
Macquarie University Wireless Network


Wireless Security

Separate Network

The Wireless network is isolated from the campus by a secure gateway and firewall. Users must supply a valid Student-ID (and myMQ Portal password) or an ICS-ID (through a web browser) before they can access the rest of the network.

The gateway assigns the user a Role based on their attributes in the authentication system(s). Different Roles are assigned different levels of network access and bandwidth.

Protection from eavesdropping

Most people don't realise how insecure computer networks really are. Wireless networks are particularly so because they operate over radio waves. It is quite easy for a knowledgeable person to eavesdrop.

You have to use secure (SSL-enabled) services. Information sent over SSL is encrypted at the application layer, which makes eavesdropping pointless. If a URL begins with https:// (i.e. not http://), then SSL is in use, and data between you and that URL is encrypted. Application-level security is used to protect netbanking websites. Hotmail and Yahoo mail also provide a secure login to protect your user name and password (although e-mail sent or received is not encrypted).

Wireless access to the insecure services on campus has been blocked for this reason. You will need to use the secure alternatives.

| Service | Firewall Action | Recommendation |
|---|---|---|
| Telnet | Blocked. | Use SSH |
| FTP | Anonymous FTP allowed. Authenticated FTP allowed but strongly discouraged. | Use SCP or SFTP |
| IMAP and POP | Blocked. See the section on email | Use IMAPS or POP3S (see email.html) |
| CIFS/SMB (Windows file sharing) | Discouraged. Currently limited to a few servers. | Use SCP or SFTP |
| Printing | To be advised. | |
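
The table above, applied as a check over a list of configured service URLs. This is an added example, not code from the original page; the example.edu hosts, the `classify` and `audit` names, and the set of logins treated as anonymous FTP are assumptions.

```python
from urllib.parse import urlsplit

# Rows transcribed from the table above: scheme -> (firewall action, recommendation).
POLICY = {
    "telnet": ("blocked", "Use SSH"),
    "imap": ("blocked", "Use IMAPS or POP3S"),
    "pop3": ("blocked", "Use IMAPS or POP3S"),
    "smb": ("discouraged", "Use SCP or SFTP"),
}
ENCRYPTED = {"https", "ssh", "sftp", "scp", "imaps", "pop3s"}  # SSL or SSH based
# Assumption: logins conventionally treated as anonymous FTP.
ANONYMOUS = {"", "anonymous", "ftp"}


def classify(url):
    """Return (verdict, advice) for one configured service URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ENCRYPTED:
        return ("ok", "encrypted in transit")
    if scheme == "ftp":
        # Table: anonymous FTP allowed, authenticated FTP strongly discouraged.
        if (parts.username or "").lower() in ANONYMOUS:
            return ("allowed", "anonymous FTP, no personal credentials sent")
        return ("discouraged", "Use SCP or SFTP")
    if scheme == "http":
        return ("cleartext", "not encrypted; use an https:// service")
    return POLICY.get(scheme, ("unknown", "not covered by the table"))


def audit(urls):
    """Return (url, verdict, advice) for every URL that is not encrypted."""
    findings = [(u, *classify(u)) for u in urls]
    return [f for f in findings if f[1] != "ok"]


# Constructed sample configuration; all hosts are placeholders.
SAMPLE = [
    "https://portal.example.edu/login",
    "imap://alice@mail.example.edu",
    "ftp://ftp.example.edu/pub/",
    "ftp://alice@files.example.edu/home/alice",
    "telnet://shell.example.edu",
    "sftp://alice@files.example.edu/home/alice",
]

if __name__ == "__main__":
    for url, verdict, advice in audit(SAMPLE):
        print(f"{verdict:12} {url}  ->  {advice}")
```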


 

Virtual Private Networks (VPN)

Each division is responsible for maintaining their own VPN.

Other Issues

There are also other issues that you need to consider when connecting any device to any network, not just wireless:

Further Reading

The security section of the University of British Columbia (UBC), Canada Wireless Site makes good reading. Many of the ideas presented here come from there.

It is interesting to note that UBC have implemented a new authentication/authorisation system which they call their Campus Wide Login (CWL). The push for this may have come from wireless security needs. As a result, UBC can provide a number of VPN alternatives that our current authentication system is unable to support.

There is a lot of hype about WEP, WEP+, LEAP, PEAP, TKIP, 802.1x and the forthcoming 802.11i security. The security and cross-platform issues seem to make this a dog's breakfast of computer networking. 802.1x may be suitable for a small site where hardware and operating systems can be mandated. This is not the case in universities. It is difficult to find other universities using this model of security.

The 802.11i standard seems to be an attempt to clean up the whole mess with a new architecture called "Robust Security Network" or RSN. "Out of the Box" support for RSN is unlikely to be widespread until 2007.


Copyright & Site information

  • CRICOS Provider No 00002J, ABN 90 952 801 237
  • Last Updated: Wed, 21 Feb 2007 16:14:06
  • Authorised by: ICS Web Coordinator