Sophos Wireless: Wi-Fi Fundamentals

FormerMember

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Overview  

When deploying a new wireless network or making changes to an existing network, there are a lot of factors to consider: interference, channel selection, speeds, and many other pieces of the puzzle. This can be a complicated process, so we've put together some info to get you started on the right foot and help you avoid problems like slow or inconsistent connections.

We’ll be going over the following: 

This article is accompanied by our video: Sophos Wireless: Wi-Fi Fundamentals

 

This Community guide will cover all of the same topics, for those who prefer reading.


 

Wireless Frequency Fundamentals

  • Let's start by talking about frequencies. Wireless networks can operate on 2 different frequency bands: 2.4 GHz and 5 GHz.
  • Both frequencies are susceptible to interference from the environment, like solid objects and other radio frequencies.

2.4GHz

  • The 2.4GHz frequency can penetrate objects better than 5 GHz, so it can achieve a longer range in your environment. 
  • It's a more shared frequency band: other devices like cordless phones, microwaves, and Bluetooth devices also use 2.4 GHz, so they can cause interference on a 2.4 GHz network.
  • The 2.4 GHz frequency band has 11 different "channels" which data can be transmitted on, but only 3 channels (1, 6, and 11) are non-overlapping.
  • This means 1, 6, and 11 are the only channels we can use without running into channel overlap issues.
  • We’ll talk more about channels shortly. 

5GHz

  • Our other frequency band option is 5 GHz.
  • 5 GHz is less susceptible to channel interference but more susceptible to signal degradation.
  • 5 GHz is a higher frequency, so its waveforms are much smaller and faster than 2.4 GHz.
  • It's more difficult for higher frequencies to penetrate objects, but they have a faster transmission rate, meaning much faster potential speeds.
  • 5 GHz has 24 non-overlapping channels, so there are a lot more options to choose from. Because of that, its channels are less likely to get congested due to high traffic, or to interfere with one another if multiple APs are close together.
  • Not all devices support 5 GHz, so make sure to evaluate your client device requirements and your AP capabilities before selecting a band to use.
  • We'll talk more about that in the network requirements section.

Channels

  • The concept of channels can be a bit confusing, but here at Support we see a lot of cases caused by misconfigured channel selection and width, so it's very important to understand.
  • Basically, each frequency band (2.4 GHz or 5 GHz) can have dedicated lanes that traffic can be transmitted on.
  • The more data being transmitted on one lane, the more likely congestion is to occur.
  • So if your network and a neighboring network, for example, are both using 2.4 GHz on channel 1, it's potentially double the traffic on channel 1. This can cause major Co-Channel Interference (CCI) for both networks.
  • Co-Channel Interference: crosstalk from 2 different radio transmitters or antennas on the same channel.
  • When this happens you could experience anything from slow Wi-Fi to completely unusable Wi-Fi, even though your device shows as fully connected.
  • In this scenario, it's best to switch your AP to a different non-overlapping channel, like channel 6 or 11, and this should resolve the issue.
  • A channel is essentially a segment of the frequency band and can be 20, 40, 80, or 160 MHz wide.
  • 2.4 GHz can only accommodate channels a maximum of 40 MHz wide, since the entire range is only 72 MHz wide: 2.401-2.473 GHz.
  • The wider the channel, the more throughput capability it has, which means potentially faster Wi-Fi.
  • Think about channel width like a highway: if you double the number of lanes, you can double the amount of traffic.
  • This comes at a price, however: the wider each channel is, the fewer channels you have, and in particular the fewer non-overlapping channels you have.
  • This raises the likelihood of Adjacent Channel Interference occurring.
  • Adjacent Channel Interference happens when 2 or more channels overlap with each other.
  • For example, if you had 2 APs using 2.4 GHz, one on channel 1 and one on channel 2, the signals will interfere with each other because those 2 channels overlap.
  • In this situation, you would want to choose channel 1 for the first AP, and channel 6 or 11 for the second AP, because they don't overlap.
  • Essentially the same resolution as our first scenario.
  • In most networks, we tend to keep channels at a maximum width of 20 or 40 MHz to increase the number of non-overlapping channels we have to work with, but obviously that means we are sacrificing potential throughput.
  • If you plan on using 5 GHz with 80 or 160 MHz channels, yes, you can get great speeds, but make sure you're either not near other networks or really plan your channel selection well.
  • Automatic Channel Selection: 
    • Like many Access points, Sophos APs can actually be configured with automatic channel selection, so the AP will detect the channel with the least amount of traffic, and switch to that channel. 
    • This is convenient in simple setups like a home or a small office with few APs, but in High-Density environments deploying many APs, it may be best to statically assign channels to ensure APs aren't constantly switching between channels. 
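
The co-channel and adjacent-channel cases described above can be checked against passive scan results with a short script. This is an added example, not part of the original guide or any Sophos tool; the scan entries are constructed, and the scoring rule (each audible interferer adds its signal margin above a -85 dBm floor) is an assumption made for illustration.

```python
# Added example (not from the original guide): classify neighbours seen in a
# passive scan as co-channel (CCI) or adjacent-channel (ACI) interferers on
# 2.4 GHz, then pick the least-contended of channels 1, 6 and 11.
CHANNEL_WIDTH_MHZ = 22   # ch 1 spans 2401-2423 MHz, ch 11 spans 2451-2473 MHz
NON_OVERLAPPING = (1, 6, 11)

# Constructed scan results: (ssid, channel, signal in dBm).
SCAN = [
    ("corp-ap-2", 1, -48),
    ("neighbour-a", 1, -60),
    ("neighbour-b", 2, -70),
    ("cafe", 6, -80),
    ("printer-direct", 9, -75),
    ("far-away", 11, -90),
]

def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in the 1-11 plan used above."""
    if not 1 <= channel <= 11:
        raise ValueError(f"not a channel in the 1-11 plan: {channel}")
    return 2407 + 5 * channel

def classify(own, other):
    """Return 'CCI', 'ACI' or 'clear' for a neighbour relative to our channel."""
    if own == other:
        return "CCI"
    if abs(center_mhz(own) - center_mhz(other)) < CHANNEL_WIDTH_MHZ:
        return "ACI"
    return "clear"

def score(candidate, scan, floor_dbm=-85):
    """Assumed scoring: each audible interferer adds its margin above floor_dbm."""
    total = 0
    for _ssid, channel, rssi in scan:
        if rssi >= floor_dbm and classify(candidate, channel) != "clear":
            total += rssi - floor_dbm
    return total

def best_channel(scan):
    """Least-contended non-overlapping channel for this scan."""
    return min(NON_OVERLAPPING, key=lambda ch: score(ch, scan))

def report(own, scan):
    """Map each neighbour SSID to its interference class for our channel."""
    return {ssid: classify(own, ch) for ssid, ch, _rssi in scan}

if __name__ == "__main__":
    print(report(1, SCAN))
    print({ch: score(ch, SCAN) for ch in NON_OVERLAPPING}, "->", best_channel(SCAN))
```
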

  

Network Requirements

  • Next, let's talk about the needs of your own network. 
  • You need to identify the following information to help you plan your Wireless network design: 
    • Applications that will be in use on the network 
    • Number of simultaneous clients 
    • Types of clients 
    • Areas to be covered 
    • Power Availability 

Application Requirements

  • Different applications have different throughput requirements. For example:
  • VoIP has a minimum required bandwidth of 100 Kbps up and down, but 3 Mbps is recommended: https://www.phone.com/much-bandwidth-need-voip/
  • A 1080p HD video stream has a recommended bandwidth requirement of 5 Mbps, and 4K streaming has a recommended 8-20 Mbps: https://help.netflix.com/en/node/306
  • None of these sound like a lot, but if you have 50 users on Skype calls simultaneously, you need at least a 150 Mbps network to meet the recommended throughput requirements.
  • So take note of what applications will be in use, and make sure to find out their throughput requirements.
  • You always want to ensure your network can handle more than required, because more bandwidth than needed will result in far fewer frustrated users than not enough.

Number of Simultaneous clients

  • Most networks have more than one user, so knowing the number of simultaneous users/devices on your network is extremely important.
  • Wi-Fi is "Half-Duplex", a turn-by-turn system, meaning every device takes turns transmitting and receiving data, and not all at the same time.
  • An AP can either receive or transmit data at a given moment.
  • So 50 users on your network means they're all taking turns sending and receiving data, even though it seems seamless when deployed well.

Types of clients

  • Next, you want to know the types of client devices that will be on the network. 
  • Different devices use different wireless technologies housed under the 802.11 protocol suite.
  • Take a look at this chart:

| Tech | Bands (GHz) | Speed (Mbps) | Channel Width (MHz) | Spatial Streams |
|---|---|---|---|---|
| A | | 54 | 20 | |
| B | 2.4 | 11 | 20 | |
| G | 2.4 | 54 | 20 | |
| N | 2.4/5 | 600 | 20/40 | |
| AC | 5 | 1300 | 20/40/80/160 | |

  • Each standard of the protocol supports different bands and speeds as we can see, the fastest being 802.11 AC, which only supports 5 GHz. 
  • Many modern devices will use 802.11n, which supports both 2.4 and 5 GHz and is backward compatible. This is not all devices, however, so it's important to know what the devices in your network require.
  • 802.11 A, B, and G are older wireless technologies, so they have slower transmission speeds.
  • If you have legacy devices in your network this can actually slow down your network speeds dramatically, since each device takes turns transmitting and receiving data. 
  • The N and AC devices may be speeding along, but they may get slowed down waiting behind the B devices for example. 
  • When deploying you can use a setting called band steering to direct 5 GHz clients to use 5GHz, and 2.4 GHz clients to use 2.4 GHz. 
  • This is basically like creating a fast lane on a highway so the faster clients don't get slowed down. 
  • The newer Sophos APX series access points support all the 802.11 standards we just spoke about, however, the older AP series vary per model.  
  • This is important because that means each AP will support different devices, and different speed/frequency capabilities. 
  • All Access points and their specs are listed here: https://www.sophos.com/en-us/products/secure-wifi/tech-specs.aspx 
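
To put numbers on how legacy clients slow a shared radio, and on what band steering changes, here is a small turn-taking model using the chart speeds above (802.11b at 11 Mbps, 802.11ac at 1300 Mbps) and the 50-user, 3 Mbps VoIP case from the Application Requirements section. This is an added example, not part of the original guide; it assumes every client moves the same amount of data per turn and ignores protocol overhead, so the figures are upper bounds.

```python
# Added example (not from the original guide): equal-turn airtime model.
# Assumption: every client sends the same amount of data per turn and
# protocol overhead is ignored, so results are upper bounds.
AC_RATE, B_RATE, VOIP_MBPS = 1300, 11, 3   # Mbps, taken from the guide's figures

def per_client_mbps(link_rates_mbps):
    """Throughput each client gets when all clients on one radio take equal turns."""
    if not link_rates_mbps:
        raise ValueError("cell has no clients")
    # One round moves 1 Mbit per client and takes sum(1/rate) seconds.
    return 1.0 / sum(1.0 / rate for rate in link_rates_mbps)

def cell_report(link_rates_mbps, demand_mbps):
    """Summarise one radio: client count, per-client share, aggregate, verdict."""
    share = per_client_mbps(link_rates_mbps)
    return {
        "clients": len(link_rates_mbps),
        "per_client_mbps": round(share, 2),
        "aggregate_mbps": round(share * len(link_rates_mbps), 1),
        "meets_demand": share >= demand_mbps,
    }

def band_steer(clients):
    """Split (rate, supports_5ghz) clients into a 5 GHz cell and a 2.4 GHz cell."""
    five = [rate for rate, ok5 in clients if ok5]
    two4 = [rate for rate, ok5 in clients if not ok5]
    return five, two4

# Constructed client populations for the 50-user VoIP case.
MODERN_ONLY = [(AC_RATE, True)] * 50
MIXED = [(AC_RATE, True)] * 45 + [(B_RATE, False)] * 5

def scenarios():
    """Compare one shared radio against band-steered 5 GHz and 2.4 GHz cells."""
    five, two4 = band_steer(MIXED)
    return {
        "50 AC clients, one radio": cell_report([r for r, _ in MODERN_ONLY], VOIP_MBPS),
        "45 AC + 5 B, one radio": cell_report([r for r, _ in MIXED], VOIP_MBPS),
        "steered: 5 GHz cell": cell_report(five, VOIP_MBPS),
        "steered: 2.4 GHz cell": cell_report(two4, VOIP_MBPS),
    }

if __name__ == "__main__":
    for name, rep in scenarios().items():
        print(f"{name}: {rep}")
```

In this model five 802.11b clients pull the shared cell's aggregate from 1300 Mbps to roughly 102 Mbps, below the 150 Mbps the 50 calls need; after steering, the 5 GHz cell meets the requirement again while the legacy cell still does not.
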

MIMO

  • Wireless devices can use multiple antennas to transmit more data, through a process called MIMO (Multiple In Multiple Out).
  • A Laptop, for example, can have up to 3 antennas, whereas a smartphone usually only has 1 or 2 to conserve battery power. 
  • Let's take a look at this chart:  

| Streams | 20 MHz Channel Width | 40 MHz Channel Width | 80 MHz Channel Width |
|---|---|---|---|
| 1 Stream | 87 Mbps | 200 Mbps | 433 Mbps |
| 2 Streams | 173 Mbps | 400 Mbps | 866 Mbps |
| 3 Streams | 289 Mbps | 600 Mbps | 1300 Mbps |

  • This chart shows the potential maximum speeds per number of spatial streams (antennas) for 802.11 AC.
  • We can see that with 1 spatial stream, or 1 antenna, on a 20 MHz channel, the max bandwidth is 87 Mbps, but with 3 streams it's 289 Mbps.
  • So if your wireless devices only have 1 antenna, even if you're using 802.11 AC, the maximum throughput for that device is 433 Mbps when using an 80 MHz channel.
  • If you're deploying many access points, chances are you can't use 80 MHz channels, as you would limit the number of non-overlapping channels available, so you're more likely using 20 or 40 MHz, meaning those devices can have a maximum throughput of 87 or 200 Mbps.
  • So no matter how fast your access point is, your network is really only as fast as the clients that use it.

Areas to be covered

  • The next thing you definitely want to know is the areas that need coverage. 
  • Make sure you note areas that need heavy coverage. For example, if the majority of users are connected in one section of an office (High Density), the APs in that area may have significantly more simultaneous clients connected to them.
  • This could mean you need more APs in that area to distribute the traffic which will require more planning. 
  • Sophos APs have been tested with 60 devices connected at once all transmitting data, with little degradation, but every network will vary depending on the applications and environment. 
  • It's generally a good rule to limit simultaneous clients on each AP to around 30. 
  • Again this number changes depending on your network. 
  • Another thing to keep in mind is that different building materials can affect wireless signals significantly. 
  • Drywall and insulation will block far less signal than thick concrete, however, in some parts of the world, there might be a metallic coating between the drywall and insulation that actually blocks wireless signals significantly. 
  • If your site has wood or metal covered walls, depending on the thickness this could also seriously impede the signal.  
  • So keep that in mind when planning, and be sure to find out what building materials are used if you're experiencing issues.
  • Great article on building materials and Wi-Fi: 
  • https://www.signalbooster.com/blogs/news/how-much-which-building-materials-block-cellular-wifi-signals 

Power Availability

  • In terms of power availability, Sophos APs can be powered through Power over Ethernet, or DC power. 
  • Some AP models can be powered through both, while some only PoE, so be sure to know what your APs require. 
  • Make sure you know what infrastructure your site has available for PoE, and keep in mind APs can require more power on boot than advertised, so be sure your PSE can supply more than the minimum requirements.
  • If an Access point doesn't receive enough power it can start rebooting randomly. 
  • The more enterprise APs support 802.11at while the smaller APs support 802.11af.
  • Again reference https://www.sophos.com/en-us/products/secure-wifi/tech-specs.aspx#ap-series to check AP specifications.

 

Site Surveys and Heatmaps

Note: Sophos has a wireless pre-sales desk that can help conduct site surveys. Please contact your sales person or sales engineer for more information.

Site Surveys

  • Now the best way to plan your wireless deployment specific to your site is to perform a site survey. 
  • There are 3 types of site surveys, Passive, Active, and Predictive. 

Passive Site surveys

  • Passive surveys are listening surveys.
  • They don't send any traffic out to the network; they just monitor radio frequencies in the area.
  • This can detect other APs in the area, their signal strength, the channels in use, the Signal to Noise ratio in the area, and other useful information. 
  • This is the most common type of survey, because it's simple and you don't actually need to have any APs installed.
  • There are tons of different applications to perform passive surveys. 
  • You can even download free apps for smartphones, however, Smartphones aren't designed specifically to do this so it may not give you the most accurate response. 
  • Most home telecom boxes/access points also give you an option to perform a passive site survey in their admin portal.

Active Site Surveys

  • Active surveys are a lot more in-depth.
  • For an Active site survey, you send and receive data on the network to get exact measurements. 
  • These are done to deploy and troubleshoot wireless networks, as you measure things like throughput rates, packet loss, as well as all of the information in passive site surveys. 
  • When actively surveying a site you typically create a wireless heat map to get a visual on the radio frequency strengths. 
  • Heatmaps are great because you can really see where your problem areas are.
  • Ekahau is basically the industry standard for active surveys at the moment with fantastic heat mapping software: 
  • https://www.ekahau.com/products/ekahau-connect/pro/ 

Predictive Site Surveys

  • Predictive surveys are simulated site surveys.
  • For example, in Sophos Central Wi-Fi you can upload an image of a to-scale floor diagram and place the simulated access points to predict placement.
  • Since you input an exact distance scale, this can show a good representation of access point range on your site.
  • Check out steps to do this here: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosCentral/ctrl_WirelessCreatingSites.pdf
  • You can use many tools to do this, but remember a simulation can really only show range; it can't account for things like building materials and interference.
  • All three types of surveys are useful and there are tons of tools you can find online to perform site surveys.

 

Additional Considerations

AP Hopping

  • If you find that there is a section of your site where devices AP hop, either increasing transmit power for 1 AP or decreasing transmit power for the other may be an acceptable solution. 
  • AP hopping is when a client device switches back and forth from one AP to another.
  • This will result in very inconsistent Wi-Fi performance for the device.

Layer 3 Switches

  • If your APs do not connect directly to the gateway and connect via a layer3 switch, create a static route for the “magic” IP 1.2.3.4 and route to your XG.  
  • If you're using Sophos Central Wi-Fi, allow access to FQDN "wifi.central.Sophos.com". 

Web Filtering/HTTPS inspection

  • There should not be any web filtering or HTTPS inspection applied to traffic destined to or originating from an AP, as this causes problems with registration for Sophos Cloud Wi-Fi.

Passwords

  • Under no circumstances should Wi-Fi be completely open for all (i.e. no password).
  • As a general best practice, wireless network passwords should be changed frequently.

SSIDs

  • More SSIDs means more overhead.  
  • Be careful adding more SSIDs as this can create more management frames from your AP to handle, which could impact performance. 
  • Each AP can handle a maximum of 8 SSIDs. This includes the mesh SSID if the mesh will be in use. 
  • Hiding your SSID will not protect your wireless network, but it is a useful home network tip, as users attempting to connect will require knowledge of the SSID name.
  • Great article on SSID overhead: http://www.revolutionwifi.net/revolutionwifi/2013/10/ssid-overhead-how-many-wi-fi-ssids-are.html 

Encryption

  • We highly suggest using WPA2 (AES).
    • Any device manufactured after 2006 with a "Wi-Fi" logo must support WPA2 encryption.
    • Note: If your router only supports WEP encryption, please strongly consider upgrading.
  • If you have ancient devices that only support WPA/TKIP and you must use a mixed mode (WPA/WPA2-PSK (TKIP/AES)), remember that throughput and performance are greatly reduced due to TKIP's processing requirements (not to mention security).
    • We suggest using AES only and using a separate AP for the older wireless clients that only work with WPA/TKIP.
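
The Passwords, SSIDs and Encryption recommendations above can be checked against an inventory of configured networks. This is an added example, not part of the original guide and not a Sophos export format: the inventory is constructed, and the field names, mode strings and finding labels are assumptions.

```python
# Added example (not from the original guide): audit an SSID inventory against
# the recommendations above. Field names and mode strings are assumptions.
import re
from collections import Counter

MAX_SSIDS_PER_AP = 8  # per the guide, mesh SSID included

# Constructed inventory of configured networks.
INVENTORY = [
    {"ap": "ap-lobby", "ssid": "corp", "mode": "WPA2-PSK (AES)", "hidden": False},
    {"ap": "ap-lobby", "ssid": "guest", "mode": "Open", "hidden": False},
    {"ap": "ap-lobby", "ssid": "scanners", "mode": "WPA/WPA2-PSK (TKIP/AES)", "hidden": True},
    {"ap": "ap-dock", "ssid": "legacy", "mode": "WEP", "hidden": False},
]

def parse_mode(mode):
    """Split 'WPA/WPA2-PSK (TKIP/AES)' into ({'WPA', 'WPA2'}, {'TKIP', 'AES'})."""
    m = re.fullmatch(r"\s*([\w/]+?)(?:-PSK)?\s*(?:\(([\w/]+)\))?\s*", mode)
    if not m:
        raise ValueError(f"unrecognised mode: {mode!r}")
    protos = set(m.group(1).upper().split("/"))
    ciphers = set((m.group(2) or "").upper().split("/")) - {""}
    return protos, ciphers

def audit(inventory):
    """Return (ap, ssid, issue) tuples for every deviation from the guidance."""
    findings = []
    for ap, count in Counter(e["ap"] for e in inventory).items():
        if count > MAX_SSIDS_PER_AP:
            findings.append((ap, "*", "too-many-ssids"))
    for e in inventory:
        protos, ciphers = parse_mode(e["mode"])
        if protos == {"OPEN"}:
            issue = "open-network"
        elif "WEP" in protos:
            issue = "wep"
        elif "TKIP" in ciphers or "WPA" in protos:
            issue = "tkip-or-mixed-mode"   # costs throughput as well as security
        else:
            issue = None
        if issue:
            findings.append((e["ap"], e["ssid"], issue))
        if e["hidden"]:
            findings.append((e["ap"], e["ssid"], "hidden-ssid-adds-no-protection"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="  ")
```
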

More information - Naked Security: 8 Tips to Tighten Your Work-From-Home Network

Paul Ducklin’s recent article on 8 tips to tighten your work-from-home network included some great advice for securing IoT devices such as webcams and smart speakers. His key points are:

  • Only connect devices that you really need to have online. Power down devices when you’re not using them.
  • Make sure you know how to update your devices.
  • Configure your devices correctly
  • Change any risky settings, such as default passwords
  • Check how much data you are sharing
  • Put IoT devices on a ‘guest’ network if you can
  • Turn on ‘client isolation’ if available
  • Make sure you know who to turn to if you have a problem

Read the full article for more information.

Updated Disclaimer
[edited by: Erick Jan at 2:06 PM (GMT -7) on 17 Apr 2023]