Wireless LAN Upgraded to Better Serve the Campus Community By S.K. Tsui

CityU has been offering the Wireless LAN (WLAN) service since 1997. The population of registered WLAN clients has increased more than ten folds from less than 200 at the beginning to more than 3000 clients now.

WLAN technology is changing rapidly and new standards are emerging in the market. Products with higher speed and rigid security are becoming affordable. As our WLAN is already 7 years old, it is about time to replace the old WLAN system with a new one in order to provide more bandwidth and better performance in a more secure way for the benefit of our users.

The Project

The project was started in June 2005 and expected to take several months to complete. The intelligent wireless LAN switching solution from Aruba has been employed to replace the old Vernier Authentication Server and low speed Orinoco Access Points (APs). Initially 400 new APs will be installed to provide a wider coverage than the previous 250 APs by extending to areas such as laboratories within departments.

Our first phase of the implementation will include all existing areas and we expect to complete the set up of the new WLAN and replacement of APs before Semester A of 2005/06. Existing authentication methods (Web and VPN logon) that we are familiar with are still available in the new system. Users may notice that a new login page is displayed when their PCs are attached to the new system.

As the migration period will take quite long, we shall try our best to keep the transition as smooth as possible to avoid any service interruption. If you encounter any difficulties in using the WLAN service during the upgrade period, please contact our CSC Help Desk or write to ccwlan@cityu.edu.hk for our action.

Advantages of the New System

1. Better speed and flexibility
   
   The old system supports only IEEE802.11b (11Mb throughput) while the new system conforms to all IEEE 802.11a (54 Mb), b (11Mb) and g (54 Mb) standards. This provides our users with a broader choice of WLAN products from various manufacturers.
   
   
2. Improved Network Security and Privacy
   
   
   1. Wireless Firewall and Intrusion Protection
      
      The nature of wireless networks makes them attractive to intruders or hackers. The latter may want to gain free access to the campus network, steal data or even disrupt wireless communication. Such activities can be achieved by using simple tools. Two common intrusions and how our new system can deal with them are described below:
      
      
      1. Gain free access to the campus network and/or steal data through Rouge AP
         
         Rouge AP is defined as those APs not registered in our central WLAN system. Hence we don't have any control over these APs and do not know where and what they are used for. Rouge AP may be APs set up by our staff, students or even intruders/hackers.

         If any of our clients attaches to the rouge AP that belongs to a hacker, all the traffic will go through the rouge AP and the intruder can capture sensitive data such as user names and passwords.

         Though they may not be intentionally offering open access wireless connections to the public, our staff or students may bring their own APs and connect them to the campus network without enabling any security mechanism. Thus, intruders may use different probe tools to scan for these unsecured Rouge APs to enable them to gain free access to the campus network without going through any authentication process.

         Fortunately, the new system is capable of detecting rouge AP and has options to dissociate clients attached to it. This can safeguard our WLAN users from leaking their information to unknown parties and protect our network from unauthorized access.

      2. Disrupt wireless communication
         
         Intruders may use different tools to perform Denial of Service Attacks (DoS) to the APs or the control system to disrupt wireless communications.

         In this respect, the new system employs a number of techniques to detect and prevent such wireless attacks.

   2. Rigid authentication and encryption methods
      
      Other than the VPN logon method provided in the current WLAN service, the new system offers more rigid authentication and encryption methods such as WPA and WPA2 to enhance network security and privacy, making the hackers even harder to decrypt the contents of the data sending over the air.
      
      
3. Centralized and Intelligent AP Management Provide Better Performance and Availability
   
   The new system utilizes a central control unit to manage and control all the APs installed. The control unit will keep monitoring the status of each AP and controls the transmission power and frequency channel of individual AP to minimize interferences from each other. Moreover, if any AP fails to work, the control unit will instruct the adjacent APs to increase their transmission power to take up the coverage automatically.
   
   
4. Voice over IP (VoIP) and Video Support
   
   The new system has many built-in features to support VoIP and video applications. However, as these applications are very time-sensitive, it will take us some time to properly configure all equipment involved, to study their limitations, and to iron out various timing issues on different devices before a large-scale deployment can be made.

Copyright© Computing Services Centre, City University of Hong Kong. Best viewed in 1024x768 with IE. Javascript enabled. Last modified on Thursday, 20-Aug-09 16:50:52 .