UGA
Wireless LAN Standards
(Revised
Overview
Wireless LAN communication has become a desirable means of connecting mobile users, primarily with laptop devices, to the Internet. The number of planned and implemented wireless LANs has increased to the point that institutional standards and practices need to be articulated for this network service.
A number of committees of the Institute of Electrical and Electronics Engineers (IEEE) have ratified a family of wireless LAN standards called the 802.11 standards. An IEEE 802.11 network consists of two primary components: a wireless LAN adapter (typically a removable PCMCIA or CardBus card in a laptop) and an access point (AP). The following diagram shows these components and how they fit into a wired network.

Each wireless card "associates" (or connects) with a nearby access point if the radio signal from the AP is strong enough and if certain parameters on the card and AP are appropriately configured.
The 802.11b standard (which operates in the unlicensed 2.4 GHz RF band) provides shared wireless connectivity at nominal rates of 1 to 11 megabits per second (Mbps), depending on the distance from the card to the access point. Because of the overhead required to support wireless communications, the actual data throughput is roughly 0.66 to 7 Mbps. Since all wireless cards associated with a given access point share the available bandwidth, the bandwidth per device decreases as the number of wireless devices increases. For example, if 30 wireless devices (a typical maximum) shared the same 802.11b access point, the maximum bandwidth available per device would be approximately 230 kilobits per second. This is sufficient for reasonable performance when reading e-mail or browsing the Web for text and simple graphics, but would be unacceptable for multimedia Internet applications such as streaming video. Two other standards, IEEE 802.11g (which also operates in the unlicensed 2.4 GHz band and is backward compatible with 802.11b, although an AP serving a mix of b and g clients cannot sustain full g rates) and IEEE 802.11a (which operates in the unlicensed 5 GHz band), support nominal rates up to 54 Mbps. Commercial 802.11a products from major communications vendors are available now, and 802.11g products will be available from these vendors by the end of 2003.
In order to provide reliable and secure wireless LAN services for the UGA campus, a number of standards and implementation practices need to be followed. This document articulates standards for the deployment of wireless LANs at UGA in terms of radio frequency management, access point standards and implementation policies.
Radio Frequency Management
Wireless LAN communications are based on the use of radio signals to exchange information through an association between a wireless LAN card and a nearby access point. Each access point in an 802.11b/g network is configured to use one radio frequency (RF) channel. Although the 802.11b/g specifications indicate that there are fourteen channels that can be utilized for wireless communications, in the
If two access points that use the same RF channel are too close, the overlap in their signals will cause interference, confusing any wireless card in the overlapping area. To avoid this scenario, it is imperative that wireless deployments be carefully designed and coordinated. All departments that are planning to deploy wireless must work with EITS Network Operations and Infrastructure (NOI) before procuring and implementing wireless LANs to ensure that their deployment does not conflict with existing wireless implementations.
Access Point Standards
In order to provide seamless interoperability across campus, all access points must adhere to the IEEE 802.11b/g wireless specifications. 802.11a wireless networks are not compatible or interoperable with 802.11b/g networks, and are therefore not recommended at the present time for general campus use (i.e., use by all students, faculty and staff). APs must at a minimum support SNMPv1 network management (RFC 1157), including the MIB-II (RFC 1213) and dot1d bridge MIB (RFC 1493) specifications. The dot1d bridge MIB is needed to periodically collect the list of wireless cards that have associated with an access point; that list is used to tie a given card's network address to a specific AP at a given time. EITS NOI recommends the Cisco 1220, the Enterasys Roamabout R2, or another access point certified by EITS NOI.
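The per-AP association list described above can be built from an SNMP walk of the dot1d bridge MIB forwarding table (dot1dTpFdbTable, OID 1.3.6.1.2.1.17.4.3.1). The following is an added example, not part of the UGA standards or of any vendor's tooling. It parses constructed snmpwalk-style output for two hypothetically named APs (boyd-301, boyd-302), assumes bridge port 2 is the radio (which must be confirmed against the real AP's dot1dBasePortTable), keeps only entries with status learned, and flags cards reported by more than one AP in the same collection cycle, which is either a client caught mid-roam or a duplicated MAC worth a look.

```python
"""Map wireless client MACs to access points from dot1d bridge MIB walks.
Added example (not UGA or vendor code). Input is text as produced by
`snmpwalk -v1 -c <read-community> <ap> 1.3.6.1.2.1.17.4.3.1`; the sample
walks, AP names and port numbering below are constructed."""
import re
from collections import defaultdict

# dot1dTpFdbTable columns: .1 dot1dTpFdbAddress, .2 dot1dTpFdbPort,
# .3 dot1dTpFdbStatus. The row index is the MAC as six decimal octets.
FDB_PORT, FDB_STATUS = "2", "3"
STATUS_NAMES = {"1": "other", "2": "invalid", "3": "learned", "4": "self", "5": "mgmt"}
# Assumption for the sample APs: bridge port 1 is the wired uplink, port 2 the radio.
RADIO_PORT = 2

_ROW = re.compile(
    r"17\.4\.3\.1\.(?P<col>[123])\.(?P<idx>(?:\d{1,3}\.){5}\d{1,3})"
    r"\s*=\s*(?P<type>[A-Za-z-]+):\s*(?P<val>.*?)\s*$"
)


def index_to_mac(idx: str) -> str:
    """Turn the decimal row index '0.12.41.1.2.3' into '00:0c:29:01:02:03'."""
    octets = [int(o) for o in idx.split(".")]
    if len(octets) != 6 or any(o > 255 for o in octets):
        raise ValueError(f"bad FDB index {idx!r}")
    return ":".join(f"{o:02x}" for o in octets)


def parse_fdb_walk(text: str) -> dict:
    """Parse one AP's walk into {mac: {'port': int, 'status': str}}."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = _ROW.search(line)
        if not m:
            continue  # blank line or an OID outside the FDB table
        mac, col, val = index_to_mac(m.group("idx")), m.group("col"), m.group("val")
        if col == FDB_PORT:
            rows[mac]["port"] = int(val)
        elif col == FDB_STATUS:
            rows[mac]["status"] = STATUS_NAMES.get(val, "unknown")
        # column 1 repeats the MAC as a Hex-STRING; the index already gives it
    return dict(rows)


def wireless_clients(walk: dict, radio_port: int = RADIO_PORT) -> set:
    """MACs learned on the radio port: the cards associated with this AP.
    The AP's own addresses (status self) and wired-side hosts are excluded."""
    return {mac for mac, row in walk.items()
            if row.get("status") == "learned" and row.get("port") == radio_port}


def build_inventory(walks_by_ap: dict) -> dict:
    """Combine per-AP walks from one collection cycle into {mac: [ap, ...]}."""
    inventory = defaultdict(list)
    for ap, text in walks_by_ap.items():
        for mac in sorted(wireless_clients(parse_fdb_walk(text))):
            inventory[mac].append(ap)
    return dict(inventory)


def locate(inventory: dict, mac: str) -> list:
    """Which AP(s) reported this card in the cycle (empty if none did)."""
    return inventory.get(mac.lower(), [])


def seen_on_multiple_aps(inventory: dict) -> dict:
    """Cards reported by more than one AP: roaming mid-handoff, or a duplicated MAC."""
    return {mac: aps for mac, aps in inventory.items() if len(aps) > 1}


# Constructed sample walks. boyd-301 lists its own radio MAC (status self),
# two cards on the radio port and a wired host on port 1; one card also
# appears on boyd-302.
SAMPLE_WALKS = {
    "boyd-301": """
SNMPv2-SMI::mib-2.17.4.3.1.1.0.64.150.1.2.3 = Hex-STRING: 00 40 96 01 02 03
SNMPv2-SMI::mib-2.17.4.3.1.2.0.64.150.1.2.3 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.64.150.1.2.3 = INTEGER: 4
SNMPv2-SMI::mib-2.17.4.3.1.1.0.12.41.1.2.3 = Hex-STRING: 00 0C 29 01 02 03
SNMPv2-SMI::mib-2.17.4.3.1.2.0.12.41.1.2.3 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.12.41.1.2.3 = INTEGER: 3
SNMPv2-SMI::mib-2.17.4.3.1.1.0.2.45.170.187.204 = Hex-STRING: 00 02 2D AA BB CC
SNMPv2-SMI::mib-2.17.4.3.1.2.0.2.45.170.187.204 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.2.45.170.187.204 = INTEGER: 3
SNMPv2-SMI::mib-2.17.4.3.1.1.8.0.32.1.2.3 = Hex-STRING: 08 00 20 01 02 03
SNMPv2-SMI::mib-2.17.4.3.1.2.8.0.32.1.2.3 = INTEGER: 1
SNMPv2-SMI::mib-2.17.4.3.1.3.8.0.32.1.2.3 = INTEGER: 3
""",
    "boyd-302": """
SNMPv2-SMI::mib-2.17.4.3.1.1.0.2.45.170.187.204 = Hex-STRING: 00 02 2D AA BB CC
SNMPv2-SMI::mib-2.17.4.3.1.2.0.2.45.170.187.204 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.2.45.170.187.204 = INTEGER: 3
SNMPv2-SMI::mib-2.17.4.3.1.1.0.48.101.9.8.7 = Hex-STRING: 00 30 65 09 08 07
SNMPv2-SMI::mib-2.17.4.3.1.2.0.48.101.9.8.7 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.48.101.9.8.7 = INTEGER: 3
""",
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_WALKS)
    for mac, aps in sorted(inv.items()):
        print(f"{mac}  ->  {', '.join(aps)}")
    print("reported by more than one AP:", seen_on_multiple_aps(inv))
```

Run on a schedule against every registered AP and keep the timestamped inventories; a complaint naming a wireless IP can then be walked back through the DHCP lease to a MAC and from the MAC to the AP and room that were registered with NOI. Since SNMPv1 sends the community name in the clear, the read community used for these walks should be unique and SNMP access limited to the monitoring hosts.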
Wireless access points are often installed in locations that make them easy to steal. Since 802.11b/g APs allow the use of remote antennas (802.11a antennas must be attached to the AP), we recommend locating 802.11b/g APs in locked wiring closets and connecting them to antennas mounted in ceilings or on walls. If you are deploying an 802.11a AP, or it is otherwise not possible to locate the AP in a locked wiring closet, the AP should be hidden from sight (e.g., above ceiling tiles), placed in a lockable enclosure, or bolted down such that removing it would damage it.
One of the problems with wireless data transmission is that, by default, the data can be intercepted by any wireless receiver, and with the right software (commercial or public domain) it can be stored and analyzed. An individual with such a receiver and analysis software could be sitting anywhere within range of the transmission or driving past a building from which wireless signals are emanating. This constitutes a considerable data security threat.
To address this threat, the 802.11 standards provide for encrypting data between a wireless card and an access point with a protocol called Wired Equivalent Privacy (WEP). WEP uses 40-bit or 104-bit keys (marketed as 64- and 128-bit, the difference being the 24-bit initialization vector sent in the clear with each frame), and the same key must be distributed to and installed on every workstation that has a wireless card. Because distributing encryption keys is difficult (and the keys are relatively easy to recover anyway), all APs designated for general campus use, i.e., for use by all students, faculty and staff, should not have WEP enabled, so that roaming users with misconfigured cards are not prevented from communicating over the wireless network. Departments that wish to use WEP for specialized purposes may do so. However, because WEP is cryptographically weak (see http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html) and because WEP protects only the radio link (traffic is in the clear once it reaches the wired network), departments are strongly encouraged to rely on virtual private network security such as IPsec or Secure Sockets Layer (SSL) encryption, rather than on WEP, for all Internet applications. (Note: An IEEE task group [802.11i] is working on better security standards, and AP manufacturers will be expected to provide firmware upgrades to support these standards once they have been ratified.)
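Two of the weaknesses the Berkeley WEP FAQ cited above documents can be shown concretely: when the 24-bit IV repeats, two frames share an RC4 keystream and XORing the ciphertexts cancels it; and because CRC-32 is linear, an attacker can flip chosen bits in an encrypted frame and fix up the integrity check value without the key. The following is an added example, not code from the UGA document or the FAQ; the key, IV and frame contents are constructed, and RC4 is implemented inline so nothing external is needed.

```python
"""WEP weaknesses in code (added example; constructed key, IV and frames):
keystream reuse under a repeated IV, and ICV forgery via CRC-32 linearity."""
import math
import zlib
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus n bytes of PRGA output, as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in clear) || RC4(IV||key) XOR (plaintext || ICV).
    wep_key is 5 bytes (40-bit) or 13 bytes (104-bit, sold as '128-bit')."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext if the ICV verifies, else None (frame rejected)."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4_keystream(iv + wep_key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes,
                                 known_plaintext_a: bytes) -> bytes:
    """Keystream reuse, no key needed. With the same IV on both frames,
    C_a XOR C_b == P_a XOR P_b, so knowing P_a (a predictable ARP or DHCP
    frame, say) reveals as many bytes of P_b as the attacker knows of P_a."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    n = len(known_plaintext_a)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_plaintext_a)


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """ICV forgery. CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0^n)
    for equal lengths n, so XORing `delta` into the encrypted payload and the
    matching correction into the encrypted ICV gives a frame the receiver
    accepts, decrypting to p ^ delta, without knowledge of the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")[:n]
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + fix)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound sqrt(pi/2 * 2^bits): roughly 5,100 frames for random
    24-bit IVs; cards that count IVs up from zero at power-on repeat sooner."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed demo values (not real keys or traffic).
SAMPLE_KEY = bytes.fromhex("0102030405")            # a 40-bit WEP key
SAMPLE_IV = bytes.fromhex("3c4d5e")
KNOWN_FRAME = b"ARP request, who-has 10.0.0.1?"     # contents an eavesdropper can predict
SECRET_FRAME = b"grade=A for the term"

if __name__ == "__main__":
    fa = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, KNOWN_FRAME)
    fb = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, SECRET_FRAME)  # same IV: the flaw
    print("recovered:", recover_with_known_plaintext(fa, fb, KNOWN_FRAME))
    forged = flip_bits_without_key(fb, b"\x00" * 6 + bytes([ord("A") ^ ord("F")]))
    print("forged frame decrypts to:", wep_decrypt(SAMPLE_KEY, forged))
    print("frames until an IV repeats:", round(expected_frames_until_iv_collision()))
```

Neither attack touches the key, which is why a longer key does not help: the 104-bit variant has exactly the same IV space and the same linear ICV. An IPsec or SSL tunnel gives per-session keys and a real message authentication code, which is what the recommendation above relies on.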
It is best to require users to present authentication credentials before they are allowed to use a wireless network. Some AP manufacturers provide authentication via RADIUS (RFC 2865), which can be backed by an LDAP-enabled directory. An alternative is to link the wireless network to the wired one through a gateway that requires user-level authentication before traffic can pass from the wireless to the wired network. EITS has evaluated a number of commercial and public domain authentication gateways and has standardized on a product called Bluesocket. The Bluesocket gateways provide secure, user-level UGA MyID authentication for the campus PAWS (Personal Access Wireless/Walkup System) wireless network initiative, and can also provide seamless roaming among the access points connected to them. There is an emerging standard for authentication called IEEE 802.1X. Until 802.1X support is available in both access points and mainstream desktop and mobile operating systems, authentication through Bluesocket gateways is required for all access points that are part of the PAWS network.
Implementation Policies
As indicated earlier, wireless networks must be carefully designed so that interference between access points does not occur. All departments that wish to deploy wireless networks must work with EITS NOI and obtain certification for their wireless design prior to purchase and implementation. In return, EITS NOI agrees to contact departments within two business days of receiving a request to schedule a consultation to review the department's wireless plan. Individuals or groups within a department are required to coordinate any wireless implementation either with network support staff in their department, if they exist, or directly with EITS NOI otherwise. In addition, all access points must have their IP addresses and SNMP read community names (for monitoring purposes), RF channel numbers, and building and room locations registered with EITS NOI prior to activation on the network. Because SNMPv1 sends community names in the clear, the read community should be unique to the deployment rather than a default such as "public", and the AP's SNMP access should be restricted to the EITS NOI monitoring hosts.
To ensure that all wireless network cards obtain valid IP addresses, access points must not be configured to hand out addresses via DHCP but must be configured as "bridge" devices. To facilitate IP address assignment via DHCP, valid IP ranges can be assigned to Bluesocket gateways or, in the absence of such a gateway, the wireless network card's address can be registered in UGA's central DHCP database. Although some APs can be set up to perform network address translation (NAT) and hand out private (RFC 1918) addresses, no many-to-one NAT (many private addresses behind one public address) will be allowed through access points, because accountability for the individual wireless devices behind it would be lost.
All access points must be configured with an SSID, and those configured for general campus use (i.e., use by all students, faculty and staff) must use the common SSID value of "UGA" with no WEP encryption key set. APs for private departmental use can have a different SSID from the campus one and can also use WEP keys (preferably the 128-bit variant, i.e. a 104-bit key plus the 24-bit IV) for added security.
Access to the wired campus network from wireless APs must be controlled via secure authentication in which the credentials (preferably UGA MyID) can be associated with a unique individual, such as the Bluesocket gateway described above (strongly recommended), in order to ensure accountability. Departments will be held accountable for activity associated with any credentials that are not UGA MyID userids and passwords. Departments are also expected to review the password awareness information found at http://www.infosec.uga.edu. Alternatively, MAC (network card) address authentication can be employed, either by populating APs with the allowed addresses or by pointing APs to a Bluesocket gateway or RADIUS server containing them. (Note: Although MAC address authentication provides some measure of accountability, it is not foolproof, because wireless network card addresses are transmitted in the clear, are easily discovered by anyone listening, and can be trivially spoofed.)
Departments are strongly encouraged to read the National Institute of Standards and Technology document titled "SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices" as a guideline for best practices in wireless security. This and other security standards documents can be found on the EITS Information Security Standards Web page http://www.infosec.uga.edu/standards.html.