Exposing and addressing wireless security concerns

Campus IT managers' emphasis on wireless security puts them at the head of the class.

They may be among the nation's "best and brightest," but the 700 students and 13,000 instructors, researchers, residents and interns at Harvard Medical School in Boston were creating a huge headache for its IT department.

Students, staff and faculty wanted to use wireless-enabled devices, be it to e-mail a friend on a lunch break or to download a journal article for a lecture. But nobody seemed to use the same platform or operating system. High turnover and a decentralized population made security that much tougher.

Pass the aspirin, please.

"This is a very demanding community. It's important we do the right things the right way," says Joe Bruno, associate dean for IT at the nation's No. 1 medical school. "That may sound like a simple statement, but, for sure, there's a lot involved in it."

Bruno is far from alone. All over the country, college campuses, large and small, are building WLANs to meet staff and student demand and stay competitive. Students and faculty want wireless as a learning tool, and guests coming to campus for conferences and other gatherings want wireless capabilities. This is forcing colleges to cobble together a secure solution to make sure potentially sensitive information is protected and only authorized users can get onto the new network--and gain access to the colleges' wire-based resources.

Universities are among those leading the charge to secure wireless networks.

"Educators usually are early adopters of technologies because they have a few advantages," says Patrick Rafter, director of communications for wireless security provider Bluesocket. "They don't have the strictures that conventional enterprises have, and they have a lot of free labor that can experiment with lots of things. They're also open to new ideas."

They also tend to be more open to attacks, since university networks must serve an ever-changing, sophisticated population that expects their wireless devices to work on campus with as few restrictions or hassles as possible.

"Students are, by nature, mischievous and far more technically apt than their elders," Rafter adds.

Therein lies the conundrum for college IT network and security officers and administrators. If you build it, they will hack it. That is, unless you figure in security from the get-go.

Several years ago, as demand for wireless connectivity grew among Harvard Med's students and faculty, Bruno was attuned to the dangers of WLAN-based intrusions and rogue users. "We recognized the need for security before we even deployed it. We never went live with a production wireless platform until we addressed the security issues," he says.

The IT department settled on a multitiered approach led by Bluesocket's Wireless LAN Gateway because of its ability to integrate nicely with Harvard Med's extensive LDAP directory and leverage multiple methods of authentication.

Because the hospitals associated with Harvard Medical School are run independently, compliance with the Health Insurance Portability and Accountability Act (HIPAA) wasn't an issue for Bruno and his staff.

The U.S. Military Academy at West Point, N.Y., on the other hand, must comply with federal security regulations. The academy is undergoing one of the nation's largest 802.11a deployments to secure its expansive wireless network. Because the military academy is run by the U.S. Department of the Army, West Point must ensure any wireless security solution meets encryption requirements under Federal Information Processing Standard 140-2.

By fall 2003, says Col. Donald Welch, associate dean for information and education technology, the entire 25,000-acre campus, which includes a large military training site, will be hooked up to a WLAN so that all 4,000 students and 760 faculty and staff members can access the campus network without plugging in their laptops.

To meet security requirements, the school settled on Cranite Systems' WirelessWall Software Suite, which uses AES instead of the more vulnerable Wired Equivalent Privacy (WEP). The solution also includes a policy server to help enforce security policies for devices and end users; an access controller to encrypt authorized traffic; and client software installed on mobile devices to encrypt data as it's transmitted.

That, from Welch's standpoint, fit the bill and has worked as planned so far. West Point's IT staff have another advantage over other colleges--standardization. At West Point, every one of the 1,000 incoming cadets is issued a laptop with wireless capabilities.

But it's not just about security, mandated or otherwise. Welch is sold on the dimension wireless adds to education.

"I remember from my college days just sitting there listening to professors drone on. We know this is not the best way to learn," Welch says. "If you can set up an environment where students are actively using their minds and providing real-time feedback to instructors, we can do a much better job transferring knowledge. We believe a wireless computing environment facilitates this kind of learning."

For example, in composition classes, students can write and then immediately post paragraphs to be critiqued on a big screen. "This, we believe, is better than the traditional lecture mode," Welch says.

VPNs are a popular security solution for colleges and other organizations. But they pose some problems for some universities, such as Texas A&M, which is having trouble getting end users on board.

"The biggest barrier to increased usage of wireless is the VPN," explains Marti Willis, the university's associate director for networks. "Installing it on a Microsoft operating system can be a pain. Those people that do it, use it all the time. But there's a little bit of a hump to get people to put the client on their boxes. That's the single biggest barrier right now."

Willis's IT department is steadily working toward establishing hundreds of access points along its growing WLAN. Last year, major academic buildings, large lecture halls and common areas, like dining halls, were rigged for wireless access. A RADIUS server provides authentication and the network itself is protected by a homegrown firewall.

The proliferation of wireless handheld devices has exacerbated the problem. These units have less capacity for CPU-intensive clients, such as compatible VPN software. "We're still working to find a server and solution we can recommend," says Ellen Martin, team leader of the network services group.

Those who are aware of the new security policy at Texas A&M comply--or at least try to, Martin adds. "Those that don't usually are cases where they're not aware of the policy. When they learn about the vulnerabilities [with unprotected WLANs], they are willing to work with us."

This was last published in April 2003
