Securing Wi-Fi in a public library

Wireless Wizards
By The Wireless Wizards, July 12, 2004 01:22 PM ET

Q: In a public library environment, what are some methods that would allow us to provide "secure" Wi-Fi access (for Web browsing) to the public, while protecting their privacy and minimizing administration time? - Jeanne, Albany, N.Y.

The Wizards gaze deeply into their crystal ball and respond:

Bob Friday, Airespace

That is a great question, and a timely one, given the launch of the newly constructed Central Library in Seattle a few weeks ago. This is meant to be a flagship for the national library system, blending state-of-the-art architecture with best-of-breed networking technology. Delivering secure, reliable WLAN services proved tricky in the Seattle Public Library environment, given the difficult radio frequency characteristics of the building, the mobile nature of the user base, and the tendency for millions of books to absorb radio waves. That environment revealed several key “best practices” that might be applicable to your library environment:

  • Deploy a system that allows multiple Service Set Identifiers (SSID) to run concurrently. A less secure SSID, either completely open or running Web authentication, can be used to provide Web access to library visitors. A more secure SSID, using WPA, 802.1x, or VPNs, could be used for library personnel.
  • Your wireless network should deploy radio frequency-related security measures that can dovetail nicely into other wireline security tools. Examples of WLAN-specific security features include rogue AP detection, location and containment; ad-hoc prevention (to protect against client-to-client communication); user blacklisting; location-based access control; and protection from RF-related attacks, such as Man in the Middle and denial of service.
  • Real-time management is critical. Due to the difficult RF environment, you should make sure that your WLAN system can adapt to changes in real time. Things like dynamic channel assignment and AP transmit power control will come in quite handy. To minimize administrative burdens, these functions should be ingrained in the system. Relying on site survey tools or scheduled sweeps of the RF could be labor-intensive – and not work as expected when live traffic is flowing across your network.
  • Use smart antenna technology, such as beam switching, as a way to improve throughput and WLAN reliability. This might be especially desirable if there is a plan to implement voice services alongside traditional data services, as was done in Seattle.
  • Centralized WLAN management is also very important. Being able to visualize the RF will help detect and avoid coverage holes. Having a centralized way of creating and enforcing quality-of-service and security policies will dramatically minimize the time (and resources) you devote to administering your wireless network.
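As an added illustration (not part of the column or any vendor's product), the following Python sketch audits a multi-SSID access point configuration against the public/staff split recommended above. It assumes a hostapd-style config file, which the column does not mention; the SSID names and bridge names are constructed placeholders, and `ap_isolate` is used here as a stand-in for blocking client-to-client traffic.

```python
"""Audit a hostapd-style multi-SSID config against a public/staff split."""

# Constructed sample config (not from the column). Option names are real
# hostapd.conf keys; the SSIDs and bridge names are placeholders.
SAMPLE_CONF = """\
interface=wlan0
ssid=Library-Public
wpa=0
ap_isolate=0
bridge=br-lan
bss=wlan0_1
ssid=Library-Staff
wpa=2
wpa_key_mgmt=WPA-PSK
bridge=br-lan
"""

def parse_bss_sections(text):
    """Split the config into one dict of options per SSID (BSS)."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "bss" and current:  # a 'bss=' line starts an additional SSID
            sections.append(current)
            current = {}
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    return sections

def audit(text, staff_ssids):
    """Return a sorted list of (ssid, finding) tuples; empty means compliant."""
    findings = []
    sections = parse_bss_sections(text)
    public_bridges = {s["bridge"] for s in sections
                      if "bridge" in s and s.get("ssid") not in staff_ssids}
    for s in sections:
        ssid = s.get("ssid", "?")
        encrypted = s.get("wpa", "0") != "0"
        if ssid in staff_ssids:
            if not encrypted or "WPA-EAP" not in s.get("wpa_key_mgmt", "").split():
                findings.append((ssid, "staff SSID is not using WPA with 802.1X"))
            if s.get("bridge") in public_bridges:
                findings.append((ssid, "staff SSID shares a bridge with a public SSID"))
        elif s.get("ap_isolate", "0") != "1":
            findings.append((ssid, "public SSID allows client-to-client traffic"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONF, {"Library-Staff"})` reports three findings for the sample; a config with isolation on the public SSID, `WPA-EAP` on the staff SSID, and separate bridges returns an empty list.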

Keerti Melkote, Aruba Networks

The main problem with enhancing security and privacy is that it usually involves client software, or at a minimum, configuration of the client devices. In a public access network, asking patrons to configure settings such as WEP keys is not practical. One promising technology is that of Secure Socket Layer VPNs. The client piece of an SSL VPN is typically downloaded as a browser-based applet, and is ostensibly client operating system independent. Although SSL VPNs are not transparent to all types of protocols, they do allow Web browsing while encrypting traffic over the air.