
Wireless Networking Standards

Summary
Background and Rationale

Recommendations
Operational/Functional Impact
Technical Impact
Definition of Terms
Compliance Issues
Security Issues
Acknowledgments
External documents, UC Policies and or standard-setting organizations referenced
Suggested product(s)

Summary

These standards address the need for an organized approach in deploying wireless technologies on the UCSF enterprise network. They recommend simple best practice measures for deploying wireless infrastructure at UCSF in a reasonably organized and secure manner. Adherence to these standards will allow UCSF schools and departments to deploy wireless networks without compromising the integrity of the campus network. These standards also encourage choices that will result in optimal compatibility between campus wireless local area network (WLAN) installations and will facilitate compatibility with the Medical Center's WLAN. Compatibility will result in better user experiences and lower support requirements.

Background and Rationale

The goal of this document is to provide wireless LAN interoperability, with reasonable security using open standards. However, as of the writing of this document, open standards are not deployed in a mature way for wireless LAN devices. Many wireless LAN solutions remain vendor proprietary or do not have well-developed, highly-supported open standards. Therefore, the realization of this goal is still somewhat far off. Given this, in as far as possible, this document provides standardization for today's wireless LANs with a view toward the open standards that may be deployed in the future. This document will be reviewed by the IT Governance Committee in 12-18 months to ensure that it reflects the current state of the art in wireless technologies.

There is general agreement that the optimal wireless local area network for UCSF should be ubiquitous, reliable, and secure. Some users require interoperability with the Medical Center's wireless LAN. However, many implementations are being done informally, with little or no planning. This leads to a lack of interoperability with existing WLANs and reduced security. Therefore, wireless LANs connecting directly to the UCSF network are considered part of the UCSF wireless deployment.

There are four factors that need to be considered in any UCSF wireless deployment:

  1. Security and access control: Unless steps are taken to protect them, wireless LAN installations, by default, are open to anyone within range of the wireless access point (WAP). If a wireless access point is connected to the UCSF network without restriction, anyone with the proper equipment will be able to access the UCSF network, even from outside the building. Furthermore, anyone with the proper equipment can spy on traffic. They can see users' passwords as well as other potentially sensitive data. As UCSF moves more and more services online, the amount of damage that can be done through unauthorized WLAN access is increasing. At this time, the wireless LAN authorization, authentication, and accounting systems necessary to provide campus-wide security and access control for wireless networks do not yet exist.
  2. Interference: There are a finite number of radio channels available for wireless use. The most common wireless LAN technology (802.11b) defines 14 possible channels. However, their frequencies are close enough together that they can sometimes interfere with each other. If wireless LANs are installed without coordination with others in the area, interference is likely. This may result in significantly degraded performance.
  3. Interoperability: UCSF is a physically diverse environment. Students, researchers, faculty, and staff need the same wireless access capabilities, regardless of UCSF campus location or facility. Therefore, it is important that WLANs within the UCSF campus, including the Medical Center, interoperate with each other as much as possible. (Note that interoperability does not mean unrestricted access. For example, individuals or groups of individuals in other campus schools and departments who are not authorized for local access can be blocked from accessing specific wireless LANs.)
  4. Guest access: UCSF entertains a number of guests such as visiting professors, seminar speakers, visiting researchers, and vendors. These guests need access to the commodity/public Internet from both the wired and wireless networks. Therefore, appropriate steps need to be taken to provide convenient wireless LAN Internet access for guests.

Recommendations

This section summarizes a simple model that is appropriate for wireless networks. Additional capabilities can be added by users and by Information Technology Services (ITS) as the central Authentication and Authorization system permits. Access points that are configured to support the following recommendations are acceptable for use on the UCSF campus network.

  1. Required Security: Every wireless LAN implementation within UCSF must be done in accordance with a security plan. This plan must address at least the following issues:
    1. restricting access to the network so that only authorized people can use it
    2. preventing unauthorized users from being able to see confidential data appearing on the network, particularly UCSF passwords
    Wireless installations are often done informally by staff or users. If not done with proper planning, such installations can expose sensitive data on networks that most users believe are secure. Technology for wireless security is changing rapidly and is not currently stable enough for us to standardize on a single technology for security and access control. However, there are approaches currently being developed that may permit standardization in the future.
  2. All wireless access points (WAPs) must, at a minimum, support the IEEE 802.11b wireless standard. It is preferred that WAPs also support, or be upgradeable to, the IEEE 802.11g wireless standard.
  3. Wireless access points must support 128-bit wired equivalency protocol (WEP) and should have this feature enabled. Support of 802.11i and WPA (WiFi protected access) is preferred.
  4. Until the central Authentication and Authorization system is in place, campus or building networks, network infrastructure permitting, will direct wireless LAN traffic to the commodity/public Internet and not to the UCSF intranet. If the building network infrastructure does not permit directing WLAN traffic to the public Internet, then access to the WLAN must employ some form of authentication, based either on user ID and password or on the client device's MAC address. If WLAN traffic is directed to the public Internet, then wireless LAN users requiring UCSF intranet access should be directed to the UCSF VPN server and must run a supported VPN client (e.g., Nortel Contivity for campus and Cisco VPN for the Medical Center). ITS can assist in the configuration and provide information on upgrading the switches and routers connecting to wireless access points to provide this capability.
  5. Set SSID broadcast to off unless the WLAN is intended for general campus use (e.g. UCSF).
  6. Wireless access points must support SNMP.
  7. All wireless access points must be registered with ITS via a Remedy ticket or other applicable registration method. This is necessary so that, infrastructure permitting, WLAN traffic can be directed to the public Internet and so that access point clients can obtain an IP network address via DHCP.
  8. Wireless LAN implementations are the responsibility of the units that control the space in which they operate. Units are expected to know what is occurring in that space, and to take steps to make sure that all wireless implementations active in their space follow the standards defined here. Every wireless LAN installation within UCSF must be authorized by the leadership of the unit in which it is occurring. While they may choose to delegate details to technical staff, the department chair or other responsible person should know what activities are occurring and take responsibility for verifying that a security plan exists and that proper coordination is occurring with other units close enough that interference might occur.
  9. Conflicts over channel allocation are expected to be handled by the manager of the unit that controls the space, or a designee, with advice from technical staff. Where multiple units are involved, leaders of the units are expected to arrange an equitable allocation of channel space.
  10. All wireless access points must be securely mounted so they are inaccessible to unauthorized personnel.
  11. Residence halls: In the residence halls, students and other occupants may not install wireless LAN systems unless they have obtained permission from the appropriate authorities in Campus Life Services and Information Technology Services. Students and other occupants using permitted wireless access points must register them in the ITS registration database. Students and other residence hall occupants are expected to work with each other to deal with interference. While ITS staff will not manage channel allocation in the residence halls, they may intervene if a particular wireless installation is being operated in a manner that unreasonably interferes with other users, if an installation interferes with University-operated installations, or in support of student-led initiatives to coordinate allocation of channels.
  12. Due diligence: Anyone installing wireless LAN equipment is expected to check the registration database prior to installation, and not to install any new equipment that might reasonably be expected to interfere with existing equipment without first discussing their plans with contacts for the existing equipment.
  13. Although not a requirement, the use of qualified consultants to perform a radio frequency site survey prior to installation of any wireless access point(s) is highly recommended. ITS can assist units in locating qualified consultants to perform this task.
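The configuration requirements in items 3, 5, 6 and 7 above, together with the default-community warning under SNMP in the Definition of Terms, can be checked mechanically against an inventory of access points. The following is an added example, not part of the UCSF standard or any ITS tool; the AccessPoint record format, the sample inventory and the list of default community strings ("public", "private") are assumptions constructed for illustration.

```python
"""Audit access point configurations against the wireless recommendations
(items 3, 5, 6, 7) and the SNMP default-community note.  Record layout and
sample data are constructed for this example, not UCSF's registration DB."""
from dataclasses import dataclass

# Community strings vendors commonly ship as defaults (assumption: the
# standard only says "a default password"; these are the usual values).
DEFAULT_COMMUNITIES = {"public", "private", ""}
# Item 5: SSID broadcast is acceptable only for general campus use.
GENERAL_USE_SSIDS = {"UCSF"}


@dataclass
class AccessPoint:
    name: str
    ssid: str
    ssid_broadcast: bool
    wep_enabled: bool
    wep_key_bits: int            # 40 or 128, per the WEP definition
    snmp_supported: bool
    snmp_read_community: str
    snmp_write_community: str
    registered_with_its: bool    # item 7: Remedy ticket or equivalent


def audit(ap: AccessPoint) -> list[str]:
    """Return findings for one AP; an empty list means every check passed."""
    findings = []
    # Item 3: 128-bit WEP must be supported and should be enabled.
    if not ap.wep_enabled:
        findings.append("WEP not enabled (item 3)")
    elif ap.wep_key_bits < 128:
        findings.append(f"WEP key is {ap.wep_key_bits}-bit; 128-bit expected (item 3)")
    # Item 5: SSID broadcast off unless the WLAN is for general campus use.
    if ap.ssid_broadcast and ap.ssid not in GENERAL_USE_SSIDS:
        findings.append(f"SSID '{ap.ssid}' is broadcast on a restricted WLAN (item 5)")
    # Item 6 plus the SNMP definition: SNMP present, default communities changed.
    if not ap.snmp_supported:
        findings.append("SNMP not supported (item 6)")
    else:
        for role, community in (("read", ap.snmp_read_community),
                                ("write", ap.snmp_write_community)):
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP {role} community left at a default value (SNMP)")
    # Item 7: every AP must be registered with ITS.
    if not ap.registered_with_its:
        findings.append("not registered with ITS (item 7)")
    return findings


def audit_all(aps: list[AccessPoint]) -> dict[str, list[str]]:
    return {ap.name: audit(ap) for ap in aps}


# Constructed sample inventory: one compliant AP and one informal install.
SAMPLE_APS = [
    AccessPoint("lab-ap-1", "UCSF", True, True, 128, True, "r3ad-0nly-x", "wr1te-x", True),
    AccessPoint("office-ap-9", "Genetics-WLAN", True, True, 40, True, "public", "private", False),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```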

Operational/Functional Impact

Wireless access points are radio transmitters and receivers. As such, they do not respect walls, buildings, or even campus boundaries. They can be subject to interference from other access points just as one radio station can cause interference to another. Therefore, the use of wireless LAN is by default a community matter. Users will have to work collaboratively with others to install wireless technology, and registration of access points to minimize interference and maximize security is essential.

Security of wireless LAN devices remains somewhat proprietary. While there are security standards that are applicable to wireless LANs, such as 802.1X and 802.11i, vendor implementations of these standards vary and do not always interoperate. Additionally, the Medical Center has elected to deploy LEAP for their wireless LAN network. LEAP is considered by some to be vendor proprietary and by Cisco as a variant of the 802.1X specification. Given the wide variation in how security standards are implemented, support for multiple vendors' wireless LAN products is problematic at this time.

Technical Impact

To support implementation of these guidelines, ITS will:

  1. Notify units of nearby wireless LANs when a new wireless LAN is registered.
  2. Create web-based configuration instructions for a limited preselected list of vendor access points.
  3. Assist units with configuration of a limited preselected list of vendor access points.
  4. Assist departments in developing wireless plans if desired.

Definition of Terms

Access point: The term access point includes special-purpose hardware as well as general-purpose computers that are configured to act as base stations or transceivers for wireless LANs. For pure peer-to-peer applications (where it may not be clear which system is the base station), one unit should be registered, so that the channel, SSID, and other information are in the database.

Channel conflict: In order to allow all administrative units (e.g. a department) to have access to wireless LAN technology, it may be necessary for some administrative units to adjust the behavior of their wireless network to make more efficient use of radio channels. For example, if one unit has a large number of access points in individual offices, these might exhaust the available radio channels. It would be reasonable to ask such an administrative unit to replace these individual access points with a more-coordinated approach. It may often be advantageous for all the administrative units within a building to implement a single building-wide wireless system.

In addition, users should be aware that electronic devices other than wireless LAN hardware may use the same radio frequencies. For example, certain wireless phones use the same 2.4 GHz frequencies as the common 802.11b wireless systems. For this reason, some universities have prohibited the use of 2.4 GHz wireless phones. While UCSF does not have such a blanket prohibition, the importance of wireless LANs is sufficient that units would be expected to discontinue use of wireless phones or similar equipment if it interferes with the use of wireless LANs. This potentially includes Bluetooth-enabled devices, to the extent that they interfere with wireless LANs, except possibly wireless LANs with just one or two users.

DHCP: Dynamic Host Control Protocol, a protocol that enables client computers to be assigned an IP address automatically.

IEEE: Institute of Electrical and Electronics Engineers, the organization responsible for setting industry-wide data communications standards, including wireless LAN standards.

Interoperability: The ability to move from location to location and still retain access to the wireless LAN network. However, access restrictions may be site specific. (For example, the Medical Center might limit the scope of access for non-Medical Center staff.) Users should not be required to change wireless cards or switch wireless software clients as they move from one UCSF wireless LAN to another. Individual log-in at multiple sites is acceptable under this definition of interoperability.

Intranet: A network belonging to an organization and accessible only by the organization's members, employees, or others with authorization.

LEAP: LEAP (Lightweight Extensible Authentication Protocol) is a security protocol devised by Cisco Systems. While based on the 802.1x standard authentication framework, LEAP is a vendor proprietary scheme that mitigates several of the weaknesses of static WEP (see WEP below) by utilizing dynamic WEP key management. It also incorporates MAC address authentication (see MAC Address below).

MAC Address: Short for media access control address, a hardware address that uniquely identifies each node of a network. Some wireless access points allow you to restrict access to specific laptops. In order to use this feature, you must collect the MAC address of every laptop using your system. (Note that this does not protect against someone faking a MAC address. The MAC address is a portion of the data packet that is not encrypted.)

RF Site Survey: A procedure that identifies the optimal locations for access points in order to maximize coverage and minimize interference. Typically this is done with specialized equipment operated by trained personnel.

Secure Mounting: Mounting access points in a physically secure manner introduces physical security in addition to network security. Access points are far less likely to be stolen or removed without authorization. In addition, unauthorized configuration changes to the access points are less likely to occur. Secure mounting is easy to implement, and provides a baseline of security and interoperability.

SNMP: Simple Network Management Protocol. Many devices, including wireless access points, permit management using a standard protocol known as SNMP. SNMP management allows qualified personnel to manage the access points in a more advanced manner than can sometimes be done using the vendor's GUI. However, SNMP is also a security issue: devices are often shipped with a default password. When changing passwords, make sure to change the SNMP read and write passwords (often called the community strings). ITS can assist departments in making this change.

SSID: The SSID (Service Set Identifier) is a token in wireless data communication packets that identifies an 802.11 (wireless) network. It identifies the name of a wireless network. All of the wireless devices on a WLAN must employ the same SSID in order to communicate with each other. Wireless access points can be configured to broadcast their SSID or not to broadcast their SSID. It is advantageous to broadcast the SSID in areas where the wireless network is intended for general use, but not to broadcast the SSID in areas where the wireless network is intended for restricted use.

VPN: An approach to providing authentication and secure data communications. VPN (Virtual Private Network) technology creates an encrypted layer of networking on top of another network, including a wireless network. VPN technology provides an effective and secure means of accessing computers on the UCSF network. A user's computer must run VPN client software in order to use VPN technology. VPN client software is available for nearly all computers and operating systems, including laptops.

WAP: Wireless access point. Also sometimes referred to as the wireless base station.

WEP: Wireless encryption protocol. WEP is an approved standard for encrypting data in a wireless network and is intended to protect privacy. An encryption key or password must be specified by the user, and the same key must be used by all parties wishing to communicate. WEP keys can be either 40 or 128 bits in length; 128-bit keys provide stronger encryption. WEP does not provide an authentication mechanism; that is, it does not control who can use your network. (The same can be said of any end-to-end encryption protocol, since anyone who knows the encryption key can decrypt encrypted data.)

802.1x: 802.1X is an IEEE standard for providing authentication, controlling user traffic, and dynamically varying encryption keys for both wired and wireless Ethernet networks. 802.1X is particularly well suited for wireless LAN applications because it requires very little processing power on the part of the Authenticator. In wireless LAN applications, the Authenticator is the wireless access point.

Compliance Issues

Existing access points are to be migrated to allow access only to the commodity/public Internet. VPN use for UCSF intranet access is permitted. Some existing access points may be grandfathered, but are still subject to item A or D of the recommendations. However, it is recognized that some of the wired infrastructure in the UCSF network is older and not capable of supporting item A. In such cases, until the associated infrastructure is upgraded, a modicum of security for the access points including WEP security and non-broadcast of the SSID must be put in place. ITS-ENS can assist in determining the status of the wired infrastructure connecting to the access point in terms of compliant support of this standard.

A migration strategy will be developed for instances where the supporting wired infrastructure is not capable of supporting item A or D.

Security Issues

Implementation and enforcement of these wireless networking standards will increase the overall security of campus networks and systems.

Acknowledgments

These standards were developed through the efforts of Network Committee members and their advisors.

External documents, UC Policies and or standard-setting organizations referenced

Suggested product(s)
