Canadian Security Magazine

UBC gets top marks for wireless security

By Vawn Himmelsbach   


The University of British Columbia knew convenience shouldn’t come at the expense of security. At the same time, it wanted to provide students and faculty with the ability to roam from one area of campus to another with their laptops — not such an easy task when the campus is made up of 150 buildings spread out over 600 acres.

In 2001, the university embarked on a program to improve its technology
infrastructure, which included upgrading the wiring on campus. But it
wasn’t reaching all areas of campus, particularly classrooms.

“We have a very technology-literate body here, particularly in faculty
and staff,” says Marilyn Hay, manager of UBC’s Network Management
Centre. “Some of the departments were trying to set up their own
wireless networks and [we could see] some of the issues they were
having. Wireless isn’t something that’s easy to contain in small

As a result, the university spun off a sub-project to install
wireless across the entire campus, which would be managed by the
central IT department. This included a Cisco Wi-Fi wireless local area
network (WLAN), a Nortel Connectivity virtual private network (VPN) and
Colubris authentication servers. By 2003, it had installed 1,200
wireless access points across campus.

A campus-wide login system propagates through the authentication
servers, explained Hay, which means users can’t access the Internet
unless they have an account with UBC. When students or faculty log in,
they have full access to the Internet, but their sessions are not
encrypted unless they use the VPN — which is not a requirement but
provided as an option.

The university has a student population of 40,000 to 50,000 and, as
such, there are security incidents on a regular basis.

“There’s always
somebody trying to do something,” says Hay. “It doesn’t matter what
network they’re on.”

UBC has an IT security team that deals with
hacking and other security incidents. If need be, a situation is
escalated to authorities such as the RCMP.

“Because you have to be authenticated to get on the system, we know who
is using the system at any one time and what IP address and what MAC
address [they’re using],” says Hay.

“We also use Cisco’s management
software for wireless called Wireless Control System and it provides
very good information as to what systems are connected to which access
points, so we have monitoring in place for being able to follow that as
we need to.”

UBC was an early adopter of large-scale access point deployments across
campus, but as wireless standards changed, the university had to be
able to support those changes.

“It was challenging because the wireless
network went through three technology changes over the course of four
years,” says Hay. The adoption of the 802.1x standard (which provides
port-based network access control) has been slow because it requires
users to go through several steps on their Windows machine to get it
set up properly. “We’re hoping that as the operating systems mature for
supporting wireless that will become easier,” she says.

Around 2004, as standards were better defined for wireless access, UBC
rolled out its second service set identifier (SSID) — the ID of a WLAN
— called UBC Secure. This means if users have an 802.1x-compliant
machine, they can connect with UBC Secure using that protocol, which
provides encryption.

Every day during the school year, more than 9,000 students and faculty
use wireless Internet access on campus, and at any one point in time
there are about 4,000 people logged in to the system.

“That stretches
the limits of the authentication system in place,” said Hay, “so we’re
looking at how we can address that a little bit better.” There’s also a
need for more awareness campaigning so students choose to use more
secure access methods, such as the VPN.

Some universities provide public access to the Internet, which means
it’s unprotected, but at the same time they must protect their internal
private network.

This means networks in university settings are
typically segmented, says Doug Cooper, country manager of Intel of
Canada, which uses Cisco extensions in its Centrino chips to
interoperate with a Cisco WLAN infrastructure. At UBC, for example,
anyone can access its library site because it’s a public institution,
but they can’t get into any of the underlying databases that are
registered for university use only.

Despite the challenges, wireless is becoming more ubiquitous in
university settings because it offers more flexibility in the classroom
— and students have come to expect it. Microsoft Windows XP Service
Pack 2 has added more support for wireless, such as prioritizing
profiles, which means the system naturally gravitates to certain
connections over others — and users can stop it from connecting to
rogue networks. “So it’s getting a lot easier,” says Cooper. “We’re
actually starting to use the encrypted protocols from the access point
directly with the notebook.”

If the notebook itself uses standards for
security, users can authenticate, connect and have a secure connection
without a VPN.

“That’s better because there’s no additional software
needed on the system,” he says. “It does the authentication with the
access point.”

This is actually more secure than a wired connection, he
says, because most wired connections are unencrypted. “The perception
is still there that wireless networks are not secure,” he says. “More
people, though, are aware of the fact that they can be made secure and
the access point vendors are getting smarter about making it easy to
configure them so they don’t require you to enter Web keys — and it
becomes more transparent.”
