Free to roam: Tackling WLAN security

When employees of the city of Tallahassee asked for wireless access, finding a secure solution seemed almost impossible, says Curtis Franklin

A quiet revolution is taking place among employees of the city of Tallahassee, Florida. Computer users now have the freedom to roam from building to building, and even out into the street, without losing their secure connections to City Hall's systems.

The new way of working is the result of a project spearheaded by Terry Baker, the city's Technology Infrastructure Division administrator, and it is already delivering greater efficiency for the city's workers who serve a local population of nearly 250,000.

But as Baker recalls, it took quite a while to find a coherent way of running wireless networks securely. "I originally banned wireless systems attached to our networks," he says. "If we were going to do a wireless system, we wanted to do it within our complete enterprise environment."

Baker's situation was complicated because he is responsible for both general city government IT and law enforcement IT, each with its own special set of requirements. "We terminate a virtual private network (VPN) in the law enforcement building because that's what the FBI requires," he says.

Even with the complexities of adhering to the respective guidelines for city government and law enforcement infrastructures, computer users in the city were pushing for wireless access.

Trying out the options

With project funding finally available - always a consideration in government installations - Tallahassee's IT division began putting together a pilot infrastructure for wireless network access. The first and most significant issue in Baker's mind was wireless security - how to make sure that only authorized users could gain access to the city's network, applications and information.

The city's IT staff experimented with a number of different security options. "We did tests with no encryption, full encryption, all sorts of authentication; we really ran the gamut," Baker says. "Our wireless access point didn't have any authentication, so there were questions about the DHCP server, and then the RADIUS server, and whether they should be on the protected or unprotected side of the network."

Along with security came the overall issues of managing the services and resources available via the wireless network. In addition to the difficulties of user authentication and data encryption, the Tallahassee team had to deploy a firewall to enforce user access policies. Baker says that the different components of the security system made design and management of a truly secure system complicated and lowered the team's confidence in the ultimate security and workability of the final solution.

The IT division called on Bluesocket, deploying a Bluesocket WG-2000 Wireless Gateway. Baker says the tool dramatically cut the complexity and was a welcome departure from earlier tests.

"The Bluesocket Wireless Gateway was plug-and-play and gave us what we needed for wireless security," explains Baker. "It has its own DHCP server, its own VPN, a dedicated relay to the RADIUS server, and domain authentication all in one box. Now, users are authenticated on the Bluesocket gateway and the other authentication servers, and the Bluesocket WG-2000 also acts like a firewall in enforcing policies and restricting users to those services for which they've been authorized."

One of the capabilities most requested by potential wireless networking users is the ability to roam between offices or buildings while already securely logged into their email, calendar/scheduler or other applications. Most wireless systems are capable of allowing users to roam between access points, as long as the access points are part of the same subnet of the network.

Creating persistent connections

In the past, roaming between access points on different subnets, say, between the subnet for law enforcement and another for the public works department, was beyond the capabilities of most wireless systems. Baker says that the Bluesocket appliances allow single-login, secure roaming between any number of subnets.

"With other products, roaming is a bit clumsy because you have to re-authenticate if the connection drops," he explains. "Bluesocket allows for persistent connections. You can set a time limit within which the Bluesocket system will go out and check with the client to make sure it's still there and authenticated."
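The behaviour described in the last few paragraphs (one login that survives a move between subnets, a periodic check that drops clients that no longer answer, and a gateway policy that limits each user to the services they are authorized for) can be sketched as a session table keyed by identity rather than by address. The Python below is an added illustration written for this article; it is not Bluesocket's code, and the roles, services, subnets and timings are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: a role-based service policy and two subnets.
# These are not the City of Tallahassee's real policies or addresses.
ROLE_POLICY = {
    "inspector": {"mail", "calendar", "permits"},
    "officer": {"mail", "calendar", "dispatch"},
}

SUBNETS = {
    "public-works": ip_network("10.10.0.0/24"),
    "law-enforcement": ip_network("10.20.0.0/24"),
}


def subnet_of(addr: str) -> str:
    """Name the subnet an address belongs to, or 'unknown'."""
    ip = ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "unknown"


@dataclass
class Session:
    user: str
    role: str
    client_ip: str
    last_seen: float  # time of the last successful liveness check


class Gateway:
    """Session table keyed by authenticated user, so a client that changes
    subnet (and therefore address) keeps its session without re-login."""

    def __init__(self, check_interval: float, grace: float):
        self.check_interval = check_interval  # how often clients are polled
        self.grace = grace                    # how long a silent client is tolerated
        self.sessions: dict[str, Session] = {}

    def _alive(self, s: Session, now: float) -> bool:
        return now - s.last_seen <= self.check_interval + self.grace

    def login(self, user: str, role: str, client_ip: str, now: float) -> Session:
        if role not in ROLE_POLICY:
            raise ValueError(f"unknown role {role!r}")
        s = Session(user, role, client_ip, now)
        self.sessions[user] = s
        return s

    def roam(self, user: str, new_ip: str, now: float) -> bool:
        """Client reappears from a new address. Keep the session only if it
        is still alive; a stale session must log in again."""
        s = self.sessions.get(user)
        if s is None or not self._alive(s, now):
            self.sessions.pop(user, None)
            return False
        s.client_ip = new_ip
        s.last_seen = now
        return True

    def sweep(self, now: float, reachable: set[str]) -> list[str]:
        """Periodic liveness check. `reachable` holds the users whose client
        answered this round; sessions silent past the grace period are dropped.
        Returns the users that were logged out."""
        dropped = []
        for user, s in list(self.sessions.items()):
            if user in reachable:
                s.last_seen = now
            elif not self._alive(s, now):
                dropped.append(user)
                del self.sessions[user]
        return dropped

    def authorize(self, user: str, service: str, now: float) -> bool:
        """Firewall-style check: live session and role permits the service."""
        s = self.sessions.get(user)
        if s is None or not self._alive(s, now):
            return False
        return service in ROLE_POLICY[s.role]


def demo() -> dict:
    """Walk one inspector through login, a subnet change, and a timeout."""
    gw = Gateway(check_interval=60, grace=30)
    gw.login("jdoe", "inspector", "10.10.0.25", now=0)
    r = {}
    r["start_subnet"] = subnet_of(gw.sessions["jdoe"].client_ip)
    r["permits_ok"] = gw.authorize("jdoe", "permits", now=10)
    r["dispatch_denied"] = gw.authorize("jdoe", "dispatch", now=10)
    r["roamed"] = gw.roam("jdoe", "10.20.0.77", now=50)       # new subnet, same session
    r["roam_subnet"] = subnet_of(gw.sessions["jdoe"].client_ip)
    r["permits_after_roam"] = gw.authorize("jdoe", "permits", now=60)
    r["first_sweep"] = gw.sweep(now=110, reachable=set())     # still within grace
    r["second_sweep"] = gw.sweep(now=150, reachable=set())    # silent too long
    r["after_timeout"] = gw.authorize("jdoe", "mail", now=151)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keying the table by user rather than by address is that a new DHCP lease on another subnet does not look like a new client; the cost is that the gateway must actively confirm the client is still there, which is what the sweep models.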

The freedom to roam has been accompanied by solid performance from the Enterasys access points deployed by the City of Tallahassee, Baker adds. "Our mobile employees love it. All our test areas have shown good bandwidth and access speed." Users have access to the full range of government-provided computer services via the wireless network. "We house all servers in-house except for computer-aided dispatch," Baker says. "We have mail, file, major ERP, major law-enforcement, DNS and the internet front-end running here at City Hall."

Baker says that the growing success of the wireless network is leading to the development of expanded wireless access beyond the city offices - an enterprising undertaking for offices located in a geographically remote location like Tallahassee, where 3G service from major wireless providers is likely to be many months or years away. 802.11 WiFi networks seem to be the answer.

"We have a beta system called the Digital Canopy out there on the street," Baker says, explaining that it is for employees sitting in coffee shops and restaurants. "We're looking at it for our inspectors and permit people, to allow them to log in and conduct their work while they're out of the office and are on site, on the streets of Tallahassee."

Curtis Franklin is president of CF2 Group, a technology consulting and communications firm in Gainesville, Florida. The city of Tallahassee can be found at www.talgov.com.
