Wireless Networking at VCU


Introduction

This proposal and associated standards were approved by the University Information Technology Advisory Council on February 22, 2002. 

Virginia Commonwealth University will deploy wireless networking as necessary to meet evolving business needs. Wireless networking shall be deployed in such a manner as to ensure interoperability and ease of use across all installations on campus, provide adequate reliability, and maintain an appropriate level of information security.

Technology Services will provide oversight of the installation of the wireless network and supporting infrastructure. Schools and departments will identify needs and provide funding for installations in their areas, as well as appropriate user support.

Executive Summary

This document provides a road map for wireless deployment for VCU. The centralized IT units can best handle some aspects of wireless technology; schools and departments can customize other aspects to best meet their needs. The primary issues that must be addressed include information security, client support, bandwidth management, potential sources of interference, and funding.

VCUnet will be responsible for the enterprise-wide aspects of wireless technology. They will create the underlying wired infrastructure necessary to support wireless access points, create interoperability and security standards, and minimize interference between units by installing and configuring access points in accordance with standards. Under this proposal, VCUnet will also provide a limited amount of open-air coverage of common spaces. Schools and departments will provide client support and, in conjunction with VCUnet, create customized coverage plans for programmatic spaces.

Business drivers include

  • Improving the learning experience by exposing students to technology that is increasingly found in the corporate environment
  • Facilitating interaction between faculty, students, and staff by providing ubiquitous access
  • Reducing installation costs in hard-to-cable buildings
  • Maintaining a competitive stance compared to peer institutions

The projected first-year budget for establishing the central IT related infrastructure is $69,000. $62,000 is HEETF eligible and the remaining $7,000 will be covered by other E&G funding. Schools and departments will have additional expenditures based on their programmatic needs. The existing and proposed wireless deployments covered under this proposal should be considered pilot programs and used to learn about the technology and to determine future needs.

Budgets for follow-on years are impossible to project at this time, since expansion plans should wait until the viability of the technology is proven and actual utilization is reviewed. Additionally, the technology is changing rapidly and plans will need to be adjusted as new standards and products emerge.


Business Drivers 

  1. Student exposure to wireless technologies is required to teach information and knowledge management skills needed to compete in the job market (SCHEV mandate for Computer Competencies).
  2. Wireless networking can provide ubiquitous access to learning resources available at VCU and on the WWW, which will increase the use of e-mail, Internet, digital media, and other instructional technologies and will enhance learning opportunities.
  3. Wireless technologies can facilitate greater interaction, collaboration, and communication among faculty, students, and staff.
  4. Wireless technology can cost-effectively provide access in hard-to-cable locations (asbestos, open areas, areas subject to frequent reconfiguration, etc.).
  5. The deployment of wireless networking is required to maintain a competitive stance with other universities and colleges.


Current Status as of January 2002

A number of pilot programs have been started at VCU. The majority were installed during the summer of 2001 for evaluation during the fall 2001 semester. Since most of these installations were added onto the existing wired infrastructure, security is a concern. Once an appropriate infrastructure is established for wireless networking, these installations will be migrated in order to provide appropriate security.

School of Pharmacy: In conjunction with the School's Student Laptop Initiative, the School of Pharmacy has installed nine access points in the Robert Blackwell Smith Building, providing nearly building-wide coverage. Forty client adapters were purchased. Thirty-five were provided to student participants and four to faculty participants. An additional five students purchased their own adapters. The Pharmacy-provided adapters were issued for one semester and participants are required to complete a wireless LAN survey at the end of the semester.

VCU Libraries: Four access points were installed in the James Branch Cabell Library and four in the Tompkins-McCaw Library. Ten client adapters are available for short-term (four-hour) checkout in each building.

School of Business: Four access points were installed on the fourth (?) floor to support the Executive MBA program. Students are required to provide their own client adapter.

School of Engineering: A single access point was installed in the Engineering building for evaluation.

Trani Center for Life Sciences: A single access point was installed in the Life Sciences Building for evaluation.

Common spaces: Technology Services installed access points in the VCU Meeting Center, Hunton Hall, and the Larrick Center to provide general access and to evaluate the acceptance of wireless technology around the University.


Deployment Plan

Wired Infrastructure

There are two primary issues to be addressed when planning the wired infrastructure for supporting the wireless network: security and ease of use.

Wireless solutions are inherently less secure than their wired equivalents. Care must be taken when attaching access points to the existing network to avoid compromising security.

To maximize the ease of use, users should have the same experience attaching to the wireless network regardless of where they are on campus. Additionally, users will want to roam between access points.

The proposed wired infrastructure plan addresses both issues. Rather than tie access points into the existing network, which would lead to security breaches and heavily segmented networks, a bridged overlay network will be created for the sole purpose of supporting wireless. A bridged overlay network will allow all access points to appear on the same network segment, thus allowing roaming between locations without the need to get a new address. Specialized protective access lists can be put in place to secure the wireless network without impacting existing network segments.

Network configuration

Initially, one 100 Mb/s router port on each campus will act as the gateway between the wired and wireless networks. Additional ports will be added if usage warrants greater bandwidth capacity. A non-connectable Class B address will be assigned to serve all wireless devices via a DHCP server. Traffic destined for the Internet will be re-addressed by the VCU firewall to a connectable address. Traffic will be limited to IP only.

The Wireless Workgroup has established access point standards that will be applied to all access points. Please see attachment 1.

Common Space Coverage Area

Common Space is defined as VCU spaces that are not assigned to a specific educational department. The intent is to provide wireless coverage for the VCU community in "public" spaces, such as the Student Commons and on-campus outdoor areas. Common Space Coverage is not intended to serve the general public nor extend beyond the contiguous campus.

A number of areas will be provided a minimum level of wireless access point coverage as a part of the central infrastructure. The following areas are targeted for central IT support as Common Spaces:

  • VCU Meeting Center
  • Hunton Hall
  • Larrick Center
  • Student Commons
  • Open space between Commons and Business
  • Sanger Hall garden area

School based plans

Areas not covered by the Common Space access plans will be the responsibility of the schools and departments that have a business need to provide wireless coverage. Schools and departments wishing to deploy wireless solutions will be required to work with VCUnet when designing and installing access points to ensure an interoperable installation that does not interfere with other units.

Access Point Placement Planning Recommendations

The following recommendations were developed by the Wireless Committee to provide guidance on locating access points.

  • If you want coverage over a wide area, keep the access points separate yet have their transmission areas overlapping somewhat. The access points should be on different channels for wider coverage and less interference.
  • For higher redundancy, overlap the areas with access points on the same channels (not separate channels).
  • Generally, use bipolar antennas for areas outside of buildings and high-gain antennas for inside buildings.
  • Use low-frequency channels for outside areas. Use high-frequency channels for inside areas.
  • Consider placing access points towards the center of a building to reduce unwanted public exposure.
  • The Wireless committee recommends the following priority order when considering placement of wireless networks:
    • Libraries
    • Student Commons
    • Lecture Halls
    • Classrooms/Floors
    • Research Labs.
    • Note: Computer Labs are to be wired to allow maximum bandwidth. A wireless network may be used as a supplemental network if some mobility is required.
  • VCU should communicate and collaborate with entities within close proximity of the University campuses to minimize specification and interference issues.

End user support

The existing help desks will provide user support. Supporting wireless clients is expected to present about the same level of effort as supporting wired clients. Access points will be installed at the Technology Services help desks in Cabell Library basement and Sanger Hall third basement, and the Humanities and Sciences help desk in Hibbs basement as a part of this proposal. The help desks will utilize VCUnet when necessary as second-level support.

A web page devoted to wireless networking at VCU will be established on the VCU web site. Wireless cards that have been tested and verified to work on the VCU network will be listed on these web pages.  As additional cards are tested and verified, they will be added to the list of supported cards.  

The Wireless Workgroup has established client configuration standards and installation guidelines. Please see attachment 2. 

Authentication and Security

Wireless connections are not as secure as their wired counterparts. Security features provided by manufacturers have proven to be inadequate - a person with freely available software could capture and decode traffic on the wireless network without too much difficulty. Because the traffic is broadcast, the person does not even need to be on VCU property to capture the data. Likewise, someone could access the VCU network anytime they are within range of a transmitter. There is currently no way to authenticate a user as valid or as an intruder.

Developing an authentication mechanism is outside the scope of this initiative. Because authentication is needed in several technology areas, it is being handled as a separate project. Once a solution is identified, it will be applied to the wireless network.

Manufacturers are working on developing a stronger security scheme for wireless devices. In addition, VCU is also working on strong security solutions such as VPN (Virtual Private Network), SSL (Secure Socket Layer) and other security technology. Until such time as both authentication and security are improved, the wireless network should be considered as non-secure and open.

A Conditions of Use for Wireless Connections is provided as Attachment 3. Essentially, wireless connections should be used to access non-critical and non-sensitive data only. Academic uses such as Internet browsing and e-mail are acceptable. Access to administrative applications is disallowed, as is access to any mission-critical or sensitive data and applications. Sensitive data include student grades, social security numbers, or any other information that falls under privacy protection acts or HIPAA requirements. Establishing servers over a wireless link is not allowed.

Access rules will be established on the router interfaces to enforce the approved conditions of use to the extent possible.
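
How such access rules could behave, as an added example that is not part of the original proposal: a small Python model of first-match rules on the wired/wireless gateway, run over constructed packets. The address ranges, the `Packet` fields and the `decide` and `evaluate` functions are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder addressing chosen for this example, not VCU's real networks.
WIRELESS_NET = ipaddress.ip_network("172.16.0.0/16")   # wireless overlay segment
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]    # administrative servers


@dataclass
class Packet:
    src: str
    dst: str
    l3: str = "ip"       # network-layer protocol: "ip", "ipx", "appletalk"
    proto: str = "tcp"   # "tcp", "udp" or "icmp" when l3 == "ip"
    dport: int = 0
    syn: bool = False
    ack: bool = False


def decide(pkt):
    """First-match decision for a packet crossing the wired/wireless gateway."""
    if pkt.l3 != "ip":
        return "deny", "traffic is limited to IP only"
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in WIRELESS_NET and any(dst in net for net in ADMIN_NETS):
        return "deny", "administrative systems are off limits from wireless"
    # A bare SYN toward a wireless address opens a new inbound connection,
    # which only succeeds if a server is running there. Replies to sessions
    # opened by the wireless client carry ACK and fall through to the permit.
    # UDP has no such flag, so a stateless rule cannot make this distinction.
    if dst in WIRELESS_NET and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
        return "deny", "no servers on the wireless network"
    return "permit", "no rule matched"


# Constructed sample traffic (labels and addresses are illustrative).
SAMPLE_FLOWS = [
    ("web browsing from wireless",
     Packet("172.16.4.25", "198.51.100.80", dport=80, syn=True)),
    ("reply to wireless client",
     Packet("198.51.100.80", "172.16.4.25", dport=1050, syn=True, ack=True)),
    ("wireless to administrative server",
     Packet("172.16.4.25", "192.0.2.5", dport=23, syn=True)),
    ("new connection to a wireless host",
     Packet("198.51.100.7", "172.16.4.25", dport=80, syn=True)),
    ("IPX frame",
     Packet("0000AB01.005056AABBCC", "0000AB02.005056DDEEFF", l3="ipx")),
    # Permitted by address and port, yet it carries an ID and password in the
    # clear: this is the part of the conditions of use a router cannot enforce.
    ("POP3 login from wireless",
     Packet("172.16.4.25", "198.51.100.80", dport=110, syn=True)),
]


def evaluate(flows):
    """Map each labelled flow to the action the rules take on it."""
    return {label: decide(pkt)[0] for label, pkt in flows}


if __name__ == "__main__":
    for label, pkt in SAMPLE_FLOWS:
        action, reason = decide(pkt)
        print(f"{action:6} {label}: {reason}")
```

The last sample flow is permitted even though it exposes credentials, which is why the conditions of use rely on user behaviour as well as router rules.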


Estimated Budget

Description                          Cost      Expected Life Cycle
Router components                    $27,000   3 years
Distribution Electronics             $26,000   3 years
6 Access Points for public access    $9,000    1 to 2 years
Access Point installation            $4,000    10 years
20 Client Cards                      $3,000    1 to 2 years
Total                                $69,000

Notes:

  1. Existing network infrastructure (routers, fiber optic cable, etc.) will be utilized, but is not reflected in costs.
  2. Maintenance for router and distribution components is covered under an existing contract. Maintenance for access points is not recommended due to their short life span.
  3. Due to the rapidly changing nature of the industry, access points are expected to become obsolete fairly quickly. Upgrade costs should be considered in overall budget planning.
  4. Client cards (approximately $150 each) will be purchased by the user.

Proposed funding sources

We propose using VCUnet HEETF allocations to fund the router components, distribution electronics, and access points for the initial installations. The remaining $7,000 could be covered from budget savings or other E&G sources.

School- and department-based installations would be funded by the requesting units.

Users would need to purchase their own client adapters unless funded under a school- or department-based initiative.


Future Development

The information provided in this proposal pertains to the current wireless standard, 802.11b, and will need to be updated as newer standards emerge and products based on these standards appear in the market. 

Many other devices, such as some cordless phones and remote control devices, utilize the same radio frequencies as wireless networking. Should interference from these devices significantly impact wireless data communications, it may become necessary to develop an Airspace Policy that outlines guidelines for using the 2.4 GHz radio frequency.


Access Point Standards

Basic Access Point Requirements

  • Access points must adhere to IEEE 802.11b standards.
  • Access points must provide roaming.
  • Access points must be capable of accepting a common set of identifying alphanumeric characters (SSID field).
  • Access points must be capable of disabling broadcast SSID.
  • Access points must be capable of providing WEP 128 bit encryption or better security.
  • Access points must have flash upgradeable firmware.

Access Point Purchasing Recommendations

The following access points have been tested and conform to all requirements of this standard:

  • Cisco Wireless LAN 350 Access Points

Access Point Installation Requirements and Enforcement Procedures

Failure to comply with the requirements found in this document will be considered a violation of the Computer and Network Use Policy.

  • Access Points may not be installed or operated by anyone other than VCUnet or others designated by VCUnet. Access Points are considered to be network equipment, similar to hubs and switches. As such, they fall under the VCU Information Security Policy and may be attached to the VCU network only by VCUnet staff or others designated by VCUnet. Any access point found improperly installed, as defined herein, is subject to removal from the network. Access points installed by unauthorized personnel, even if properly configured, will result in a disciplinary letter sent to the responsible party's management by Technology Services.
  • An area being considered for wireless LAN coverage will be site surveyed by VCUnet to determine placement of the access points and range of coverage. VCUnet will identify possible interference sources and the impact of the new access point on existing University and Health System environments. Should it appear that a new AP would interfere with an existing installation, VCUnet will attempt to reach a mutually agreeable resolution between the affected parties. If an agreement cannot be reached, preference will be given to the existing installation. The rejected installation request may be appealed to VCU senior management.
  • Wireless network transmissions must not interfere with or impact any clinical activity or other mission critical operation. If it is discovered that a specific access point is associated with such interference or impact, it will be disabled immediately.
  • All access points are to be connected to the special wireless infrastructure. Access points may not be connected to the normal wired infrastructure due to security concerns. Any access point discovered on the normal wired network after the transition period will be disabled immediately and the responsible departmental contact notified. Repeat offenders will be reported to their management and the access points physically removed until the situation is corrected.
  • VCUnet will configure all access points with the following critical parameters:
    • Broadcast SSID must be disabled on all access points attached to the network.
    • Multi-domain roaming (Cisco) or Extended Roaming (3Com) must be enabled.
    • The SSID parameter will be set to the approved common VCU alphanumeric character string.
    • The password on all equipment must be changed from the default to a strong password.
  • Individual units will develop WLAN coverage maps for all buildings for which they are responsible. Coverage maps will be submitted to VCUnet.
  • Any unit desiring to install a private wireless network (i.e. not part of the campus roaming infrastructure, but still attached to VCUnet) may request an exception to these requirements. VCUnet will work with the requesting department to construct a customized wireless plan, but the security of the University network must not be degraded.
  • Generally, these requirements are not meant to apply to standalone wireless installations where no device is attached to the University network. Departments are free to experiment in a non-connected environment. However, departments should consider the security needs of any devices attached to the standalone wireless network. The potential of an accidental cross connection with an attached wireless network cannot be ignored, so departments should still coordinate with VCUnet before energizing any access points.
  • Wired Equivalent Privacy (WEP) is the data encryption mechanism that is defined in the 802.11b standard. WEP provides for two levels of encryption: 64-bit or 128-bit encryption. WEP has a number of flaws that make it vulnerable to snooping, and the current implementation of WEP is generally considered to be insecure. Additionally, there are reported problems with cross-vendor implementations of WEP. Accordingly, VCU will not use WEP until the manufacturers can correct these issues. The requirement for 128-bit WEP and flash upgradeable firmware when purchasing access points is in recognition that compatibility and security issues will in fact be corrected and VCU will then require that these features are enabled.
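
One way to check an access point inventory against the critical parameters and attachment rules above (an added example, not part of the VCU standard). The inventory columns, the overlay range `172.16.0.0/16`, the SSID string and the function names are placeholders assumed for the illustration.

```python
import csv
import io
import ipaddress

# Assumptions for this example, not values from the VCU standard.
WIRELESS_OVERLAY = ipaddress.ip_network("172.16.0.0/16")  # special wireless infrastructure
APPROVED_SSID = "EXAMPLE-CAMPUS-SSID"                     # approved common string
AUTHORIZED_INSTALLERS = {"VCUnet"}                        # add designees here

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """\
name,mgmt_ip,installed_by,ssid,broadcast_ssid,roaming,default_password
ap-lib-01,172.16.4.10,VCUnet,EXAMPLE-CAMPUS-SSID,off,on,no
ap-lab-02,10.20.30.40,dept-staff,linksys,on,off,yes
ap-hall-03,172.16.9.21,VCUnet,example-campus-ssid,off,on,no
"""


def _text(row, key):
    """Field value as a stripped string; empty if the column is missing."""
    return (row.get(key) or "").strip()


def _flag(row, key):
    """True/False for on/off style fields, None if missing or unreadable."""
    value = _text(row, key).lower()
    if value in ("on", "yes", "true", "1"):
        return True
    if value in ("off", "no", "false", "0"):
        return False
    return None


def audit_access_point(row):
    """Return the list of findings for one inventory row (empty if compliant)."""
    findings = []
    try:
        on_overlay = ipaddress.ip_address(_text(row, "mgmt_ip")) in WIRELESS_OVERLAY
    except ValueError:
        on_overlay = False  # an unreadable address is treated as non-compliant
    if not on_overlay:
        findings.append("not attached to the wireless infrastructure")
    if _text(row, "installed_by") not in AUTHORIZED_INSTALLERS:
        findings.append("installed by someone other than VCUnet or a designee")
    if _text(row, "ssid") != APPROVED_SSID:  # the network name is case sensitive
        findings.append("SSID is not the approved common string")
    # Unknown values fail closed: a setting counts only when it is confirmed.
    if _flag(row, "broadcast_ssid") is not False:
        findings.append("broadcast SSID not confirmed disabled")
    if _flag(row, "roaming") is not True:
        findings.append("roaming not confirmed enabled")
    if _flag(row, "default_password") is not False:
        findings.append("default password not confirmed changed")
    return findings


def audit_inventory(text):
    """Audit a CSV inventory and return {access point name: findings}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["name"]: audit_access_point(row) for row in reader}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```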


Client Configuration Standards

System-Dependent Information

It is assumed that any wireless NIC meeting the 802.11b standard should work with the VCU wireless network, although it is not guaranteed and will not be supported until the card is tested and verified by Technology Services. The following is a list of wireless NICs that have been tested and verified to work with the VCU wireless network:

Wintel Platforms 

  • Dell TrueMobile PC Card

  • D-Link Systems DWL-650 Wireless PCMCIA Card

  • Linksys WPC11

  • Cisco Aironet 340 Series

  • Cisco Aironet 350 Series

Apple Computers

Apple Computer offers AirPort, a wireless local area network (LAN) technology. The following computers support AirPort:

  • iBook - all models

  • PowerBook (FireWire)

  • PowerBook G4

  • iMac - iMac (Slot-Loading), iMac (Summer 2000), iMac (Early 2001)

  • Power Macintosh G3 (Blue and White)

  • Power Mac G4 - all models.

Personal Digital Assistants (PDAs)

Almost all current generation PDAs have expansion capabilities, and many can communicate wirelessly with the addition of an 802.11b wireless PCMCIA (PC Card), Compact Flash (CF), Secure Digital (SD) or a wireless plug-in module (e.g., Springboard module for Handspring PDAs).

The Cisco Aironet 340 Series has been verified to work in the Compaq iPAQ Pocket PC.

Wireless Card Configuration

There are certain configuration parameters that must be set correctly for the wireless NIC to communicate on the network. These parameters include ESSID (Extended Service Set Identifier/Wireless Network Name), Network Operation/Infrastructure Mode, WEP (Wired Equivalent Privacy), Transmit Rate/Data Rate and Card Power Management/Power Save Polling Mode (PSP). Other configuration parameters are not specified on all brands of wireless NICs, and their absence will not affect the performance of the wireless connection. However, if these options are present on the particular brand of NIC, they need to be set correctly.

ESSID (Extended Service Set Identifier)/Wireless Network Name

A wireless network name is the name of the wireless infrastructure network.  Each access point (AP) in a wireless network is configured with the name of that network.  Access to that network requires the correct network name in this field, which is case sensitive.  VCU wireless clients should check with their local IT administrator or help desk to find out the VCU SSID. 

Network Operation/Infrastructure Mode

There are two modes in the 802.11b standard: infrastructure and ad hoc. Infrastructure means that the clients communicate with each other and to the campus networks through an AP. Ad hoc mode is two or more wireless NICs communicating with each other without an AP. The VCU wireless network will use infrastructure mode.

WEP (Wired Equivalent Privacy)

WEP is the data encryption mechanism that is defined in the 802.11b standard. WEP provides for two levels of encryption: 64-bit or 128-bit encryption. WEP has a number of flaws that make it vulnerable to snooping, and the current implementation of WEP is generally considered to be insecure. Additionally, there are reported problems with cross-vendor implementations of WEP. Accordingly, VCU will not use WEP until the manufacturers can correct these issues.

Many wireless cards come with WEP turned off by default, but some vendors such as Intel ship cards with WEP encryption enabled and require users to set up a unique network name. 

If applications or users need a higher level of secure communication, use application layer security such as SSH (Secure Shell).  SSH is site-licensed by VCU and available for download and is also available on the Digital Toolkit CD for faculty and staff. 

Transmit Rate/Data Rate

The transmit rate identifies the preferred data rate of the client's connection and should be set to "Auto Rate". This setting will enable the client to move to a slower rate as the signal strength drops. This feature is useful when clients are on the fringes of a wireless cell or are experiencing performance problems due to interference.

Card Power Management/Power Save Polling Mode (PSP)

Power management causes the client to sleep for short periods of time and can increase battery life. The access point will buffer its messages during this sleep period and then transmit them when the client is active again. Power management does cause a more active use of the wireless medium and can lead to collisions and transmission delays. VCU recommends not using power management and users should turn this feature off. Some wireless NICs have options for Continuous Awake Mode (CAM) and Power Save Polling mode (PSP). The setting should be set to CAM.

Other NIC-Specific Configuration Parameters:

BSSID (Basic Service Set Identifier)

The BSSID is the name given to an individual access point.  Two or more Basic Service Set Identifiers form an Extended Service Set (ESS).  This is an option on a few brands of wireless NICs, and generally the field should be blank.

Maximum Sleep Duration

The maximum sleep duration is an interval that a wireless device will listen to detect traffic directed to itself.  The default value of 100 milliseconds should be kept.

Receive All Multicasts

This option should be enabled since it is necessary for proper connectivity to the campus network.

Interference Robustness

This option can be activated when in-band interference such as from microwave ovens slows the performance of the wireless network.  Usually, this feature should be turned off unless there is an unusual amount of interference that is affecting signal quality.  VCUNet should be contacted for assistance if in-band interference is suspected.

AP Density

This option is used to optimize load balancing of the number of users in areas where clients can choose from more than one AP.  This option should be left at Low. 

Client Name

This option has no bearing on connectivity or performance, and the field can be left blank. 

MAC Address

This field should be left blank.

Installation Guide for Wireless on Windows-Based Computers
  1. Load the PC Card drivers that are on the CD that you should have received with the wireless card.
  2. The parameters covered in Appendix A should be used.  During the installation of the drivers, you will be asked for the SSID or ESSID, which is the wireless network name.  You need to contact your local IT administrator to obtain this name. Using the default ANY is not recommended for security reasons. 
  3. For Network Mode, select "Infrastructure" to connect to an access point. 
  4. Wired Equivalent Privacy (WEP) encryption should not be enabled. Consider using SSH Secure Shell for more robust security and protection of your passwords and data. SSH is site-licensed by VCU and available for download.
  5. Complete the installation of the driver software by following the directions and prompts.
  6. Install the wireless PC Card in your laptop's PC Card slot, and Windows should recognize this new card.  If prompted, restart the computer.

Installation Guide for Wireless on Apple Computers

Mac OS 8.6 or later is required to run AirPort.  The parameters listed in Appendix A should be used when configuring the client. The AirPort card is designed for user installation and is easily installed by plugging the card into the appropriate slot and running the installation software.   An iBook can be purchased with wireless capability or an AirPort Card can be added later.

For further information see:

 http://til.info.apple.com/techinfo.nsf/artnum/n58414
 http://til.info.apple.com/techinfo.nsf/artnum/n58415
 http://til.info.apple.com/techinfo.nsf/artnum/n60422

Installation Guide for Wireless on Personal Digital Assistants (PDAs)

A number of wireless card vendors provide updated drivers for PDAs and configuration and install guides on their web sites:

Cisco Aironet Card for Pocket PC:

http://www.ciscosystems.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/win_ce/index.htm

Symbol CF Wireless LAN Card:

http://www.symbol.com/products/wireless/la4137.html

Novatel Guides:

http://www.novatel.com/Products/productmanuals.html

Compaq wireless card information:

www.compaq.com

The University of Minnesota Duluth has published configuration information for the iPAQ PocketPC: http://www.d.umn.edu/itss/computing/ipaq/wireless.html


Conditions of Use for Wireless Connections

Current wireless network technology provides very little in the way of information security and significantly lower bandwidth than a traditional wired connection. These Conditions of Use take the limitations of wireless technology into consideration and are designed to protect your valuable information and privacy as well as provide an equitable access opportunity for all users.

  1. Failure to comply with the requirements found in this document will be considered a violation of the Computer and Network Use Policy.
  2. Faculty and staff are prohibited from accessing critical administrative and academic servers from the wireless network.
  3. Wireless networks should not be used to transmit any sensitive information, such as social security numbers, account numbers, PINs, clinical information associated with a specific patient, etc. All users should consider the danger of accessing any resource that requires an ID and Password login sequence. Data is relatively easy to capture from the wireless network. Users should refrain from accessing any critical or sensitive resource using the wireless network. For example, faculty members should not log into the Blackboard server using wireless technology since doing so could allow someone else to capture the ID and password, thus compromising grade books, course material, and so on.
  4. Users shall refrain from transmitting or downloading files over the wireless network large enough to negatively affect other users.
  5. Users will not establish servers on the wireless network.
  6. Users will comply with all other requirements found in the VCU Information Security Policy.
  7. All devices connecting to the wireless network must have virus protection software installed and enabled and up-to-date virus definition files loaded.


 

701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177