You have probably seen a poster or other ad
indicating the availability of a “Wi-Fi Hotspot” in an airport, or even a McDonald’s
or Starbucks, but it didn’t mean a lot to you. Wi-Fi technology has been around
for a couple of years, but it has only recently become so commonplace that it
has attracted the notice of people who don’t eat, live and breathe computers.
This technology has the capacity to impact not only the way that law
enforcement and other public administrations wire their offices, but can also
be deployed as a vehicle for a wireless mobile network that does not involve
Wi-Fi, also known as 802.11x (pronounced “eight-oh-two-dot-eleven”
with an “a,” “b” or “g” on the end) is a networking protocol that allows
computers and other devices (printers, handheld PDAs, monitors, etc.) to communicate
with one another. In its simplest and most common form, a hardwired connection to
the Internet, via a telephone dial-up connection, cable modem or DSL line, is wired
to a Wi-Fi access point (AP).
The access point is a transmitter- receiver
that broadcasts a signal in the 2.4 or 5 GHz band to computers equipped with a
wireless local access network (WLAN) card. This WLAN card is itself a tiny transceiver,
capable of sending and receiving signals from the access point. The result is
that the AP and WLAN cards replace the need to string Category 5 (CAT5)
networking cables between computers in order to allow them to network.
802.11a is not especially common, but is
the fastest wireless LAN presently available; 802.11b is by far the most common;
and 802.11g is the in between model in terms of speed and appearance on the
market. 802.11g gear is backward-compatible with 802.11b, because they both use
the 2.4 GHz band. 801.11a uses the 5 GHz band. Each of these funny-sounding numbers
represents a standard developed by the Institute of Electrical and Electronics
Why is networking valuable? Networking
allows devices on the network to share resources. Resources include the
connection to the Internet, files that reside on one machine but not others,
printers, and servers that handle tasks such as routing and delivery of email. Most
computer networks are hardwired with CAT5 or fiber-optic cabling, and the
person using the network is only as mobile as the tether of the cable allows
him to be.
These networks are usually based on the
Ethernet protocol, a group of standards that allow these different manufacturers’
products to work with one another. An even simpler “network” called “sneakernet”
involves copying files to a floppy disk, then running down the hall with them
to a coworker’s computer. Without a network, every user who needs e-mail has to
have his own direct Internet connection, and everyone who needs to print files
needs their own printer, or is forced to use the sneakernet protocol.
Wireless networking involves the purchase
of specialized hardware, but it is often cheaper than the cost of buying cabling
and stringing it through the crawlspaces and ventilation ducts of a building.
Older buildings may have asbestos or heavy wall construction that precludes
this, anyway. There is also the advantage of not having to rewire the office
when people change desks or the arrangement of the room is otherwise revised.
Further, when workers have notebook computers
as their primary work machine, they can bring their computers to meetings and
still have the full capabilities of the network resources, so long as they
remain in range of the signal from the access point. If one access point is not
sufficient to serve an entire building, additional devices can be installed,
and the WLAN cards in each notebook will lock onto the strongest signal with no
intervention from the user.
The typical office-grade access point has
only 100 milliwatts of transmitter power, as it is not designed to have a range
of more than a few hundred feet. But because the 2.4GHz band is unlicensed, it
is possible to boost the power of these transmitters to as much as one watt,
which expands the range of the APs from hundreds of feet to tens of miles.
(Wi-Fi signals have been transmitted over distances of more than 60 miles under
ideal conditions and using special directional antennas.)
When the APs are placed strategically, they
can cover an entire community with few or no dead spots. This allows users in
the field to have the same access to network resources that they would have if
they were sitting in front of a computer in the police station. Small
communities that are beyond the reach of commercial mobile data networks or
previously regarded themselves as too tiny to have mobile data can get into the
big leagues with a Wi-Fi network for their cars and individual officers.
This is what has been done in Hermiston,
OR, a town of 13,000 served by a 25-officer department (see sidebar). Hermiston
is adjacent to the Umatilla Chemical Weapons Depot, an Army facility that
stockpiles tons of nerve and mustard gas agents that are earmarked for
destruction. The Chemical Stockpile Emergency Preparedness Program (CSEPP)
recognized the need for public safety agencies to be able to communicate with one
another and with the Army authorities in the event of a release of a chemical agent.
After exploring several methodologies, Wi-Fi was selected as the optimal
technology that offered the best balance of capability and cost.
To set up a Wi-Fi network, you need at
least one AP for the network, and a WLAN card for each computer that is to be
connected. The APs are widely available at electronics stores, and usually cost
less than $125. The AP is connected to the Internet source (a T-1, cable, DSL
or dial-up line) by a standard CAT5 networking cable, and usually also has a
hardwired connection to a server computer. Many APs also include a standard
two- or four-port network router for this purpose, so another piece of
equipment is unnecessary.
The client computers on the network need a
WLAN card. About 60% of the new notebook computers presently for sale have this
as a standard feature or an option, and there are advantages to having the WLAN
electronics installed internally. Most add-on WLAN cards are a little larger than
a credit card, and are installed in the computer’s PCMCIA slot. The card is fairly
well protected there, but the antenna for the card usually sticks out in the
form of some external nub or stub that can be damaged if the notebook is handled
roughly or placed into a case that hasn’t been configured to allow for the
The WLAN cards that are installed internally
often use an antenna wired into the display, so there are no stubs or nubs to
catch on anything, and will also have an on-off switch somewhere on the
computer. If you can buy your computers pre-wired with the WLAN cards, it is by
far the more preferable option.
Desktop machines usually communicate with
the wireless network by the use of a PC card that plugs in the innards of the
computer, much like a video or sound card, and will have an external antenna
poking out the back. There are also USB (Universal System Bus) attachments that
plug into a USB port on the computer, and work from a pack of card-size unit
that sits on the physical desktop.
Whichever mix of APs and WLAN devices you
use, it is a good idea to try to procure them from a single manufacturer. In
theory, and usually in practice, one company’s wireless gear will work with
another’s. However, setting up the network is often a tedious and challenging
job, and if you need to call the technical support line for assistance, the
support folks may refuse to help if there is another manufacturer’s product in
the mix. Technical support people like to assume that it’s the other guy’s
stuff, rather than theirs, that isn’t working, and will just tell you to straighten
out the problem with Brand X’s gear before you call them back.
Will you need assistance in setting up the
network? Maybe yes, maybe no. Windows XP Professional includes a “Zero
Configuration Wizard” that, ideally, will configure every machine on the
network for you and get them all to talk to each other. My personal experience with
the Zero Configuration Wizard is that I had to disable it and set all of the
options in Windows XP manually for each machine on the network.
If you are not comfortable with messing
with internal Windows settings, this will confound you. Computer publications
have rated Microsoft’s wireless hardware as being much easier to configure than
APs and WLAN cards from other manufacturers such as Belkin, Linksys and D-Link.
A major computer magazine recently rated Linksys as having “good” technical
support service, with Belkin and D-Link not doing so well.
Networks deployed over a large area are
called Wide-Area Networks or WANs as opposed to Local Area Networks, or LANs.
The best reason for using Wi-Fi to create a wide-area mobile data network is
cost. The hardware is much cheaper than the typical radio modem options, and
there are no recurring costs, as there will be if you go with a commercial
wireless provider like Sprint or AT&T.
If your intention is to use Wi-Fi to establish
a wireless mobile data network, the setup process is more or less the same as
the WLAN process, but your client computers will probably be using the Internet
to communicate with the databases and other network resources that you connect
with directly in the station. In a few cases, you might be able to engineer a
direct connection between the AP in the field and the server in the station,
but this often requires the use of costly leased telephone data lines that eat
up the savings the WAN was supposed to create in the first place.
The remote access point can be placed
anywhere that it is going to command a line-of-sight connection with units in
the field. Most cities have water towers, utility poles, or other structures
that can be used to establish the “high ground” foundation for the access
point, or a private building owner may agree to allow the installation.
Wireless access points typically broadcast
in an omnidirectional mode, which may not be desirable. If the access point is
on the perimeter of the service area, some of the signal output of the access
point will be wasted. A directional antenna, sometimes called a yagi antenna,
can not only boost the signal, but confine it to the area where it will be of
greatest use. There are certainly commercial antennas available for purchase,
but a person who is handy with radio hardware may be able to rig one for little
or no cost. One directional antenna used for “war driving” (more about this
later) expeditions is constructed on the foundation of a Pringles potato chip
can and aluminum foil.
A typical wide-area wireless network might
be set up this way: the connection to internal and criminal justice databases
is made via a hardwired connection at the police station. The server that
handles the database connection has a wireless access point connected to it, so
users within range of the access point in the station can use the databases and
other network resources without having to be tethered to an Ethernet CAT5
cable, while others use a conventional hardwired connection.
In the field, officers with WLAN cards in
their car-mounted computers or handheld computers link up with the network via
a wireless access point mounted on a high building. The AP has a hardwired
connection to the Internet via a cable modem or DSL line. Communication between
the field units and the server at headquarters is via the Internet, encrypted
and protected from intrusion and/or interception by a firewall that will allow
messages from the field units, but reject others.
It might be necessary to create multiple access
points around the operational area, depending on the size and the geography of
the area. While the signals between the access points and client computers aren’t
stopped completely by obstacles, they don’t penetrate them as readily as
lower-frequency signals (such as those in conventional police radio) do.
Higher radio frequencies tend to be absorbed
by geographical features like dirt and rocks, and the frequencies used in Wi-Fi
are in the 2.4 GHz and 5 GHz bands, three to six times the frequency of the 800
MHz bands that are usually the highest used in public safety communications.
Each access point will need its own connection to the Internet, so it’s
important to take these costs into consideration in your planning.
Security is a factor in any police communications
system, but it’s even more important with wireless networks. With a
conventional hardwired network, you can physically inspect the cabling and
other connections between the client and server computers and see if there has
been any unauthorized taps into the wiring. With wireless systems, you are
broadcasting your data into the ether that is beyond your control, and if it is
not properly protected, it can be intercepted, or a hacker may be able to access
your system and explore it for his own purposes.
There are several methods of protecting a
wireless network from intrusion, and in a public safety system, they should all
be used. A favorite pastime of hackers is a technique called “war driving,”
where potential invaders drive around office buildings and other areas where
wireless nets are likely to be installed, “sniffing” the 2.4 GHz band for
signals. This can be done with any laptop equipped with a WLAN card, as Windows
XP will cause a pop-up message to appear when the card detects an active
There is also now available a small device,
about the size of a vehicle remote control, that will light up in the presence
of a wireless network signal. It sells for less than $40. Many businesses and
home users set up wireless networks without changing the default security
settings, when there are any security features enabled at all. These are easy
pickings for the hacker, who can then use the free Internet service for his own
purpose, or start exploring the computers on the network to see what might be
Most of these intrusions are motivated by
no more than the prospect of getting a broadband Internet connection to use for
free, or simple curiosity in wandering around on someone else’s computer.
However, the free broadband connection can be used to upload or otherwise
traffic in illegal software, pornography, or other forbidden fruits, and if the
source of these is traced back, someone on the victim’s network will appear to
be the originator.
There are two basic methods for securing a
wireless network. The older and more vulnerable of these techniques is called
Wired Equivalent Privacy, or WEP. WEP requires the use of a passkey that can be
up to 26 characters long, and must be installed on every computer on the
network. The problem with WEP is that an intruder can monitor the traffic on
the network, and once enough has been intercepted, the access key can be
divined using software in wide use by hackers.
A successor to WEP, and one that provides
considerably better security, is WPA, or Wi-Fi Protected Access. Most newer
Wi-Fi equipment comes with WPA built in, and older models can often be updated
by downloading a new version of firmware from the manufacturer’s Web site
(firmware is a type of software that resides in a device’s non-volatile
Most computers have BIOS or Basic
Input/Output System firmware loaded into a chip on the device’s motherboard.
WPA uses improved date encryption through the temporal key integrity protocol,
where the encryption keys themselves are scrambled using a hashing algorithm
and an integrity-checking routine that ensures that the keys haven’t been
WPA also uses the MAC addresses of each
device on the wireless network to ensure that the device is authorized to
access the network. MAC (the acronym stands for Media Access Control) addresses
are unique and assigned to each network device at the factory. By allowing only
devices with registered and approved MAC addresses to access the network, “strangers”
can be denied access. WPA encrypts the MAC address itself using Extensible
Authentication Protocol (EAP), for a belt-and-suspenders approach to wireless
Even if your wireless network is using WEP
instead of WPA security, there are other methods of improving security on a
wireless network. By default, wireless networks broadcast their presence to any
receiver within range. Each network has a Service Set Identifier (SSID) that
shows in a list of available networks. The default SSID of a network is often
the name of the manufacturer that made the AP, e.g. “LINKSYS” or “BELKIN.” If
one of these default names shows up in a list of networks available to an
intruder, it is a near-dead giveaway that the network has been set up
carelessly and does not have the various security protocols enabled.
There are two ways to close off this avenue
of intrusion. One is to change the SSID to something other than the default,
and even better, to something that doesn’t indicate the owner. Thus, rather
than call your wireless network “ANYTOWNPD,” call it “X5000,” or “GREENBEANS”
or something that doesn’t give a clue as to who owns it. Then, turn off
broadcasting of the SSID entirely. A determined hacker with a signal detector
will be able to tell that there is an active AP in the area, but won’t be able
to ferret out the SSID (which is necessary to connect) without some more
extensive effort. Authorized users who know the SSID and who have the proper
network key will be able to connect easily.
The last method for securing your wireless
network is the simplest, and yet the most-often ignored: enforce strong
password usage. People generally choose passwords which are easy to guess and
won’t survive a brute force attack with a dictionary trying every possible
combination of known words. They also tend to write them down at obvious
locations near or on their computers.
Strong passwords have at least eight characters,
are a mix of uppercase, lowercase, numbers and punctuation, and are either
random or form nonsense words that may or may not have meaning to the user. “7y&F#ag!@”
is a strong password, “NUMBERONECOP” isn’t. By substituting some look-alike
characters for letters in an easily remembered phrase, one can come up with a
strong password that is also meaningful. For instance, “LAWANDORDER” can be
transformed into “2aW&0rd3R” with a little imagination.
Your 26-character network key is a form of
password, and is usually generated from a shorter passphrase. Make the
passphrase a likewise meaningless string of characters, and change it once a
month. Every user will need to change his network key at the same time to match
the one at the access point, but that takes less time than auditing your
network to see what damage an intruder may have done when he gained
Tim Dees is a former officer who
writes and consults about applications of technology in law enforcement. He can
be reached at (509) 585-6704 or by e-mail at firstname.lastname@example.org.