Published on June 19, 2007
Armed and Untethered: Wireless Security on Campus
April 18, 2007
Marilyn Hay, Manager, Network Management Centre, UBC Information Technology

UBC Wireless Network - Background
- Basic component in 2001 of the University Networking Program (UNP) and E-Strategy
- RFP completed to choose vendor and integrator
- Initial scope completed in 2 years, on time and within budget; 20% of the $30.6M wired network capital project
- Installation of 1200 IEEE 802.11b Cisco 1131 APs and 200 distribution switches in 150+ buildings, covering 600 acres
- Fiber, gigabit Ethernet core network (4x 4507, 2x 6509)
- Wireless authentication gateway/routers (4x Colubris CN3500)
- RADIUS authentication servers (2x Linux servers running Radiator)
- AP manager platform (Cisco WLSE)
- Wireless network management systems (2x Linux servers with WNMS, syslog, DHCP)
- Website: wireless.ubc.ca
- Upgrade in 2004 to support newer radios: 1400 Cisco AP1200 supporting IEEE 802.11g

Wireless Network - Current State
- Upgrade completed in 2006 to 'Next Generation' Cisco Airespace
- Technology shift to smart central controllers rather than intelligent APs
- Agreement with Cisco to install appliance controllers (4x 4404 controllers) with transition to 6509 Wireless Service Modules (WiSM)
- 8 WiSM blades in production in a failover configuration: equals 16 controllers, each controller supporting 150 APs; each WiSM blade is capable of supporting up to 300 APs
- New software management tools for large installations: AirMagnet (RF surveyor and management); Cisco WCS (entire network monitoring, AP stats, user stats); AirWave Enterprise (much like WCS but offers more flexibility)
- Authentication systems upgraded to address the number of users: 2x Colubris CN5500 for UBCV, 2x CN3500 at UBCO, CN3500 at VGH
- SSIDs in use: ubc, ubcsecure, ubcdevice, telephony, FatPort, eduroam
- Coverage: Point Grey, Robson Square, Kelowna (UBCO), VGH & DHCC (through partnership with Vancouver Coastal Health Authority)

Wireless Network Services Overview

Lessons Learned
Utilization
- High user adoption: 1,400 unique users/day in 2003 to nearly 10,000 in March 2007
- Challenging for management tools: time to push out config changes, database size
SSID: ubc (open)
- WEP authentication not offered: it gives a false sense of security and is cracked in a few minutes
- Open authentication to UBC LDAP services (Campus Wide Login, CWL) through an SSL-encrypted portal
- Easier to use for most users; 80% default to Windows wireless networking
- No security or encryption between client and AP
- Users are informed on the portal to use encryption for their applications (UBC VPN service, ssh)
- Website documentation provided on ubcsecure
SSID: ubcsecure (802.1X, WPA, TKIP, PEAP)
- Slow adoption: more setup steps needed by the PC user
- No third-party client supplicants or installations; these are not supportable
- Application security is still needed
- Early Windows Vista incompatibilities; may be fixed by a Radiator 3.17 upgrade

Security Success Factors and Issues
Physical security of APs
- Generally APs are hidden from view or locked in enclosures
- Management software helps to alert on missing APs
RF management
- UBC RF Policy in place; necessary to enable effective policies for interference and rogue APs
- Enforcement is difficult
- Housing areas are generally not covered with wireless: too much interference from other devices
Management software
- Required for AP management
Campus IT Security and Appropriate Use Policies
Dedicated implementation and operational teams
- Regular service meetings with all support areas
FatPort pilot project
- Extending secure network access for the UBC community
- Removes the need to provide guest/conference UBC accounts and billing

Future
Extending coverage - campus
- Mesh technologies being explored, mainly for outdoor and small remote sites
- Roaming capabilities to be maintained
Extending coverage - off campus: eduroam project
- Confederation policies between participating organizations required
Increase ubcsecure use
- Awareness campaigns needed on the value of security
- Newer client OSes are helping to make this easier
RF telephony deployments
- Possibly increasing the deployment of Wi-Fi phones
- Waiting for 3-way and 4-way phones (cellular/802.11b/g/a)
Funding
- Presently there are no client costs; further central funding needs to be secured
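The deck attributes ubcsecure's slow uptake to the extra client setup steps, lists increasing ubcsecure use as a future goal, and notes that rogue-AP policy is hard to enforce. As an added illustration, not a configuration published by UBC or part of the original slides, the wpa_supplicant network block below shows what a client profile for an SSID configured like ubcsecure (WPA, TKIP, 802.1X with PEAP) looks like, and which lines carry the security weight: without server-certificate validation (`ca_cert` plus `subject_match`/`domain_match`) a supplicant will complete the PEAP handshake with any AP advertising the SSID, handing the inner MSCHAPv2 challenge/response for the user's CWL account to a rogue AP running its own RADIUS server. The CA file path, the RADIUS server name, the inner EAP method and the account names are assumptions.

```ini
# Added example: wpa_supplicant.conf network block for a WPA/TKIP/802.1X/PEAP SSID
# such as ubcsecure. Illustrative only; not UBC's published client setup.
network={
    ssid="ubcsecure"
    scan_ssid=1
    proto=WPA                 # WPA with TKIP, as listed on the slide
    key_mgmt=WPA-EAP          # 802.1X/EAP authentication, not a pre-shared key
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    phase1="peapver=0 peaplabel=0"      # PEAPv0, the variant Windows clients speak
    phase2="auth=MSCHAPV2"              # assumed inner method; PEAP is usually paired with MSCHAPv2
    identity="cwl-username"             # assumed: the user's CWL account name
    password="cwl-password"

    # Server-certificate validation. Without ca_cert the supplicant accepts any
    # certificate, so a rogue AP with its own RADIUS server can harvest the
    # MSCHAPv2 exchange and crack the CWL password offline.
    ca_cert="/etc/ssl/certs/ubc-radius-ca.pem"        # assumed path to the CA that signed the RADIUS cert
    subject_match="/CN=radius.example.ubc.ca"         # assumed server name; newer wpa_supplicant: domain_match="radius.example.ubc.ca"
}
```

The same two checks exist in the Windows built-in supplicant as "Validate server certificate" and the trusted root CA / server-name fields; a profile that leaves them unchecked is the PEAP mistake that awareness campaigns for ubcsecure should target, because the unencrypted open SSID is at least honest about offering no protection.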