Blue Planet Studio - stock.adobe
Wi-Fi AP placement best practices and security policies
From a security standpoint, Wi-Fi network designers should consider the physical and logical placement of APs, as well as management, segmentation and rogue devices.
For more than 20 years, Wi-Fi has been part of business networking. For many business network environments, Wi-Fi is the dominant access method for most client devices. That means the wireless LAN needs to be reliable and set up to support operational goals, which can vary depending on individual network cases. Success of any WLAN depends on proper placement of the access points that make up the network, both from the physical and logical perspectives.
When end users experience poor Wi-Fi, they tend to know it. Whether it's a webpage that won't load or a video that stalls out, poor Wi-Fi is frustrating. By contrast, when end users are connected to a solid WLAN, they generally don't think about it because everything just works.
So, what's the difference between good Wi-Fi and bad Wi-Fi experiences? Follow these best practices to avoid bad experiences and promote a more positive Wi-Fi environment.
1. Space requirements drive Wi-Fi design
Good Wi-Fi doesn't just happen, especially in large or technically complex settings. Sometimes, IT teams install access points (APs) in areas that are simply convenient rather than placing APs where they need to go for the best performance. When this happens, the chances for end-user disappointment increase exponentially.
2. Leave it to the professionals
WLAN design is a skill executed by trained professionals. The process normally employs sophisticated modeling and survey software to achieve a design that satisfies clearly identified operational goals. Skip any part of that equation, and organizations can safely expect frustration.
With AP placement, professional design considers the number of APs required to serve the expected device counts with an agreed-upon per-client bandwidth and whether external antennas are needed to achieve coverage requirements.
3. Wi-Fi should be purpose-built
Different network purposes usually yield different network designs and AP placement. For example, using Wi-Fi-based location services and providing guest access result in different designs than a WLAN that services point-of-sale terminals that shouldn't leak outside company walls for security reasons.
4. Physical security of APs is not cut and dried
When different organizations plan AP placement and physical security, there's no single set of guidelines or advice to follow. Some environments warrant locking enclosures or making sure APs can't be physically reached by people who use the spaces. In others, enclosures would be a waste of money because the enclosure costs more than the AP itself, security cameras cover the area or the space is closed to the public.
Again, proper Wi-Fi AP placement depends on policy, situational specifics and operational goals per individual network settings.
When placing APs, a frequent mistake is being overly concerned with hiding the APs, which makes them nearly impossible to service later. Another mistake is installing APs in vulnerable areas where they could be tampered with or machinery or wheeled devices could bang into them. Common sense also factors into the bigger narrative on AP placement.
A solid site-appropriate design prevents expensive rework later, keeps users and administrators happy, and fits within the security policies that guide the environment. It also yields an actionable bill of materials and cabling plans to support the APs. Additionally, a well-executed design includes proper switch and cabling provisions. It also identifies various resources in the network path that connected clients interact with to ensure sufficient capacity throughout the network.
5. Consider logical placement of APs
Most wireless networks today are multipurpose. They might provide a dedicated service set identifier (SSID) for voice, another for guest access and yet another for managed business laptops -- all being served by the same APs. Each SSID typically equates to a specific virtual LAN and requires its own security configurations depending on client types that use that SSID. The APs themselves also bear scrutiny when it comes to logical placement. This refers mainly to how they are administered on the network.
6. Segment APs for security management
In the business network setting, rarely are APs managed on the same discrete network that client devices use. APs, switches, closed-circuit TV cameras and a range of other devices are typically managed in tightly controlled IP address space out of reach of those who might do harm if they could reach the operational crown jewels of the network.
Whether protected by a firewall or access control list, these devices often are rightfully closed off from the internet and the rest of the network for administrative access. Hopefully, only a small group of administrators can reach them and, then, only when two-factor authentication requirements have been satisfied.
7. Enable cloud
With more network services being cloud-managed, APs that are administered in private IP spaces still need a path to the internet, whether that is facilitated by network address translation or a resource like a bastion host or jumpbox. Thankfully, IT teams can logically isolate APs for management in several ways, while still providing access to the various devices that access the WLAN.
8. Beware of unwanted APs
No matter how well the WLAN meets operational requirements, some people may connect a wireless router or AP to the LAN within the business network -- and they have no business doing so. Ignorance, disregard for policy or maliciousness all may motivate the addition of a rogue wireless network device.
Regardless of why these devices show up, it's imperative to have a response strategy worked out ahead of time. Even when a security breach isn't the motivation behind the rogue device, that can end up being the unintended outcome. Minimally, a rogue device can create high-strength interference that impedes the use of the business Wi-Fi system for legitimate users.
A well-articulated and communicated policy is the first step in minimizing rogues. After that, detection is key, and this requires ongoing monitoring of the Wi-Fi spectrum for signals that don't belong.
In dense WLAN networks that are designed correctly, usually, the placement of business LAN APs can help pinpoint rogue devices. Most contemporary APs can report signals that shouldn't be there. Some systems call them neighbors, others call them rogues and some try to split hairs between the two notions.
Regardless, a booming unwelcome Wi-Fi signal in the middle of the corporate WLAN needs to be detected and investigated, with appropriate responses administered to prevent repeat offenses.
Editor's note: This article was updated to reflect more up-to-date wireless network design technologies and practices.