An analysis of the different internet broadband technologies available for commercial home consumers in a remote rural community will assist in selecting the best broadband technology and local internet service provider for the project.
There are several broadband technologies available to home consumers who want a fast internet connection. They are broadband via:
- Telephone line (digital subscriber line).
- Cable.
- Mobile telephony.
- Satellite.
Broadband internet via telephone line or cable offers the fastest speeds at affordable prices. Their only limitation is infrastructure availability: these technologies can only be used where the infrastructure is already in place, i.e. fibre optic cabling for digital subscriber line (DSL) broadband service and cable broadband service.
Mobile telephony broadband is basically broadband access over a wireless (cellular) connection. It requires a dongle connected to a computer to gain broadband access and, of course, a mobile broadband provider with at least 3G network coverage. Overall it is slower than DSL or cable broadband and more expensive. It is a good solution for an individual consumer without conventional broadband access, i.e. DSL or cable. It also offers flexibility in terms of mobility and not having to take out a long-term landline contract. Its main drawback is that it tends to suffer from poor signal performance, especially in remote locations.
Internet connection via satellite broadband is more expensive and provides slower speeds than cable or DSL. That said, it is the best alternative available for home consumers living in remote locations where cable and DSL are not accessible. When compared with mobile telephony broadband, it does not suffer from signal performance issues. It also offers dedicated broadband bandwidth.
Out of the four options, satellite broadband is the best solution for users in a remote rural location without the terrestrial telecommunication infrastructure found in urban areas, as it is affordable, does not suffer from signal loss and offers decent broadband speeds.
There are two types of satellite broadband available to consumers:
- 1 way satellite broadband: This type allows users only to download data via a satellite. Uploading of data is done through a dial-up connection. Data travels in one direction (refer to figure 1 below - one way satellite broadband).
- 2 way satellite broadband: This type is the quicker of the two. It allows a user to both download and upload data via a satellite (no telephone line is required). Data travels both ways (refer to figure 2 below - two way satellite broadband).
Reference for 1 way and 2 way satellite broadband above: http://www.broadbandwatchdog.co.uk/satellite-broadband.php
2 way satellite broadband is the better option of the two as it offers much faster upload speeds and needs no telephone line, so it can be used anywhere within the satellite coverage area, e.g. in very remote locations with no terrestrial telecommunication infrastructure (REFERENCE).
There are several 2 way satellite broadband services targeting home users in remote locations of the UK, e.g. Astraconnect by SES Astra, Avanti by Avanti Communications, Tooway by Eutelsat Communications, etc.
The 2 way satellite broadband service offering the fastest download and upload speeds at affordable rates is Tooway. Tooway is based on SurfBeam technology developed by ViaSat, and on Eutelsat's extensive satellite coverage together with its operating and commercial experience through its subsidiary Skylogic. Tooway currently offers satellite broadband link speeds of up to 3.6 Mbps download and 384 kbps upload which is, so far, the fastest on the market. It is expected to increase its link speeds to up to 10 Mbps in the second half of this year (2010). The current speeds are offered in a range of four packages (i.e. Basic, Bronze, Silver and Gold) to cater for different home and/or small business user requirements. End-user tariffs are determined by the local service providers. It is available everywhere in the UK and Western Europe regardless of location (REFERENCE).
The consumers in this remote rural community will be sharing the same internet connection. They therefore need to be on the same network. Wireless technology will be used to connect the users in this remote rural location to the local area network (LAN). This is because there is no physical network cable infrastructure in place, and putting one in would be too expensive compared with using wireless technology, which allows devices to connect to each other or to a network via radio frequency (RF) transmission.
A local area network (LAN) using wireless technology is known as a wireless local area network (WLAN). Unlike switched wired networks, WLANs provide shared network connections. Radio frequency (RF) signals are prone to loss caused by physical objects in their path that absorb the signal.
The main advantage of setting up a WLAN in a remote rural location with an approximate network coverage radius of 3.5 miles is its cost. It costs less to implement a network in such an area with wireless technology than with cabling. It also has less impact on the environment, as no trenches have to be dug that could disrupt transport, e.g. roads being dug up, or spoil the landscape.
The wireless protocol(s) for building the low cost WLAN will come from the 802.11 protocol family, which is the industry standard set of wireless protocols from the Institute of Electrical and Electronics Engineers (IEEE). The wireless protocols used will be determined by the radio frequency used on the network. The radio frequencies to be considered for the wireless network are in the 2.4 GHz and 5 GHz ranges (refer to figure 6 below).
Wireless Local Area Network Topologies:
The common types of WLAN topologies are:
- Ad-hoc mode - This type of topology can be loosely referred to as peer-to-peer mode. Communication between end user network devices (e.g. client workstations) is direct. No access point is used to enable communication between the devices. Ad-hoc mode is also known as an independent basic service set (IBSS).
- Infrastructure mode - This type of topology uses an access point to enable communication between client stations on a WLAN, i.e. an access point is used to facilitate communication between computer A and computer B. Infrastructure mode is also known as a basic service set (BSS). The coverage area of a BSS WLAN is larger than that of an ad-hoc WLAN. Basic service area (BSA) is the term used for the coverage area of both ad-hoc mode and infrastructure mode.
- Extended service set (ESS) - In this type of topology two or more BSSs are combined. A basic service set identifier (BSSID) is used on each BSS to differentiate them; the BSSID is the MAC address of an access point on a WLAN. Extended service area (ESA) is the term used for an ESS coverage area. Through the use of a common distribution system, an ESS can be used to improve the radio frequency coverage of a single BSS. The common distribution system makes the extended service set (ESS) appear as one basic service set (BSS). This is achieved by having a common service set identifier (SSID) set up across the ESS to allow the user to roam, i.e. move from one access point to another on the ESS.
Wireless networks are more prone to security threats than wired networks. This is because a potential attacker possessing the necessary skills and tools, within radio range of an unsecured or poorly secured WLAN access point, could gain entry without any physical connection being required. Threats that could lead to unauthorised access generally come from three main groups:
- War drivers - These are attackers with the necessary scanning devices who drive around looking for unsecured systems or networks to exploit.
- Hackers or crackers - These are malicious intruders or attackers who exploit a network's or a system's weak security to gain entry and cause harm.
- Authorised network users - Authorised WLAN users could quite innocently introduce a rogue access point, e.g. one meant for home use, that creates a security hole on the WLAN and so enables unauthorised access. At the same time, this type of user could configure their rogue access point to capture network data and use it for their own gain.
The main attacks on a wireless local area network are:
- Man in the middle (MITM) attacks - This is where an attacker places themselves between the target, e.g. a host machine, and the wireless router or access point so as to intercept data and use it for their own gain.
- Denial of service (DoS) attacks - This is where an attacker floods a network or system, using up services and other resources, e.g. bandwidth, meant for genuine network devices such as host workstations. Persistent DoS attacks can easily overwhelm a network or system and cause it to crash.
Security issues on WLANs can be mitigated by implementing the following security measures:
- Use a server running the remote authentication dial in user service (RADIUS) protocol, e.g. an Authentication, Authorisation and Accounting (AAA) server, on the WLAN to enhance security by providing centralised network authentication. This type of server strengthens the network by ensuring that clients wanting access have to go through an additional authentication / login process before being granted access.
- Use Wi-Fi Alliance Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) on the WLAN to strengthen the network. An example of WPA is the Temporal Key Integrity Protocol (TKIP), a wireless security encryption method that performs encryption and ensures that a message is not tampered with by carrying out a message integrity check of the encrypted packet. WPA2 does everything that WPA can do and more, plus it enhances security by having the ability to connect to a RADIUS server or database. An example of WPA2 is advanced encryption standard (AES) encryption, which is a superior encryption method to TKIP as it can use data from a MAC header to enable destination hosts to see whether bits that are not encrypted have been compromised. It also sequences data headers that have been encrypted. NB: TKIP and AES are IEEE 802.11i specified enterprise level encryption mechanisms that have been adopted by the Wi-Fi Alliance as WPA and WPA2.
- Conceal service set identifiers (SSIDs) by preventing access points from broadcasting SSIDs.
- Control end user device admission to access points by implementing media access control (MAC) address filtering. This involves building a table on the access point holding the MAC addresses (physical hardware addresses) of client machines that have access. Any client machine not in the table will not be granted access. NB: The MAC address is also referred to as the physical hardware address, which is hard coded in the network interface card (NIC) of a client machine.
- Use access control lists (ACLs) to control the flow of traffic and ensure that users on the network only access their required resources, e.g. the internet.
- Use intrusion detection and prevention systems, e.g. Snort, to mitigate unauthorised network or system access.
- Use a proxy server on the network and ensure that all internet access goes through it. Proxy servers control what network users can access from the internet and can also act as a network firewall.
- Encourage a policy of using security software, e.g. firewalls and anti-malware, on devices on the network.
- Create a demilitarised zone (DMZ) on the network and place in it the network device that exposes the network's services to the outside world, e.g. the proxy server. This will contain any attack from an external network, e.g. the internet, within the DMZ and thus prevent the rest of the network from being compromised.
- Control the clients that access the WLAN by implementing media access control (MAC) address based connection control on the access point. This method creates a database of legitimate clients who have access. Any client with a MAC address not identified as legitimate is refused access.
- Use wireless virtual local area networks (VLANs) to control traffic and user access. VLANs group users into their respective functional groups and control what resources they can access, e.g. users in an accounts department will only be able to access the network resources assigned to them via their VLAN group.
Wireless local area network (WLAN) topology:
The wireless local area network (WLAN) will be designed using an extended service set (ESS) topology with a common distribution system. Each of the homes of the users in the community will represent a basic service set (BSS) on the WLAN, and these are combined to form an extended service set (ESS). The common distribution system will be provided by enabling a common service set identifier (SSID) on the ESS to allow for roaming, thus making the ESS appear and behave like a single BSS.
Access points (APs) set to bridge mode, better known as wireless bridges or WLAN bridges, will be used to combine the WLAN's basic service sets into an extended service set and to transmit, receive and extend the radio frequency (RF) signal, with the help of the common distribution system, throughout the WLAN coverage area. The WLAN bridges will use the IEEE 802.11a/b/g standards and have dual radio frequency band capability. The RF signal on the WLAN will use the unlicensed 5 GHz and 2.4 GHz bands. Dual RF band (mixed) mode will be set on the WLAN bridges, with external antennas attached to the homes of the users within the WLAN and placed high enough to avoid any obstruction to the RF. The WLAN's backbone RF signal will operate in the 5 GHz band. The backbone signal, located at Andrew's property (the base station), will come from a wireless bridge with an omni-directional antenna attached to a tall mast, placed high enough to avoid any obstruction such as tree lines, and directed towards the wireless bridges attached to the homes of the users. This form of communication is known as a point to multipoint connection.
The homes of the users, numbering approximately fifteen, will each require a wireless bridge with an external antenna attached to it, together with at least one computer with a network interface card to enable WLAN access and subsequently internet access. Each user will access the WLAN via the wireless bridge connected to the external antenna at their house. The base station located at Andrew's property will be approximately 100 metres away from the main homestead. The base station will house the following network hardware devices:
- Three Tooway satellite dishes together with their modems
- Wireless bridge attached to an external waterproof omni-directional antenna with a coverage radius of not less than 3.5 miles. Cable and bracket will also be required.
- Personal computer (PC) acting as the network server
- Ethernet cable
The Tooway satellite broadband package will be Gold, with download and upload speeds of 3.6 Mbps and 384 kbps respectively together with a 12 GB monthly data quota. There will be a 1 month service deposit plus 3 months in advance, and thereafter monthly tariff charges of 115 UK pounds (£) inclusive of VAT per satellite package from Satellite Solutions Worldwide Ltd (Tariam), which is the preferred Tooway ISP distributor. Tariam's customer premises equipment (CPE), i.e. Tooway's satellite dish and modem, costs 428 UK pounds inclusive of VAT. Installation is optional and costs an additional 271 UK pounds inclusive of VAT. Figures 9, 10 and 11 below illustrate the above.
The WLAN will have approximately 30 users (i.e. 2 users per homestead) who require internet access. Each user will have a bandwidth allowance of between 1 and 2 gigabytes (GB) per month. Three satellite links, each providing a 12 GB bandwidth allowance, will be required to meet the users' bandwidth demands. Since the internet connection is a wide area network (WAN) connection, the satellite dishes together with their modems will be connected to a router (gateway) with network address translation (NAT) configured. The router will have a wireless bridge with an omni-directional antenna connected to it that will carry the WLAN's backbone RF signal and also provide the point to multipoint connection to the WLAN. Users on the WLAN will access the internet via their own wireless bridges by connecting to the main wireless bridge with the omni-directional antenna, attached to the tall mast at the base station, that carries the WLAN's backbone RF signal. The backbone RF signal will carry data to and from the gateway router. Note: the satellite dishes will be placed on the same mast as the omni-directional antenna.
The WLAN router will be used to route data to and from the internet and also to load balance network traffic between the 3 satellite dishes for efficient bandwidth utilisation. It will also use quality of service (QoS) to prioritise web traffic by allocating most of the bandwidth to internet traffic that is important and does not consume a lot of bandwidth. For example, the router will assign more bandwidth to the less demanding hypertext transfer protocol (HTTP) traffic than to File Transfer Protocol (FTP) traffic, which is known for consuming huge amounts of bandwidth. By doing this all the users will get their fair share of the internet connection.
The WLAN server, running on a Linux platform, will function as a proxy server to improve overall web performance. This will be achieved by configuring the proxy server as a transparent proxy cache that stores static web content, e.g. hypertext markup language (HTML) pages and images, for later use when requested again. Transparent proxy cache mode allows all web traffic to be automatically intercepted and forwarded to the proxy server without explicitly configuring the user's browser to use it. All the users' web traffic will first go through the proxy server to have their hypertext transfer protocol (HTTP) requests served. If the proxy server does not hold the required data, the request is passed on to the web server on the internet. This saves time and bandwidth, as the internet will not need to be accessed if the data is already in the proxy cache. Squid is the proxy server of choice as it is free and runs on the Linux operating system, which is also free. The Linux server will also run the management software that enables the network administrator to monitor all the network users' internet usage statistics and provides an email service to alert those who are about to use up all their bandwidth. Remote access to the Linux server and router will be granted only to the network administrator, whose duty it is to manage the network resources.
All the users' end user network devices will be configured with static Internet Protocol (IP) addresses. Network devices on the WLAN will share the same subnet mask, broadcast address and network address; in other words they will all belong to the same network. Variable length subnet masking (VLSM), or classless subnetting, is the preferred IP addressing scheme as it helps prevent the wastage of IP addresses. A host range of 62 IP addresses will be used. This meets the current IP addressing needs of the WLAN and at the same time provides room for expansion when the need arises (refer to figure 9 below).
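As an added example (not code from the report), the usage monitoring the report assigns to the Linux server can be built directly on Squid's own access log: the function below sums bytes served per client IP from native-format access.log lines and flags clients at or above a warning fraction of their monthly quota, which is the list an alert email would be sent from. The log lines, client addresses and quota values are constructed for illustration.

```python
"""Per-user bandwidth accounting over Squid access.log lines.

Added example, not code from the report: Squid's native access.log format
(time elapsed client code/status bytes method URL ident hierarchy type) is
parsed, bytes served are summed per client IP, and clients at or above a
warning fraction of quota are returned. Sample lines are constructed.
"""
from collections import defaultdict

GB = 1024 ** 3
# The report allows 1 to 2 GB per user per month; 1 GB is assumed as the
# default quota, with per-client overrides possible via the quotas mapping.
DEFAULT_QUOTA_BYTES = 1 * GB
WARN_FRACTION = 0.9

# Constructed sample lines in Squid native format; the last one is
# deliberately malformed to show that accounting must not crash on it.
SAMPLE_LOG = """\
1270000000.101 412 192.168.1.66 TCP_MISS/200 524288000 GET http://example.com/big.iso - DIRECT/203.0.113.10 application/octet-stream
1270000001.205 23 192.168.1.66 TCP_HIT/200 450000000 GET http://example.com/film.mp4 - NONE/- video/mp4
1270000002.330 18 192.168.1.67 TCP_HIT/200 4096 GET http://example.com/index.html - NONE/- text/html
this line is malformed and must be skipped, not crash the accounting
"""


def parse_squid_line(line):
    """Return (client_ip, bytes_sent) for one native-format line, or None
    when the line is blank or malformed."""
    fields = line.split()
    if len(fields) < 5:
        return None
    try:
        return fields[2], int(fields[4])
    except ValueError:
        return None


def usage_by_client(lines):
    """Sum bytes served per client IP across the given log lines."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, nbytes = parsed
        totals[client] += nbytes
    return dict(totals)


def clients_to_warn(totals, quotas=None, warn_fraction=WARN_FRACTION):
    """Map client IP -> fraction of quota used, for clients at or above
    warn_fraction. The administrator's mail step would consume this."""
    quotas = quotas or {}
    flagged = {}
    for client, used in totals.items():
        quota = quotas.get(client, DEFAULT_QUOTA_BYTES)
        fraction = used / quota
        if fraction >= warn_fraction:
            flagged[client] = round(fraction, 3)
    return flagged


if __name__ == "__main__":
    totals = usage_by_client(SAMPLE_LOG.splitlines())
    for client, fraction in clients_to_warn(totals).items():
        print(f"{client}: {fraction:.1%} of monthly quota used, warn user")
```

Because Squid logs the client address, the per-user figures are only as good as the static IP assignment; a client that changes its address would escape accounting.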
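The following is an added example (not the report's own code) of working out the classless address plan described above: it picks the smallest prefix that holds the required usable hosts, derives the mask, network and broadcast addresses for the 62-host range, and assigns static addresses to the infrastructure devices and the fifteen homesteads' PCs. The 192.168.10.0 base address and the device names are assumptions.

```python
"""Classless (VLSM) address plan for the WLAN's 62-host range.

Added example, not code from the report: sizes the subnet to the hosts
actually needed instead of a full class C, then hands out static
addresses in a fixed order. Base address and device names are assumed.
"""
import ipaddress
import math


def smallest_prefix_for(usable_hosts):
    """Smallest IPv4 prefix length whose block still holds usable_hosts
    addresses after reserving the network and broadcast addresses."""
    if usable_hosts < 1:
        raise ValueError("need at least one usable host")
    host_bits = math.ceil(math.log2(usable_hosts + 2))
    return 32 - host_bits


def plan_subnet(base_ip, usable_hosts):
    """Describe the subnet: 62 hosts gives /26 with mask 255.255.255.192."""
    net = ipaddress.ip_network(
        f"{base_ip}/{smallest_prefix_for(usable_hosts)}", strict=False
    )
    hosts = list(net.hosts())
    return {
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def assign_static(base_ip, usable_hosts, infrastructure, homesteads, users_per_home=2):
    """Static assignment in order: infrastructure devices first (router,
    server, base-station bridge), then each homestead's client PCs.
    Raises ValueError rather than silently overflowing the range."""
    net = ipaddress.ip_network(
        f"{base_ip}/{smallest_prefix_for(usable_hosts)}", strict=False
    )
    names = list(infrastructure) + [
        f"home{h}-pc{u}"
        for h in range(1, homesteads + 1)
        for u in range(1, users_per_home + 1)
    ]
    usable = net.num_addresses - 2
    if len(names) > usable:
        raise ValueError(f"{len(names)} devices exceed {usable} usable hosts")
    return {name: str(ip) for name, ip in zip(names, net.hosts())}


if __name__ == "__main__":
    # 15 homesteads, 2 users each, plus three infrastructure devices: 33 of 62
    print(plan_subnet("192.168.10.0", 62))
    for name, ip in assign_static(
        "192.168.10.0", 62, ["router", "proxy-server", "base-bridge"], 15
    ).items():
        print(f"{name:14s} {ip}")
```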
To ensure that the WLAN is secure the following security measures will be incorporated in the design:
- Wi-Fi Protected Access 2 (WPA2), e.g. with advanced encryption standard (AES), will be used as the security encryption method.
- Media access control (MAC) address filtering will be used to control end user device access to the WLAN's access points.
- Access control lists (ACLs) will be used to control the flow of traffic and ensure that users on the network only access their required resources, e.g. the internet.
- An intrusion detection system, e.g. Snort, will be used to help mitigate unauthorised network or system access.
- An intrusion prevention system, e.g. Snort, will be used to help mitigate unauthorised network or system access.
- The use of firewalls, e.g. Windows Firewall, on all end user devices will be encouraged on the WLAN.
- The use of anti-malware, e.g. Norton, McAfee etc., on all end user devices will be encouraged on the WLAN.
- A proxy server will be used on the network to control what network users can access from the internet and to act as a network firewall.
- The proxy server will be placed in a demilitarised zone (DMZ) on the network. This will help contain any attack from an external network, e.g. the internet, within the DMZ and thus prevent the rest of the network from being compromised.
- Access points will be prevented from broadcasting their service set identifiers (SSIDs).
- All unnecessary open ports that can be used to access the network's resources will be closed.
- Passwords and encryption will be used on the router to secure the network.
- A server with remote authentication dial in user service (RADIUS) protocol should be considered for a later date to provide centralised network authentication by ensuring that all clients have to go through an extra authentication or log in process before being granted access to the WLAN.
Evaluation (reflective diary)
The first phase of the project was to understand what was expected to be accomplished from the scenario given.
The next stage was to gather information that would assist in the design of the network. This involved:
- Research into the different types of wireless local area network (WLAN) topology. This took a lot of time to understand. The network design was based largely on information collected from books and websites (see bibliography), and knowledge gained from my studies in networking at college.
- Research into the different types of networking devices to use. The choice of network devices was based largely on information collected from books and websites (see bibliography), and knowledge gained from my studies in networking at college.
- Research into the different types of satellite technologies in use commercially and their costing. The choice of satellite technology together with ISP provider was based largely on information collected from books and websites (see bibliography).
- Setting up network security. Knowledge gained on network security was based largely on my studies in networking and security at college.
In the design stage the wireless network together with satellite internet broadband was quite difficult to design as this was new territory. This is because the knowledge I have on wireless networks is very limited. The knowledge I possessed on satellite technology was next to none before going into this project. I found that security was the easiest part of the whole design stage.
The implementation stage took longer than expected and at times I was very frustrated by the results. I believe I underestimated the level of difficulty in configuring security on a router.
Next was the testing stage. Surprisingly enough everything went smoothly, with the required results being achieved.
Lastly typing the report has proved to be very slow and frustrating. I will have to improve my typing speed.
Reliability and significance of the information collected are as follows:
- The information gathered, especially the types of WLAN topology, satellite technology and security, has aided in the network design.
- The results of the tests prove how reliable the information collected has been in the design of the network.
- Without collecting information related to the project, it would have been very difficult to design the network. The network would most likely have been flawed and network specifications, e.g. network security, internet connectivity and WLAN connectivity not achieved.
Conclusion and Recommendation
The WLAN with satellite internet connection design project has achieved its objective of:
- Incorporating security into the network design
- Offering an affordable satellite internet connection to the rural community.
- Providing users in the community a WLAN to enable connection to internet.
- Providing detailed documentation about the network design in a prescribed form
The new network design meets the requirements set by the client for this project.
Further testing of the network should be done to address any areas not in the client's requirements brief. Once this has been done, any recommended improvements to the design should be made, after which the proposed network project should replace the existing one.