 740385 ) on Wednesday March 17, 2004 @04:10PM (#8592067)
      Actually with the current WPA using AES or even TKIP along with a radius backend your pretty safe. really paranoid use ttls-eap instaed of peap and authenticate with certificates. Remember the challange of wireless is to make it as secure as the wired network not to solve every security issue.
      Consider this:
      You threats are minimal, limited to those people close enough to pick up a signal. Real but nothing compared to exposure from the internet.
      The encryption is now really good. I am sure someone can break it with enough time but not a serious enough threat to worry. It would be much easier to hop on the wired network and sniff.
      Authentication is now good to excellent depending on the protocol you use.
      Man in the middle is now impossible as long as you are properly verifying the certificates and keep your CA safe.
      • by Pii ( 1955 ) <jedi AT lightsaber DOT org> on Wednesday March 17, 2004 @04:59PM (#8592635) Journal
        I have deployed numerous WiFi networks in corporate environments...

        Rather than succumbing to the hassle of the various emerging authentication schemes, I've had good luck in convincing my clients to deploy their WiFi networks behind a VPN concentrator. (Or in cases where they wanted WiFi internet access for guests, putting the WiFi outside their firewall, and having the corporate users come in through a VPN concentrator.)

        This is a far simpler, and equally secure method.

        • I agree and have used this as well. We actually still have the wifi outside our firewall in one of our buildings and use the VPN to get in. But we have multiple sites connecting with private lines. All internet is piped through our central office so doing this in other offices means putting in a new firewall/VPN in each site. This is much more costly than a $50 access point.
          I would look again at WPA, it is past the emerging stage now and is well supported under XP and Mac OS X. Win 2K does it well also if y
          • All internet is piped through our central office so doing this in other offices means putting in a new firewall/VPN in each site. This is much more costly than a $50 access point.

            Just install firmware that supports OpenVPN and pptp on the access points -- problem solved. $50 AP hardware like the WRT54G is quite capable of running dozens of secure tunnels. We even host our internet-facing website off the RAM off what used to be a WAP, they are quite resilient and flexible little devices.
            • Just install firmware that supports OpenVPN
              Running Linux on a WAP, iPod, wristwatch or toaster is a lot of fun. I enjoy these kind of projects very much. But I am talking enterprise solution.
              This requires seamless operation, centralized user management and easy setup so helpdesk people can give rights in Active Directory (or similar) just by adding someone to a group. OpenVPN is a great project but does not give this. Getting a windows client installed and telling an Exec to *gasp* modify a config file is
    • Re:I want... (Score:3, Informative)

      by revividus ( 643168 )
      Maybe this [oreilly.com] is that kind of book, or this [oreilly.com].

      Oh, wait... do you want your boss to read it?

      • Thanks, looks like your second link, 802.11 Security is the one I might want.

        Has anyone here read it yet? The reviews [amazon.com] are mixed, some saying it's to cursory.

  • Until the day when I can surf the net, with relative security. By relative I mean as secure as a dialup. I'll stay wired.
    • yeah, or we could all just sit outside huge corporations with home-made antennas and leech bandwidth off of them.
    • Might as well go for it then. It's easy to sit outside a house and tap into someones phone lines. If you're not using encryption, with any physical layer, then you're wide open to snoopers. A wired LAN is reasonably safe if it's all contained within a know safe area (such as your apartment) but otherwise I wouldn't consider it safe. The only security benefit I can see to dialup over wireless is that people have to briefly get out of their car to tap your phone line.
  • by slakr ( 604101 ) * on Wednesday March 17, 2004 @03:44PM (#8591800)
    One of the most common methods of protecting a WLAN, that I think is ignored by most people and this text, is not protecting it much at all, but restricting the use so that its unusable for anyone other than an authorized user. You turn on WAP or MAC-Address filtering to make it inconvinient to attach (though since both of these are vulnerable, this is not enough security in itself). Then you only allow access from the WLAN to your corporate VPN servers. Most machines (laptops) that make use of this will already be equipped for corporate VPN access, and so you rely on the security of your VPN in an unsecured (or relatively unsecure) network. Why are we working on all sorts of new standards when a simple combination of available standards will do just as well? Its not like using Radius auth (via SecureID or password) to your VPN is any harder for the user than any of the other suggestions coming out. Truthfully, its easier for IT since you don't have to build new security infrastructure, and you don't have to retrain users.
    • Most wireless access that I do and my co-workers do is outside the office. Maybe at a Starbucks, at a hotel, or even at home on my couch. The VPN could secure my data going to my office, but what about the data going elsewhere? What about my POP3 password for my personal email account that I just transmitted through the air? A lot of "road warriors" put way too much trust in to their VPN and connect to insecure wireless networks and do very stupid things. A co-worker of mine was confused when he got an
      • by Homology ( 639438 ) on Wednesday March 17, 2004 @04:47PM (#8592473)
        The VPN could secure my data going to my office, but what about the data going elsewhere? What about my POP3 password for my personal email account that I just transmitted through the air?

        For starter, you could use a POP3 server that use encryption. Courier-pop3 server, for instance, supports both TLS (over the usual port 110) and SSL using port 993.

        The Mozilla Thunderbird (free and nice client) and Outlook can use POP3 over SSL, so your POP3 password is encrypted. KMail and Sylpheed-claws supports both.

        As for sending mail, you can configure your mail server to use STARTTLS, and once again, no passwords in the clear.

        If your favourite POP3 server does not offer encryption, ditch it.

        If you want to test encryption, get a free account at www.myrealbox.com that support various encryptions. Fire up your tcpdump, and try sniff the mailtraffic.

        • That was just an example.

          Anyway, I'm perfectly aware of how to secure my POP3/IMAP/Sendmail traffic. That doesn't mean my Mom is. There are more people like my Mom out there at Starbucks checking their email than there are like me.
        • If your favourite POP3 server does not offer encryption, ditch it.

          You can also use a wrapper program like Stunnel [stunnel.org] if you don't want to ditch your existing software. Stunnel allows you to use SSL with almost anything, including proprietary apps. I've used it with POP servers and it works reliably.

      • Maybe its a difference in the way our corporate VPN infrastructure works. But we associate our VPN client with a personal firewall, so that when you're VPN-ed in, ALL data flows the VPN to the corporate network before getting out to the internet. So your POP3 password is securely transmitted (over the IPSec tunnel) to the inside, and then goes out from there. Similarly web broswing goes inside, then through our corporate proxy server and then outside. But if thats not the case with your implementation,
        • by Ungrounded Lightning ( 62228 ) on Wednesday March 17, 2004 @05:34PM (#8593057) Journal
          [...W]e associate our VPN client with a personal firewall, so that when you're VPN-ed in, ALL data flows the VPN to the corporate network before getting out to the internet. So your POP3 password is securely transmitted (over the IPSec tunnel) to the inside, and then goes out from there. Similarly web broswing goes inside, then through our corporate proxy server and then outside.

          That's the way to go: Use an encrypted tunnel to work (or home or wherever) and use the site at the other end of the tunnel as your forwarder/proxy for everything.

          [...]VPN [rather than other fancy stuff] should [also] be the right answer [for in-building wireless].

          Again dead on. In-building wireless doesn't STAY in-building. So treat it like the general internet, put it on the OUTSIDE of your firewall, and secure-tunnel through for access inside.

          Option 1: You can treat your APs and the general Internet as TWO separate external nets, both outside your firewall. Then your laptop has to tunnel in and authenticate to make any use of the AP, effectively becoming wired to your lan.

          Option 2: You can treat them as ONE outside-the-firewall net, routing packets between them as well as from each to your firewall. Then you become a hot-spot, and visitors (customers, vendors, partners) can also use THEIR laptops to VPN to THEIR private nets (or surf the web B-) ) without having privileges on YOUR local net.

          For option 2 you can use WEP as a no-tresspassing sign (post the netname and current password or have them get it from security or their inside contact), set up some other authentication mechanism, or leave your APs open (if you want to do your neighbors a service).
        • But if thats not the case with your implementation, then I agree that VPN alone is not a solution for HotSpots and the like.

          You're probably right. My VPN connection isn't the proper VPN for properly securing wireless connections.

          But my point still stands, VPN isn't a solution for everyone. Not everyone has access to one or knows how to set one up properly. Same can go for Wireless security though... Setting up a Radius server and an Access Point to use it isn't a task my Mom can do. And I think
      • In our network, we've got our WiFi outside the firewall, and we wireless users utilize the VPN for internal connectivity. Works great, and you can hardly tell you're not wired to a switchport.

        What are you guys using for VPN connectivity?

  • by Anonymous Coward
    This is an EXCELLENT book for detailed frame analysis, especially if you need the guts of the new security protocols. I read most every wireless LAN book that hits the market, and have written a few of my own. This book is definitely a winner. Thomas does a great job of bringing out hidden and vague areas of the 802.11 standards, and answered several detailed questions that nobody else has been able to answer. Kudos on a job well done.
  • Duh... (Score:5, Funny)

    by lukewarmfusion ( 726141 ) on Wednesday March 17, 2004 @04:09PM (#8592052) Homepage Journal
    "Have you wondered about how the magic of wireless networks for PC's happens?"

    Duh, it's magic...
  • Itallics (Score:1, Offtopic)

    by scum-e-bag ( 211846 )
    Someone forgot the closing </I> on the front page.

    Who is getting sloppy with their HTML?

  • Have you wondered about how the magic of wireless networks for PC's happens?

    Well there's this plug for the cable(with eight pins instead of 4 for much more speed!), a radio thingy, and lots of little electronical chip things, and they make the wire talk to the air using the antenna. I heard some of them have a little penguin inside to help move the webpages around and deliver my email. Not that complicated, really.

  • Wow, this review had so many copy/paste trolls it was insane. In any case, remember this: if you can Google up something to copy, we can Google up the original source just as easily. It's not really a good tactic to get karma, they typically get smacked down to -1 before reaching 4.
  • In tribute to this "Great Book" I submit a great site. Netstumbler.com [netstumbler.com] and Netstumbler.org Forum [netstumbler.org]
  • Someone failed to close the i tag in the post for this story.
  • by newdamage ( 753043 ) on Wednesday March 17, 2004 @05:28PM (#8592989) Homepage Journal
    My belief for securing access points in this day and age is to just make yourself secure enough that the attacker decides that it'd just be easier to look for an unsecured AP. If you have such critical information on your network that you need super-secure wireless access, you probably shouldn't be using wireless in the first place.

    Casual war-driving studies have been done in the past, and if I remember correctly, on average 60% of APs that were broadcasting were still in their default out-of-box configuration (no WAP, no MAC filtering, default password for adminstration). If you just enable WAP (please use a good random key generator, folks), and MAC filtering, more than likely it just won't be worth it for somebody to try to break in to access your network.

    Also, just in case somebody does break into your AP and does something nasty, this is what the daily logs are for, so enable logging on your AP and back them up to disk regularly. Because, yes, you are responsible what goes through your connection, so you better be able to prove there was unauthorized entry, limiting your liability.
  • Since this is the textbook for the wireless class I'm taking this semester, it does a good job of explaining things, but sometimes the use of acronyms get in the way. I was advised to read over things more than once in this book. Granted, it's not exactly an advanced class, but I haven't had much trouble with the explanations.
  • Any book that says "for power users" isn't.

Swap read error. You lose your mind.

Working...