Unplugged, but Locked Down
While planning its wireless implementation, tech leaders at Dickinson College in Carlisle, Pa., hadn't given much thought to security issues until a guest speaker at a college-sponsored conference complimented the college's chief information officer, Robert Renaud, on the excellent wireless service.
Baffled, Renaud asked her how she'd managed to get online, considering that Dickinson's system wasn't operational yet. As it turned out, she'd tapped into something else: the wireless service of the local public library, located near the college president's house.
In recalling the incident, Renaud laughs, but the implications of having an insecure system, like the library had, didn't strike him as amusing. "The incident reminded me of the need to include security in our wireless network planning," he says.
As colleges and universities go from wired to unplugged, staff have found that security risks go along with the transition. IT administrators now have to fret about non-university individuals hopping onto the network for nefarious reasons, and can envision confidential records and student information being grabbed out of midair.
Companies, too, are facing wireless security issues, but academic institutions have different kinds of challenges when it comes to locking down, says Greg Murphy, chief operating officer of AirWave Wireless, a firm that secures Wi-Fi systems at institutions of higher ed. Whereas companies can standardize which laptops and desktops are used, as well as set policies and dictate which security patches can be downloaded, university IT departments have to deal with multiple devices and computer brands, rogue access points, and open-ended technology policies. Also challenging are the 24/7 usage and limited IT resources, Murphy notes.
"A campus is like a little city," he says. "The problem is that wireless adds complexity, so trying to tackle all these issues on such a large scale can feel overwhelming. That leads colleges to take different approaches to simplify, using the mix of resources and technology they have on hand."
University Business went behind the scenes at several IHEs that make significant use of wireless to find out what they're doing to help keep their networks secure, and how they're policing their "little cities" in the wireless age.
Thanks to the speedy pace of technology, a student or faculty member can now get a laptop or PDA that can access a wireless network. Even some cell phones can tap into network resources. But what seems like a wonderful spectrum of choices at the electronics shop can feel like a headache in the campus IT department.
Some colleges have chosen to address the problem with a hands-on approach. At the University of Denver, which has wireless throughout its entire campus, IT staff members got increasingly annoyed at the lack of security they saw on students' own machines, especially on those owned by freshmen. Rather than send out e-mail messages about configuration strategies, the university simply requires freshmen to bring in their wireless-enabled devices to IT before they first access the network.
"We see every single freshman computer and handheld device," says Marcelo Lew, wireless network specialist for Technology Services. "It's the only way we can make sure everybody has up-to-date patches, a firewall that's turned on, and other security measures."
The tactic takes time, Lew admits, but it has proven to prevent problems for the rest of the year. Also, most students retain the settings throughout their journey from freshman to senior, meaning that one time-consuming check actually saves IT time in the long run.
The pace of technology, rather than specific devices, is what's being examined at the University of Tennessee, which implemented wireless four years ago, earlier than many other schools. IT leaders there are trying to create a strategy that can incorporate older laptops into the mix. But it's not easy.
"We don't want students with laptops that are a few years old feeling like they have to buy a new computer just to get wireless," says Chief Information Officer Brice Bible. "We've also been looking at how to simplify capability for students, so they don't feel like they have to be a systems administrator just to configure a new machine."
The university is currently in the late stages of a major upgrade to its wireless system, Nomad, in which it's placing stronger, voluntary encryption measures that will eventually be mandatory. The tighter security will be achieved by having each student and faculty member download a small piece of software, or client, to their computers; the client will cause every surfing session to be encrypted.
In the meantime, UT's tech staff sometimes has to tweak individual devices. For example, university senior Joseph Hubbard had trouble when he first brought a new PocketPC handheld onto campus. It picked up the campus wireless signal, but couldn't access it. After five minutes at the tech support center, the problem was fixed. Overall, this is the kind of simplicity that UT wants, where students don't have to think about which device they're using to surf or access databases; they can just log on and get going. That makes establishment of wireless security even more vital, since students often take it for granted.
"At this point, I don't even think about it," says Hubbard. "I use the PocketPC for everything, and I've never felt insecure about it. I just assume that the tech guys have security handled."
At many colleges, the line between a campus's physical boundaries and its actual reach is a blurry one. Even if certain apartment buildings or coffee shops are outside of the school's actual limits, often they're close enough to not only be gathering places for students, but also candidates for wireless access. As Dickinson College discovered, competing wireless access points can be a concern, even as IT works to make sure that students can connect from far-flung dorms.
Some schools try to take a relaxed approach when it comes to access points, but not always because they want to. At the University of Arizona, for instance, researchers tend to buy their own wireless equipment out of grant money, and IT simply has to work around these homemade hotspots. The university has much of the campus unwired, but since its grounds cover 350 acres and it's split in two by a major highway, creating a seamless wireless network is still proving to be a challenge.
"Researchers have their own computing needs, so they go off and do their own thing," says Ted Frohling, the university's assistant director of network technology solutions. "For many of them, security seems like a hindrance to getting things done."
That's a tough situation for Frohling, who's trying to balance user needs with university policies. Currently, he uses a Virtual Private Network (VPN) client to route users to appropriate access points that don't conflict with others on or around the campus, but he admits this is a temporary solution. Also, as the wireless network grows, the IT department will likely have to limit the number of access points near the researchers, to prevent interoperability issues.
"We're expecting that it will become progressively much easier to control these multiple access points and secure them," says Frohling. "But it's going to take some workarounds and creative thinking to get there."
If devices and computers are properly configured for wireless security, and there's no interference from rogue access points, the next link in the security chain is authentication. Simply put, institutions need a way to find out if students and faculty members are who they say they are.
In doing authentication, colleges have adopted a range of strategies. Some prefer multilevel access with locks on every tier, while others separate only very sensitive information like medical records or admissions information.
Some colleges give users more decision-making power by warning them about safe surfing practices, and then taking a step back. At the University of Dayton (Ohio), which has its entire campus on a wireless network, once a student or staff member logs in, the user is free to access most of the network, except for certain protected areas. "We've taken a minimalist approach, and left security up to the individual user as much as we can," says Michael Skelton, associate director of network services at UD. "In the future, we plan to do more with assigning levels and roles, but for right now, this is minimizing confusion."
Even if a college has taken a more advanced strategy, it may get a nasty surprise, however. In computer science classes at the Pennsylvania College of Technology in Williamsport, students who are learning the nuances of computer security have sent messages to the college's chief technology officer, Jim Cunningham, showing him how they've used the wireless network to capture and decipher the user IDs and passwords of other students.
"Obviously, if some students were willing to tell us about their exploits, there are probably some who are doing the same thing and not telling us," he acknowledges. "We need to continue advising everyone not to use the open wireless to transmit their information."
For sensitive information, the college does have a more encrypted area, and it uses the open wireless for students and guests who simply want to access the internet. The dual-tier strategy is what allows Cunningham to be amused by his hacker students, since it ensures that confidential data is behind stronger, locked virtual doors.
One of the benefits of advanced or multilevel authentication tactics is network monitoring, says Tom Zeller, telecommunications technical advisor at Indiana University, which has the majority of its campus on a wireless network. "We were worried about eavesdropping, and people picking up passwords over wireless links," he says. "Part of addressing that problem is being able to track who's using the network, and when."
When IU put its wireless system in place a few years ago, it tackled the issue by routing all of its wireless traffic through a VPN server. But because the number of users got too high, it's now looking for a better way to do monitoring. "Every wireless environment, including ours, definitely has room for improvement," he notes.
At corporations, IT is king when it comes to setting policies about wireless. The department can create and enforce mandates about downloading security patches, using company-owned laptops to tap into other networks, and accessing data at multiple levels.
But many colleges don't have the ability to craft similar policies for their institutions. Even if they did, some think it's likely that they wouldn't want to anyway.
"Many colleges set up minimal policies in terms of wireless network access," says AirWave Wireless's Murphy. "Instead, they focus on setting up different levels of privileges and trying to circumvent policy-making that way."
Most likely, institutions feel that students and faculty will flinch with too many rules, Murphy adds. Unlike in the corporate arena, where there are policies for nearly every form of activity and interaction, colleges are usually seen as more collaborative, freedom-loving spaces. "IT types at universities just don't want to be seen as limiting what people do. Also, schools with a huge number of visitors may see policies as tough to enforce," he says.
But some colleges are stringent about policies and eager to put controls in place. At the University of Pennsylvania, a representative group of administrators and IT staff members crafted an initial policy in 2004, and then made it available on the web to members of the university community. The policy was approved after comments were incorporated in subsequent versions.
The technical implementation of the policy involves the use of authenticating gateways, notes Deke Kassabian, senior technology director at UPenn. This gives the university the ability to prevent users from getting on the wireless network until they've been authenticated. Also, it prevents rogue access points by specifically outlining what kind of network jacks can be used.
With this policy in place, the university is looking forward to using it for stronger security measures. "We plan to combine this with the ability to disallow access to wireless devices that are, or are at serious risk to be, compromised," says Kassabian. "Having already identified the user, we can notify them and advise them on how to get their wireless laptop or handheld patched and ready to access the network."
Even as security takes a more prominent role in university wireless implementations, many believe that there's still a long way to go until authentication, access, and policies reach the level at which they need to be.
"Are universities doing a good job with wireless security?" asks Vinnie Gupta, market development manager at Sun Microsystems. "Unfortunately, the answer is no. Overall, I'd say they're struggling. But the good news is that they recognize that this is a problem area."
A major issue is that hackers are continually trying to crack into college and university databanks wirelessly, notes Gupta. Since IT has to deal with many tasks, and the hackers are single-minded, the situation ends up being a case of a very small cat attempting to stop a city-size rat.
Still, many university IT managers feel up to the task. They recognize the panoply of issues with wireless security, but they feel that their universities are moving closer to having systems that are secure and reliable.
"We see some exciting developments in wireless technology coming along," says University of Pennsylvania's Kassabian. "In particular, standards for still higher bandwidth and for scalable data encryption seem to be coming along nicely. We're watching these spaces closely."
As technologies evolve, IHEs are hopeful about providing plenty of bandwidth to students, faculty members, and guests, without having to warn them about security issues, making their "little cities" safe and sound.
Elizabeth Millard is a freelance writer based in Saint Louis Park, Minn., who specializes in covering technology.