Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
- Wireless Frequency Fundamentals
- Network Requirements
- Site Surveys and Heatmaps
- Additional Considerations
- Naked Security: 8 Tips to Tighten Your Work-From-Home Network
When deploying a new wireless network or making changes to an existing one, there are a lot of factors to consider: interference, channel selection, speeds, and many other pieces of the puzzle. Because the process can be complicated, we’ve put together some information to get you started on the right foot and help you avoid problems like slow or inconsistent connections.
This Recommended Read is accompanied by our video: Sophos Wireless: Wi-Fi Fundamentals
Wireless Frequency Fundamentals
- Let’s start by talking about frequencies. Wireless networks can operate on two frequency bands, 2.4 GHz and 5 GHz.
- Both bands are susceptible to environmental interference from solid objects and other radio frequency sources.
- The 2.4 GHz band penetrates objects better than 5 GHz, achieving a longer range in your environment.
- It is also a more heavily shared band: other devices such as cordless phones, microwaves, and Bluetooth devices also use 2.4 GHz, so they can cause interference on a 2.4 GHz network.
- The 2.4 GHz band has 11 different “channels” to transmit data on, but only three of them (1, 6 and 11) are non-overlapping.
- This means 1, 6, and 11 are the only channels we can use without channel overlap issues.
- We’ll talk more about channels shortly.
- Our other frequency band option is 5 GHz.
- 5 GHz is less susceptible to channel interference, but more susceptible to signal degradation over distance and through obstacles.
- 5 GHz is a higher frequency: its wavelength is shorter and it oscillates faster than 2.4 GHz.
- Higher frequencies penetrate objects less well, but they have a faster transmission rate, meaning much faster potential speeds.
- 5 GHz has 24 non-overlapping channels, so there are a lot more options to choose from. Because of that, its channels are less likely to get congested due to high traffic or to interfere with one another if multiple APs are close together.
- Not all devices support 5 GHz, so make sure to evaluate your client device requirements and your AP capabilities before selecting a band to use.
- We'll talk more about that in the network requirements section.
- The concept of channels can be a bit confusing, but here at support we see a lot of cases caused by misconfigured channel selection and width, so it's very important to understand.
- Each frequency band (2.4 GHz or 5 GHz) is divided into dedicated lanes, called channels, that traffic can be transmitted on.
- The more data is transmitted on one lane, the more likely congestion becomes.
- So if your network and a neighboring network, for example, are both using 2.4 GHz on channel 1, there is potentially double the traffic on channel 1. This can cause major co-channel interference, or CCI, for both networks.
- Co-channel interference: crosstalk from two different radio transmitters or antennas on the same channel.
- When this happens, you could experience anything from slow to completely unusable Wi-Fi, even though your device shows as fully connected.
- Switching your AP to a different non-overlapping channel, like channel 6 or 11, should resolve the issue.
- A channel is a frequency band segment that can be 20, 40, 80 or 160 MHz wide.
- 2.4 GHz can only accommodate a maximum channel width of 40 MHz, since the entire range is only 72 MHz wide: 2.401 to 2.473 GHz.
- The wider the channel, the more throughput capability it has, and potentially the faster the Wi-Fi.
- Think about channel width like a highway: if you double the number of lanes, you can double the amount of traffic.
- This comes with a price, however: the wider each channel is, the fewer channels you have, and more importantly, the fewer non-overlapping channels you have.
- This raises the likelihood of adjacent-channel interference occurring.
- Adjacent-channel interference happens when two or more channels overlap with each other.
- For example, if you had two APs using 2.4 GHz, one on channel 1 and one on channel 2, the signals will interfere since those two channels overlap.
- In this situation, you would want to choose channel 1 for the first access point and channel 6 or 11 for the second access point, because they don't overlap.
- Essentially, it’s the same resolution as in our first scenario.
- In most networks, we tend to keep channels at 20 or 40 MHz maximum width to increase the number of non-overlapping channels we have to work with, but that means we’re sacrificing potential throughput.
- If you plan on using 5 GHz with 80 or 160 MHz channels, you can get great speeds, but make sure you're not near other networks, or plan your channel selection well.
- Automatic Channel Selection:
- Like many access points, Sophos APs can be configured with automatic channel selection, so the access point will detect the channel with the least amount of traffic and switch to it.
- This is convenient in simple setups like a home or a small office with few APs. However, in high-density environments deploying many APs, it may be best to statically assign channels to ensure APs aren't constantly switching between channels.
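To make the channel rules above concrete, here is an added Python example (not from the original article and not Sophos code) that models 2.4 GHz channel overlap and labels each pair of APs in a channel plan as co-channel, adjacent-channel or clear. It assumes the standard 2407 + 5n MHz channel centres and a 22 MHz occupied width per 20 MHz channel, which is what produces the 1/6/11 set described above.

```python
"""Model 2.4 GHz channel overlap to tell co-channel from adjacent-channel interference.

Added example, not Sophos code. Assumptions: channel n (1-13) is centred at
2407 + 5n MHz, and every 20 MHz channel is modelled as occupying 22 MHz (the
legacy 802.11b mask), which is what produces the classic 1/6/11 set.
"""
from itertools import combinations

OCCUPIED_MHZ = 22  # assumption: legacy DSSS mask width per 20 MHz channel


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz (channel 14 not modelled)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} outside 1-13")
    return 2407 + 5 * channel


def occupied_range(channel: int) -> tuple:
    """(low, high) edge frequencies in MHz that the channel's signal occupies."""
    centre = center_mhz(channel)
    return centre - OCCUPIED_MHZ / 2, centre + OCCUPIED_MHZ / 2


def classify_pair(ch_a: int, ch_b: int) -> str:
    """Relationship between two APs' channels:
    'CCI'   same channel, both networks share airtime (co-channel interference)
    'ACI'   different but overlapping channels (adjacent-channel interference)
    'clear' spectrally separate, no overlap
    """
    if ch_a == ch_b:
        return "CCI"
    lo_a, hi_a = occupied_range(ch_a)
    lo_b, hi_b = occupied_range(ch_b)
    return "ACI" if lo_a < hi_b and lo_b < hi_a else "clear"


def non_overlapping_channels(candidates=range(1, 12)) -> list:
    """Greedily pick mutually clear channels, lowest first; 1-11 gives [1, 6, 11]."""
    chosen = []
    for ch in candidates:
        if all(classify_pair(ch, c) == "clear" for c in chosen):
            chosen.append(ch)
    return chosen


def check_plan(plan: dict) -> list:
    """Report every AP pair in {ap_name: channel} that interferes, as (a, b, kind)."""
    return [(a, b, kind) for (a, ch_a), (b, ch_b) in combinations(plan.items(), 2)
            if (kind := classify_pair(ch_a, ch_b)) != "clear"]


if __name__ == "__main__":
    # Constructed plan reproducing the channel 1 / channel 2 mistake described above
    print(non_overlapping_channels())                     # [1, 6, 11]
    print(check_plan({"ap-lobby": 1, "ap-office": 2, "ap-lab": 6}))
```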
- Next, let's talk about the needs of your network.
- You need to identify the following information to help you plan your Wireless network design:
- Applications that will be in use on the network
- Number of simultaneous clients
- Types of clients
- Areas to be covered
- Power Availability
- Different applications have different throughput requirements. For example:
- VoIP has a minimum required bandwidth of 100 Kbps up and down, but 3 Mbps is recommended: https://www.phone.com/much-bandwidth-need-voip/
- A 1080p HD video stream has a recommended bandwidth requirement of 5 Mbps, and 4K streaming has a recommended 8-20 Mbps: https://help.netflix.com/en/node/306
- These don't sound like a lot on their own, but if you have 50 users on Skype calls simultaneously, you need at least a 150 Mbps network to meet the recommended throughput requirements.
- So note which applications will be in use and determine their throughput requirements.
- You always want to ensure your network can handle more than required: spare bandwidth results in fewer frustrated users than not having enough.
Number of Simultaneous clients
- Most networks have more than one user, so knowing the number of simultaneous users/devices on your network is extremely important.
- Wi-Fi is "half-duplex", a turn-by-turn system: every device takes turns transmitting and receiving data, never simultaneously.
- An access point can either receive or transmit data at a given moment.
- So, 50 users on your network are taking turns sending and receiving data, even though it seems seamless when deployed well.
Types of clients
- Next, you want to know the types of client devices on the network.
- Different devices use different wireless technologies housed under the 802.11 protocol suite.
- Take a look at this chart here:
- Each standard in the protocol suite supports different bands and speeds; as we can see, the fastest is 802.11ac, which only supports 5 GHz.
- Many modern devices use 802.11n, which supports both 2.4 and 5 GHz and is backward compatible. However, this isn’t true of all devices, so it's important to include the devices in your network requirements.
- 802.11a, b, and g are older wireless technologies with slower transmission speeds.
- If you have legacy devices in your network, this can dramatically slow down your network speeds, since each device takes turns transmitting and receiving data.
- The n and ac devices may be speeding along, but they can get slowed down waiting behind the b devices, for example.
- When deploying, you can use band steering to direct 5 GHz-capable clients to 5 GHz and 2.4 GHz-only clients to 2.4 GHz.
- This is basically like creating a fast lane on a highway so the faster clients don't get slowed down.
- The newer Sophos APX series access points support all the 802.11 standards we discussed. However, the older access point series vary per model.
- This is important because each AP will support different devices and have different speed/frequency capabilities.
- All access points and their specs are listed here: https://www.sophos.com/en-us/products/secure-wifi/tech-specs.aspx
- Wireless devices can use multiple antennas to transmit more data through MIMO (Multiple Input, Multiple Output).
- A laptop, for example, can have up to 3 antennas, whereas a smartphone usually only has 1 or 2 to conserve battery power.
- Let's take a look at this chart:
[Chart: potential maximum 802.11ac speeds per number of spatial streams (antennas) at 20 MHz, 40 MHz and 80 MHz channel width; the top value shown, 1300 Mbps, is three streams at 80 MHz]
- This chart shows the potential maximum speeds per number of spatial streams (antennas) for 802.11ac.
- We can see that with 1 spatial stream, or one antenna, on a 20 MHz channel the maximum bandwidth is 87 Mbps, but with three streams it’s 289 Mbps.
- So if your wireless devices only have one antenna, even if you're using 802.11ac, the maximum throughput for that device is 433 Mbps, and only when using an 80 MHz channel.
- If you're deploying many access points, chances are you can't use 80 MHz channels, as you would limit the number of non-overlapping channels available, so you're more likely using 20 or 40 MHz, meaning those single-antenna devices have a maximum throughput of 87 or 200 Mbps.
- So no matter how fast your access point is, your network is only as fast as the clients that use it.
Areas to be covered
- The next thing you want to know is the areas that need coverage.
- Ensure you note areas that need heavy coverage, for example if most users are connected in one office section (high density).
- The APs in that area may have significantly more simultaneous clients connected to them.
- This could mean you need more APs in that area to distribute the traffic, requiring more planning.
- Sophos APs have been tested with 60 devices connected at once, all transmitting data with little degradation, but every network will vary depending on the applications and environment.
- Limiting simultaneous clients on each access point to around 30 is generally a good rule.
- Again, this number changes depending on your network.
- Another thing to remember is that different building materials can significantly affect wireless signals.
- Drywall and insulation will block far less signal than thick concrete; however, in some parts of the world, there might be a metallic coating between the drywall and insulation that blocks wireless signals significantly.
- If your site has wood or metal-covered walls, depending on the thickness, this could also seriously impede the signal.
- So keep that in mind when planning, and find out what building materials are used if you're experiencing issues.
- Great article on building materials and Wi-Fi:
- Regarding power availability, Sophos APs can be powered through Power over Ethernet (PoE) or DC power.
- Some access point models can be powered either way, while some only have PoE, so know what your APs require.
- Make sure you know what infrastructure your site has available for PoE, and keep in mind that APs can draw more power on start-up than advertised, so be sure your PSE (power sourcing equipment, i.e. the PoE switch or injector) can supply more than the minimum requirements.
- If an access point doesn't receive enough power, it can start rebooting randomly.
- Some of the more enterprise-class APs support 802.3at (PoE+), while the smaller APs support 802.3af (PoE).
- Again, reference https://www.sophos.com/en-us/products/secure-wifi/tech-specs.aspx#ap-series to check access point specifications.
Site Surveys and Heatmaps
Note: Sophos has a wireless pre-sales desk that can help conduct site surveys. Please contact your salesperson or sales engineer for more information.
- The best way to plan your wireless deployment specific to your site is to conduct a site survey.
- There are three types of site surveys: Passive, Active, and Predictive.
Passive Site surveys
- Passive surveys are listening surveys.
- They don't send any traffic to the network; they only monitor the radio frequencies in the area.
- This can detect other APs in the area, their signal strength, the channels in use, the signal-to-noise ratio in the area, and other useful information.
- This is the most common type of survey because it's simple and you don't need to install any APs.
- There are tons of different applications for performing passive surveys.
- You can even download free smartphone apps; however, smartphones aren't designed specifically for this, so they may not give you the most accurate results.
- Most home telecom boxes/access points also give you the option to perform a passive site survey from their admin portal.
Active Site Surveys
- Active surveys are a lot more in-depth.
- For an active site survey, you send and receive data on the network to get exact measurements.
- These are done when deploying and troubleshooting wireless networks, as you measure throughput rates and packet loss in addition to the information gathered in a passive site survey.
- When surveying a site, you typically create a wireless heat map to visualize the radio frequency strengths.
- Heatmaps are great because you can see where your problem areas are.
- Ekahau is the industry standard for active surveys at the moment, with fantastic heat mapping software.
Predictive Site Surveys
- A predictive survey is a simulated site survey.
- For example, in Sophos Central Wi-Fi you can upload an image of a to-scale floor diagram and place simulated access points to predict placement.
- Since you input an exact distance scale, this can give a good representation of access point range on your site.
- Check out the steps to do this here: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosCentral/ctrl_WirelessCreatingSites.pdf
- You can use many tools to do this, but remember that a simulation can only show range. It can't account for things like building materials and interference.
- All three types of surveys are useful; you can find many online tools to perform site surveys.
Access Point Hopping
- AP hopping is when a client device switches back and forth from one AP to another.
- This will result in very inconsistent Wi-Fi performance for the device.
- If you find a section of your site where devices access-point hop, increasing transmit power for one access point or decreasing transmit power for the other may be an acceptable solution.
Layer 3 Switches
- If your APs don’t connect directly to the gateway but via a layer 3 switch, create a static route for the “magic” IP 188.8.131.52 and route it to your XG.
- If you're using Sophos Central Wi-Fi, allow access to FQDN "wifi.central.Sophos.com".
Web Filtering/HTTPS Inspection
- There should not be any web filtering or HTTPS inspection applied to traffic destined to or originating from an AP, as this causes problems with registration for Sophos Cloud Wi-Fi.
- Under no circumstances should Wi-Fi be completely open to all (i.e. no password).
- As a general best practice, wireless network passwords should be changed frequently.
- More SSIDs mean more overhead.
- Be careful adding more SSIDs, as each one creates more management frames for your AP to handle, which could impact performance.
- Each access point can handle a maximum of 8 SSIDs. This includes the mesh SSID if mesh will be in use.
- Hiding your SSID won’t protect your wireless network, but it is a useful home network tip, as users attempting to connect need to know the SSID name.
- Great article on SSID overhead: https://www.revolutionwifi.net/revolutionwifi/2013/10/ssid-overhead-how-many-wi-fi-ssids-are.html
- We highly suggest using WPA2 (AES).
- Any device manufactured after 2006 with a “Wi-Fi” logo must support WPA2 encryption.
- Note: if your router only supports WEP encryption, please strongly consider upgrading.
- If you have ancient devices that only support WPA/TKIP and you must use a mixed mode (WPA/WPA2-PSK (TKIP/AES)), remember that throughput and performance are greatly reduced due to TKIP’s processing requirements (not to mention its security).
- We suggest using AES only, and a separate AP for the older wireless clients that only work with WPA/TKIP.
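As an added example (not from the article and not Sophos code), the following Python audit applies the recommendations above to a constructed list of SSID definitions: it flags an open network, WEP, TKIP mixed mode, a stale password, and more than 8 SSIDs on one AP. The record layout, the sample values and the 180-day rotation threshold are assumptions made for the example.

```python
"""Audit SSID definitions against the wireless security recommendations above.

Added example, not Sophos code. The SSID record layout and the sample values
are constructed for illustration and are not the Sophos Central or Sophos
Firewall configuration schema.
"""
from datetime import date

MAX_SSIDS_PER_AP = 8           # from the text: per-AP limit, mesh SSID included
MAX_PSK_AGE_DAYS = 180         # assumption: makes "changed frequently" measurable
AUDIT_DATE = date(2024, 7, 1)  # constructed "today" so results are reproducible

# Constructed sample configuration of one AP (not a real deployment)
SAMPLE_SSIDS = [
    {"ssid": "corp",     "security": "wpa2-psk",     "cipher": "aes",      "psk_changed": date(2024, 3, 1)},
    {"ssid": "guest",    "security": "open",         "cipher": None,       "psk_changed": None},
    {"ssid": "legacy",   "security": "wpa-wpa2-psk", "cipher": "tkip-aes", "psk_changed": date(2022, 5, 1)},
    {"ssid": "printers", "security": "wep",          "cipher": "wep",      "psk_changed": date(2021, 1, 1)},
]


def audit_ssid(entry: dict, today: date) -> list:
    """Return the findings for one SSID (an empty list means it passes)."""
    findings = []
    security = entry["security"]
    cipher = entry["cipher"] or ""
    if security == "open":
        findings.append("open network with no password is never acceptable")
    elif security == "wep":
        findings.append("WEP in use: upgrade the equipment")
    elif "tkip" in cipher:
        findings.append("TKIP mixed mode: use WPA2 (AES) only, move legacy clients to a separate AP")
    changed = entry["psk_changed"]
    if changed is not None and (today - changed).days > MAX_PSK_AGE_DAYS:
        findings.append(f"password last changed {(today - changed).days} days ago, rotate it")
    return findings


def audit_ap(ssids: list, today: date = AUDIT_DATE) -> dict:
    """Audit every SSID on one AP plus the AP-wide SSID count; keyed by SSID name."""
    report = {entry["ssid"]: audit_ssid(entry, today) for entry in ssids}
    if len(ssids) > MAX_SSIDS_PER_AP:
        report["_ap"] = [f"{len(ssids)} SSIDs configured, AP maximum is {MAX_SSIDS_PER_AP}"]
    return report


def passes(report: dict) -> bool:
    """True when no SSID and no AP-wide check produced a finding."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    for name, findings in audit_ap(SAMPLE_SSIDS).items():
        print(name, findings or "OK")
```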
Naked Security: 8 Tips to Tighten Your Work-From-Home Network
Paul Ducklin’s recent article on eight tips to tighten your work-from-home network includes some great advice for securing IoT devices such as webcams and smart speakers. The key points are:
- Only connect devices that you need to have online. Power down devices when you’re not using them.
- Make sure you know how to update your devices.
- Configure your devices correctly.
- Change any risky settings, such as default passwords.
- Check how much data you’re sharing.
- Put IoT devices on a ‘guest’ network if you can.
- Turn on ‘client isolation’ if available.
- Make sure you know who to turn to if you have a problem.
Read the full article for more information.
- Sophos Firewall: How to troubleshoot Sophos Access Points
- Sophos Central Wireless: FAQ
- Wireless Access Points Tech Specs
- Sophos Wireless Access Point: How to do a site survey
- Sophos Central Wireless: Creating Sites
- Creating Mesh Networks
- Government of Canada: Private Network Tips
- CISA: Securing Wireless Networks
- FTC: Securing Your Wireless Network
[edited by: Erick Jan at 1:30 AM (GMT -8) on 11 Jan 2024]