UIUCnet Wireless Design Guidelines (Draft)

Last content modification: February 2006

A. Introduction

The expected proliferation of wireless communications products in the next few years and the resulting likelihood of interference between devices and services using wireless make it essential that wireless activities on the Urbana-Champaign campus be coordinated. This is particularly important in public general-access areas where several campus activities may have an interest in a similar wireless service. This document sets out procedures to provide that coordination. It also describes a cooperative network project that will encourage an organized approach to uniform 802.11-based wireless data networking in general-access and departmental areas.

B. Key points

CITES is creating a subsidized 802.11-based general-access network for the campus called UIUCnet Wireless. This network will be the campus standard for general-access wireless networking. The security policies established for UIUCnet Wireless provide both access control and security for its users.

Other campus networking options are available, but must be both coordinated and secure, as described in section B.2 below.

B.1: About UIUCnet Wireless

UIUCnet Wireless is an 802.11-based wireless network on the Urbana-Champaign campus, intended for use by University students, staff, faculty, and guests who have received either short-term or long-term guest access accounts.

B.1.a: Authorized users

UIUC general-access network infrastructure, including wireless infrastructure, controls network access by using standard campus network usernames and passwords.

Only authorized individuals will have the Network ID (or guest account name) and password needed to access the full UIUCnet network and the Internet through UIUCnet Wireless. Departments can also give visitors a short-term guest account and password that gives temporary access to some resources.

Requiring either a regular NetID or a valid guest account ID prevents unauthorized users from gaining network access through UIUCnet Wireless.

B.1.b: DHCP address assignment, tracking, and control

When a user logs in, the computer's MAC address will be tied to the user's NetID (or guest account) and DHCP-assigned IP address.

IP addresses will not be reserved; they will be assigned randomly at the time of connection, and a time-out feature is built in to both QuickConnect and the VPN server, since UIUCnet Wireless is not designed to provide a computer's primary source of 24/7 connectivity.

Relatively short lease times are used, to allow collection of retired addresses. Leases are renewed automatically and continue to be usable until the station goes offline. The short lease time ensures rapid detection of the disappearance, not short address use times.

An access list at the router limits access from the wireless network to the VPN end point. Only users who have authenticated themselves as described above will be allowed to access network resources off the wireless network.

To inhibit use of an address by a rogue station, ARP tables and switch address tables can be inspected to see that the IP address is being used by the station to which it is registered.

B.1.c: Authentication and security

Currently, two authentication mechanisms are available.

The campus VPN server: Authentication plus encryption for data security

CITES has installed a centralized VPN end point for use by external or general-access network users of campus services. This end point will provide both authentication and encryption for clients using wireless access. In order to use the VPN server, users must install VPN client software on their computers.

UIUCnet QuickConnect: Authentication only

UIUCnet QuickConnect provides authentication and limits access to known insecure services, but does not provide data encryption for wired equivalent security. QuickConnect does not require any additional software; users authenticate through a web browser.

Comparing the VPN and QuickConnect:

The VPN server provides data security through encryption as well as authentication, but is more complex to use. UIUCnet QuickConnect is simple, requires no additional software, and provides authentication, but does not provide any additional security. To counteract this, many insecure services are not permitted through QuickConnect, and only commonly available, reasonably secure, and/or carefully selected services are provided. For more information, see UIUCnet QuickConnect and Security.

B.1.d: Security methods NOT accepted for UIUCnet Wireless

No shared-key WEP

The Wired Equivalent Protocol (WEP) that is available in most access points and wireless cards does not provide effective security in its current implementation. WEP also makes configuration of clients more difficult.

WEP is not secure because it relies on an encryption key that must be entered by the user. Once that key is public knowledge, anyone can use it to eavesdrop on conversations. There have also been a number of published papers on ways to crack the encryption key. Both passive and active attacks have been published.

No MAC-address-controlled access

The MAC address restriction mechanism that is available in most access points makes it difficult to provide access to guest and roaming stations.

In the interests of making UIUCnet Wireless easily accessible by authorizing specific users (with identities and passwords) rather than specific machines (which could be stolen or replaced), MAC address restrictions will not be used as a method of controlling UIUCnet Wireless network access.

B.1.e: Supported protocols

TCP/IP is the only supported protocol over UIUCnet Wireless; Appletalk and IPX are not broadcast over the network. IP addresses are assigned via DHCP.

B.1.f: Moving while connected

If UIUCnet Wireless users move through different locations, they may find the connection has been terminated and needs to be renewed in the new location. The VPN server expects near constant communication with the client software, and signal fluctuations or changes in access points can disrupt this connection. The QuickConnect system does not expect constant communication between the computer and the gateway, so it provides a more stable connection in areas where signal is marginal or there is interference. However, moving from one subnetwork to another (or being positioned in a location where your computer's wireless card detects signal from two different access points on two different subnetworks) may cause your QuickConnect authentication to become invalid and force a renewal.

B.2: About other campus wireless options

B.2.a: Unsecured general-access wireless networks are not allowed

Departments should not create unsecured general-access wireless networks in their areas for two reasons:

1. According to campus information technology policies, network access should be limited to University students, staff, faculty, and approved guests who have requested access.
2. Unsecured wireless networks will compromise both data and password security.
3. The campus will explore the possibility of a special simple-access wireless network that will be open to all users, including campus visitors, without requiring authentication methods such as a NetID or guest ID. However, users will have only carefully restricted access through this network in order to limit the potential for abuse and for security vulnerabilities.
   
    If such a network is deployed, it will be placed on the outside of the campus firewalls, as though it were part of the Internet rather than the campus network. This measure will be taken in order to protect the campus network from abuse by any security-compromised computers that could take advantage of the simple-access network's lack of authentication.
   
   In addition, the CIO would have to grant security exceptions to each location that offered this type of unrestricted wireless access.

B.2.b: Partially or completely department-restricted wireless networks need to be coordinated and secured

Departments that wish to set up partially or completely department-restricted wireless networks will be required to guarantee a level of security that is the same as or better than UIUCnet Wireless, as described in the Wireless Service Implementation Options pages.

Acceptable equivalent security:

WPA and 802.1x are both considered acceptable equivalent security for units implementing independently secure departmental wireless solutions.

Unacceptable security:

WEP is NOT considered acceptable equivalent security because of the availability and ease of use of WEP cracking tools.

Using MAC addresses to control access, while sufficiently secure, is not acceptable for campus use because of the difficulty of use in the campus setting. Specifically, the MAC address restriction mechanism that is available in most access points makes it difficult to provide access to guest and roaming stations.

Departmental networks should not depend on MAC-address-based mechanisms for general access control. The UIUCnet Wireless general-access network may move into an area and require removal of the mechanism. In situations where multiple access points cover an area and one of them uses MAC address restriction, a client may lock on to an access point that it can't use.

C. Policies, guidelines, and procedures

C.1: Acceptable use policies

Wireless equipment and users must follow general communications policies. Wireless services are subject to the same policies that govern other network and communications services at UIUC. See in particular the following:

• UIUCnet acceptable use policy
• Information security policy
• Campus policies and procedures manual
• Abuse or interference with other activities is a violation. Interference or disruption of other authorized communications or unauthorized interception of other traffic is a violation of policy.

C.2: Radio interference

Because of its dependence on a scarce shared resource, radio communication is subject to additional rules concerning interference and shared use.

Equipment must meet all applicable rules of regulatory agencies such as the FCC.

Equipment must be installed so as to minimize interference with other RF activities, particularly as described below.

C.3: Tracking wireless equipment on campus

All wireless network transmission equipment must be registered and coordinated with CITES. "Wireless network transmission equipment" is defined as equipment such as wireless base stations, where the main purpose is to create connections between different computers, typically over distances greater than six feet. (Wireless equipment intended for personal area use only, including items such as wireless keyboards and wireless mice, do not need to be registered. Wireless cards inside laptops also do not need to be registered, since it is assumed that their locations will change frequently and that they will not serve the primary purpose of allowing other computers to connect to the network.)

The limited radio spectrum available (particularly in unlicensed frequencies) and the resulting likelihood of interference require that all wireless network transmission equipment used on campus must be registered in a central database so that the campus community can track the use of the radio spectrum.

Any conflict between wireless devices will be resolved in favor of the general-access network, as a cooperative effort both to eliminate interference and to prevent future interference.

C.3.a: Covered technologies

Most wireless networking equipment must be registered, including at least:

• 802.11-based technologies (802.11a, 802.11b, 802.11g, and any future variations)
• 2 Mbit/sec. wireless
• Point-to-point microwave
• 2.4 and/or 5.5 Ghz radio transmitters and phones
• Bluetooth (when used for networking, rather than for keyboard, mouse, or other personal-area purposes with a signal radius typically under 6 feet)

C.3.b: Data elements collected

CITES will maintain a registry of devices that includes these data elements:

• Location
• Frequency
• Usual power output
• Approximate coverage area
  • Intended
  • Active
• Technology
• Responsible parties
  • Administrative
  • Technical

You can register devices by contacting ndo@uiuc.edu. Information about registered stations will be available to authorized parties.

C.3.c: Wireless VLAN organization

• Base stations are connected to multi-VLAN-capable switch ports.
• Since we use a VPN solution, the campus will be set up as a single virtual private network for greater mobility on campus.

C.4: 802.11-based network guidelines for UIUCnet Wireless and other campus wireless installations

802.11-based networking is an inexpensive shared-medium technology that uses unlicensed 2.4 and 5.5 GHz frequency bandwidth to create small local area network cells. These cells can be further linked together over an underlying wired network to create an extended wireless network covering whole buildings or wider areas. The success of any wide deployment of 802.11-based networking requires that all equipment be carefully installed and configured to avoid physical and logical interference among components of different network segments. This can be particularly difficult when there are hidden devices that are visible to or interfere with only some of the devices in an area. To minimize this kind of interference, UIUC Wireless guidelines require that all installations of 802.11-based wireless networks must be coordinated through CITES.

C.4.a: Areas where CITES will control wireless placement

CITES will install UIUCnet Wireless access in general-use areas in campus buildings. A general-use area is defined as:

• Public access and general conference room areas
• Open seating areas where members of the campus community may sit and work, including:
  • Cafes
  • Lounges
  • Lecture halls
  • Meeting rooms
  • Classrooms

As part of the Campus Network Upgrade Project, CITES is also installing UIUCnet Wireless coverage in certain department-specific shared areas in buildings connected to the UIUCnet network, including:

• Conference rooms
• Office areas
• Many lab areas

The campus upgrade funding does NOT provide funds for covering private spaces such as individual staff offices, research-only labs, and the like. However, if the department wishes to have wireless coverage provided for those areas as well, arrangements should be made at the same time that the rest of the area and/or building is having its wireless placement designed.

For more information, see http://www.cites.uiuc.edu/projects/netupgrade/wireless_status.html.

C.4.b: Coordinating private wireless network equipment placement with CITES

It is essential that the installation of any private wireless equipment be coordinated. UIUCnet Wireless guidelines encourage the incorporation of any private equipment into the general-access infrastructure, so that it uses the same access authentication mechanisms and accounts, and so that clients may easily move from private networks to general-access networks without the need for configuration changes.

For more information about the options available for semiprivate and private departmental networks on campus, see http://www.cites.uiuc.edu/wireless/admin/options.html.

C.4.c: Equipment compatibility across campus

No wireless service and/or equipment that is incompatible with the described UIUCnet model should be deployed anywhere on campus. Any wireless networking equipment on campus must be coordinated through the Network Design Office in CITES. To minimize future conflicts between the general-access infrastructure as it expands, any equipment placed on campus (even in private areas) should be compatible with that used in the general-access network.

• Private equipment must be adjusted or removed when it interferes with the general-access infrastructure, even when the general-access equipment is installed later. (More details are given in section C.4.f below.)
• Be careful with Bluetooth placement; Bluetooth is known to interfere with 802.11-based wireless.

C.4.d: Types of equipment in use

Any networking equipment should be approved for campus use before purchasing or installation. Prior approval by the NDO before placing an order for wireless network equipment is suggested to avoid restocking and/or return shipping charges.

To be included in the general-access network, 802.11-based equipment must be WECA Wi-Fi [Wireless Fidelity] rating certified equipment. See http://www.wi-fi.org/ for more information.

Supported base stations: As of February 2006, the general-access wireless network is being built from Meru Networks' series of products. Support also continues for the legacy Cisco 1200 access points that were previously installed.

No longer supported base stations: At one time, Apple AirPort base stations were in use. These are no longer supported as part of the UIUCnet Wireless infrastructure.

Supported wireless cards: CITES strongly recommends that any wireless network cards installed in a computer should be both Wi-Fi certified and 802.11a/b/g compatible for the broadest range of connection compatibility.

Unsupported wireless cards: Any wireless card that does not include 802.11-based technology (for example, a Bluetooth-only wireless networking card) will not be able to connect to UIUCnet Wireless.

C.4.e: Placement of equipment

All wireless equipment must be placed in locations and set to frequencies that coordinate reasonably with campus network mechanisms. Appropriate arrangements include:

• Using channels 1, 6, and 11 (802.11b/g only).
  
• Placing base stations in protected closets or office spaces.
  
• Placing specialized antennae to provide required coverage of surrounding areas.
  
• Adjusting receiver levels to avoid interference in high-density areas. (These adjustments are the most difficult aspect of deploying wireless base stations and should be carefully coordinated through CITES. Interference between adjacent buildings or floors can create hidden station problems, and the human population of an area can also affect the signal reception.)

C.4.f: Conflicts are resolved in favor of general-access equipment

Private equipment placed by users must be adjusted or removed when it interferes with general-access equipment, even when the general-access equipment is installed later. Because of the ongoing Campus Network Upgrade Project, new centrally-funded wireless installations continue to be made across campus in general-use areas of many buildings. Conflicts may arise with privately placed networks that were established before the campus wireless network expansion began.

CITES will work with any affected units to eliminate interference if possible. However, if the interference cannot be avoided, the private network must be adjusted so that it does not interfere with the general-access network, or else it must be incorporated into the general-access network as part of the general infrastructure.

C.4.g: Coordination services will be provided by the CITES Network Design Office

Among the coordination services provided are:

• Site survey and frequency coordination
• Installation
• Configuration
• Data collection as described in section C.3.b

For more information, see the CITES Wireless Network Design Practices page.

C.5: Other wireless technologies

C.5.a: Consult with the Network Design Office before any installation

Before installing other wireless technology, members of the Urbana-Champaign campus community should consult with the NDO to help us understand how that technology may influence existing and future mechanisms.

C.5.b: Bluetooth interactions

An alternative device connection technology called Bluetooth is used in many kinds of electronic devices, including cordless phones, computers, and appliances, to allow them to interact and control each other. Bluetooth uses the same RF spectrum as 802.11b and can interact badly with it. Devices that use this technology should be placed carefully to avoid problems with 802.11-based networks in the area.

C.5.c: Other wireless technologies

Some of the other non-802.11 wireless technologies in use include:

• Zigbee
• Point-to-point links
• Infrared

None of these are used as part of the campus wireless networking infrastructure, although technologies such as infrared have found common uses in short-distance applications such as synchronizing PDAs and providing wireless keyboard or mouse control.

C.6: CITES Documentation responsibilities

CITES Documentation will maintain this and other documents to inform campus network administrators and departmental personnel about wireless policies and guidelines, including but not limited to:

• Notification to campus of requirements
• Collection of wireless station information
• Deployment procedures
• Support, installation, and coordination information for network administrators
• End-user installation, configuration, and usage documents

Other documents you may wish to read:

UIUCnet Wireless Access

Wireless,VPN, and QuickConnect FAQs and Troubleshooting

UIUCnet Wireless Documentation for Administrators

CITES Wireless Network Design Practices

Campus Network Upgrade documentation: UIUCnet Wireless

UIUCnet Wireless Service Level Definition