Wireless policies change

Switch to WPA2, ban on personal routers

Over the next few months, several network infrastructure changes will roll out from DotCIO, including new wireless connection options and the blocking of external Domain Name System (DNS) queries.

RPI currently provides secure wireless across the campus with the 802.1x WEP enterprise encryption protocol. This protocol is not well supported by all devices, notably Android phones and tablets. A new network—called “rpi_wpa2”—is now available in the Rensselaer Union, the Darrin Communications Center, and several other campus buildings (including many residence halls). “[WPA2] offers better encryption, better support of newer devices, and is the same speed as 802.1x on the same access point,” said Computer Science System Administrator Steven Lindsey in an email to the department.

There is no new hardware for this addition—the same access points broadcast and handle both security protocols. According to Senior Network Security Analyst Nigel Westlake, the 802.1x network will most likely remain up for a few years. A third protocol is also being tested in the Union, rpi_webauth, which authenticates through a web browser as a fallback.

In addition, DotCIO is working to expand and improve wireless coverage across campus. “We just put up 40 new access points in the Quad,” said Westlake. However, there are a limited number of wireless channels, and too many access points in a small range can cause interference. This is more of a problem in residence halls, where many students have set up their own wireless routers. According to Lindsey, personal access points will eventually be banned. Until full coverage is achieved, however, personal routers are still allowed as long as they do not cause interference, and they are named to indicate their location and owner.

To finish improving coverage, DotCIO needs student feedback. “Any student with any wireless or network problem, for the love of God, email the helpdesk,” said Westlake. He requested that students send both the location of the bad connection and whether their connection was dropping or they simply could not connect at all.

Another big change regards DNS. Locations on the internet are identified by IP addresses (such as 66.102.15.42), but users mostly rely on domain names to find websites (such as google.com). A web browser translates the domain into an IP address using a DNS query—it asks a DNS server, which keeps a list of domain names and the IP addresses they correspond to. RPI has its own set of DNS servers, which most students use by default, but some elect to use third-party servers like Google Public DNS or OpenDNS.

Next year, network users will not be able to query external DNS servers; instead, everyone will have to use the RPI servers. This is intended to allow better security, giving DotCIO better diagnostic information and allowing them to block known malware sites. For example, a phishing attack using a “fast flux” technique (where the IP address changes every few minutes) is very hard to block without control of the DNS servers.

Although this policy would make the RPI DNS servers a single point of failure for the network, Westlake is confident they can support the load. Last Thursday, a diagnostic tool reported that the network was handling an average of 278 packets per second. RPI has over a dozen DNS servers, each alone rated for more than five times that much traffic. These local servers are also significantly faster than both Google DNS and OpenDNS, according to tests run by Westlake.

The benefits of having the entire network on local DNS servers are mainly in security and malware prevention. “The last two notifications I got from off campus were DNS changers,” said Westlake. In addition, DotCIO would have access to a good deal of diagnostic information—if a bunch of machines are repeatedly querying a potentially malicious domain name, they can notify the owners of the machines.
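As an added illustration (not part of the article, and not DotCIO's tooling), here is a small Python script showing the two kinds of analysis the article describes becoming possible once every query passes through the campus resolvers: spotting machines that repeatedly resolve a known-malicious domain, and spotting a domain whose answers churn through many IP addresses in a short window, the “fast flux” pattern Westlake mentions. The log line format, the blocklist, the domain names and every log line are constructed for this example; the thresholds are arbitrary defaults.

```python
"""Added example: toy analysis of a campus resolver's query log.

Assumed log format (constructed for this example, not a real resolver's):
    <ISO timestamp> client <ip> query <domain> answer <ip>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; addresses are documentation/test ranges.
SAMPLE_LOG = """\
2012-04-19T10:00:01 client 128.113.10.21 query www.rpi.edu answer 128.113.1.10
2012-04-19T10:00:05 client 128.113.10.21 query login-update.example answer 203.0.113.5
2012-04-19T10:01:10 client 128.113.10.21 query login-update.example answer 198.51.100.77
2012-04-19T10:02:15 client 128.113.10.21 query login-update.example answer 192.0.2.140
2012-04-19T10:03:20 client 128.113.10.21 query login-update.example answer 203.0.113.99
2012-04-19T10:03:40 client 128.113.10.48 query login-update.example answer 198.51.100.3
2012-04-19T10:04:00 client 128.113.10.48 query mail.rpi.edu answer 128.113.1.20
2012-04-19T10:04:30 client 128.113.10.77 query dnschanger-c2.example answer 192.0.2.9
2012-04-19T10:05:30 client 128.113.10.77 query dnschanger-c2.example answer 192.0.2.9
2012-04-19T10:06:30 client 128.113.10.77 query dnschanger-c2.example answer 192.0.2.9
"""

# Constructed blocklist: domains the example treats as known-malicious.
BLOCKLIST = {"dnschanger-c2.example"}


def parse_log(text):
    """Parse log lines into (timestamp, client, domain, answer) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts = datetime.fromisoformat(parts[0])
        records.append((ts, parts[2], parts[4], parts[6]))
    return records


def repeat_blocklist_queriers(records, blocklist=BLOCKLIST, min_queries=3):
    """Clients that resolved a blocklisted domain at least min_queries times.
    Returns {client: {domain: count}}; these are the owners DotCIO-style
    staff would notify."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, client, domain, _ in records:
        if domain in blocklist:
            counts[client][domain] += 1
    return {
        client: {d: n for d, n in doms.items() if n >= min_queries}
        for client, doms in counts.items()
        if any(n >= min_queries for n in doms.values())
    }


def fast_flux_candidates(records, window_minutes=10, min_distinct_ips=4):
    """Domains whose answers showed min_distinct_ips or more distinct IPs
    within window_minutes of the first time the domain was seen.
    Returns {domain: sorted distinct answer IPs}."""
    seen = defaultdict(list)  # domain -> [(timestamp, answer ip)]
    for ts, _, domain, answer in records:
        seen[domain].append((ts, answer))
    flagged = {}
    for domain, events in seen.items():
        events.sort()
        first = events[0][0]
        in_window = {
            ip for ts, ip in events
            if (ts - first).total_seconds() <= window_minutes * 60
        }
        if len(in_window) >= min_distinct_ips:
            flagged[domain] = sorted(in_window)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeat blocklist queriers:", repeat_blocklist_queriers(recs))
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

Neither check is possible when clients resolve through outside servers, because the campus resolver never sees those queries or answers; that is the visibility the article says the policy is meant to restore.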

There are other ways to achieve these security benefits while still allowing other DNS servers; however, such methods are more intrusive, usually involving the installation of sniffer programs on everyone’s computers. “We don’t want root access to any student equipment,” stated Westlake.

These policies are still awaiting finalization by DotCIO, and will most likely go into effect at the start of the Fall 2012 semester.
