
Technical Standards and Operational Requirements for Wireless Data Networks

1. Supported protocols and standards
2. Security Precautions
3. Authentication
4. Address Translation
5. Access Point Addresses
6. Access Point Radio Frequency Channels
7. Access Point Radio Frequency Interference
8. Wireless Base Station Naming Convention
9. Additional Security Issues
10. Shared Resources

Enterprise Networking
Office of Information Technology
The Ohio State University

June 29, 2004

These technical standards and operational requirements for wireless data networks have been established under the university policy on deployment and use of wireless data networks.

Contact OIT Network Engineering or Network Security through 8-help for assistance in implementing, evaluating, or recommending changes to these standards, requirements, and recommendations.

1. Supported protocols and standards

Currently, three wireless data network standards are supported for use on the Ohio State University campus. These are:

a. 802.11b (with speeds of up to 11Mbps)

b. 802.11g (a proposed extension to 802.11b allowing speeds of up to 54Mbps)

c. 802.11a (a different approach, allowing up to 70Mbps)

Other protocols and standards will be added as they are developed and evaluated.


2. Security Precautions

a. To protect user communications and the campus network, traffic through campus wireless access points should be encrypted whenever possible. VPN technologies are more robust than WEP encryption and are preferred. However, if a VPN solution is not available, WEP encryption at 128 bits when possible, with a key of no less than 5 characters, is recommended. Due to the inherent weaknesses in WEP technology, the use of rotating or dynamic WEP keys is highly recommended.

b. The university policy requires logging all access to ensure that users can be identified. If the access point cannot supply the needed information, you can use an external authentication device to comply with the requirement.


3. Authentication

Some form of authentication is required. The use of technologies such as LEAP and PEAP is strongly recommended. If these approaches are not practical, MAC address filtering may be used. If MAC address filtering is used, the administrator of the wireless access point must register users and maintain registration records for at least 30 days after a user becomes inactive.


4. Address Translation

a. Whenever possible, private non-routable addresses and network address translation (NAT) should not be used with wireless access points. Instead, an OSU unit should use addresses from currently allocated address blocks for wireless access point clients. Please contact the OIT Network Operations Group through 8-help (688-HELP, or 8help@osu.edu) if additional IP addresses are needed for wireless access.

b. If an access point does not work without private addresses or NAT, the addresses to be used must be registered during the access point registration process.


5. Access Point Addresses

For security and operational integrity reasons, wireless access points must use a permanent static IP address in a routable address space. This means that access points may not use addresses dynamically assigned from a pool by a DHCP server.


6. Access Point Radio Frequency Channels

a. The radio frequency channels used in the 802.11b and 802.11g standards are not completely discrete. There is substantial overlap of the channels and this requires careful engineering and coordination to avoid interference and service degradation among adjacent wireless access points.

b. In general, with 802.11b only channels 1, 6, and 11 do not overlap each other and are the best choice for general use. However, multiple adjacent access points on any one of these channels may interfere with each other. When you configure or update an access point you must specify the channel you intend to use as a part of the access point registration process. OIT will confirm your choice or request a channel change within three business days of registration.
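The channel guidance above can be checked mechanically. The following is an added example, not code from the page or from OIT: it models the 2.4 GHz channel geometry (channel centres 5 MHz apart, an 802.11b channel occupying roughly 22 MHz, which are standard figures not stated on the page), confirms that channels 1, 6 and 11 are the only mutually clear set, and flags neighbouring access points whose channels overlap. The AP names, the adjacency list and the `channel_conflicts` function are constructed for illustration.

```python
from itertools import combinations

# 2.4 GHz channel geometry (standard facts, not taken from the page):
# channel n (1..13) is centred at 2407 + 5*n MHz, and an 802.11b channel
# occupies about 22 MHz, so two channels overlap when their centres are
# closer than 22 MHz. Channels 1, 6 and 11 sit 25 MHz apart, hence clear.
BASE_MHZ = 2407
SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22


def center_freq(channel):
    """Centre frequency in MHz of a 2.4 GHz channel number (1..13)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside 1..13")
    return BASE_MHZ + SPACING_MHZ * channel


def channels_overlap(a, b):
    """True when the two channels' spectra overlap (the same channel counts)."""
    return abs(center_freq(a) - center_freq(b)) < CHANNEL_WIDTH_MHZ


def is_clear_set(channels):
    """True when no pair of channels in the set overlaps, e.g. {1, 6, 11}."""
    return not any(channels_overlap(a, b) for a, b in combinations(channels, 2))


def channel_conflicts(plan, neighbors):
    """Find neighbouring APs whose channels overlap and need re-planning.

    plan: {ap_name: channel}. neighbors: iterable of (ap, ap) pairs that are
    within radio range of each other (constructed here; in practice it comes
    from a site survey). Returns a sorted list of conflicting (ap, ap) pairs.
    """
    within_range = {frozenset(pair) for pair in neighbors}
    conflicts = []
    for a, b in combinations(sorted(plan), 2):
        if frozenset((a, b)) in within_range and channels_overlap(plan[a], plan[b]):
            conflicts.append((a, b))
    return conflicts


# Constructed sample: three APs on one floor, all within range of each other.
# The third AP was put on channel 3, which overlaps both 1 and 6.
SAMPLE_PLAN = {"be-ap-oitnsec-449": 1, "be-ap-oitnsec-450": 6, "be-ap-oitnsec-451": 3}
SAMPLE_NEIGHBORS = list(combinations(SAMPLE_PLAN, 2))

if __name__ == "__main__":
    print("channels 1/6/11 mutually clear:", is_clear_set({1, 6, 11}))
    for a, b in channel_conflicts(SAMPLE_PLAN, SAMPLE_NEIGHBORS):
        print(f"{a} (ch {SAMPLE_PLAN[a]}) overlaps {b} (ch {SAMPLE_PLAN[b]})")
```

Note that `channel_conflicts` reports two APs on the same clear channel as a conflict as well, which matches the page's caveat that adjacent access points on any one of 1, 6 or 11 may still interfere with each other.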


7. Access Point Radio Frequency Interference

While the Federal Communications Commission regulates the use of the bands used by access points, it does not license use of the frequencies. Other devices that use the same frequencies may disrupt wireless data network communications, and wireless data communications may interfere with these devices. The frequencies used by the 802.11b standard are in the unlicensed 2.4 GHz Industrial, Scientific and Medical (ISM) band. Future implementations of other 802.11 standards are planned for other unlicensed bands. Other devices that also use these unlicensed bands include cordless telephones, cameras, microwave ovens, cordless speakers, sprinkler control systems, traffic light signaling and others. In the event of interference, OIT Enterprise Networking will attempt to negotiate an acceptable compromise.


8. Wireless Base Station Naming Convention

All campus wireless access points must be installed using the following naming convention to identify themselves both on the wireless network (SSID) and on the campus wired network. The naming convention assigns names based on three identifiers:

[Building ID]-ap-[Group ID]-[Unique ID].[Domain]

Building ID

This is the campus building ID (2 - 3 letters), as shown on the official campus map. The campus building numeric ID can be used instead of the letter designation, prefixed with the letter N.

Examples: BE or N280 = Baker Systems Engineering, HI = Hitchcock Hall

ap

This is a constant identifier for APs, and provides a standardized character string to help identify Access Points.

Group ID

This is a string of up to 10 characters which should identify the group and/or department responsible for the AP. The string should include some type of abbreviation of both the group and department, if the AP is installed by a group and not by the department's IT group.

Example: OITNSEC = OIT Network Security Group

Unique ID

This should be a unique identifier for the AP, limited to up to 5 characters. The room number where the access point is located can be used, although this does divulge the exact location of the AP. Therefore, the room number should only be used as the unique ID if the AP is in a fully secured room. Alternatively, the administrator's room number can be used instead.

Example: 449 (secure room #), F2NE1 (floor 2, northeast 1)

Domain

Example: net.ohio-state.edu, the domain used by Enterprise Networking

Example: a station BE-AP-OITNSEC-449 should be registered as be-ap-oitnsec-449.net.ohio-state.edu on the OIT 8help wireless registration form. During the registration process the AP will be registered in the OSU Domain Name Service (DNS).
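A small validator for the naming convention helps a department administrator check a name before submitting the registration form. This is an added example, not code from the page or from OIT. It encodes only what the convention states (2 to 3 letter building ID or N plus the numeric ID, the constant `ap`, a group ID of up to 10 characters, a unique ID of up to 5 characters, then the domain); restricting the group and unique IDs to letters and digits, and the function names, are assumptions made here.

```python
import re

# Regular expression derived from the convention on the page:
#   [Building ID]-ap-[Group ID]-[Unique ID].[Domain]
# Building ID: 2-3 letters, or "N" followed by the numeric building ID.
# Group ID: up to 10 characters. Unique ID: up to 5 characters.
# Limiting both IDs to letters and digits is an assumption; the page only
# gives their lengths, but the name must also be a valid DNS hostname.
AP_NAME_RE = re.compile(
    r"^(?P<building>[a-z]{2,3}|n[0-9]+)"
    r"-ap-"
    r"(?P<group>[a-z0-9]{1,10})"
    r"-(?P<unique>[a-z0-9]{1,5})"
    r"\.(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)$"
)


def parse_ap_name(fqdn):
    """Split a registration name into its identifiers, or return None.

    Names are compared case-insensitively because the page registers
    BE-AP-OITNSEC-449 as be-ap-oitnsec-449.net.ohio-state.edu.
    """
    match = AP_NAME_RE.match(fqdn.strip().lower())
    return match.groupdict() if match else None


def is_valid_ap_name(fqdn):
    return parse_ap_name(fqdn) is not None


def build_ap_name(building, group, unique, domain="net.ohio-state.edu"):
    """Assemble the lowercase registration name and validate it."""
    name = f"{building}-ap-{group}-{unique}.{domain}".lower()
    if not is_valid_ap_name(name):
        raise ValueError(f"name does not follow the convention: {name}")
    return name


def registration_notes(fqdn):
    """Advisory notes for the registrant, per the page's guidance on unique IDs."""
    parts = parse_ap_name(fqdn)
    if parts is None:
        return ["name does not follow the naming convention"]
    notes = []
    if parts["unique"].isdigit():
        # The page allows a room number here only if the AP is in a fully
        # secured room, since the number divulges the AP's exact location.
        notes.append("unique ID looks like a room number; use only if the room is fully secured")
    return notes


if __name__ == "__main__":
    name = build_ap_name("BE", "OITNSEC", "449")
    print(name, parse_ap_name(name), registration_notes(name))
```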


9. Additional Security Issues

a. When setting up the SNMP management for an access point, choose robust passwords for both the private and public SNMP strings. Do NOT use the default passwords for either the private or public passwords. Even the ability to read SNMP data from the access point may give an attacker valuable information. Passwords should be a minimum of 8 characters long.

b. On some access points, the SSID or radio name of a base station can be suppressed for additional security.

c. If a wireless access point can offer DHCP addresses on the wired network as well as the wireless, this feature must be disabled. It will often interfere with currently configured DHCP servers, and may cause serious network interruptions.

d. Default access point management IDs and passwords must be changed. If possible, web interfaces should be moved off the default port, and they must be password protected. Again, passwords should be a minimum of 8 characters long.

e. If an access point cannot be properly secured by changing its configuration, a firewall must be used to prevent access to the AP's management or administrative interface.
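The requirements of sections 2, 5 and 9 can be reduced to a checklist that is run against an access point's configuration before it is registered. The following is an added example, not code from the page or from OIT: `audit_ap` takes a plain dictionary describing one AP (the key names and the two sample configurations are constructed here, not a real vendor format) and reports each requirement it fails, distinguishing the page's "must" items from its recommendations. The sample routable address is a documentation-range placeholder.

```python
import ipaddress

# Section 4/5: "private non-routable addresses" is read here as RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Section 9a: vendor default community strings must not be used; these two are
# the near-universal defaults (an assumption about vendors, not from the page).
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_PASSWORD_LEN = 8   # sections 9a and 9d
MIN_WEP_KEY_CHARS = 5  # section 2a


def is_private_nonroutable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_ap(cfg):
    """Return a list of (severity, message) findings; severity is 'must' or 'should'."""
    findings = []

    # Section 2a: encrypt; VPN preferred, else 128-bit WEP, key >= 5 chars, rotating keys.
    enc = cfg.get("encryption", "none")
    if enc == "none":
        findings.append(("must", "wireless traffic is not encrypted"))
    elif enc == "wep":
        if cfg.get("wep_key_bits", 0) < 128:
            findings.append(("should", "WEP key is shorter than 128 bits"))
        if len(cfg.get("wep_key", "")) < MIN_WEP_KEY_CHARS:
            findings.append(("must", f"WEP key is shorter than {MIN_WEP_KEY_CHARS} characters"))
        if not cfg.get("wep_dynamic_keys", False):
            findings.append(("should", "static WEP keys in use; rotating or dynamic keys recommended"))

    # Section 5: permanent static address in routable space, never from a DHCP pool.
    if cfg.get("ip_assignment") != "static":
        findings.append(("must", "management address is not statically assigned"))
    addr = cfg.get("ip_address")
    if addr is None or is_private_nonroutable(addr):
        findings.append(("must", "management address is not in routable address space"))

    # Section 9a: SNMP community strings, read and write, non-default and >= 8 chars.
    for role in ("snmp_read", "snmp_write"):
        community = cfg.get(role, "")
        if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_PASSWORD_LEN:
            findings.append(("must", f"{role} community string is a default or too short"))

    # Section 9c: a DHCP server on the wired side must be disabled.
    if cfg.get("wired_dhcp_server", False):
        findings.append(("must", "DHCP server is enabled on the wired interface"))

    # Section 9d: default admin credentials changed, >= 8 chars, web UI protected and off its default port.
    if cfg.get("admin_password_is_default", True) or len(cfg.get("admin_password", "")) < MIN_PASSWORD_LEN:
        findings.append(("must", "admin password is a default or shorter than 8 characters"))
    if cfg.get("web_mgmt_enabled", False):
        if not cfg.get("web_mgmt_auth", False):
            findings.append(("must", "web management interface is not password protected"))
        if cfg.get("web_mgmt_port") in (80, 443):
            findings.append(("should", "web management interface is still on its default port"))
    return findings


def is_compliant(cfg):
    """True when no 'must' requirement fails (section 9e would then call for a firewall)."""
    return not any(sev == "must" for sev, _ in audit_ap(cfg))


# Constructed sample configurations (not real devices).
WEAK_AP = {
    "encryption": "wep", "wep_key_bits": 64, "wep_key": "abc", "wep_dynamic_keys": False,
    "ip_assignment": "dhcp", "ip_address": "192.168.1.20",
    "snmp_read": "public", "snmp_write": "private",
    "wired_dhcp_server": True,
    "admin_password_is_default": True, "admin_password": "admin",
    "web_mgmt_enabled": True, "web_mgmt_auth": False, "web_mgmt_port": 80,
}
HARDENED_AP = {
    "encryption": "vpn",
    "ip_assignment": "static", "ip_address": "198.51.100.7",  # placeholder, documentation range
    "snmp_read": "r0-oitnsec-example", "snmp_write": "w1-oitnsec-example",
    "wired_dhcp_server": False,
    "admin_password_is_default": False, "admin_password": "long-example-passphrase",
    "web_mgmt_enabled": True, "web_mgmt_auth": True, "web_mgmt_port": 8443,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(label, "compliant" if is_compliant(cfg) else "NOT compliant")
        for sev, msg in audit_ap(cfg):
            print(f"  [{sev}] {msg}")
```

An AP that still fails a "must" item after its configuration has been corrected is the case section 9e addresses: its management interface has to be placed behind a firewall rather than registered as-is.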


10. Shared Resources

Shared resources such as printers, servers, etc., should not be added directly to the wireless network.
