These are the tangible benefits of mobility. And while many experts say that such benefits must come with noticeable increases in security risks, our experiences at Mount Allison University have indicated otherwise.
Despite the well-known shortcomings of the security features in 802.11-based wireless LANs, our campus has not fallen prey to any greater security risk than it faces from other forms of networking.
Of course, security remains a top concern for our Sackville, New Brunswick, Canada-based university, where wireless access is provided throughout a campus that includes 40 buildings, 2,250 students and over 400 faculty and staff. Security can never be taken for granted, as every IT manager knows, and that is especially true when you extend mobility privileges. After all, the very objectives of wireless networking, increased ease of use and simplicity, are the same factors that can make networks more vulnerable. The good news, however, is that WLAN security can be managed: the current standards, security tools and techniques are sufficient to minimize wireless LAN risks.
Many security fears in the wireless world stem from the original 802.11 standard and its security feature set, Wired Equivalent Privacy (WEP). Today everyone agrees that WEP is inadequate: its shared-key authentication is weak, and its encryption combines a static key with a short 24-bit initialization vector, so keystreams repeat and freely available tools recover the key from captured traffic. But once again, there is good news.
WEP has been replaced by Wi-Fi Protected Access (WPA), which adds longer keys, per-packet key mixing and a key rotation mechanism that defeats the WEP-cracking tools, automated key distribution, an improved message integrity check, and IEEE 802.1X port-based authentication (with EAP carrying the actual credentials to a RADIUS server). WPA has been further strengthened in WPA2, which replaces TKIP/RC4 with AES-CCMP, the strongest encryption available for wireless; WPA2 is the Wi-Fi Alliance certification of the full IEEE 802.11i standard. Combined with 802.1X, WPA also stands up well against man-in-the-middle attacks, with one caveat every administrator should check: clients must be configured to validate the authentication server's certificate, because a client that accepts any certificate can be tricked into authenticating to a rogue access point.
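The following is an added example, not code from the article, from Mount Allison or from Siemens: a simplified Python model of WEP's per-frame keying (RC4 keyed with the 24-bit IV prepended to the static shared key) that shows why a repeated IV lets an eavesdropper who can guess one frame's plaintext read another frame without ever learning the key, and how soon a randomly chosen IV repeats. The 13-byte key, the IV value and the HTTP-like payloads are constructed for illustration. The model omits the CRC-32 ICV and the real 802.11 frame format, and it does not implement the FMS/PTW key-recovery attacks that the WEP-cracking tools actually use; the IV-reuse weakness shown here is the one that per-packet key mixing in WPA was designed to close.

```python
"""Added example: why WEP's static key and 24-bit IV leak data.

Simplified WEP model: per-frame RC4 key = IV || shared key, IV sent in
clear. Omits the CRC-32 ICV and the 802.11 frame format, and does not
implement the FMS/PTW key-recovery attacks used by real WEP-cracking tools.
Keys, IVs and payloads below are constructed for illustration.
"""
import math
import os
import random

IV_LEN = 3  # WEP's 24-bit initialization vector


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); used only because WEP used it."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV followed by RC4(IV || key) XOR data."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, plaintext_a: bytes) -> bytes:
    """Eavesdropper's step: two frames share an IV, so they share a keystream.
    Knowing frame A's plaintext yields the keystream, which decrypts frame B
    (up to the shorter frame's length) without the shared key."""
    iv_a, ct_a = frame_a[:IV_LEN], frame_a[IV_LEN:]
    iv_b, ct_b = frame_b[:IV_LEN], frame_b[IV_LEN:]
    if iv_a != iv_b:
        raise ValueError("IVs differ; keystream reuse requires a repeated IV")
    keystream = bytes(c ^ p for c, p in zip(ct_a, plaintext_a))
    return bytes(c ^ k for c, k in zip(ct_b, keystream))


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**iv_bits) random IVs before a repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def simulate_frames_until_iv_collision(seed: int = 1, iv_bits: int = 24) -> int:
    """Count random IV draws until one repeats (deterministic for a given seed)."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)


def demo() -> bytes:
    """Two frames are encrypted under the same IV (a second station, or the
    same station after its IV counter wraps); the attacker sees only the air
    traffic and can guess the contents of one frame."""
    shared_key = os.urandom(13)            # 104-bit WEP key, never seen by attacker
    iv = b"\x01\x02\x03"                   # constructed: the repeated IV
    predictable = b"GET /index.html HTTP/1.0\r\n"   # attacker can guess this
    secret = b"user=bob&password=hunter2!"          # same length; attacker wants this
    frame_a = wep_encrypt(shared_key, iv, predictable)
    frame_b = wep_encrypt(shared_key, iv, secret)
    return recover_from_iv_reuse(frame_a, frame_b, predictable)


if __name__ == "__main__":
    print("recovered:", demo())
    print("expected frames until IV repeat: %.0f" % expected_frames_until_iv_collision())
    print("simulated frames until IV repeat:", simulate_frames_until_iv_collision())
```

With a 24-bit IV the birthday estimate is roughly 5,100 frames before two random IVs coincide, which on a busy access point is a matter of minutes. WPA's TKIP widens the IV to 48 bits and mixes it into a distinct per-packet RC4 key, so the shared keystream the recovery step relies on no longer appears within a key's lifetime; WPA2's CCMP removes RC4 altogether.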
At Mount Allison University, our wireless network's security is also bolstered by integration with the Microsoft Windows Server 2003 Internet Authentication Service (IAS), Microsoft's RADIUS server, which performs the 802.1X/EAP authentication. The university also put in safeguards for rogue access point detection. Many wireless LAN switches operate at Layer 2, essentially functioning as an overlay network rather than an integrated one. We wanted our wireless controller to act as a Layer 3 router so that it could integrate with the switches and routers already deployed throughout the campus. That Layer 3 requirement was one of the reasons we chose the Siemens HiPath Wireless solution: the controller communicates at the IP layer and functions just like another router on our wired network.
With our current architecture, most campus users reach the network over a WPA-encrypted connection with 802.1X authentication. The Captive Portal feature, also part of the Siemens solution, redirects an unauthenticated user to a web page where the user must log in before being authorized onto the wireless network. The Captive Portal also accommodates legacy devices that do not support 802.1X and WPA, which lets Mount Allison stretch its investment in older equipment. The trade-off is that traffic from those devices does not get WPA's over-the-air encryption, so access granted through the portal deserves tighter network restrictions than the 802.1X path.
With a comprehensive approach to security – including strong mobile user and policy management – we are certain that the greater mobility, productivity and convenient access to information resources gained from wireless connectivity far outweigh the risks.