DURHAM, N.H. -- One day at the University of New Hampshire, Doug Green and Bryan Scovill were discussing ways to create secure wireless hotspots on campus. At one point they looked out the window and saw students congregating. That's when it occurred to them that the task was about more than stopping worms and data thieves.
"We thought about the students instant-messaging back and forth on where to meet and at what time," said Green, network manager for the UNH telecom department. "You don't want the bad guys to intercept those IM transmissions and know where those students are." They realized wireless security is also an extension of public safety -- a way to protect students from predators.
"With a VPN and WPA, you can create a reasonable barrier to eavesdropping, man-in-the-middle attacks, evil twins, and so on," Green said. "But if someone really wants to do something criminal and they have the know-how and drive, they'll find a way and it won't make a difference if it's wired or wireless. We put a padlock on the door, but if you're smart enough, you can take a bolt-cutter or a torch to it."
To minimize the risk, the telecom department quarantines devices and checks them for vulnerabilities before they can access the network. It is also working to phase in technology based on the 802.1x standard, which supports stronger authentication methods. Most important, perhaps, is that Green and his colleagues are sticklers for teaching users to take care of themselves.
"Most users are satisfied not to worry about security," Green said. "We have to remind them. They are learning through their own suffering. Many have learned to patch their Microsoft machines. But there are those who still get Blaster and Sasser, worms and viruses for which there have been patches for over a year."
Wireless doesn't always mean convenience
Wireless access certainly makes life more convenient for students and faculty. If they are doing research in a lab or in the library, they can take their laptops with them without tripping over wires. But fewer wires don't mean more convenience for those who maintain the network. As Network Security Specialist Scovill put it, "One advantage for the IT department is that it lightens the cable load. That aside, expanding the wireless capability is a complex endeavor."
The main network runs through all or parts of 80 buildings across the campus and there are roughly 13,000 Ethernet connections [Green calls them Ethernet drops] -- half of which are in the residence halls. Physically, there are 20 buildings with wireless hotspots in portions of each -- 120 access points and growing, Green said.
"For wireless access you need to create an Ethernet drop, put the wiring in the ceiling and create the access point itself," Green said. The library and other departments pay $12.65 a month for those Ethernet drops. For students in the dorm rooms, the fee is built into the housing costs. "There is no line item in the UNH telecom budget for this," he said. "One way or another, it costs money to provide quality network service."
There are also rogue access points created when students try to activate their own wireless routers. That causes additional interference. "Faculty and staff do this, too," Green said. "It's strictly against our acceptable use policy. But until recently UNH did not have an alternative to offer those who wanted Wi-Fi. Now we do and we expect that users who participate will be good citizens."
Adding to the complexity of maintaining a wireless network, users sometimes misconfigure their laptops and they don't always understand that coverage varies from one part of a building to another. As a result, the help desk is a lot busier.
The push to phase out VPNs, phase in 802.1x
Then there are the limits that security places on the wireless network. In a perfect world, Green said, they'd be using 802.1x. Right now, he said, "for authentication, you need an account and to use the VPN if you want to do more than surf the Web. We let out HTTP port 80 but there are no cleartext passwords, no FTP or Telnet -- those are firewalled off."
This won't be a problem forever, though, Green said. Using technology from Andover, Mass.-based Enterasys, the telecom department plans to start phasing out the VPNs and phasing in 802.1x. "We hope by April to gradually start the phase out of VPN," Green said.
The department is now using Enterasys Ethernet switches and the company's NetSight Atlas policy management software. "We have also written software to link IDS to Atlas to shut off ports, to our DHCP systems to withhold IP address leases; and to our firewalls to block off-campus IPs that exhibit hostile traffic signatures," Green said.
These tools have made a difference, he said. When the department's IDS was first brought online to detect hostile traffic from the outside about two years ago, there were 7,000 hits a week. Now, Green said it's about 1,000 a week.
The art of 'self remediation'
Green said the department's biggest weapon against online threats is education. "People in the IT business must remember: To users, technology is a means to an end and it's a lot of work to update security. Helping users help themselves is the big challenge."
To meet the challenge, the network is set up to force users into patching their machines against security holes, Scovill said. "When we see a new address [accessing the network] they have to register," he said. "Then their machine is checked for vulnerabilities. If they're not patched against specific flaws or if their passwords are weak, they are quarantined and the user is guided to the security measures they need."
The buzzword the department uses to describe this process is "self remediation," Green said. And it doesn't end the first time someone is cleared to access the network. There's intrusion detection at every point on the network and it's tied into the quarantine system. If a computer is infected, Green said it will transmit hostile traffic like network probes and "phone-home attempts." The IDS picks up on it and the computer is sent back to quarantine.
"Then the user has to open his or her browser and they're guided through the process of self remediation," Green said.
Meanwhile, Scovill said, every machine is checked for flaws once a day while they are on the network. If one is found, the user is sent an automated e-mail describing what they must do to fix the problem. If the user takes no action after a week, they're removed from the network.
"This is the process, wireless or not," he said.
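The registration, quarantine, IDS hand-off, daily re-check and one-week removal rule described above, written out as a small policy model. This is an added illustration, not UNH's or Enterasys' code; the state names, function names and the "network_probe"/"phone_home" signature labels are assumptions, and only the one-week removal threshold comes from the article.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

REMOVAL_AFTER_DAYS = 7  # "If the user takes no action after a week, they're removed"
# Traffic types the article says an infected host emits (labels are constructed).
HOSTILE_SIGNATURES = {"network_probe", "phone_home"}

class State(Enum):
    UNREGISTERED = "unregistered"
    QUARANTINED = "quarantined"   # only the self-remediation pages are reachable
    CLEARED = "cleared"           # normal network access
    REMOVED = "removed"           # taken off the network after a week of inaction

@dataclass
class Device:
    mac: str
    state: State = State.UNREGISTERED
    flaw_since: Optional[int] = None   # day number the current flaw was first seen
    notices: List[Tuple[int, List[str]]] = field(default_factory=list)  # e-mails sent

def register(dev: Device, findings: List[str]) -> State:
    """A new address registers and is scanned; an unpatched flaw or a weak
    password sends it to quarantine, otherwise it is cleared."""
    dev.state = State.QUARANTINED if findings else State.CLEARED
    return dev.state

def ids_event(dev: Device, signature: str) -> State:
    """IDS is tied to quarantine: hostile traffic from a cleared machine
    sends it straight back."""
    if dev.state == State.CLEARED and signature in HOSTILE_SIGNATURES:
        dev.state = State.QUARANTINED
    return dev.state

def remediate(dev: Device) -> State:
    """The user finishes the browser-guided self-remediation and is cleared."""
    if dev.state == State.QUARANTINED:
        dev.state = State.CLEARED
        dev.flaw_since = None
    return dev.state

def daily_check(dev: Device, day: int, findings: List[str]) -> State:
    """Once-a-day scan of connected machines: a flaw triggers an automated
    e-mail; no action for a week removes the machine from the network."""
    if dev.state != State.CLEARED:
        return dev.state
    if not findings:                  # fixed by the user: reset the clock
        dev.flaw_since = None
        return dev.state
    if dev.flaw_since is None:
        dev.flaw_since = day
    dev.notices.append((day, sorted(findings)))
    if day - dev.flaw_since >= REMOVAL_AFTER_DAYS:
        dev.state = State.REMOVED
    return dev.state
```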
Despite the security challenges wireless presents, there is an upside, Green and Scovill said: It's a newer technology coming of age in an atmosphere where security is a much bigger deal.
"Ten years ago security wasn't a factor," Green said. When people are using the programs and devices that have been around that long, they're not as inclined to worry about security. But, he said, "Since Wi-Fi is newer, you can teach people to be more aware of security from the beginning."