Wi-Fi LAN Security and Co-existence Guideline

Last updated: July 31, 2023

 

Departments with Wi-Fi policy exemption approval from UW-IT to deploy and operate a locally-managed Wi-Fi network must adhere to the following security and coexistence guidelines:

Guidelines for Approved Departmental WLAN Deployment

1.1. Departments MUST get UW-IT approval BEFORE installing any Wi-Fi equipment.

1.2. Departmentally-managed access points must be configured in a way that prevents interference with campus Wi-Fi infrastructure via the methods described below. In particular, a unique Service Set Identifier (SSID) must be used for departmental installations in order to avoid conflicts with campus Wi-Fi infrastructure. Unfortunately, this means that users may need to reconfigure their laptop computers or smart devices when moving between departmental and campus Wi-Fi infrastructure.

1.3. Departments with UW Information Technology approval to deploy or maintain their own Wi-Fi infrastructure are responsible for all security risks and liabilities associated with such installations. Consequently, it is essential that departmentally managed access points implement some form of access control.

1.4. One of the best practices for data security is that no one should rely on link-level network protection (link encryption or other forms of isolation) for either wired or Wi-Fi networks. It is essential that sensitive or critical information be protected at the transport and/or session levels using encrypted protocols such as IPsec, TLS/SSL, SSH or Kerberos.

1.5. When individual network-connected computers endanger the network or other hosts, it is necessary to temporarily disconnect them from the campus network. Similarly, whenever a departmental Wi-Fi access point is configured in such a way that it either interferes with the campus network infrastructure or represents an untenable business risk to the university, it will need to be disconnected until the problem is resolved. This is normally done by having the UW Information Technology Network Operations Center disable the Ethernet port to which the offending device is attached.

1.6. If an attack originates from a client using the departmental access point, that access point (and thus everyone using it) will be disconnected.

Guidelines for Departmental WLAN Access Control

2.1. Due to the potential for misuse by unknown individuals, with little risk of discovery, it is imprudent to deploy Wi-Fi infrastructure without some form of access control. Therefore, departments should deploy at *least* one of the following access control methods in their Wi-Fi access points:

  • Use WPA2-AES to secure and control access to your wireless network.
  • Use 802.1X to authenticate users to your wireless network.

2.2. Be aware that the centrally-managed campus Wi-Fi access control policy requires authentication via UW NetID in order to access resources outside the UW network. This policy is implemented via a “captive portal” approach, wherein first access to websites outside UW forces redirection to a UW NetID Weblogin page. The policy is intended to prevent liability and embarrassment to the University in case a malicious user attempts to launch attacks against other sites using the UW network.

Guidelines for Approved Departmental WLAN Coexistence With the Campus WLAN Infrastructure

3.1. Departments must configure their Wi-Fi access points to:

  • Use a non-default SSID, that is, not a factory default such as “NETGEAR” or “linksys”. (This avoids the problem of campus users getting “stuck” to a department access point with no way to authenticate, and also provides a “branding” capability to clarify who to call for support issues.)
  • Use a unique SSID that does NOT contain “eduroam” OR “UW MPSK” OR “University of Washington” in order to avoid disruption to service and user confusion.
  • Use a secure authentication method such as WPA2-PSK or 802.1X. Do not use Open System Authentication.
  • Use minimum necessary power to cover your area.
  • Only use channels 1, 6 and 11 in the 2.4 GHz band.
  • Only use 20 MHz channel widths in either the 2.4 GHz or 5 GHz bands.
  • Remove 802.11b rates (if possible).
  • Not use any form of mesh or wireless repeater technology.
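
The checkable items in 3.1 can be audited automatically before an access point goes live. The following is an added example, not part of the UW-IT guideline: it assumes the access point's settings are available as hostapd-style `key=value` lines (the guideline names no access point software), and the finding labels are hypothetical. Transmit power and mesh/repeater use are not covered.

```python
DEFAULT_SSIDS = {"netgear", "linksys"}   # factory defaults named in 3.1
RESERVED = ("eduroam", "uw mpsk", "university of washington")
B_RATES = {"10", "20", "55", "110"}      # 802.11b rates in hostapd's 100 kbps units

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text):
    """Return guideline 3.1 findings for one config (empty list: none found)."""
    cfg, out = parse(text), []
    ssid = cfg.get("ssid", "").lower()   # case-insensitive match is an assumption
    if not ssid or ssid in DEFAULT_SSIDS:
        out.append("ssid-default")
    if any(name in ssid for name in RESERVED):
        out.append("ssid-reserved")
    # wpa is a bit field; bit value 2 enables WPA2 (RSN). Unset or 0: WPA2 is off.
    if not int(cfg.get("wpa", "0")) & 2:
        out.append("auth-not-wpa2")
    else:
        if not {"WPA-PSK", "WPA-EAP"} & set(cfg.get("wpa_key_mgmt", "").split()):
            out.append("auth-key-mgmt")
        ciphers = set(cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split())
        if ciphers != {"CCMP"}:
            out.append("cipher-not-aes-only")
    two_four = cfg.get("hw_mode") in ("b", "g")
    if two_four and cfg.get("channel") not in ("1", "6", "11"):
        out.append("channel")
    if "HT40" in cfg.get("ht_capab", "") or cfg.get("vht_oper_chwidth", "0") != "0":
        out.append("width-over-20mhz")
    # With supported_rates unset, hostapd offers the hw_mode defaults (assumed
    # here to include the 802.11b rates in g mode), so that is flagged as well.
    rates = set(cfg.get("supported_rates", "").split())
    if two_four and (not rates or rates & B_RATES):
        out.append("11b-rates")
    return out

# Constructed sample configs, not taken from any real deployment.
WEAK = "ssid=linksys\nhw_mode=g\nchannel=3\nht_capab=[HT40+]\n"
GOOD = ("ssid=ExampleDept-WiFi\nhw_mode=g\nchannel=6\nwpa=2\n"
        "wpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"
        "supported_rates=60 90 120 180 240 360 480 540\n")

if __name__ == "__main__":
    print(audit(WEAK), audit(GOOD))
```
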

3.2. Departments may also be required to configure their Wi-Fi access points to:

  • Use frequencies other than those of nearby campus access points. (Since this will vary with location and time, it is necessary to coordinate with UW Information Technology on frequency use.)
  • Remove low data rates.

3.3. Finally, additional best practices include:

  • Use a secure procedure (e.g. in-person, telephone, PGP email) to contact your local IT support staff about any wireless access point deployed by you or by a third party.
  • Ensure those managing the campus Wi-Fi infrastructure have up-to-date contact information for the subnets involved.
  • Give authorized users the technical contact responsible for managing your departmental Wi-Fi access point (wireless router).