Overview
Purpose
The standard and guidelines described in this document will ensure the uniformity of wireless network access points within the University.
Detail
Development of the Wireless Network Standard
The wireless networking equipment available supports varying levels of industry communication standards. At present, the IEEE 802.11b/g standard is widely accepted throughout the industry and provides the necessary balance of range, network throughput, and support for device mobility to effectively serve most needs of the University community. As newer standards emerge, such as IEEE 802.11 enhancements, they will be evaluated and deployed should they offer security and throughput improvements over 802.11b/g.
It is the University's goal to offer the most advanced technology available while ensuring that the University Community benefits from stable and reliable service. Pitt IT will continue to evaluate available wireless network industry standards and equipment to ensure that the University meets this goal.
Definitions
Wireless Access Point
A wireless communications hardware device that creates a central point of wireless connectivity. A wireless access point behaves much like a "hub" in that the total bandwidth is shared among all users for which the device is maintaining an active network connection.
Wireless Port
A network port that has been installed to connect a wireless access point to the University's wired network. Wireless ports provide both data and power service to the wireless access point and are clearly distinguished from ordinary network ports by an affixed yellow warning label. Because wireless ports carry both data and electrical power, ordinary end-user devices could be severely damaged if they are connected to this type of port.
Wireless client software or built-in 802.1x supplicant
Pitt IT provides client software that allows a computer to utilize 802.1x authentication to the wired and wireless networks. Some operating systems have built-in support for 802.1x and can be used for accessing the University’s networks. The University-provided client software will be preconfigured to support the specific setup for PittNet Wi-Fi.
Coverage Area
The geographical area in which acceptable wireless service quality is attainable. Coverage areas for similar devices can vary significantly due to the presence of building materials, interference, obstructions, and access point placement.
Interference
Degradation of a wireless communication radio signal caused by electromagnetic radiation from another source, including other wireless access points, cellular telephones, microwave ovens, medical and research equipment, and other devices that generate radio signals. Interference can either degrade a wireless transmission or eliminate it entirely, depending on the strength of the signal generated by the offending device.
Privacy
The condition that is achieved by successfully maintaining the confidentiality of personal, student, employee, and/or patient information transmitted over a wireless network.
Security
Security is particularly important in wireless networks because data is transmitted using radio signals that, without implementation of specific data encryption mechanisms, can easily be intercepted.
Wireless Network Infrastructure
The collection of all wireless access points, antennas, network cabling, power, ports, hardware, and software associated with the deployment of a wireless communication network.
Wired Equivalent Privacy (WEP)
A security protocol for wireless networks defined within the 802.11b standard. WEP is designed to provide the same level of security as that of a wired network. Recent reports indicate that the use of WEP alone is insufficient to ensure privacy unless used in conjunction with other mechanisms for data encryption.
WPA
Short for Wi-Fi Protected Access, a Wi-Fi standard that was designed to improve upon the security features of WEP. This technology features improved data encryption through the temporal key integrity protocol (TKIP) and user authentication through the extensible authentication protocol (EAP), PEAP – MSChapV2. PittNet Wi-Fi utilizes the WPA protocol.
802.1x
This standard enhances the security of local area networks by providing an authentication framework allowing users to authenticate to a central authority, such as LDAP or Active Directory. In conjunction with 802.11 access technologies, it provides an effective mechanism for controlling access to the wireless local area network.
802.11a
An extension to the 802.11 standard developed by the IEEE for wireless network technology. 802.11a applies to wireless local area networks and supports a maximum connect rate of 54 Mbps in the 5GHz band. This specification is not backward compatible with 802.11b/g and requires special wireless adapters.
802.11b
An extension to the 802.11 standard developed by the IEEE for wireless network technology. 802.11b applies to wireless local area networks and supports a maximum connect rate of 11 Mbps with fallback to 5.5, 2, and 1 Mbps in the 2.4GHz ISM band. This standard was ratified in 1999.
802.11g
An extension to the 802.11 standard that allows for a maximum connect rate of 54 Mbps while maintaining compatibility with the 802.11b standard in the 2.4GHz band. This specification is compatible with and complementary to the 802.11b standard.
802.11i
An extension to the 802.11 standard to provide improved security over that which is available under 802.11 extensions. This extension provides for improved encryption methods and for the integration of the IEEE 802.1x authentication protocol as well as advanced encryption mechanisms such as AES (Advanced Encryption Standard), for an optional, fully compliant implementation of 802.11i.
802.11n
Uses multiple transmitter and receiver antennas (also known as multiple-input and multiple-output, or MIMO) to allow for increased data throughput and range. This standard was ratified in 2009. Pre-standard hardware is commercially available and not compatible with PittNet Wi-Fi.
Infrastructure Mode
The operating mode for wireless networks in which each end-user device is configured to associate with a wireless network access point through which network services are accessed.
Ad Hoc Mode
The operating mode for wireless service in which end-user devices interact with each other in a "peer-to-peer" configuration. Ad hoc mode does not require the use of a wireless network access point.
Utilization
Prior to the installation of any wireless devices, Pitt IT will review the usage requirements for the area in question to determine the optimum number of wireless access points needed to efficiently support all users in the area simultaneously. Space configuration, construction materials, anticipated number of end-user devices to be served, and potential sources of radio frequency interference will be taken into consideration when conducting a site survey.
Pitt IT will provide support for infrastructure mode installations only. These installations require at least one wireless access point. Ad hoc wireless mode will not be supported.
In order to prevent problems caused by radio interference, to ensure the integrity of University resources, and to ensure the widest availability of reliable wireless networking services, the University shall remain the sole owner of all unlicensed spectrums of radio frequencies available for use on any of its campuses and related properties.
Network Bandwidth
The maximum network bandwidth available through a single wireless access point under the 802.11b/g standard is 54 Mbps and is shared by all users connected to that access point. A standard wired network port provides switched 100 Mbps dedicated bandwidth.
On a wired network, throughput per user is higher because direct bandwidth competition is eliminated for users of switched ports and a dedicated 100 Mbps is allotted for each user. Because wireless network access users share the available bandwidth, network performance can be diminished as additional wireless users connect to the access point. Bandwidth-intensive applications will diminish the available shared bandwidth for all users in the coverage area. Actual throughput within wireless coverage areas will vary depending on the number of users and the types of applications being used on client computers. Client computers using 802.11b-only adapters will diminish the available bandwidth significantly because of the way the 802.11b/g standard has been developed to support backward compatibility. As such, Pitt IT recommends that client adapters support 802.11b/g as the preferred access method. Wireless network installations work well for low-bandwidth activities, such as web browsing and email. High-bandwidth activities, including streaming video, MP3 sharing, and videoconferencing, are likely to result in reduced performance and should be discouraged by University units until industry standards and equipment become available to support these activities. Current wireless network technology permits 15-25 users to utilize a single wireless access point effectively, despite vendor claims that much larger numbers of users can associate with a single wireless access point. See the Bandwidth Usage Guideline section for additional details.
Wireless Networking Guidelines
Equipment
Integration of wireless network access points or other wireless communications equipment into the University of Pittsburgh network will only be performed by Pitt IT.
University students, faculty, staff, and units may purchase the Wi-Fi certified wireless network interface adapters of their choice to connect end-user devices to the University's wireless networks.
University units will be required to remove any wireless network infrastructure equipment (Wi-Fi routers and bridges) not installed by Pitt IT.
Wireless network access points will be connected to the University's wired network by means of a specially designated wireless port that will be installed specifically for this purpose. University units and individuals may not disconnect a wireless access point from its associated wireless port or interfere with any components of the wireless AP assembly including antennas, antenna cables, or management cables. Wireless ports are specially configured to supply electrical power to the wireless access point and may cause permanent damage to an improperly connected end-user device.
Wireless network installations at University locations consist of the necessary Wi-Fi certified wireless access point devices. The number of access points required will be determined by initial estimates of demand for users and the size of the area to be covered. If the number of users to be served exceeds the practical number of users that can connect to a single access point with sufficient bandwidth available to each user, additional access points may be installed. In areas with a high density of users, such as classrooms and lecture halls, additional access points will be installed to satisfy the usage requirements. All wireless access point devices will be installed and maintained by Pitt IT.
Network Reliability
In order to ensure the reliable performance of the University's network, Pitt IT will investigate reports of specific wireless devices that are suspected of causing interference and performance problems in the same manner in which Pitt IT investigates reports of specific devices connected to wired ports that are suspected of causing disruption. Although Pitt IT will not actively monitor content carried on the University's wireless network radio frequencies when investigating reports of potentially interfering devices, wireless network detection equipment will be used to detect unauthorized wireless network equipment. Units will be required to remove any such equipment found in unit-controlled University space.
Wireless access service is provided based on the anticipated utilization data gathered during initial site surveys conducted by Pitt IT. As the number of users increases, effective wireless network performance may be diminished.
Current industry standards for wireless network service do not provide sufficient throughput to effectively support bandwidth-intensive applications and network services. Pitt IT prohibits the use of serving-based applications (file, web, media servers) on PittNet Wi-Fi.
Pitt IT will address problems encountered in the use of wireless network services according to the following priority list: public access, academic, research, administrative, and staff use.
Security
Access to the University's wireless networks will require all authorized users in all areas to authenticate to the network using their assigned University Computing Account username and password through the use of University-provided wireless client software or 802.1x supplicant. Network access logs will be maintained containing the username, time of access, and duration of use for all users who access the network using wireless connections. This information will be provided to authorized governmental authorities if the University is required to release such information.
Wireless technology deployed at the University of Pittsburgh includes the use of WPA (Wi-Fi Protected Access), which provides improved data encryption through the temporal key integrity protocol (TKIP) and user authentication through the extensible authentication protocol (EAP). To provide additional security, all University wireless networks will require authentication of end users to the network upon connection of any wireless end user device using an 802.1x supplicant or provided wireless client software. Each user will be required to authenticate to the network using his or her University Computing Account and password. The University's Central Directory Service will be used as the basis for authentication to services, including wireless network access.
The use of WPA and 802.1x for user authentication will provide advanced security levels for the activities of University wireless network users. Now that Temporal Key Integrity Protocol (TKIP) and even Advanced Encryption Standard (AES) can be practically deployed, Pitt IT will stop supporting older, less secure security methods at some point in the future. Reports have been published demonstrating the weaknesses in the WEP protocol and stating that it should not be used to protect sensitive data, such as identifiable patient information, payroll, and student data. With the use of the newer and more advanced encryption mechanisms and user authentication protocols, these weaknesses are mitigated. Although the wireless network is now as secure as the wired network, the University will prevent wireless access to these kinds of data when such data are stored on protected central services. Units using the wireless network in their areas for day-to-day operations will not be granted exceptions through the Pitt IT firewalls to gain native access to sensitive information via PittNet Wi-Fi without the use of a VPN (Pitt VPN or IPSec).
University students, faculty, staff, and units must follow the terms of all applicable University acceptable use policies, network usage guidelines, and all applicable local, state, and federal regulations when using equipment connected to the University's network whether or not the individual is using wireless or wired network connections. Violations of such guidelines will be reported to the University's computer incident response team and may be forwarded to the appropriate University or governmental authorities.
University students, faculty, staff, and units should be aware that the use of wireless network connections may increase the risk that confidential information can be intercepted by unauthorized or unintended parties. This risk is inherent in wireless network technology irrespective of security measures that can be implemented by the University. Users should avoid sending or receiving confidential or other sensitive data via wireless connections whenever possible.
Wireless Usage
Some services can have a negative impact on a wireless network because they generate a high level of activity on the network. Such services can negatively affect your wireless network performance and the network performance of other wireless users. The wireless network is a shared resource, which means the bandwidth available to each user of an access point will decline as high-bandwidth services are used. If a student, faculty member, or staff member has a need for a service that requires high bandwidth, a wired network connection should be used.
The following list provides examples of high bandwidth usage. Please note that this list is not all-inclusive.
You cannot use the computer you have connected to the wireless network as a server of any kind, such as:
- Web servers
- Peer-to-peer file sharing servers
- FTP servers
- Multiplayer game servers
An unsecured computer may have problems that will also result in high bandwidth usage. The following are examples of possible problems:
- Infections by worms or viruses
- Compromised systems running FTP, IRC, or other services or malicious spyware programs
Some activities may also use excessive wireless bandwidth. The following are some examples of user activities that consume high amounts of bandwidth:
- Reinstalling an operating system
- Downloading and installing applications
- Performing system backups
- Transferring large files (images, video, music, databases) to other systems
Airspace
Problems can occur if other devices use the same radio frequency range (2.4 GHz) as the wireless network. Because of the potential for conflicts, it is important for all users to understand which technologies are permitted in our environment and which are not permitted.
In order to provide wireless network service at the highest level of quality, all non-client devices that use the 2.4 GHz range should be removed from service in any University building. Only devices that are part of the PittNet Wi-Fi network will be permitted to use the 2.4 GHz range.
This includes any device that is used as a wireless base station or router, such as the Apple Airport Base Station, or any other wireless router. Cordless phones, cameras, and audio speakers that use the frequency band of 2.4 GHz or 5 GHz should also not be used in areas with wireless coverage.
If you think you have an existing system that may use 2.4 GHz radios for transmission, please contact the Technology Help Desk at 412-624-HELP (4357) to determine if such devices will interfere with wireless network service in your area.
Pitt IT Responsibilities
- Development and maintenance of the wireless standard and wireless guidelines.
- Installation and maintenance of all equipment supporting wireless network service at the University of Pittsburgh.
- Investigation and resolution of wireless communication interference problems.
- Deployment, management, and configuration of wireless network access in public areas, classrooms, and office areas.
- Development and implementation of wireless network security protocols and practices.
- Provision of user training on wireless network security issues and acceptable use of wireless network services.
- Performance and security monitoring for all installed wireless access points and provision of performance statistics to University units upon request.
- Monitoring of the development of wireless network technologies and evaluation of their potential use within the University's wireless infrastructure.
- Responding to problems reported to the Technology Help Desk in accordance with standard procedures and levels of service.
Wireless User Responsibilities
- Adherence to the wireless network standard and related guidelines and policies established by the University of Pittsburgh.
- Implementation of recommended security software, hardware settings, patches, and protocols on end-user equipment used to access the University's wireless networks.
- Following all relevant University policies and procedures along with federal, state, and local laws pertaining to the security of sensitive and confidential data when working with such data on the University's wireless networks.
- Installation of wireless network interface adapters according to published instructions.
- Assumption of responsibility for support and troubleshooting of problems when using wireless network interface adapters not supported by Pitt IT.
- Immediately reporting known misuse or abuse of the wireless network or associated equipment to the Technology Help Desk.