The most significant and most difficult issue in wireless networking is security. The current 802.11 wireless network standards do not include authentication of devices and users. In the absence of a standard, companies in the wireless networking industry have adopted the 802.1X protocol as an authentication framework for “wired and wireless Ethernet” (802.11) networks. The 802.1X protocol allows vendors to choose an authentication algorithm to implement in their products. However, this also leads to compatibility issues between vendor specific hardware.
Wireless communication networks use radio frequency (RF) transmissions to transport voice, video and data signals from wireless-enabled end-user devices through a wireless access point (WAP) that is physically connected to the ETSU campus network. A Wireless Network, for the purposes of this document, thus may be defined as a network that is ultimately connected to the wired Ethernet network of ETSU.
When a WAP is connected to a wired network and to a set of wireless stations, it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnet in the wireless local area network (WLAN). Most WLANs operate in infrastructure mode, in which wireless devices can communicate with each other or with a wired network and gain access to network resources such as file servers, printers, etc.
A broadcast Service Set Identifier (SSID) enables a user machine to identify the wireless networks present in an area. The SSID is a unique identifier attached to the header of packets sent over a WLAN that acts as a password when a device tries to connect to a specific WLAN. A device is not permitted to join the BSS unless it can provide the unique SSID. However, since the SSID is transmitted in plain text, it can be easily sniffed over a wireless network, thus drastically limiting the security it may provide to the WLAN. Wired Equivalent Privacy (WEP) keys may be employed to encrypt data transmitted over radio waves so that it is protected as it is broadcast between devices and/or network points. However, WEP does not present a very secure solution, as it is used only at the data link and physical layers of the Open Systems Interconnection (OSI) model. These are the two lowest layers of this model and therefore do not offer end-to-end security.
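As an added illustration of why a broadcast SSID cannot act as a secret, and of the kind of beacon check an OIT WLAN monitor might run (example code written for this page, not ETSU's or any vendor's tooling): it decodes the SSID, BSSID and capability bits from raw 802.11 beacon frames and flags access points that are not on an assumed list of OIT-managed BSSIDs, ad hoc (IBSS) cells, and beacons advertising no link-layer privacy. The frames, BSSIDs and SSIDs are constructed here, not captured.

```python
"""Decode 802.11 beacon frames and flag access points a campus WLAN
monitor should review.  Sample frames below are constructed, not captured."""
import struct

IE_SSID = 0            # information element tag carrying the SSID
CAP_ESS = 0x0001       # capability bit: infrastructure BSS
CAP_IBSS = 0x0002      # capability bit: ad hoc (independent) BSS
CAP_PRIVACY = 0x0010   # capability bit: data frames are encrypted (WEP here)
MGMT_HDR_LEN = 24      # frame control + duration + 3 addresses + sequence control
FIXED_LEN = 12         # timestamp (8) + beacon interval (2) + capability (2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes):
    """Return a dict for a well-formed beacon, else None.  The SSID is read
    straight out of the cleartext frame body, which is why it is no secret."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    # Frame control byte 0: bits 2-3 type (0 = management), bits 4-7 subtype (8 = beacon)
    if frame[0] & 0xFC != 0x80:
        return None
    capability, = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    info = {"bssid": mac_str(frame[16:22]), "ssid": None,
            "ibss": bool(capability & CAP_IBSS),
            "privacy": bool(capability & CAP_PRIVACY)}
    # Walk the tagged elements: 1-byte tag, 1-byte length, data
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:        # truncated element: stop rather than misread
            break
        if tag == IE_SSID:
            info["ssid"] = data.decode("utf-8", errors="replace")
        pos += 2 + length
    return info


def audit_beacons(frames, managed_bssids):
    """Apply the policy checks to every beacon; returns (bssid, ssid, issues) tuples."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b is None:
            continue
        issues = []
        if b["ibss"]:
            issues.append("ad hoc (IBSS) network")
        if b["bssid"] not in managed_bssids:
            issues.append("BSSID not OIT-managed")
        if not b["privacy"]:
            issues.append("no link-layer encryption advertised")
        findings.append((b["bssid"], b["ssid"], issues))
    return findings


def build_beacon(bssid: bytes, ssid: bytes, capability: int) -> bytes:
    """Assemble a minimal beacon; used only to construct the sample data."""
    header = (struct.pack("<HH", 0x0080, 0)   # frame control = beacon, duration 0
              + b"\xff" * 6                   # DA: broadcast
              + bssid + bssid                 # SA and BSSID
              + struct.pack("<H", 0))         # sequence control
    body = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, capability
    return header + body + bytes([IE_SSID, len(ssid)]) + ssid


# Constructed sample traffic: a managed AP, an unregistered home router, an ad hoc cell.
MANAGED_BSSIDS = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), b"ETSU", CAP_ESS | CAP_PRIVACY),
    build_beacon(bytes.fromhex("0a0b0c0d0e0f"), b"linksys", CAP_ESS),
    build_beacon(bytes.fromhex("020000aabbcc"), b"dorm-share", CAP_IBSS | CAP_PRIVACY),
]

if __name__ == "__main__":
    for bssid, ssid, issues in audit_beacons(SAMPLE_FRAMES, MANAGED_BSSIDS):
        print(f"{bssid}  {ssid!r:14} {'; '.join(issues) or 'ok'}")
```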
A major difference between security associated with a wired network and a wireless network is the accessibility of the network outside of controlled environments. A wired network jack requires physical proximity for access, hence increasing the types of security protocols that may be available for implementation. A wireless network, in contrast, allows access without those physical limitations, thus requiring a different design for security concerns. A trusted wired network user may not enjoy the same access privileges on a wireless network, just because they are in an open environment. Some of the issues discussed by this group include:
Who may be deemed a trusted user?
How to deal with vendors and demos and other short-term users?
How to deal with user operated routers and DHCP servers, and multi-port hubs?
Figure 1. Network and data-flow schematic
Security in wireless networks may be classified into three major areas: device authentication, user authentication, and transactional security. This document addresses all three areas in the context of internal and external threat mitigation, as well as identification, authentication and privacy issues. As the above diagram illustrates, the wireless network cloud extends beyond the physical proximity of the wireless-networked machines. This introduces the possibility of an intruder making unauthorized use of the wireless network either to mount attacks on the wired network or to gain unauthorized access to the Internet, while circumventing the security blanket of the firewalls. The green arrows depict the desired traffic flow, while the red arrows illustrate data pathways that would put the security of the ETSU LAN and WLAN at risk. It is therefore necessary to prevent all non-authenticated users and machines from using the networks. Further, since a wireless environment does not give the data packets traveling between machines the physical confines of a wired network, it leaves these packets vulnerable to snooping by intruders or hackers. Hence, the need for transactional security is paramount in a wireless environment. Transactional security has been addressed in WLAN designs by using the same approach as in the wired environment: Secure Shell (SSH) for telnet and ftp, Secure Sockets Layer (SSL) for http, and Virtual Private Network (VPN) for remote access. The overall system security and deployment design depends upon these contributing factors.
The current standards use the SSID for network identification and recommend using the WEP key as a password for devices wanting to join a network. However, in the practical world, the SSID can be sniffed and the WEP key can easily be passed from person to unauthorized person. The current 802.11 wireless network standards do not accommodate generation of dynamic WEP keys for each user as these standards do not include authentication of devices and users. It is expected that the 802.11p, now under consideration by IEEE will address this issue. In the absence of a standard, companies in the wireless networking industry have adopted the 802.1X protocol as an authentication framework for “wireless Ethernet” (802.11) networks. The 802.1X protocol allows vendors to choose an authentication algorithm to implement in their products. However, this also leads to compatibility issues between vendors.
Authentication algorithms are, in turn, based on another protocol called Extensible Authentication Protocol (EAP) that was originally created for use with dial-up networks.1 There are two dominant EAP protocols: Cisco’s LEAP (Lightweight Extensible Authentication Protocol) and Microsoft’s PEAP (Protected Extensible Authentication Protocol).
Cisco Systems’ implementation of EAP is called LEAP:
“Cisco LEAP (Lightweight Extensible Authentication Protocol), also known as Cisco-Wireless EAP, provides username/password-based authentication between a wireless client and a [Remote Authentication Dial-In User Service] RADIUS server … In the 802.1X framework, a LAN station cannot pass traffic through an Ethernet hub or WLAN access point until it successfully authenticates itself. The station must identify itself and prove that it is an authorized user before it is actually allowed to use the LAN.”2
Microsoft’s implementation of EAP is called PEAP:
A protocol proposed by Microsoft, Cisco and RSA Security for securely transporting authentication data, including passwords, over 802.11 wireless networks. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.
TTLS and PEAP work within the framework of the broad-based IEEE 802.11 wireless LAN standard for authentication known as 802.1X. PEAP and TTLS each use Transport Layer Security - which is often described as a better Secure Sockets Layer - to set up an end-to-end tunnel to transfer the user's credentials, such as a password, without having to use a certificate on the client.
This document addresses wireless networking security challenges by recommending a set of technical solutions in conjunction with a set of policies that take into consideration the ETSU environment, needs and capabilities. When needed, ETSU’s OIT department can use other forms of wireless security, such as WEP or WPA, if LEAP or PEAP cannot be used or if other authentication methods are more secure.
Purpose
For the purposes of this document a wireless network is defined as a radio frequency network that is ultimately connected to ETSU’s wired Ethernet network and as such is to be considered an infrastructure extension of ETSU’s wired network. Further, all wireless devices that ultimately utilize the wired network for connectivity are covered by this document. Wireless devices such as Cell Phones and Pagers are out of the purview of this document, as they do not access the ETSU wired Ethernet networks. However, PDAs are covered along with the wireless networked computers.
Wireless networks extend the reach of the campus network to locations where it is impractical or impossible to provide a physical wired connection. The primary purpose of wireless networking on ETSU campuses is to allow ETSU students, faculty and staff to access e-mail, browse the Internet, do course work, and access networked information resources from anywhere in or near academic buildings without needing a fixed physical network connection (i.e., a cable plugged in to a network jack). However, the configuration, installation, and use of wireless access points could, if unmanaged, disrupt network performance and compromise the overall security and integrity of networked information resources. This policy regulates the configuration, installation, management, and support of wireless communication networks and devices at ETSU.
1. Scope
This policy applies to all users and all wireless networks and devices both within and outside academic and residential buildings on ETSU’s main campus, the College of Medicine campus, and any extended campus sites where the wireless access points (WAPs) providing service may be connected to the ETSU campus network or ETSU supported networks. This policy requires all such devices and users to adhere to the rules, regulations and policies concerning security and prevention of interference.
The Office of Information Technology (OIT) is responsible for the configuration, installation, management, and support of the wired network. Since the campus wireless networking environment is an extension of the wired campus network, OIT will assume the same responsibilities for its configuration, installation, management, and support.
2. Policy
The policies presented in this document are to be considered in conjunction with the various computer use policies and the Code of Ethics already in place at ETSU.
2.1 Assumptions
The following assumptions are declared for the purposes of this document:
2.2 Usage Policies
The sponsorship forms will record information about the wireless device to be registered, including the media access control (MAC) address of the network interface; the identity of the non-ETSU person seeking to register the wireless device; a brief statement describing the need and duration for wireless access; and the identity of the verified current ETSU user sponsoring the non-ETSU registrant. Official forms of picture identification will be required from both the sponsor and the sponsored.
2.3 Configuration Policies
2.3.1 Zones
2.3.2 Standards
The current ETSU campus network environment for end-user connections is 10/100 Mbps switched Ethernet. The standard for the wireless network environment will be “wireless Ethernet”, Wi-Fi, IEEE 802.11a/b/g. Wireless equipment currently recommended and installed by OIT uses the FCC unlicensed 2.4 GHz Industrial/Scientific/Medical (ISM) band and transmissions within this band conform to the IEEE 802.11b/g DSSS (Direct Sequence Spread Spectrum) wireless LAN specification.
When feasible and cost-effective, OIT will recommend and install wireless equipment that uses the same 2.4 GHz band and transmissions but that conforms to the IEEE 802.11g OFDM (Orthogonal Frequency Division Multiplexing) specification. 802.11g is fully backward compatible with 802.11a/b/g.
Wireless equipment that uses the FCC 5.0 GHz Unlicensed National Information Infrastructure (U-NII) band with transmissions conforming to the IEEE 802.11a OFDM (Orthogonal Frequency Division Multiplexing) wireless LAN specification is not currently being recommended or installed by OIT but may be considered when it becomes feasible and cost-effective.
OIT will monitor wireless technology developments and standards and recommend changes to the supported standard through the existing campus IT governance structure. Recommendations for change will include a plan and budget to migrate existing equipment to the new standard.
2.3.3 Authentication and Security
2.3.3.1 Device Authentication
2.3.3.2 User Authentication
Every prospective user of the ETSU WLAN, using a registered wireless device, must be registered as a user before they can use the ETSU WLAN. Each registered user will be authenticated at the beginning of each WLAN session. This process will be similar to that used now to log on to the ETSU domain using wired computers on the ETSU LAN.
2.3.3.3 Packet Security or Transaction Security
Transaction security in the wireless networking environment would require the same approach as in the wired environment: Secure Shell (SSH) for telnet and ftp, Secure Sockets Layer (SSL) for http, and Virtual Private Network (VPN) for remote access.
2.3.4 Infrastructure
2.3.4.1 Cisco Devices
ETSU has made a substantial investment in wired campus network infrastructure that consists of equipment (switches, routers, etc.) and software from Cisco Systems, including a RADIUS server. Maintaining compatibility with existing infrastructure would help minimize the costs associated with wireless network implementation, operation, management, and support. Relatively higher initial hardware acquisition cost would be offset by lower operation, management, and support costs. For this reason, LEAP and PEAP supported wireless networking hardware for the ETSU WLAN (network cards and access points) is recommended.
2.3.4.2 Purchase and Installation of Wireless Access Points and Rules
Only OIT may install wireless access points (WAPs). Since WAPs in the wireless network are comparable to switches in the wired network, they are defined as part of network infrastructure for purposes of this policy and as such are to be managed by OIT. Department funds may be used to purchase WAPs through budget transfers to OIT with the equipment entered into OIT inventory.
2.3.4.3 Network Address Translation
No wireless devices that allow unsecured Network Address Translation (NAT), such as wireless routers or gateways, will be allowed to connect to the wired or wireless network. Internal IP addresses of the form 192.168.x.x will be blocked at the switches. This includes all academic and residential buildings along with all ETSU remote sites. If deviations are needed, prior authorization is required by OIT.
2.3.4.4 Previously Installed Devices
OIT must be notified of any previously installed WAPs being used by departments, faculty or staff via the “Computer Account Request Form”. A determination will be made as to whether or not the WAP can be made to use 802.1X security. Devices that do not or cannot be made to use 802.1X security will be removed from the network after the allotted time period. It will be the responsibility of the department to purchase a compatible WAP that supports 802.1X. All departmental and other non-OIT-managed WAPs will need to be removed upon the installation of ETSU’s OIT-managed WLAN.
2.3.5 Interference
Other wireless devices exist in the marketplace that also employ the 2.4 GHz frequency band and can cause interference to users of the ETSU wireless networking environment. These devices include, but are not limited to, other IEEE 802.11a/b/g wireless LAN devices, Bluetooth enabled devices, 2.4 GHz cordless telephones, wireless printers, cameras, and microwaves.
To ensure the highest level of service to users of the ETSU wireless networking environment, OIT requests cooperation from all members of the campus community to minimize the potential interference from other wireless devices. OIT reserves the right to request that departments move, remove, reconfigure or shield devices that interfere with users’ access to the ETSU wireless network. Upon the installation of ETSU's wireless network in a given area, all existing wireless devices that have an output power greater than 3 milliwatts, operate in the 2.4 GHz or the 5.0 GHz range and are not OIT managed are to be removed or reconfigured to adhere to ETSU’s wireless standards. Some exceptions will be made for device interference caused by microwaves and for special requests.
Cordless phones that use 2.4 GHz are not permitted for use on campus in the academic or residential buildings or at any of the remote sites. Cordless phones operating in this frequency band cause direct interference with the wireless network and make the wireless network unusable. If ETSU faculty, staff or students require a cordless phone, OIT recommends 900 MHz cordless phones because they do not interfere with the frequency range of the ETSU WLAN. Currently, 5.8 GHz cordless phones do not interfere with ETSU’s existing WLAN, but may as the standards evolve. All wireless standards will be updated periodically at the following website: http://www.etsu.edu/oit/standards/Standards_WirelessHardware.aspx
If there are cordless phones or ad hoc or peer-to-peer WAPs in the prohibited frequency range, OIT will attempt to notify the user in writing and ask them to remove the device. If the device is not removed within 24 hours, OIT will take the necessary actions to stop the interference from the device.
When a non-conforming device is being used for a teaching or research application, OIT will work with faculty to determine whether alternatives exist or the device can be accommodated without causing major interference to other ETSU wireless users after the “Computer Account Request Form” has been received.
Although student housing networks are not part of the OIT-maintained ETSU wired networks, student housing wireless networks will become part of ETSU’s OIT-managed network in the fall of 2007. Beginning in the fall of 2007, OIT will reserve the right to remove any wireless device attached to the student housing networks that causes interference or disruption to the ETSU WLAN. In the interim, when interference or disruption to the ETSU WLAN is found in student housing, OIT will work with Housing and the students to educate them and help them remove or reconfigure the device causing the interference.
2.4 Security Policies
2.5 Monitoring Policies
To maintain a viable WLAN network and a credible security environment, now and in the future, several types of monitoring are recommended.
2.5.1 Wired-side Network Scanning
Wired-side network scanning can assist in:
2.5.2 WLAN Monitoring
WLAN monitoring by OIT is necessary to:
2.5.3 Technology Monitoring
Since WLAN technologies are changing rapidly, OIT must monitor technology developments and the technology marketplace to:
2.6 Performance Policies
Once a request for a WAP has been initiated by a department, OIT will conduct data traffic surveys to establish competent zones for the placement of the WAP. These surveys will take into consideration overlap zones, number of users, signal strength, antenna types, connection speed, interference issues etc. Once a WAP is established and marked on the campus master map, OIT will be responsible for performance issues related to that WAP. OIT may alter the position, capacity or configuration of the WAP to accommodate performance factors. Departments or users may not move, alter or reconfigure established WAPs.
OIT may monitor data traffic patterns, WAPs in a particular geographical area and other networking resources to establish need and delivery ratios for performance analysis in certain areas. Such data may be used to support decisions in regards to requests for upgrading of WAPs in an area due to performance issues.
OIT will also monitor emerging technologies and products in the wireless networking arena to enhance performance of the WLAN at an infrastructure level. Upgrading and/or replacement of WAPs to accommodate new technologies will be dictated by the upgrade/replacement schedules that OIT works out on an annual basis.
2.7 Support and Maintenance Policies
OIT will maintain all WAPs registered and associated with the ETSU WLAN that are deemed network essentials. WAPs that were installed using departmental or faculty research/grant funds to provide essential networking services or environments will be maintained by OIT after the appropriate “Computer Account Request Form” is completed and submitted to OIT. However, WAPs installed as part of Ad hoc networking test-beds or research projects will not be maintained by OIT, even though these WAPs would still need to be approved by OIT and registered for operation.
2.8 Upgrade Policies
Treating the WLAN as an infrastructure resource, just as the wired network components are, OIT will assume the responsibility for determining an upgrade and/or replacement schedule for the WLAN components that are registered with it that are deemed essential to maintain a network presence.
2.9 Privacy Policies
Both ETSU and non-ETSU users either registering devices or as users will be informed at the beginning of the registration process of the information being collected and the obligations of ETSU vis-à-vis requests by law enforcement and courts to supply this information under certain conditions. Registration will only be completed after acknowledgement and acceptance of these policies by the registrant.
2.9.1 Information Collection
ETSU’s Information Technology Code of Ethics governs electronic records including monitoring, inspection, disclosure, and enforcement. Records pertaining to the WLAN would also be covered by this policy. Also, to better protect the ETSU WLAN environment, certain information will be collected on both the devices in this environment and the people using this environment. This collection may include, but is not limited to:
2.9.2 Information Retention
The ITGC and university administration will review the recommendations presented here by the working group and establish the Information Retention Schedules for OIT to follow and administer. The working group recommends the following:
It is also recommended that this section be reviewed by the University Counsel for compliance with any legal requirements that may exist and revised accordingly.
2.10 Policy Review
OIT will review this document and all the associated policies annually and suggest changes or recommendations to ITGC for review each year. ITGC approved changes will be incorporated into the revised policy document each year.
3. Time Table and Implementation Priorities
It is anticipated that the university will review and adopt these policies so that they become effective on July 1, 2004. At that time, all departments currently using existing WAPs will need to complete the “Computer Account Request Form” and submit it to OIT. OIT will assess the WAP’s use and whether it uses LEAP or PEAP authentication and then make a recommendation on whether the WAP can continue to be used on the University network. In the meantime, OIT should begin to assess the existing infrastructure’s ability to support device and user authentication and network monitoring, gather data on existing WLAN installations, and develop the procedures, forms, and expertise that would be necessary to begin supporting WLAN implementation in FY2004-2005. It can also start work on the development of databases, authentication systems and monitoring systems.
ETSU WLAN deployment will be prioritized based upon need and available resources in OIT. Augmenting or extending the wired network with the WLAN in areas where WLAN would be more cost-effective should be a high priority. A major constraint on WLAN deployment is whether or not the network switches present in the area where WLAN is to be deployed are capable of supporting the Cisco LEAP protocol. For areas that have switches that do not support this, the WLAN deployment may depend upon when OIT is able to afford to upgrade those switches. Departments that wish to have expedited WLAN deployment may be able to expedite these initiatives through fund transfers to OIT to acquire the necessary hardware.
Although WLAN deployment is intended to augment and not replace the wired networks, there may be cost savings associated with WLANs in areas where wired network maintenance and upgrades are exorbitantly expensive. In many cases WLAN implementation may actually be cheaper than providing Ethernet drops in those locations. It is recommended that OIT begin offering WLAN connections as an alternative to wired network connections when feasible and cost-effective.
In general, OIT will identify areas for WLAN deployment based upon their evaluations and recommendations from department Chairs and university administrators. These will then be prioritized based upon a combination of need, cost factors, resources available, existing infrastructure and benefit impact areas. Initiatives fully funded by departmental or grant funds will be afforded top priority. OIT’s priority list of WLAN projects for FY2004-2005 should be presented to ITGC in January 2004 to allow for inclusion in strategic and budget planning processes for FY2004-2005. Annual plans should follow the same schedule thereafter.
3.1 Infrastructure
Certain infrastructure resources need to be established before a comprehensive effort to regulate wireless networks on ETSU campus can be attempted. Some of the infrastructure needs include:
3.1.1 Current Infrastructure Analysis
OIT will need to:
3.1.2 Essential Development
Following are some of the development activities that need to be conducted by OIT before a coherent WLAN plan can be implemented:
3.2 Roles and Responsibilities
3.2.1 OIT will:
3.2.2 ETSU Departments through their Department Chair will:
3.3 Costs
There are numerous “infrastructure” costs associated with the implementation of the technical plans and policies mentioned in this document. It is strongly recommended that OIT analyze this document from the perspective of implementation and prepare a cost analysis including One-Time costs and recurring costs for a three-year period. Some costs factors identified by the working group include:
A final comment: As mentioned earlier, although WLAN deployment is intended to augment rather than replace the wired networks, there may be cost savings associated with this plan, especially in areas where wired network maintenance and upgrades are exorbitantly expensive for other reasons. WLAN may be a much cheaper solution for some of those problems. In many cases WLAN implementation may actually be cheaper than providing Ethernet drops in those locations. The overall maintenance cost may be lower for wireless.
4. References
1 “Under the Hood: Wireless Authentication,” Cisco Packet™ Magazine-Online Exclusive Archive-April 2002; available from http://www.cisco.com/warp/public/784/packet/exclusive/apr02.html ; Internet; accessed 7 November 2003.
2 Phifer, Lisa. “Cisco LEAP (Lightweight Extensible Authentication Protocol),” SearchDomino (12 August 2002); available from http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci843996,00.html ; Internet; accessed 7 November 2003.