University of Glasgow wireless local area network policy

University of Glasgow wireless local area network policy

Purpose

This policy defines how existing and emerging Wireless technologies are to be deployed, administered and supported on the University’s campus networks. Although the main focus will be on wireless technology conforming to the IEE 802.11 standards, other standards including Bluetooth, cellular and 3G cellular will be incorporated when there is a requirement and expertise to do so. The primary concern is to ensure that wireless technology is deployed in a way that preserves the integrity of the University’s information technology infrastructure and delivers an acceptable level of service for the users of that technology; in particular we need to:

  • Establish the rules and support infrastructure required to enable appropriate, secure, reliable and compatible deployments of wireless technology on the University’s campus networks.
  • Safeguard the security of the University’s information resources
  • Prevent (or arbitrate) interference issues between Wireless deployments and or other uses of the relevant wireless spectrum (2.4GHz and 5GHz)
  • Ensure that authorised providers, systems administrators and users understand the security implications and performance limitations of the technology and the service levels achievable

Scope

This policy applies to all uses of 802.11 Wireless LAN technologies on the University of Glasgow campus networks. It covers all deployments inside University buildings and in outdoor areas provided by GUCS, authorised departments or research groups. Such deployments and use are subject to this and all relevant University Information Technology Policies.

This policy defines the roles and responsibilities of GUCS and other authorised providers in the deployment, support and administration of the Campus wireless infrastructure.

Background

Wireless LAN technology has been around for many years providing moderate bandwidth solutions for a variety of network provisioning problems e.g.,

Areas that are difficult to provide ‘wired’ solutions

  • Large open areas
  • Outdoor areas
  • Mobile users requiring network roaming
  • Free space inter building links across busy road ways
  • Disaster recovery situations  

However the technology started to gain widespread acceptance in 1999 with the ratification of the IEEE 802.11b standard for wireless local area networks. Hitherto the IEEE 802.11 specifications provided for relatively low bandwidths (1-2  Mbs); by contrast the  802.11b standard provided for signalling bandwidths of up-to 11Mbs. This performance boost led to a proliferation of low cost, interoperable and more reliable products, which provide a valuable companion to traditional ‘wired’ LAN solutions. The IEEE 802.11 working groups have been successful in developing and gaining standards approval for still higher performance Wireless LAN solutions i.e.,

  • 802.11a - an extension to 802.11 that provides up to 54 Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.
  • 802.11g – an extension to 802.11 that provides 20+ Mbps in the 2.4 GHz band.  

Despite this progress Wireless LANs have their limitations and disadvantages.

Performance

Wireless LAN technology is by nature contention based and analogous to Ethernet hubs, where the available bandwidth is shared (not necessarily equally) between all users of the LAN. Although signalling rates range from 11, 22+ and 54Mbs, useable bandwidth is significantly less than this, typically 5, 10+ and 27Mbs. Useable bandwidth is further reduced by:

  • Environmental conditions
  • Number of users
  • Distance to nearest access point
  • Interference from other radio sources

The level of performance does not compare favourably with the University’s Campus LAN ‘wired’ solutions where contention based 10Mbs Ethernet connections are being replaced by dedicated 10/100/1000Mbs Ethernet connections. Moreover Wireless LAN deployments require detailed planning to maximise coverage, reduce the effects of interference and optimise the available frequency bands. Unless deployments are implemented correctly and in a co-ordinated way then there will be an adverse impact on the service levels achievable.

Security

Out of the box, wireless LAN solutions are inherently insecure. They depend on weak Wired Equivalent Privacy (WEP) payload encryption and service set identifiers (SSIDs) for basic password based association with access points. WEP security has proven inadequacies associated with the WEP key initialisation vector (IV) and keys that remain inordinately static. In addition Wireless LAN sniffing tools are readily available via public domain Wireless LAN analysers; these can easily identify Access points, active SSIDs and potentially user data.

Costs

The purchase cost of Wireless LAN access points and wireless PC cards continue to fall and now offer apparent price competition to Ethernet switches and NICs. However the real costs associated with wireless LAN deployments will be concerned with establishing the administrative, support and security infrastructure to ensure that:

  • Wireless LANS meet University standards and policies
  • Wireless LANs are used for purposes that augment ‘wired’ solutions rather than replace ‘wired’ solutions
  • Wireless LAN devices and users are properly authenticated and authorised before access to University information resources is permitted
  •  An adequate level of encryption is implemented before any sensitive, private or restricted information is accessed via Wireless LANs

Definitions

  • 802.11:  Is a family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). At present there are four specifications in the family: 802.11, 802.11a, 802.11b, and 802.11g. All four use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.

The original 802.11 specification applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

  • 802.11b:  Sometimes referred to as 802.11 High Rate or Wi-Fi, is an extension to 802.11 specification that provides 11 Mbps transmission with automatic fallback to 5.5, 2 and 1 Mbps. 802.11b operates in the FCC unlicensed 2.4 GHz Industrial, Scientific and Medical (ISM) band using Direct Sequence Spread Spectrum (DSSS) technology. Under optimum conditions 11Mbs operation may be achieved at distances up-to 150 feet  (300 feet diameter) indoors or 800 feet outdoors.
  • 802.11a:  An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.  Under optimum conditions 54Mbs operation may be achieved at distances up-to 35 feet  (70 feet diameter) indoors; 802.11a is not suitable for outdoor deployments
  • 802.11g:  The most recently approved 802.11 standard for wireless local area networks, 802.11g offers wireless transmission over relatively short distances at up to 54Mbs. Like 802.11b, 802.11g operates in the 2.4 GHz frequency range and is thus compatible with it.
  • Access point: Sometimes known as AP, wireless access point or base station is a hardware device that acts as an 802.11 shared communication hub for interconnecting 802.11 stations with each other and a  wired LAN.
  • Ad-Hoc mode: A deployment of an  802.11 local area network whereby devices communicate directly with each other, without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS).
  • Authorised providers: GUCS, University departments and research groups who have been granted authority to provide wireless LAN facilities.
  • Bluetooth: Is an IEEE wireless networking standard (802.15.2) operating in the 2.4 GHz frequency band. It is a short-range (<30 feet) radio technology designed to simplify communications amongst devices; including data synchronisation.
  • GUCS:  Glasgow University Computing Service
  • 3G: Is an ITU specification for third generation mobile communications technology. 3G delivers increased bandwidth, i.e., up to 384 Kbps when a device is stationary or moving at pedestrian speed, 128 Kbps in a car, and 2 Mbps in fixed applications. 3G will work over wireless air interfaces such as GSM, TDMA, and CDMA.
  • Interference: The unwanted effects on wireless communication signals caused by Electromagnetic Interference (EMI), emanating from other sources. EMI can adversely affect wireless LAN performance and in extreme cases render it unusable.
  • SSID: The ‘Service Set Identifier’ may be used as a relatively insecure security key for a wireless LAN, somewhat like a password. If an SSID is configured for an Access Point, then only client wireless systems configured with the same SSID may associate with that Access Point.
  • War Driving: War driving is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving you need a vehicle, a computer fitted with a wireless Ethernet card set to work in promiscuous mode and an antenna that can be mounted on top of or positioned inside the vehicle. Since a wireless LAN may have a range that extends beyond its intended area of coverage, an outside user may be able to attach/associate with a wireless LAN to obtain a free Internet connection, access sensitive information or other restricted resources.
  • WEP: Short for Wired Equivalent Privacy. WEP is the security protocol associated with wireless local area networks as defined by the 802.11b working group. WEPs goal is to provide the same level of security as that found on wired LANs. WEP enables payload data to be encrypted via 40-bit or 128-bit keys. However its implementation and usage have not provided the level of security required by most organisations.
  • Wireless PC Card:  A Network Interface Card (NIC) installed in a client system, normally but not exclusively a PCMCIA Type II slot in a notebook/laptop computer, that enables data communication with an Access Point or other system via radio signals.
  • Wi-Fi:  Short for "wireless fidelity" is a popular term used for a high-frequency wireless local area network.

Policy

General

The University of Glasgow Computing Service department (GUCS) has overall responsibility for the University’s data communications infrastructure. GUCS will therefore be responsible for the deployment, management and support of all wireless local area networks that serve common flexible access areas and all areas where a connection to the University’s campus network is required. If department heads or research group leaders have specialised teaching or research requirements involving wireless LANs, that cannot be satisfied via central provisions; they may seek approval from the Director of the Computing Service to deploy wireless LANs in areas for which they have sole responsibility and a legitimate teaching or research requirement; they will then become authorised providers for those areas. 

GUCS and other authorised providers may only deploy wireless LANs that conform to this Policy and all other University Information Technology Policies.

Only hardware and software conforming to wireless standards approved by this Policy shall be used in wireless LAN deployments

All wireless LAN deployments must be registered with GUCS who will periodically check the deployment for compliance with this policy. If interference problems occur between wireless LAN deployments then GUCS will arbitrate to provide an acceptable resolution.

Suitability

Wireless LANs should not be considered as a substitute for University standard ‘wired’ network connection points. Wireless LANs can be used effectively to augment standard network connection points in the following situations:

Areas where it is difficult or cost prohibitive to provide ‘wired’ solutions

  • Flexible access areas where staff, students and approved visitors may use their own workstations
  • Mobile users requiring network roaming
  • Free space inter building links across busy road ways
  • Temporary solutions for Network service provision
  • Disaster recovery situations

Technology

Initially the 802.11b, 802.11a and 802.11g standards for wireless Local Area Networks will be supported, however central deployments of the 802.11g standard will not occur until it completes the IEEE standardisation process. In order to ensure that current and future deployments conform to existing and planned authentication, authorisation and encryption strategies; equipment choice within these standards will be limited as follows:

  • It is recommended that all Access Points should be purchased from the Cisco Aironet product range. If this is not possible then Access Points that provide support for the following should be purchased:
    • 128-bit WEP keys
    • 802.1x authenticator
    • Dynamic/rotating WEP keys
    • Radius extensions for VLAN assignments and or SSID restrictions
    • Firmware upgradeable to 802.11i Next Generation Authentication and Encryption framework

Existing deployments may continue for as long as they do not breach this Policy and there is a commitment to migrate to an appropriate model when a replacement is required. NB. The University has framework purchase and support agreements for all Cisco products.

  • It is recommended that all wireless PC cards should be purchased from the Cisco Aironet product range. If not then cards that support the following should be purchased;
    • Cards that meet the security policy of the target deployment
      NB for centrally supported deployments this would be:
    • 128-bit WEP encryption
    • 802.1x client (supplicant)
    • Dynamic/rotating WEP keys
    • Cisco VPN client compatible drivers

For centrally managed deployments only the TCP/IP protocol suite will be supported.

Installation and management

Proper installation and management will be critical for a successful wireless LAN deployment. Authorised providers must ensure that:

  • No restrictions on installation or placement of equipment are in force for the proposed location; If in doubt authorised providers should seek advice from Estates & Buildings
  • A site survey is carried out prior to installation to ensure:
    • No interference to/from other radio sources
    • Optimum location for desired coverage including connections to power and ‘wired’ network connection point
  • Installations must comply with all health and safety, building and fire regulations
  • Access Point configuration and client access conforms with this Policy and all other University Information Technology Policies
  • Deployments are fully maintained and supported commensurate with this Policy and the importance of the service offered
  • Installation and support staff with appropriate skill levels are identified together with their roles and responsibilities
  • Deployments are registered with GUCS

On request GUCS will provide advice or fully costed and supported solutions for authorised wireless LAN deployments.

Interference and interference management

At present there are many devices, which operate in the same 2.4GHz frequency band as 802.11b (g) deployments. These devices include microwave ovens, cordless phones some cameras, and Bluetooth PANs etc. To help avoid interference, the use of such devices in areas suitable for wireless LAN deployments are discouraged. At present the 5GHz unlicensed band is far less cluttered, therefore no corresponding restrictions will apply to 802.11a deployments at this time. If after investigation problems are confirmed to be the result of interference then approved 802.11 wireless LAN deployments will have priority, this dictates that users of other radio devices will be required to cease using them. In cases where devices causing interference are being used for critical applications GUCS will work with those involved to find an acceptable solution. In circumstances where interference cannot be remedied by workarounds or arbitration the following priorities will be observed:

  • Heath and safety
  • Teaching applications
  • Research requirements
  • Flexible access provision  

If interference is caused by non-compliant, or unregistered wireless Local Area Networks then these must be removed from operation; It is essential that the University reserves the limited channels available in the 2.4Ghz and 5GHz unlicensed bands for approved deployments.

Registration procedure

All deployments of wireless Local Area Networks must be registered with GUCS. This includes existing deployments as well as new deployments. Authorised providers must register the following information:

  • Purpose of deployment
  • Wireless equipment and 802.11 standards supported
  • Access Point locations and area covered
  • Frequency bands and channels used
  • IP and MAC address of Access points and IP address range of associated stations
  • Wired network connection point details; port id, hub/switch port number, speed and duplex mode
  • Security provisions
    • Physical
    • Authentication and authorisation
    • Virtual Local Area Networks (VLANs) in use if any
    • SSID conventions
    • Encryption used
    • Security awareness
    • Monitoring procedures
  • Support services – where appropriate
    • Radius server details
    • BootP/DHCP server details
    • VPN server(s) details
  • Administrative, technical and maintenance contacts

GUCS will maintain records of all wireless LAN deployments; this information may be provided in a restricted form to other authorised providers

Security and access controls

Security provisions must be inherent in the design and implementation of all wireless LAN deployment. Security provisions must provide adequate measures to guard against unauthorised access to or miss-use of University provided Information Technology resources; in particular measures must be implemented to ensure:

  • User authentication and authorisation credentials must be established before access to other resources are permitted
  • Strong data encryption procedures are implemented on the Wireless LAN before access to other resources are permitted
  • Support staff and monitoring tools are available to help investigate incidents and ensure compliance with this and other relevant University Policies
  • All relevant associations are recorded i.e.,
    • Wireless client with access point, including time stamps
    • Wireless client/user authentication status, including time stamps
    • Wireless client MAC address and assigned IP address, including time stamps
  • Only those servers and services necessary for the legitimate operation of the wireless LAN are connected
  • Stations operating in Ad-Hoc mode are not permitted
  • Stations offering services that compromise security e.g., Proxy, relaying, routing, or BootP/DHCP services are not permitted
  • Stations in breach of this Policy or any other relevant University Policy can be identified and if necessary removed or blocked from accessing the wireless LAN  

Achieving the required levels of security will be dependant on several factors including the purpose and scale of deployment and the features provided by the chosen technology. A deployment designed to support a relatively small close-knit user community may be able to implement an acceptable access control policy based on station MAC addresses and strong data encryption. Whereas deployments that cover large areas and have the potential to support many users will need to implement more robust access controls.

This Policy defines 4 methods for achieving acceptable levels of security namely;

  • Station MAC address access controls with strong encryption via 128-bit dynamic WEP keys for small identifiable workgroups
  • Station MAC address access controls and services restricted to those that provide inherent security e.g., SSH, SSL etc for small identifiable workgroups
  • Implementing a secure Virtual Private Network (VPN) between the wireless LANs and resources on the ‘wired’ network
  • Implementing the 802.1x standard for initial authentication and authorisation together with strong (128-bit) dynamic/rotating WEP keys and radius policy based VLAN or SSID restrictions

Deployments that fail to implement acceptable levels of security will not be permitted

The 802.11 working groups are making significant progress with respect to improving security and performance on wireless LANs. This Policy will be modified as necessary to incorporate new developments and local experiences.

Responsibilities

GUCS will be responsible for:

  • Policy maintenance and updates
  • Recording and reviewing wireless LAN registrations
  • Monitoring wireless LAN compliance with this and other University Policies
  • Resolving interference problems
  • Designing, deploying, supporting and managing wireless LANs in common flexible access areas
  • Designing, deploying, supporting and managing wireless LANs that require connection to the University’s campus network
  • Recording associations i.e.,
    • Wireless client and access point associations, including time stamps
    • Wireless client/user authentication status, including time stamps
    • Wireless client MAC address and assigned IP address, including time stamps
  • Monitoring and recommending wireless LAN standards for use on campus
  • Ensuring other authorised providers understand the support and security overheads associated with wireless LAN deployments
  • Informing users of all Policies relating to the use of wireless LANs
  • Providing assistance to other authorised providers in the design and deployment of wireless LANs

Other Providers will be responsible for:

  • Wireless LAN deployments and ongoing support in areas where they have sole occupancy, responsibility and a legitimate teaching or research requirement that cannot be satisfied via central provisions.
  • Adhering to this and all relevant University Policies, heath and safety, building regulations and national legislation with respect to wireless LAN installation and use.
  • Recording associations i.e.,
    • Wireless client and access point associations, including time stamps
    • Wireless client/user authentication status, including time stamps
    • Wireless client MAC address and assigned IP address, including time stamps
  • Registering their wireless LAN deployments with GUCS.
  • Informing users of all University Policies, security and performance limitations associated with the use of wireless LAN technology.
  • Monitoring conformance, security and performance of their wireless LANs.
  • Providing assistance for resolving incidents that may arise via their wireless LAN deployments.

Users will be responsible for:

  • Adhering to this and all relevant University Policies
  • Providing, registering, configuring and maintaining their own systems for use on the flexible access wireless LAN

References

This policy is based on information gathered from a variety of sources including:

  • Local procedures and experience
  • Consultation with interested parties
  • Other Organisations and Institutions