Establishing a secured wireless network is a big job at Texas A&M University, one of North America's largest campuses. In true Lone Star style, a team of network engineers is roping in rogue installations and corralling campus users within a public access wireless LAN (WLAN) on the school's 120 acres in College Station.
"Wireless networking is a neat technology, and there are several areas -- like the dining halls, the library, the student center, large classrooms -- where it would be a good solution," explains Willis Marti, the university's associate director for networks. "Even though it was not -- and is not -- truly ready for prime time, people were deploying it. We stepped in to provide a workable solution now and get access coordinated."
Providing wireless access is a strong recruitment tool at campuses competing for top-notch students, faculty and prestigious conferences. Students like being able to check e-mail or exchange files while snacking at the student center. Professors can use Web-based instructional exercises in large lecture halls, not just small computer labs. And wireless access is a draw for conferences that generate revenue and free publicity.
In an Information Security poll on wireless security, nearly 73 percent of respondents from the educational field said that laptops have wireless access to their networks, well above the percentages for industry and government.
But that rate of WLAN adoption also puts a tremendous burden on network admins to ensure sensitive data remains safe, prevent casual eavesdropping and keep out rogue users. Universities in particular have a problem with unauthorized users, because their network systems tend to be more open and accessible than corporate environments.
Texas A&M is no exception. Although there haven't been any signs of war driving, "I'm sure it's there," Marti says.
Intruder sniffing threatens a lot of sensitive data, adds Ellen Mitchell, team leader of the network services group. This includes not only proprietary or exclusive research data, but also course grades and student information, which are protected under federal law.
The team has implemented a wireless VPN, primarily because it already had a wired version for cable modem users and dispersed students. Users are authenticated through a RADIUS server, which the team is convinced is the only way to provide reasonably secure access to the campus networks.
"It's a lot harder to meld together a bunch of fiefdoms in the wireless world, particularly when you've enforced authentication," Marti explains.
Anyone who uses a laptop or handheld device in an area with a wireless node gets routed to a VPN server. Requiring on-campus users to go through this process cuts down on possible attacks by establishing an IPSec-secured tunnel. The campus network includes Ethernet ports in all dorm rooms, allowing students to log into the campus network using personal desktop or laptop computers. The team has even managed secure access for visitors who use places like campus libraries or the Bush Presidential Center for conferences. They create short-term users in the school's RADIUS authentication server database, giving guests access only while they are visiting.
Texas A&M took advantage of its on-campus expertise when it tested its first wireless network last summer at the main library and one academic department. After a lot of research, telecommunications engineering undergraduates helped design the system, which includes a homegrown firewall. Smaller pilots followed at dining facilities.
The school has adopted the 802.11b standard for its wireless transmission with throughput up to 11 Mbps, but the team plans a transition to 802.11a for faster (up to 54 Mbps) throughput. They're eager to see how the 802.1x standard, which provides strong authentication for both wired and wireless networks, will fare.
"We're a very standards-based organization here," explains Mark Ridgway, a network engineer helping spearhead the multiyear, multimillion-dollar wireless project. Ridgway says that interoperability was key when choosing among solutions. "That's what we use as our rule to measure vendors. We're looking at systems where anybody can plug in anywhere."
After evaluating engineering test beds from Cisco Systems, ORiNOCO, Avaya and Enterasys Systems, the wireless team decided to use Cisco and Enterasys APs because of their flexibility with multiple cards. They were also attracted to an upcoming Enterasys feature -- called "key tumbling" -- which changes WEP keys every 60 seconds.
With the library now online, Texas A&M has a long priority list of places to deploy its wireless network, including the student center and classrooms that seat at least 100. Those 51 classes alone will require at least 260 access points at about $1,500 per point (including antenna, wired port and engineering time). Marti says the state school expects to spend $200,000 to $300,000 annually on wireless.
But that doesn't mean Texas A&M is planning to replace the existing LAN. "Wireless is a complement to the network," Ridgway says. "It allows a little more mobility and flexibility and interoperability with the wired environment. But in no way will it ever replace what the wired network is doing."