Wireless LAN Security and Co-existence Guideline

Departments with wireless policy exemption approval to deploy and operate a locally-managed wireless network must adhere to the following security and coexistence guidelines:

Guidelines for Approved Departmental WLAN Deployment

1.1. Departmentally-managed access points must be configured in a way that prevents interference with campus wireless infrastructure via the methods described below. In particular, a unique Service Set Identifier (SSID) must be used for departmental installations in order to avoid conflicts with campus wireless infrastructure. Unfortunately, this means that users may need to reconfigure their laptop computers or PDAs when moving between departmental and campus wireless infrastructure.

1.2. Departments with UW Information Technology approval to deploy or maintain their own wireless infrastructure are responsible for all security risks and liabilities associated with such installations. Consequently, it is essential that departmentally managed access points implement some form of access control.

1.3. One of the best practices for data security is that no one should rely on link-level network protection (link encryption or other forms of isolation) for either wired or wireless networks. It is essential that sensitive or critical information be protected at the transport and/or session levels using encrypted protocols such as IPSEC, SSL, SSH, or Kerberos.

1.4. When individual network-connected computers endanger the network or other hosts, it is necessary to temporarily disconnect them from the campus network. Similarly, whenever a departmental wireless access point is configured in such a way that it either interferes with the campus network infrastructure or represents an untenable business risk to the university, it will need to be disconnected until the problem is resolved. This is normally done by having the UW Information Technology Network Operations Center disable the Ethernet port to which the offending device is attached.

1.5. If an attack originates from a client using the departmental access point, that access point (and thus everyone using it) will be disconnected.

Guidelines for Departmental WLAN Access Control

2.1. Due to the potential for misuse by unknown individuals, with little risk of discovery, it is imprudent to deploy wireless infrastructure without some form of access control. Therefore, departments should deploy at *least* one of the following access control methods in their wireless access points:

  • Enable some level of wireless network access control such as WEP, WPA, or WPA2, and make sure the key is only available to authorized users. (In particular, if this is your preferred way to control access, the key MUST NOT be posted on a website.)
  • Limit access by MAC address of authorized computers and PDAs.
  • Restrict wireless access to authenticated VPN connections only.
  • Implement a "captive portal" authentication system such as Bluesocket or NoCatAuth.

2.2. Be aware that the centrally-managed campus wireless access control policy requires authentication via UW NetID in order to access resources outside the UW network. This policy is implemented via a "captive portal" approach, wherein first access to websites outside UW forces redirection to a UW NetID Weblogin page. The policy is intended to prevent liability and embarrassment to the University in case a "drive by" wireless hacker attempts to launch attacks against other sites using the UW network.

Guidelines for Approved Departmental WLAN Coexistence With the Campus WLAN Infrastructure

3.1. Departments must configure their wireless access points to:

  • Use a non-default, non-null SSID. (This avoids the problem of campus users getting "stuck" to a department access point with no way to authenticate, and also provides a "branding" capability to clarify who to call for support issues.)
  • Use a unique SSID that does NOT contain "University of Washington" in order to avoid user confusion.
  • Use minimum necessary power to cover your area.

3.2. Departments may also be required to configure their wireless access points to:

  • Use different frequencies than those of nearby campus access points. (Since this will vary with location and time, it is necessary to coordinate with UW Information Technology on frequency use.)
  • NOT broadcast their SSID. (Again, to avoid "trapping" unsuspecting campus wireless users.)
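The access-control requirement in 2.1 and the SSID and broadcast requirements in 3.1 and 3.2 can be checked mechanically before an access point goes live. The following is an added example, not part of the guideline and not a UW Information Technology tool. It assumes the access point's settings are available as a hostapd-style key=value file; the key names used (ssid, ignore_broadcast_ssid, wpa, wep_default_key, macaddr_acl) are hostapd's documented ones, and the vendor-default SSID list and both sample configurations are constructed for the example. WEP and MAC filtering both satisfy 2.1 as written, so the audit reports them as advisories rather than violations (WEP's encryption is cryptographically broken and MAC addresses are trivially spoofable), while an absent SSID, a vendor-default SSID, an SSID containing "University of Washington", or no access control at all are reported as violations.

```python
"""Audit a hostapd-style AP configuration against the departmental WLAN guideline.

Added example.  The guideline prescribes no file format; the key=value layout
and key names follow hostapd's documented configuration (an assumption made
here for illustration).
"""

# Constructed list of common vendor default SSIDs (not from the guideline).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
FORBIDDEN_SSID_TEXT = "university of washington"  # rule 3.1


def parse_ap_config(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap_config(text):
    """Return a list of (severity, finding) tuples.

    severity is "violation" (fails the guideline), "advisory" (allowed but weak)
    or "info" (needs confirmation with the campus network team).
    """
    cfg = parse_ap_config(text)
    findings = []

    # Rule 3.1: non-default, non-null SSID that does not claim to be the campus WLAN.
    ssid = cfg.get("ssid", "")
    if not ssid:
        findings.append(("violation", "SSID is null/empty (rule 3.1)"))
    elif ssid.lower() in DEFAULT_SSIDS:
        findings.append(("violation", f"SSID '{ssid}' is a vendor default (rule 3.1)"))
    if FORBIDDEN_SSID_TEXT in ssid.lower():
        findings.append(("violation", "SSID contains 'University of Washington' (rule 3.1)"))

    # Rule 2.1: at least one access-control method.  hostapd semantics:
    # wpa=2 -> WPA2 (RSN), wpa=1 -> WPA, wpa=3 -> both; wep_default_key -> WEP;
    # macaddr_acl=1 -> deny unless the client MAC is in the accept list.
    wpa = cfg.get("wpa", "0")
    uses_wep = "wep_default_key" in cfg
    mac_allowlist = cfg.get("macaddr_acl") == "1"
    if wpa in ("2", "3"):
        pass  # WPA2 present: the strongest option the guideline lists
    elif wpa == "1":
        findings.append(("advisory", "WPA only; prefer WPA2 (rule 2.1)"))
    elif uses_wep:
        findings.append(("advisory", "WEP is cryptographically broken; prefer WPA2 (rule 2.1)"))
    elif mac_allowlist:
        findings.append(("advisory", "MAC allowlist only; MAC addresses are spoofable (rule 2.1)"))
    else:
        findings.append(("violation", "no access control configured (rule 2.1)"))

    # Rule 3.2: hiding the SSID may be required; flag a broadcast SSID for review.
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("info", "SSID is broadcast; rule 3.2 may require hiding it"))

    return findings


def is_compliant(text):
    """True when the configuration has no guideline violations."""
    return not any(sev == "violation" for sev, _ in audit_ap_config(text))


# Constructed sample: an out-of-the-box access point.
WEAK_CONFIG = """
ssid=linksys
channel=6
"""

# Constructed sample: a departmental access point following rules 2.1, 3.1 and 3.2.
GOOD_CONFIG = """
ssid=Astronomy-Lab-WLAN
ignore_broadcast_ssid=1
channel=11
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE-WITH-REAL-PASSPHRASE
rsn_pairwise=CCMP
macaddr_acl=1
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "compliant" if is_compliant(cfg) else "NOT compliant")
        for severity, finding in audit_ap_config(cfg):
            print(f"  [{severity}] {finding}")
```

Run it against an exported configuration before requesting the Ethernet port be enabled; the channel choice in 3.2 is deliberately left unchecked because it depends on coordination with UW Information Technology rather than on a value in the file.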

3.3. Finally, additional best practices include:

  • If departmental support staff are not the ones deploying the access point, be sure at least to inform them of any/all passwords needed to configure the access point.
  • Ensure that those managing the campus wireless infrastructure have up-to-date contact information for the subnets involved.
  • Ensure that departmental wireless users are given the departmental wireless contact information for support questions, so they know not to call the UW Information Technology help desk or UW Information Technology Network Operations directly.

Last modified: July 9, 2013