The Campus Security Imperative
May 20, 2002
Colleges and universities face an ever-increasing demand for WLAN access, but once a network is installed the school must deal with unruly users. Here's what some are using to solve the security and bandwidth problems students create.
Ask Doug Jackson why he installed wireless LAN security gateways at the University of Texas at Dallas last year and his answer is blunt and simple. "Students," says Jackson, who is the university's director of technology customer services.
"We have large engineering and computer science programs," he goes on to explain. "And [these students] are very adept at being... 'creative.' A lot of them know as much as or more about this stuff than my staff do. We needed some way of dealing with that situation."
They especially needed a way to deal with it after the university decided to extend wireless LAN services to two difficult-to-monitor off-campus housing complexes. It was then that Jackson installed the WLAN security gateways from Bluesocket of Burlington, MA.
The Bluesocket gateways sit between the housing complex wireless LAN segments and the main on-campus WLAN. The campus WLAN has been in operation since 1999. It uses over 100 access points to cover the three-by-two-city-block campus, including interiors of 70 percent of the buildings.
The Bluesocket gateways can, among other things, do wireless link encryption (supporting IPSec and PPTP encrypted tunnels), authentication using built-in databases or links to existing RADIUS servers, role-based access control (specifying what each user can and cannot access) and class of service-style bandwidth management.
Bluesocket, a specialist in WLAN security, says its products particularly appeal to college and university WLAN managers because educational institutions generally face more severe security and network management challenges than most WLAN users.
For example, the threat of students getting creative and breaking into systems "just for fun" or to practice their skills is only half of it. There is also the real risk of students hacking into administrative systems and altering marks.
"If students can get to grades, they will modify them," Jackson says with some certainty. He's quick to add, "Of course, it's a very small percentage we're talking about, but there are always students who will do it. And many are now skilled in hacker technology."
Concern about security of administrative systems was paramount at Lasell College, a 900-student, newly co-ed school in Newton, MA, a Boston suburb. Lasell installed a network of Wi-Fi hotspots around its small campus last summer -- in the library, study halls, lounges, etc.
Director of IT Deborah Gelch says she would never have gone ahead with the project if she hadn't had confidence in being able to secure the WLAN. She too installed a Bluesocket. It sits between the WLAN, with its 15 to 20 access points, and the school's main wired network.
"One of the critical things for us with the Bluesocket gateway is its ability to let you just drop in an IP address that nobody [from the WLAN] can connect to," Gelch says. "We did that with our administrative server. [That feature] made me feel we could have some control over this."
Gelch also uses the feature to make it impossible for any WLAN user to access the college president's system. Neither the president nor his assistant uses a laptop computer, she points out, so there should never be any need to access it from the WLAN. "And there is obviously some very sensitive data on that system."
It's not just administrative systems and tampering with marks either. Many professors keep the results of sensitive grant-based research on their network-connected servers. "It needs to not be messed with," Jackson notes drily. Even students hacking into systems just to find extra space to hide their data -- which they will do, he says -- could jeopardize data, and the projects themselves.
"A security breach could end up costing a university hundreds of thousands or even millions of dollars [in lost research grants]," he says.
In tightly controlled user populations such as in most enterprises, using VPN (virtual private network) technology is probably the best WLAN security available, most experts say. Using VPNs, however, means network administrators need access to all PCs to load and configure VPN software. For colleges, with often hundreds or thousands of users, many using their own machines, this is not practical.
The facilities in the Bluesocket gateway, Jackson says, are an adequate alternative. He makes it clear, however, that he doesn't see it as the ultimate or even necessarily a long-term solution for his campus.
"For now," he says, "Bluesocket is good enough, and so is VPN, but everything out there has to get better."
Another key capability of the Bluesocket gateway for college network administrators is that it lets them easily manage bandwidth. Quality of service in the sense of ensuring low latency for telephony or video is not often an issue, but keeping bandwidth hogs in check definitely is. In a college user population, it's a fair guess that the vast majority are also users of Net-based music and video sharing applications.
Jackson agrees this is a huge problem for colleges, but he already had it covered with a solution from Packeteer of Cupertino, CA. The Packeteer device sits in the network operations center. It lets him assign a certain amount of bandwidth to each class of user or to each subnet.
Gelch does use the Bluesocket bandwidth management features. They basically let her deprioritize certain types of traffic, restricting the total amount of bandwidth that can be used at any given time for music downloading, for example. One can imagine students getting fairly frustrated trying to download the latest Barenaked Ladies track when they only have access to a tiny slice of the network pipe.
"What's nice about this," Gelch adds, "is that we can create different rules based on whether it's the wired network or the wireless net. On the wired network, for example, we can deprioritize Napster-type content through the week and let it go on the weekend, while it's deprioritized all the time on the wireless LAN."
The bandwidth management features also let colleges balance traffic over access points in areas where there is more than one to accommodate high user density -- lecture halls and libraries, for example. The tendency otherwise is for the client device to connect to the nearest access point, which can overload one while others have spare capacity.
There are other situations in the college environment that the Bluesocket products address well, the company claims. For example, students frequently change programs and then need access to different data. The Bluesocket gateways make it easy to change user access privileges. It's not a feature that either Lasell or University of Texas is using, though. They give all students the same access privileges.
Colleges and universities clearly face a double whammy when it comes to WLANs. On the one hand, there is increasing competitive pressure on them to provide campus-wide WLAN access -- even at small colleges like Lasell. On the other, they have an unruly population of network users and some fairly serious security exposures.
Bluesocket is, of course, not the only vendor out there. Others have products that are similar or claim similar advantages. They include the major access point vendors as well as specialists such as Fort Lee, NJ-based ReefEdge.