Thursday, 1 December 2011

Bad Wi-Fi Never Dies

I am currently in hospital because well, you know, needles are fun and I am sadistic. After going nuts without any mental stimulation all day I finally got a hold of my laptop and was curious to check out the WLAN environment.

Up until now all I could tell was that Cisco 1130 APs are used. The AP density seems to be overly high but without knowing whether some are used for security or location (monitor mode) it is hard to sure. I lost track of those APs with a blue ring after being moved down countless corridors ;).

I am in the bowel of a large hospital and I can't see many APs but despite this I have noticed a number of issues from the small sample size (5 APs). The low AP count is likely to stem from the fact that the hospital was built in the 1850s and therefore the walls are as thick as one would expect - top quality craftsmanship from the convicts!. The particular walls of my room are no doubt newer but this stuff ain't no drywall! Oh, this floor or section of the floor clearly has no APs deployed either.

Five APs and five Wi-Fi sins
  • 2 x APs on adjacent channels (channels 2 and 8 in this case);
  • 1 x AP using a 40 MHz channel at 2.4 GHz;
  • 2 x APs running WEP;
  • 1 x AP running WPA using the TKIP cipher (WPA w/TKIP still hasn't been cracked in any useful way so this may not be a massive issue but WPA2 w/AES is preferred);
  • 50% of packets transmitted at 802.11b rates (lower than I usually see but far from fantastic).
Interestingly, there are some 802.11b-only devices (bad) but they are probing for WLANs at 11 Mbps. This is a good thing assuming the lower 802.11b data rates have been disabled on the WLAN they are trying to connect to. If you must support 802.11b-only clients, just supporting 11 Mbps is recommended assuming cell coverage allows for it. The MAC OUI vendor of the clients originating these probes is Abbott Labs HPD and a quick search confirms that Abbott Laboratories is a <markting spiel removed> health care company. This makes sense as hospitals are one of the remaining places that you may still find 802.11b-only clients as Wi-Fi equipped medical equipment will generally have a longer usable life than your average laptop. Likewise, WEP and WPA-TKIP may be supported as these 802.11b devices are unlikely to support WPA2 with AES. If you must run WEP still, Dynamic WEP is preferred (if available) along with MAC filtering and one of the few times SSID hiding is recommended. A separate tightly ACLed subnet would be good too. Multiple layers to the onion, no matter how easy to peel ;)

Even though the particular area I am currently in only has a small amount of Wi-Fi activity, many bad practices can be seen with a dash of best practice thrown in. Oh, one last thing - according to the nurse I hit up, Vocera badges don't recognise Irish accents very well and there are an influx of them in Perth at the moment (Irish people; not Vocera badges :)). Something to do with the Western Australian mining boom and Ireland in the hole, one suspects ;)

No comments:

Post a Comment