UGA Wireless Network
Current Overview and Roadmap for FY04

Contents

Introduction                                       3

Current PAWS Wireless Network and FY04 Expansion   6

UGA Wireless LAN Standards                         13

Wireless Communication Security Policy             18

Bluesocket Security                                21

Wireless Education and Awareness                   22

Appendix                                           27
     Wireless Networking in Higher Education in
            the US and Canada
     Southern Directors Email Survey
     Georgia Tech Wireless Case Study

Introduction

UGA has developed a comprehensive framework for deploying wireless networks
across campus, known as PAWS (Personal Access Wireless/Walkup System).
This has involved developing wireless network standards, a wireless
communications security policy, and a wireless networking education and
awareness program, as well as other associated procedures for the deployment
of such technology.

This document presents details of each of these areas and provides an overview
of the PAWS deployment from the initial pilot project, through the planned
expansion for FY2004. Analyses of academic wireless networks conducted by
the Educause Center for Applied Research (ECAR), Georgia Tech, and the
Southern Directors of Information Technology are also presented.

The UGA PAWS network has experienced substantial growth since its inception in
2001. It began as a collaborative pilot project to provide wireless access to
Herty Field, but it has rapidly grown to include more than twenty-six locations
across campus. Additionally, EITS has planned significant expansion of PAWS in
2003-2004, including deploying wireless connectivity to a substantial portion of
the outdoor areas on North Campus and to the new greenway on South Campus. A
number of other departments have also expressed an interest in joining the PAWS
network. A visual representation of this growth is included on page ten of this
report.

According to surveys conducted by the Educause Center for Applied Research
(ECAR) and the Southern Directors of Information Technology, UGA appears to
be competitively positioned relative to peer institutions in wireless networking.
This is true in terms of the amount of campus covered by wireless access as well
as wireless networking standards and security. These surveys are available in
the Appendix of this report.

While the PAWS wireless network is grounded in industry standards and security
measures, no network can ever be 100% safe. Therefore, we require that
Bluesocket gateway devices be deployed as a standard component of the PAWS
network. These devices help mitigate risk by requiring anyone attempting to
access the PAWS network to authenticate using their UGA MyID. Details about
Bluesocket devices can be found on page twenty-one of this report.

Unfortunately, there are other wireless deployments around campus that are not
part of the PAWS network and some of these are not secure. Anyone with a
network connection in their office can purchase an access point for less than $50
and plug it into the campus network. Although EITS regularly attempts to identify
these "rogue" wireless networks, there is no recourse available when they are
identified. Therefore, we strongly endorse the adoption of a University policy
requiring all wireless deployments to be centrally coordinated via the EITS
Network Operations and Infrastructure unit and to abide by the UGA Wireless
LAN Standards beginning on page thirteen in this document. This policy is
currently under review by the UGA Executive Management Team (EMT). These
standards primarily focus upon three major areas:

   •   Radio Frequency Management,
   •   Access Point Standards, and
   •   Implementation Policies.

All are necessary to address issues such as interoperability across campus,
signal overlap, security and similar issues. These standards were developed
according to established industry best practices and are based upon the IEEE
802.11 standard for wireless networks.

In addition to standards, it is essential that UGA adopt a Wireless
Communication Security Policy to govern the behavior and usage of wireless
networks. EITS has developed a draft policy, presented beginning on page
eighteen of this document, that focuses upon the following areas:

   •   Code of Behavior
   •   Responsibility and Privacy
   •   The Registration of Access Points and Cards
   •   Approved Technology
   •   Acceptable Service Set Identifiers
   •   Enforcement

Similarly, no initiative of this magnitude will ultimately be effective without the
compliance of departmental technology support staff and the end users of this
technology. EITS is developing a comprehensive education and awareness
program to facilitate a general campus-wide understanding of information
technology security and the associated standards and policies. As part of this
effort, we have developed a short course to be taught at Staff Training and
Development entitled WLAN 101 and Security. An overview of this course is
presented beginning on page twenty-two of this document.

The PAWS network has been deployed over time as funding has been identified
by EITS and other campus units. Funding sources for this expansion have
historically included the EITS general budget, individual departmental budgets,
and student technology fees. This has resulted in a piecemeal deployment
similar to the way the original UGA wired network was deployed within most
individual campus buildings a number of years ago.

Despite not being explicitly funded, a significant portion of the campus now has
PAWS wireless network coverage and there is substantial additional deployment
planned and under consideration for FY04. However, should funding become
available for a more immediate ubiquitous campus-wide deployment, the existing
PAWS framework is well suited to guide the process. Essentially, PAWS would
just need to be augmented with the establishment of a deployment schedule for
buildings and outdoor green spaces. Whether or not such funding is identified, a
robust and secure wireless network is contingent upon the approval and
enforcement of recommended policies and guidelines that are included later in
the report.

Ongoing annual support will need to be identified as wireless networking is
expanded across campus. Wireless networks are complicated by several factors
including the varying distance between access points, line of sight issues in
some point-to-point networks, the fact that users are mobile, and increased
security issues, among others. A ubiquitous wireless network will certainly
require more resources for support and management than are currently
available. Therefore, if funding for a more ubiquitous deployment is identified, a
portion of it should be identified to cover increased annual support and
maintenance costs.

Irrespective of whether or not additional funding is identified, the EITS FY04
tactical plan includes a project to develop a cohesive roadmap for the
deployment of future wireless LAN technologies on campus. This project
includes the creation of a campus-wide taskforce (which is already in progress)
with the following specific objectives:

   •   Review the current UGA wireless LAN deployment strategy, existing
       deployments, and standards with feedback from industry analysts like the
       Gartner Group;
   •   Review and brainstorm ways to improve on the strategy and standards;
       and
   •   Develop a roadmap for future wireless LAN deployments, including a
       prioritization of deployments both within and between buildings and
       budgetary estimates of the cost of these deployments. The roadmap is
       expected to be completed early in 2004.

Current PAWS Wireless Network and FY04 Expansion

Overview of PAWS

Wireless network technology has matured in recent years to the point that
campus deployment is feasible as an augmentation to the existing wired network.
Faculty, staff, and students are now able to wirelessly connect to the existing
campus network and access network services and the Internet without the need
to sit down at a designated terminal. All that is required is an 802.11b compliant
wireless network card for their laptop or PDA and a UGA MyID for access
security.

Access to the PAWS network is supported through 802.11b compliant Access
Points, which have both a radio transceiver and an Ethernet jack. They are
typically mounted on walls or ceilings to provide a radius of coverage. Users
must be within a certain distance of an Access Point to connect to it. Multiple
Access Points are used to provide continuous coverage over a large area.

The Access Points connect wireless networks to the wired Ethernet infrastructure
through a wireless authentication gateway. The authentication gateways sit on
both the PAWS network and the existing wired campus network. These gateways
only allow authenticated users to access the campus network from the PAWS
network. Users authenticate using their UGA MyID user name and password,
which is checked against a UGA enterprise directory service.

The IEEE 802.11b standard specifies a raw data rate of 11 megabits per second
(Mbps); after protocol overhead the usable throughput is closer to 7 Mbps, shared
among all cards on an access point. The typical user will find this speed
acceptable. 802.11b wireless networking has a range of about 100 meters in a
large open space and about 30 meters in a typical indoor office environment, and
the data rate steps down as the distance between the wireless device and the
access point increases. The network can handle hundreds of users logged in at
once; however, the bandwidth of a particular access point is shared among all
users associated with it, so the more people actively using it, the slower it
gets. A typical access point supports 30-35 users running low-bandwidth
applications (email, web browsing, etc.).

The PAWS network is not intended to replace the wired campus network.
Wireless networking is, by nature, more prone to disruption and cannot easily
handle large amounts of data. Additionally, walls with metal beams and large
metal objects (desks and filing cabinets) can affect the quality of the connection.

Topography, architectural obstructions and other factors have to be considered
along with distance from wireless access points when designing new wireless
access areas. Departmental support staff are encouraged to contact the EITS
Wireless Task force for assistance in designing and installing a wireless network
and/or gateway.

Due Diligence Analysis and Standardization of Wireless Gateways

As part of a due diligence process, the EITS Wireless Task Force evaluated six
wireless network gateways using previously defined technical specifications.
These included products from the following companies: Reefedge, Vernier
Networks System, Bluesocket, Sputnik, NoCatNet, and Georgia Institute of
Technology's LAWN (a homegrown solution). The following gateway
specifications were considered:

   •   Customizable web interface
   •   Secure LDAP authentication
   •   External syslog support
   •   SNMP support
   •   Access Point and OS agnostic
   •   Multiple gateways can work alone or together (master - slaves)
   •   Supports Roles for users to enforce use policies
   •   Certificates
   •   SSL support
   •   802.11a/b/g protocol support
   •   IPSec, PPTP, VPN protocol support
   •   Central/Distributed Administration
   •   Ease of use
   •   Ease of deployment
   •   Cost of initial installation
   •   Cost of support

While no single solution can fit everyone's situation, after thorough consideration,
we believe the best gateway solution is the Bluesocket device. Bluesocket is a
stable and growing company and their products continue to receive awards. As
a vendor, they have been responsive to our requests and suggestions, and they
continue to develop their products incorporating the changing standards and
directions of wireless.

As a result of this process, the recommended equipment includes the following:

   •   Gateway: Bluesocket gateway (currently the WG-100 SOE, WG-1100, and
       WG-2100 are recommended)
   •   Access Points: any 802.11b compliant access point that meets the criteria
       in the UGA Wireless LAN Standards Policy

Additional wiring may be required, depending on the specific situation.

History of the PAWS Pilot Project: Herty Field

The wireless project at Herty Field exists as a result of the collaboration between
Franklin College, the Vice President of Instruction, the Law School, the Honors
Program, and EITS. The project was initiated in June 2001. Franklin College of
Arts and Sciences provided most of the funding but also received a financial
contribution from former Vice President of Instruction, Tom Dyer. The Honors
Program and the Law School agreed to have the access points installed at their
sites. EITS evaluated the wireless gateway solutions and implemented the
authentication and management controls.


FY04 PAWS Expansion at UGA

The PAWS network has developed over time as funding has been identified by
EITS and other campus units. Funding sources for this expansion have
historically included the EITS general budget, individual departmental budgets,
and student technology fees. This has resulted in a piecemeal deployment;
however, the PAWS wireless network is based upon industry standards and
robust security. The maps on page ten contrast existing PAWS locations with
anticipated growth in the PAWS network over this fiscal year without targeted
funding. Future expansion in FY04 is indicated by orange shading: the lighter
orange areas are outdoor green space areas to be deployed by EITS and the
darker orange areas are buildings where units have expressed an interest in
joining the PAWS network.

The EITS FY04 tactical plan includes a project to develop a cohesive roadmap
for deploying future wireless LAN technologies on campus. This project includes
the creation of a campus-wide taskforce (which is already in progress) with the
following specific objectives:

   •   Review the current UGA wireless LAN deployment strategy, existing
       deployments, and standards with feedback from industry analysts like the
       Gartner Group;
   •   Review and brainstorm ways to improve on the strategy and standards;
       and
   •   Develop a roadmap for future wireless LAN deployments, including a
       prioritization of deployments both within and between buildings and
       budgetary estimates of the cost of these deployments. The roadmap is
       expected to be completed early in 2004.

The risk assessment of this project indicates that:

   •   Any implementation of the wireless roadmap is contingent on available
       funding sources. If these sources do not materialize, the roadmap cannot
       be implemented. Funding for wireless implementations needs to be
       addressed with the University Administration.
   •   What is the risk of not doing this project? The risk is a haphazard,
       incompatible, and slower deployment of wireless LAN technologies on
       campus.

EITS is also considering the provision of an FTP server where gateway backups
could be stored for disaster recovery purposes. Currently we have backups of
the gateways taken when they are set up and subsequently upgraded; however,
automatically sending backups once a week to a remote server would provide a
greater margin of safety. A backup file is typically less than 150 KB, and
snapshots are less than 100 KB, so they are not network or disk intensive.
Because a gateway backup is the gateway's configuration and FTP carries both the
login and the file contents in the clear, the transfer should use an encrypted
channel (e.g., SFTP or SCP) or the backup should be encrypted before it is sent,
and access to the backup server should be limited to the gateways and EITS
management hosts.

In addition to policy, standards, and training, EITS will continue to actively assist
units across campus to setup and manage their Bluesocket gateways. We are
also providing the centralized authentication service, SNMP graphing, and
system logging.

[Maps: PAWS Wireless Locations Early in FY02; Current PAWS Wireless Locations FY03; Anticipated PAWS Wireless Locations FY04]

News and Additional Information about PAWS

EITS Information about PAWS:

   •   PAWS: Bringing wireless access to campus
       http://www.eits.uga.edu/tti/review/2wireless.html
   •   From the CIO's office; Information Technology Strategic Directions
       http://cio.uga.edu/
   •   Wireless security (June 16, 2003)
       http://www.infosec.uga.edu/chiefspeaks/cs20030616.html
   •   UGA'S HERTY FIELD GOES WIRELESS FOR COMPUTER USERS;
       FIRST SEGMENT OF NEW PERSONAL WIRELESS/WALKUP SYSTEM
       ON CAMPUS (August 14, 2002)
        http://www.uga.edu/news/newsbureau/releases/2002releases/0208/020814paws.html

Colleges: (7 of our 14 colleges are participating in PAWS)

   •   NMIX Digital Brown Bag: PAWS -- Wireless on Herty Field (9/18/2002)
       http://www.nmi.uga.edu/brownbags/notes_f2002/paws.asp
   •   NMIX 4510 Capstone Research Page
       http://www.nmi.uga.edu/students/ajedlicka/research.asp
   •   UGA Libraries Wireless Network (April 23, 2003)
       http://www.libs.uga.edu/howdoi/go_wireless.html
   •   UGA Libraries Go Wireless!
       http://www.libs.uga.edu/newsletter/wireless.pdf
   •   UGA'S HERTY FIELD GOES WIRELESS FOR COMPUTER USERS;
       FIRST SEGMENT OF NEW PERSONAL WIRELESS/WALKUP SYSTEM
       ON CAMPUS (August 13, 2002)
       http://www.franklin.uga.edu/chronicle/articles/paws.htm
   •   School of Environment and Design Networking Student Computers
       http://www.sed.uga.edu/facilities/tech/studentcomputers/nsc.htm
   •   School of Environment and Design Wireless Network Setup
        http://www.sed.uga.edu/facilities/tech/studentcomputers/wireless-setup.htm
   •   Terry College of Business Wireless FAQ
       http://www.terry.uga.edu/oit/help/faq/wireless.html
   •   Georgia Law Library Wireless Network Access FAQ
       http://www.law.uga.edu/library/cs/wireless.html
   •   Student Learning Center Wireless
       http://www.slc.uga.edu/facility.html
       http://www.slc.uga.edu/technology/wireless.html

WAGzone (Wireless Area Group) news articles:

   •   http://www.grady.uga.edu/topdetails.asp?ID=287

UGA non-PAWS wireless info: AI Center, Boyd:

  •   http://www.ai.uga.edu/aicenter/Laptop.html

UGA Wireless LAN Standards
(Revised July 22, 2003)

Overview

Wireless LAN communication has become a desirable means of connecting
mobile users, primarily with laptop devices, to the Internet. The number of
planned and implemented wireless LANs has increased to the point that
institutional standards and practices need to be articulated for this network
service.

A number of committees of the Institute of Electrical and Electronics Engineers
(IEEE) have ratified a family of wireless LAN standards called the 802.11
standards. An IEEE 802.11 network consists of two primary components: a
wireless LAN adapter (typically a removable PCMCIA or CardBus card in a
laptop) and an access point (AP). The following diagram shows these
components and how they fit into a wired network.




Each wireless card "associates" (or connects) with a nearby access point if the
radio signal from the AP is strong enough and if certain parameters on the card
and AP are appropriately configured.

The 802.11b standard (which operates in the unlicensed 2.4 GHz RF band)
provides for shared wireless connectivity at theoretical speeds ranging from 1 to
11 megabits per second [Mbps], depending on the distance from the card to the
access point. Because of overhead required to support wireless communications,
the actual data throughput is roughly between 0.66 and 7 Mbps. Since all
wireless cards associated with a given access point share the available
bandwidth, as the number of wireless devices increases the amount of bandwidth
per device decreases. For example, if 30 wireless devices (a typical maximum
number) shared the same 802.11b access point, the maximum bandwidth
available per device would be approximately 230 kilobits per second. This
amount of bandwidth is sufficient to provide reasonable performance when
reading e-mail or surfing the Web for text and simple graphics, but would be
unacceptable for multimedia Internet applications such as streaming video.
Fortunately, two other wireless standards called the IEEE 802.11g standard
(which also operates in the unlicensed 2.4 GHz RF band and is compatible with
802.11b) and the IEEE 802.11a standard (which operates in the unlicensed 5
GHz RF band) are capable of supporting theoretical speeds up to 54 Mbps.
Commercial 802.11a wireless products from major communications vendors are
available now, and 802.11g products will be available from these vendors by the
end of 2003.

In order to provide reliable and secure wireless LAN services for the UGA
campus, a number of standards and implementation practices need to be
followed. This document articulates standards for the deployment of wireless
LANs at UGA in terms of radio frequency management, access point standards
and implementation policies.

Radio Frequency Management

Wireless LAN communications are based on the use of radio signals to exchange
information through an association between a wireless LAN card and a nearby
access point. Each access point in an 802.11b/g network is configured to use
one radio frequency (RF) channel. Although the 802.11b/g specifications define
fourteen channels, only eleven are allowed for AP use in the U.S. In addition,
each channel occupies roughly 22 MHz of spectrum while channel center
frequencies are only 5 MHz apart, so two access points with overlapping coverage
must use channels whose centers are at least 22 MHz (five channel numbers)
apart. This constraint limits the number of simultaneously usable,
non-overlapping channels to three (channels 1, 6, and 11). 802.11a wireless
networks, by contrast, have eight non-overlapping channels, which provides more
flexibility in channel assignment.

If two access points that use the same RF channel are too close, the overlap in
their signals will cause interference, confusing any wireless card in the
overlapping area. To avoid this potential scenario, it is imperative that wireless
deployments be carefully designed and coordinated. All departments that are
planning to deploy wireless must work with EITS Network Operations and
Infrastructure (NOI) before procuring and implementing wireless LANs to ensure
that their deployment does not cause conflicts with existing wireless
implementations.
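
As an added illustration of the channel constraint above (this is example code written for this document, not an EITS tool or part of the standard), the following Python checks a planned 802.11b/g deployment: it flags neighboring access points whose channels overlap in spectrum and proposes an assignment from the three non-overlapping channels. The AP names and the list of which APs overlap in coverage are constructed sample data; in practice that adjacency comes from the site survey.

```python
"""Channel-overlap check for a planned 2.4 GHz (802.11b/g) deployment.

Added example for this document; not part of the UGA standards text or any
EITS tool. AP names, locations and the adjacency list are constructed data.
"""

CHANNEL_WIDTH_MHZ = 22      # an 802.11b DSSS signal occupies about 22 MHz
CHANNEL_SPACING_MHZ = 5     # channel centers are 5 MHz apart (channel 1 = 2412 MHz)
US_CHANNELS = range(1, 12)  # the FCC permits channels 1-11 for AP use
NON_OVERLAPPING = (1, 6, 11)


def center_freq_mhz(channel):
    """Center frequency of a 2.4 GHz channel (valid for channels 1-13)."""
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a, b):
    """True if two channels share spectrum, i.e. their centers are closer than
    one channel width. 1 and 6 (25 MHz apart) do not overlap; 1 and 5 (20 MHz) do."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def find_conflicts(assignment, neighbors):
    """Return sorted pairs of neighboring APs whose channels overlap.

    assignment: {ap_name: channel}
    neighbors:  {ap_name: [ap_name, ...]} - APs whose coverage areas overlap,
                as determined by the site survey (the radio, not the wiring).
    """
    conflicts = set()
    for ap, channel in assignment.items():
        if channel not in US_CHANNELS:
            raise ValueError(f"{ap}: channel {channel} is not permitted in the US")
        for other in neighbors.get(ap, ()):
            if other in assignment and channels_overlap(channel, assignment[other]):
                conflicts.add(tuple(sorted((ap, other))))
    return sorted(conflicts)


def assign_channels(neighbors, channels=NON_OVERLAPPING):
    """Greedy assignment from the non-overlapping set: visit APs with the most
    neighbors first and give each the first channel that does not overlap any
    already-assigned neighbor. Raises if three channels are not enough, which
    means the placement (not the channel plan) has to change."""
    assignment = {}
    for ap in sorted(neighbors, key=lambda name: -len(neighbors[name])):
        used = {assignment[n] for n in neighbors[ap] if n in assignment}
        free = [c for c in channels if not any(channels_overlap(c, u) for u in used)]
        if not free:
            raise RuntimeError(f"{ap}: no non-overlapping channel left; "
                               f"neighbors already use {sorted(used)}")
        assignment[ap] = free[0]
    return assignment


# Constructed sample: four APs on one floor; ap-a overlaps b, c and d,
# and b and c also overlap each other.
SAMPLE_NEIGHBORS = {
    "ap-a": ["ap-b", "ap-c", "ap-d"],
    "ap-b": ["ap-a", "ap-c"],
    "ap-c": ["ap-a", "ap-b"],
    "ap-d": ["ap-a"],
}

# A departmental plan that left every AP on the factory default channel.
DEFAULT_PLAN = {ap: 6 for ap in SAMPLE_NEIGHBORS}

if __name__ == "__main__":
    print("conflicts in default plan:", find_conflicts(DEFAULT_PLAN, SAMPLE_NEIGHBORS))
    plan = assign_channels(SAMPLE_NEIGHBORS)
    print("proposed plan:", plan)
    print("conflicts in proposed plan:", find_conflicts(plan, SAMPLE_NEIGHBORS))
```

Running the script reports four conflicting pairs for the plan that leaves every AP on the default channel 6, then a proposed assignment of 1, 6, 11 and 6 with no conflicts. Four APs that all overlap one another cannot be served by three channels; `assign_channels` raises in that case rather than quietly picking an overlapping channel, which is the situation where AP placement has to be redesigned.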

Access Point Standards

In order to provide seamless interoperability across campus, all access points
must adhere to the IEEE 802.11b/g wireless specifications. 802.11a wireless
networks are not compatible or interoperable with 802.11b/g networks and are
therefore not recommended at the present time for general campus use (i.e., use
by all students, faculty and staff). APs must at a minimum support SNMP v1
network management (RFC 1157), including MIB II (RFC 1213) and the dot1d
bridge MIB (RFC 1493). The dot1d bridge MIB is needed to periodically collect
the list of wireless cards that have associated with an access point; that list
is used to track a given card's network address to a specific AP. Note that
SNMPv1 community names travel in the clear and a read community exposes the
association list, so the community name should be treated as a credential, never
left at a vendor default, and SNMP access should be restricted to the EITS
monitoring hosts where the AP supports such a restriction. EITS NOI recommends
either the Cisco 1220 or the Enterasys Roamabout R2 or other certified access
points.
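
The following is an added example, written for this document rather than taken from EITS or an AP vendor, of how the dot1d bridge MIB collection described above can be turned into a MAC-address-to-AP map. It assumes each AP was walked with net-snmp using numeric OIDs (for instance `snmpwalk -v1 -c <read-community> -On <ap> .1.3.6.1.2.1.17.4.3.1`) and parses that text; the AP names and the walk output below are constructed sample data.

```python
"""Build a MAC-address -> access-point map from dot1d bridge MIB walks.

Added example for this document, not an EITS tool. It assumes net-snmp output
in numeric-OID form (snmpwalk -On) and parses it. All walk text is constructed.
"""
import re
from collections import defaultdict

# RFC 1493 dot1dTpFdbTable entry; the row index is the 6-octet MAC address.
FDB_ENTRY = ".1.3.6.1.2.1.17.4.3.1"
COL_PORT, COL_STATUS = 2, 3                  # column 1 (address) repeats the index
STATUS_LEARNED, STATUS_SELF = 3, 4           # other(1) invalid(2) learned(3) self(4) mgmt(5)

LINE_RE = re.compile(
    r"^" + re.escape(FDB_ENTRY) + r"\.(?P<col>\d)\.(?P<idx>(?:\d{1,3}\.){5}\d{1,3})"
    r"\s*=\s*(?P<type>[A-Za-z-]+):\s*(?P<val>.*?)\s*$"
)


def mac_from_index(idx):
    """'0.11.133.1.2.3' -> '00:0b:85:01:02:03'"""
    return ":".join(f"{int(o):02x}" for o in idx.split("."))


def parse_fdb_walk(text):
    """Return {mac: {"port": int, "status": int}} for one AP's walk.
    Lines that are not dot1dTpFdbTable rows are ignored; a row without a
    status value is dropped because it cannot be classified."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mac = mac_from_index(m.group("idx"))
        col = int(m.group("col"))
        if col == COL_PORT:
            rows[mac]["port"] = int(m.group("val"))
        elif col == COL_STATUS:
            rows[mac]["status"] = int(m.group("val"))
    return {mac: r for mac, r in rows.items() if "status" in r}


def associated_stations(text):
    """MACs the AP has learned. self(4) rows are the AP's own interfaces and
    invalid(2) rows are stale, so only learned(3) entries count as cards."""
    return sorted(mac for mac, r in parse_fdb_walk(text).items()
                  if r["status"] == STATUS_LEARNED)


def build_station_map(walks):
    """{ap_name: walk_text} -> {mac: [ap_name, ...]}. A MAC seen on two APs in
    one round is reported as such (roaming, an unaged entry, or spoofing)."""
    seen = defaultdict(list)
    for ap, text in walks.items():
        for mac in associated_stations(text):
            seen[mac].append(ap)
    return {mac: sorted(aps) for mac, aps in seen.items()}


# Constructed sample walks from two APs (net-snmp -On style output).
SAMPLE_WALKS = {
    "ap-boyd-201": """
.1.3.6.1.2.1.17.4.3.1.1.0.11.133.1.2.3 = Hex-STRING: 00 0B 85 01 02 03
.1.3.6.1.2.1.17.4.3.1.1.0.2.45.16.32.48 = Hex-STRING: 00 02 2D 10 20 30
.1.3.6.1.2.1.17.4.3.1.2.0.11.133.1.2.3 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.2.45.16.32.48 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.3.0.11.133.1.2.3 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.3.0.2.45.16.32.48 = INTEGER: 3
""",
    "ap-herty-1": """
.1.3.6.1.2.1.17.4.3.1.2.0.2.45.16.32.48 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.4.35.170.187.204 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.3.0.2.45.16.32.48 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.4.35.170.187.204 = INTEGER: 2
""",
}

if __name__ == "__main__":
    for mac, aps in sorted(build_station_map(SAMPLE_WALKS).items()):
        print(mac, "->", ", ".join(aps))
```

In the sample, the AP's own radio MAC is excluded because its status is self(4), a stale invalid(2) row is dropped, and one card shows up on both APs in the same polling round. That last case is kept visible rather than collapsed to a single AP, because it may be a roaming card, an entry that has not aged out, or, as the Implementation Policies note, a spoofed address.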

Wireless access points are often installed in locations that make them easy to
steal. Since 802.11b/g APs allow the use of remote antennas (802.11a antennas
must be attached to the AP), we recommend locating 802.11b/g APs in locked wiring
closets and connecting them to antennas mounted in ceilings or on walls. If you
are deploying an 802.11a AP, or it is otherwise not possible to locate the AP in
a locked wiring closet, the AP should be hidden from sight (e.g., above ceiling
tiles), placed in a lockable enclosure, or bolted down such that removing it
would damage it. A stolen AP is also a configuration disclosure: any WEP key or
SNMP community name configured on it should be assumed compromised and changed.

One of the problems with wireless data transmission is that, by default, the data
can be intercepted by wireless receivers and with the right software (either
commercial or public domain) this data can be stored and analyzed. An individual
using this combination of wireless receiver and analysis software could be sitting
anywhere within reach of the wireless transmission or could be driving past a
building from which wireless signals are emanating. This possible scenario
constitutes a considerable data security threat.

To combat this security threat, the 802.11 standards allow for the encryption of
data between a wireless card and an access point using a protocol called Wired
Equivalent Privacy (WEP). WEP uses a 40- or 104-bit shared key (marketed as
"64-bit" and "128-bit"; the difference is the 24-bit initialization vector that
is sent in the clear with every frame), and this key must be distributed to and
installed on every workstation that has a wireless card. Because of the
difficulty in distributing encryption keys (which are relatively easy to recover
anyway), all APs that are designated for general campus use, i.e., for use by
all students, faculty and staff, should not have WEP encryption enabled, so that
roaming users with misconfigured cards are not prevented from communicating over
the wireless network. Departments that wish to set up WEP encryption for
specialized use may do so. However, because WEP encryption is weak (see
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html) and because data is not
encrypted once it passes from the wireless network to the wired one, departments
are strongly encouraged to use some form of virtual private network security
such as IPSec or Secure Sockets Layer encryption, rather than relying on WEP,
for all Internet applications. (Note: An IEEE task group [802.11i] is working on
better security standards, and AP manufacturers will be expected to provide
firmware upgrades to support these standards in their wireless devices once they
have been ratified.)
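
To make the weakness concrete, the following added example (written for this document; it is not from the standards text or the cited FAQ) implements RC4 and WEP's per-frame construction and then shows the keystream-reuse problem: WEP forms the RC4 key from the 24-bit initialization vector sent in the clear plus the shared key, so two frames encrypted under the same IV XOR to the XOR of their plaintexts, and knowing one plaintext reveals the other without the key. The key, IV and frame contents are constructed sample values.

```python
"""Why WEP is weak: keystream reuse under a repeated IV.

Added example for this document. It implements RC4 and WEP's framing
(IV || key as the RC4 key, CRC-32 ICV appended to the payload). The key,
IV and payloads below are constructed sample values.
"""
import zlib


def rc4(key, length):
    """Plain RC4: key-scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, payload):
    """WEP frame body: the 3-byte IV in the clear, then
    RC4(IV || secret_key) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):      # 40- or 104-bit key
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4(iv + secret_key, len(payload) + 4)
    return iv + xor(payload + icv, keystream)


def wep_decrypt(secret_key, frame):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + secret_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_with_known_plaintext(frame_a, frame_b, known_payload_a):
    """Attacker side, no key involved. Two frames with the same IV were
    encrypted with the same keystream, so body_a XOR body_b equals
    plain_a XOR plain_b. Knowing frame A's payload (a predictable ARP or
    DHCP packet, say) yields frame B's payload of the same length."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ, so the keystreams differ and nothing cancels")
    plain_a = known_payload_a + zlib.crc32(known_payload_a).to_bytes(4, "little")
    return xor(xor(frame_a[3:], frame_b[3:]), plain_a)[:-4]


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: probability that at least two of `frames` random IVs repeat."""
    space = 2 ** iv_bits
    p_no_repeat = 1.0
    for k in range(frames):
        p_no_repeat *= (space - k) / space
    return 1 - p_no_repeat


# Constructed sample: a 104-bit key and two 24-byte frames that reuse one IV.
KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403")
IV = bytes.fromhex("a1b2c3")
PAYLOAD_A = b"known arp request......."
PAYLOAD_B = b"password: letmein123...."
FRAME_A = wep_encrypt(KEY, IV, PAYLOAD_A)
FRAME_B = wep_encrypt(KEY, IV, PAYLOAD_B)

if __name__ == "__main__":
    print(recover_with_known_plaintext(FRAME_A, FRAME_B, PAYLOAD_A))
    print(f"P(IV repeat) after 5000 frames: {iv_collision_probability(5000):.2f}")
```

The birthday estimate at the end is why the 24-bit IV matters: with randomly chosen IVs a repeat is more likely than not after roughly 5,000 frames, which a busy access point transmits in minutes, and every repeat exposes a pair of frames in this way. Keystream reuse is only one of the documented WEP problems; the cited FAQ covers the others.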

It would be best to require users to provide authentication credentials before they
are allowed to use a wireless network. Some AP manufacturers provide
authentication via RADIUS (RFC 2865) which can be back-ended by some type
of LDAP enabled directory. An alternative approach is to link the wireless
network to the wired one through a gateway that requires user-level
authentication before traffic can pass from the wireless to the wired network.
EITS has researched a number of commercial and public domain authentication
gateways and has standardized on a product called Bluesocket. The Bluesocket
gateways provide secure, user-level, UGA MyID authentication for the campus
PAWS (Personal Access Wireless/Walkup System) wireless network initiative.
These gateways are also capable of providing seamless roaming among access
points connected to them. There is an emerging standard for authentication
called IEEE 802.1X. Until the IEEE 802.1X standard has been implemented both
in access points and in mobile desktop operating systems, authentication through
Bluesocket gateways will be required for all access points that are part of the
PAWS network.

Implementation Policies

As indicated earlier, wireless networks must be carefully designed so that
interference between two access points will not occur. All departments that wish
to deploy wireless networks must work with and obtain certification for any
wireless design from EITS NOI prior to its purchase and implementation. In
return, EITS NOI agrees to contact departments within two business days of
receiving a request to schedule a consultation to review a department's wireless
plan. Individuals or groups within a department are required to coordinate any
wireless implementation either with network support staff in their department, if
they exist, or directly with EITS NOI otherwise. In addition, all access points must
have their IP addresses & SNMP read community names (for monitoring
purposes), RF channel numbers, and building and room locations registered with
EITS NOI prior to activation on the network.

To ensure that all wireless network cards can obtain valid IP addresses, access
points must not be configured to provide them via DHCP but must be configured
as "bridge" devices. To facilitate IP address assignment via DHCP, valid IP
ranges can either be assigned to Bluesocket gateways or, in the absence of a
gateway device, the wireless network card's address can be registered in UGA's
central DHCP database. Although some APs can be set up to perform network
address translation (NAT) and hand out private addresses, no NAT service that
maps one public address to many private ones will be allowed through access
points, because accountability for the individual wireless devices behind it
would be lost.

All access points must be configured with an SSID, and those that are configured
for general campus use (i.e., use by all students, faculty and staff) must use the
common SSID value of "UGA" with no WEP encryption key set. APs for private
departmental use can have a different SSID from the campus one and can also
use WEP keys (preferably 128-bit) for added security.

Access to the wired campus network from wireless APs must be controlled via
secure authentication in which the authentication credentials (UGA MyID) can be
associated with a unique individual, through a Bluesocket gateway as described
above, in order to ensure accountability. Departments are also expected to
review the password awareness information found at http://www.infosec.uga.edu.
password awareness information found under http://www.infosec.uga.edu.
Alternatively, MAC (network card) address authentication can be employed either
by populating APs with those addresses or by pointing APs to a Bluesocket
gateway or RADIUS server containing the allowed MAC addresses. (Note:
Although a measure of accountability is possible through MAC address
authentication, this method does not provide foolproof accountability because
wireless network card addresses can easily be determined and spoofed.)

Departments are strongly encouraged to read the National Institute of Standards
and Technology document titled "SP 800-48 Wireless Network Security: 802.11,
Bluetooth, and Handheld Devices" as a guideline for best practices in wireless
security. This and other security standards documents can be found on the EITS
Information Security Standards Web page
http://www.infosec.uga.edu/standards.html.

Wireless Communication Security Policy (Draft)
(Revised August 26, 2003)

1.0 Principles

As an institution founded to create, acquire and disseminate knowledge, the
University is now providing for members of the community a Wireless
communication infrastructure. This infrastructure is the property of the University
and is provided for the sole purpose of facilitating the business of the University
including teaching, learning, scholarship, research, communication, and other
creative endeavors.

Campus responsibility for electronic wireless communication resources resides
with the Chief Information Officer and the UGA Office of Information Security
(hereafter referred to as UGA InfoSec). Policies and guidelines for deployment
of these systems are essential to prevent interference between different
departmental implementations, to coordinate other uses of the wireless
spectrum, to ensure and safeguard security across the UGA network, and to
maintain a quality of service connection to a diverse user community.

2.0 Code of Behavior

Abuse or interference with UGA network equipment is a violation of acceptable
use. Interference or disruption of authorized communications or unauthorized
interception of network traffic is a violation of UGA policy. In providing and
maintaining its electronic communication infrastructure, the University complies
with applicable federal, state, and local laws; and it requires that users do the
same.

3.0 Responsibility and Privacy

Due to the lack of privacy of network communication over wireless network
technology, all wireless traffic is presumed to be insecure and susceptible to
unauthorized examination. Because of the potential exposure inherent in wireless
technology, users should not use the wireless network to access critical and
essential applications or transmit sensitive material and information, such as
social security numbers or credit card information. Individuals assume full
responsibility and accountability for their actions.

4.0 Purpose

Only wireless systems that meet the criteria of this policy or have been granted
an exclusive waiver by UGA InfoSec are approved for connectivity to UGA’s
networks.

5.0 Scope

This policy covers all wireless data communication devices (e.g., personal
computers, laptop computers and other mobile wireless devices) connected to
any of UGA’s internal networks. This includes any form of wireless
communication device capable of transmitting packet data. Wireless devices
and/or networks without any connectivity to UGA’s networks do not fall under the
purview of this policy.

6.0 Policy

6.1 Register Access Points and Cards

All wireless Access Points / Base Stations connected to the UGA network are
subject to registration in a centrally maintained database. These Access Points /
Base Stations are also subject to periodic penetration tests and audits. All
wireless Network Interface Cards (i.e., PC cards) used in UGA laptop or desktop
computers are also subject to registration in a central UGA database.

6.2 Approved Technology

All wireless LAN access must use UGA-approved vendor products and security
configurations as identified in the official UGA Wireless LAN Standards policy.

6.3 Setting the SSID

The SSID shall be configured according to the criteria specified in the UGA
Wireless LAN Standards Policy so that it does not contain any identifying
information about the organization, such as the college or office/organizations
name, division title, employee name, or unique identifier.
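As an added example (not UGA's code), a small Python audit that checks AP inventory records against the SSID and WEP rules of the Wireless LAN Standards above and against the registration and SSID requirements in sections 6.1 and 6.3; the record fields, the list of identifying terms and the sample inventory are assumptions.

```python
"""Audit AP inventory records against the UGA Wireless LAN Standards: campus
APs use the common SSID "UGA" with no WEP key; departmental APs may use another
SSID and a WEP key (128-bit preferred); no SSID names an organization or person
(policy 6.3); every AP is registered centrally (policy 6.1). Added example, not
UGA's code: record fields, identifying terms and the sample inventory are assumed."""
import re

CAMPUS_SSID = "UGA"
# Constructed tokens that would name a college, office or lab (extend as needed).
IDENTIFYING_TERMS = {"college", "dept", "department", "office", "lab", "hall"}
PERSON_NAME_RE = re.compile(r"^[A-Z][a-z]+[._-][A-Z][a-z]+$")   # e.g. "Jane.Doe"

def wep_key_bits(key_hex):
    """Nominal WEP strength: 10 hex digits -> 64-bit, 26 -> 128-bit, None if no
    key is set, and 0 for a malformed key (so it is flagged, not passed)."""
    if not key_hex:
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26}", key_hex):
        return 64 if len(key_hex) == 10 else 128
    return 0

def ssid_identifies_org(ssid):
    """True if the SSID looks like it names an organizational unit or a person."""
    tokens = set(re.split(r"[^a-z0-9]+", ssid.lower()))
    return bool(tokens & IDENTIFYING_TERMS) or PERSON_NAME_RE.match(ssid) is not None

def audit_ap(ap):
    """Return [(severity, code), ...] for one AP record; an empty list is compliant."""
    findings = []
    ssid, key = ap["ssid"], ap.get("wep_key_hex", "")
    if ap["scope"] == "campus":
        if ssid != CAMPUS_SSID:
            findings.append(("error", "CAMPUS_SSID_MISMATCH"))
        if key:
            findings.append(("error", "CAMPUS_WEP_SET"))
    else:  # private departmental AP: WEP is optional but 128-bit is preferred
        bits = wep_key_bits(key)
        if bits == 0:
            findings.append(("error", "MALFORMED_WEP_KEY"))
        elif bits is None:
            findings.append(("warn", "NO_WEP_KEY"))
        elif bits < 128:
            findings.append(("warn", "WEP_KEY_NOT_128_BIT"))
        if ssid_identifies_org(ssid):
            findings.append(("error", "SSID_IDENTIFIES_ORG"))
    if not ap.get("registered", False):
        findings.append(("error", "AP_NOT_REGISTERED"))
    return findings

# Constructed sample inventory (not real UGA data).
SAMPLE_APS = [
    {"name": "ap-herty-1", "scope": "campus", "ssid": "UGA", "registered": True},
    {"name": "ap-lib-3", "scope": "campus", "ssid": "UGA-Library", "wep_key_hex": "0123456789", "registered": True},
    {"name": "ap-chem-2", "scope": "departmental", "ssid": "Chem.Dept.Lab", "wep_key_hex": "0123456789", "registered": True},
    {"name": "ap-closet-9", "scope": "departmental", "ssid": "x7q2p", "wep_key_hex": "0123456789abcdef0123456789", "registered": False},
]

if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(ap["name"], audit_ap(ap) or "compliant")
```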

7.0 Enforcement

Any student, faculty, or staff found to have violated this policy may be subject to
disciplinary action, up to and including termination of privileges.

8.0 Definitions

Service Set Identifier (SSID)
    An SSID is referred to as a network name because essentially it is a name
    that identifies a wireless network.

User Authentication
    A method by which the user of a wireless system can be verified as a
    legitimate user independent of the computer or operating system being used.

Wired Equivalent Privacy (WEP)
    The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless
    communication from eavesdropping. A secondary function of WEP is to prevent
    unauthorized access to a wireless network. WEP relies on a secret key that
    is shared between a mobile station (e.g. a laptop with a wireless Ethernet
    card) and an access point (i.e. a base station). The secret key is used to
    encrypt packets before they are transmitted, and an integrity check is used
    to ensure that packets are not modified in transit.

9.0 Revision History

July 6, 2003--expanded to support CDI Initiative

                         Blue Socket Security


Bluesocket gateways create a firewall between the access points (AP) and the
rest of our network. Only authenticated traffic is allowed to pass through the
gateway from the un-trusted WLAN to our trusted network. Wireless clients may
contact gateways through 802.11b/g or Bluetooth access points. Clients
authenticate against a central LDAP server using their MyID and password via an
SSL-enabled browser. Authenticated clients are assigned roles with predefined
access rights allowing us to enforce CoS and bandwidth control.
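A Python model of the gateway behaviour just described, added here as an example rather than Bluesocket's code: the roles, ports, the directory stand-in for the LDAP lookup and the sample flows are assumptions.

```python
"""Model of the gateway described above: the WLAN side is untrusted, a client
gets a session only after authenticating with its MyID and password (over the
gateway's SSL login page), and the session's role decides which traffic may
cross to the trusted network and at what rate. Added example, not Bluesocket's
code; roles, ports, the directory stand-in and sample values are assumptions."""
import hmac
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip dst_port nbytes")
GATEWAY_IP, LOGIN_PORT = "10.0.0.1", 443   # constructed; the login page is reachable unauthenticated

# Assumed roles: permitted destination ports (None = any) and a per-second byte budget.
ROLES = {
    "guest":   {"ports": {80, 443}, "budget": 250_000},
    "student": {"ports": {22, 80, 443, 993}, "budget": 750_000},
    "staff":   {"ports": None, "budget": 2_000_000},
}

class Gateway:
    def __init__(self, directory):
        self.directory = directory   # constructed stand-in for the LDAP bind: myid -> (password, role)
        self.sessions = {}           # client ip -> session dict

    def login(self, ip, myid, password, now):
        """Bind the client's IP to an individual; this binding is what gives accountability."""
        entry = self.directory.get(myid)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        self.sessions[ip] = {"myid": myid, "role": entry[1], "used": 0, "second": int(now)}
        return True

    def decide(self, flow, now):
        """Return (allowed, reason, myid-or-None) for one flow arriving from the WLAN side."""
        if flow.dst_ip == GATEWAY_IP and flow.dst_port == LOGIN_PORT:
            return True, "login page", None           # always reachable so clients can authenticate
        sess = self.sessions.get(flow.src_ip)
        if sess is None:
            return False, "unauthenticated client", None
        role = ROLES[sess["role"]]
        if role["ports"] is not None and flow.dst_port not in role["ports"]:
            return False, f"port {flow.dst_port} not allowed for role {sess['role']}", sess["myid"]
        if int(now) != sess["second"]:                # new one-second window: reset the budget
            sess["second"], sess["used"] = int(now), 0
        if sess["used"] + flow.nbytes > role["budget"]:
            return False, "bandwidth budget exceeded", sess["myid"]
        sess["used"] += flow.nbytes
        return True, "role policy", sess["myid"]

if __name__ == "__main__":
    gw = Gateway({"jdoe": ("correct-horse", "student")})   # constructed account
    print(gw.decide(Flow("10.1.0.5", "198.51.100.7", 80, 1000), 1.0))   # blocked: not logged in
    print(gw.login("10.1.0.5", "jdoe", "correct-horse", 1.0))
    for f in (Flow("10.1.0.5", "198.51.100.7", 80, 1000), Flow("10.1.0.5", "198.51.100.7", 25, 100)):
        print(gw.decide(f, 1.5))
```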




Each gateway can support 10 to 12 APs, and each AP can support dozens of
connections. Under perfect conditions 802.11b has a maximum speed of 11
Mbps, but typical data transfer rates are 5-7 Mbps. The gateway can deliver up to
100 Mbps of throughput (30 Mbps if IPSec is implemented). The gateways can
also support 802.11a, 802.11g and Bluetooth.

The gateway supports IPSec, PPTP and L2TP security protocols. It can also use
digital certificates, smart cards, and secure tokens. The gateway supports SNMP
for network management tools. The gateway provides roaming between APs
from different vendors on the same subnet and across subnets (via Secure
Mobility) without the need to re-authenticate. Multiple gateways can work
together. One unit becomes the master and other units act as slaves inheriting
the user-defined variables of the master.

A complete list of the WG-10000 specifications can be found on the Bluesocket
web site (www.bluesocket.com).

         Wireless Security Education and Awareness
WLAN 101 & Security

EITS is building a comprehensive series of training sessions for faculty, staff, and
students. One such course is entitled WLAN 101 and Security that focuses on
security issues related to wireless networking.

Like personal computers in the 1980s and the Internet in the 1990s, wireless
local-area networks (WLANs) are proving to be the next major evolution of
communications technology for business and personal use.

The adoption of personal computers in the 1980s led to the creation of local-area
networks that laid the initial roads to allow communication to flow like
automobiles through a city. A decade later the Internet created the highways that
efficiently connect each locality to the other.

Just as businesses and home users were forced to adopt and provide necessary
security for the preceding technologies to keep up with their users, wireless LANs
present similar productivity-boosting opportunities while introducing new security
concerns. However, the benefits far outweigh the risks when appropriate actions
are taken to minimize those risks.

Today, wireless LANs introduce a degree of mobility comparable to that of air
travel; communication is no longer limited to the infrastructure of wires. This
provides new opportunities and challenges.

Wireless LANs offer a quick and effective extension of a wired network or
standard LAN. By simply installing access points to the wired network, personal
computers and laptops equipped with wireless LAN cards can connect with the
wired network at broadband speeds from up to 300 feet from the access point.

Over the last few years, most deployments of WLANs have been on the 802.11b
standard that operates over the unregulated 2.4 GHz frequency spectrum. The
802.11b standard offers connectivity of up to 11 Mbps - fast enough to handle
large e-mail attachments and run bandwidth-intensive applications like video
conferencing. While the 802.11b standard now dominates the wireless LAN
market, other variations of the 802.11 standard, such as 802.11a and 802.11g
are being developed to handle increased speeds. Wireless LAN vendors have
committed to supporting a variety of standards.

Wireless Internet access, also known as WiFi, or wireless fidelity, allows you to
get rid of the cables dangling from the back of your PCs by broadcasting Internet
connections via radio waves. Then you just tune in from your computer. Here's
how it works:

   •   A transmitting antenna, usually linked to a DSL or high-speed land-based
       Internet connection, uses radio waves to beam signals.
   •   Another antenna, which is in the laptop or PC, catches the signal.
   •   The signal has a range of about 100 feet for most home connections. The
       farther the user is from the signal, the slower the connection speed.

WiFi users can choose from three types of adopted standard wireless solutions:
IEEE 802.11b, IEEE 802.11a, and IEEE 802.11g.

802.11 Summary:
IEEE 802.11b
      IEEE 802.11b devices operate in the 2.4 gigahertz or GHz frequency
      range (same as microwave ovens and many cordless telephones). The
      official data speed is 11 megabits per second or Mbps, but most
      equipment manufacturers have proprietary tricks to boost speeds up to 22
      Mbps. Maximum range is about 300 feet. These are the least expensive
      wireless devices and most widely adopted. "Hot spots" like Starbucks
      Coffee houses and airport lounges use these.
IEEE 802.11a
      IEEE 802.11a operates in the less crowded 5 GHz frequency range, at
      speeds up to 54 Mbps. The 11a specification supports more simultaneous
      users and offers a slightly more robust encryption feature. But its effective
      range is markedly less than 802.11b, often limited to line-of-sight
      distances within a single room. It's best used in offices, where a ceiling
      antenna can have line-of-sight access to computers in cubicles. IEEE
      802.11a devices can cost twice as much as comparable 11b devices.
IEEE 802.11g
      The IEEE 802.11g specification has recently received final approval, and
      companies are already releasing products based around the specs. At
      this moment 802.11g operates in the same 2.4 GHz frequency range as
      11b, which makes 11g backward-compatible with the big existing 11b
      device market.

The primary advantage of 11g is that it operates at speeds up to 54 Mbps but the
hardware costs only about 10-15 percent more than the cheaper 11b devices.
Most experts expect that 802.11g devices will replace 11b in most installations.

The benefits of wireless computing are being reinforced by the development of
new applications, as well as the extension of existing enterprise applications for
wireless use. Additionally, some enterprises are using wireless-specific
middleware to extend their own applications and gain immediate benefits.

Industries such as higher education, pharmaceuticals, healthcare, manufacturing,
retail and distribution are recognizing the benefits and need of wireless and
mobile computing due to the nature of their business.

The benefits of deploying wireless LANs can be summarized as the following:

   •   Mobility - Boost productivity with the convenience of wirelessly
       connecting to the network from any point within range of an access point.
   •   Rapid and flexible deployment - Quickly extend a wired network with the
       ease of attaching an access point to a high-speed connection; add
       additional Access Points as needed.
   •   Application agnostic - As an extension of the wired network, wireless
       LANs work with all existing applications.
   •   Attractive price - Deploying a wireless LAN can be cheaper than a wired
       LAN.
   •   Performance - Wireless LAN offers a relatively high-speed connection.

The airborne nature of WLANs opens them to intruders and attacks that can
come from any direction. WLAN traffic travels over radio waves that cannot be
constrained by the walls of a building. While employees might enjoy working on
their laptops from a grassy spot outside the building, intruders and would-be
hackers can potentially access the network from the parking lot or across the
street.

Intruders and hackers pose three main threats to the security of a WLAN.

   •   Eavesdroppers--Because wireless communication is broadcast over
       radio waves, eavesdroppers who merely listen to the airwaves can easily
       pick up unencrypted messages. Additionally, messages encrypted with the
       Wired Equivalent Privacy (WEP) security protocol can be decrypted with a
       little time and easily available hacking tools. These passive intruders put
       businesses at risk of exposing sensitive information to corporate
       espionage.
   •   Identity Theft--The theft of an authorized user's identity poses one of the
       greatest threats. Service Set Identifiers (SSIDs) that act as crude
       passwords and Media Access Control (MAC) addresses that act as
       personal identification numbers are often used to verify that clients are
       authorized to connect with an Access Point. However, existing encryption
       standards are not foolproof and allow knowledgeable intruders to pick up
       approved SSIDs and MAC addresses to connect to a WLAN as an
       authorized user with the ability to steal bandwidth, corrupt or download
       files, and wreak havoc on the entire network.
   •   Denial-of-Service Attacks--Outsiders who cannot gain access to a
       WLAN can nonetheless pose security threats by jamming or flooding the
       airwaves with static noise that causes WLAN signals to collide and
       produce CRC errors. These Denial-of-Service (DoS) attacks effectively
       shut down the wireless network in a similar way that DoS attacks affect
       wired networks.

Rogue Access Points

Because a simple WLAN can be easily installed by attaching a $50 Access Point
to a wired network and a $50 WLAN card to a laptop, employees are deploying
unauthorized WLANs when IT departments are slow to adopt the new
technology. In August 2001, Gartner Group reported that "at least 20 percent of
enterprises already have rogue WLANs attached to their corporate networks"
from authorized network users. Thus, risk-averse organizations that consciously
decide to delay deployment of WLANs because of the security risks need to
monitor their airspace to ensure that rogue WLANs do not inadvertently open a
door for intruders.

Incorrectly Configured Access Points

Incorrectly configured Access Points are an avoidable but significant hole in
WLAN security. Many Access Points are initially configured to openly broadcast
their SSID. SSIDs can be incorrectly used as passwords to verify authorized
users, which allows intruders to easily pick up an SSID and assume the
identity of an authorized user.

Network Abuses

Authorized users can also threaten the integrity of the network with abuses that
drain connection speeds, consume bandwidth and hinder a WLAN's overall
performance. A few users who clog the network by trading MP3 files can affect
the productivity of everyone on the wireless network.

The attention on the pitfalls of wireless LANs has inspired some enterprises to
ban wireless LANs altogether. However, security conscious enterprises are
fortifying their wireless LANs with a layered approach to security that includes:

   •   Discovery of rogue access points and vulnerabilities.
   •   Access point security.
   •   Encryption & authentication (which may include a virtual private network).
   •   Establishment and enforcement of wireless network policies.
   •   Proactive security with intrusion protection.
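As an added example (not UGA's or Bluesocket's code) of the rogue access point discovery step listed above and of the "Rogue Access Points" concern, a Python classifier that compares beacons captured by an airspace monitor against the central AP registry required by policy 6.1; the registry layout, the wired-MAC heuristic and all sample addresses are assumptions.

```python
"""Classify 802.11 beacons seen by an airspace monitor against the central AP
registry (policy 6.1) to surface rogue and misconfigured APs before they open a
door into the wired network. Added example, not UGA's or Bluesocket's code:
the registry layout, the wired-MAC heuristic and every sample value are assumed."""

CAMPUS_SSID = "UGA"

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def near_wired_mac(bssid, wired_macs, window=8):
    """Assumed heuristic: an AP's wired-side MAC is normally within a few
    addresses of its BSSID, so a BSSID numerically close to a MAC learned on a
    campus switch port is probably plugged into our network."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= window for m in wired_macs)

def classify_beacon(beacon, registry, wired_macs):
    """Return (verdict, reason). beacon: {"bssid", "ssid", "privacy"} where
    privacy is the beacon's capability Privacy bit (WEP required);
    registry: {bssid: {"ssid", "scope"}}; wired_macs: MACs from switch tables."""
    bssid, ssid = beacon["bssid"].lower(), beacon["ssid"]
    known = registry.get(bssid)
    if known is not None:
        if known["ssid"] != ssid:
            return "misconfigured", "registered AP is beaconing an unexpected SSID"
        if known["scope"] == "campus" and beacon["privacy"]:
            return "misconfigured", "campus AP must not require WEP"
        return "authorized", "matches registry"
    if ssid == CAMPUS_SSID:
        return "rogue", "unregistered AP advertising the campus SSID"
    if near_wired_mac(bssid, wired_macs):
        return "rogue", "unregistered AP appears attached to the wired network"
    return "unknown", "unregistered AP with no sign of wired attachment (neighbor?)"

def sweep(beacons, registry, wired_macs):
    """Classify each distinct BSSID once; returns {bssid: (verdict, reason)}."""
    out = {}
    for b in beacons:
        key = b["bssid"].lower()
        if key not in out:
            out[key] = classify_beacon(b, registry, wired_macs)
    return out

# Constructed sample data (not real UGA addresses).
REGISTRY = {
    "00:11:22:aa:bb:01": {"ssid": "UGA", "scope": "campus"},
    "00:11:22:aa:bb:02": {"ssid": "x7q2p", "scope": "departmental"},
}
WIRED_MACS = {"00:11:22:aa:bb:00", "00:33:44:10:20:30", "00:55:66:01:02:03"}
BEACONS = [
    {"bssid": "00:11:22:AA:BB:01", "ssid": "UGA", "privacy": False},        # authorized
    {"bssid": "00:11:22:aa:bb:02", "ssid": "Chem.Dept", "privacy": True},   # wrong SSID
    {"bssid": "00:55:66:01:02:04", "ssid": "UGA", "privacy": False},        # impersonates campus SSID
    {"bssid": "00:33:44:10:20:31", "ssid": "linksys", "privacy": False},    # next to a switch-learned MAC
    {"bssid": "00:99:88:de:ad:01", "ssid": "NETGEAR", "privacy": True},     # probably a neighbor
]

if __name__ == "__main__":
    for bssid, (verdict, reason) in sweep(BEACONS, REGISTRY, WIRED_MACS).items():
        print(f"{bssid}  {verdict:13} {reason}")
```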

                             Appendix


•   Wireless Networking in Higher Education in the US and Canada
    http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0202/EKF0202.pdf


•   Southern Directors Email Survey
    http://www.eits.uga.edu/inhouse/memos/public/wireless/sdwsurvey.pdf


•   Georgia Tech Wireless Case Study
    http://www.cc.gatech.edu/computing/Telecomm/seminar/fall01/wireless.pdf
