802.11

 

 

53. Which 802.11 standards will I most likely encounter in my environment? What are some of the more important amendments?

IEEE 802.11-1997 is a wireless networking standard published by the IEEE. Many amendments and additions have been made since. Amendments are indicated by a letter or pair of letters, e.g., 802.11b, 802.11g. Once the alphabet was exhausted, a second letter was added, e.g., 802.11ac. Regularly, the existing amendments are rolled up into a new version of the general standard, e.g., 802.11-2007 and 802.11-2016. See the IEEE GET Program for 802 standards web page [36] and the Wikipedia 802.11 web page [37] for more information. The Wikipedia IEEE 802.11 web page includes a full list of the 802.11 amendments.

A WLAN, or wireless LAN, is a network that allows devices to connect and communicate wirelessly. 802.11 can be thought of as the wireless counterpart of Ethernet, which is known by its standard title, IEEE 802.3. Wi-Fi devices operate in a group of frequencies called ISM (industrial, scientific, and medical) bands. These bands are available for use by anyone who chooses to buy government-authorized equipment and are shared with other technologies, including Bluetooth and amateur radio. Wi-Fi uses powerful tools to achieve highly reliable data links, even when operating with other devices transmitting in the same spectrum. These tools include protocols to retransmit packets if no acknowledgement of receipt is received; forward error correction, which allows reconstruction of a packet even if some of the data were corrupted; a cyclic redundancy check to verify that the whole packet was received/reconstructed correctly; QoS mechanisms to prioritize important data; a cellular architecture, which allows for many, closely spaced APs; more bandwidth (555 MHz in the 5 GHz band alone) than in all broadcast TV, AM, FM, cellular, and PCS services combined, which allows for many APs to be placed in an area, all on different channels; and authentication and encryption, which provide secure communication to support HIPAA policies.

Some of the more common amendments are:

802.11-1997. The original 802.11 specification covering direct-sequence spread spectrum (DSSS), frequency-hopping spread spectrum (FHSS), and infrared (IR) physical layers at 1 and 2 Mbps data rates. Of these, only DSSS still has any support in manufactured products. DSSS uses 24 MHz–wide channels and FHSS uses 1 MHz–wide channels.

802.11-2007. New release that includes amendments a, b, d, e, g, h, i, and j.

802.11-2016. New release that includes amendments k, n, p, r, s, u, v, w, y, and z.

802.11a. Introduced orthogonal frequency division multiplexing (OFDM) with data rates from 6 to 54 Mbps in the 5 GHz band using 20 MHz–wide channels.

802.11b. Introduced complementary code keying (CCK) to provide 5.5 and 11 Mbps data rates in addition to 1 and 2 Mbps DSSS. Operates in 22 MHz–wide channels.

802.11e. QoS enhancements that provide for prioritized traffic flow.

802.11g. Added OFDM support with data rates from 6 to 54 Mbps in the 2.4 GHz band using 20 MHz–wide channels. Achieves backwards compatibility with 802.11b (which in turn is backwards compatible with legacy 802.11 1 and 2 Mbps DSSS) through transmission of management frames using legacy modulation and channels.

802.11h. Spectrum management. Introduced rules for European compatibility, specifically DFS (802.11 masters detect protected RF signatures on some channels and dynamically move to different channels) and transmit power control to ensure that devices don’t exceed the regulatory maximum for the current country and channel.

802.11i. Security enhancements. Introduced the Advanced Encryption Standard (AES), aka WPA2, to remediate the security flaws in Wired Equivalent Privacy (WEP). Also introduced an interim solution, Temporal Key Integrity Protocol (TKIP), aka WPA, as a stopgap solution to improve security on legacy devices, as implementing AES required new hardware. Provided for both pre-shared key (PSK) and certificate-based authentication using the Extensible Authentication Protocol (EAP).

802.11k. Defines and exposes radio and network information to facilitate the management and maintenance of a mobile WLAN. Provides information for the client to discover the best available AP.

802.11n. Allows higher throughput, up to 600 Mbps, achieved by using multiple radios to transmit (or receive) simultaneously (MIMO), wider bandwidth (up to 40 MHz–wide channels), and improved efficiencies in the MAC layer such as frame aggregation (sending more than one frame per transmission) and shorter guard intervals.

802.11r. Sets standards for fast base station subsystem (BSS) transitions (fast roaming from one AP to another), specifically while using EAP authentication. 802.11i allowed these features, but this led to multiple vendors having different methods.

802.11ac. Provides higher speed improvements to 802.11n for the 5 GHz band, primarily through 80- and 160 MHz–wide channels and additional, simultaneous transmission (or reception). Supports data rates up to 866.7 Mbps per spatial stream and up to four spatial streams for a total of 3.467 Gbps.

802.11ax. Once again, speed improvements in the 5 GHz band, using multiple-user MIMO (MU-MIMO). Supports simultaneous uplink and downlink over multiple spatial streams (carrier antennas). Adds a new trigger frame containing packet transmission scheduling information.

Wi-Fi 6 (802.11ax): The 6th generation of 802.11 (Wi-Fi) physical standards with data rates of up to 1.2 Gbps per spatial stream and eight spatial streams for a total of 9.608 Gbps. 802.11ax can simultaneously operate in the 2.4 and 5 GHz ISM bands. Note that previous 802.11 versions have been rebranded:

Wi-Fi 1: 802.11b (1999)

Wi-Fi 2: 802.11a (1999)

Wi-Fi 3: 802.11g (2003)

Wi-Fi 4: 802.11n (2009)

Wi-Fi 5: 802.11ac (2014)

“Extended” 802.11 channels are subject to FCC 47 CFR Part 15.407(b), sometimes referred to as “regulatory -B domain.” The channels are at the upper range of the 5 GHz ISM band. These are called out because some wireless adapters do not support the extended channels. If a wireless adapter doesn’t support these channels, it cannot associate with an AP that is using an extended channel. (The upper frequencies of the 5 GHz ISM band are subject to different regulatory requirements than the lower frequency bands. Wireless adapter manufacturers that chose not to test to these standards are prohibited from using these frequency bands.)

54. What are the reasons to maintain or stop support for 802.11b?

802.11b is an amendment to the IEEE 802.11 standard that dates back to 1999. It uses a different modulation method and has a lower data rate than 802.11a/g/n/ac. Additionally, because 802.11b and 802.11g use different modulation methods, when an AP has even one 802.11b client, all of the management traffic must be transmitted at the slow 802.11b data rates. This creates a data bottleneck that can be relieved by phasing out devices that only support 802.11b.

The only reason to maintain support for 802.11b today is if the HDO has a high density of 802.11b clients, and if that is the case, consider a refresh to ensure that all clients can support 802.11g at a minimum and preferably 802.11 a/g/n. The vast majority of Wi-Fi–capable medical devices today are equipped with 802.11 g/n or newer wireless cards. Those that only support 802.11b generally do not support the most secure authentication and encryption solutions.

Once 802.11b clients are off the network, a good practice is to disable the legacy data rates of 1, 2, 5.5, and 11 Mbps to prevent 802.11b clients from using the network.

55. What is the difference between WPA2-PSK and WPA2-Enterprise?

WPA2-PSK is a method of encrypting data and authenticating wireless clients to the network and vice versa, using a pre-shared encryption key (PSK). The PSK is used with all devices connected to the same network. While the use of a PSK is generally considered adequate for consumer use in the home environment, it is generally not considered sufficiently secure for enterprise environments. To overcome the deficiencies of PSKs, a Remote Authentication Dial-In User Service (RADIUS) server is used to provide unique encryption keys for each user via centralized authentication, authorization, and accounting (AAA) management.

56. Why are WEP and WPA-PSK/TKIP no longer considered secure? What kind of wireless encryption should HDOs be using? How will this impact organizational support for wireless medical devices?

WEP and Wi-Fi Protected Access Pre-Shared Key/Temporal Key Integrity Protocol (WPA-PSK/TKIP) are no longer considered secure. Both protocols use a PSK, which is the essential weakness of these security schemes. Once the key has been shared with the wrong individual, access can be gained to the network, making any medical device connected to the network vulnerable to attack and potentially exposing protected health information (PHI). In addition, any PSK encryption is more vulnerable to “brute force” attacks.

57. What are the advantages of 802.11ac Wave2 over 802.11a/b/g/n? Are there any disadvantages besides the cost of replacing my wireless APs?

As with many other discussions of specific Wi-Fi protocols, a detailed discussion of 802.11ac Wave2 is beyond the scope of this document. Generally, 802.11ac Wave2 is considered to have greater range and data throughput than 802.11a/b/g/n. Part of this increase in data throughput is achieved by using MIMO. Another increase in throughput is due to “channel bonding,” which allows up to eight Wi-Fi channels to be bonded simultaneously into a single channel providing 160 MHz bandwidth. Channel bonding has the disadvantage of reducing the number of usable Wi-Fi channels in an enterprise environment by one half while increasing the throughput across the bonded channel.

In the 2.4 GHz 802.11b/g bands, there are only three orthogonal (non-overlapping) channels. So, although channel bonding is possible, it is considered a best practice not to allow it in a high-density enterprise environment. In the 5 GHz 802.11 band for 802.11n and the successor standard 802.11ac, there can be up to 12 bonded orthogonal 40 MHz channels.

58. Should I turn off lower 802.11b data rates to get better performance on my 802.11b/g network?

Many companies and hospitals have embraced the strategy of obsoleting 802.11b support to improve network efficiency. Since 802.11b and 802.11g use different modulation schemes, the network has to transmit management frames using 802.11b modulation to ensure that old clients can “hear” the management traffic. The lowest 802.11g data rate is 6 Mbps, so keeping the 5.5 Mbps 802.11b rate isn’t a big hit, but keeping the 1 Mbps data rate means that management frames essentially take six times as long to transmit as they would on a pure 802.11g or 802.11g/n WLAN.

It is important to have a plan that includes an inventory of devices to ensure 802.11b is supported as long as 802.11b devices exist. Often, a first step is to disable the 1 and 2 Mbps data rates and leave 5.5 and 11 Mbps data rates. Only the oldest (earlier than ca. 2000) devices support just 1 and 2 Mbps, and these support the original 802.11 (not 802.11b) standard. 802.11b introduced 5.5 and 11 Mbps. 802.11g devices (starting ca. 2003) are backwards compatible to run on 802.11b networks and add data rates 6, 9, 12, 18, 24, 26, 48, and 54 Mbps.
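Whether legacy rates, WEP/TKIP or a PSK are still enabled on a WLAN (questions 54 to 58) can be checked from the beacon an AP transmits. The following is an added example, not part of the original document: it decodes a beacon's tagged parameters and reports those settings. The element IDs and suite selectors are the standard 802.11 values; the two beacons are constructed samples, not captures.

```python
import struct

OUI = b"\x00\x0f\xac"                        # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
LEGACY = {1.0, 2.0, 5.5, 11.0}               # 802.11/802.11b rates in Mbps
WEAK = {"WEP-40", "WEP-104", "TKIP"}

def elements(blob):
    """Yield (element_id, body) from a beacon's tagged parameters."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        if pos + 2 + length > len(blob):
            raise ValueError("truncated information element")
        yield eid, blob[pos + 2:pos + 2 + length]
        pos += 2 + length

def suites(body, off, count, table):
    """Decode `count` 4-byte suite selectors starting at offset `off`."""
    if off + 4 * count > len(body):
        raise ValueError("truncated RSN element")
    sels = [body[off + 4 * k:off + 4 * k + 4] for k in range(count)]
    return [table.get(s[3], "other") if s[:3] == OUI else "vendor" for s in sels]

def audit(blob):
    """Return a list of findings for one beacon's tagged parameters."""
    rates, ciphers, akms, has_rsn = set(), set(), set(), False
    for eid, body in elements(blob):
        if eid in (1, 50):                   # Supported / Extended Supported Rates
            rates |= {(b & 0x7F) / 2 for b in body}  # 500 kbps units, MSB = basic
        elif eid == 48:                      # RSN element: group, pairwise, AKM
            has_rsn = True
            (n_pair,) = struct.unpack_from("<H", body, 6)
            (n_akm,) = struct.unpack_from("<H", body, 8 + 4 * n_pair)
            ciphers |= set(suites(body, 2, 1, CIPHERS) + suites(body, 8, n_pair, CIPHERS))
            akms |= set(suites(body, 10 + 4 * n_pair, n_akm, AKMS))
    checks = [(rates & LEGACY, f"legacy rates advertised: {sorted(rates & LEGACY)}"),
              (ciphers & WEAK, f"weak cipher enabled: {sorted(ciphers & WEAK)}"),
              ("PSK" in akms, "pre-shared key authentication"),
              (not has_rsn, "no RSN element: open, WEP or WPA-only")]
    return [message for hit, message in checks if hit]

# Constructed samples (not captures): a legacy WLAN and a hardened one.
LEGACY_BEACON = bytes.fromhex("00057761726433" "010882840b160c121824"
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
HARDENED_BEACON = bytes.fromhex("00057761726433" "01088c129824b048606c"
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
```

`audit(LEGACY_BEACON)` reports the four 802.11b rates, TKIP and PSK authentication; `audit(HARDENED_BEACON)` returns an empty list.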

59. What are Dynamic Frequency Selection (DFS) channels and what are the pros and cons of using them?

DFS is a Wi-Fi function that enables WLANs to use 5 GHz frequencies that would otherwise be reserved for radars, on the condition that if radar signatures are detected, the channel is vacated within 10 seconds.

DFS support almost triples the available channels in the 5 GHz ISM band. This allows for higher densities of APs, more Wi-Fi devices, and faster data transfer rates. For the U.S., there are nine non-DFS channels: 36, 40, 44, 48, 149, 153, 157, 161, and 165. There are 16 DFS channels: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, and 144. These channels are in the 5.25 GHz to 5.73 GHz frequency range. The IEEE 802.11ac standard takes advantage of the expanded range from eight to 16 DFS channels known as “regulatory -B domain” support. Wikipedia includes a table of all the DFS channels for various regulatory domains [38].

When an AP detects a radar, it must vacate the channel. Most enterprise-class APs are constantly scanning other channels and can move quickly to another channel. Even so, some latency and jitter-sensitive applications such as VoIP might experience an interruption.

Before enabling DFS channels:

  • Ensure that all client devices support those channels.
  • Conduct a DFS survey to determine how often radar events occur. An Aruba Networks document [39] describes the behavior of 5 GHz client devices in the presence of radar and describes how to conduct a DFS survey. If the survey detects that particular DFS channels are often vacated, those can be excluded from the AP channel list.
  • Conduct a risk analysis comparing the advantages of the increased bandwidth to the probability (based on the DFS survey) and hazard level of an 802.11 communication issue when a radar is detected. Consult 80001-1 and the associated technical reports for more guidance on managing IT networks that support medical devices.
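The three checks above can be combined into a channel plan. The following is an added example, not part of the original document: it uses the U.S. channel lists given in the text, excludes channels that a client cannot use or that the DFS survey shows are often vacated, and, going beyond the text, counts how many of the 12 bonded 40 MHz channels remain. The device names, survey counts and the event limit are constructed assumptions.

```python
NON_DFS = [36, 40, 44, 48, 149, 153, 157, 161, 165]      # U.S. lists from the text
DFS = [52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144]

def plan_channels(inventory, radar_events, max_events):
    """Split the 5 GHz channels into an enable list and exclusions with reasons.

    inventory:    {device name: set of channels its adapter supports}
    radar_events: {DFS channel: radar detections seen during the DFS survey}
    max_events:   site-chosen limit from the risk analysis (assumption)
    """
    enable, excluded = [], {}
    for ch in sorted(NON_DFS + DFS):
        lacking = sorted(dev for dev, chans in inventory.items() if ch not in chans)
        if lacking:
            excluded[ch] = "unsupported by " + ", ".join(lacking)
        elif ch in DFS and ch not in radar_events:
            excluded[ch] = "not covered by DFS survey"
        elif ch in DFS and radar_events[ch] > max_events:
            excluded[ch] = f"{radar_events[ch]} radar events in survey"
        else:
            enable.append(ch)
    return enable, excluded

def bonded_40(channels):
    """Return the 40 MHz pairs whose two 20 MHz halves are both usable."""
    grid = sorted(NON_DFS + DFS)[:-1]          # channel 165 has no 40 MHz partner
    return [(a, b) for a, b in zip(grid[0::2], grid[1::2])
            if a in channels and b in channels]

# Constructed sample data: device names, survey counts and the limit are invented.
ALL_CHANNELS = set(NON_DFS + DFS)
INVENTORY = {
    "telemetry-monitor": ALL_CHANNELS,
    "infusion-pump": ALL_CHANNELS - {144},     # older adapter without channel 144
}
SURVEY = {ch: 0 for ch in DFS if ch != 136}    # channel 136 was not surveyed
SURVEY.update({100: 1, 116: 7, 120: 5})

if __name__ == "__main__":
    enable, excluded = plan_channels(INVENTORY, SURVEY, max_events=2)
    print("enable:", enable)
    for ch, reason in excluded.items():
        print(f"exclude {ch}: {reason}")
    print("40 MHz channels:", len(bonded_40(enable)), "of", len(bonded_40(ALL_CHANNELS)))
```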