Oct 31 2006

How to Safely Implement Wireless Technology on Campus

Maintaining a secure wireless airspace takes diligence to ensure integrity. Here are some ways leading institutions are tackling the challenge.

While others exult in the virtues of wireless networking, H. Morrow Long prefers to approach the topic with a bit of caution. It's not that the director of the Information Security Office at Yale University is opposed to wireless technology; on the contrary, he believes it's the wave of the future, and he's currently rolling it out across the New Haven, Conn., campus. “The reality is that without the proper safeguards and policies in place, there's room for a lot of problems,” he says.

These days, Long isn't taking any chances. In order to use the Yale wireless network–which offers 11 megabits per second (Mbps) access in dorms, libraries, common areas and many classrooms–students, faculty and staff must abide by a set of strict policies and authenticate themselves when they log on.

In addition, the school relies on a variety of security tools–including system monitoring, encryption and the use of separate virtual local area networks (VLANs) and Internet Protocol (IP) subnets–to reduce risks for both the school and its students.

Yale University isn't the only school to get smart about wireless security. While many individuals view today's untethered connections as a new and exciting frontier, CIOs, network engineers and security officers are taking an increasingly close look at how to manage airspace and resources.

“With so many different types of users connecting to the network–and the large number of profiles, environments and applications present–there's a good deal of risk,” explains Rachna Ahlawat, a research director at Gartner, a research firm in Stamford, Conn.

Indeed, network intrusions, bandwidth theft, spamming, phishing, pharming, identity theft and data theft are just a few of the potential problems, says Yale's Long, who also serves on a security task force for EDUCAUSE, a nonprofit education association with offices in Washington, D.C., and Boulder, Colo. Schools that do not adequately manage their airwaves can also experience lagging performance and potential legal issues.

“It's wise to develop a strategy and policy up front,” Long advises.

On the Right Frequency

It's no secret that the enormous growth of wireless networking has profoundly changed life and learning on university campuses. Since the 802.11b standard emerged in 1999, hundreds of schools that are eager to position themselves as leading-edge and user-friendly have begun deploying wireless access.

However, in the rush to tap into this new frontier, many schools opened up access to wireless networks and only later looked at how to adequately manage and secure them.

That's changing. At the University of Cincinnati, Vice President and CIO Fred Siff is heavily involved with issues relating to the airwaves. The school has introduced a logon portal that clearly identifies the official site and requires authentication based on student ID numbers and passwords.

In addition, it has encrypted the entire network using 128-bit Wired Equivalent Privacy (WEP) in order to minimize the risk of security breaches. The university plans to migrate to the more stringent WPA2/802.11i (Wi-Fi Protected Access) over the next 12 to 24 months.

The university uses a number of other techniques to maintain integrity over its entire campus, including both wired and wireless networks. It has installed intrusion prevention, a firewall and an intrusion-detection system to thwart attackers. It constantly monitors its 585 access points and looks for rogue access points that can sap bandwidth and hurt performance.

“We shut them down not because they're illegal, but because they interfere with the regular network,” Siff explains. Throughput speeds that are limited to 10 to 25Mbps and RADIUS accounting that's enabled to track users are two factors that effectively reduce the number of students using the wireless network for peer-to-peer applications.

Because access points are a potential Achilles' heel, it's important to develop policies early on and control how they are used. Although some schools allow rogue access points and others–despite having policies against them–avoid any enforcement action, the bottom line is that without monitoring in place, it's possible for someone to engage in “drive-by” attacks, including Web site spoofing, identity theft and sending illicit traffic, such as spam, through the access point and into the network.

Gartner's Ahlawat says that universities should also consider moving toward a more advanced model that requires authentication at a central controller, rather than at the access point. This approach makes it possible to manage privileges and protect against stolen or shared passwords. It also allows IT to manage an array of network devices and protect the core network. “It offers a more sophisticated approach,” Ahlawat explains.

Making the Grade

Another school with an eye on wireless security is the Illinois Institute of Technology (IIT), a private, Ph.D.-granting university based in Chicago. The school's wireless network covers about four square blocks and provides access to approximately 4,500 students, instructors and administrators. About half of the two dozen buildings on campus are set up for 802.11b/g access, including common areas and dormitories. The school requires a usage agreement, and it authenticates individuals through the Media Access Control (MAC) address on their computer, as well as their IIT e-mail address and password.

The school does allow rogue access points in places where it has not yet provided wireless networking, but it does not monitor their use or provide support or troubleshooting, says Felix Lin, senior network engineer. From a security standpoint, they are treated like other nodes on the network, requiring authentication and registration. IIT also caps bandwidth so users can't spam or use peer-to-peer applications. Once users hit a predefined limit, their connections slow down. “It's an ongoing challenge that we take very seriously,” Lin says.

Yale's Long believes that, in the end, it's best to balance security tools and human discretion. While technology can address many challenges, it's wise to give instructors latitude about whether they want wireless in their classrooms. Likewise, it's important to allow a business school or law school to provide wireless access to guests or those attending a symposium.

“The key is to put systems in place to provide monitoring and protection,” Long concludes. “Solid planning and an effective design can go a long way toward ensuring a safe environment.”

5 Steps to Wireless Security

Map out an airspace-management strategy. Every school has different needs and expectations; there's no cookie-cutter solution for managing wireless networks. The key is to create a system that offers the desired services while protecting the school and students.

Put the necessary security solutions in place. Technology is advancing quickly, and the right hardware and software can go a long way toward managing the airwaves and protecting users. It's also important to think through network topology and use firewalls, virtual private networks and other tools, as necessary.

Develop a solid set of policies and create a user agreement. A clear set of guidelines and rules eliminates potential confusion and misunderstandings. It lets everyone know what the school expects up front.

Monitor systems closely. With hardware, software and policies in place, it's still essential to keep tabs on users, systems and potential threats. Systems that are effective today may not be tomorrow, as more sophisticated hacking and intrusions take place.

Educate students, faculty and other users. It's essential for those using the wireless network to understand the importance of secure browsing, encrypted e-mail and recognizing potential problems, such as phishing and pharming schemes. Regular bulletins and communication can help alleviate problems.

Samuel Greengard is a freelance writer in Portland, Ore.