UITS Policy for
Departmental 802.11b Wireless Network Equipment
June 15, 2000
UITS has a strategic plan for creation of wireless networking infrastructure
statewide over the next two years in areas suitable for such networking.
In the meantime, UITS encourages departments to experiment with this
emerging technology, but has several concerns about such deployment.
We have created this document in order to make departments aware of
these concerns and related policies.
The major concerns include security, reliability, and suitability.
The security and integrity of the IU network will be maintained, requiring
an adequate means of ensuring that only authorized users are able to
use the network. Reliability is a concern due to possible radio interference
from other wireless (or cordless) devices. Suitability refers to deployment
of wireless technology in appropriate locations for a select set of
purposes; i.e., wireless technology is not suitable for all locations
and applications and is certainly not a strategic replacement for a
wired infrastructure.
Current UITS planning calls for testing and evaluation of the technology
during summer, 2000. By October 2000, seven test locations will be in
use statewide, and fourteen additional test sites will follow by January
2001. Up to 47 production sites will be added during 2001 and again
during 2002, for a total of 121 sites.
Security
By January 2001, UITS plans to offer centralized authorization security
for wireless connections. In the meantime, departments should take the
steps available to them to secure wireless equipment. Specifically,
UITS (with concurrence by the IT Policy and Security Offices) requires
that by September 1, 2000, installations meet the following standards:
1. Small installations (up to 15 users) must 1) require their wireless
card users to know the name of the local wireless network (SSID) and
2) disallow cards set to use ANY network. Departments should give their
wireless network a non-obvious name and consider that name a "shared
secret", that is, not post the network name publicly. Furthermore,
small installations should turn on the Wired Equivalent Privacy (WEP)
encryption feature and inform users how to configure their wireless
driver to use the encryption key the department provides. Again, the key
should be considered a "shared secret" and not posted publicly.
2. Small and medium-sized installations (up to 50 users) must require
registration of the Ethernet address, i.e., the media access (MAC) address,
and use the MAC address filtering capabilities of the wireless access
point to only allow registered addresses to use the access point. Medium-sized
installations should consider the options listed in point 1 above;
however, sharing secrets among more than a handful of users is not highly
effective.
3. Departments with a large-scale installation of more than 50 users
should arrange a meeting with the University IT Policy Office and UITS
Network Engineers by August 10, 2000, to discuss short-term measures
that can be taken to secure their installation. The ITPO can be reached
at 812-855-9255.
Reliability
1. Advance Notification: When a department plans to install a wireless
access point, notification must be made to the UITS Network Operation
Center (NOC) of the planned installation, including the data jack ID
and frequencies (or channels) to be used by the access point. This will
alert UITS to the presence of the device for troubleshooting purposes,
and also allow UITS to place wireless traffic on special subnets so
that additional security measures can be taken to ensure that only authorized
university faculty, staff, and students are using the IU network. The
NOC can be contacted at 855-3699 (IUB) and 274-7788 (IUPUI) or by e-mail
at noc@indiana.edu. There has already been a case of a department
experiencing a serious network outage for over a day while the presence
of a wireless access point was determined to be the source of the problem.
2. Site Visit: Upon request, UITS will make a site visit to assist
local support provider staff in determining the optimal location of
the equipment. There is no charge for this service. Request a visit
by contacting your campus NOC.
3. Equipment: Despite the existence of an 802.11b standard, campus-wide
support will be enhanced by the use of a fairly uniform set of equipment.
Therefore UITS strongly encourages departments to buy wireless access
points that have been tested for interoperability and feature set. A
list and discussion of access point products tested by UITS will be
available from a UITS Web page. UITS believes that the model of wireless
Ethernet card for end-user computers is less critical, but recommends
using well-established vendors.
4. Frequency collisions: Departments should be aware that the FCC does
not license use of the frequencies used by 802.11b wireless Ethernet
and therefore other devices that use the same frequencies may disrupt
wireless communications. Such devices include cordless phones, microwave
ovens, and soon, personal network devices (e.g. Palm Pilots) using the
emerging Bluetooth technology. There are already numerous reports of
such interference, which can be intermittent and very difficult to diagnose.
UITS will resolve frequency conflicts between wireless access points;
however, UITS will not be responsible for resolving problems resulting
from non-network wireless devices.
5. Traffic Types Allowed: By late fall 2000, UITS hopes to be in a
position to provide centralized controls on packets that enter the campus
network via a wireless connection. At that time the following controls
will be put in place:
a. Only IP traffic, and no IP-multicast traffic, is allowed on wireless
network connections.
b. SMTP (mail) traffic initiated from a wireless connection will only be
allowed if it is destined for the official IU mail servers.
c. Certain types of ICMP packets may not be allowed to originate from
wireless connections (i.e. PING).
6. Possible Pre-emption by UITS: UITS reserves the right to deploy
wireless networking equipment at a later date, possibly requiring the
removal of previously installed departmental equipment.
Suitability
UITS does not consider wireless networking to be a replacement for
a well-wired campus. In the future, wired access speeds are likely to
improve significantly faster than wireless technologies. As applications
that require higher bandwidth become commonplace, wireless network technology
may not be able to provide a suitable conduit. Thus wireless should
be seen as an augmentation to the physical wire plant, extending the
network for general-purpose network access into zones of transient use
such as common areas. An exception is deployment in places where fixed
wiring is not an option, due to building configuration, age, or location;
i.e., where installing traditional wiring is either not possible or
not practical.
UITS views wireless access as appropriate for "common areas"
where students, faculty, and staff gather, and wireless access points
should be installed in these places only. Wireless is only appropriate
in cases where user numbers are limited and there is the expectation
of higher user knowledge of wireless use. Due to the shared bandwidth
nature of wireless, it is not the case that a given access point can
support an unlimited number of users - the more users, the smaller the
share of the bandwidth available to each. Wireless is most appropriate
at this time for the most pervasive applications - Web browsing and
e-mail.