Issues in Wire(lessing) Your Law Library

Issues in Wire(lessing) Your Law Library Dominick Grillo & Gary Moore Hofstra University School of Law


Transcript of Issues in Wire(lessing) Your Law Library

  • Issues in Wire(lessing) Your Law Library
    Dominick Grillo & Gary Moore
    Hofstra University School of Law

  • Background of Hofstra Law School
    About 40 full time faculty.
    843 students (full time, part time day, LLM).
    School is 30 years old.
    Two buildings, Koppelman Hall and Axinn Hall. Koppelman Hall built in stages. Axinn built in 1996.
    School part of university.

  • Background of Hofstra Wireless Network
    Project first started Fall 1999.
    At the request of the Dean, Computer Users Committee looks at wiring the law school. Idea is to either wire every seat or potentially use wireless.
    Idea for wireless first floated by faculty member and director of law library.
    Committee to give recommendation to Dean.

  • Background of Hofstra Wireless Network (continued)
    Had obstacles to wiring every seat:
    Old classrooms.
    Library carrels difficult to wire.
    A lot of concrete, cinder block and steel.
    Had done a project the year before: 120 public access wired ports in law library - $40,000 project.

  • Examples of Library Carrels

  • Examples of current old classrooms (picture from 2000 before outlets added)

  • Background of Hofstra Law IT
    Separate department from the Law Library.
    Assistant Dean of IS (Gary) reports to the Vice Dean & Dean.
    3 Full Time Staff (Law Library has Head of Electronic Services - Dom).
    Also have 2 person copy room/media staff that reports to Assistant Dean of IS.
    Work with University IT:
    University IT responsible for Network Server maintenance, wiring, & email account creation (staff, faculty, admin and students).
    Any major computer projects must involve University IT.

  • Traditional Law School Wiring
    10/100 Shared or Switched Port.
    Costs:
    Pulling/Terminating Port - $250 per port (outside contractor).
    Pulling AC to port - $50 - $100 per port (Internal Plant Dept).
    Patch Panel - nominal.
    Blade for Network Switch - Cost per port on switch - $100 - $250 per port. For me it's $246.00 - recent quote for an Enterasys Switch 112 ports. Cost may vary.
    Multiple Blades/Switches depending on # of ports. Large network switch can be $20,000.
    Siben Courtroom - 200 seats wired. Cost $72,000 for data wiring and network switch.

  • Wired Network Diagram

  • Traditional Wiring Continued
    Benefits:
    Speed - Dedicated 10/100 Mbps depending on your configuration.
    Throughput - No noticeable degradation of speed based on 30-50 users on their own ports in a given area.
    Security - User can be identified by specific wired port location using conventional network security programs.

  • Traditional Wiring Continued
    Drawbacks of Wiring Public Access Ports:
    Cost - Very expensive to wire every seat in a law library and/or classroom. Cost of pulling ports, network blades, patch panels, switches and labor. About $300 - $500 per port.
    Difficult to wire carrels in the middle of the room.
    Use - Wired Public Access Network Ports often not in use. Money being wasted.

  • Decided to look at Wireless Networks
    Wireless Ethernet Networking relatively new in 1999.
    References - Nova Southeastern, SMU, UVA.
    The SMU wireless prophets Greg Ivy and David Whelan setup RadioLAN - proprietary 10 mbps.
    802.11b wireless ethernet just starting out.

  • Wireless Networks
    How do they work?
    Access Point connected to Ethernet port on Network.
    Has transmitter card/antenna - broadcasts signal over 2.4 GHz (802.11b) or 5.8 GHz (802.11a) to PC laptop/desktop with wireless 802.11 card.
    802.11b/802.11a are shared technology, meaning computers share the 11 mbps (802.11b) or 54 mbps (802.11a) bandwidth signal.
    Wireless user automatically gets IP address through DHCP - Dynamic Host Configuration Protocol.

  • Wireless Network Design

  • Wireless Networks - Reasons to Build
    Older buildings - lots of concrete and steel.
    Common areas such as lounges, patio areas, hallways.
    Classrooms - especially older classrooms.
    Access Point generally always in use.
    Supplement - not replacement - for wired network.
    Access for students - eliminate need for additional labs.
    In most situations, wireless costs much less than wired.

  • Types of Wireless
    802.11b, 802.11a, 802.11g Ethernet.
    Proprietary Wireless Ethernet - Proxim's first wireless LAN, RADIOLAN proprietary LAN.
    PDA via wireless modem.

  • Proprietary Wireless Ethernet Networks
    Basically same configuration as 802.11b/802.11a.
    RadioLAN uses 5.8 GHz frequency.
    Access Point connected to Ethernet Port on Network, broadcasts signal to Wireless Card connected to desktop/laptop.
    Proprietary - Can only use their cards with their network, not 802.11 standard. You are tied into their equipment only.

  • PDA via Wireless Modem
    Wireless Modem network setup in school/campus - not Ethernet network.
    Restricted to Modem speeds (1 mbps max?).
    Examples - Pepperdine/Stanford.

  • How 802.11b works
    Access point connected to ethernet port on network.
    Access point transmits 802.11b signal to transmitter on wireless LAN card.
    Works on 2.8 GHz frequency.
    Direct Sequence Spread Spectrum (DSSS).
    Shared medium, meaning users accessing one access point share the 11 mbps connection.
    Speed is really 5-7 mbps due to radio frequency overhead.
    Access points provide overlap coverage - user never loses signal, similar to cell phone coverage.
    Can be peer to peer, ad hoc or infrastructure.

  • 802.11B Wireless Access Point Configuration Diagram (courtesy of WLANA.COM)

  • 802.11b Continued
    Range up to 500 feet.
    Speed depends on distance - farther = slower.
    Signal will drop to 5.5 mbps, 2 mbps, 1 mbps depending on distance.
    Access Points can be configured via Serial Cable or remotely through access point config software.
    Firmware upgrades - software that upgrades Access Points.
    Many PDAs have 802.11b adapters for use with 802.11b network.
    WiFi standard - (WECA www.wirelessethernet.com)

  • How 802.11a works
    Similar to 802.11b in configuration.
    Speed up to 54 Mbps shared.
    Uses 5.8 GHz, higher frequency.
    Range much smaller - 150 feet.
    As with 802.11b - farther away from signal, slower speed. In 802.11a, much more drastic drop in speed.
    Higher Frequency - more vulnerable to interference.

  • Wireless Security
    The concerns with wireless networks:
    1) Non authorized users accessing the network.
    2) Users being able to see or sniff the data on the network.
    Types of Wireless Security:
    Authentication.
    Encryption.
    VPNs (Virtual Private Networks).
    Third Party Proprietary Systems.

  • Wireless Security - Authentication
    Authentication - users gaining proper access to the wireless network.
    Types of Authentication:
    SSID or Network Name
    MAC Address
    Radius
    EAP/802.1X

  • Wireless Security - Authentication
    SSID/Network Name:
    Simplest form of restriction. Requires user to know network name for use of network.
    Access points can be setup to broadcast or not broadcast SSID/Network Name.
    Recommend No Broadcast.
    MAC Address:
    Only registered wireless Ethernet card addresses can access network.
    Very unwieldy to setup and maintain with current access point software. Need to register MAC addresses for each Access Point.

  • Wireless Security - Authentication - Radius Server
    Radius - Stands for Remote Access Dial Up Server.
    A database server that stores authorized usernames and passwords. Users trying to access the network must authenticate to the server.
    Can pull information in from a directory - easier to maintain.
    Radius is a supported standard of authentication - most wireless products support Radius (Cisco, Agere, Enterasys etc).

  • Wireless Security - Authentication - EAP
    Stands for Extensible Authentication Protocol.
    802.1x - IEEE standard Authentication.
    Passes messages to a Kerberos or Radius Server.
    Cisco uses proprietary version called LEAP.

  • Wireless Security - Encryption
    Encryption - Encoding data that you are sending across the wireless network.
    Different from Authentication - You have the rights to use the network, you now want to encode the data to keep it secure.
    Based around the use of keys to encode and un-encode data.

  • Types of Encryption
    WEP
    TKIP
    IPSEC
    SSL

  • WEP
    Stands for Wireless Equivalent Privacy.
    IEEE Standard.
    64 and 128 bit encryption.
    Requires users to use keys. Standard WEP must be setup on each access point AND on each wireless network user's laptop.
    Response time diminishes due to encryption.
    Major flaws found in WEP - length of encryption in key and how key is created. Keys can be reversed.
    Encryption is only from wireless client to access point.

  • Wireless Encryption - TKIP
    IEEE 802.11 task force setting up new standard, TKIP, to replace WEP.
    Stands for Temporal Key Integrity Protocol (yes, that sounds very Star Trek like).
    Three part solution - key-hashing, message integrity check to prevent forgery and dynamic key management (rekeying).
    Has backing of WECA and most major 802.11 vendors.
    Same issue - encryption only from wireless client to access point.

  • IPSEC
    Short for Internet Protocol Security.
    Framework of open standards for ensuring secure private communications over IP networks.
    Used in VPNs.
    168 bit key encryption.
    Open Standard - supported by many vendors.
    Requires IPSec client software.

  • SSL
    Stands for Secure Socket Layer.
    SSL works by using a key to encrypt data that's transferred over the SSL connection. Creates a secure connection between client and server. All data between client and server is encrypted.
    Supported by Netscape and Microsoft IE.
    By convention, URLs that require an SSL connection start with https.
    All legitimate credit card and bank web sites use SSL or secure http (which works in conjunction with SSL).

  • Wireless Encryption
    Why should I pay for an additional option when it comes standard with the car? (In other words, do I need encryption when the application is already providing it!)
    Many applications already have 128 bit encryption - Email, IE, Netscape, proprietary bank software.
    If not using a VPN, then encryption should be application based.

  • VPN/Firewall
    Virtual Private Network.
    Isolates traffic by using a dedicated network using Point to Point Tunneling or Layer 2 Tunneling Protocol.
    Standards based - broad vendor support.
    Uses IPSec.
    Firewall - a guard at the gate - only allows traffic you want to come in and out.

  • Third Party Security Systems
    Trying to fit the niche of providing security to wireless networks, several companies have come up with proprietary security systems.
    Some systems allow for time restrictions, network policy restrictions, advanced reporting features.

  • Third Party Security/Proprietary Systems (continued)
    Some are based on custom proprietary authentication/encryption standards such as Cisco's LEAP.
    Others are based on hardware/software solution. Companies such as Reefedge and Vernier use an authentication system using a connection bridge that access points connect to and an authentication server that checks users' authorization.
    Supports LDAP (lightweight directory access protocol), Radius, and NTLM.
    Administrative/Monitoring/Report Capabilities. Systems can restrict users' bandwidth.

  • Web-Based Systems Management
    Web-based tool for managing the wireless network.

    Monitor:

    Users Status Privileges IP and MAC addresses

    Controllers
    Access Points thru port forwarding
    Users

    Connect Server
    System profiles

    QoS
    Meter bandwidth based on user class

  • Hardware/Software Solutions (Continued)
    Other solutions such as Funk Software's Odyssey use EAP authentication so that user must connect to access points via password credentials.
    Server/client software.
    Supports multiple Windows Platforms and most standard Access Points.

  • 802.11a vs. 802.11b - Which to Go with?
    802.11b provides more coverage.
    802.11a - more speed but in a much shorter distance.
    As a result, depending on configuration, you will need many more access points with 802.11a, hence greater cost.

  • 802.11a vs. 802.11b - Recommendation
    802.11b is here now and is a much more mature product than 802.11a.
    However, strive to choose access points that will support both 802.11a and 802.11b.
    Note - Both 802.11 protocols supported by Windows and Mac based machines.
    802.11g too far off to consider for now.

  • Designing/Implementing Wireless LAN
    Do you want to cover just the law library or the law school?
    Recent Survey done by David Whelan, Director, ABA Legal Technology Resource Center, states that 33 out of 52 law schools responding had wireless either in the law school or law library. 28 of the 52 (85%) of those have it in both places, compared to only 63% last year. Last year 8 law schools had wireless only in the library; this year that number is down to 5. Alternatively, 5 law schools responded that only the law school had wireless last year, where the number is down to 3 this year.

  • Designing/Implementing Wireless LAN (Continued)
    Access Points should be installed as high as possible to provide the maximum amount of signal reach and to avoid obstacles.
    Also recommend putting them on high walls in open areas and in ceilings (above drop ceilings) to cut down on potential vandalism.
    Concrete, steel, and cinder block cut down on wireless radio signal. In older buildings, classrooms may need 1 access point each.

  • Designing/Implementing Wireless LAN (Continued)
    If you are building a new building, should you go completely wireless, including faculty/staff/admin offices?
    No!!!!!! Wireless should be a supplement to wired. 10/100 dedicated wire will be faster than wireless for the foreseeable future.

  • Designing/Implementing Wireless LAN (Continued)
    Should I hire an outside consultant to design the network? Thoughts:
    Vendor RFP - Make it a point that vendor must include in the proposal the design of network.
    See what other similar sized law schools/law libraries did. Post a message on Teknoids!!!
    Vendor Bidding - always get at least 3 bids! In our case, three vendors (Aironet, Enterasys, RadioLAN).
    Include Maintenance Contracts - A must!!!
    If part of a university, work with the university!

  • Designing/Implementing Wireless LAN (Continued)
    Costs:
    802.11b access points - $200 - $1000.
    802.11a access points - $1000.
    Wireless Cards - 802.11 - $70 - $200.
    Possible cost - additional blade and/or switches.
    Third party systems - depends on configuration - anywhere from $25 - $50,000 for one building.

  • Wireless Technical Support
    Should the Library be in the business of loaning out cards?
    Should the Library be in the business of supporting cards?
    Standards for students purchasing wireless cards.
    Laptop Requirements/PC Vendor configurations.
    Documentation/Installation Instructions and tech support for students.

  • How did it turn out for us?
    Wireless network in place since July 2000.
    Has worked way beyond our expectations.
    Students love the wireless network.
    Basic student access is the Internet only. To access printers and student network drives, students need to install network client to logon.
    Lab use has dropped significantly.
    Tech support spikes up at the beginning of the semester then falls off.
    A perspective each from the library and the IT department on daily wireless use.

  • What we decided to do
    Went with Enterasys access points.
    28 access points in Koppelman Hall. 1 in Axinn Hall.
    Wireless network was implemented in two months between final walkthrough and installation of wireless access points. Configured access points ahead of time before installation.

  • Pitfalls
    Ideally, whatever wireless network you choose, make sure that access points will support both 802.11a and 802.11b. In our case, 802.11a was not an option when we purchased ours in 2000.
    There will be dead zones/interference zones even though you have had a walkthrough. Test a lot once the network is up.
    Do what we didn't do in the beginning - Recommend a specific wireless card/configuration for users. 802.11 is interoperable, but
    Expect growing pains and offer lots of handholding in the beginning.

  • Considerations/Issues
    Power outlets for laptops.
    Bandwidth Concerns.
    Health Risks? - WLANA statement.
    Increased demand for services - Printing.
    Laptop Operating Systems.
    Increased Laptop Use - The Good and the Bad.

  • Considerations/Issues (continued)
    The biggest concern next to security is
    Wireless in the Classroom

  • Final Recommendations
    Purchase/Evaluate a wireless system in a small test environment. Start small.
    Security-wise - Put your wireless network on separate subnet. Keep it away from your wired.
    If you can, find a solution that allows for common authentication - meaning using same username/password for wireless network as for students'/users' email and network accounts. Keep it simple!
    Again, talk to other schools, see what they did!

  • Bottom Line
    Will the technology change? Yes, it's like all other technology, advancements will be made.
    Don't be afraid to jump in. Remember - you will only be replacing access points (and wireless cards if you are loaning out) if new technology arises. No need for new wiring.
    You can make wireless as secure as your existing wired network if you follow steps that were outlined here.

  • URLs for Further Information
    WLANA - Wireless LAN Association: http://www.wlana.com
    WECA - Wireless Ethernet Alliance: http://www.wirelessethernet.com
    ABA Legal Technology Resource Center: http://www.abanet.org/tech/ltrc/mobicomm.html
    University of Tennessee's Wireless Site: http://wireless.utk.edu/links.html

  • With thanks to, for their help..
    David Whelan, Director, ABA Legal Technology Resource Center & Greg Ivy, Associate Director, SMU Law Library - otherwise known as the Wireless Prophets.
    Daniel Yu, Systems Manager, Hofstra University.
    Paul Haller, Reefedge, for using one of his slides.

  • Contact Information
    Dominick Grillo, Head of Electronic [email protected]; 516-463-5357

    Gary Moore, Assistant Dean for Information [email protected]; 516-463-6067

    Simplify the management of workstations and TCP/IP addresses. Before, either had to manually configure the address on the workstation or manually put the network adapter address in a table before a TCP/IP address is available for the workstations. DHCP eliminates the labor and time consumption of setting up addresses and updating TCP/IP info on the workstation.

    With DSSS, a redundant "chipping code" is sent with each signal burst, and only the transmitter and receiver know the chipping sequence. The principle of direct sequence is to spread a signal on a larger frequency band by multiplexing it with a signature or code to minimize localized interference and background noise. Sequence spread was first developed in World War II to minimize signal interference.

    The user will roam from access point to access point depending on which access point's signal is stronger.

    Range depends on obstacles or lack thereof. WiFi standard - a test for a product's 802.11b interoperability.

    Sniffers are hardware or software programs that can be loaded on laptops that can potentially sniff out traffic on networks.

    Unauthorized users can access wireless networks if access points are setup to broadcast their network name. Laptops with Windows XP can search for available networks that are broadcasted. Also, you can download software from sites such as Boingo.com that you can load on your laptop to search for available networks (currently only works with Cisco Aironet and Lucent network cards).

    If you decide to do the law library only and decide to loan out wireless cards only, you may want to start with only allowing the registered MAC addresses of the loaned out wireless cards.

    The wireless clients and access points use EAP to authenticate the WLAN client devices and end users against the RADIUS servers. WLAN client devices are configured to use the DHCP protocol for IP configuration. DHCP occurs after the device and end user are successfully authenticated via EAP. After successful DHCP configuration, the wireless end user is allowed access to the network.

    EAP/Radius resolves the following issues:

    1) Wireless packet sniffers: These threats are mitigated by IPSec encryption of wireless client traffic.

    2) Unauthorized access: The only known protocols for initial IP configuration (DHCP) and VPN access (DNS, Internet Key Exchange [IKE], and Authorization policies can be optionally enforced on the VPN gateway for individual user groups.

    3) IP spoofing: Hackers can spoof traffic on the wireless LAN, but only valid, authenticated IPSec packets will ever reach the production wired network.

    Access points can be setup to accept encrypted and unencrypted data.

    WEP has had many papers written on the flaw of its encryption key design.
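
The key-design flaw mentioned in this note, as an added example that is not part of the original presentation: WEP feeds RC4 a per-packet key made of a 24-bit IV (sent in the clear) followed by the shared key, so a repeated IV repeats the keystream. The key, IV and payloads are constructed sample values, and the frame is reduced to IV plus encrypted body.

```python
"""WEP-style per-packet keying: the 24-bit IV and what repeating it costs."""
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """IV (clear) || RC4(IV || key) XOR (payload || CRC-32 integrity value)."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    body = payload + struct.pack("<I", zlib.crc32(payload))
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    payload, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("integrity check failed")
    return payload


def frames_until_iv_repeat(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames with random IVs before a repeat is this likely."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def same_iv_leaks_plaintext_xor() -> bool:
    """Two frames under one IV: XOR of ciphertexts equals XOR of plaintexts."""
    key = bytes.fromhex("0102030405")   # constructed; "64-bit" WEP = 40 secret bits + IV
    iv = b"\x00\x00\x2a"                # constructed IV, used twice
    p1, p2 = b"GET /index.html", b"USER student01 "
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


if __name__ == "__main__":
    print("same IV exposes plaintext XOR:", same_iv_leaks_plaintext_xor())
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat(0.5))
```

A longer shared key does not change this result, because the IV stays 24 bits in both the 64 and 128 bit variants.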

    Also WEP is only a first-hop encryption solution. It is only encrypted up to the access point. Once data is decrypted on the access point it keeps flowing through the Ethernet un-encrypted. When deploying IPSec in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network and the user is required to establish an IPSec tunnel to route any traffic to the wired network. Filters are put in place to prevent any wireless traffic from reaching any destination other than the VPN gateway and DHCP/DNS server. IPSec provides for confidentiality of IP traffic, as well as authentication and antireplay capabilities.

    Confidentiality is achieved through encryption using a variant of the Data Encryption Standard (DES), called Triple DES (3DES), which encrypts the data three times with up to three different keys.

    Though IPSec is used primarily for data confidentiality, extensions to the standard allow for user authentication and authorization to occur as part of the IPSec process.

    Make sure to enable it if you want to use it. Lexis and Westlaw do allow for complete session encryption. You can enable secure connection for Lexis and Westlaw.

    Think of driving on the highway in your own personal tunnel.

    VPN requirements:

    Remote-access VPN client with personal firewall software: A software client that provides end-to-end encrypted tunnels between individual PCs and the wireless VPN gateways; personal firewall software provides device-level protection for individual PCs.

    VPN gateway: Authenticates individual remote users and terminates their IPSec tunnels.

    RADIUS server: Authenticates wireless users terminating on the VPN gateway.

    VPN segregates the wireless network from the wired network.

    Third party wireless systems basically setup a virtual private network. In the case of Reefedge, wireless users are cut off from the wired network. The IP address is given to the wireless user by the Reefedge system off a list of its own IP addresses. The user gets an IP address, but then must authenticate with a username and password to access the wireless network. The Reefedge system monitors devices on the network and can setup different policies for different groups of users.

    You may want to start small and just cover the law library. This way the issue of wireless in the classroom is moot. You may also want to do it as a test to see how wireless works and keep your test area small, which I highly recommend.

    New access points only need Ethernet wiring pulls, since they are powered off the ethernet connection, so you will cut down on the need to pull electrical lines through ceilings. Other access points also have optional separate power units as well. Faculty, staff, and administrative ports will be in constant use, thus justifying the cost of using wired ports.

    The wireless network should be a separate network from the wired network. Will talk about that more later in recommendations.

    It is always important to talk to other law schools' tech people and law library people about what they do. Post a message on teknoids, the law school technical group list. If your school is a standalone school, you may want to consider an outside consultant. You may not have the personnel to design such a network. The RFP to vendors should include a point that the vendor should be responsible or hire an outside group to design the network. You may be able to save money by having the vendor help design the network and then have internal people install the network, which was in our case.

    Always get 3 bids at least. If you are a part of a university, work with their IT people to see if you can get the best possible price. If your university is a Cisco shop for example, you may get a better discount working thru the university's vendor rep.

    Maintenance contracts are a must. If you decide to go with a vendor that also happens to do your network switches, see if you can rework the maintenance agreement to include the wireless. Mention our walkthrough of building with engineer/Plant Department/Telecom.

    802.11b costs depend on whether you want an access point that will support 802.11a as well.

    Yes, the library should be the center point of loaning out cards if it's decided that you will loan out cards. The infrastructure and loan policy is already in place, plus the library has the constant reference desk staffing that an IT department may not have.

    Standards for wireless cards are a must! Though 802.11b is interoperable, focusing on one or two standard wireless cards cuts down on the probability of having problems with certain card drivers. Recommended laptop configurations are very very important. If you can steer students toward laptops with built in 802.11 support, the easier support will be for your IT department. Also, if you have a discount with a specific PC vendor, work with them on laptop configuration with built in wireless or PCMCIA wireless card. Also, talk about standard operating systems for laptops - XP Professional or 2000 Professional. NO WINDOWS ME!

    Documentation and installation instructions are helpful, but offering installation support is a must. Talk about what we did with Open Computer Hours.

    As for technical, you need to watch out for dead zones, areas that the wireless won't work in, due to interference or perhaps incorrectly configured access points where the channels with two access points are too close together, thus causing conflict with signal.

    The "if you build it, they will come" philosophy. If you implement a wireless network, students will bring their laptops into the library or lounges. Battery power will always run out. Students will want outlets. Pure and simple.

    As far as bandwidth, remember the wireless users are sharing an 11 mbps connection, thus it is not taking up as much bandwidth as you might think. However if you have numerous access points in a building being constantly used, there will be a definite increase in bandwidth. Depending on location, you may or may not want access points on their own separate network switch.

    Health Risks - On WLANA's web site, they state the following: "Extensive research on the safety of exposure to radio frequency electromagnetic energy has been carried out for more than four decades. This research is continually reviewed and interpreted by committees of scientists who develop safe limits for exposure. Manufacturers of wireless LANs monitor this research and participate in the consensus standards process and ensure that WLAN products operate within the guidelines of these standards. Consequently, manufacturers of WLAN products believe their products are safe."

    Laptop Operating Systems - again, Windows 2000 Professional or XP Professional.

    Laptop use - Good, less need for additional labs. The bad - more tech support.

    Printing - can print with network operating system client, such as Novell. Can also print to standalone Lexis and Westlaw printers. Looking to do IP printing with Novell 6 with no need for client software.

    A) Some third party wireless security systems such as Vernier's solution say that they can actually setup in their configuration a lockout period where certain wireless access points can be turned off for a period of time.

    B) With certain network switches you can shut off ports for a set period of time.

    C) A potential solution would be to put access points on their own separate switch and give the faculty member the ability to shut the switch off for class.

    Loopholes with this issue - Since wireless access points have a large distance of coverage area, you have to make sure that there are no other access points that can make up for access points shut off in the B or C scenario shown above.

    I am also going to discuss what most of my faculty have said to me here, which is twofold. One, several faculty tell me they know who is on wireless and they make examples of them/call on them in class. Others have said, even if you pull the wireless out, students will do other non classroom related things on their computers (example, I have heard of students watching motion picture DVDs on their computers in class), meaning that if they want to pay attention they will. Also, what happens if one faculty member wants to use the wireless in his classroom for teaching purposes and another doesn't? The signal will overlap.

    Technology is always changing, but it's the access point that will change. Current CAT 5 wiring will support wireless access point technology for years to come.

    As for security, organizations setup wireless networks because the productivity gains outweigh the security vulnerability/concerns.

    You can make your wireless network secure if you are willing to setup the design necessary or use a third party security system.

    Talk about how many schools take public wired access ports for granted while being concerned about wireless. Talk about the ability of hardware sniffers being able to sniff data on a wired network.

    Have a consistent security policy in place.
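
The notes on IPSec deployment describe filters that keep wireless traffic from reaching anything except the VPN gateway and the DHCP/DNS server, and the Final Recommendations slide puts wireless on its own subnet. One way to check a filter list against that policy is sketched below as an added example, not part of the original presentation; the addresses, the rule format and the two sample ACLs are constructed, and IKE on UDP 500 plus ESP are assumed as the VPN protocols.

```python
"""Probe a wireless-subnet ACL against 'VPN gateway and DHCP/DNS only'."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed addressing plan (assumption, not from the presentation).
WIRELESS = ipaddress.ip_network("10.50.0.0/22")
VPN_GW = "10.50.0.1"
DHCP_DNS = "10.50.0.2"
WIRED_HOST = "10.10.4.20"        # a server on the wired production network


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "esp" or "any"
    dst: str                     # destination in CIDR form
    dport: Optional[int] = None  # None matches any port


class Flow(NamedTuple):
    src: str
    proto: str
    dst: str
    dport: Optional[int] = None


def decide(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means deny."""
    # Ingress check on the wireless interface: only wireless clients, or
    # 0.0.0.0 while a client is still asking DHCP for an address.
    booting = flow.src == "0.0.0.0" and flow.proto == "udp" and flow.dport == 67
    if ipaddress.ip_address(flow.src) not in WIRELESS and not booting:
        return "deny"
    dst = ipaddress.ip_address(flow.dst)
    for rule in acl:
        if rule.proto not in ("any", flow.proto):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"


# What the policy requires, expressed as probe flows and expected outcomes.
PROBES: List[Tuple[Flow, str]] = [
    (Flow("0.0.0.0", "udp", "255.255.255.255", 67), "permit"),  # DHCP discover
    (Flow("10.50.1.23", "udp", DHCP_DNS, 53), "permit"),        # DNS lookup
    (Flow("10.50.1.23", "udp", VPN_GW, 500), "permit"),         # IKE
    (Flow("10.50.1.23", "esp", VPN_GW), "permit"),              # IPSec tunnel
    (Flow("10.50.1.23", "tcp", WIRED_HOST, 445), "deny"),       # bypasses the VPN
    (Flow("10.50.1.23", "tcp", VPN_GW, 23), "deny"),            # gateway management
    (Flow("10.10.4.99", "udp", VPN_GW, 500), "deny"),           # spoofed wired source
]

GOOD_ACL = [
    Rule("permit", "udp", "255.255.255.255/32", 67),
    Rule("permit", "udp", DHCP_DNS + "/32", 67),
    Rule("permit", "udp", DHCP_DNS + "/32", 53),
    Rule("permit", "tcp", DHCP_DNS + "/32", 53),
    Rule("permit", "udp", VPN_GW + "/32", 500),
    Rule("permit", "esp", VPN_GW + "/32"),
    Rule("deny", "any", "0.0.0.0/0"),
]

# Weak setting: wireless treated like any other subnet, one port blocked.
WEAK_ACL = [
    Rule("deny", "tcp", "10.10.0.0/16", 23),
    Rule("permit", "any", "0.0.0.0/0"),
]


def audit(acl: List[Rule]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every probe the ACL gets wrong."""
    return [(f, want, decide(acl, f)) for f, want in PROBES
            if decide(acl, f) != want]


if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("WEAK_ACL", WEAK_ACL)):
        print(name, "violations:", audit(acl))
```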