By Baselinemag | Posted 2003-11-01
Wireless local-area networks are notoriously insecure. But that's not stopping companies from cobbling together technologies.
Wi-Fi for Gen Y
St. John's University
Executive Director for Information Technology
New York, N.Y.
Manager's Profile: Tufano oversees information-technology planning and operations at the five-campus private university with 18,000 students. His team supports 2,900 on-campus computers as well as Web-based applications, some of which give students wireless access to pay fees and look up grades online.
Why Wi-Fi: University leaders decided all students should be provided with laptops and Internet access "for educational reasons," Tufano says. Because students spend much of their time in common areas such as the library, "it made no sense to try to provide Internet access without wireless."
The Project: This past spring, Tufano's team began rolling out a wireless network that will eventually cover "all areas of the university except two parking garages and outdoor athletic fields. And we're looking at those."
The Cost: $7 million covers the wireless network on campus plus IBM ThinkPad notebook computers given to 3,000 freshmen. In part to pay for the program, St. John's increased tuition by 10% this year.
The Original Security Plan: Tufano hoped to protect Wi-Fi traffic with a version of the interim 802.1x protocol called the Protected Extensible Authentication Protocol (PEAP). He says St. John's picked that protocol over Cisco's version of the standard-in-the-making—called LEAP—because "PEAP has much broader industry support, while LEAP is more proprietary to Cisco."
What Had to Change: Because he couldn't be sure that all student laptops would initially be able to work with PEAP, Tufano came up with a revised security plan: Protect faculty and administrator laptops with PEAP; use less-secure static 128-bit encryption keys that rely on the Wired Equivalent Privacy (WEP) standard; and authenticate the Internet addresses of student machines before allowing access to the network.