The Campus Security Imperative

Ask Doug Jackson why he installed wireless LAN security gateways at the University
of Texas at Dallas last year and his answer is blunt and simple. "Students,"
says Jackson, who is the university’s director of technology customer services.

"We have large engineering and computer science programs," he goes
on to explain. "And [these students] are very adept at being… ‘creative.’
A lot of them know as much as or more about this stuff than my staff do. We
needed some way of dealing with that situation."

They especially needed a way to deal with it after the university decided to
extend wireless LAN services to two difficult-to-monitor off-campus housing
complexes. It was then that Jackson installed the WLAN security gateways from
Bluesocket of Burlington, MA.

The Bluesocket gateways sit between the housing complex wireless LAN segments
and the main on-campus WLAN. The campus WLAN has been in operation since 1999.
It uses over 100 access points to cover the three-by-two-city-block campus,
including interiors of 70 percent of the buildings.

The Bluesocket gateways can, among other things, do wireless link encryption
(supporting IPSec and PPTP encrypted tunnels), authentication using built-in
databases or links to existing RADIUS servers, role-based access control (specifying
what each user can and cannot access) and class of service-style bandwidth management.

Bluesocket, a specialist in WLAN security, says its products particularly appeal
to college and university WLAN managers because educational institutions generally
face more severe security and network management challenges than most WLAN users.

For example, the threat of students getting creative and breaking into systems
"just for fun" or to practice their skills is only half of it.
There is also the real risk of students hacking into administrative systems
and altering marks.

"If students can get to grades, they will modify them," Jackson
says with some certainty. He’s quick to add, "Of course, it’s a very small
percentage we’re talking about, but there are always students who will do it.
And many are now skilled in hacker technology."

Concern about security of administrative systems was paramount at Lasell College,
a 900-student, newly co-ed school in Newton, MA, a Boston suburb. Lasell installed
a network of Wi-Fi hotspots around its small campus last summer — in the library,
study halls, lounges, etc.

Director of IT Deborah Gelch says she would never have gone ahead with the
project if she hadn’t had confidence in being able to secure the WLAN. She too
installed a Bluesocket. It sits between the WLAN, with its 15 to 20 access points,
and the school’s main wired network.

"One of the critical things for us with the Bluesocket gateway is its
ability to let you just drop in an IP address that nobody [from the WLAN]
can connect to," Gelch says. "We did that with our administrative
server. [That feature] made me feel we could have some control over this."

Gelch also uses the feature to make it impossible for any WLAN user to access
the college president’s system. Neither the president nor his assistant uses
a laptop computer, she points out, so there should never be any need to access
it from the WLAN. "And there is obviously some very sensitive data on that
system."

It’s not just administrative systems and tampering with marks either. Many
professors keep the results of sensitive grant-based research on their network-connected
servers. "It needs to not be messed with," Jackson notes
drily. Even students hacking into systems just to find extra space to hide
their data — which they will do, he says — could jeopardize data, and the
projects themselves.

"A security breach could end up costing a university hundreds of thousands
or even millions of dollars [in lost research grants]," he says.

In tightly controlled user populations such as in most enterprises, using VPN
(virtual private network) technology is probably the best WLAN security available,
most experts say. Using VPNs, however, means network administrators need access
to all PCs to load and configure VPN software. For colleges, with often hundreds
or thousands of users, many using their own machines, this is not practical.

The facilities in the Bluesocket gateway, Jackson says, are an adequate alternative.
He makes it clear, however, that he doesn’t see it as the ultimate or even necessarily
a long-term solution for his campus.

"For now," he says, "Bluesocket is good enough, and so is VPN,
but everything out there has to get better."

Another key capability of the Bluesocket gateway for college network administrators
is that it lets them easily manage bandwidth. Quality of service in the sense
of ensuring low latency for telephony or video is not often an issue, but keeping
bandwidth hogs in check definitely is. In a college user population, it’s a
fair guess that the vast majority are also users of Net-based music and video
sharing applications.

Jackson agrees this is a huge problem for colleges, but he already had it covered
with a solution from Packeteer of Cupertino, CA. The Packeteer
device sits in the network operations center. It lets him assign a certain amount
of bandwidth to each class of user or to each subnet.

Gelch does use the Bluesocket bandwidth management features. They basically
let her deprioritize certain types of traffic, restricting the total amount
of bandwidth that can be used at any given time for music downloading, for example.
One can imagine students getting fairly frustrated trying to download the latest
Barenaked Ladies track when they only have access to a tiny slice of the network
pipe.

"What’s nice about this," Gelch adds, "is that we can create
different rules based on whether it’s the wired network or the wireless net.
On the wired network, for example, we can deprioritize Napster-type content
through the week and let it go on the weekend, while it’s deprioritized all
the time on the wireless LAN."

The bandwidth management features also let colleges balance traffic over access
points in areas where there is more than one to accommodate high user density
— lecture halls and libraries, for example. The tendency otherwise is for the
client device to connect to the nearest access point, which can overload one
while others have spare capacity.

There are other situations in the college environment that the Bluesocket products
address well, the company claims. For example, students frequently change programs
and then need access to different data. The Bluesocket gateways make it easy
to change user access privileges. It’s not a feature that either Lasell or University
of Texas is using, though. They give all students the same access privileges.

Colleges and universities clearly face a double-whammy when it comes to WLANs.
On the one hand, there is increasing competitive pressure on them to provide
campus-wide WLAN access — even at small colleges like Lasell. On the other,
they have an unruly population of network users and some fairly serious security
exposures.

Bluesocket is, of course, not the only vendor out there. Others have products
that are similar or claim similar advantages. They include the major access
point vendors as well as specialists such as Fort Lee, NJ-based ReefEdge.
