Solving Wi-Fi Security at a University
Drexel University's "no user left behind" policy made wireless security even more of a challenge than usual. Learn how the school solved the problems posed by a network composed of 28,000 users and 40,000 devices.
Universities throughout the country continue to roll out technology to expand their campus wireless networks. The goal seems to be to make sure that no matter where you are, whether it's in administrative offices, lecture halls or dormitories, access must be available. But such wide-ranging access opens the doors wide to potential security breaches. So how are universities making sure they are adequately protected?
Drexel University in Philadelphia, PA, for example, realized a long time ago that the Wired Equivalent Privacy (WEP) protocol was not robust enough for wireless security. WEP was exposed in a blaze of publicity several years back as having major holes. As a result, the Drexel IT department used to tell wireless users to either use its Virtual Private Network (VPN) to augment WEP or to only pass private data if their applications provided another layer of security, such as web browsing with Secure Sockets Layer (SSL).
These days, however, the college has beefed up security as part of a rapid expansion of its wireless network. From 400 wireless access points (APs) earlier this year, it now has 1,000 APs in operation. By the middle of next year, it will have boosted that total up to around 1,600 APs. To make sure the added connectivity doesn't result in greater exposure, Drexel is implementing the Wi-Fi Protected Access (WPA) protocol.
WPA implements the majority of the 802.11i wireless standard, but it was released ahead of the final version of that standard. This was done because WEP had to be replaced rapidly and 802.11i had not yet been fully approved. Once that standard was finally ratified, WPA2 was released as the final version of the security protocol.
With both WPA and WPA2 available, users effectively have a choice. Should they select gear that uses one or the other? WPA implements the bulk of 802.11i and also works well with pre-WPA wireless NICs and many older APs. WPA2, on the other hand, plays less well with older gear, but it provides all the advanced functionality available in 802.11i.
Some prefer to leap straight from WEP to WPA2. But that wasn't the route taken at Drexel. The college felt that WPA2 gear did not yet support the range of equipment utilized by its diverse base of students and faculty members.
"Some cell phones, PDAs and gaming consoles don't yet support WPA2, and we don't want to have to tell students or faculty members they can't use such devices," said Kenneth Blackney, associate vice president of core technology at Drexel University. "Our policy is no user left behind, if we can help it."
Drexel is adding new Aruba 120-family APs by Aruba Networks Inc. of Sunnyvale, CA. These APs make it possible for the college to operate on both 2.4 GHz and 5 GHz spectra. While the usable range of the higher frequency is reduced, it solves other problems for the college. The reasoning is simple. According to Blackney, 2.4 GHz experiences interference from such sources as Bluetooth devices and microwave ovens. Further, most APs available in retail outlets make use of this frequency.
"5 GHz currently has less consumer-grade competition, so in effect we are moving to a quieter neighborhood," said Blackney.
The downside is that the higher frequency means less power at the same distance. However, Blackney predicts that the PCs will be able to hear the 5 GHz APs in any case because of the reduced background noise. Further, the performance boost provided by the new 802.11n APs should compensate.
In fact, in lecture halls, Drexel should experience better performance. 5 GHz offers 12 channels compared to three channels for the 2.4 GHz frequency. Thus students in lecture halls will have better performance as fewer people need to share each AP on the higher frequency.
But with 40,000 devices to deal with per quarter and approximately 28,000 users on an urban campus with two main sites, how do you keep track of who should and shouldn't be on the network? Drexel uses three Aruba Mobility Controllers along with the Aruba Policy Enforcement Firewall. This allows wireless rights to be assigned to each User ID. By setting policy at the controller level, the college is able to handle different levels of authorization with relative ease.
Blackney says his three controllers provide him with plenty of room for expansion. He can add up to 3 blades to each existing controller.
"Three controllers are more than enough to take care of 4,000 APs even with redundancy," said Blackney.