Wireless Requirements and Procedures
Information Technology (IT) is responsible for ensuring the stability, performance, integrity, and security of the University of Massachusetts Boston (UMass Boston) network infrastructure in support of UMass Boston’s mission of education, research, and service. Wireless network technologies increasingly play an important role in extending the campus-wide wired data network by reducing the requirements of physical infrastructure, bringing important benefits in convenience, flexibility, and ubiquitous access. Wireless networking enables users to keep laptop and handheld devices connected to the UMass Boston data network in nontraditional locations (e.g., outdoor spaces).
Most commonly used wireless data network equipment operates within the non-licensed portions of the radio frequency spectrum, which is a finite resource shared by all campus users. Although the Federal Communications Commission (FCC) does not license or control the use of these frequencies, standards for their use are necessary to prevent radio frequency interference (RFI) that disrupts other devices that legitimately use these frequencies. For example, the frequencies used by most wireless devices are in the unlicensed 2.4 GHz Industrial, Scientific, and Medical (ISM) band. Devices legitimately using this band include cordless telephones, PDAs, microwave ovens, sprinkler systems, and traffic signals. Moreover, in confined and highly populated areas, RFI from incompatible uses of wireless equipment can result in significant service degradation that limits network access by all members of the UMass Boston community. When deploying wireless services, interference in these frequency bands must be anticipated and dealt with through careful engineering to ensure service quality and reliability for enterprise-wide network use and support.
Wireless network access poses significant risks to campus network security and to the protection, integrity, and reliability of data, including instructional, research, financial, personal, operational, and other sensitive data, that are maintained on or served from university information systems. These radio transmissions can be intercepted by radio receiving devices and the data captured by individuals without university authorization. University owned, leased, or operated wireless devices connected to university network infrastructure must be carefully installed and administered to manage these security risks.
The purpose of this wireless policy is to explicate how wireless devices will be installed and operated to protect the integrity, reliability, service quality, and security of the entire UMass Boston network, and to ensure as ubiquitous wireless coverage as possible in public campus spaces for all members of the UMass Boston community.
This UMass Boston policy is in compliance with the Board of Trustees policy T97-010 (passed February 5, 1997; last revised September 23, 2005) Policy Statement on Data Security, Electronic Mail, and Computer Policy Development, which requires that each campus of the University of Massachusetts (UMass) develop and implement policies, standards, and guidelines related to data security, electronic mail, and acceptable use of computing and data resources. This wireless policy should be read in conjunction with the University of Massachusetts Boston Campus Network and Server Security Policy, which is available online at the IT website.
This policy is subject to change as new technologies and processes emerge.
Ad hoc wireless connection – connection of a computer or peripheral to a network without the use of a wireless router or a router and a wireless access point; typically used for smaller networks, such as a home network.
802.xx standard – Institute of Electrical and Electronics Engineers (IEEE) family of networking standards that covers the physical layer specifications of technologies from Ethernet to wireless. For example, 802.11 covers Wireless Local Area Network Media Access Control and Physical Layer specifications.
Media access control (MAC) address – the unique identifier attached to most network devices for security purposes.
Strong password – passwords easily guessed by an authorized user or computer are known as weak or vulnerable passwords; passwords very difficult or impossible to guess are considered strong. A strong password is sufficiently long, random, and producible only by the user who chose it. It is recommended that passwords use a combination of lower and upper case letters, digits, and symbols (e.g., w5Prti%3T).
UMass Boston computers and networked resources – include all computers and network resources (e.g. routers, switches, print servers, remote access servers) owned, leased, or operated by or on behalf of UMass Boston, as well as all systems directly connected to IT-maintained networks or systems on networks that receive network service from UMass Boston (e.g., campus local area network connections, modem pools, virtual private network connections).
Wireless access point (WAP) –spread spectrum radiofrequency wireless device or technology that provides a common connection point for devices in a wireless network. A WAP uses transmit and receive antennas instead of plug in connector ports for access by multiple users of the wireless network. A WAP can be connected to the wired network to bridge between the campus backbone and a wireless network. A WAP that is connected to the UMass Boston network but not managed by IT is known as an independent WAP.
Wireless client – hardware and software that is installed in a desktop, laptop, handheld, portable, or other computing device to allow it to communicate with a WAP, providing an interface to a wireless network.
Wireless network or wireless local area network (WLAN) – type of computer network spanning a relatively small area (e.g., a single building or group of buildings) that uses high frequency radio waves rather than wire to communicate between nodes (e.g., computer, printer, wired network).
Statement of Policy
As the central support entity for the UMass Boston campus-wide wired and wireless data networks, IT is assigned the following responsibilities and authority concerning the deployment and use of university owned, leased, or operated wireless devices:
- All uses of wireless local area networks, WAPs, and wireless clients on the UMass Boston campus, and at any remote location directly connected to the campus network, must comply with all applicable federal, state, and local laws, rules, and regulations pertaining to wireless networks, with all applicable UMass policies, standards, and guidelines, and with the University of Massachusetts Boston Campus Network and Server Security Policy, which is available online at the IT website.
- IT is solely responsible for the installation, operation, repair, replacement, and security of UMass Boston’s wireless network as an extension of the campus-wide wired network. To ensure the technical coordination required to provide the best possible wireless network for UMass Boston, academic and administrative departments may purchase and install WAPs that comply with IEEE standards and with the deployment and security standards detailed in the UMass Data and Security Standards only after appropriate consultation with IT. Consultation services include pre-engineering review, site survey, review and evaluation of hardware and software to be purchased, and the design of appropriate security schemes. IT is available to install WAPs and to design and implement security schemes for academic and administrative services. There is no charge for these consultation and installation services.
- All WAPs connected to university infrastructure must be registered with IT and must comply with the technical standards and naming conventions specified by IT. The registration process requires information including the responsible university unit and designated liaison, as well as the location, purpose, and technical and operational information about the WAP. Registration can be accomplished using the online form located at the IT website. Such registration is intended for the identification of the WAP, to facilitate communications between all parties responsible for wireless network support and operation, and to ensure compliance with all applicable UMass policies, standards, and guidelines, as well as federal, state, and local rules and regulations.
- Although IT will provide and manage wireless infrastructure for the UMass Boston campus, each academic or administrative unit is responsible and accountable for the operation of any wireless devices within their physical or administrative areas of responsibility. This includes independent WAPs and other wireless devices. Therefore, deployment of wireless devices must be approved in writing by the responsible administrator (i.e., vice chancellor, dean, director, chairperson) of the unit responsible for the area where the wireless device is located.
- Ad hoc wireless connections are not permitted on any computer connected to the campus wired or wireless network infrastructure. These types of connections are inherently insecure and pose a risk to UMass Boston’s computing environment. IT will periodically perform network scans for unregistered WAPs. If an unregistered WAP is identified, or if a WAP is identified that does not appear to be compliant with this policy, then IT personnel will attempt to contact the appropriate individual to register the WAP or to bring the wireless device into compliance. If contact cannot be made, IT personnel are authorized to temporarily disconnect the WAP or device from the UMass Boston network until such time as the access point is properly registered and fully compliant.
- Wireless devices deployed and used in a legitimate and compliant manner by one unit (e.g., teaching about or pursuing sanctioned research into wireless technologies) may not be compatible with another unit’s legitimate and compliant use of wireless devices (e.g., wireless network access) or may be incompatible with UMass Boston’s data network and security systems. In these cases, IT will assist units with engineering efforts necessary to resolve the incompatibility issues or to negotiate an acceptable compromise arrangement. If resolution cannot be achieved, then IT is authorized to temporarily disconnect the wireless device from UMass Boston network pending resolution after consultation with proper university officials.
- As with access to the campus wired network, access to the campus wireless network or to Internet services through independent WAPs must require user authentication and authorization for university faculty, staff, and students, as well as provide provisioning services for HTTP only and HTTPS with rate limiting for guests. The independent WAP must also provide automatic logging or these connections. Logs should be maintained for at least 90 days and should include at least the identity of the user or equivalent information, the date and time of access, and the IP address assigned for the session. Logging and user authentication capabilities of WAPs provides the necessary data to investigate specific security incidents as required by the UMass Boston network security policy and by the University of Massachusetts Computer, Network, and System Records, Logs, and Structures Policy.
- Any unauthorized use of the campus wireless network is prohibited. Unauthorized uses include: attempts to sniff or capture wireless data, attempts to disrupt or jam the wireless network, altering a wireless client media access control (MAC) address to attempt to evade security, attempts to break into or gain unauthorized access to any computers or systems from a wireless connection, installing a personal WAP on the network, mass emailing (spamming) on the wireless network, running servers on the wireless network, or any type of denial of service attack using the wireless network.
- In an emergency situation, IT is authorized to take whatever reasonable steps are necessary, including denial of network access, to protect the integrity and security of the UMass Boston data network and systems, safeguard the safety of university community members and property, and protect UMass Boston from liability
- Disputes arising because of this policy should be directed to the CIO. Matters that cannot be resolved will be directed to the provost and senior vice chancellor for academic affairs whose decision will be final.
Recommended Wireless Computing Habits
The risks of wireless communications can be minimized through good wireless computing habits. Following the guidelines below will decrease these risks.
- The campus wireless network has been designed and implemented as an adjunct to the wired data network and should not be used as one’s primary network connection. The wireless network is best used for light and brief network access needs (e.g., Web browsing, reading email).
- When submitting a username, password, credit card number, bank account number, or social security number on a website through a wireless network, make sure the website uses Secure Socket Layer (SSL) encryption to protect data being sent back and forth between the wireless client and the website.
- A wireless network connection must not be used to access any UMass Boston or UMass business application (e.g., PeopleSoft web services) or system that contains private, restricted, or confidential data (e.g., student information) even if an encrypted communication protocol and secure transport protocol are being used. WAPs will be programmed to disallow access to high-risk business applications and data systems.
- Changing a password should only be done from a non-wireless device (e.g., desktop computer) connected to the wired campus network.
- Turn off any drive sharing on a computer when using the wireless network. If sharing of files and drives is necessary, make sure to use a strong password to protect the drive shares.
- Users should connect to the wireless network only when they are actively using the network, allowing the maximum number of IP addresses to be available for others to access the network.
- Research groups and labs should be aware that the terms and conditions of some federal grants and contracts specifically include data protection and confidentiality. Data protection and confidentiality cannot be guaranteed on a wireless network.
- All wireless access must be in conformance with the UMass Boston Information Technology Acceptable Use Policy, which is available from the IT website, as well as the applicable UMass policies, standards, and guidelines.
- IT provides up to date information for the campus community on the IT webpage concerning security issues related to the use of wireless devices. In addition, IT provides support for the campus community through the IT Service Desk for the selection of wireless cards, configuration of PCs, and network connectivity issues.