WIRELESS POLICY FOR EAST TENNESSEE STATE UNIVERSITY Active since: 11/16/06
1.1 Technical Information
The most significant and most difficult issue in wireless networking is security. The current 802.11 wireless network standards do not include authentication of devices and users. In the absence of a standard, companies in the wireless networking industry have adopted the 802.1X protocol as an authentication framework for “wired and wireless Ethernet” (802.11) networks. The 802.1X protocol allows vendors to choose an authentication algorithm to implement in their products. However, this also leads to compatibility issues between vendor specific hardware.
Wireless communication networks use radio frequency (RF) transmissions to transport voice, video and data signals from wireless-enabled end-user devices through a wireless access point (WAP) that is physically connected to the ETSU campus network. A Wireless Network, for the purposes of this document, thus may be defined as a network that is ultimately connected to the wired Ethernet network of ETSU.
When a WAP is connected to a wired network and to a set of wireless stations, it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnet in the wireless local area network (WLAN). Most WLANs operate in infrastructure mode in which wireless devices can communicate with each other or with a wired network and provide access to network resources, such as file servers, printers etc.
A broadcast Service Set Identifier (SSID) enables a user machine to identify the wireless networks present in an area. The SSID is a unique identifier attached to the header of packets sent over a WLAN that acts as a password when a device tries to connect to a specific WLAN. A device is not permitted to join the BSS unless it can provide the unique SSID. However, since the SSID is transmitted in plain text, it can be easily sniffed over a wireless network, thus drastically limiting the security it may provide to the WLAN. Wired Equivalent Privacy (WEP) keys may be employed to encrypt data transmitted over radio waves so that it is protected as it is broadcast between devices and/or network points. However, WEP does not present a very secure solution as it is used only at the data link and physical layers of the Open System Interaction (OSI) model. The two layers mentioned are the two lowest layers of this model and therefore do not offer end-to-end security.
A major difference between security associated with a wired network and a wireless network is the accessibility of the network outside of controlled environments. A wired network jack requires physical proximity for access, hence increasing the types of security protocols that may be available for implementation. A wireless network, in contrast, allows access without those physical limitations, thus requiring a different design for security concerns. A trusted wired network user may not enjoy the same access privileges on a wireless network, just because they are in an open environment. Some of the issues discussed by this group include:
Who may be deemed a trusted user?
How to deal with vendors and demos and other short-term users?
How to deal with user operated routers and DHCP servers, and multi-port hubs?
Figure 1. Network and data-flow schematic
Security in wireless networks may be classified into three major areas: Device authentication, user authentication, and transactional security. This document addresses all three areas in context of internal and external threat mitigation, as well as, identification, authentication and privacy issues. As is illustrated in the above diagram, a wireless network cloud exceeds that of the physical proximity of the wireless-networked machines. This introduces the possibility of an intruder making unauthorized utilization of the wireless network to either mount attacks on the wired network or gaining unauthorized access to the internet, while circumventing the security blanket of the firewalls. The green arrows depict the traffic flow that we would want, while the red arrows illustrate data pathways that would be a risk to the security of ETSU LAN and WLAN. This necessitates the need to prevent all non-authenticated users and machines from using the networks. Further, since a wireless environment does not provide the physical confines of a wired-network to the data packets traveling between machines, it leaves these packets vulnerable to snooping by intruders or hackers. Hence, the need for transactional security is paramount in a wireless environment. Transactional security has been addressed in WLAN designs by using the same approach as in the wired environment: Secure Shell (SSH) for telnet and ftp, Secure Sockets Layer (SSL) for http, and Virtual Private Network (VPN) for remote access. The overall system security and deployment design depends upon these contributing factors.
The current standards use the SSID for network identification and recommend using the WEP key as a password for devices wanting to join a network. However, in the practical world, the SSID can be sniffed and the WEP key can easily be passed from person to unauthorized person. The current 802.11 wireless network standards do not accommodate generation of dynamic WEP keys for each user as these standards do not include authentication of devices and users. It is expected that the 802.11p, now under consideration by IEEE will address this issue. In the absence of a standard, companies in the wireless networking industry have adopted the 802.1X protocol as an authentication framework for “wireless Ethernet” (802.11) networks. The 802.1X protocol allows vendors to choose an authentication algorithm to implement in their products. However, this also leads to compatibility issues between vendors.
Authentication algorithms are, in turn, based on another protocol called Extensible Authentication Protocol (EAP) that was originally created for use with dial-up networks.1 There are two dominant EAP protocols. The first is Cisco’s LEAP (Lightweight Extensible Authentication Protocol) and Microsoft’s PEAP (Private Extensible Protocol)
Cisco Systems’ implementation of EAP is called LEAP:
“Cisco LEAP (Lightweight Extensible Authentication Protocol), also known as Cisco-Wireless EAP, provides username/password-based authentication between a wireless client and a [Remote Authentication Dial-In User Service] RADIUS server … In the 802.1X framework, a LAN station cannot pass traffic through an Ethernet hub or WLAN access point until it successfully authenticates itself. The station must identify itself and prove that it is an authorized user before it is actually allowed to use the LAN.”2
Microsoft’s implementation of EAP is called PEAP:
A protocol proposed by Microsoft, Cisco and RSA Security for securely transporting authentication data, including passwords, over 802.11 wireless networks. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.
TTLS and PEAP work within the framework of the broad-based IEEE 802.11 wireless LAN standard for authentication known as 802.1X. PEAP and TTLS each use Transport Layer Security - which is often described as a better Secure Sockets Layer - to set up an end-to-end tunnel to transfer the user's credentials, such as a password, without having to use a certificate on the client.
This document addresses wireless networking security challenges by recommending a set of technical solutions in conjunction with a set of policies that takes into consideration the ETSU environment, needs and capabilities. When needed, ETSU’s OIT department can use other forms of security for wireless such as WEP or WPA if LEAP or PEAP cannot be used or other authentication methods are more secure.
For the purposes of this document a wireless network is defined as a radio frequency network that is ultimately connected to ETSU’s wired Ethernet network and as such is to be considered an infrastructure extension of ETSU’s wired network. Further, all wireless devices that ultimately utilize the wired network for connectivity are covered by this document. Wireless devices such as Cell Phones and Pagers are out of the purview of this document, as they do not access the ETSU wired Ethernet networks. However, PDAs are covered along with the wireless networked computers.
Wireless networks extend the reach of the campus network to locations where it is impractical or impossible to provide a physical wired connection. The primary purpose of wireless networking on ETSU campuses is to allow ETSU students, faculty and staff to access e-mail, browse the Internet, do course work, and access networked information resources from anywhere in or near academic buildings without needing a fixed physical network connection (i.e., a cable plugged in to a network jack). However, the configuration, installation, and use of wireless access points could, if unmanaged, disrupt network performance and compromise the overall security and integrity of networked information resources. This policy regulates the configuration, installation, management, and support of wireless communication networks and devices at ETSU.
Top of Page
This policy applies to all users and all wireless networks and devices both within and outside academic and residential buildings on ETSU’s main campus, the College of Medicine campus, and any extended campus sites where the wireless access points (WAPs) providing service may be connected to the ETSU campus network or ETSU supported networks. This policy covers any devices and users to adhere to the rules, regulations and policies concerning security and prevention of interference.
The Office of Information Technology (OIT) is responsible for the configuration, installation, management, and support of the wired network. Since the campus wireless networking environment is an extension of the wired campus network, OIT will assume the same responsibilities for its configuration, installation, management, and support.
The policies presented in this document are to be considered in conjunction with the various computer use policies and the Code of Ethics already in place at ETSU.
The following assumptions are declared for the purposes of this document:
- Any and all devices utilizing radio frequencies (RF) for the purposes of transporting voice, video and data signals from wireless-enabled end-user devices through at least one wireless access point (WAP) that is ultimately physically connected to the ETSU campus network will be deemed Wireless Devices.
- A Wireless Network (WLAN), for the purposes of this document, is defined as a network that is ultimately connected to the wired Ethernet network of ETSU
- All wireless devices in the ETSU WLAN environment, or making use of other devices within the ETSU wired or wireless Ethernet networks shall be registered with OIT prior to accessing any part of the ETSU WLAN or wired networks.
- Peer-to-peer or Ad Hoc wireless networks are not permitted on the ETSU network. Any deviations will need prior approval by OIT.
- The WLANs are to be considered an extension of the wired ETSU networks, hence an integral part of the ETSU networking infrastructure.
- Since OIT is responsible for the ETSU networking infrastructure, OIT will also be responsible for the ETSU WLAN infrastructure.
- The computer use policies, Code of Ethics, and other relevant policies that apply to use of computers and computer networks at ETSU will also apply to wireless devices as defined above.
2.2 Usage Policies
Three types of users are defined for application of these policies:
- A current verified ETSU User is defined as a currently registered ETSU student or a currently employed faculty, staff, and/or administrator, whose identity has been verified and is registered to use the ETSU computing facilities.
- A Non-ETSU Long-Term User is defined as a user not defined as an ETSU User above, but associated with ETSU in activities and functionality approved by ETSU as legitimately requiring access to ETSU networks. Examples: Bookstore and/or food service contract holders.
- A Non-ETSU Temporary User is defined as a user not covered in the two categories mentioned above, but requiring approval from ETSU to use ETSU networks for a temporary period not exceeding 24 hours. Examples: Guests, conference attendees, Press members, Library users etc.
- Existing computer use policies, Code of Ethics, and other relevant policies that apply to use of computers and computer networks at ETSU will also apply to all users and wireless devices as defined above.
- Use of network sniffing devices and tools without prior written permission from OIT is strictly prohibited.
- Unauthorized access of any ETSU network component, both wired and wireless is strictly prohibited.
- Only registered wireless devices are permitted to access any part of the ETSU WLAN or wired Ethernet connections.
- ETSU Students, faculty, staff, administrators and/or ETSU departmental representatives will be authorized to register wireless devices with OIT.
- ETSU Students, faculty, staff, and/or administrators wishing to use the ETSU WLAN will be required to register as users with OIT, if not already registered and authorized to use the ETSU wired Ethernet.
- Current ETSU user verification protocols will be applicable to the ETSU WLAN as well.
- Non-ETSU users, both long-term and temporary, wishing to access the ETSU WLAN or any component of the ETSU WLAN will be required to register the non-ETSU wireless device and the wireless device user with OIT. At least one form of official picture identification (e.g. a driver’s license) will be required from the person wishing to register the device and/or as user.
- To register as a non-ETSU temporary WLAN user, a verified current ETSU user will be required to sponsor the request from a non-ETSU person. The sponsorship forms will record information about the identity of the non-ETSU person seeking to register as user, along with a need statement, duration of registered status requested, and identity of current verified ETSU user sponsoring the non-ETSU personnel for registration as user. Official forms of picture identification will be required from both the sponsor and the sponsored.
- A verified current ETSU user will be required to sponsor the request from a non-ETSU person seeking to register a wireless device.
-The registration of a wireless device by a non-ETSU person must be accompanied by registration of the same non-ETSU person as a Non-ETSU user.
-Authorization for access to the ETSU WLAN granted to non-ETSU users/devices will have a stated expiration date that applies to both user and device. Expiration dates should be synchronized; in the event of a discrepancy the shorter of the two dominates.
The sponsorship forms will record information about the wireless device to be registered, including the media access control (MAC) address of the network interface; the identity of the non-ETSU person seeking to register the wireless device; a brief statement describing the need and duration for wireless access; and the identity of the verified current ETSU user sponsoring the non-ETSU registrant. Official forms of picture identification will be required from both the sponsor and the sponsored.
- Non-ETSU Long-Term Users may only be sponsored by ETSU department chairs, their equivalents in non-academic units, or their designees through a request to OIT. Non-ETSU Long-Term users may not be sponsored for registration by individual ETSU users.
- Non-ETSU Temporary Users may be sponsored by any currently valid ETSU user.
- Non-ETSU users, both long-term and temporary, may not sponsor anyone for registration.
- OIT has the right to refuse or terminate registration at any time for cause and must provide the basis for the action.
- OIT will maintain records of all such requests as mentioned above for a duration to be determined by the ITGC and/or ETSU Administration.
2.3 Configuration Policies
- The wireless networking environment at each wireless-equipped ETSU campus will consist of a single public (secured) zone, enabling authorized users to move around freely yet maintain their access to the network. Departments may request private areas for testing, instruction, or research with the approval of the Office of Information Technology (OIT). Individual WAP zones will be determined by OIT to best suit the WLAN architecture.
- Requests for WAP zones will be forwarded by department Chairs to OIT and a project plan will be developed by OIT in consultation with the department Chair or their designee. OIT will develop the individual WAP zones, taking into consideration existing zones, overlap, bandwidth, number of users, access point accessibility, and security. OIT will be responsible for the installation of the WAP in the new zone on the timetable identified in the project plan.
- OIT will maintain an updated WAP location and WLAN accessibility zone map for all ETSU campuses at all times.
The current ETSU campus network environment for end-user connections is 10/100 Mbps switched Ethernet. The standard for the wireless network environment will be “wireless Ethernet”, Wi-Fi, IEEE 802.11a/b/g. Wireless equipment currently recommended and installed by OIT uses the FCC unlicensed 2.4 GHz Industrial/Scientific/Medical (ISM) band and transmissions within this band conform to the IEEE 802.11b/g DSSS (Direct Sequence Spread Spectrum) wireless LAN specification.
When feasible and cost-effective, OIT will recommend and install wireless equipment that uses the same 2.4 GHz band and transmissions but that conforms to the IEEE 802.11g OFDM (Orthogonal Frequency Division Multiplexing) specification. 802.11g is fully backward compatible with 802.11a/b/g.
Wireless equipment that uses the FCC 5.0 GHz Unlicensed National Information Infrastructure (U-NII) band with transmissions conforming to the IEEE 802.11a OFDM (Orthogonal Frequency Division Multiplexing) wireless LAN specification is not currently being recommended or installed by OIT but may be considered when it becomes feasible and cost-effective.
OIT will monitor wireless technology developments and standards and recommend changes to the supported standard through the existing campus IT governance structure. Recommendations for change will include a plan and budget to migrate existing equipment to the new standard.
2.3.3 Authentication and Security
18.104.22.168 Device Authentication
- As discussed in 1.2 above, the 802.11x standards do not include authentication of devices and users so companies in the wireless networking industry use the 802.1X protocol as an authentication framework. Since the authentication algorithms are vendor specific they are not always compatible with each other and wireless network device configuration utilities also vary from vendor to vendor. Given the resources available to support networking at ETSU it is practically impossible to support a variety of devices and utilities from multiple vendors. In order to accommodate authentication of devices to the network, OIT will support any WAP or Wireless card that supports Cisco Wireless EAP (LEAP) and/or Microsoft’s PEAP authentication. Any OIT supported WAP will need to support one of the two authentication methods.
- Cisco hardware forms a majority of the WLAN equipment in use by ETSU at this point in time. Therefore, WLAN equipment standardized to use Cisco hardware is recommended. Cisco WLAN equipment will support LEAP and PEAP authentication.
- For existing hardware that is not Cisco Wireless EAP compatible, Microsoft’s PEAP authentication can be used. For hardware that supports neither LEAP or PEAP a software solution is recommended that will enable the wireless client to get authenticated by the network. The software client will enable users of existing non-compliant wireless network cards and integrated wireless devices (e.g., PDAs) to comply with this requirement of device registration and authentication.
- An individual WAP when connected to the wired network will seek authentication against the registration database. Once authenticated, the switches will allow traffic to conduct through the network port that the WAP is attached to. In case of denial of authentication, the network switch will automatically turn off the port from which the WAP sought connectivity. The port may be re-enabled only through a support/help ticket with OIT.
- It will be the responsibility of OIT to upgrade the infrastructure of the WLAN to accommodate the current proposed authentication protocol and any 802.1xx standards that emerge in the future.
- It will also be the responsibility of OIT to recommend patches, software and hardware to users as needed in light of changes instituted by OIT to the WLAN infrastructure that affects authentication protocol or capabilities.
- Only OIT will be authorized to issue SSID and WEP key(s) to any WAPs on the ETSU WLAN. General broadcasting of SSIDs is not permitted. Further, it will be the responsibility of OIT to explore and implement the dynamic WEP key technology if and when such technology emerges.
22.214.171.124 User Authentication
Every prospective user of the ETSU WLAN, using a registered wireless device, must be registered as a user before they can use the ETSU WLAN. Each registered user will be authenticated at the beginning of each WLAN session. This process will be similar to that used now to log on to the ETSU domain using wired computers on the ETSU LAN.
- OIT will provide the means necessary for registered users to be authenticated against the user registration database. In the near term, this would most likely be via RADIUS or similar means.
- OIT will continue to be responsible for maintaining the user registration and authentication databases, as is the case now.
- It is strongly recommended that a Lightweight Directory Access Protocol (LDAP) database be created for user registration and authentication purposes. The current protocol for establishing user affiliation and identity is not a clean process and the definitions of ETSU-affiliated, ETSU-associated and other classes are murky. A dedicated LDAP application will enable OIT to sort out vendors, guests, faculty, staff, students, and affiliates in a more reliable and efficient manner. LDAP is a set of protocols based on standards within the X.500 standard for accessing information directories. It supports TCP/IP, which is necessary for any type of Internet access, it is an open protocol, i.e. applications need not be concerned about the type of server hosting the directory, and is versatile enough to accommodate almost any application running on virtually any computer platform to obtain directory information (including user and/or device registration information in our case). This will also help with the Apple vs. Windows authentication protocol issues as well.
126.96.36.199 Packet Security or Transaction Security
Transaction security in the wireless networking environment would require the same approach as in the wired environment: Secure Shell (SSH) for telnet and ftp, Secure Sockets Layer (SSL) for http, and Virtual Private Network (VPN) for remote access.
188.8.131.52 Cisco Devices
ETSU has made a substantial investment in wired campus network infrastructure that consists of equipment (switches, routers, etc.) and software from Cisco Systems, including a RADIUS server. Maintaining compatibility with existing infrastructure would help minimize the costs associated with wireless network implementation, operation, management, and support. Relatively higher initial hardware acquisition cost would be offset by lower operation, management, and support costs. For this reason, LEAP and PEAP supported wireless networking hardware for the ETSU WLAN (network cards and access points) is recommended.
184.108.40.206 Purchase and Installation of Wireless Access Points and Rules
Only OIT may install wireless access points (WAPs). Since WAPs in the wireless network are comparable to switches in the wired network, they are defined as part of network infrastructure for purposes of this policy and as such are to be managed by OIT. Department funds may be used to purchase WAPs through budget transfers to OIT with the equipment entered into OIT inventory.
- Each registered WAP will be assigned a static IP address that will be authenticated against the MAC address of the WAP at the switch. If the authentication goes through, the port to which the WAP is connected will be enabled. If the authentication fails, the port will be disabled. To re-enable the port, an OIT Help Desk ticket will have to be obtained.
- Authentication protocol at the switches will also disable ports that utilize unauthorized network hubs to attach multiple devices to a single network port. Exceptions to this rule may be obtained from OIT, prior to installing the hubs.
- OIT will maintain a campus-wide master map of all the registered WAPs in deployment and their zone coverage. OIT will have the right to remove any WAPs that are not OIT managed or not registered.
- Internal DHCP servers will not be allowed to generate IP addresses, except by OIT or OIT authorization.
220.127.116.11 Network Address Translation
No wireless devices that allow unsecured Network Address Translation (NAT), such as wireless routers or gateways, will be allowed to connect to the wired or wireless network. Internal IP addresses of the form 192.168.x.x will be blocked at the switches. This includes all academic and residential buildings along with all ETSU remote sites. If deviations are needed, prior authorization is required by OIT.
18.104.22.168 Previously Installed Devices
OIT must be notified of any previously installed WAPs being used by departments, faculty or staff via “Computer Account Request Form”. A determination will be made as to whether or not the WAP can be made to use the 802.1x security. Devices that do not or cannot be made to use 802.1x security will be removed from the network after the allotted time period. It will be the responsibility of the Department to purchase the compatible WAP that supports 802.1X. All departmental and other non-managed OIT WAP’s will need to be removed upon the installation of ETSU’s OIT managed WLAN.
Other wireless devices exist in the marketplace that also employ the 2.4 GHz frequency band and can cause interference to users of the ETSU wireless networking environment. These devices include, but are not limited to, other IEEE 802.11a/b/g wireless LAN devices, Bluetooth enabled devices, 2.4 GHz cordless telephones, wireless printers, cameras, and microwaves.
To ensure the highest level of service to users of the ETSU wireless networking environment, OIT requests cooperation from all members of the campus community to minimize the potential interference from other wireless devices. OIT reserves the right to request that departments move, remove, reconfigure or shield devices that interfere with users’ access to the ETSU wireless network. Upon the installation of ETSU's wireless network in a given area, all existing wireless devices that have an output power greater than 3 milliwatts, operate in the 2.4GHz or the 5.0GHz range and that are not OIT managed are to be removed or reconfigured to adhere to ETSU’s wireless standards. Some exceptions will be made for device interference caused by microwaves and special requests.
All cordless phones that use 2.4 GHZ are not permitted for use on campus in the academic or residential buildings along with all of the remote sites. Cordless phones that exist in this frequency cause direct interference with the wireless network and makes the wireless network unusable. If ETSU faculty, staff or students require a cordless phone, OIT recommends 900 MHZ cordless phones because they do not interfere in the frequency range of the ETSU WLAN. Currently, 5.8 GHZ cordless phones do not interfere with ETSU’s existing WLAN, but may as the standards evolve. All wireless standards will be updated periodically at the following website: http://www.etsu.edu/oit/standards/Standards_WirelessHardware.aspx.
If there are cordless phones, ad hoc or peer-to-peer WAP’s in the prohibited frequency, OIT will attempt to notify the user in writing and ask them to remove the device. If the device is not removed within 24 hours, OIT will take necessary actions to stop the interference of the device.
When a non-conforming device is being used for a teaching or research application, OIT will work with faculty to determine whether alternatives exist or the device can be accommodated without causing major interference to other ETSU wireless users after the “Computer Account Request Form” has been received.
Although student housing networks are not part of the OIT maintained ETSU wired networks, student housing wireless networks will be part of OIT ETSU’s network in the fall of 2007. Beginning the Fall of 2007, OIT will reserve the right to remove any wireless device attached to the student housing networks that causes interference or disruption to the ETSU WLAN. In the interim, when interference or disruption to the ETSU WLAN is found in the student housing, OIT will work with Housing and the students to educate and help them remove or reconfigure the device causing interference.
2.4 Security Policies
- Only registered and authenticated users and devices are allowed to use the WLAN or access resources on the wired network via the WLAN or wireless devices.
- ETSU rules, regulations, and policies that apply to users of wired network will also apply to wireless network users. Wireless network users may be subjected to additional rules, regulations and policies.
- All wireless devices and users will be authenticated for each session
- All non-registered WAPs will be considered as “Rogue” Access Points and be removed by OIT.
- SSIDs and WEP keys may only be generated by OIT.
- No Ad Hoc or Peer-to-Peer networks to be allowed without prior written permission from OIT via a “Computer Account Request Form”.
- DHCP servers not allowed, other than those run or authorized by OIT.
- IP addresses not generated by OIT will not be allowed and the ports on which devices using these non-authorized IP addresses are detected, will be shut down.
- Sniffing or snooping on the WLAN, unless authorized by OIT in writing, is considered an illegal activity and may result in action being taken against the user.
- Sharing of passwords is illegal. The user may be held responsible for activities conducted under their authentication.
- A sponsor may be held responsible for the activities of the person he or she sponsored.
- All of the policies listed in 4.3 are included by reference in this section.
2.5 Monitoring Policies
To maintain a viable WLAN network and a credible security environment, now and in the future, several types of monitoring are recommended.
2.5.1 Wired-side Network Scanning
Wired-side network scanning can assist in:
- Tightly controlling the IP addresses accessing the ETSU networks and the internet.
- Restriction of non-OIT generated IPs and unauthorized DHCP servers
- Presence of rogue WAPs.
- Analysis of traffic between the wired networks and the WLAN WAPs.
- Monitoring of restricted or illegal activities by users on the networks.
2.5.2 WLAN Monitoring
WLAN monitoring by OIT is necessary to:
- Detect rogue WLANs, including soft WAPs
- Detection and restriction of Ad hoc networks
- Detection and restriction of unencrypted or unauthenticated traffic, unauthorized/unregistered devices, insecure end-points or stations, and unauthorized vendor hardware
- Monitoring and maintenance of performance thresholds, data rates and local zone definitions
- Policy implementation
2.5.3 Technology Monitoring
Since WLAN technologies are changing rapidly, OIT must monitor technology developments and the technology marketplace to:
- Identify and evaluate new technology and standards
- Obtain, distribute, and install software patches and equipment upgrades
- Recommend changes to the WLAN infrastructure including budget impact
2.6 Performance Policies
Once a request for a WAP has been initiated by a department, OIT will conduct data traffic surveys to establish competent zones for the placement of the WAP. These surveys will take into consideration overlap zones, number of users, signal strength, antenna types, connection speed, interference issues etc. Once a WAP is established and marked on the campus master map, OIT will be responsible for performance issues related to that WAP. OIT may alter the position, capacity or configuration of the WAP to accommodate performance factors. Departments or users may not move, alter or reconfigure established WAPs.
OIT may monitor data traffic patterns, WAPs in a particular geographical area and other networking resources to establish need and delivery ratios for performance analysis in certain areas. Such data may be used to support decisions in regards to requests for upgrading of WAPs in an area due to performance issues.
OIT will also monitor emerging technologies and products in the wireless networking arena to enhance performance of the WLAN at an infrastructure level. Upgrading and/or replacement of WAPs to accommodate new technologies will be dictated by the upgrade/replacement schedules that OIT works out on an annual basis.
2.7 Support and Maintenance Policies
OIT will maintain all WAPs registered and associated with the ETSU WLAN that are deemed network essentials. WAPs that were installed using departmental or faculty research/grant funds to provide essential networking services or environments will be maintained by OIT after the appropriate “Computer Account Request Form” is completed and submitted to OIT. However, WAPs installed as part of Ad hoc networking test-beds or research projects will not be maintained by OIT, even though these WAPs would still need to be approved by OIT and registered for operation.
- OIT will be responsible for the installation of all approved WAPs.
- OIT will provide user support for installation and configuration of LEAP and PEAP enabled wireless access cards.
- OIT will provide support for the authentication software client installation and configuration by WLAN users not using Cisco wireless access cards.
- OIT will provide support to all departmental requests for WAP installations. This will include zone coverage design, WLAN component analysis, security and needs analysis and performance policy application recommendations.
2.8 Upgrade Policies
Treating the WLAN as an infrastructure resource, just as the wired network components are, OIT will assume the responsibility for determining an upgrade and/or replacement schedule for the WLAN components that are registered with it that are deemed essential to maintain a network presence.
- WLAN components that are not deemed network essentials, but paid for by departments to enhance network accessibility, for convenience, or research purposes will have to be upgraded using departmental funds. Departments seeking accelerated deployment or upgrades would be allowed to transfer funds to OIT to accomplish the same.
- Departments and/or individuals may not alter registered WAPs or introduce new ones as replacement for older ones without approval from OIT.
- OIT will not be responsible for upgrading or replacing individual wireless cards in machines accessing the WLAN, unless referring to machines in the OIT supported computer labs.
- OIT will not be responsible for any upgrades, replacements or support for machines registered by, or for use by, non-ETSU users.
- OIT will not be responsible for providing support to non-ETSU users registered to use the ETSU WLAN.
2.9 Privacy Policies
Both ETSU and non-ETSU users either registering devices or as users will be informed at the beginning of the registration process of the information being collected and the obligations of ETSU vis-à-vis requests by law enforcement and courts to supply this information under certain conditions. Registration will only be completed after acknowledgement and acceptance of these policies by the registrant.
2.9.1 Information Collection
ETSU’s Information Technology Code of Ethics governs electronic records including monitoring, inspection, disclosure, and enforcement. Records pertaining to the WLAN would also be covered by this policy. Also, to better protect the ETSU WLAN environment, certain information will be collected on both the devices in this environment and the people using this environment. This collection may include, but is not limited to:
- Unique identifiers, such as the MAC address and the serial number on the wireless devices, as defined earlier.
- Registration of device information and registration of user information as described in section 4.2 of this document.
- Correlating information on the wireless device, sponsor and sponsored user.
- Correlating information on ETSU-User and the non-ETSU user sponsored by the former.
- Exact DHCP IP lease times and device authentication times for devices in operation.
- Correlated data on device and user authentication logs to establish the identity of the user and the device being used, and the duration of the authenticated session.
2.9.2 Information Retention
The ITGC and university administration will review the recommendations presented here by the working group and establish the Information Retention Schedules for OIT to follow and administer. The working group recommends the following:
- For registration information collected during the device registration process – information be retained for up to 3 months following the last use of the device or registry expiry period, whichever comes later.
- For registration information collected during the user registration process – information be retained for up to 6 months following the last use by the user or registration expiry period, whichever comes latter. This would include the information on the user, the sponsor and the correlating data.
- DHCP IP lease times, device authentication logs and user authentication logs should be retained for two weeks from date of entry
It is also recommended that the above information be kept only electronically and no paper reports be generated unless specifically required to comply with legal obligations. The electronic copies are to be destroyed according to schedule and no back up copies are to be retained past the expiration of the original copy’s schedule, unless dictated by legal or investigative reasons.
It is also recommended that this section be reviewed by the University Counsel for compliance with any legal requirements that may exist and revised accordingly.
2.10 Policy Review
OIT will review this document and all the associated policies annually and suggest changes or recommendations to ITGC for review each year. ITGC approved changes will be incorporated into the revised policy document each year.
3. Time Table and Implementation Priorities
It is anticipated that the university will review and adopt these policies so that they become effective on July 1, 2004. At this time, all departments currently using existing WAP will need to complete the “Computer Account Request Form” and submit to OIT. OIT will assess the WAP use and whether it uses LEAP or PEAP authentication and then make a recommendation whether the WAP can continue being used on the University network. In the meantime, OIT should begin to assess the existing infrastructure’s ability to support device and user authentication and network monitoring, gather data on existing WLAN installations, and develop the procedures, forms, and expertise that would be necessary to begin supporting WLAN implementation in FY2004-2005. It can also start work on the development of databases, authentication systems and monitoring systems.
ETSU WLAN deployment will be prioritized based upon need and available resources in OIT. Augmenting or extending the wired network with the WLAN in areas where WLAN would be more cost-effective should be a high priority. A major constraint on WLAN deployment is whether or not the network switches present in the area where WLAN is to be deployed are capable of supporting the Cisco LEAP protocol. For areas that have switches that do not support this, the WLAN deployment may depend upon when OIT is able to afford to upgrade those switches. Departments that wish to have expedited WLAN deployment may be able to expedite these initiatives through fund transfers to OIT to acquire the necessary hardware.
Although WLAN deployment is intended to augment and not replace the wired networks, there may be cost savings associated with WLANs in areas where wired network maintenance and upgrades are exorbitantly expensive. In many cases WLAN implementation may actually be cheaper than providing Ethernet drops in those locations. It is recommended that OIT begin offering WLAN connections as an alternative to wired network connections when feasible and cost-effective.
In general, OIT will identify areas for WLAN deployment based upon their evaluations and recommendations from department Chairs and university administrators. These will then be prioritized based upon a combination of need, cost factors, resources available, existing infrastructure and benefit impact areas. Initiatives fully funded by departmental or grant funds will be afforded top priority. OIT’s priority list of WLAN projects for FY2004-2005 should be presented to ITGC in January 2004 to allow for inclusion in strategic and budget planning processes for FY2004-2005. Annual plans should follow the same schedule thereafter.
Certain infrastructure resources need to be established before a comprehensive effort to regulate wireless networks on ETSU campus can be attempted. Some of the infrastructure needs include:
3.1.1 Current Infrastructure Analysis
OIT will need to:
- Conduct a survey to establish the Cisco LEAP implementation and Microsoft PEAP implementation capabilities for all network switches on campus.
- Devise a strategy, cost analysis and time-table to enable all switches to be able to authenticate in the near future.
- Develop a campus master map showing existing WAPs, their coverage maps and all other relevant information that would be available from a typical registration entry.
- Analyze existing WAP deployments for compliance with the recommended ETSU Wireless policies and recommend actions (unplug, upgrade, etc.) based on that analysis.
3.1.2 Essential Development
Following are some of the development activities that need to be conducted by OIT before a coherent WLAN plan can be implemented:
- Develop forms (paper and electronic) and procedures for user (applicable to all users as defined earlier) and device registration including identity verification data.
- Electronic and/or paper references to the policies to be developed by OIT, including privacy and security policies, that a user would receive upon registering a wireless device and/or as a user.
- Obtain electronic record retention schedule identified in 4.9.2 above.
- Develop device and user authentication protocols and capability to be implemented via LEAP authentication through switches against RADIUS/LDAP databases.
- Develop databases to correlate DHCP entries with device registration data, and authentication queries with IP lease and registration periods.
3.2 Roles and Responsibilities
3.2.1 OIT will:
- Provide consulting services to departments requesting wireless networks to design and implement appropriate solutions.
- Maintain a database describing installed wireless equipment and its performance characteristics to assist users in planning wireless projects.
- Maintain web-based user support documents like a map showing wireless availability, configuration instructions for supported hardware/software, and lists of recommended/supported hardware/software.
- Implement and maintain a centralized authentication database(s) for resource access; Lightweight Directory Access Protocol (LDAP) based on the campus-standard Microsoft Windows Active Directory is recommended.
- Install, configure, monitor, maintain and support all authorized wireless access points.
- Have the authority to shut down unauthorized wireless access points.
3.2.2 ETSU Departments through their Department Chair will:
- Register all wireless devices currently in use with OIT to assist in planning wireless projects. [See section on interference from portable phones, etc.]
- Request future wireless network access from OIT through the Help Desk to obtain project planning and implementation services.
- Cooperate with and assist OIT in implementing the policies listed above.
There are numerous “infrastructure” costs associated with the implementation of the technical plans and policies mentioned in this document. It is strongly recommended that OIT analyze this document from the perspective of implementation and prepare a cost analysis including One-Time costs and recurring costs for a three-year period. Some costs factors identified by the working group include:
- Personnel cost for implementing the WLAN plan in terms of design, planning and monitoring
- Support staff, i.e. help desk people, networking personnel
- Database developers and maintainers
- Cost to upgrade or replace switches
- Cost to buy in bulk the software clients for software based LEAP solution. This cost may be passed on to the individual users or departments that need to use it.
- Cost to have OIT computer labs specifically have Cisco wireless cards, instead of generics or other vendors.
- Effective cost for a department seeking a WAP deployment and a comparison with wired network drops.
A final comment: As mentioned earlier, although WLAN deployment is not intended to replace the wired networks, but to augment them, there may be cost savings associated with this plan, especially in areas where wired network maintenance and upgrades are exorbitantly expensive due to other reasons. WLAN may be a much cheaper solution for some of those problems. In many cases WLAN implementation may actually be cheaper than providing Ethernet drops in those locations. The overall maintenance cost may be lower for wireless.
1 “Under the Hood: Wireless Authentication,” Cisco Packet™ Magazine-Online Exclusive Archive-April 2002; available from http://www.cisco.com/warp/public/784/packet/exclusive/apr02.html; Internet; accessed 7 November 2003.
2 Phifer, Lisa. “Cisco LEAP (Lightweight Extensible Authentication Protocol), SearchDomino (12 August 2002); available from http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_
gci843996,00.html; accessed 7 November 2003.