School Computing

Wireless Networking & Security

681pages on
this wiki
Add New Page
Talk0 Share

For more general discussion of network optimization, see Internet & Network Bandwidth & Monitoring & QOS

Wireless networking has allowed increased computing mobility by allowing end-users to connect to LAN's without cables. Basic wireless networking requires two pieces, a wireless transceiver "Access Point" connected to your LAN, and a wireless network card in your laptop or desktop (most laptops have this built in). These two basic pieces create a wireless network connection.

Installations can get very complicated when you take the following into account: security, encryption, physical building attributes (size, elevator shafts, concrete, etc), network management, and more. There are many wireless network consultants who will perform a site audit, and propose the best course of action in terms of placing your access points. Homegrown or consulted, wireless networking can benefit greatly from pre-planning!

Typical Issues Afflicting WiFi NetworksEdit

  1. Limited bandwidth
  2. Bandwidth choked by automatic updates of OS, virus updates, etc.
  3. Channel interference
  4. Access points on different subnets
  5. Outdated Firmware on APs
  6. Minimal or no security
  7. Multiple brands of APs
  8. SSID beacon transmission left on
  9. Different names (SSIDs) for different APs

Security Issues and SolutionsEdit


Q: What are you doing to secure your wireless networks? Are you using encryption only, or are you using an additional enterprise tool that ensures that no one gets on the wireless network without up to date virus definitions and service packs?

A: There are really two issues at work here. One is how to secure wireless networks so that people can't sit in their cars or even in neighboring homes and use your wireless network. The second is a means of checking each computer that connects to that network to ensure that it has the current service packs and virus definitions.

As to the first issues. There are several approaches with both positive and negatives. Most can be used in combination. At the outset let me say that NOTHING you can do will keep someone who is intent on doing so from getting into your network -- even wired networks have weak points such as wiring closets and off site phone interfaces that permit an intruder to connect. That said there are these approaches:

WEP and other SSID pass-phrase: These are the old standby of wireless networking. Every wireless router has them and they are minimally effective. The problem in a big school setting is that you end up with many access points all of which have the same pass-phrase, if not, students would need to reset the pass-phrase each time they connected to a new point. The result is that everyone knows the pass-phrase for the whole school. Any time you have pass-phrase known by 100's of people you might as well not have one at all. Also your pass-phrase is only as good as the physical security of all the portables, if one is stolen or sold you're going to have to change it for everyone.

NIC or MAC address restriction This is a bit better than the pass-phrase system. In this system you collect the NIC or MAC address of each of the computers. In theory these addresses are all unique. You can then tell a DHCP server to hand out IP addresses only to computers with those addresses. You could even bind a particular IP address to a particular computer with DHCP.

As with everything there are weaknesses here as well. While no one who isn't in the list will get an IP address from your DHCP server, if someone discovers your network setting they can bypass the DHCP server by hand -- editing the IP address and setting it in their computer. There are some advanced wireless router that prevent this by working only with IP delivered by the DHCP server. It is a simple matter to reprogram the NIC address if you know a good one or are scanning the network looking for connections from known good NICs.

Power Over EthernetEdit

POE can be supplied through a switch that is POE enabled or through an one port power injector which can be added to a non POE switch. The biggest benefit of POE is the ability to locate an Access Point anywhere it is needed. Without POE, APs must be located near appropriately placed, exiting power outlets.[1]

VLAN Virtual Network OptionsEdit

Schools may wish to restrict network access to only allowed computers, or may wish to offer some level of access. Virtual network management devices are one solution.

Network Access Control (NAC) SolutionsEdit

  • Lockdown
  • Campus Manager (a Cisco product)
  • iPass can be configured to prevent a machine from joining the network unless it meets criteria (latest AV software, Windows updates, recently scanned, etc.).
  • Symantec Network Access Conrol - Symantec Network Access Control 11.0 securely controls access to corporate networks, enforces endpoint security policy and easily integrates with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec's award-winning network access control solution discovers and evaluates endpoint compliance status, provisions the appropriate network access and provides automated remediation capabilities.
  • Sophos Network Access Control

VLAN DiscussionEdit

We permit, and encourage students to bring their own computers to school, we do not issue or have school laptops. As we do not have servers with storage or that people connect to we have few concerns as to security. We do check the windows PC's for anti-virus software before permitting them to connect. We keep the wireless network separate from the wired one and the Administration computer are on a physically separate network that can not be accessed from the academic one.

Jason Hyams of St. Agnes (Houston, TX): We use HP Procurve switches which are configured for QOS with priority for our VoIP phone traffic. You can setup QOS per VLAN but I have never tested it. For the wireless network we use Meru Networks 3075 controllers. The new firmware release 3.4 allows has per client firewall and QOS per ESSID. Each of our ESSID's are configured for separate VLans. Currently we do not have QOS setup but I do plan on using the per user firewall to allow specific traffic on to our wireless network. Our Juniper Netscreen firewall also has traffic shaping per profile. Each VLAN can be a separate profile. I have used this feature and it is effective for slowing down video traffic from the internet to the inside network. Currently our security is at the perimeter of our network. The new feature from Meru will allow us to push security to the access points. 40% reduction in service requests since implementing this portal based system. Peaks at 750 laptops online at same time. Podcast Describing this Portal System

  • campus-wide secured wireless network; open wireless network, captive portal which authenticates users
    • home environment provides same resources & access as school network
    • implementing single sign-on this summer
  • students own the laptops, bringing them into school, similar to university environment
  • secure perimeter
  • packet shaping capability
  • personal firewall capability at the AP (restrict clients to certain ports at the APs)
  • at the moment, all users are treated as "untrusted device"
    • content filter (blocks shopping & video to improve bandwidth)
    • intrusion detection
    • firewalls
    • various zones
  • web-based hot-spot printing "PrinterON" universal printer driver
    • print-release stations (reduces printing waste)
    • hot-spot based printing removes issue of default printer waste
    • blocked externally
  • exchange email & calendaring
  • file storage
    • provides a file back-up solution
    • webDAV "My Files" button, (Xythos digital locker; java-based server)
    • authenticates
    • drag & drop
    • students can share & collaborate on assignments
    • hidden pick-up and drop-box folders
    • similar to mapped drive, but web-based
    • bookmarkable
    • shareable
  • on-site repair center
  • application streaming server
    • streams electronic books from OSP
    • streams applications ("virtualizes" it)
    • off-lines the books (with a removal date)
    • blogging server
    • help desk online (php sql based homegrown, available on request; touchscreen controlled)
  • Internet pipe is expandable on demand from 10Mb-1Gb

I am also using HP Procurve switches and the newer models allow bandwidth management via a network management console snapin called "Identity Driven Manager".

Guest VLANS and Public Hot-spotsEdit

Key School mentions their vlan:

We're implementing a guest VLAN on our wireless AP's and network switches for this purpose. The guest VLAN runs through a captive portal which prompts for their username/password, and then grants them Internet access. Students can access email through OWA, My Documents through WebDAV, and just about anything else through our intranet sites. The only issue I have yet to work out is printing. I'm playing with using IPP on a few public laser printers, and just allow packets between the guest DMZ and the internal LAN to those IP addresses/ports. The trick is easily setting up the IPP connections for the users. This is easily scripted via a webpage for IE/Windows computers, but anything else is going to be a bit tricky.

Stuart-Hall describes their public hot-spots:

I'm actually doing something similar with an open-source gone commercial hotspot solution (Sputnik) using RADIUS authentication against the domain controller. Printing's not an issue after they authenticate and they can get to their H: drives on the file server. We also have the students using OWA although faculty and staff use Outlook clients.

Key School:

We have a secondary SSID on our wireless AP's that's on a guest VLAN. That guest VLAN is off a DMZ on our firewall which provides basic Internet access (HTTP/S, DNS) for visitors and faculty/student owned machines. They have no access to our internal LAN other than what's = already accessible from the Internet (webmail, webdav for folders, etc). Most business-class APs, and all enterprise-class ones I'm aware of, = support multiple SSID/security profiles and VLAN tagging, and most firewalls over $500 support a DMZ zone. We do this with Netgear WG102 APs and a pfSense open-source firewall, and I'm very happy with it.

We have a VLAN set up off a DMZ of our firewall that provides throttled Internet access. This VLAN is accessible via a second SSID on our AP's that's completely open. You can also jack into any switch port, and if your MAC address isn't known to our RADIUS server, you'll also be thrown onto that guest VLAN. In the future, we'll probably add captive authentication to this Internet access to prevent neighborhood abuse, but if we do so we'll need to work out access for guests/parents/etc.

If you want to be able to control student laptop access to the network based on policies -- e.g. "access is allowed as long as long as you don't have programs x, y, and z installed" -- then you need a NAC solution. Complicated and probably expensive, but might be the only way to go. Cisco's solution uses an agent that gets installed on the laptop and reports the "compliance level" back to an AAA server, which determines whether to grant access. If you just want to stop any student laptop from using a wired connection, it's easier: 1. On all your computers and especially servers, use a static arp table entry for the gateway address. This should prevent man-in-the-middle attacks via arp cache poisoning. 2. If you use Cisco switches, set address learning on "exposed" ports to 1, The switch will remember the MAC of the first node plugged into a port, and then deny access to any node with a different MAC plugged into that same port. This will block unauthorized laptop's access to the network, unless the kids are smart enough to spoof the MAC of the computer that's supposed to be plugged into that port. OR, 3. Use a DHCP reservation for every legit computer. Student laptops that don't have a reservation won't get an IP address.

Dense or Mesh Wireless NetworkingEdit

Retrieved from ISED-L 2/15/08, 3/26/08 CC3

Q. We're currently considering Meru Networks WiFi solutions for our school or Xirrus. I was wondering if anyone has had good or bad experiences with them and would be willing to share?

A. St. Agnes has been a Meru customer for over two years. We have two enterprise controllers, 75 inside abg access points, 2 radio switches which handle about 250 clients each and an outdoor ap for our wireless security cameras. You know my bias for Meru Networks. We had Cisco, Aruba and Meru conduct an onsite test before going with Meru. Both Cisco and Aruba could not place enough access points on our first and second floor to achieve optimal bandwidth requirements for each classroom. I was never able to get enough bandwidth for our classrooms using micro-cell technology (HP Procurve solution). I had to move to single channel architecture to eliminate the co-channel interference (Meru Networks solution). Novarum has recently published an enterprise wireless study highlighting Cisco, Aruba and Meru. It highlights the benefits of single channel over micro-channel technologies. You will find that Meru was the clear choice in dense environments.

A: I had Xirrus come in and give us an estimate. While they claim to need less access points, the number of radios for each point can climb to 16. This made them very expensive. The price they quoted was double the price for a Cisco solution.

Retrieved from ISED-L list-serv 3/09, CC3.0 a, s-a, nc license

A: We have looked at Aruba, Trapeze, Meru, Cisco, Apple Xirrus and Ruckus . In each case we asked the vendors to come out, show us the product, demo it and do a site survey to determine the proper placement of APs based on our requirements for coverage, density and throughput. I would highly recommend getting someone it or at least take the time time to do a site survey on your own. We did our site survey for our Apple BaseStations years ago and it was time well spent and money saved. As for Meru, they were the only controller based system which operated on a single channel. This to me was a little concerning. I understood how they said it worked, but as with so many of these solutions it all comes back to the controller and in the Meru case having to have the controller monitor all the traffic AND maintain the single channel I was and continue to be skeptical. The only two solution I looked at that offered something different were Xirrus and Ruckus. Xirrus, based on cost and application didn't make the most sense for us. They number of APs spec'd and the overall cost was more than any other vendor. Ruckus now has our attention. They offer an AP that is managed by a controller, but is not reliant on the controller as with the other systems. It manages the APs but does not get in the way of the data and therefore does not represent a single point of failure on the system. The way in which their APs work seem to do a better job at delivering the most focused bandwidth per user than any other solution we've looked at. With all that said, we are still looking and asking questions, but have narrowed things down to really considering Aruba and Ruckus.

A: I am reading all of the posts about the on going battle of what wireless solution is better and why. Price seems to be the big issue of choosing an industrial grade wireless solution. When companies come to you and preform the site survey is the survey free and guaranteed? Meaning if additional APs are required the company gives them to you. When a vendor gives you a price is that it? Take it for face value? Xirrus cut my number of AP's in half and that included a new building. They came to me with a huge price and I sent it back for a do over. The site survey was guaranteed. If a problem comes up someone is on the phone with me and/or standing in my doorway ready to work. I may have paid a little more for my solution but it was well worth it.

A: We went with Ruckus and have been very happy with it. We probably don't have all the demands you all might have, but a huge upgrade from the cobbled-together wireless network I inherited.

A: We have turned into a huge supporter of Xirrus after switching over to them last year. We did the free live site survey and were amazed at the improvement. The service is incredible and they provide a full 5 year warrantee on HW. We have had a 1:1 program for 10 years and we now use 75% fewer switch ports (I counted) with much greater distance, coverage and throughput. A separate controller is not necessary to run the arrays because the controller and switch are built into each array. The single point of failure issue is a good point but we were running a wireless system managed by a single controller which was also a single point of may not be if you have multiple controllers. Bottom line...our teachers are using tons of video, DyKnow and web 2.0 programs without having the signal droppage that we have had to deal with in past years. Also, even though they are new, I think they have only been in business for 5 years, many well respected institutions are switching over to them. I am certainly not a wireless expert but we have been extremely happy with our choice.

Detecting Rogue UsersEdit

Q: This year we implemented DHCP throughout campus to help with administrating the network. In doing so has giving the students the capability to unplug network cables from a lab machine and plug their own laptop in the internet connection. What are some tools/programs (free or cheap) that I can use to make sure no external machine is connected to the network/internet connection? We currently do not have a CA deployed which I know is an option. We also don’t have Linux but may consider it if it is the way to go for free tools.

A: We don't do this ourselves, but most DHCP servers allow you to specify what IP address to give to each machine based upon their MAC address. Then to not provide a valid IP address to any device that is not in the MAC address table. This should do what you want, though can be a hassle to keep the MAC address tables up to date as you add and remove devices. Keep in mind that this also means other network devices like printers, etc.

A: Static mapping MACs to an IP via DHCP is one option... (a pain for administrators, but a gaurentee that students will not beable to do what you are asking... other options....You can assign MAC addresses via secure port settings (if you are in a cisco environment) I've done this in the past.... it's also a pain...but at a switch level you can then be able to manage what connects in a specific room... Final option: Are you aware of Bradford Network's Campus Manager appliance? I would plan on purchasing this appliance if I were you. This is a great product to have on your network.

A: What you're looking for is a way to authenticate either a machine or a user before giving them network access. Campus Manager was designed to do exactly what you want. It is certainly not cheap. I'd also look into using a RADIUS server in conjunction with your switches and access points. Depending on the equipment you have you can perform some VLAN switching and put unregistered user/computers on a VLAN without any access priviledges. The biggest hassle is that you'll need to maintain a database of either usernames/passwords, machine names or MAC addresses. However you should be able to get the RADIUS server to talk to Active Directory to do this.

A: I agree, all of these products are very expensive compared to any other single devices we add to our networks. Regardless, our environments can hardly do without. I don't have the time or inclination to manage mac addresses on all of our switches and WAP. I have looked intensively for a Network Access Control solution that works for both wired and wireless environments. The vulnerability of our networks via untrusted devices by trusted users increases everyday.

I'm considering Campus Manager and Lockdown. I'd appreciate hearing about any other products or specifically about either of these. I know that several of you use CM. I'm especially interested to hear more on CM "shortcomings" since it seems to be the device of choice for academic environments.

Lockdown is also very interesting. They are not in the ed market, but want to break into it. They may even be willing to do a deal if there is more than one of us interested.

A: Check out It allows you to control the distribution of DHCP addresses. I think it does require a Linux-based DHCP server, but I might be wrong.

Vendors Offering Surveys, Audits, and Security ConsultingEdit

Also see: Student Owned Laptop Programs

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.