Skip to main content

How To Install a Secure Wireless Network in Your Facility

  • by Tim Kridel
  • Done properly, building a wireless network won’t be the horror story it was for the school that shut down the network when a student’s laptop accessed an infected Web site and spread a virus.

We’re here to make sure that that doesn’t happen to you. With a bit of insight and some proper planning, you can install a wireless network that’s successful, stable, and secure.

Start with a solid foundation.

Before you do anything, make sure your wired infrastructure is strong. If it’s not working properly, installing wireless will exacerbate the problems.Planning is everything.

A successful wireless implementation is entirely dependent on figuring out the variables up front, including application, wireless frequency, density of users, and building materials.

1. Application: What do your teachers, administrators, and students want to accomplish with a wireless environment? You need to understand this before you get to the technical details.

“We are on our fourth iteration of wireless because we didn’t plan it correctly,” says Steve Terrell, the network and IT security engineer at the Illinois Mathematics and Science Academy in Aurora. Now he knows to ask the essential questions: How many people will be accessing the network, and what do they need to do with it?

As Terrell learned the hard way, providing a bunch of access points and wireless devices will not make a successful deployment. “If you don’t know what capacity you’re building for, your users will be unhappy.”

Try to anticipate what your users will want so that you don’t build a network to accommodate one device per person and then have people walk in with several devices each.

2. Wireless frequency: Even though wireless standards continuously evolve you should choose whichever equipment is right for your district. If your students’ notebooks are not the same standard as the access point, the access point will kick down to the speed of the notebook and you won’t get the true benefits of that access point. Even if you have 40 802.11n notebooks and an 802.11n access point, if just one person has a notebook that’s 802.11b, every user will default down to 802.11b speed.

Joe Penney, technology director at Madison-Plains Local School District in London, Ohio, chose 802.11n instead of 802.11g. “G is fast, but n provides higher speeds and a wider spectrum for us to run multimedia and streaming over,” he says. “N also provides double the coverage size.”

3. Density of users: Another critical issue is the number of users who will be accessing the wireless network. Remember, wireless is a shared resource. “Lots of people think they can put up an access point, get coverage, and they’re set, but that’s only part of the story,” says Thuan Nguyen, chief information officer at Kent (WA) School District. “You have to look at how many clients you’re building for and where they will be. You need to plan so you’ll be able to provide enough bandwidth, for example, to stream video to a class of 30 laptops.”

4. Building materials: Another consideration is your building’s makeup. Wireless will not penetrate metal, which is often found in older buildings. Newer construction, particularly LEED-certified, presents other challenges: wireless and cellular wreak havoc, and reflective glass can impede wireless coverage.

Mary Ann Beseda, technology director at Spring Independent School District in Houston, Texas, had difficulty with her schools’ cinderblock walls. “There’s a difference with how RF [radio frequency] goes through today’s buildings versus those built in the ’70s,” she says. “Music rooms can also present challenges. You can be standing outside the door and unable to get access because of soundproof walls.”

The Essential Site Survey
Next up is figuring out where to put access points.

Penney covered his 750-person high school with 12 access points. “We used a service provider through CDW-G who came in and did a site survey of the high school,” he says. “It is important to do a true site survey instead of guessing where your access points will go. It showed me how to overlap three different access points where I wanted them.”

At this time, you should also think about any non-tech devices running in your building, in particular microwaves, which usually run on the same channel as wireless.

Adam Weber, principal of Techedvise, an education-technology design and consulting firm in Carmel, Indiana, has helped hundreds of schools go wireless. He also recommends doing a site survey, and suggests using wireless-planning software to do it. “Whether it’s an entire campus or one building, we use these tools to ensure that you have proper wireless coverage.” Vendors such as Cisco, Meru, and Trapeze have their own software, and this, says Weber, will help with planning regardless of the platform you use.

Choosing Equipment
Terrell and Nguyen use Cisco products and services; Beseda and Penney use Aruba Networks. When choosing a vendor, it’s not just about price; it’s also about what you are trying to achieve. Weber says to talk with surrounding districts and to not assume that only one vendor has what you need. He suggests having a manufacturer or local reseller do a demo so you can see how it will connect and can get a feel for the user interface.

Penney’s system has a centralized controller that allows him to manage his network. “I can reconfigure ports as I need to,” he says. “It gives me the ability to customize.” When he installed wireless in the middle school, he just duplicated the high school configurations. “Management is easy, because you do it once.”

Beseda also uses a centrally managed system. “Otherwise you’ll be spending all your time going out and touching things, and most IT departments are short-staffed as it is,” she says.

Whichever system you choose, you have to keep in mind that wireless configuration is ongoing. When Sean McDonough, director of information technology at the Harrisburg (PA) School District, discovered that an office building was competing for air space and clogging his network, he had to reconfigure the way his access points were interconnected. Because of the constant tweaking, you need to be able to do it on your own. “We are constantly reevaluating. The spectrum changes, kids find ways to bring in other wireless devices, and you need to stay on top of things.”

Keeping the Network Safe
As with a wired network, your district policy will dictate your security. How do you intend the network to be used? What is acceptable and what isn’t? “Your first consideration should be if you want a Starbucks café atmosphere or something equal to your wired network in the security it can provide,” says Terrell. He lets visitors log on to a guest portion of his network only. During the log-in, they must confirm that they accept all responsibility for their actions.

Penney’s district provides wireless to anyone who’s near the school. He has four portals: one for district-owned equipment that’s hidden from outsiders; a staff-device portal, accessible by user name and password; a student-device portal, for kids who bring in their own wireless devices, which limits bandwidth; and a fourth one, for visitors. The visitor portal provides access only in certain areas, such as the main office. The visitor gets a password from a staff member and is granted usage for a set number of hours.

“Every once in a while, kids bring in their own device or an access point and plug it into the network,” says Penney. “Because I have all the heat maps on my controller, I can detect the rogue access point, locate it, and go ask them to unplug it. Or I can put it on a rogue list and keep our network running clean.”

Other things to decide how you’ll handle are encryption, rogue detection, and intrusion detection, Nguyen says. His district uses machine-level authentication, in which the computer authenticates to a server and creates encryption. When users log in, there’s a second level of authentication so that Nguyen knows who’s logged on to that machine at that moment.

Mark Coltharp, a technology-solutions consultant for Denver-based Accuvant who has worked with schools for 20 years, says a common mistake is to forget to physically secure the network. “I’ve seen several schools with access points or antennas in clear sight of the students, who take them home. It’s more than just a financial loss. The access points can contain key security data.” He suggests installing access points above the drop-tile ceiling (and exposing just the antennas) or encasing them in a grid.

Another security challenge is protecting students’ identities. “You need strong Web and content filtering on the back end,” Coltharp says. “I recommend full-disc encryption to protect them in case a laptop is stolen, as it has information about the child’s identity, his security key, and how he accesses the network.”

Last but not least, to protect against malware and viruses, Coltharp suggests limiting bandwidth and restricting usage by time of day and geographic location in the school. After all, you don’t want to be the horror story we mentioned before and which we write about in the next wireless article.