Coping with Wi-Fi growing pains
Your wireless network needs to grow with your business. Steve Cassidy explores the challenges involved in scaling up.
Wi-Fi is the backbone of most home and professional networks: most businesses want to provide a wireless service to welcome their guests and support their workforce. Unfortunately, delivering fast, stable and pervasive coverage isn’t always easy. Sit with a simple, free Wi-Fi analyser app on your phone and you’ll see that base stations and devices don’t always work together efficiently.
And while it’s true that you can provide a basic service by setting up a domestic router, what happens as your business – and its reliance on wireless traffic – grows? The road that takes you from a cheap and cheerful setup to something that will operate across an entire campus can seem impossibly difficult. Assumptions that work at one scale won’t hold at the next, and issues you’ve never had to consider before come into play as your wireless demands evolve and expand.
When simple is actually simple
When you’re designing a network, it pays to start by considering the simplest option. In the context of extending company Wi-Fi, the simplest option is precisely what the least experienced, most impatient person would do: lease a second internet connection and install a second router.
At first glance, this may sound inefficient. A consultant colleague of mine once visited a company running off just such a setup, and immediately determined to rip it out. After three months working on a more integrated solution, at a cost of two years’ worth of internet service, he ended up going back to the twin-line approach.
It’s a case study that’s worth examining because it illustrates some important issues that arise when you try to implement smarter Wi-Fi at larger scales. The first challenge my colleague hit was the nature of the building itself – an old airship factory over 100m long.
For the client’s business, this was the perfect size, as it meant they could have dedicated areas for hazardous operations. However, not only was the building too large for a regular Wi-Fi base station to cover, it housed some interesting facilities, such as a welding station halfway down the building, where bursts of hundreds of amps arced through the air, inside a galvanised steel shed. This ensured that wireless signals wouldn’t pass that point. The run from one end of the building to the other was also too long for standard wired Ethernet, which ran out of reach at around the 60-metre mark.
The proposed solution was fibre, which meant installing new switches at both ends. Technically speaking, this worked, but the workforce quickly started complaining that the home-account federated access they had enjoyed as part of the ISP’s feature list no longer worked with the internally authenticated access. This in turn kicked off a long project aimed at spreading authentication across multiple servers – which meant additional machinery, licences, relationships and consulting time that had not been needed in the original, two-line configuration.
Eventually, the operations manager pointed out that the employees working at the far end of the building had been better off connecting via a second phone line, delivered via overhead wiring on poles through the woods that had been installed back when the place was still being used for manufacturing airships. Bye-bye servers, bye-bye fibres and bye-bye consultant.
Of course, that doesn’t mean every scenario can be accommodated like this. For one thing, the cost rises linearly as you install more and more lines. For another, this type of supply can come with multiple gotchas such as bundle deals or tariff breakpoints that commit you to extra payments if you don’t use the lines enough. Moreover, it’s not uncommon to be locked into a five- or ten-year relationship by one of these deals. That’s not great, as you’re probably going to want to upgrade your networking provision before you want to change ISP.
Consequently, while this solution has the benefit of simplicity, I would advise against taking it any further than two lines across a large site or a pair of separated locations. Beyond this, the cost and complexity of management swings back in favour of a classical IT approach – unless, of course, there’s an extraordinary environmental influence such as horrible signal-mangling electric emissions to contend with.
Restrictions and interdictions
Another consideration is how you’ll manage what network users can access. Private company networks are often restricted; the motivations for this are legion, whether you consider them from an abstract, technical perspective or follow the incident history of the average business. On the technical front, a degree of distrust ought to be uncontroversial, as low-end Wi-Fi repeaters aren’t always smart enough to defend against a client that is – whether through undiagnosed infection or deliberate malice – trying to cause trouble. And that goes for phones as much as laptops these days.
Unfortunately, there’s something about Wi-Fi that engenders a sense of reliance and entitlement among users. Blocks and interruptions, for whatever reason, produce much more anxiety and impatience than servers being down, websites being updated and so on. Once a business has got its first base station going, there tend to be shrieks of agony the moment users run into restrictions. Some businesses try to head this off by running the whole network as merely an adjunct to the Wi-Fi, with enormous spend dedicated to the crazy idea of a “wireless perimeter”.
This is another scenario where a twin-line approach can pay off. If you decide on day one to set up a guest network, running on its own (slow, cheap) DSL line, entirely separate from the business network – which has its own router, SSID, user database and so forth – then a vast amount of harrowingly complex configuration can be avoided entirely. You just need to make sure the right traffic goes to the right network, so segregate user lists and perhaps even operate a hidden SSID for the firm’s internal LAN.
As we’ve mentioned, however, setting up multiple lines will only take you so far. Once you have more than two base stations, the administrative load of managing them separately starts to tell. The administrative load of almost any Wi-Fi provision is higher than most people would assume, because Wi-Fi is for mobile devices, and people take such things home, lock them in the car, go on holiday with them – but I digress. The point is, once you need a few base units, manageability comes into play. You don’t want to be configuring each access point individually – instead you want to be able to manage SSIDs, passwords and security as if your portfolio of devices were just one unified whole.
You’re also very likely to want to set up an SSO system. Not SSL, which is a security layer for all kinds of traffic, but instead a Single Sign-On architecture that spares users from having to worry about multiple credentials for all your different network resources. This brings its own challenges: in a regular corporate network, you very much want your devices to be able to seamlessly reauthenticate as they roam from one base station to another, but at the same time, users really should be using unique passwords to access the various systems that become available once they are connected by Wi-Fi.
Several of the more expensive players make an enormous fuss about SSO, blurring it into the corporate authentication platform (which on Windows mostly means Active Directory), offering nicely expensive consultancy contracts to pull it all together, and bundling in cloud-based device management for good measure. I guess if you’re setting up Wi-Fi in some remote situation, with a nice wide strip of countryside around you to isolate your signals, then single-identity SSO might be a safe option – although I would never consider it something to aspire to in a regular corporate network.
Variable environments
While there are plenty of general principles of network security, some Wi-Fi environments simply defeat all the old traditional models. I met some people from Alcatel in 2016 who were very happy to describe the degree of security and traffic segregation required by the Burj Al-Arab hotel in Dubai, an enormously tall building that has no choice but to use a single network backbone for every bit of information flying around the place. When you see a fireworks display that uses the Burj as the world’s largest launching point, the rockets and starbursts go off in sync because they are all logged in to the network – wirelessly of course, via hundreds of access points. At the same time, that network also has to support any number of guest smartphones, security devices, CCTV cameras, environmental monitoring sensors – everything. This is a far harder brief than allowing warehouse workers to read their email and get WhatsApp messages from their line manager.
For me, that kind of giant project marks the point at which you can’t just buy in hardware and services and expect them to work with whatever’s in place already. Wi-Fi has to be a seamless part of a larger whole, even though that seamlessness may not be at all visible to users.
It remains a special case, though. I don’t foresee that sort of model trickling down to smaller, simpler deployments. As a result, if you can, it makes more sense to be able to specifically manage your Wi-Fi, rather than having to take a whole-network approach to everything.
Base station bingo
Another important part of the battle is choosing the right hardware for your business. The world of Wi-Fi is full of buzzwords, frequencies, security standards, management standards, authentication systems, and so on. Needless to say, these features are not always represented by manufacturers in straightforward ways. For example, even a simple, one-antenna router may be festooned with promising terms such as “VPN”, “WiMax” or “VLAN”. However, be warned: there’s no international testing and compliance body that guarantees these features will work in the way you want them to, or interoperate with anyone else’s implementations. Nor is there any guarantee that Windows 10 will support them properly – a particular bugbear with VPNs at the moment.
To make matters worse, manufacturers like to offer a confusingly wide range of models, with the low-end units lacking key features and capabilities. At the time of purchase, you may not fully appreciate the usefulness of these features – it’s surprising how many networks I see that completely ignore well-understood traditional configuration options that would almost instantly solve various difficulties. For example, making use of static routes, Layer 3 routing and separate IP subnets can make an enormous difference to quality of service. Furthermore, it can be very helpful to create a DHCP superscope on the company server, rather than using a router’s internal DHCP server for address allocation. If you buy the cheapest base station that appears to do everything you need, you may discover that these options are closed to you.
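As an added illustration (not from the original column), this is what moving address allocation off the router and onto a Windows DHCP server looks like in PowerShell: one scope per IP subnet, gateway and DNS options set per scope, and the scopes grouped into a superscope. Every name, address and domain below is constructed for the example.

```powershell
# Added example, not from the column: one DHCP scope per Wi-Fi subnet on the
# company's Windows DHCP server, grouped into a superscope.
# All names, addresses and the domain are constructed for illustration.
Import-Module DhcpServer

# Separate subnets for separate areas, each with its own gateway, rather than
# one flat pool handed out by the router.
$subnets = @(
    @{ Name = 'Office-WiFi';  Net = '10.10.1.0'; Gateway = '10.10.1.1' },
    @{ Name = 'Factory-WiFi'; Net = '10.10.2.0'; Gateway = '10.10.2.1' }
)

foreach ($s in $subnets) {
    $prefix = $s.Net -replace '\.0$', ''

    # Short leases suit roaming clients that come and go during the day.
    Add-DhcpServerv4Scope -Name $s.Name `
        -StartRange "$prefix.50" -EndRange "$prefix.250" `
        -SubnetMask 255.255.255.0 -State Active `
        -LeaseDuration (New-TimeSpan -Hours 8)

    # Keep the low addresses out of the pool for the gateway, switches and
    # access points, which get static addresses.
    Add-DhcpServerv4ExclusionRange -ScopeId $s.Net `
        -StartRange "$prefix.1" -EndRange "$prefix.49"

    # Point clients at the corporate resolver, not the router, so internal
    # names resolve the same way from every subnet.
    Set-DhcpServerv4OptionValue -ScopeId $s.Net `
        -Router $s.Gateway -DnsServer 10.10.0.5 -DnsDomain corp.example
}

# The superscope groups the logical subnets into one administrative unit; where
# they share a physical segment it also lets the server lease from either range.
Add-DhcpServerv4Superscope -SuperscopeName 'Main-Building' `
    -ScopeId ($subnets | ForEach-Object { $_.Net })

Get-DhcpServerv4Superscope | Format-Table SuperscopeName, ScopeId
```

Run it on the DHCP server itself (or pass -ComputerName to each cmdlet) with an account in the DHCP Administrators group; the guest line's router keeps its own DHCP, since that network is deliberately kept separate.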
Of course, there’s also no point in paying for features you genuinely don’t need. If you want customers to pay for their access and be given little printouts of one-shot usernames and passwords, it’s very likely you won’t need massively smart traffic segregation or guaranteed bandwidth for roaming VoIP devices.
The one area where I take no prisoners is wireless security. This is such a fast-moving field, with so many well-recorded instances of supposedly secure Wi-Fi being circumvented, that I utterly disregard the idea of security at the base-station level. Build the security into your wired network (with a multi-zone firewall, for example). If all else fails, in the middle of your worst nightmare you can always yank the lead out and know where you stand.