Archive for May, 2011

By Jeff Orloff

Mobile computing is quickly becoming the cornerstone of education in America. Whether schools are purchasing mobile devices for students or they are adopting a BYOD (bring your own device) policy, students who are not incorporating smart phones, iPod touch devices, tablets or laptops into their learning are rapidly finding themselves on the wrong side of a new digital divide.

But of course, to take full advantage of mobile computing in the classroom, you need a connection to the Internet, and for a mobile device, this means a connection via Wi-Fi. This can pose some security risks, especially for schools. When it comes to security, Wi-Fi can quickly turn from a perfect solution to a perfect nightmare because of any number of the following security concerns. Here are the most common security issues and how to solve them.

Rogue Access Points

This threat takes place when the attacker sets up a fake access point that tricks users into connecting to it, rather than through a legitimate connection. Whether it’s a student or teacher connecting, the traffic can be sniffed for any information that passes through the rogue point, compromising confidential information or user credentials.

Additionally, a rogue access point degrades the TTL value of every packet that traverses it. And if configured to do so, a rogue access point can assign IP addresses to wireless devices in place of the school’s DHCP server, causing a loss of service. This is usually one of the first indications that there is a rogue access point on your network.
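The indicators described above (a school SSID announced by unknown hardware, DHCP offers from a server other than the school's, and a lowered TTL) can be checked against an inventory of sanctioned access points. The following is an added example, not code from the original article; the inventory, addresses, SSIDs, TTL baseline and sample records are all constructed for illustration.

```python
"""Check survey data for the rogue access point indicators described above."""

# Constructed inventory: BSSID -> (SSID, security) for every sanctioned AP.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("District-Staff", "WPA2"),
    "00:11:22:aa:bb:02": ("District-Student", "WPA2"),
}
AUTHORIZED_DHCP = {"10.10.0.2"}  # constructed: the school's DHCP server
BASELINE_TTL = 63  # assumed TTL of gateway replies seen on the real WLAN

def find_rogue_indicators(scan, dhcp_offers, ttl_samples):
    """Return (kind, subject, detail) tuples for each indicator found."""
    findings = []
    school_ssids = {ssid for ssid, _ in AUTHORIZED_APS.values()}
    for ap in scan:
        known = AUTHORIZED_APS.get(ap["bssid"].lower())
        if known is None and ap["ssid"] in school_ssids:
            # School SSID announced by hardware that is not in the inventory.
            findings.append(("unknown-bssid", ap["bssid"], ap["ssid"]))
        elif known is not None and (ap["ssid"], ap["security"]) != known:
            # Known BSSID with the wrong SSID or security: spoofed or misconfigured.
            findings.append(("inventory-mismatch", ap["bssid"], ap["ssid"]))
    for offer in dhcp_offers:
        if offer["server"] not in AUTHORIZED_DHCP:
            findings.append(("rogue-dhcp", offer["server"], offer["client"]))
    for sample in ttl_samples:
        if sample["ttl"] < BASELINE_TTL:  # an extra routing hop lowers TTL
            findings.append(("ttl-drop", sample["client"], BASELINE_TTL - sample["ttl"]))
    return findings

# Constructed sample data standing in for a Wi-Fi survey and client logs.
SCAN = [
    {"bssid": "00:11:22:AA:BB:01", "ssid": "District-Staff", "security": "WPA2"},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "District-Student", "security": "WPA2"},
    {"bssid": "02:00:00:00:00:99", "ssid": "District-Student", "security": "OPEN"},
    {"bssid": "02:00:00:00:00:55", "ssid": "CoffeeShop", "security": "WPA2"},
]
DHCP_OFFERS = [
    {"client": "tablet-17", "server": "10.10.0.2"},
    {"client": "tablet-22", "server": "192.168.1.1"},
]
TTL_SAMPLES = [{"client": "tablet-17", "ttl": 63}, {"client": "tablet-22", "ttl": 62}]

if __name__ == "__main__":
    for finding in find_rogue_indicators(SCAN, DHCP_OFFERS, TTL_SAMPLES):
        print(finding)
```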

Once a rogue access point has been identified, locating and removing it is the next step. However, since most rogue access points are hidden, finding the physical device can be difficult.

One of the best methods for locating these devices on your campus is called the convergence method. This requires a WLAN radio card with an omnidirectional antenna (which is what most notebook computers use) and either software that measures signal strength or a specialized hardware RF signal strength meter. Once the signal from the rogue device is picked up, you play a high-tech version of hot and cold, because the signal strength increases as you get closer to the access point. The search should be done by segmenting the area into four quadrants. Once the signal is found, the quadrant it is located in should be segmented again, and so on until the device is found.
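The quadrant search described above can be written down as a short procedure. This is an added example, not code from the original article: the signal meter is simulated with a log-distance path-loss model, and the campus size, transmit level and device position are assumed values chosen for illustration.

```python
import math

def rssi_dbm(pos, ap, ref_dbm=-30.0, exponent=3.0):
    """Simulated meter reading (assumed log-distance path-loss model)."""
    d = max(math.dist(pos, ap), 1.0)  # clamp to the 1 m reference distance
    return ref_dbm - 10.0 * exponent * math.log10(d)

def converge(measure, x0, y0, x1, y1, stop_m=5.0):
    """Split the area into four quadrants, keep the one whose center gives
    the strongest reading, and repeat until the area is at most stop_m wide.
    Returns the final bounds and a log of (quadrant, reading) per pass."""
    steps = []
    while max(x1 - x0, y1 - y0) > stop_m:
        mx, my = (x0 + x1) / 2, (y0 + y1) / 2
        quadrants = [
            (x0, y0, mx, my), (mx, y0, x1, my),
            (x0, my, mx, y1), (mx, my, x1, y1),
        ]
        readings = []
        for q in quadrants:
            center = ((q[0] + q[2]) / 2, (q[1] + q[3]) / 2)
            readings.append((measure(center), q))
        best_rssi, best = max(readings, key=lambda r: r[0])
        steps.append((best, round(best_rssi, 1)))
        x0, y0, x1, y1 = best
    return (x0, y0, x1, y1), steps

def locate_demo():
    """Search a constructed 200 m x 200 m campus for a hidden device."""
    hidden_ap = (137.0, 42.0)  # constructed position, unknown to the searcher
    return converge(lambda p: rssi_dbm(p, hidden_ap), 0.0, 0.0, 200.0, 200.0)

if __name__ == "__main__":
    bounds, steps = locate_demo()
    for quadrant, reading in steps:
        print(f"strongest quadrant {quadrant}: {reading} dBm")
    print("search area narrowed to", bounds)
```

On a real campus, walls and reflections make individual readings fluctuate, so average several readings at each measurement point before choosing a quadrant.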

Multiple Wi-Fi Networks

In many districts, two or more networks are set up: one network is typically for internal employee use, and a second is configured for public or even student use. Connecting to the wrong network can mean the difference between sending encrypted data and data in plain text. Without encryption, sensitive student and employee information can be easily captured via a traffic sniffer or man-in-the-middle attack.

Even layer two and layer three encryption are often insufficient for sensitive information, so most wireless LANs require application level encryption, as well, to prevent confidential information from being compromised.

To avoid problems associated with multiple networks, users (especially those who deal with confidential data) should be trained to connect to the proper network. Further encryption of confidential data on the clients can be done using software to encrypt the file system and data transmitted via Wi-Fi.

Wi-Fi Configuration

Typically, bigger school districts can employ a large team of IT professionals. Some may specialize in networking, others in server technologies, and others are hired for their expertise in security. For these larger districts, failing to properly configure a Wi-Fi device is less likely.

However, there are smaller school districts across the country whose IT budgets don’t allow for the hiring of such personnel. In these instances, it’s likely the IT staff may consist of only a few people, or maybe even one person. Having to take on multiple roles can easily lead to a person not knowing enough about wireless security to adequately protect the devices or simply not having the time to do so. When that’s the case, at a minimum, all access points should be configured by:

  • Setting WPA2 encryption on all access points
  • Changing the SSID on all access points
  • Changing the pre-set password on the access points

Further steps to configure your Wi-Fi network can be taken by turning off identifier broadcasting and allowing only legitimate devices to connect via MAC address filtering.

The truth is, most schools are already using Wi-Fi to some extent. However, the implementation of more wireless devices is only set to expand as districts evaluate digital textbooks and handheld learning simulation software. The question is, will they be ready to handle the security when the time comes?

eWeek, Businesses Want Remote Access, Data Protection and On-Premises Backup: Survey
Network World, RSA tokens may be behind major network security problems at Lockheed Martin
InformIT, Data Leakage During a Time of Economic Recession
Los Angeles Times, Bank of America data leak destroys trust

To usher in the unofficial start of summer, we thought we’d deviate from our usual realm of network security. At Interop, we caught up with Doug Mohney, editor-in-chief of HD Voice News. He told us about his favorite Interop physical security trend — hard drive shredders. Yes, that’s possible. Mohney explains it better than we can, so we’ll turn it over to him now. Have a great Memorial Day weekend.

Here’s part 2 of our video interview with Joanie Wexler, a regular contributor to Network World’s WirelessAlert column. We asked Wexler for her thoughts on the IPsec vs. SSL debate. Do you agree with her?

Also, stay tuned for our final Interop video tomorrow (this is a quirky one!), then next week we’ll be resuming our series on Branch Networking and look into Wi-Fi security issues for schools. Lots of good stuff coming up!

By Robert Dutt

For resellers and other IT solution providers supporting healthcare clients, a VPN is as ubiquitous a tool as the stethoscope their customers use every day.

“We will not support a client without a VPN. Period,” says Moshe Birnbaum, director of operations at EZ MSP, a Yonkers, NY-based solution provider.

Fellow solution provider Stemp Systems Group, out of Long Island City, NY, considers the technology as an equally important component of its healthcare business. President and founder, Morris Stemp, says the company currently maintains some 750 VPN-based connections to its clients.

So, why are VPNs so critical for healthcare solution providers? For one, VPNs are a significant part of the infrastructure these providers deploy and maintain for their customers. And VPNs are the platform on which to build new applications and solve deep-seated customer problems.

“Part of the Infrastructure”

Both EZ MSP and Stemp offer managed IT services for healthcare clients — from doctors’ offices to hospitals. This means, in some cases, the solution providers act as a completely outsourced IT department — especially for many smaller clients. To successfully do this, solution providers need a VPN to quickly access technology on clients’ networks and to make sure everything is running as smoothly as possible.

“We look at [VPN] as part of the infrastructure,” Birnbaum says. “It’s also a service opportunity that’s covered under the company’s support contract with their customers.”

Stemp says that with just an IP address, his company can connect to any of its clients in seconds. To maximize uptime for customers’ mission-critical systems, the company rolls out dual redundant firewalls and Internet connections with clients.

“They simply must always be active in order for us to provide our service to our customers,” he adds.

Also, because the healthcare industry is so highly regulated, VPNs are an apt tool for connecting to medical facilities. In fact, security requirements force most medical offices to have firewalls in place to protect electronic medical records, Stemp says.

“HIPAA requires [medical organizations] have [firewall] technology available, and we take advantage of that functionality,” he says.

And from a managed service provider’s point of view, VPNs offer an elegant and efficient way to have instant access anywhere into a customer’s infrastructure, even amid the myriad devices on diverse networks spread out around a region or even the world.

“It means we’re supporting a centralized appliance as opposed to individually configuring every computer on the network for remote access,” Birnbaum points out.

“It’s Very Different than the Way Most People Use VPNs”

But infrastructure – the plumbing aspect of a technology solution – only goes so far for a reseller. To truly show their customers value and help move them into new levels of efficiency and productivity, solution providers have to continually offer innovation and new functionality.

Although it may seem like a simple and obvious way to use a VPN, Stemp says the biggest game-changer for many of his clients is actually being able to securely connect to data on the customer network away from the office.

“It totally changed the lives of our doctors, who no longer had to rush to the office to check records when a patient calls up outside of business hours,” Stemp says.

Remote access also significantly changed Stemp’s own customer support models. Before remote access, much of the company’s support requirements were during business hours, from an office. But with easy and ubiquitous access anywhere or anytime, Stemp says he has to provide more responsive service for multiple locations at any time, 24/7.

“It magnified our support requirements,” Stemp says. “When [clients] can’t connect, we now have to diagnose that. And that includes on weekends and nights when we were effectively closed.”

Tablet computing is emerging as the next frontier for remote access to electronic medical records. Although Stemp initially struggled with a functional and reliable VPN connection to the Apple iPad, he says, the company has crossed that hurdle and now has doctors using tablets both in the office and securely from just about anywhere.

The biggest challenge remains the lack of electronic medical records applications designed for the touch interface of the iPad or Android-based tablets.

“We need iPad apps from the EMR companies,” he says. “Right now, you’re essentially just doing terminal services to your desktop, and navigating information that’s designed for a 19-inch screen on your nine-inch tablet screen.”

For EZ MSP, VPNs that meet a very specific customer need open new revenue streams. For instance, in order for medics to be reimbursed for keeping an eye on some key vital sign measurement systems during surgery, those eyes must belong to an MD. But keeping a doctor on-hand for every surgery in every surgical suite is impractical and inefficient. However, since the eyes on the monitor don’t have to be in the surgical suite, EZ MSP sometimes uses a VPN to connect from the surgical suite to a doctor’s office. This way, a remote doctor can monitor the systems in real-time over the network – making this a much more efficient and scalable model.

“It’s still extending the network, but it’s very different than the way most people use VPNs,” Birnbaum adds.

The Cloud Effect

Cloud computing is a megatrend that’s reshaping almost every aspect of the technology industry today, but providers have different perspectives on how their clients are thinking about the cloud.

EZ MSP’s Birnbaum says because critical line-of-business applications are still not offered in hosted or Software-as-a-Service models, the cloud isn’t “much of a factor” for many customers. But that’s not to say that EZ MSP is steering clear of the trend entirely.

“We are pushing people towards going to hosted [Microsoft] Exchange,” Birnbaum points out.

At Stemp, they’re hosting as many as 40 virtual servers for some of their larger clients in Stemp’s own data center, building a private cloud environment, and other clients are re-architecting their own server room or data center for a more flexible, elastic, cloud-like structure.

In both cases, Stemp says, VPN connections remain a key enabling tool.

“It just makes it much easier to get to those hosted services,” he says.