Technical Proposal Undergraduate 3,270 words

Low-Cost Wireless LAN Design for Davis Networks Inc.

Abstract

This paper presents a comprehensive proposal for implementing a cost-effective wireless local area network (WLAN) for Davis Networks Inc. The design leverages five wireless access points with omnidirectional and directional antennas to extend high-speed internet connectivity from a central Computer Center building to surrounding facilities within 500–1,000 meters. The proposal emphasizes affordability (USD 800–1,000), security through VPN and firewall architecture, scalability via centralized authentication, and user accessibility through infrastructure mode networking. Key components include iptables-based firewalls, DHCP servers, DNS forwarders, and a pinger system running on Linux. The paper outlines requirements analysis, site surveys, system design, testing, installation, and operational support planning while addressing security vulnerabilities in WEP encryption and proposing alternatives such as LEAP and VPN integration.

How to Write This Type of Paper

What makes this paper effective

  • Clearly structured proposal format with distinct sections for introduction, requirements, design, implementation, and deliverables that guide readers through the complete project scope.
  • Concrete technical specifications—five wireless access points, 802.11b/g protocols, 2.4 GHz frequency band, specific firewall components (IPTable, DHCP, DNS forwarder)—demonstrate engineering rigor and measurable implementation criteria.
  • Addresses real-world constraints explicitly: obstacles like electric poles and trees, interference from spectrum scarcity, documented weaknesses in WEP encryption, and practical solutions (VPN, alternative protocols, bandwidth management).
  • Balances cost sensitivity with security requirements, showing how centralized authentication and dual-homed firewall architecture achieve affordability without sacrificing audit trails or access control.

Key academic technique demonstrated

The paper employs problem-solution framing within a formal proposal structure. Rather than presenting isolated technical details, each component (wireless access points, firewall architecture, security protocols) is introduced by identifying a specific constraint or vulnerability it solves. For example, WEP weaknesses trigger discussion of LEAP and VPN alternatives; spectrum interference prompts explanation of 802.11g advantages; scalability concerns justify centralized authentication design. This approach makes technical choices transparent and justifiable.

Structure breakdown

The paper follows standard technical proposal architecture: (A) Introduction with summary, related work review, and project rationale establishes context; (B) Goals and Objectives (ease of use, scalability, low cost, security) define success criteria; (C) Project Deliverables detail infrastructure, firewall components, and implementation timeline. Within sections, subsections use descriptive headings (e.g., "Infrastructure Mode," "Discovery Process," "Firewall Components") to signal shifts between conceptual background and operational specifics. Citations are distributed throughout to anchor claims in published research and standards documents.

Introduction and Network Overview

This proposal outlines the development of an affordable local area network for Davis Networks Inc. The project aims to provide wireless internet connectivity to all users on desktops and laptops from the organization's existing high-speed connection at a cost between USD 800 and USD 1,000, including installation expenses such as wiring. Implementation will require careful planning to address physical obstacles such as electric poles, trees, and walls. The Computer Center building will serve as the core location, offering the highest connection speeds, with distribution extending to surrounding buildings located 500 to 1,000 meters away.

The network design incorporates five wireless access points (WAP) equipped with omnidirectional antennas (labeled A, B, C, D, E) and two directional antennas (X and Y). The Computer Center will host one WAP with one omnidirectional and one directional antenna. Directional antenna X will communicate with directional antenna Y, while omnidirectional antenna B provides intermediate support. All access points will operate in repeater mode, with each broadcasting signals to laptops, computers, and other devices within range. Weaker access points receive signal support from stronger ones to ensure consistent coverage. As per best practice, a market survey will be conducted to identify products offering the highest cost-benefit ratio. Alternative approaches, such as maintaining a wired network backbone or integrating fiber optics to increase bandwidth, may be considered if needed. Low-gain antenna WAPs can also be positioned to cover clusters of neighboring buildings (Deep, Kush & Kumar, 2010).

Multiple Radio Access Technologies (RATs) currently exist in the wireless communication landscape, including GSM/GPRS, UMTS, IEEE 802.11-based wireless LAN (Wi-Fi), and IEEE 802.16-based Wireless Metropolitan Area Network (WiMAX). Future mobile communication systems will operate in heterogeneous wireless environments, delivering seamless communication with adaptive quality of service and integrated service management. In such multi-technology settings, coordinating Radio Access Networks (RANs) presents significant challenges. The Next Generation Mobile Networks (NGMN) framework provides recommendations to standardization bodies and manufacturers for achieving cost-effectiveness in integrated mobile communication systems. NGMN divides recommendations into three groups: functional recommendations enabling service providers to offer flexible services; cost-efficiency recommendations; and guidance for deployment suitability evaluation. The NGMN expects integrated networks to maximize resource exploitation by supporting multiple RATs. Session Initiation Protocol-based subsystems may be implemented to control network access and service functions (Luo & Bodanese, 2008).

Contemporary homes increasingly feature multiple wireless access points and laptops with wireless capabilities, and this trend is expected to continue as costs decline. However, the IEEE 802.11 standard supports only three non-interfering channels, causing performance degradation due to interference from multiple wireless devices. Spectrum scarcity may become a critical issue in the future. Addressing this challenge requires active monitoring of spectrum usage in specific locations and efficient allocation of spectrum resources as wireless devices demand them (Li & Liu, 2005).

Wireless technology has become a cost-effective and popular solution for educational and business environments. This proposal seeks to create an affordable wireless local area network tailored to Davis Networks Inc.'s budget and timeline constraints. Wireless technology adoption has accelerated across consumer and professional domains, from TV remotes and vehicle locks to radio, Wi-Fi, and mobile phones. Enhanced worker mobility allows personnel to access information electronically while traveling globally. The past two years have witnessed widespread adoption of wireless networking and mobile telephony, with these devices increasingly integrated into internet-connected networks. Traditional objections to wired networks—delays, expenses, and installation hassles—have driven adoption of wireless solutions by both homeowners and enterprises. Wireless networks offer lower cost and superior throughput compared to wired alternatives, explaining their exponential growth in communities, homes, businesses, and public spaces. High-speed internet is now accessible globally rather than remaining a luxury.

Wireless Technology Background and Infrastructure Mode

Two primary mobile wireless network variants exist: infrastructure networks and infrastructure-less (ad hoc) networks. The wireless networking market is expanding rapidly as organizations discover the advantages of wireless deployment. Wi-Fi affords users greater mobility, critical for operations in warehousing, manufacturing, transportation, airports, hotels, colleges, and convention centers. Within business environments, WLANs are essential for public areas, conference rooms, and branch offices. Davis Networks Inc. possesses the competency to execute this comprehensive Wi-Fi rollout.

Requirements Analysis involves defining technical requirements and specifications that form the foundation of wireless network design.

System Design encompasses selecting the optimal system architecture, wireless technologies, configurations, and products to meet all requirements.

Site Surveys identify suitable locations for wireless access points and nodes, analyze current radiofrequency interference, assess mounting assets, and evaluate existing wired distribution systems.

System Testing verifies network installation through test plan development and execution, ensuring signal coverage, security, supportability, and performance requirements are satisfied.

System Installation involves planning installation activities, training installers, and supervising deployment. Recommendations may be provided for reputable installers if outsourcing is necessary.

Security Assessments evaluate network security by reviewing network configuration and conducting penetration tests.

Project Goals and Design Objectives

Expert Troubleshooting diagnoses wireless network problems through system behavior observation, protocol analysis, and radiofrequency testing.

Operational Support Planning develops ongoing support plans for wireless networks, assesses current support capabilities, creates troubleshooting decision trees for support staff, and identifies necessary tools and recommendations for optimal network support.

Project Management coordinates enterprise wireless network deployment and manages all project operations. Activities include requirements definition, design, installation, testing, and support plan implementation.

The wireless LAN operates in infrastructure mode through wireless access points. This mode permits wireless connectivity to devices across a defined coverage area. Each access point contains at least one antenna enabling interaction with wireless nodes. In infrastructure mode, the wireless access point converts airwave data into wired Ethernet data, linking wireless clients to the LAN. Network coverage extends by connecting multiple access points via a wired Ethernet backbone. When a mobile device moves beyond one access point's range, it seamlessly transitions to another access point's range without connection loss. Wireless clients can thus roam continuously between points without interruption. IEEE 802.11g/b wireless nodes communicate via radiofrequency signals in the Industrial Scientific and Medical (ISM) band ranging from 2.4 GHz to 2.5 GHz. Surrounding channels are separated by 5 MHz. Due to spread spectrum effects, a transmitting node uses frequency spectrum extending 12.5 MHz below and above the center channel frequency. This overlap causes interference. Using two optimally separated channels significantly improves performance by reducing channel cross-talk. However, wireless connections face vulnerability to information theft and eavesdropping due to their airwave nature.

The most widely used WLAN protocol is the IEEE 802.11b standard. This protocol operates in the 2.4 GHz frequency range with a maximum data link rate of 54 Mbps and typical throughput of approximately 26 Mbps. Higher frequency generally correlates with higher bandwidth, though range decreases accordingly. The more recent IEEE 802.11g protocol extends 802.11b by operating in the same 2.4 GHz band while employing superior modulation techniques to increase bandwidth. The 802.11g standard features a 54 Mbps data ceiling and upper-end throughput of 22 Mbps, combining advantages of both 802.11b and 802.11a. Radio signal propagation for all three protocols depends on multiple factors; consequently, manufacturer specifications may not reflect actual performance. Barriers such as glass, metal, and wood significantly affect signal strength (Sohal & Dowdy, 2004).

All systems must prioritize scalability, ease of use, and cost-effectiveness. This project addresses all three. Layout design and user mobility represent key considerations. Ideally, network access should be traceable to specific individuals for security audits, a requirement that complicates wireless implementation. The project's objectives are outlined below.

The design prioritizes user convenience. Network access requires a computer account available through Davis Networks Inc.'s central computer services. The Local Area Wireless Network (LAWN) system authenticates users rather than hardware. This design means device changes do not affect network access. The authentication process is straightforward: a user with a wireless device simply opens a web browser and attempts to load a webpage. If unauthenticated, the browser redirects to a login screen requesting user credentials. Upon successful authentication, network access is granted until manual logout or automatic logout after 30 minutes of inactivity (Makmur & McGrew, 2002).

The network design employs a top-down infrastructure approach ensuring straightforward deployment. For departmental integration into the LAWN system, implementation of LAWN's firewall component is required. Since authentication is centralized, departments may use the central authentication system rather than maintaining separate schemes. LAWN system deployment requires a dual Ethernet interface Linux system. Firewall software is available through DCIS/LCSR as an RPM file. One firewall Ethernet interface connects to external users while the other connects to a hub or switch serving the access points. When circumstances require in-house authentication alongside the full LAWN system, a trust relationship between authenticators may be implemented. In such configuration, the LAWN system functions seamlessly as a unified entity, with authenticators contacting each other to verify user credentials (Makmur & McGrew, 2002).

Because the firewall manages all networking issues—access restrictions, name servers, and dynamic configurations—there is no need to purchase feature-rich wireless access points. Only cost and reliability matter. The firewall machine itself is constructed from affordable software and hardware. A personal computer with a 300 MHz Pentium processor, 256 MB memory, a 10 GB hard drive, and free Linux OS is sufficient. Such a system costs approximately USD 200 per unit (Makmur & McGrew, 2002).

Security is fundamental to the LAWN system. Authentication is essential and drives the system's design. LAWN ensures every access is traceable to an individual who can be questioned regarding unauthorized use. Two primary security concerns exist in LAWN: first, controlling wireless network access, and second, securing transmitted data.

System Architecture and Firewall Implementation

For access control, only authenticated users gain entry. Usernames and passwords are verified against central or designated authentication servers before access is granted. The HTTPS protocol secures password authentication through web browsers, protecting credential privacy (Makmur & McGrew, 2002).

Data security during transmission is more complex. The current 802.11b protocol (Wi-Fi) includes built-in encryption technology called Wired Equivalent Privacy (WEP), designed to secure transmitted data. However, WEP has proven inadequate and vulnerable to breaches within short timeframes. LEAP (Lightweight Extensible Authentication Protocol) was developed as an alternative to WEP. This proprietary Cisco technology currently operates only on Apple Airport cards (version 2.x firmware), Cisco Access Points, and Cisco 802.11b wireless cards. Users with non-Cisco 802.11b cards cannot use LEAP (Makmur & McGrew, 2002).

Given WEP's weaknesses, it will not be incorporated into LAWN design. This deliberate exclusion ensures users understand potential security risks. To address transmitted data security, the LAWN system offers an optional Virtual Private Network (VPN) server. VPN creates a secure private network tunnel between the VPN server and the user's computer, encrypting all transmitted data regardless of medium and preventing eavesdropping. Unlike LEAP, which requires costly Cisco equipment, users without 802.11b cards or those working from home can access VPN through any low-cost access point while maintaining security. LAWN/VPN usage requires dual login: first to LAWN, then to the VPN server for encryption services (Makmur & McGrew, 2002).

Optional VPN deployment may reduce adoption due to cost or convenience concerns, leaving some user data vulnerable to eavesdropping. An alternative approach encrypts all network traffic using current secure services. Users might employ Secure Shell (SSH) instead of Telnet, SSL-secured POP or IMAP instead of standard email protocols, and SMTP with SSL for outgoing mail. These tools are freely available on the internet for all computing platforms.

Users must understand that WEP security is weak and should not be relied upon. The optimal approach combines secure application-level services with VPN adoption for comprehensive protection.

The LAWN system architecture resembles a workgroup model. Each workgroup consists of a dynamic Linux-based firewall, a network hub and/or switch, and wireless access points. One firewall interface connects to the external world; another connects to the wireless network. The firewall determines external network access by managing a hardware address access list. Authenticated users are added to the access list; unauthenticated users or those logged out are denied access (Makmur & McGrew, 2002).

When a user's computer enters a wireless access point's range, the DHCP server on the firewall machine delivers all required configurations: IP address, name server, and gateway. When the user launches network-dependent software, the firewall discovers the hardware and queries the authentication server. Authenticated users receive access. For web browser applications, the firewall redirects to the authentication server, displaying a login page. Upon successful authentication, the firewall authorizes the computer's hardware address in its routing tables. The firewall continuously monitors user activity. If the user's computer fails to respond to network requests for a set period or the user manually logs out, the hardware address is removed from the firewall's routing tables (Makmur & McGrew, 2002).

The infrastructure consists of fixed wireless relays and wired base stations. Base stations connect the wireless network to the internet. In this network topology, a mobile unit connects to the closest available base station within communication range and communicates with it. Such networks are typical in office WLANs. Mobile ad hoc networks represent autonomous systems of wireless routers and mobile hosts that can relocate and self-organize; these are heavily used by homeowners. While WLANs enjoy popularity among homeowners, security concerns have historically impacted adoption rates. However, several misconceptions exist regarding wireless network security. Research indicates WLAN adoption would double within two years, driven by company deployment speed benefits, lower infrastructure costs, and improved productivity. Rapid implementation raises concerns about emerging security issues that must be addressed. Security represents the primary concern; increased technology adoption escalates attack risk. For WLANs, security issues are compounded by vulnerable transmission modes and inadequate existing infrastructure (Deep, Kush & Kumar, 2010).

Like all organizations, Davis Networks Inc. will implement network protection ensuring secure user connections and safe data delivery. VPN provides robust remote server access solutions. Internet Protocol Security (IPsec) configuration integrated with VPN enhances security further. Davis Networks Inc. will employ private key infrastructure and add firewall protection as an additional security layer.

Encryption encodes data or messages using mathematical keys, obscuring meaning and preventing unauthorized decryption. Historically, encrypted network transmissions required both sender and recipient to use identical encryption keys. Modern developments introduced asymmetric encryption classes featuring two different keys: one for encryption and one for decryption. The receiving device uses a private key to decrypt received data. Remote devices sending encrypted information use a public key for encryption before transmission (Kandry & Hassan, 2008).

This proposal focuses on designing and implementing a low-cost wireless system with firewall protection for individual and corporate clients, employing Dual-homed Host architecture. The firewall acts as a barrier restricting packets from accessing the private network. All inbound traffic and all outbound traffic must pass through the firewall; only authorized traffic proceeds. Packets must meet requirements or be authenticated to gain access. Firewalls create checkpoints (choke points) between internal networks and the untrusted internet, enabling monitoring of all inbound and outbound traffic, filtering and verification as data passes (Kadhim & Hussain, 2006).

Project Deliverables and Security Framework

A firewall system comprises a personal computer, host, collection of hosts, or router shielding sites or subnets from potentially abusive external services and protocols. The firewall serves as gatekeeper controlling trust boundaries between the internal network and untrusted internet. Firewall implementation levels vary: between internet and internal network, between internal networks and subnets, between individual PCs and other networked computers, or between internal networks and external internet. The proposed system incorporates application-level monitoring and packet filtering mechanisms. Single-box architecture (Dual-homed Host) provides optimal isolation between protected and internet-facing networks. Packet filtering is employed since firewall mechanisms must construct and use packet-based tools. Additional firewall mechanisms employ logging and auditing to identify specific employees or managers, displaying relevant private information accordingly (Kadhim & Hussain, 2006).

The firewall operates by receiving packet data from the LAN interface providing internet connectivity and from ports under monitoring. Packets enter a buffer and are examined against a table of authorized IP addresses, comparing source and destination IPs. Port count, source IP, and destination IP determine security level. Unauthorized source or destination IPs trigger packet rejection and denial notification to the requestor. Authorized packets prompt the firewall to request username and password credentials. Incorrect credentials are rejected; correct credentials grant access. The firewall employs multiple algorithms to execute these functions (Kadhim & Hussain, 2006).

The firewall runs on a dual Ethernet computer and comprises an iptables-based firewall, Domain Name Server (DNS) forwarder, firewall daemon, pinger, and DHCP server. All components are integrated into the RedHat Linux OS except the firewall daemon and pinger, which were developed at LCSR.

iptables (RedHat 7.1 Linux component) dynamically controls network access under the direction of the firewall daemon and pinger. The Network Address Translation (NAT) server also uses it. iptables is the primary component that blocks or unblocks external network access. It is configured as a NAT masquerading server, which lets the firewall support more wireless hosts without reserving valuable IP address blocks: NAT requires only one real IP address for all wireless devices behind the firewall. Since the authentication server resides ahead of the firewall, the default iptables rules permit access to the authentication server's HTTP and HTTPS ports.

DHCP Server (RedHat 7.1 Linux component) dynamically configures user TCP/IP settings, automatically providing Subnet Mask, Internet Protocol Number (IP), Domain Name Service (DNS) server address, and Gateway address when users are within wireless access point range. Without this information, computers cannot access the network. Settings are automatically provided so users need not manually configure their systems. Configuration renewal occurs after designated time periods. All contemporary microcomputer operating systems support DHCP, eliminating the need for user system modifications (Makmur & McGrew, 2002).

DNS Forwarder (RedHat 7.1 Linux component) solves the problem of wireless devices lacking direct DNS access beyond the firewall. DNS translates computer names into IP addresses. A DNS forwarder on the firewall machine forwards all wireless DNS requests to external DNS servers through the firewall's external Ethernet interface (Makmur & McGrew, 2002).

Pinger assists in managing user access and supporting roaming authorized users. The pinger periodically "pings" all currently authorized users. If no response is registered after a set period, the firewall removes the computer from the access list. Pingers also counter-check the authorized roaming users list, verifying previous logins and granting appropriate access (Makmur & McGrew, 2002).

Firewall Daemon listens for instructions from the authentication server. When a user authenticates, the authentication server contacts the firewall daemon, instructing it to grant access to the user's computer hardware address. The daemon verifies all instructions before authorizing wireless device hardware address access (Makmur & McGrew, 2002).
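The access-list lifecycle described above (default deny, grant on login, removal by the pinger or on logout) can be modelled as follows. This is an added example, not code from the LAWN project or from the paper: the interface names, the `LAWN_AUTH` chain name, the addresses, and the extra binding of the leased IP to the hardware address are assumptions. Commands are built as argv lists so that they can be passed to `subprocess.run` without a shell.

```python
import ipaddress
import re

WLAN_IF, WAN_IF = "eth1", "eth0"                 # assumed interface names
AUTH_SERVER = "192.0.2.10"                       # constructed address
WLAN_NET = ipaddress.ip_network("10.10.0.0/24")  # constructed DHCP pool
IDLE_TIMEOUT = 30 * 60                           # 30-minute inactivity logout
CHAIN = "LAWN_AUTH"                              # hypothetical chain name
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def baseline_rules():
    """Default-deny rule set: only the login server is reachable before login."""
    ipt, nat = ["iptables"], ["iptables", "-t", "nat"]
    return [
        ipt + ["-P", "FORWARD", "DROP"],
        ipt + ["-N", CHAIN],
        nat + ["-N", CHAIN],
        # Replies from outside are let back in; traffic *from* wireless hosts
        # is checked per packet, so a revoked host is cut off immediately.
        ipt + ["-A", "FORWARD", "-i", WAN_IF, "-o", WLAN_IF, "-m", "state",
               "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ipt + ["-A", "FORWARD", "-i", WLAN_IF, "-d", AUTH_SERVER, "-p", "tcp",
               "-m", "multiport", "--dports", "80,443", "-j", "ACCEPT"],
        ipt + ["-A", "FORWARD", "-i", WLAN_IF, "-j", CHAIN],
        # Authorized hosts leave the nat chain with ACCEPT; everyone else has
        # port-80 traffic rewritten to the login server.
        nat + ["-A", "PREROUTING", "-i", WLAN_IF, "-j", CHAIN],
        nat + ["-A", "PREROUTING", "-i", WLAN_IF, "-p", "tcp", "--dport", "80",
               "-j", "DNAT", "--to-destination", AUTH_SERVER + ":80"],
        nat + ["-A", "POSTROUTING", "-o", WAN_IF, "-j", "MASQUERADE"],
    ]


class AccessList:
    """Firewall-daemon view of the hardware-address access list."""

    def __init__(self):
        self.entries = {}   # mac -> {"user", "ip", "last_seen"}
        self.audit = []     # (time, event, user, mac, ip): who had access when

    def _rule(self, op, mac, ip):
        # Binding the leased IP as well as the MAC is an added tightening.
        match = ["-m", "mac", "--mac-source", mac, "-s", ip, "-j", "ACCEPT"]
        return [["iptables", op, CHAIN] + match,
                ["iptables", "-t", "nat", op, CHAIN] + match]

    def authorize(self, user, mac, ip, now):
        """Verify an instruction from the authentication server, then grant."""
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.fullmatch(mac):
            raise ValueError("malformed hardware address")
        addr = ipaddress.ip_address(ip)          # ValueError if malformed
        if addr not in WLAN_NET:
            raise ValueError("address outside the wireless DHCP pool")
        if not user:
            raise ValueError("access must be tied to an account")
        cmds = self._revoke(mac, now, "replaced") if mac in self.entries else []
        self.entries[mac] = {"user": user, "ip": str(addr), "last_seen": now}
        self.audit.append((now, "grant", user, mac, str(addr)))
        return cmds + self._rule("-A", mac, str(addr))

    def _revoke(self, mac, now, reason):
        e = self.entries.pop(mac)
        self.audit.append((now, reason, e["user"], mac, e["ip"]))
        return self._rule("-D", mac, e["ip"])

    def logout(self, mac, now):
        return self._revoke(mac, now, "logout") if mac in self.entries else []

    def ping_reply(self, mac, now):
        """Called by the pinger when an authorized host answers."""
        if mac in self.entries:
            self.entries[mac]["last_seen"] = now

    def sweep(self, now):
        """Remove every host that has been silent longer than IDLE_TIMEOUT."""
        stale = [m for m, e in self.entries.items()
                 if now - e["last_seen"] > IDLE_TIMEOUT]
        return [c for m in stale for c in self._revoke(m, now, "idle")]
```

Because the `ESTABLISHED,RELATED` rule only covers return traffic, removing a host's entry stops its outbound packets at once instead of letting open connections outlive the logout.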

Implementation of the proposed network strategy is estimated to require approximately one week. Final implementation costs are projected to be significantly lower than initial estimates. Weekly user feedback will be collected to improve network performance, educate users on optimal usage, and inform users of received value from their investment. The entire network will be deployed and tested through testbed environments. Continuous network monitoring enables fine-tuning optimization. Monitoring and user feedback analysis reveal the following findings:

Cite This Paper
PaperDue. (2026). Low-Cost Wireless LAN Design for Davis Networks Inc. PaperDue. https://paperdue.com/study-guide/wireless-lan-design-davis-networks-195633
