S 1.63 Adequate siting of access points
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Internal Services, Administrator
Secure mounting of access points
In order to prevent manipulation to the access points, they should be installed in metal housings or secured in place with metal brackets allowing them to be mounted on the wall. Installation in raised floors, intermediate ceilings, or suspended ceilings and the use of external antennas are possible. Depending on the shape of the antenna, even a specialist might not be able in this case to determine if the object is a fire detector or an antenna for an access point.
Spaces and locations in which untrustworthy persons may be present for a longer period of time without being observed (outdoor areas, stairwells) must not be considered as possible installation locations as a matter of principle when the access points will be visible and their shape is not disguised. However, access points without routing functionality can be installed in these areas. This prevents unauthorised persons from reading any detailed information on the structure of the network. This reduces the points of attack of the WLAN and a possibly connected LAN.
For a minimum level of protection, the access point should be securely bolted to a location inaccessible without additional tools or in a location hidden from view.
Positioning the access points
The position and direction of an access point have a critical influence on the transmission quality and throughput of a WLAN. In general, the emission of radio waves into areas which are not intended to be supplied by the WLAN should be reduced as much as possible. This does not only reduce the number of possible points of attack, but also improves the level of service to the coverage area actually desired. Directional antennas, which bundle the electromagnetic waves radiated in a certain direction and therefore achieve a directionally dependent amplification effect (referred to as the antenna gain), can be used to accomplish this. This amplification effect must be adjusted to match the transmission power of the access point. Some access points support adjustable settings for the transmission power. This way, the coverage area will be provided with the necessary signal strength while simultaneously making it more difficult to access the WLAN from outside this area, since only comparatively poor reception conditions prevail here now. A prerequisite for this is suitable positioning of the access point and of the antenna. This may be performed on the basis of a corresponding footprint measurement.
When outdoor areas are to be supplied, antenna installations (antennas and possibly access points) must be suitably protected against the effects of weather, electrical discharges, and unauthorised access. The installation of access points outside of buildings should be avoided if possible.
When mounting antennas on the rooftops of buildings, the antennas must be protected against lightning. The antenna must be correspondingly shorter than the lightning rod and must be placed sufficiently far away from the lightning rod. This also applies to high-voltage power lines, i.e. a certain distance must be maintained. Antennas installed outdoors which may be subject to hazardous electrical discharges (this always applies to antennas mounted on rooftops) should be connected to a special overvoltage protector which quickly detects and shunts current and voltage spikes. The overvoltage protection is mounted between the antenna and the access point (usually inside the building or in a comparably well-protected place) and must be provided with a sufficiently dimensioned earthing connection. Access points generally should not be installed in areas which could be subject to electrical discharges.
If, in special cases, the access points are installed outside of a suitably air-conditioned building, it must be ensured that the access points are adequately protected against moisture, frost, and heat. Outdoor antennas must be suitably protected against accumulations of snow. They must be mounted in a location protected from the wind or, if this is not possible, be mounted tightly enough so that even high-intensity winds will not change the direction of antenna.
Review questions:
- Are the access points protected against unauthorised physical accesses?
- Has a footprint measurement been conducted in order to determine the transmission range of the access points?
- Have the reception ranges of the WLAN accesses been restricted to the relevant ranges?
- WLAN antennas are mounted to the roofs of the buildings: Have the antennas been protected against lightning?
- WLAN antennas are mounted outdoors: Have safeguards against electrical discharges been taken?