The last shoe to drop was the Wireless setup. I had been hanging an AP off of one of the switches to cover the needs of the few "for the time being." Now that the festival had begun, and all hands were on deck, I decided the network needed as much flexibility as possible. (There was no telling who would show up at any given moment. Maybe Clint "The Man with No Name" Eastwood would stroll in with a wireless PowerMac and start getting pushy...)
There are two major types of wireless encryption: WEP and WPA.
At the time I was creating the network, WEP typically came in 64-bit (10 hex digit) or 128-bit (26 hex digit) configurations. WEP, like PPTP, became very popular because of its low processing/bandwidth overhead and its widespread availability. Unlike PPTP, however, there is no modern advantage to its availability, because WPA is just as commonly used.
There are two types of WPA (Wi-Fi Protected Access) authentication. In the first, a group of Clients, such as those in our network, is given one Pre-Shared Key (PSK) that is identical for all Wireless Clients. In the second, a server assigns an individual key to each client. Having a single PSK for an entire group of users opens the Wireless network to the same type of vulnerability as WEP, but TKIP (Temporal Key Integrity Protocol) is far superior, in that the keys are randomly changed while in use.
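To make the key sizes above concrete, here is an added example (not part of the original article) that validates the two WEP key formats and derives the 256-bit key that every client sharing a WPA passphrase on one SSID ends up holding. The function names are hypothetical and the sample keys are constructed; the passphrase-to-key mapping is the PBKDF2 derivation defined in IEEE 802.11i.

```python
import hashlib
import string

HEX = set(string.hexdigits)

def wep_key_info(key_hex):
    """Validate a hex WEP key; return (marketed_bits, secret_bits)."""
    if not key_hex or set(key_hex) - HEX:
        raise ValueError("WEP key must be hex digits")
    secret_bits = len(key_hex) * 4
    if secret_bits not in (40, 104):
        raise ValueError("expected 10 or 26 hex digits")
    # The marketed size counts a 24-bit IV that travels in the clear,
    # so only 40 or 104 bits of the "64-bit"/"128-bit" key are secret.
    return secret_bits + 24, secret_bits

def wpa_psk(passphrase, ssid):
    """Return the 256-bit pre-shared key for a WPA passphrase and SSID."""
    if len(passphrase) == 64 and not set(passphrase) - HEX:
        return bytes.fromhex(passphrase)  # already a raw 256-bit key
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    print(wep_key_info("0123456789"))                  # 10 hex digits
    print(wep_key_info("0123456789abcdef0123456789"))  # 26 hex digits
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different key, since the SSID is the salt.
    print(wpa_psk("password", "FestivalNet").hex())
```

Because the derived key depends only on the passphrase and the SSID, its strength rests entirely on how hard the shared passphrase is to guess.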
I decided to go with WPA TKIP PSK, as opposed to the less popular (from a security point of view) WEP, while simultaneously defending HQ's choice of the less-secure PPTP VPN setup. The reason was that nobody really knew of, or could guess at, the existence of the VPN tunnel we had created, or of a network of the magnitude I'd created at all; however, just about everybody in town would be snooping around for a free Internet connection. Even if the SSID wasn't broadcast, there were bound to be endless users running around with Netstumbler looking for their chance to check up on Friendster. WEP was too common and easy a nut to crack.
It wasn't worth the time and effort of setting up or connecting to a RADIUS server. Your average Wi-Fi roamer would be easily dissuaded by strong TKIP encryption. So it simply became a matter of choosing the best physical layout for the access points, sharing the key, and letting the users loose.
Figure 5: The AP Layout.
Our final chart shows the layout of Cisco APs for the Wireless Network. I placed one in each of the four corners of the room, as well as a central point in the middle of the server farm. DHCP was disabled on all the access points, as all DHCP tasks were being handled by the Domain Controller/DHCP Server. I merely assigned a static IP Address to the access points, enabled WPA TKIP encryption, and shared the key with the people who required it.
At some point, during the height of the festival, I took the added step of filtering the Clients through their MAC addresses... just to be on the safe side. For those who have the Comments box open and are ready to flame, I should point out that, yes, I am aware that it's very easy to spoof MAC addresses; however, my only intention was to discourage "doorknob rattlers". A properly-equipped war driver can have a WEP key cracked in minutes. But when they see a strongly encrypted wireless network with both TKIP PSK and MAC filtering, they are more likely to keep looking for a WEP or "Open" network.
The next couple of weeks can only be described as a dizzying circus. The build-up before the festival was nothing compared to the spiraling maelstrom of activity that occurred during it. Productivity rose ten-fold as distribution deals were made, films were re-cut and edited, and the marketing and design teams went into full effect—soliciting actors and directors alike, along with the journalists that had come to weigh in on all these hundreds of would-be "next-big-things."
On the networking front, there was a temporary outage because of an electrical grounding problem. The servers held because they were connected to backup power supplies, but some of the client machines were not so lucky. The access points were plugged into outlets on the ceiling lights, which were connected, most fortunately, to an old backup generator that looked like something out of Rocketman. This meant the battery-powered laptop users didn't miss a beat, while the Media clients were out half a day's work (the other half being available on the Media backup server).
There was the occasional problem of a user not being able to access resources over the VPN (mostly due to changes in the Remote Access Service policy on the HQ end). Every hung-over morning someone would forget his or her password. By and large, however, the network held. My weekend trip up to the mountains had been a success.
The Media and Office teams kept working for another month after the festival. There was a lot of work to be done. Films that had been signed to distribution deals had to have the intro and credits altered. Some of them required additional editing. Contracts had to be drawn up, sent out, received, and archived by the legal department. There was constant traffic between the HQ and Utah accounting departments... But for the most part, the lion's share of my own work had been completed thirty days earlier.
I remember staring out the big glass windows of my room at the Park City Marriott. Thousands of trees were angling their way up the side of what looked like the largest mountain in the universe from where I stood on the third floor of the hotel at the bottom of it. I imagined half of the executive staff calling in sick and taking one more dash down the slaloms. I knew for a fact that the Marketing team would have to work three times as hard.
"What's this mountain called, anyway?" I asked.
Mary was still towel drying her hair as she squinted out the windows. "I think it's Pike's Peak," she said.
On a normal day, Pike's Peak is in Colorado. Today, I was more than happy for it to be wherever the Marketing Director wanted it to be.