UK WLAN Deployment Survey
Tim Chown
Electronics and Computer Science Department
University of Southampton (UK)
TERENA TF-Mobility Meeting, Amsterdam
10th February 2003
UK WLAN survey
• Run jointly by UKERNA and University of Southampton
– UKERNA interested in general access for UK HE community – e.g. includes microwave point-to-point links
– UoS has small JISC-funded WLAN project (MAWAA: Mobile Ad-Hoc Wireless Access for Academia)
• Questionnaire on UKERNA web site
– Results collated jointly and being analysed by UoS with a view to some follow-up visits.
Preliminary survey results
WLAN usage survey
• First stage complete
– 37 (+4) survey replies
– Quite detailed questionnaire
– Probably enough replies to gain some insight into trends, but over 200 universities and 300+ FE colleges use JANET network
– Appears that most deployments are in early stages, thus timely to recommend best practice
– Figures for UMTS/GPRS/etc not presented here
• Site interviews and visits to follow
– Six sites identified
– Final survey report by end of February 2003
Deployed Trialling Planning Total
Fixed Wireless:
Wireless LAN 802.11a: 4 3 5 12 32%
Wireless LAN 802.11b: 21 6 4 31 84%
HiperLAN1: 1 1 3%
HiperLAN2: 0 0%
Wireless DSL: 3 3 8%
One-way Satellite: 1 1 3%
Two-way Satellite: 1 1 2 5%
Mesh radio: 2 3 5 14%
Security/access control
• (Intentional) Guest access – 2 sites
• No one reported any wireless-related (known) security incidents
MAC Filtering 14 38%
WEP 11 30%
Traditional (Firewall & VPN) 10 27%
802.1x / Dynamic WEP 4 11%
Comments on the responses
General concerns (1)
• Security of the wireless medium
– Access (MAC filtering acknowledged as weak)
– Data snooping where no WEP/VPN
• Publicised issues with WEP
– Weak keys, need to see lots of traffic to break
• 802.11b/802.11a interoperability
– Fear of future changes making new deployment obsolete
• Marginal connectivity issues
– Users tend to gather near to APs, prefer wires
– Many university buildings have very thick walls
• Some hard-to-diagnose WLAN problems
– Particularly where large numbers of devices
General concerns (2)
• Bandwidth in large deployment
– Impact of multicast
• Wireless too “time consuming” to deploy
• Supporting client software where required
• Rogue access points on internal VLANs
– Breaks “wired security” of VLAN
– Frequency/channel interference
• Rogue access points on same ESSID
– Potential man-in-the-middle attacks
– 802.1x authentication to wrong AP?
• Offering mobility in multi-subnet wireless network
• Management of large (100+ AP) deployments
Good points
• Very few interoperability issues reported between wireless technologies
– But a few reported between vendor equipment
– Cheap commodity access points more problematic
• Many universities want to deploy and support campus-wide mobile wireless services
– Some plan SMS or GPRS integration
– Very few plans for location-aware services yet
• Many different VPN solutions available
– But require client software and support
– Common comment to treat WLAN like a “dial-up” (with associated VPN, firewall and other implications)
• Can use wireless access controls on wired networks also
Securing access:
• Some FUD factors:
• WEP
– Little confidence in the technology
• VPN/BlueSocket
– Perceived as complex
• 802.1x
– Perceived as complex
– Not widely supported yet
• Thus deployment is cautious
RoamNode
• Developed at Bristol
– Freely available, open system
• Integrated authentication, VPN, IDS
• Uses NAT internally, Public IPs via VPN
• Syslogging can be used
• Web-based management
– RADIUS back-end (e.g. FreeRadius)
• Runs on commodity PC hardware
• Requires client software
– Already present on Windows XP
• QoS and SNMP extensions being implemented
WNap
• A community wireless project
• Offers initial connectivity to a local WLAN
• Private IP address assigned by DHCP
– Can then communicate in the local WLAN
• Must authenticate to and join VPN to access external services
– Established via RADIUS back-end
• Similar in spirit to Open.Net
– (a system available in Sweden/Stockholm)
BlueSocket
• Commercial solution
– Deployment of a “black box” system
• Offers VPN solution
– One box can serve a /24 network
• Cost seems high: £5,000 per box?
– Do we want to go down proprietary paths?
• Was presented at UK Networkshop 2002
• (will determine more from the Open University site visit)
The MAWAA project
MAWAA project goals
• Embrace pervasive wireless network access
• Vision of wireless campus
– Rapidly growing staff + student use of laptops, PDAs
– 802.11b now, 802.11a/g becoming available and UK open
– PDAs now available with built-in Wireless LAN adaptors
• Consistent access method in UK (+ EU) HE
• Evaluate security and access mechanisms
– Access control desirable for (civil) accountability
– Encryption of Wireless LAN data desirable
• Trial technologies
MAWAA requirements
• Consistent access control mechanism
– Needs consistent authentication back-end
– The detailed site mechanisms may vary
– (Inter)national interoperability is highly desirable
– Integration of cheap commodity equipment is desirable
• Support at the IP layer
– IPv6 emerging
– May wish to apply IP layer security
• Ideally usable at application level
– Can we have single access control and resource access?
• Ease of use (for users and administrators)
MAWAA deliverables
• WLAN deployment survey
– Look at WLAN deployment barriers
– Seek out best current practice in UK HE
– Results and interviews (Feb ’03)
• Technology review
– Includes promising technology, e.g. 802.1X + RADIUS
– Access technology report (Apr ’03)
• Site deployment trials
– Trying best concepts from technology review
– Demonstrate interoperability with UK + EU sites
– Final report (Jul ’03)