Overview about UKERNA survey


UK WLAN Deployment Survey
Tim Chown
Electronics and Computer Science Department
University of Southampton (UK)
TERENA TF-Mobility Meeting, Amsterdam
10th February 2003
UK WLAN survey
• Run jointly by UKERNA and University of
Southampton
– UKERNA interested in general access for UK
HE community – e.g. includes microwave point-to-point links
– UoS has small JISC-funded WLAN project
(MAWAA: Mobile Ad-Hoc Wireless Access for
Academia)
• Questionnaire on UKERNA web site
– Results collated jointly and being analysed by
UoS with a view to some follow-up visits.
Preliminary survey results
WLAN usage survey
• First stage complete
– 37 (+4) survey replies
– Quite detailed questionnaire
– Probably enough replies to gain some insight into trends,
but over 200 universities and 300+ FE colleges use
JANET network
– Appears that most deployments are in early stages, thus
timely to recommend best practice
– Figures for UMTS/GPRS/etc not presented here
• Site interviews and visits to follow
– Six sites identified
– Final survey report by end of February 2003
Columns: Deployed / Trialling / Planning / Total (%)
Fixed Wireless:
Wireless LAN 802.11a: 4 / 3 / 5 / 12 (32%)
Wireless LAN 802.11b: 21 / 6 / 4 / 31 (84%)
HiperLAN1: 1; total 1 (3%)
HiperLAN2: total 0 (0%)
Wireless DSL: 3; total 3 (8%)
One-way Satellite: 1; total 1 (3%)
Two-way Satellite: 1, 1; total 2 (5%)
Mesh radio: 2, 3; total 5 (14%)
Security/access control
MAC Filtering: 14 (38%)
WEP: 11 (30%)
Traditional (Firewall & VPN): 10 (27%)
802.1x / Dynamic WEP: 4 (11%)
• (Intentional) Guest access – 2 sites
• No one reported any wireless-related (known) security
incidents
Comments on the responses
General concerns (1)
• Security of the wireless medium
– Access (MAC filtering acknowledged as weak)
– Data snooping where no WEP/VPN
• Publicised issues with WEP
– Weak keys, need to see lots of traffic to break
• 802.11b/802.11a interoperability
– Fear of future changes making new deployment obsolete
• Marginal connectivity issues
– Users tend to gather near to APs, prefer wires
– Many university buildings have very thick walls
• Some hard-to-diagnose WLAN problems
– Particularly where large numbers of devices
General concerns (2)
• Bandwidth in large deployment
– Impact of multicast
• Wireless too “time consuming” to deploy
• Supporting client software where required
• Rogue access points on internal VLANs
– Breaks “wired security” of VLAN
– Frequency/channel interference
• Rogue access points on same ESSID
– Potential man-in-the-middle attacks
– 802.1x authentication to wrong AP?
• Offering mobility in multi-subnet wireless network
• Management of large (100+ AP) deployments
Good points
• Very few interoperability issues reported between wireless
technologies
– But a few reported between vendor equipment
– Cheap commodity access points more problematic
• Many universities want to deploy and support campus-wide
mobile wireless services
– Some plan SMS or GPRS integration
– Very few plans for location-aware services yet
• Many different VPN solutions available
– But require client software and support
– Common comment to treat WLAN like a “dial-up” (with
associated VPN, firewall and other implications)
• Can use wireless access controls on wired networks also
Securing access:
• Some FUD factors:
• WEP
– Little confidence in the technology
• VPN/BlueSocket
– Perceived as complex
• 802.1x
– Perceived as complex
– Not widely supported yet
• Thus deployment is cautious
RoamNode
• Developed at Bristol
– Freely available, open system
• Integrated authentication, VPN, IDS
• Uses NAT internally, Public IPs via VPN
• Syslogging can be used
• Web-based management
– RADIUS back-end (e.g. FreeRadius)
• Runs on commodity PC hardware
• Requires client software
– Already present on Windows XP
• QoS and SNMP extensions being implemented
WNap
• A community wireless project
• Offers initial connectivity to a local WLAN
• Private IP address assigned by DHCP
– Can then communicate in the local WLAN
• Must authenticate to and join VPN to
access external services
– Established via RADIUS back-end
• Similar in spirit to Open.Net
– (a system available in Sweden/Stockholm)
BlueSocket
• Commercial solution
– Deployment of a “black box” system
• Offers VPN solution
– One box can serve a /24 network
• Cost seems high: £5,000 per box?
– Do we want to go down proprietary paths?
• Was presented at UK Networkshop 2002
• (will determine more from the Open
University site visit)
The MAWAA project
MAWAA project goals
• Embrace pervasive wireless network access
• Vision of wireless campus
– Rapidly growing staff + student use of laptops, PDAs
– 802.11b now, 802.11a/g becoming available and UK open
– PDAs now available with built-in Wireless LAN adaptors
• Consistent access method in UK (+ EU) HE
• Evaluate security and access mechanisms
– Access control desirable for (civil) accountability
– Encryption of Wireless LAN data desirable
• Trial technologies
MAWAA requirements
• Consistent access control mechanism
– Needs consistent authentication back-end
– The detailed site mechanisms may vary
– (Inter)national interoperability is highly desirable
– Integration of cheap commodity equipment is desirable
• Support at the IP layer
– IPv6 emerging
– May wish to apply IP layer security
• Ideally usable at application level
– Can we have single access control and resource access?
• Ease of use (for users and administrators)
MAWAA deliverables
• WLAN deployment survey
– Look at WLAN deployment barriers
– Seek out best current practice in UK HE
– Results and interviews (Feb ’03)
• Technology review
– Includes promising technology, e.g. 802.1X + RADIUS
– Access technology report (Apr ’03)
• Site deployment trials
– Trying best concepts from technology review
– Demonstrate interoperability with UK + EU sites
– Final report (Jul ’03)