UITS Policy for
Departmental 802.11b Wireless Network Equipment
June 15, 2000
UITS has a strategic plan for creation of wireless networking infrastructure
statewide over the next two years in areas suitable for such networking.
In the meantime, UITS encourages departments to experiment with this
emerging technology, but has several concerns about such deployment.
We have created this document in order to make departments aware of
these concerns and related policies.
The major concerns include security, reliability, and suitability.
The security and integrity of the IU network will be maintained, requiring
an adequate means of ensuring that only authorized users are able to
use the network. Reliability is a concern due to possible radio interference
from other wireless (or cordless) devices. Suitability refers to deployment
of wireless technology in appropriate locations for a select set of
purposes; i.e., wireless technology is not suitable for all locations
and applications and is certainly not a strategic replacement for a
Current UITS planning calls for testing and evaluation of the technology
during summer, 2000. By October 2000, seven test locations will be in
use statewide, and fourteen additional test sites will follow by January
2001. Up to 47 production sites will be added during 2001 and again
during 2002, for a total of 121 sites.
By January 2001, UITS plans to offer centralized authorization security
for wireless connections. In the meantime, departments should take the
steps available to them to secure wireless equipment. Specifically,
UITS (with concurrence by the IT Policy and Security Offices) requires
that by September 1, 2000, installations meet the following standards:
1. Small installations (up to 15 users) must 1) require their wireless
card users to know the name of the local wireless network (SSID) and
2) disallow cards set to use ANY network. Departments should give their
wireless network a non-obvious name and consider that name a "shared
secret", that is, not post the network name publicly. Furthermore,
small installations should turn on the wireless equivalent privacy (WEP)
encryption feature and inform users how to configure their wireless
driver to use the encryption key you provide. Again, the key should
be considered a "shared secret" and not posted publicly.
2. Small and medium-sized installations (up to 50 users) must require
registration of the Ethernet address, i.e., the media access (MAC) address,
and use the MAC address filtering capabilities of the wireless access
point to only allow registered addresses to use the access point. Medium-sized
installations should consider the options listed in point a. above;
however, sharing secrets among more than a handful of users is not highly
3. Departments with a large-scale installation of more than 50 users
should arrange a meeting with the University IT Policy Office and UITS
Network Engineers by August 10, 2000, to discuss short-term measures
that can be taken to secure their installation. The ITPO can be reached
1. Advance Notification: When a department plans to install a wireless
access point, notification must be made to the UITS Network Operation
Center (NOC) of the planned installation, including the data jack ID
and frequencies (or channels) to be used by the access point. This will
alert UITS to the presence of the device for troubleshooting purposes,
and also allow UITS to place wireless traffic on special subnets so
that additional security measures can be taken to ensure that only authorized
university faculty, staff, and students are using the IU network. The
NOC can be contacted at 855-3699 (IUB) and 274-7788 (IUPUI) or mail
sent to firstname.lastname@example.org. There has already been a case of a department
experiencing a serious network outage for over a day while the presence
of a wireless access point was determined to be the source of the problem.
2. Site Visit: Upon request, UITS will make a site visit to assist
local support provider staff in determining the optimal location of
the equipment. There is no charge for this service. Request a visit
by contacting your campus NOC.
3. Equipment: Despite the existence of an 802.11b standard, campus-wide
support will be enhanced by the use of a fairly uniform set of equipment.
Therefore UITS strongly encourages departments to buy wireless access
points that have been tested for interoperability and feature set. A
list and discussion of access point products tested by UITS will be
available from a UITS Web page. UITS believes that the model of wireless
Ethernet card for end-user computers is less critical, but recommends
using well-established vendors.
4. Frequency collisions: Departments should be aware that the FCC does
not license use of the frequencies used by 802.11b wireless Ethernet
and therefore other devices that use the same frequencies may disrupt
wireless communications. Such devices include cordless phones, microwave
ovens, and soon, personal network devices (e.g. Palm Pilots) using the
emerging Bluetooth technology. There are already numerous reports of
such interference, which can be intermittent and very difficult to diagnose.
UITS will resolve frequency conflicts between wireless access points;
however, UITS will not be responsible for resolving problems resulting
from non-network wireless devices.
5. Traffic Types Allowed: By late fall 2000, UITS hopes to be in a
position to provide centralized controls on packets that enter the campus
network via a wireless connection. At that time the following controls
will be put in place:
a. Only IP traffic, and no IP-multicast traffic, is allowed on wireless
network connections. b. SMTP (mail) traffic initiated from a wireless
connection will only be allowed if it is destined for the official IU
mail servers. c. Certain types of ICMP packets may not be allowed to
originate from wireless connections (i.e. PING).
6. Possible Pre-emption by UITS: UITS reserves the right to deploy
wireless networking equipment at a later date, possibly requiring the
removal of previously installed departmental equipment.
UITS does not consider wireless networking to be a replacement for
a well-wired campus. In the future, wired access speeds are likely to
improve significantly faster than wireless technologies. As applications
that require higher bandwidth become commonplace, wireless network technology
may not be able to provide a suitable conduit. Thus wireless should
be seen as an augmentation to the physical wire plant, extending the
network for general-purpose network access into zones of transient use
such as common areas. An exception is deployment in places where fixed
wiring is not an option, due to building configuration, age, or location;
i.e., where installing traditional wiring is either not possible or
UITS views wireless access as appropriate for "common areas"
where students, faculty, and staff gather, and wireless access points
should be installed in these places only. Wireless is only appropriate
in cases where user numbers are limited and there is the expectation
of higher user knowledge of wireless use. Due to the shared bandwidth
nature of wireless, it is not the case that a given access point can
support an unlimited number of users - the more users, the smaller the
share of the bandwidth available to each. Wireless is most appropriate
at this time for the most pervasive applications - Web browsing and