Home > Security News > Wireless security concerns shared at college campuses
Security News:
EMAIL THIS LICENSING & REPRINTS

Wireless security concerns shared at college campuses

By Bill Brenner, News Writer
23 Nov 2005 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

DURHAM, N.H. -- One day at the University of New Hampshire, Doug Green and Bryan Scovill were discussing ways to create secure wireless hotspots on campus. At one point they looked out the window and saw students congregating. That's when it occurred to them that the task was about more than stopping worms and data thieves.

"We thought about the students instant-messaging back and forth on where to meet and at what time," said Green, network manager for the UNH telecom department. "You don't want the bad guys to intercept those IM transmissions and know where those students are." They realized wireless security is also an extension of public safety -- a way to protect students from predators.

Security pain points
To date, their security procedures have been successful. But they always worry about the hidden security hole or the hacker who may be a few steps ahead of them.

"With a VPN and WPA, you can create a reasonable barrier to eavesdropping, man-in-the-middle attacks, evil twins, and so on," Green said. "But if someone really wants to do something criminal and they have the know-how and drive, they'll find a way and it won't make a difference if it's wired or wireless. We put a padlock on the door, but if you're smart enough, you can take a bolt-cutter or a torch to it."

To minimize the risk, the telecom department quarantines devices and checks them for vulnerabilities before they can access the network. It is also working to phase in technology based on the 802.1x standard, which supports stronger authentication methods. Most important, perhaps, is that Green and his colleagues are sticklers for teaching users to take care of themselves.

"Most users are satisfied not to worry about security," Green said. "We have to remind them. They are learning through their own suffering. Many have learned to patch their Microsoft machines. But there are those who still get Blaster and Sasser, worms and viruses for which there have been patches for over a year."

Wireless doesn't always mean convenience
Wireless access certainly makes life more convenient for students and faculty. If they are doing research in a lab or in the library, they can take their laptops with them without tripping over wires. But fewer wires don't mean more convenience for those who maintain the network. As Network Security Specialist Scovill put it, "One advantage for the IT department is that it lightens the cable load. That aside, expanding the wireless capability is a complex endeavor."

The main network runs through all or parts of 80 buildings across the campus and there are roughly 13,000 Ethernet connections [Green calls them Ethernet drops] -- half of which are in the resident halls. Physically, there are 20 buildings with wireless hotspots in portions of each -- 120 access points and growing, Green said.

"For wireless access you need to create an Ethernet drop, put the wiring in the ceiling and create the access point itself," Green said. The library and other departments pay $12.65 a month for those Ethernet drops. For students in the dorm rooms, the fee is built into the housing costs. "There is no line item in the UNH telecom budget for this," he said. "One way or another, it costs money to provide quality network service."

More on this series

UNWIRED: A look at four IT shops and the push for secure wireless networks

War drivers, evil twins and data hackers, be damned. Despite a variety of security threats, enterprises have launched ambitious plans to boost wireless capabilities. This series looks at what IT departments from four different business sectors are doing to minimize the security pain points and maximize workforce mobility and efficiency.

SERIES MENU
Day 1: Wireless security: Companies deal with software updates
Day 2: Wireless security crucial to railway safety
Day 3: Wireless security: Public Wi-Fi could open security holes
Day 4: A wireless threat to student safety
And while they strive for quality, a lot of things can get in the way of a strong wireless connection. "We use 802.11b, a, etc., and it's an unlicensed frequency band," Green said. "Microwave ovens, cell phones and other things can interfere with the network."

There are also rogue access points created when students try to activate their own wireless routers. That causes additional interference. "Faculty and staff do this, too," Green said. "It's strictly against our acceptable use policy. But until recently UNH did not have an alternative to offer those who wanted Wi-Fi. Now we do and we expect that users who participate will be good citizens."

Adding to the complexity of maintaining a wireless network, users sometimes misconfigure their laptops and they don't always understand that coverage varies from one part of a building to another. As a result, the help desk is a lot busier.

The push to phase out VPNs, phase in 802.1x
Then there are limits security places on the wireless network. In a perfect world, Green said they'd be using 802.1x. Right now, he said, "for authentication, you need an account and to use the VPN if you want to do more than surf the Web. We let out HTTP port 80 but there are no cleartext passwords, no FTP or Telnet -- those are firewalled off."

This won't be a problem forever, though, Green said. Using technology from Andover, Mass.-based Enterasys, the telecom department plans to start phasing out the VPNs and phasing in 802.1x. "We hope by April to gradually start the phase out of VPN," Green said.

The department is now using Enterasys Ethernet switches and the company's NetSight Atlas policy management software. "We have also written software to link IDS to Atlas to shut off ports, to our DHCP systems to withhold IP address leases; and to our firewalls to block off-campus IPs that exhibit hostile traffic signatures," Green said.

These tools have made a difference, he said. When the department's IDS was first brought online to detect hostile traffic from the outside about two years ago, there were 7,000 hits a week. Now, Green said it's about 1,000 a week.

The art of 'self remediation'
Green said the department's biggest weapon against online threats is education. "People in the IT business must remember: To users, technology is a means to an end and it's a lot of work to update security. Helping users help themselves is the big challenge."

To meet the challenge, the network is set up to force users into patching their machines against security holes, Scovill said. "When we see a new address [accessing the network] they have to register," he said. "Then their machine is checked for vulnerabilities. If they're not patched against specific flaws or if their passwords are weak, they are quarantined and the user is guided to the security measures they need."

The buzzword the department uses to describe this process is "self remediation," Green said. And it doesn't end the first time someone is cleared to access the network. There's intrusion detection at every point on the network and it's tied into the quarantine system. If a computer is infected, Green said it will transmit hostile traffic like network probes and "phone-home attempts." The IDS picks up on it and the computer is sent back to quarantine.

"Then the user has to open his or her browser and they're guided through the process of self remediation," Green said.

Meanwhile, Scovill said, every machine is checked for flaws once a day while they are on the network. If one is found, the user is sent an automated e-mail describing what they must do to fix the problem. If the user takes no action after a week, they're removed from the network.

"This is the process, wireless or not," he said.

Despite the security challenges wireless presents, there is an upside, Green and Scovill said: It's a newer technology coming of age in an atmosphere where security is a much bigger deal.

"Ten years ago security wasn't a factor," Green said. When people are using the programs and devices that have been around that long, they're not as inclined to worry about security. But, he said, "Since Wi-Fi is newer, you can teach people to be more aware of security from the beginning."



Sound Off! -   Be the first to post a message to Sound Off!


Tags: Wireless Protocols and StandardsWireless Access ControlWireless LAN ArchitectureWindows XP and Server SecurityVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts