UK WLAN Deployment Survey Tim Chown Electronics and Computer Science Department University of Southampton (UK) tjc@ecs.soton.ac.uk TERENA TF-Mobility Meeting, Amsterdam 10th February 2003


UK WLAN Deployment Survey

Tim Chown
Electronics and Computer Science Department
University of Southampton (UK)

tjc@ecs.soton.ac.uk

TERENA TF-Mobility Meeting, Amsterdam
10th February 2003


UK WLAN survey

• Run jointly by UKERNA and University of Southampton
  – UKERNA interested in general access for UK HE community – e.g. includes microwave point-to-point links
  – UoS has small JISC-funded WLAN project (MAWAA: Mobile Ad-Hoc Wireless Access for Academia)
• Questionnaire on UKERNA web site
  – Results collated jointly and being analysed by UoS with a view to some follow-up visits.


Preliminary survey results


WLAN usage survey

• First stage complete
  – 37 (+4) survey replies
  – Quite detailed questionnaire
  – Probably enough replies to gain some insight into trends, but over 200 universities and 300+ FE colleges use JANET network
  – Appears that most deployments are in early stages, thus timely to recommend best practice
  – Figures for UMTS/GPRS/etc not presented here
• Site interviews and visits to follow
  – Six sites identified
  – Final survey report by end of February 2003


                        Deployed  Trialling  Planning  Total     %
Fixed Wireless:
Wireless LAN 802.11a:          4          3         5     12   32%
Wireless LAN 802.11b:         21          6         4     31   84%
HiperLAN1:                                          1      1    3%
HiperLAN2:                                                 0    0%
Wireless DSL:                  3                           3    8%
One-way Satellite:                                  1      1    3%
Two-way Satellite:             1                    1      2    5%
Mesh radio:                    2                    3      5   14%


Security/access control

• (Intentional) Guest access – 2 sites
• No one reported any wireless-related (known) security incidents

MAC Filtering                  14   38%
WEP                            11   30%
Traditional (Firewall & VPN)   10   27%
802.1x / Dynamic WEP            4   11%


Comments on the responses


General concerns (1)

• Security of the wireless medium
  – Access (MAC filtering acknowledged as weak)
  – Data snooping where no WEP/VPN
• Publicised issues with WEP
  – Weak keys, need to see lots of traffic to break
• 802.11b/802.11a interoperability
  – Fear of future changes making new deployment obsolete
• Marginal connectivity issues
  – Users tend to gather near to APs, prefer wires
  – Many university buildings have very thick walls
• Some hard-to-diagnose WLAN problems
  – Particularly where large numbers of devices


General concerns (2)

• Bandwidth in large deployment
  – Impact of multicast
• Wireless too “time consuming” to deploy
• Supporting client software where required
• Rogue access points on internal VLANs
  – Breaks “wired security” of VLAN
  – Frequency/channel interference
• Rogue access points on same ESSID
  – Potential man-in-the-middle attacks
  – 802.1x authentication to wrong AP?
• Offering mobility in multi-subnet wireless network
• Management of large (100+ AP) deployments


Good points

• Very few interoperability issues reported between wireless technologies
  – But a few reported between vendor equipment
  – Cheap commodity access points more problematic
• Many universities want to deploy and support campus-wide mobile wireless services
  – Some plan SMS or GPRS integration
  – Very few plans for location-aware services yet
• Many different VPN solutions available
  – But require client software and support
  – Common comment to treat WLAN like a “dial-up” (with associated VPN, firewall and other implications)
• Can use wireless access controls on wired networks also


Securing access:

• Some FUD factors:-
• WEP
  – Little confidence in the technology
• VPN/BlueSocket
  – Perceived as complex
• 802.1x
  – Perceived as complex
  – Not widely supported yet
• Thus deployment is cautious


RoamNode

• Developed at Bristol
  – Freely available, open system
• Integrated authentication, VPN, IDS
• Uses NAT internally, Public IPs via VPN
• Syslogging can be used
• Web-based management
  – RADIUS back-end (e.g. FreeRadius)
• Runs on commodity PC hardware
• Requires client software
  – Already present on Windows XP
• QoS and SNMP extensions being implemented


WNap

• A community wireless project
• Offers initial connectivity to a local WLAN
• Private IP address assigned by DHCP
  – Can then communicate in the local WLAN
• Must authenticate to and join VPN to access external services
  – Established via RADIUS back-end
• Similar in spirit to Open.Net
  – (a system available in Sweden/Stockholm)


BlueSocket

• Commercial solution
  – Deployment of a “black box” system
• Offers VPN solution
  – One box can serve a /24 network
• Cost seems high: £5,000 per box?
  – Do we want to go down proprietary paths?
• Was presented at UK Networkshop 2002
• (will determine more from the Open University site visit)


The MAWAA project


MAWAA project goals

• Embrace pervasive wireless network access
• Vision of wireless campus
  – Rapidly growing staff + student use of laptops, PDAs
  – 802.11b now, 802.11a/g becoming available and UK open
  – PDAs now available with built-in Wireless LAN adaptors
• Consistent access method in UK (+ EU) HE
• Evaluate security and access mechanisms
  – Access control desirable for (civil) accountability
  – Encryption of Wireless LAN data desirable
• Trial technologies


MAWAA requirements

• Consistent access control mechanism
  – Needs consistent authentication back-end
  – The detailed site mechanisms may vary
  – (Inter)national interoperability is highly desirable
  – Integration of cheap commodity equipment is desirable
• Support at the IP layer
  – IPv6 emerging
  – May wish to apply IP layer security
• Ideally usable at application level
  – Can we have single access control and resource access?
• Ease of use (for users and administrators)


MAWAA deliverables

• WLAN deployment survey
  – Look at WLAN deployment barriers
  – Seek out best current practice in UK HE
  – Results and interviews (Feb ’03)
• Technology review
  – Includes promising technology, e.g. 802.1X + RADIUS
  – Access technology report (Apr ’03)
• Site deployment trials
  – Trying best concepts from technology review
  – Demonstrate interoperability with UK + EU sites
  – Final report (Jul ’03)