Best Practices: Wireless Security

As manager of network and PC services for Adams 12 Five Star Schools in Thornton, Colorado, Scott Friberg has spent the last two years building an extensive wireless network that spans 47 schools and serves 36,500 students and 4,500 staff members. School CIO spoke with Friberg about the challenges of securing the network and making sure its wireless traffic is safe.

Q. What kind of wireless network do you have?
A. We’ve had some form of wireless for about five years now, but we launched our current iteration about two years ago. Today, we’re using equipment [from a company] called Chantry, which has recently been bought out by Siemens. [The product is a] centrally controllable appliance called BeaconMaster, but Siemens renamed it the C1000 series. It’s like a router, but a router that talks to all of the access points. With this, we can have all of the programming, control, and security in one central location, and use that to control all of our access points. We have 150 access points in all, delivering wireless to all of our schools. On top of that, most of our schools have wireless labs—laptop carts with access points built in.

Q. How are you securing the network?
A. Obviously, we’ll use Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). Those are huge pieces of it. We have either 64- or 128-bit encryption turned on at all times. We like to have access lists if we can, which list approved users by the Media Access Control (MAC) addresses of their machines. We like our users to authenticate through the system. We like to check and make sure that in each school there’s not a lot of bleed of signal outside the building. We’ll turn the signal down on perimeter locations so people outside school can’t access it. We also have a couple of different networks. We have one network where users can get on the Internet and nothing else. Users on another network can access printers, servers, and other things. This way, anyone can walk in and do some basic Internet, but he can’t get into his e-mail or servers because he doesn’t have those rights.

Q. What kind of threats are you most worried about?
A. One of the threats is just bandwidth use. It’s a threat to have connectivity and know that our users can saturate the bandwidth easily, depending on the application. We definitely don’t want people from the outside getting in as this saps bandwidth big-time. Another reason we require that only people affiliated with the schools can get in is because we want to make sure users have all of the latest anti-virus software. The last thing we want is someone unknowingly releasing a virus on the network. I’d say that’s the biggest threat—people getting on to your network with equipment that’s not up to the same security standards as everything else.

Q. What has been the biggest challenge for you in securing wireless?
A. A big challenge is getting enough access points to get the coverage we need in our buildings. Our staff was so desperate for wireless that they wanted it everywhere. We didn’t want to provide that. Having wireless inside our buildings and outside so kids can wander aimlessly with laptops creates too many challenges. We figure if we limit access to inside the buildings, we can control it better. Supervision is a huge challenge. You just can’t have everybody walking around able to use network resources without some type of supervision.

Q. Do your users know the network is secure?
A. They do. We work with them on passwords and access codes and policies and expectations. You’re not going to just walk into a building and get on our networks. You have to have all the codes and pieces to make them work.

Q. Would you ever consider running VoIP over wireless?
A. We’re talking about that sort of thing now. The brand we bought, Siemens, is good at doing voice over wireless. The question is all about quality of service. Can you deliver voice over wireless and compromise neither data nor voice? Bandwidth is a key to answering that question—we need to be able to support every teacher picking up a phone at the same time. Until we can do that, I don’t think we’ll go there.

Matt Villano is contributing editor of School CIO.