Author: Anthony Adragna
The College remains on schedule for introducing wireless Internet access throughout interior areas of campus by the end of the 2007-08 academic year while retaining a high level of network security.
Creating a new wireless system will actually boost network security by combating existing unsecured student-created networks, according to Network Security Administrator Mike Halsall.
"The expanded wireless network should have a great impact on network security - it'll increase it," said Halsall. "By having LIS [Library and Information Services] create and support the wireless infrastructure in the dorms, students will no longer have a need to create their own wireless networks on our existing network. Because students sometimes leave access points they bring to campus open and unsecured, they create entry points into the network for anyone who wants to hop on and look like they are part of the campus network. Identifying open, unsecured APs is a challenge for every institution, both corporate and educational. We'll be able to eliminate student-run, unsecure access points from the network."
Halsall said the College will continue to use secure networks and encryption to prevent outside members of the community from attacking the network.
"We currently support, on our secured wireless network 'midd_secure,' a few different authentication/encryption schemes," said Halsall. "These are highly secure encryption mechanisms and would take many times longer than the universe has been around for to break the encryption using today's personal computers. The new wireless network we're implementing will use the same mechanisms so, other than it being much more available around campus, it won't make things any easier or harder to break."
Students will still have access to the open wireless network but should continue to remain cautious when sending sensitive material on it.
"Our unsecured wireless network, 'midd_unplugged,' sits outside our campus firewall," Halsall said. "As such, to the Middlebury network, any traffic coming from midd_unplugged looks like it's coming from the Internet and stays segregated from the rest of our internal network traffic. Any users using midd_unplugged, however, don't get any encryption because it is an open, public network; because of this, users should always be cautious about sending sensitive/personal information over midd_unplugged as it is traveling through the air unencrypted."
The new system will improve upon the current one by serving more popular areas of the campus as well, according to Halsall.
"Currently, our wireless infrastructure consists of 53 access points [APs] in various spaces," Halsall said. "The initial installations were highly-trafficked public areas and, from there, we started installing them in requested spaces or areas that would seem to be best-suited for wireless."
The number of access points needed for coverage will vary by building, Halsall said.
"For a full-campus wireless project, the number of access points needed to cover each building will be determined by a site survey," he said. "Each building will be visited, a transmitter will be put somewhere where an AP might be best-suited and then someone with a signal strength meter will start walking around until they start falling out of range. Building construction also plays a huge factor in how much wireless coverage one AP yields - wood buildings are simple, and usually only need one AP while steel-framed structures need quite a few APs as the frame of the building blocks radio reception."
Big buildings on campus will require many more access points to provide adequate service.
"I suspect that Bi-Hall will need something like 20 APs to cover the whole thing and provide redundancy; the APs are smart enough to compensate for one that fails by boosting their power, but you have to be in the ballpark," said Halsall.
The College plans to keep many of the existing security features and will expand them to the rest of campus. The secure network is currently "midd_secure," which uses several different authentication schemes. PEAP and EAP-TLS, which are options for "midd_secure," use certificate-based encryption similar to that used when browsing the web and talking to a secure server. Both of these methods are considered highly secure throughout the industry. LEAP, another option on "midd_secure," is easy for Mac users to access and rotates the encryption key every 8 minutes to maintain security. This leaves the server relatively secure and hard to access for someone outside of the College community.
Moreover, Information and Library Services (LIS) sent an email two weeks ago emphasizing the importance of frequently changing one's personal password. Past efforts encouraging users to voluntarily change their passwords were unsuccessful. Therefore, in an attempt to secure network vulnerabilities, LIS will begin requiring users to do so through a password expiration procedure for all campus systems and services.
LIS to improve wireless security