Skip to body

CWU Service Desk

CWU Wireless Networking Strategy (cont...)

Encryption

The 802.11 standard requires products to support 40-bit Wired-Equivalent Privacy (WEP) encryption with static keys, operating at the datalink layer. Most vendors support 128-bit WEP. Unfortunately 40-bit WEP provides only minimal security and even static 128-WEP keys can be broken fairly easily with tools available on the Internet. For these reasons extensions to WEP have been devised by Cisco including dynamic key rotation, message integrity check (MIC) and the temporal key integrity protocol (TKIP). Features such as these are being incorporated into the future 802.11i wireless security standard and into products supporting the interim Wi-Fi Protected Access (WPA) specification. While awaiting a truly secure wireless architecture based on these new specifications many organizations are opting for IPSec encryption at the network layer as an alternative or complement to WEP.

CWU will initially encrypt the data stream via 128-bit rotating dynamic WEP keys. A unicast key is negotiated during the EAP authentication phase and then is renegotiated periodically based on the authentication timeout set by the RADIUS server. Access points will also be configured to rotate broadcast keys. While WEP can be broken, the amount of data required to do so is significant, making compromise unlikely if keys are rotated frequently. For additional protection, users always have the option to further secure traffic at layer 3 by establishing an IPSec tunnel to CWU's VPN concentrator. Static WEP will not be supported, as it is insecure and unmanageable.

As enhanced security features become available, they will be tested and implemented by ITS Networks.

Integration with the Dynamic Network Environment

The CWU network is divided into sectors, each containing a standardized set of VLANs. Though the network segments assigned to these VLANs vary from sector to sector, the VLAN name and number remain the same. This consistency ensures mobility for dynamic hosts. See http://netdb.cts.cwu.edu/dynanet-info.html for details (on-campus browsing only). This existing model will support the addition of VLANs for the wireless network. The VLANs wlan1, wlan2 and wlan3 will be defined for each sector, and network segments will be assigned to them. Initially these VLANs will be globally trunked with their routing handled at the core. This approach is necessary in order to support roaming of devices without loss of IP connectivity. In the future it is likely that a solution to the mobility problem such as proxy mobile IP will be implemented. In that case traffic will be segregated by defining the segments for the WLAN VLANs at each sector router and making the VLANs local to each sector.

Each sector has a native management VLAN where switches reside. For security reasons, the management interfaces of access points will not reside on this VLAN. A new wlanmgmt VLAN dedicated to this purpose will be created for each sector and access points will be homed there. This VLAN will be configured as the native VLAN for the connecting switch port. For security reasons wlan-mgmt will not be mapped to an SSID. This configuration inhibits a host from gaining Layer 2 connectivity to an access point via malicious configuration of its SSID. The access points support 802.1q VLAN trunking on their LAN interface, with the benefit that associated clients can reside on different network segments. Only the registration, wlan-mgmt and wlan[1-3] VLANs will be trunked.

In order to permit registration of a wireless device from the device itself, the SSID 'hostreg' will be defined and linked to the registration VLAN. The hostreg WLAN will be open and unencrypted, will not require MAC authentication, and will have its SSID broadcast. This will permit an unregistered device to associate with it and complete the registration process. As on the wired network, the registration interface will automatically detect the host's MAC address, eliminating transcription errors. Once registered the user must install the supplicant (if required) and wait until the next quarter hour before attempting connection to the production network.

On the wired network, a host is homed on a staff or lab segment based on its Ethernet address. On the wireless network the determination is made based on username. The RADIUS server examines the username and returns attributes to the access point instructing it to place the host on a specific VLAN. Faculty/staff will be placed on wlan1, while students will be placed on wlan2. wlan3 will be reserved for future use. With different classes of users homed on different network segments, access list can be configured on the router to restrict access to services.

Implementation

Implementation of the wireless network will be a multi-year cooperative effort among various groups within ITS and Facilities. Prioritization of buildings is being completed by the University Information Technology Advisory Committee (UITAC). The ultimate goal is to extend wireless coverage to as much of the campus as is technically and financially feasible, including exterior spaces. The project will be implemented in phases as funding is secured. Initial plans are to complete coverage in the Library, Science, Shaw-Smyser, Black, Music, Hebeler, Psychology and portions of the SUB and Bouillon by the end of 2004. Initial outside coverage will include the campus green and the Barge courtyard.

Project Standards

MAC:802.11g, 802.11a (limited deployment)
authentication:802.1x (EAP-TTLS/PAP implementation)
RADIUS:freeRADIUS running on redundant Linux servers (Open Source)
database:Oracle 8i running on Linux with Java interfaces
access point:

Cisco 1220 APs with b/g radio modules

These devices also have a spare slot where we can install a radios (or a different technology when it becomes available) should the need arise for greater bandwidth in specific cases such as Geology or Computer Science. High-gain external antennae for the b/g radios will be utilized where appropriate to provide wider coverage.

The 1220 access points use Power Over Ethernet (POE). We will be installing POE capable switches where funding permits and AP density warrants their use. Otherwise power injectors will be utilized. POE will save us the expense of running power to the devices and will permit us to cold start them remotely.

Since access points are typically installed in locations which are difficult to access, it is desirable to have serial port connectivity to the devices should network connectivity be lost and unrecoverable via a cold restart. Such access has the potential to save many hours in staff time by eliminating the necessity for site visits except in the case of hardware failure. An additional network cable will be run to each access point permitting serial access from the comm room. Depending on budget and AP density, terminal servers may be installed for remote access.

NIC:

WiFi compatible with 128-bit WEP support

Known to work well are Cisco, Linksys, Intel Centrino, Broadcom and Apple AirPort Extreme. For future security capabilities consider a WPA or 802.11i compatible NIC.

supplicant:

Funk Odyssey, integrated Apple OS X supplicant

Known to work but currently unsupported are SecureW2, Meetinghouse AEGIS, and the Dell TrueMobile integrated client.

                  << page 1