PROVIDING LOW COST PUBLIC WI FI IN A GOVERNMENT BUILDING



Similar documents
9 Simple steps to secure your Wi-Fi Network.

What is Bitdefender BOX?

Using Web Security Services to Protect Portable Devices

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

MaaS360 Mobile Service

Cisco Outdoor Wireless Mesh Enables Alternative Broadband Access

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

APPENDIX 3 LOT 3: WIRELESS NETWORK

User Guide. E-Series Routers

Network Security Best Practices

Doing Hotel Wi-Fi the Right Way

Security Awareness. Wireless Network Security

Frequently Asked Questions

Computer Networking. Definitions. Introduction

Guide for wireless environments

Quick Start Guide. Business Wireless Gateway. WiFi Devices. Model Number: DPC3939B. Business Wireless Gateway

Linksys WAP300N. User Guide

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Chapter 9 Firewalls and Intrusion Prevention Systems

Section 12 MUST BE COMPLETED BY: 4/22

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Cyber Security: Beginners Guide to Firewalls

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

How To Set Up A Cisco Wap121 Wireless N Access Point With Single Point Setup

Electronic Health Records Are You Ready?

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

VLANs. Application Note

WineWeb: Point-of-Sale Planning Guide

quick reference guide

SATO Network Interface Card Configuration Instructions

Cisco WAP321 Wireless-N Selectable-Band Access Point with Single Point Setup

Mobile Device Strategy

Network Security. Network Security. Protective and Dependable. > UTM Content Security Gateway. > VPN Security Gateway. > Multi-Homing Security Gateway

BT Business Total Broadband Fibre User Guide

USER GUIDE AC2400. DUAL BAND GIGABIT Wi Fi ROUTER. Model# E8350

Deploying Firewalls Throughout Your Organization

Wireless Networking. Mac/PC Compatibility: QuickStart Guide for Business

Cisco WAP4410N Wireless-N Access Point, PoE/Advanced Security


Quick Start. Nighthawk X8 AC5300 Tri-Band WiFi Router Model R8500. Package Contents. NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA USA

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

ROGUE ACCESS POINT DETECTION: AUTOMATICALLY DETECT AND MANAGE WIRELESS THREATS TO YOUR NETWORK

Wireless (In)Security Trends in the Enterprise

Securing end devices

NETGEAR Trek N300 Travel Router and Range Extender

High-Speed Internet Quick Start Guide

RESERVATION TELEPHONE COOPERATIVE BROADBAND INTERNET SERVICE DISCLOSURES

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security Cisco Small Business Access Points

Beginner s SETUP GUIDE for NANOSTATION-2 as receiver and other Ubiquity devices using AirOS firmware V3.6 (Windows/MacOS)

Networking. Introduction. Types of Wireless Networks. A Build-It-Ourselves Guide to Wireless Mesh Networks

Cisco WAP4410N Wireless-N Access Point: PoE/Advanced Security. Cisco Small Business Access Points

UNIVERSITY GUIDEBOOK. Title of Policy: Acceptable Use of University Technology Resources

Secure Networks for Process Control

The Hidden Dangers of Public WiFi

NETWORK SECURITY GUIDELINES

Use Host Information in Policy Enforcement

Cisco Small Business 500 Series Wireless Access Points

Security in Wireless Local Area Network

Selecting the Right NAS File Server

Why Switch from IPSec to SSL VPN. And Four Steps to Ease Transition

ADSL2+ BROABDAND INTERNET

ResNet Guide. Information & Learning Services. Here to support your study and research

CMPT 471 Networking II

IT Assessment Report. Prepared by: Date: BRI Works East Main Street, Suite 200 Charlottesville VA

AC750 WiFi Range Extender

Advanced Hotspot Gateway Products

Building A Secure Microsoft Exchange Continuity Appliance

Quick Installation Guide

Cox High Speed InternetSM Connect to your online world faster than you can imagine. Plus, access a whole host of tools to make your Internet

Wireless LANs vs. Wireless WANs

ShareLink 200 Setup Guide

AVG AntiVirus. How does this benefit you?

Home Wi-Fi Gateway Instructions

RAS Associates, Inc. Systems Development Proposal. Scott Klarman. March 15, 2009

Lucent VPN Firewall Security in x Wireless Networks

MN-700 Base Station Configuration Guide

Business ebanking Fraud Prevention Best Practices

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Quick Installation Guide For Mac users

10 Ways. Cisco Meraki Switches Make Life Easier

Transcription:

PROVIDING LOW COST PUBLIC WI FI IN A GOVERNMENT BUILDING AUTHORS: GARY ARSTEIN KERSLAKE AND JOSE RODARTE (INFORMATION TECHNOLOGY SERVICES BRANCH, CALRECYCLE) ABSTRACT Wi Fi technology is available for very moderate cost, and Wi Fi enabled devices are ubiquitous. CalRecycle has been an early adopter and implementer of Wi Fi technology, and especially public Wi Fi. Since its first Wi Fi implementation almost ten years ago, CalRecycle has extended Wi Fi throughout the organization, and has added semi private and secure private Wi Fi implementations where needed. Analysis of device type connections to the public Wi Fi yielded a substantial variety in device types and a substantial level of use. To the best of our knowledge, CalRecycle is one of only a few California State organizations with this broad level of use of Wi Fi which is available to staff in all of its office buildings throughout the state. PROBLEM/OPPORTUNITY Wi Fi networks have experienced substantial growth since the early 2000 s. Per this 2003 research paper from UCLA, it was estimated that there would be 21,000 hotspots in the United States and 45,000 globally by the end of 2004. Compare this to current estimates that by 2015, users around the world will be able to connect to 5.8 million public hotspots. In 2003, there was already significant adoption of Wi Fi by both individuals and businesses, and this adoption was fostered by the fact that the cost of Wi Fi technology was already relatively low by that time. So, adoption of Wi Fi within a business environment was not a capital intensive undertaking. At the same time, like many IT related endeavors, the fastest and cheapest implementation of a technology is often not the best approach if it doesn t scale well and has substantial maintenance costs. So, these factors were kept in mind by CalRecycle during the implementation of several Wi Fi expansion projects. CalRecycle is a department within the California State government, and it is one of seven organizations located within a 25 story building in downtown Sacramento. CalRecycle also has another division (as of 2010) located in a 20+ story building several block away from the headquarters building along with four small field offices in southern California. CalRecycle and the other departments within the 25 story building have an environmental regulatory role and have a regular schedule of publicly noticed meetings in the building. These meetings can run from several hours to a full day and sometimes can run to a second day, and there is no guarantee that a specific item will be taken up for discussion at a set time. Consequently, for both staff and members of the public or business community who might be participating in the meeting, there may be extended periods of waiting in the audience for an item of relevance to a specific individual to be taken up for discussion. While CalRecycle has also implemented publicly accessible webcasts of the meeting proceedings, which helped for planning and participation at meetings, it was also proposed that CalRecycle provide Wi Fi access during these meetings to facilitate productive use of time during the meetings, for both State staff and members of the public. Page 1 of 5

There were four primary criteria guiding our efforts with respect to implementing Wi Fi access: 1. The Wi Fi network must allow for access by CalRecycle staff along with staff from several other separate government organizations AND members of the public and the business community. 2. The initial focus for Wi Fi connectivity was in the Hearing and Auditorium rooms in the Headquarters building. However, with 60+ conference rooms in the building, there would be significant benefit for extending Wi Fi connectivity to all floors to cover all the conference rooms. 3. As a state government organization, it was imperative that Wi Fi capabilities be implemented for relatively low cost with minimal administrative overhead required to maintain the system. 4. It was critically important that the selected Wi Fi solution provide adequate security to assuage concerns that were rampant in the early 2000 s regarding security exposures with the use of Wi Fi. SOLUTION CalRecycle has taken a stepwise approach to providing Wi Fi access within its facilities. This access includes several different implementation approaches (public, semi private, and private) and the organization is now fully Wi Fi enabled. We re quite sure that CalRecycle has more publicly accessible Wi Fi than any other California state agency, as of the writing of this white paper in November 2013. There are some organizations such as law enforcement entities that have very stringent security constraints for which Wi Fi may not be appropriate. However, we believe the approach we ve used can be adopted by many other organizations and can expand Wi Fi use within their organization while also providing access to members of the public and the business community that interact with the governmental organization. 2003: Wi Fi was experiencing significant rates of adoption for both private and commercial use. The price of the technology had dropped substantially. Following from a request to provide an increased number of wired connections in one of the building s hearing and auditorium rooms, we proposed instead to provide both wired connections plus public Wi Fi wireless in all rooms for the same cost as has been proposed to provide a limited number of wired connections in just one of the rooms! This was our first implementation of Wi Fi which used 802.11a/b technology and served part of the 1 st and 2 nd floors of the building. To address security concerns, the Wi Fi was on a completely separate network connected through a separate DSL connection to the Internet. 2004: Despite early reluctance on the part of some of our organizations related to the use of Wi Fi, by mid 2004 there was rampant proliferation of a mish mash of public and private Wi Fi services on other floors within the building. 2005: In a cooperative effort from among several of the organizations within the building, it was agreed to extend the Wi Fi capabilities to support all twenty five floors in the building, and to upgrade to Cisco Wi Fi devices supporting 802.11a/b/g. To reduce installation costs, the decision was made to use Power Over Ethernet injectors with the existing switch and cabling infrastructure, with new cabling pulled to provide both a management and data connection for each device. A radio survey was conducted to determine appropriate placement of Wireless Access points (WAP) and antennas. Interestingly, a small number of staff expressed concern at seeing the pipe shaped antennas protruding from the ceiling into the work area. And, in some cases, these antenna were later replaced with antennas with a more aesthetically pleasing shape or at least less obvious purpose! During this time, we also implemented web content filtering for the public W Fi service. While this is basically a publicly accessible service, it still exists within the confines of a work environment for which we have established guidelines related to sexual Page 2 of 5

harassment, display of suggestive content, access to hate related content, etc. In a nutshell, it would be inappropriate to allow a circumstance where a CalRecycle employee was performing a work related task sitting in the audience at a meeting but seated next to a public visitor who was accessing the Internet over our Wi Fi and displaying content that violated our own sexual harassment policy. Due diligence required that we take steps to prevent this from occurring, basic web content filtering was implemented in 2005. 2010: As part of an organizational merger that occurred in 2010, CalRecycle acquired several new small field offices. The decision was made to expand Wi Fi connectivity to include separate Wi Fi installations in each of the remote offices. For these offices, the intent of the Wi Fi was to provide more flexibility for connectivity by the office staff, all of whom had a desktop computer but many of whom also used a laptop fairly frequently. Because these offices had limited need for public Internet access, the Wi Fi that was implemented in each of these offices was private, secure Wi Fi, 802.11 b/g/n.. 2012: While the public Wi Fi implemented in Sacramento had always been isolated from internal networks by virtue of the use of a separate VLAN structure, separate DHCP, separate firewall interface, etc., once the network traffic left the organization it was traversing a shared Internet connection. Since public devices connecting to the public Wi Fi are not controlled and do not have to meet any organizational requirements related to installed antivirus software, etc., any more than they would using a public Wi Fi connection at a coffee shop, hotel, bookstore, etc., this means that it is likely that some amount of outgoing traffic could be flagged as anomalous (e.g., port scanning, etc.). In 2012, the decision was made to revert back to using completely separate data connections for the public Wi Fi service (redundant business class cable connections). 2013: Given that the building wide Wi Fi infrastructure had now been in use for seven years, the decision was made to replace the existing technology and upgrade to Cisco Aironet devices supporting 802.11b/g/n. In addition, CalRecycle opted to extend the Wi Fi infrastructure to include several floors in a building located several blocks away that also housed CalRecycle employees. So, all capabilities including Wi Fi content filtering were extended to include three floors in that building. HOWEVER, one thing which differed with this implementation is that we consider the service to be semi private in that it is still publicly accessible and unencrypted (you must bring your own security!), but we are specifically NOT broadcasting the SSID. The reason for this is that this is a multitenant building with both public sector and private sector employees. Since the Wi Fi signal almost certainly will bleed through to some work areas on adjoining floors, we did not want to advertise our public Wi Fi in an environment in which an employer might have very strict security requirements and may restrict any Internet access except with their strict controls in place. Not advertising the SSID is a minor step and could easily be circumvented by an adroit hacker, but it is a reasonable step on our part to limit access to CalRecycle staff or visitors only. RESULTS As described above, CalRecycle Wi Fi services have been in use in one form or another for ten years now. We have evolved the services over time and have refined and upgraded the service offerings. We have had no significant security problems resulting from the availability of the public Wi Fi service. People have been detected using the Wi Fi to download content from services such as bittorrent. But, generally, these uses tend to be restricted by our web content and malware content filtering service. Overall, the extension of Wi Fi to include the entire organization and the broad use of publicly accessible Wi Fi has been very well received. As stated above, to the Page 3 of 5

best of our knowledge, there is no other California State organization with an equivalently broad Wi Fi implementation. Whenever possible, we also seek to collect and analyze data to provide some measure of actual adoption and use of the technologies we implement. Recapping quickly, especially within the headquarters building located in downtown Sacramento, we have the responsibility to ensure that the public has ready and convenient access to public information; that individuals and groups affected by the regulations and statutes under which we operate can at least view if not actively participate in public forums; that persons attending our public meetings for extended periods of time have the same convenient access to basic services like common Wi Fi connectivity that they can get from a mom and pop coffee shop. This is a public Wi Fi, designed to be accessible to members of the public who come into the building to attend publicly noticed meetings or who come in to meet with staff, and these visitors can include vendors, staff from other State and local organizations, representative from regulated industries, etc. The public Wi Fi access is comparable in function to public Wi Fi access provided in any number of public settings by entities such as libraries, colleges, and private companies such as Starbucks, McDonalds, etc. The public Wi Fi is also used heavily by persons who enter the building with SmartPhones, especially staff of Cal/EPA and the BDOs. To assess levels of use, Wi Fi connectivity data was collected for eleven work hours spanning two days in January 2012. Because there is no authentication required to connect to the public Wi Fi, the connected devices were categorized based on their MAC address. *# of unique MACs reported on Wireless Access Points for that floor divided by total staff on that floor The analysis of the data yielded the output shown in the chart above. It provides a good sense of the extent of use and the distribution of use across the various floors, and it seems quite reasonable. Per the data analyzed from that brief time period, we re assuming that we have about 1,000 devices connecting every day to the public Wi Fi network. We were surprised that it appeared that the majority of Wi Fi devices connecting to the network based on MAC address were Apple devices. However, they are extremely popular devices, so this does not seem Page 4 of 5

unreasonable. We also computed the percentage of staff with a Wi Fi device on each floor by dividing the staff counts for each floor with the identified device counts. While the percentage shown for Floor 3 is likely an anomaly due to bleed over into Floor 2 areas (public access space), the reported percentages for all the other floors seem reasonable with highest percentages reported on Floor 5 (many executive staff with assigned Smartphones) and Floor 8, where most of the IT staff have office space. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information