
Wireless Networks on the UIUCnet campus - 12/30/1999


 

A Letter to the Computer Consultant Support Program (CCSP) mailing list


I've fielded a number of questions from different groups on wireless lately, and with Apple's new low-price solutions, I'm sure there are more questions about wireless now than ever before. I'm working on a comprehensive document about wireless on the UIUC campus (remember that AppleTalk paper I did a few years ago? -- something similar). I hope to have a draft out before the end of January, but I thought I'd let everyone know what CCSO's been doing with wireless for the past few years, and where things are in brief to answer the questions on many departments' minds.

A little background on wireless -- it's a shared medium, like a repeater: only one person can talk at a time, and whatever speed it's rated at is the total speed for all the traffic, not just one user. Wireless is an RF (Radio Frequency) technology, and just like pagers and cell phones don't always work in the basement, if there are too many walls between the base station that connects the wireless to the Ethernet and the user, it doesn't work or works slowly.

Before I go over what testing we've been doing, don't forget that adding new network equipment to your building without the approval of the NDO (Network Design Office) can cause you to lose your free LAN Maint and NAS support. You do want us to replace that repeater or switch that is in your wiring closet when it fails, don't you? The wireless cards are like Ethernet cards, and can be added at will like any other end station. The base stations are 2-port bridges, and are no different than any other switch, bridge or repeater you might want to add to your network -- it needs to be approved by your network administrator, and they need approval from their designer first. Similarly the new G4 and iMac computers can take an AirPort card, and will soon be able to be used as base stations with the new software. When you do that, you're installing bridge software on the computer, and turning it into a bridge -- be sure you understand the implications, and have it approved by the network administrator and designer for your building.

What we've been doing with wireless:
We've been testing a number of products and researching the field for a few years now. In the spring of 1997 we brought in the first 10 Mbps wireless we'd heard of from RadioLAN, which was proprietary, and only worked with Windows systems. We really got ~10 Mbps with it, but we also could easily sniff other users' passwords. It took about 30 minutes for me to install the card in the Win95 notebook, download EtherPeek for Windows, get their software enable password back in email, and catch the telnet password set by the machine sitting beside me over the wireless. At the time wireless was expensive, but looked like it might be cheaper than wiring classrooms with data jacks. We were almost finished moving the rest of CCSO's public sites to switched networks and were requiring classrooms be wired with switched solutions for security from other people grabbing passwords, so we decided RadioLAN wouldn't work well. No one was offering any kind of security, much less multi-platform support on the 10M or faster systems. There were multi-platform, 2 Mbps systems, but we didn't think they would scale for a full classroom, so we didn't spend a lot of time looking at them.

Last spring we spoke with the folks from RayLink, and got one of their demo kits. While they promised multi-platform support, their Macintosh driver wouldn't work with anything newer than a PowerBook 1400. Their PC support was okay, but we didn't have enough PCs to test sniffing issues (but they said we'd be able to sniff data, so we believed them). They said they were working on security, and would keep me informed. I exchanged email with them for a few months then never heard from them again. Last time I checked, their web site still didn't have the new Mac drivers they were going to have out "any day now" months ago. We haven't ruled them out, but they were also proprietary, and we'd prefer a standards-based system. We will be checking back with them, but since they're not on a standards track, we're not sure if we would be happy with them.

Most recently, we've been talking with Lucent and Apple about their solutions, especially the new 802.11 11 Mbps standard, and their multi-platform support. Neither of them has per-user security, although they do have some group security. With the Apple AirPort system, you have the option of turning on Encryption, and setting a password (don't turn it on and not set a password, getting back into it is difficult!). If no one else knows the password, this should work fine. I've only got one iBook and one AirPort base station, so I haven't tested this thoroughly, but I expect that without the password you won't be able to sniff the data.

The problem with this for anything but single-user systems is that there's only one base password for the entire base station, so every user has to know the password. If two users are using the same password, it's very easy to sniff data -- just as easy as with no passwords. I've tested this with the Apple Engineer's iBook connecting to the network, and our iBook sniffing the data. This means that for classrooms and common areas, there is no security for users' passwords.

With the Lucent base station (which supports more users and hand-off between locations, which the Apple AirPort doesn't) there are 4 possible passwords, but you have to tell the base station which one to use, so effectively there is only one at a time. I just got our security cards for the Lucent system and haven't done extensive tests yet with encryption on.

Our campus has worked very hard (and your departments have spent a lot of money) to provide security to the students so they know that other students in a lab or classroom can't sniff their password. Currently with wireless it is impossible to provide this security. Because of this major security hole, we are not deploying wireless in any setting where a student would be required to log in to a system that used a password. Especially worrisome is the chance to sniff a netid password that is not encrypted. From a security standpoint, wireless should be thought of as a giant repeater in the foyer of your building that anyone can connect to without asking first, and then steal any data that flows across that network, from passwords to payroll information.

We also don't want people to set these up in the res halls due to security implications. In apartments people need to be careful and set a password, or you might find your neighbor eating up all your 56k modem bandwidth.

If you use Kerberos or ssh connections to get to all your services like email and telnet, then you don't have to worry about your password. However, most systems on campus don't support either of these for POP email (Netscape, Eudora, Outlook, etc. all can use POP to get email off a server) and send your password in clear text. There is also no free SSH client for the Macintosh in the USA -- if you are using Nifty Telnet SSH, it's illegal because of patent and copyright issues; it even says on the web site not to use it in the USA.

Also of interest, the Lucent system and the Apple system are supposed to be compatible. So far, if passwords are off, they are very compatible -- cards from either system can connect to either base station. With passwords on, the iBook cannot connect to the Lucent base station, even though I issue the password, while my PowerBook 3500 with a Lucent card can connect with encryption just fine. Also, the PowerBook 3500 with the Lucent card cannot connect to the AirPort base station with security turned on, even though the iBook can connect to the AirPort base station with security turned on. I've exchanged email with Lucent support staff, and this is a known problem. Just because they're both 802.11 standards doesn't mean they work out of the box with each other, even if Apple is talking up that the AirPort system works with the Lucent base station. I'm already talking with both groups about how to meet our security concerns with the password sniffing.

I hope this answers a lot of questions about wireless that people are having, and helps everyone understand how important the security issues are that need to be addressed before wireless can be deployed in a widespread manner.


27 January 2000, Debbie Fligor
Ported to the CITES website by CITES Documentation

 

Last modified December 30, 2003