Securing Wi-Fi in a public library

Q: In a public library environment, what are some methods that would allow us to provide “secure” Wi-Fi access (for Web browsing) to the public, while protecting their privacy and minimizing administration time? – Jeanne, Albany, N.Y.

The Wizards gaze deeply into their crystal ball and respond:

Bob Friday, Airespace

That is a great question, and a timely one, given the launch of the newly constructed Central Library in Seattle a few weeks ago. This is meant to be a flagship for the national library system, blending state-of-the-art architecture with best-of-breed networking technology. Delivering secure, reliable WLAN services proved tricky in the Seattle Public Library environment, given the difficult radio frequency characteristics of the building, the mobile nature of the user base, and the tendency for millions of books to absorb radio waves. That environment revealed several key “best practices” that might be applicable to your library environment:

• Deploy a system that allows multiple Service Set Identifiers (SSID) to run concurrently. A less secure SSID, either completely open or running Web authentication, can be used to provide Web access to library visitors. A more secure SSID, using WPA, 802.1x, or VPNs could be used for library personnel.

• Your wireless network should deploy radio frequency-related security measures that can dovetail nicely into other wireline security tools. Examples of WLAN specific security features include rogue AP detection, location and containment; ad-hoc prevention (to protect against client-to-client communication); user blacklisting; location-based access control; and protection from RF related attacks, such as Man in the Middle and denial of service.

• Real-time management is critical. Due to the difficult RF environment, you should make sure that your WLAN system can adapt to changes in real-time. Things like dynamic channel assignment and AP transit power control will come in quite handy. To minimize administrative burdens, these functions should be ingrained in the system. Relying on site survey tools or scheduled sweeps of the RF could be labor intensive – and not work as expected when live traffic is flowing across your network.

• Use smart antenna technology, such as beam switching, as a way to improve throughput and WLAN reliability. This might be especially desirable if there is a plan to implement voice services alongside traditional data services, as was done in Seattle.

• Centralized WLAN management is also very important. Being able to visualize the RF will help detect and avoid coverage holes. Having a centralized way of creating and enforcing quality-of-service and security policies will dramatically minimize the time (and resources) you devote to administering your wireless network

Keerti Melkote, Aruba Networks

The main problem with enhancing security and privacy is that it usually involves client software, or at a minimum, configuration of the client devices. In a public access network, asking patrons to configure settings such as WEP keys is not practical. One promising technology is that of Secure Socket Layer VPNs. The client piece of an SSL VPN is typically downloaded as a browser-based applet, and is ostensibly client operating system independent. Although SSL VPNs are not transparent to all types of protocols, they do allow Web browsing while encrypting traffic over the air.

Marcel Wiget, Chantry Networks

In order to protect privacy for public access, some sort of user or session encryption is required. An obvious choice in an enterprise environment is to use Wi-Fi Protected Access (WPA) combining Temporal Key Integrity Protocol (TKIP) and 802.1x/EAP. Every user, after being authenticated, is given a unique initial encryption key that is changed over time (simplified here, I recommend reading more about TKIP). In a public environment however, users must be somehow instructed on how to use 802.1x, yet might not have the support in their device for it.

I would recommend using a captive portal without WEP or WPA on one broadcast SSID. This captive portal contains a security warning for using this public access and information on how to use WPA, made ideally available on a hidden SSID. The reason to hide the SSID is not to be “undetectable,” but to make certain that new users don’t end up accidentally on that SSID. Check for wireless systems that either support WPA and captive portal on the same SSID or have multi-SSID support with per SSID authentication and privacy settings.

Rohit Mehra, Bluesocket

Protecting the privacy of library patrons and minimizing administration time needn’t be mutually exclusive goals. By adding a wireless infrastructure solution (such as a wireless gateway, switch or appliance) to secure and manage its WLAN, a library can provide: seamless Web-based authentication to enable patrons to log on to the library’s wireless network using their familiar library card number without staff assistance, access control to limit access to library servers and services to only authorized patrons, and bandwidth management to prevent patrons from hogging the airwaves while downloading large files (MP3 files, videos, etc.). This also provides several options for airlink security to protect staff and patrons’ private information, examples being 802.1x, IPSec, L2TP or PPTP. An alternate but cumbersome approach would be to use multiple SSIDs and virtual LANs to segregate public traffic from that of library staff so as not to compromise internal administrative user data.