Oct 08 2008

Clean Air

Secure the rapid expansion of campus wireless nets.

Higher education institutions find meeting the demand for wireless connectivity a tough challenge as students, faculty and staff clamor for the same wireless capabilities on campus that they have at home. As a result, colleges and universities have been installing or expanding networks to supply wireless access on a massive scale.

For instance, Northwestern University in Evanston, Ill., currently has almost 1,000 access points and has plans for 500 more. Similarly, Philadelphia’s Drexel University is ramping up deployment of APs across its campus this fall. “We are moving from 400 APs to 1,000 this year and then to about 1,600 next summer,” says Kenneth Blackney, associate vice president of core technology infrastructure at Drexel.

Huge increases in APs magnify the risk of a security breach for each institution. University databases, with their concentration of students’ financial data, e-mail addresses and Social Security numbers, are prized targets for hackers. The more people allowed on the network, the greater the exposure to potential misuse and the greater the need for network protection.

‘X’ Marks the Spot

Universities rely on a range of technology — and sometimes just plain horse sense — to protect their wireless facilities. Chris Hart, a network engineer at Northwestern, found 802.1X authentication ideal for limiting access. He implemented the capability using a Juniper Networks Steel-Belted Radius server and can use it to authenticate users on both wired and wireless networks.

Hart refuses to operate an unauthenticated network and believes it is vital to tie every device to a specific user on the network. “Each user puts in their name and password, so you link them to a specific MAC address or IP address,” says Hart. “That allows the security team to contact the individual directly concerning any issues.”

The user ID and password are part of the school’s central directory services for the network. The RADIUS server queries Lightweight Directory Access Protocol (LDAP) servers for this data to determine whether access should be granted, he says.
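The attribution Hart describes, tracing an IP or MAC address back to a user name, can be sketched over RADIUS accounting records. This is an added example, not Northwestern's or Juniper's code: the records, user names and addresses are constructed, and the helper names are hypothetical.

```python
from datetime import datetime

# Constructed accounting records for illustration; the attribute names are
# standard RADIUS ones, the users, MACs and addresses are made up.
RECORDS = [
    ("2008-10-08T09:00:00", "Start", "s1", "alice", "00-11-22-AA-BB-01", "10.20.0.15"),
    ("2008-10-08T10:30:00", "Stop",  "s1", "alice", "00-11-22-AA-BB-01", "10.20.0.15"),
    ("2008-10-08T10:45:00", "Start", "s2", "bob",   "00:11:22:aa:bb:02", "10.20.0.15"),
    ("2008-10-08T11:00:00", "Start", "s3", "alice", "0011.22aa.bb01",    "10.20.0.77"),
]
FIELDS = ("Event-Timestamp", "Acct-Status-Type", "Acct-Session-Id",
          "User-Name", "Calling-Station-Id", "Framed-IP-Address")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def build_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id; open sessions keep end=None."""
    sessions = {}
    for rec in sorted(records):                      # ISO timestamps sort by time
        r = dict(zip(FIELDS, rec))
        ts = datetime.fromisoformat(r["Event-Timestamp"])
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Start":
            sessions[sid] = {"user": r["User-Name"], "ip": r["Framed-IP-Address"],
                             "mac": normalize_mac(r["Calling-Station-Id"]),
                             "start": ts, "end": None}
        elif r["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["end"] = ts
    return list(sessions.values())


def who_held(sessions, when, ip=None, mac=None):
    """Return the users whose session covered `when` for the given IP or MAC."""
    when = datetime.fromisoformat(when)
    mac = normalize_mac(mac) if mac else None
    hits = set()
    for s in sessions:
        in_window = s["start"] <= when and (s["end"] is None or when <= s["end"])
        if in_window and ((ip and s["ip"] == ip) or (mac and s["mac"] == mac)):
            hits.add(s["user"])
    return sorted(hits)


SESSIONS = build_sessions(RECORDS)
```

The same IP address maps to different users at different times, so the lookup has to be keyed on the time of the event as well as the address.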

Establish Control

With so many APs to monitor, universities must maintain as much control as possible. Northwestern employs the AirWave Wireless Management Suite to manage network settings, poll both Cisco and Aruba APs and gather statistics. It also uses AirWave to detect rogue APs. Students in residence halls, for example, sometimes set up their own unauthorized wireless APs, further exposing the university’s network to security risks. “We pay attention to ensure that all APs are ours,” says Hart. “By adding another 475 Aruba APs to improve coverage in the residence halls, we expect to see a marked reduction in rogue incidents.”

Consider the Complications

The wireless arena has diverse security standards and protocols, from the old Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA and WPA2). With so many options, changing protocols can complicate network management, especially if multiple changes are made over a short period, say university IT officials.

Three years ago, for example, Northwestern had to decide whether to move from requiring Virtual Private Messaging (WEP was not used) to WPA or WPA2. Hart opted for the more secure WPA2 instead of first transitioning to WPA gear.

Paul DeBeasi, a senior analyst at Burton Group, agrees. “A surprising number of organizations still use the insecure WEP protocol for wireless security,” he says. “They should migrate their networks to WPA2.”

Universities are moving away from WEP, finding ways to transition. “We tell wireless users to use Drexel’s VPN to augment WEP, or to pass private data only if their applications provide another layer of security such as web browsing with SSL,” says Blackney.

By moving away from WEP, Drexel had the option of selecting WPA or going directly to WPA2. Unlike Northwestern, however, Drexel chose to go to WPA, which is built into many types of wireless gear.

“Some cell phones, PDAs and gaming consoles don’t yet support WPA2, and we don’t want to have to tell students or faculty members they can’t use such devices,” says Blackney. “Our policy is no user left behind, if we can help it.”

Change the Spectrum

Universities are one of the markets that are leading the installation of 802.11n-based wireless networks, with 2.3 percent penetration, so far. Source: ABI Research

Drexel is implementing Aruba 120-series APs as part of a broad expansion of its wireless network. The previous network operated on the 2.4 gigahertz spectrum, but Drexel is using the new APs at both 2.4GHz and 5GHz. While the effective range of the higher frequency is reduced, the choice solves other problems.

“Bluetooth, microwave ovens and other sources can interfere with 2.4GHz, and it is the same wavelength used in most consumer-grade APs available in retail outlets,” says Blackney. “Five GHz currently has less consumer-grade competition, so in effect we are moving to a quieter neighborhood.”

Even though using the higher frequency means less power at the same distance, Blackney predicts notebook computers will be able to hear the 5GHz APs anyway because of the reduced background noise. The Aruba APs support 802.11n, boosting performance compared with the 802.11b/g network.

Blackney says 2.4GHz provides only three channels that don’t overlap, whereas 5GHz offers 12 channels. “That means that we can saturate a lecture hall so that fewer students need to share each AP,” he says.

Set Policy on Wireless Rights

Drexel uses three Aruba Mobility Controllers with Policy Enforcement Firewall to run its APs. This allows wireless rights to be assigned to each user ID. By setting policy at the controller level, the university is able to handle different levels of authorization with relative ease.

“Many are now using controller-based architectures with lightweight APs,” says DeBeasi. “A controller provides a network management focal point that simplifies, automates and centralizes AP management.”

Pepperdine University is another proponent of policy management. It uses Campus Manager by Bradford Networks to identify users before allowing them onto the network.

“We set policy on who gets onto the network, what privileges they have and what segments of the network they can visit,” says Tim Chester, Pepperdine CIO. “Visitors are segmented away from our main wireless network.”

Pepperdine installed 161 Wi-Fi arrays at the school’s Malibu, Calif., campus. The school’s network encompasses 80 buildings across five sites and about 10,000 users. The core of the network is built upon a number of Cisco Systems routers and switches.

Currently, Pepperdine manually configures all student machines at the beginning of each semester to verify wireless security settings, ensure the Trend Micro antivirus software is up to date and apply all necessary security patches.

“The next step is to tie in the Bradford authentication management software with antivirus and patch management,” says Chester, “so that every time a student attempts to log onto the network, their antivirus signatures and patches are applied before they are granted access.”

Many paths lead up the same mountain when it comes to wireless network security. Universities and colleges use a combination of approaches, such as authentication, network scanning and acceptable-use policies. Choosing the path, however, is not as important as deciding to make the trip in the first place.

Cooperation is Key

Tim Chester, CIO at Pepperdine University, doesn’t hesitate when asked to name the most important ingredient of a successful wireless security plan: It’s teamwork, he says.

“Having a collaborative, interdisciplinary team has really helped us to implement security measures and wireless changes in a seamless manner,” Chester says.

The university’s networking practice group consists of representatives from network engineering, information security, server management and the student body. The team is involved in product and policy implementation and ensures that a proper balance is maintained between security requirements and ease of access.

“Using a committee like this moves you from having to react to issues among the user community to dealing with them proactively,” says Chester.