What to Look for in an Access Point

Although you can buy a standard AP from some SOHO network vendors, most of the APs on the market today include a router that can be used to connect to a broadband Internet connection, such as a cable/DSL modem. Most of these units also include an Ethernet switch. As a result, most vendors in the SOHO networking category sell more wireless routers with integrated switches instead of APs. For business-level (especially enterprise-level) networking, APs continue to be popular items because they can be plugged into an existing Ethernet network that is already equipped with a router.

Table 19.2 lists the differences between wireless APs, wireless routers, and wireless routers with integrated Ethernet switches.

^[*] Most IEEE 802.11b APs and routers support WEP only; most IEEE 802.11g and 802.11a APs and routers support WPA and WPA2. Check with your vendor for firmware updates if your AP or router does not support WPA/WPA2 security.

What do the differences between a wireless AP, a wireless router, and a wireless router with integrated Ethernet switch mean? The simplest of the three devices is a wireless AP. A wireless AP's functions include

• Providing wireless access between clients

• Connecting wireless clients to an Ethernet network (optional)

• Providing a secure connection between clients (optional)

An AP is not equipped with a DHCP server for providing IP addresses, nor is it equipped with a router for connecting clients with another network (such as the Internet). Thus, an AP should be used in conjunction with an existing wired Ethernet network.

Although a wireless router resembles an AP, it offers additional features:

• Provides wireless access between clients

• Connects wireless clients to an Ethernet network (optional)

• Provides a secure connection between clients (optional)

• Provides server-assigned IP addresses to clients via its integrated DHCP server (optional)

• Uses network address translation (NAT) to help hide LAN clients from the Internet

• Routes traffic between the LAN and the Internet (WAN) when connected to a broadband Internet access device or a wired network connected to the Internet

A wireless router provides one-stop shopping for wireless clients' LAN support needs. However, it does not provide these services to wired Ethernet clients.

A wireless router with an integrated switch supports both wireless and wired clients and includes the following functionalities:

• Provides wireless access between clients

• Connects wireless clients to an Ethernet network (optional)

• Provides a secure connection between clients (optional)

• Provides server-assigned IP addresses to clients via its integrated DHCP server (optional)

• Uses network address translation (NAT) to help hide LAN clients from the Internet

• Routes traffic between the LAN and the Internet (WAN)

• Provides high-speed switch connections between wired Ethernet clients

• Provides connections between wired and wireless clients connected to the router

• Can provide DHCP and Internet access for additional wired Ethernet clients by connecting another switch to the unit's uplink port

As you can see from this comparison, a wireless router with an integrated Ethernet switch makes it easy to build a mix-and-match network with both wireless and wired clients. It's not surprising that this type of device is the most popular for SOHO networking.

What benefits do these features provide?

If you are going to use the Access Point only in a closed network, the broadband connection (WAN port) won't be necessary. However, you will be hard-pressed to find an Access Point that doesn't have this port, and it can be ignored until you want to use it.

DHCP enables clients to obtain a server-assigned IP address and IP configuration from the Access Point. A DHCP server uses a private address range (one that is not valid for use on the Internet). The most common range that SOHO wireless routers support is the 192.168.x.x range; however, some routers also support 172.16.x.x. If your wireless router has an Ethernet switch, the DHCP server provides addresses to both wired and wireless clients connected to the router.

When making a connection to the Internet, the Access Point substitutes its IP address in packets the client sends out onto the Internet. When packets for the client are returned to the Access Point, it removes its own address and replaces it with the client's address. This technique is known as Network Address Translation (NAT). Using NAT and a private address range enables you to use a single Internet connection and share it with two or more computers. A second benefit of NAT is that it helps prevent other computers on the Internet from gaining addressing information about the computers on your local network. Although not a perfect firewall solution, NAT can prevent simple attempts at intrusion.

DHCP is usually employed by Internet service providers (ISPs). This is because the IP address space used on the Internet is finite, and there aren't enough addresses to go around for all the computers that connect to the Internet. Thus, if you have a broadband connection for your Access Point, network packets going to and from the Internet are going through two levels of NAT! The first level is between the ISP and your wireless Accent Point. The second is between the Accent Point and a client computer on the wireless network.

An Access Point that incorporates three or more RJ-45 ports includes a 10/100 Ethernet switch. This feature enables you to connect computers to the Access Point using a wired connection. This feature is useful when you only need to use wireless networking for a few computers (such as laptops that you move around the home or office), while other wired computers (such as a desktop workstation or server) are located in a fixed location. Another reason for using an Access Point that provides both wired ports and wireless networking is that 802.11b operates at speeds ranging from 1Mbps to 11Mbps. Although these rates may be sufficient for some computers, servers and other client computers that transfer large amounts of data are candidates for a wired 100Mbps connection. Thus, you get the best of both types of networking. This also enables you to add wireless capabilities to computers over time, allowing you to spread out your expenses when buying wireless network cards.

Note

802.11a and 802.11g wireless networks operate at rates up to 54Mbps. Although this is less than the 100Mbps you can achieve using a wired connection, it might be sufficient for servers and some clients in your network, especially laptop computers.

Distance Limitations

In general, 802.11b networks can span a distance up to 100 meters indoors and up to 300 meters outdoors. However, such seemingly trivial things as buildings, trees (as well as the weather), and other similar barriers can dramatically reduce this distance. When planning for the installation of a wireless network that will require more than one Access Point, because of distance limitations, start with just one Access Point, and test using it at different parts of the building. Using this method, you can determine how many Access Points will be needed. Don't count on the distances provided for in the 802.11b specifications. Additionally, if you are going to use more than one type of network adapter cardsuch as one for laptop computers and another for desktop computersor cards from different manufacturers, be sure to perform the same tests using each type of adapter.

Although you can use repeaters to increase range, most APs have removable antennas, enabling you to install higher-gain or directional antennas to improve range or coverage. We recommend trying better antennas before adding repeaters to your wireless network because the fewer devices you have on your network, the simpler it is to manage and the more reliable it is.

Firewalls

In addition to NAT, some Access Points come with minimal firewall capabilities. For example, you can use port blocking and packet filtering to help protect your LAN. Although not a necessity, a firewall, along with a good antivirus program, helps protect your wireless network from many of the malicious attacks that periodically occur on the Internet. Even if the Access Point does provide a simple firewall, you should probably go the extra mile and buy a software-based firewall for each computer in your network that uses other firewall techniques. The costs for these programs is minimal (usually around $50) when you consider the time it takes to restore data from backups when a virus, a worm, or another similar program invades your computer. $50 is not much to pay for the extra security that a firewall and an antivirus program can give you.

Although Windows XP includes a firewall and the version included in Windows XP Service Pack 2 offers enhanced features and easier configuration, it does not inspect outgoing packets that could be generated by a virus, worm, or spyware. For this reason, a third-party firewall such as Zone Alarm is highly recommended.

Note

NAT and firewalls are covered in greater detail in Chapter 45. This is recommended reading for anyone who is thinking about connecting any LAN to the Internet. In addition, all chapters in Part VIII, "System and Network Security," should be required reading material for anyone who operates a network in which a high degree of security is desired.

Access Points with VPN Support

If you plan to connect to an enterprise network via a virtual private network (VPN), you might need an AP that is especially designed to handle VPN traffic. Although virtually any AP supports a single VPN tunnel, you need a specially designed AP to handle two or more VPN tunnels or to handle incoming VPN traffic.

If two or more users on your home or SOHO network need VPN support at the same time, be sure to use an AP designed to support multiple tunnels. Some of these APs also provide better firewall features than normal APs. Note that most products with enhanced VPN support are actually wireless routers with integrated Ethernet switches.