With the number of devices accessing its wireless LAN poised to explode, the Jordan School District in Utah deployed a wireless intrusion prevention system (WIPS)
Ron Bird, network and technical services manager for the 50,000-student school district, said the state of Utah and several of the district’s individual school principals are considering equipping every middle school and high school student with laptops or other devices for the duration of their time at the schools. Today, students only access the wireless LAN through rolling computer labs that travel from one class to another for testing and special projects.
Bird’s priority was to select a wireless intrusion prevention system to secure the network, and he evaluated several vendors, including Cisco Systems, Fluke’s AirMagnet Enterprise and AirTight Networks. He first selected AirTight’s wireless intrusion prevention system, but early in the installation, Bird decided to re-evaluate his choice.
“We rolled out about 30 sensors from AirTight and realized that we needed spectrum analysis,” Bird said.
Initially, Bird was going to buy a mobile RF spectrum analysis kit, but he soon realized that wouldn't be enough for a network his size. He had a team of three technicians to manage a wireless LAN consisting of 1,300 access points across 55 schools, not to mention 800 switches and 60 routers and 25,000 total devices.
“We need to be as efficient as we can for three guys to manage a network that size,” Bird said.
HP, Bird's wireless LAN infrastructure vendor, didn't have an RF spectrum analysis product on the market yet, though one was in the works. “Their newest access points have spectrum analysis chips in them, but the software to run that isn’t even available yet on their controllers,” he said.
More on wireless intrusion prevention systems and RF spectrum analysis
Wireless intrusion prevention system: Overlay versus embedded sensors?
WLAN testing: Wireless intrusion prevention systems and centralized testing tools
Wireless LAN troubleshooting: How to get proactive
So Bird stopped his AirTight wireless intrusion prevention system installation and switched to Fluke’s AirMagnet Enterprise product, which also features RF spectrum analysis capabilities. To date, he has deployed 65 of the 200 AirMagnet sensors he’s purchased, providing WIPS and spectrum analysis across seven schools. Ultimately, the school system will need 300 sensors to cover all of its sites.
Pinpointing interference with RF spectrum analysis
Prior to the AirMagnet installation, users would blame the wireless LAN every time there was a performance problem, but the network was rarely the issue, according to Bird. At one particular middle school, wireless LAN availability would disappear in several classrooms at what seemed to be random times of day. Bird’s technicians would go to the school each time, only to find the problem had resolved by the time they arrived.
Finally, a technician waited at the school for several hours until the network went down. He roamed from room to room, visually inspecting for sources of interference, before identifying several wireless cameras in one particular classroom.
“Unknown to us, a teacher had gone out and purchases some wireless cameras,” Bird said. “He put them in his classroom because he would record his classes and put them online so students could look at them later. Every time he turned on the cameras, we would get a call from the school that the wireless was down.”
With AirMagnet’s RF spectrum analysis capabilities, Bird’s technicians no longer have to go hunting for potential sources of wireless interference.
“With the placement of sensors throughout the schools, we actually know which area of the school a device is interfering with the network, whether it’s a camera or a microwave,” Bird said.
“We found some HVAC equipment at one of the schools that had ZigBee devices on them. Those devices collect data and broadcast it at certain times of day to say, ‘This is the data I collected and here is how I’m functioning.’ Then they go back to sleep for awhile. [The signal] wasn’t strong, but it was strong enough that it did cause some interference. I hadn’t even heard of Zygby devices until we got AirMagnet out there and started snooping around [for interference].”
Wireless instruction prevention system helps with policy and access control
Wireless intrusion prevention was Bird’s original priority when he started consulting with vendors like AirMagnet and AirTight, but the technology also offers network access control functions.
“A lot of our schools are in neighborhoods and we know that our wireless network is visible. We didn’t really have a way to protect the network," said Bird. "We had SSIDs and passwords … and we’re close to having Active Directory implemented so we can have usernames and passwords. But I wasn’t confident that we had good security on our wireless.”
AirMagnet’s wireless intrusion prevention system has given him visibility into that airspace and set policies for wireless access. For instance, the system can detect devices in bridging mode. “I’m not sure whether they are bridging to another device in our network or outside, so we block that,” Bird said. Bird’s team has also scanned the floor plans of all 55 schools and is integrating that with AirMagnet so that he can set location-based policies.
“I want to configure AirMagnet to say if you are within the school or 20 to 50 feet outside of the school you can connect to our wireless network only, but if you are beyond that perimeter, you cannot connect to our access points,” he said.
The wireless intrusion prevention system has also shed light on some dubious behavior by some of the schools’ neighbors, Bird said. For instance, he can spot nearby SSIDs with questionable names and pinpoint their locations, particularly those who might be trying to tempt students to connect.
“This individual who has a filthy SSID -- there is no doubt in my mind that he knows he is broadcasting that SSID and I think he’s trying to attract kids to connect, who will because they are curious,” Bird said. “We haven’t done anything about it yet, but we could cause some problems for his SSID. That’s a good way to protect our kids.”
Let us know what you think about the story; email: Shamus McGillicuddy, News Director