Wireless Network Policy


To understand the need for a policy that prescribes a centrally managed wireless network, it is helpful to understand some of the premises and principles that guide Webster University in constructing and operating an enterprise-wide wired network. These policies are logically extended to wireless networking because of some very compelling technical and operational realities.

Note: The following information was borrowed with permission from the University of Kansas. It has been extensively adapted to reflect Webster University's unique environment and current situation relative to wired and wireless networking. Definitions of technical terms used in this article are provided at the end of the page.

The Enterprise Wired Network at Webster University

Economy derives from controlling the total cost of ownership to Webster University by reducing the total number of separate and distinct systems required to service all the diverse information transport needs. Coordinated, standardized purchasing and coordinated infrastructure maintenance increase buying power and decrease labor costs. Economy also derives from providing one ubiquitous and uniform network, so that connectivity is available everywhere at any time. Last but not least, economy derives from adopting standards for network infrastructure construction, for network protocols, and for network acceptable use.

An aggregation of separate, discrete, and departmentally-managed networks or extended site-managed networks would not constitute an infrastructure that can meet institutional goals in terms of its effectiveness nor would it provide for the best and most efficient return on Webster University's investment. In many cases it may appear that a department or extended site can build an internal network that costs less and is more effective in meeting the unique need of that particular department. However, when many or all departments/sites build and run their own private networks, the expense is far greater than when one centrally administered network is constructed.

Enterprise class networks on the other hand, by definition, provide for the most reliability, capability and security for the least cost to the institution as a whole. Webster University has therefore adopted the premise that institution wide enterprise telecommunication networks are the most effective way to provide for its information access and transport needs.

Enterprise level networks require a high level of coordination in planning, management and maintenance to ensure the reliability and the integrity of the information services they support. One proven way to provide for this coordination is through central administration and management. Through central administration and management, Webster University also ensures that the resource itself is constructed and operated in an integrated, cost-efficient and effective manner. It is only through centrally coordinated information technology strategic planning and implementation that the core technology goals of the institution are met.

A major component of implementing an enterprise class network is the adoption of a uniform set of components, installation practices, and operational criteria in the construction, use and ongoing management of its enterprise networks. The common method universities use to prescribe such a uniform set of standards in components, construction practices, and usage rules is to create and adopt an institution-level policy.

Extension of an Enterprise Wired Network Policy into the Wireless Implementations

The utility of wireless network technology can have a positive effect on teaching, learning, and administration. Webster University has now concluded that wireless network technology has advanced to the point that an institution-wide approach to its construction and operation should be adopted. For the same reasons Webster University has adopted the practice/policy that centrally managed enterprise wired networks are the most effective way to provide its constituency with reliable, capable, secure and economical wired connectivity, Webster University is now extending that notion to its wireless network space and implementation.

One consequence of the decision to view wireless as a University resource rather than a department or site resource is the realization that wireless local area networks, when connected to the Webster University wired network, are an extension of the enterprise wired network to which they are connected. This means that all University policies concerning the Webster University enterprise wired network also apply to wireless connections.

It is required, therefore, that all end-user devices providing wireless access, and all end-user systems connecting to the wireless enterprise network distribution infrastructure, comply with the same policies, procedures, and practices governing the use and operation of any end-user device or system connecting to the Webster University enterprise wired network.

A second realization is that a decision on whether to allow private wireless systems (departmentally, site, or individually owned/managed systems) to exist or not needs to be made. After much discussion on the pros and cons of this approach, the decision is that no private wireless networks are to be allowed at Webster University, either on main campus or at extended domestic sites. (Some latitude will be allowed for international extended sites, although a high degree of coordination will be required.)

Just as for enterprise wired networks, the creation of an enterprise-level wireless data network requires the adoption of a uniform set of components, installation practices, processes, procedures and operational criteria. Just as for Webster's enterprise wired networks, a central management entity is designated to ensure uniformity. Therefore, a central entity should be responsible for establishing and maintaining standards for 802.11x wireless access points (equipment and installation) for use at Webster University across all locations. Additionally, all WLAN systems should be installed, configured and managed by a central entity, just as all wired networking components are installed, configured, and managed by a central entity.

Challenges Of Wireless Networks

Wireless also presents its own unique challenges as we try to provide for reliability, capability, security and economy. These challenges relate to spectrum allocation, interoperability, security, and overall network performance.

Spectrum Allocation

802.11x wireless LAN technology operates in unlicensed portions of the electromagnetic spectrum. This means that the FCC has no role in preventing interference, whether it comes from other users of 802.11x equipment or from the myriad of other devices designed to operate in the same bands. Well-known sources of conflict in the 2.4 GHz band used by 802.11b and 802.11g include 2.4 GHz cordless phones and microwave ovens (older models especially). Some laboratory equipment operating within the same frequency range may also cause interference, and Bluetooth, which also uses the 2.4 GHz range, is another potential source of conflict. 802.11a technology operates in the 5 GHz band, which is likewise unlicensed and shared with numerous consumer wireless devices, so it too may interfere with or be interfered with by them.

For Webster University, this interference can have a detrimental impact on the utility of 802.11x technologies as more wireless devices are deployed.

For example, what would happen if two departments each installed an access point (AP) in adjacent areas of one building and, to get better coverage, one department also fitted its AP with an antenna that boosted its signal? Most likely neither department would enjoy much usable wireless access. The two APs compete for the same unlicensed channel space, and unless someone puts them on non-overlapping channels and sizes their coverage areas to match, each AP's RF signal interferes with the other's. Nobody is in a position to do that coordination when each department buys and installs its own equipment.

There is great potential for the proliferation of wireless communications products (not just wireless data networks) in the next few years. The resulting likelihood of interference between such devices and services using the wireless communications spectrum make it essential that wireless activities across the university be centrally coordinated. This is particularly important in "public" areas, or in buildings which house multiple departments or organizations, where several groups may have an interest in using or even providing wireless service. The shared spectrum of wireless technology does not allow for an unlimited number of these devices to be placed into service and requires coordination in order to maximize this technology's potential for Webster University as a whole.

As the number of wireless communications devices increases, so does the potential for channel interference. To avoid spectrum conflicts and to maximize the efficient utilization of this scarce resource in supporting Webster University's mission, central coordination in the use of this unlicensed spectrum by the Webster University constituency is essential. For this reason, we have a central authority (the NTS department of IT) that both authorizes and monitors the use of frequencies, in much the same way that Webster's IP address space is currently assigned and controlled. To decrease the potential for interference and to maximize the effectiveness and efficiency of Webster University's use of the wireless spectrum, the following operational principles are adopted:

  • Within its geographic/building boundaries, the unlicensed spectrum should be viewed as being "owned" by Webster University and its use should be coordinated centrally
  • No wireless implementation should be placed into operation without advance consultation and coordination with Networking and Technical Services of IT
  • All WLANs will be operated in such a manner that they do not interfere with other WLANs or Webster University's enterprise wired data network
  • Networking and Technical Services will resolve and manage frequency coordination. However, it must be noted that the central entity cannot guarantee interference-free operation of any WLAN from other unknown or non-university WLAN systems or from other devices operating in the same unlicensed spectrum as the WLAN.
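The adjacent-AP scenario above, worked through in code. This is an added illustration, not a tool from the page or from Webster's Networking and Technical Services: it uses the published 802.11b/g channel centre frequencies and a 22 MHz channel width to decide which channels overlap, then assigns channels to a constructed set of APs the way a central coordinator would. The AP names and the adjacency data are made up.

```python
"""Added example: why two nearby APs on overlapping 2.4 GHz channels interfere,
and how a central coordinator assigns non-overlapping channels.
Constructed data; not part of any Webster University tooling."""

# 802.11b/g channel centre frequencies in MHz: channels 1-13 are 5 MHz apart
# starting at 2412 MHz; channel 14 (Japan only) sits at 2484 MHz.
CHANNEL_CENTER_MHZ = {n: 2407 + 5 * n for n in range(1, 14)}
CHANNEL_CENTER_MHZ[14] = 2484

# An 802.11b DSSS channel occupies roughly 22 MHz; two channels whose centres
# are closer than that overlap, and APs on them contend for the same spectrum.
CHANNEL_WIDTH_MHZ = 22


def channels_overlap(a: int, b: int) -> bool:
    return abs(CHANNEL_CENTER_MHZ[a] - CHANNEL_CENTER_MHZ[b]) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 12)):
    """Greedy pick of mutually non-overlapping channels (1, 6, 11 for the US set)."""
    chosen = []
    for c in channels:
        if all(not channels_overlap(c, x) for x in chosen):
            chosen.append(c)
    return chosen


def assign_channels(aps, neighbors, allowed=(1, 6, 11)):
    """Give each AP a channel that differs from every AP it can hear.

    aps: list of AP names. neighbors: set of frozenset({a, b}) pairs whose
    coverage areas overlap (adjacent rooms, or a boosted-antenna AP that
    reaches further). Returns {ap: channel}; an AP gets None when every
    allowed channel is already taken by a neighbour, which tells the
    coordinator that the layout itself, not just the channel plan, must change.
    """
    # Colour the most-constrained APs first: the usual greedy graph-colouring heuristic.
    degree = {ap: sum(1 for pair in neighbors if ap in pair) for ap in aps}
    plan = {}
    for ap in sorted(aps, key=lambda a: -degree[a]):
        used = {plan[n] for pair in neighbors if ap in pair
                for n in pair if n != ap and n in plan}
        free = [c for c in allowed if c not in used]
        plan[ap] = free[0] if free else None
    return plan


def interference_pairs(plan, neighbors):
    """Neighbouring APs whose assigned channels overlap (both must have a channel)."""
    bad = []
    for pair in neighbors:
        a, b = sorted(pair)
        if plan.get(a) is not None and plan.get(b) is not None \
                and channels_overlap(plan[a], plan[b]):
            bad.append((a, b))
    return sorted(bad)


if __name__ == "__main__":
    # Constructed scenario from the text: two departments in adjacent areas of
    # one building, each with an AP, both left on the factory default channel 6.
    uncoordinated = {"deptA-ap": 6, "deptB-ap": 6}
    adjacency = {frozenset({"deptA-ap", "deptB-ap"})}
    print("uncoordinated conflicts:", interference_pairs(uncoordinated, adjacency))
    # A third AP with a boosted antenna that now reaches both of the others.
    aps = ["deptA-ap", "deptB-ap", "boosted-ap"]
    adjacency |= {frozenset({"boosted-ap", "deptA-ap"}), frozenset({"boosted-ap", "deptB-ap"})}
    plan = assign_channels(aps, adjacency)
    print("coordinated plan:", plan, "conflicts:", interference_pairs(plan, adjacency))
```

With only three non-overlapping channels available in the 2.4 GHz band, a fourth AP that can hear the other three cannot be given a clean channel at all; `assign_channels` reports that as `None` rather than silently picking an overlapping one, which is the point at which the coordinator has to move an AP or turn its power down.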

Interoperability

To allow devices, networks and systems to communicate with each other, all must use a common language. To promote that common language, information systems rely on the concept of standards. In information systems, standards relate to adherence to common hardware and software. To maximize the ability of systems to interoperate, institutions can issue a list of standards that must be adhered to and/or delegate the responsibility of choosing, implementing, and managing a standard to a central coordinating entity.

Most institutions find that the skill sets of a central entity allow a focus on the technology that exceeds what any individual department or site can sustain over time. A central entity can devote its entire effort to this as its central mission, whereas an individual department most of the time cannot afford the ongoing resource commitment.

For wireless, even with the existence of standards, compatibility and seamlessness are enhanced by deploying a uniform set of equipment. Networking and Technical Services has working relationships with several vendors of proven, high-quality networking products, whose products have a demonstrated ability to interoperate with each other, and from whom we can expect reliable technical support to work out unforeseen issues. Incompatibilities between vendor-specific standards and implementations can be minimized, as can the "finger pointing" between competing vendors. Utilizing a standard set of equipment will ensure a seamless network as wireless connectivity grows, as well as consistent management of devices across the many main campus buildings and extended campus sites.

Additionally, since 802.11x wireless devices and systems extend Webster University's enterprise wired environment, these devices and systems can have a detrimental impact on the performance and/or integrity of Webster University's wired networks. To provide for interoperability between the wired and wireless networks, therefore, wireless must not only adopt interoperability standards in the wireless space but also be made compatible with the wired space.

To achieve the notion of one interoperable enterprise wireless network system, the following operating policies/principles can be seen as important:

  • That all WLAN systems should be considered University systems
  • That a central entity should be responsible for establishing and maintaining standards for 802.11x wireless access points (equipment and installation) for use across Webster University, and that any WLAN component will be placed into operation only by the Networking and Technical Services department of central IT (or with their coordination and instructions),
  • That all WLAN components and systems should be installed, configured and managed by Networking and Technical Services (with some latitude for international sites).

Security

At this time, "out-of-the-box" 802.11x technology is inherently insecure. The security mechanisms built into a wireless access point do very little either to prevent unauthorized access to the network or to protect the data being transmitted from being read by unauthorized parties. Attention to security is a priority within Webster University Information Technology. Protection against unauthorized access to sensitive institutional data includes securing the network itself. Security concerns related to the adoption of wireless networking technologies far outweigh all other aspects of the 802.11x environment, including those of convenience and access.

Unlike switched wired networks, where an attacker needs a physical connection to the right segment, wireless transmissions can be intercepted by anyone within radio range with an ordinary wireless card. Sensitive clear-text information such as passwords to enterprise systems, credit card numbers and e-mail can be easily "sniffed" and abused. Even more troubling is the problem of a session being hijacked. An attacker in range can intercept a user's wireless conversation with a server and then masquerade either as the user, or as the server with which the user thinks he is communicating. For example, you perform a wireless login onto e-Bay, but your connection is intercepted by a rogue server that emulates e-Bay. You provide your credit-card number and, voilà, your purchases are mailed elsewhere but the bill gets charged to your credit card.

To avoid these problems it is important to implement a mechanism whereby wireless users must identify and authenticate themselves before access is granted, and to encrypt wireless transmissions.

Authentication

To protect Webster's network resources, access to the Webster wireless network is restricted to members of the campus community who have a valid Connections ID and password.

The Webster wireless network will use a web-based authentication scheme to authenticate a wireless session via a Connections ID and password. Users will open an SSL-enabled web browser to any page and will be redirected to the Webster Wireless Network login page, where they will need to enter their Connections ID and password. If authenticated, the user will be redirected to the page they originally requested. This method has the advantage of not requiring additional client software or firmware upgrades (nearly everyone has a web browser available), nor is it vendor-specific. Note that the SSL session protects only the login exchange itself: once a user is authenticated, the rest of that user's traffic is protected only by whatever encryption the individual application provides (for example SSL or SSH), which is why the encryption question discussed below matters.
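A minimal model of that login flow, added here as an example; it is not Webster's actual portal code. The hostnames, the `CaptivePortal` class and the user store standing in for the Connections ID directory are all assumptions. It shows two things a practitioner should check in a portal of this kind: that the page the user is returned to is remembered on the gateway side rather than trusted from a query parameter (a pre-filled "return to" parameter is a classic phishing vehicle), and that a wrong ID and a wrong password are indistinguishable to the caller.

```python
"""Added example of a web-based (captive portal) wireless login flow.
Hypothetical code; hostnames and the user store are constructed stand-ins."""

from urllib.parse import urlparse
import hashlib
import hmac

LOGIN_URL = "https://wireless-login.example.edu/login"  # assumed portal hostname
DEFAULT_LANDING = "https://www.example.edu/"             # assumed landing page
_SALT = b"constructed-salt"                              # a real store uses per-user salts


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed stand-in for the Connections ID directory: ID -> password hash.
USERS = {"jdoe": _hash("correct horse")}


def safe_return_url(candidate: str) -> str:
    """Only send a browser back to an absolute http(s) URL; anything else
    (javascript:, data:, a bare path, an empty value) goes to the landing page."""
    p = urlparse(candidate or "")
    if p.scheme in ("http", "https") and p.netloc:
        return candidate
    return DEFAULT_LANDING


class CaptivePortal:
    def __init__(self):
        self.sessions = {}  # gateway-side client identifier (MAC/IP) -> Connections ID
        self.pending = {}   # client identifier -> page originally requested

    def handle_request(self, client: str, url: str):
        """Authenticated clients pass; everyone else is redirected to the SSL login page.
        The original URL is remembered server-side, keyed by client, instead of being
        carried in a query parameter that an attacker could pre-fill in a phishing link."""
        if client in self.sessions:
            return ("allow", url)
        self.pending[client] = url
        return ("redirect", LOGIN_URL)

    def login(self, client: str, user_id: str, password: str):
        """Verify the ID/password; on success open a session and return the user
        to the page originally requested."""
        stored = USERS.get(user_id, b"")
        # Always compute the hash and use a constant-time compare, so an unknown ID
        # and a wrong password cost the same time and produce the same answer.
        if not hmac.compare_digest(stored, _hash(password)):
            return ("deny", LOGIN_URL)
        self.sessions[client] = user_id
        return ("redirect", safe_return_url(self.pending.pop(client, DEFAULT_LANDING)))

    def logout(self, client: str) -> bool:
        return self.sessions.pop(client, None) is not None
```

Two limits worth knowing. A session tied to a client's MAC or IP address as seen by the gateway can be ridden by anyone in range who clones that address after the legitimate user has logged in, since nothing cryptographic binds later frames to the login; and nothing here encrypts the traffic that follows login, which is the gap the encryption discussion below describes.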

Encryption

The original 802.11 security standard, WEP (Wired Equivalent Privacy), has been proven to have inherent flaws that render it largely useless, particularly for large-scale enterprise-level deployment. WEP relies on a key (password) shared between the access point and the client for encryption/decryption. Unfortunately, this is usually a single key which all prospective users must share, which means that the password is no longer very private, and when the key is compromised (shared with or lost to an unauthorized user), a new key must be re-issued to all authorized users. Even when WEP is available, users very often deliberately fail to turn it on because it makes both setup and long-term management of the wireless network more difficult.

Some vendors (e.g., Cisco and Lucent) have recently announced 'dynamic' WEP schemes that allocate keys on a per-user, per-session basis. However, these schemes are vendor-specific, so they won't interoperate with other vendors' client cards.

The industry is continuously working on newer and better encryption mechanisms and the hope is that at least one of these will emerge as a standard. When one does Webster University will adopt it as appropriate.
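An added example, not from the page, of one concrete WEP flaw that the discussion above and the WEP definition at the end of this page allude to. WEP encrypts each frame with RC4 keyed by a 24-bit per-frame IV prepended to the shared key. Because the IV space is so small it repeats on a busy network, and two frames encrypted under the same IV share a keystream: XOR-ing the two ciphertexts gives the XOR of the two plaintexts, and knowing one plaintext exposes the other. The key value, IV and frame contents below are constructed; the RC4 routine is a plain textbook implementation, and the code omits the CRC-32 integrity value and 802.11 framing that real WEP adds.

```python
"""Added example: keystream reuse in WEP when the 24-bit IV repeats.
Illustration only; not a complete WEP implementation and not from the page."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then one keystream byte XORed per data byte."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_key_from_hex(hexkey: str) -> bytes:
    """Accept the two user-entered key formats: 10 hex digits (40-bit) or 26 hex
    digits (104-bit, marketed as '128-bit' because the 24-bit IV is counted in)."""
    if len(hexkey) not in (10, 26):
        raise ValueError("WEP key must be 10 or 26 hex digits")
    return bytes.fromhex(hexkey)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key; the IV itself travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame1: bytes, known_plaintext1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV plus the plaintext of the first give the second's
    plaintext (as many bytes as the known plaintext covers), without the key."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        raise ValueError("frames use different IVs; their keystreams differ")
    keystream = xor(c1, known_plaintext1)  # ciphertext XOR plaintext = keystream
    return xor(c2, keystream)


def iv_space() -> int:
    """Number of distinct IVs: 2**24, so a busy AP exhausts them in hours."""
    return 2 ** 24


if __name__ == "__main__":
    key = wep_key_from_hex("0123456789ABCDEF0123456789")  # constructed 104-bit key
    iv = b"\x00\x00\x01"                                   # constructed; reuse is the point
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(key, iv, b"password=hunter2 for all")
    print(recover_with_known_plaintext(f1, b"GET /index.html HTTP/1.0", f2))
```

The recovery needs nothing more than a sniffer and a good guess at one frame's contents (protocol headers are highly predictable), and it works the same for the 40-bit and the 104-bit key. Re-issuing a new shared key whenever a device is lost, as the text describes, does not close this gap, because it is a property of how WEP uses its IV rather than of any particular key.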

In order to effect the wireless authentication and encryption, the following principles are being put into practice:

  • All wireless network access should utilize the enterprise authentication via Connections ID and the authorization and encryption mechanisms prescribed by IT.
  • The Webster University WLAN system will provide for this option during the initial user authentication process.

Performance

There is an unprecedented amount of research ongoing in the wireless industry today. New compression algorithms, protocols and modulation techniques promise to revolutionize wireless and allow speeds that rival wired systems. For now however, 802.11x technology is a shared bandwidth technology running at speeds at or even below those of 10 year old 1st generation shared Ethernet hubs. As such, advanced network applications that rely on appropriately configured switched electronic network architecture and/or high bandwidth will not effectively work in a wireless environment.

No wireless infrastructure will perform like a 100 Mbps switched wired network, and this becomes critical in classrooms for any serious amount of data transfer (especially multimedia applications). The idea that wireless equals wired in terms of performance, especially at the density of people and usage found in a classroom, is still a pipe dream. Capacity may not seem to be an issue when the experience is a home DSL connection or printing to a network printer, but that is not the same as an entire class attempting to watch a video or collaborate on data. If you plan on using computers in the classroom for more than sporadic access to the Internet, you need a wired infrastructure in the rooms. Many universities have learned this lesson and are now advocating and planning to rewire rooms that were thought to be "just fine" with wireless.

Some institutions bet the farm and opted for a wireless environment in an effort to avoid costly wiring strategies. These institutions are now undergoing the pain and expense of ripping out their wireless infrastructure and replacing it with a wired one. Wireless is currently a supplement for wired technology and while extremely useful and convenient for access to some applications, especially where mobility is required, it has some extreme limitations. The absolute worst application is in the classroom when large numbers of users desire to access the network simultaneously.

Wireless LANs therefore cannot be considered a replacement for a well-wired campus, since WLAN technology has not developed to the point of equaling the performance of a wired environment or of enabling advanced network applications. WLANs are best suited to applications or environments where mobility or untethered network connectivity is a major requirement, and where performance and security are less of a concern. Thus, wireless networks are viewed only as a supplement to Webster University's enterprise data network, allowing it to be accessed by general-purpose, security-insensitive applications in zones of transient public use.

Caveats to the Developing Webster Wireless Policy and Implementation

Some departments or units have already installed WLAN equipment (e.g., Apple AirPort base stations, Linksys, Belkin, D-Link, etc.). These wireless projects share no common goal or cooperative effort, yet they are connected to the campus network, the same infrastructure that supports university business, teaching and research. This lack of coordinated effort and of a university-wide standard for wireless technology is having a direct and negative effect on the campus wired network and network-attached resources, especially insofar as security is concerned.

Therefore, if any department/site installed equipment exists, Webster University through its central IT organization will claim the right of 'eminent domain' and ask that the local equipment be removed.

Note: Any local wireless equipment that is not connected to the Webster University wired enterprise network must still be registered with Networking and Technical Services for airspace control reasons but may not necessarily need to comply with component standards.

Wireless-Related Definitions

Access Point (AP)

The WLAN "base station" that provides the interface between Wireless User Devices and Webster University public wired data network

Advanced Network Applications

Any of a number of recently developed high value Information Technology applications such as those requiring IP Multicast, Quality of Service or substantial bandwidth for their operation, for example video, voice-over IP, and multimedia web browser access

Bluetooth

A short-range wireless data networking technology (standardized by IEEE as 802.15.1) operating in the 2.4 GHz unlicensed frequency band, designed to use less power over shorter ranges than the IEEE 802.11 WLAN technologies. It was designed to eliminate cabling on the desktop (e.g. a mouse or keyboard cable)

General Purpose Applications

Any of a number of legacy Information Technology applications such as email or low level web browsing not requiring advanced networking capabilities or high bandwidth for their operation

IEEE 802.11a/b/g

IEEE standards for wireless LAN connectivity: 802.11b and 802.11g operate in the 2.4 GHz band, 802.11a in the 5 GHz band. "802.11x" in this document refers to this family of standards collectively (it is not the 802.1X port-based authentication standard).

MAC Authentication

A method of providing User Authentication on WLANs by using the Media Access Control (MAC) address of the network interface card (NIC). When using MAC Authentication, a Wireless Device may not communicate with an Access Point unless the MAC address of the Wireless Device is first registered in a table contained in the AP. Because MAC addresses are transmitted in the clear and can be changed in software, this identifies a network card rather than a person and is easily bypassed by an attacker who copies an authorized address; it is an inventory control, not strong security.

Radio Frequency (RF)

A portion of the electromagnetic spectrum

Service Set Identifiers (SSID)

An identifier of up to 32 characters that names an IEEE 802.11 network; client devices use it to choose which network to join. Because it is broadcast (and can be learned from client traffic even when broadcasting is turned off), it is not an access control and provides no assurance that only authorized personnel reach the data network

Strong Security

A strategy by which a system limits uncontrolled access to use of the system and/or system data. Strong security encompasses the idea of user authentication, encryption, logging and auditing, and automated management and monitoring.

Wired Equivalent Privacy (WEP)

A method of encrypting data traversing the wireless network in an effort to secure the privacy of the data itself. There are two versions of WEP: 40-bit, which uses a key of ten hexadecimal characters, and so-called 128-bit, which uses a key of twenty-six hexadecimal characters (104 bits; the "128" counts the 24-bit per-frame initialization vector that is sent in the clear). WEP keys can be assigned in either a static or a dynamic manner.

Wireless LAN (WLAN)

An IEEE 802.11a/b/g based system consisting of Wireless User Devices and one or more Access Points that provide wireless based Ethernet connectivity to Webster University Public Wired Data Network

Wireless User Device

The end user system or device that accesses the WLAN for data communications purposes. This will normally be a computer or Personal Digital Assistant containing an appropriate wireless network interface card