Policy on Wireless Networks

Reviewed By: Administrative Council on December 03, 2001
Approved By: President Karnig on January 22, 2002

Source / Authority

Responsible Departments:
Information Security Officer: 909/537-7262
Telecommunications and Network Services: 909/537-5135
Vice President for Information Technology Services: 909/537-5099

Background

Wireless Local Area Networks (WLANs) are becoming extremely popular because of their relatively minor cost for deployment and the mobility that it provides for users.  As a result, WLANs are expanding rapidly on all CSU campuses.  In fact, the low cost of deployment was one main reason why CSUSB will deploy its first WLAN in the existing student housing residence halls at the beginning of Fall Quarter 2001.  Institutions who have deployed this technology have come to realize that, although this technology is extremely attractive, it can create other serious security and privacy problems; just about anyone can set up an operational WLAN in a few minutes by installing a low cost wireless access node.

  • With the deployment of WLAN, two major concerns regarding issues of security are
  • access control and privacy, and
  • conflict or interference between wireless devices.

Security issues arise because wireless devices transmit data by using radio waves that travel through ceilings, floors and walls, and which can be easily detected and intercepted by unauthorized users located at a significant distance.  Wireless networks use a standard wireless security protocol, known as Wired Equivalent Privacy (WEP), to prevent eavesdropping (by using encryption) and to prevent unauthorized access to the wireless network.  However, several studies have concluded that the 40-bit encryption used by WEP has serious security problems.   These security flaws make it easier to decipher wireless traffic or inject traffic into a wireless network from an unauthorized mobile computer.  This can result in a serious violation of privacy rights -- for instance, FERPA -- if a wireless device is being used to access non-public information such as students' social security numbers or university faculty/staff personal records.  However, there are options that can provide additional security; however, these require the proper configuration and use of ancillary wireless networking products and the deployment of additional telecommunications infrastructure.

The problem of interference or conflict between wireless devices appears when the devices are installed without taking into consideration the proximity of other wireless devices.  Wireless devices present an installation challenge since they must share the available limited airwaves on the campus, which must be used for the benefit of the entire campus community.

The deployment of the first WLAN on campus signals the beginning of "anywhere-anytime" access to telecommunications resources and services provided by the campus.   The demand for the availability of wireless services in other parts of the campus presents a situation that will require careful planning and coordination in order to ensure that the user is not confronted with the need for different applications, logins, passwords, etc., in order to gain access to services from different locations on campus.  The effort to provide this level of accessibility and service will require the deployment of compatible hardware and application software across all WLANs on campus.

Purpose

The purpose of this policy is to manage the deployment of wireless network products and services across the campus.

Policy

Wireless communications become an extension of the CSUSB telecommunications network; and, thus, it is subject to all applicable state and federal laws and to all related CSU and CSUSB policies.

All requests for the deployment and use of a wireless network on the CSUSB campus, whether or not directly or indirectly connected to the CSUSB telecommunications network, shall be reviewed and approved by the Information Security Office before its deployment.  The Information Security Officer will ensure that all practical procedures and safeguards have been considered for preventing the unauthorized use of the WLAN; and, furthermore, that its use will not expose the campus to potential security compromises and privacy violations.

Wireless networking products and services are an extension of the telecommunications network currently provided by the Telecommunications and Network Services Department (TNS).  TNS currently purchases and installs all core networking hardware and services for the campus community.  In an effort to maintain the integrity, interoperability and performance of these services for the campus, all wireless networking products and services will be designed, procured, and installed by TNS.

The requirements

  • that requests for deployment and use of a wireless network be reviewed and approved by the Information Security Office before deployment and
  • that all wireless networking products and services be designed, procured, and installed by TNS

shall not apply to faculty or faculty-supervised deployment and use of a wireless network which has received prior approval by the Information Resources and Technology Committee of the Faculty Senate.   In reviewing requests for faculty or faculty-supervised use of a wireless network, the Committee shall take into account the potential security, interference, and compatibility implications of that deployment or use.

Enforcement

As indicated in the "Acceptable Use Policy for Electronic Communications," the university reserves the right, without notice, to limit, restrict or terminate telecommunication services and to remove equipment when it is necessary in order to protect the integrity, security or functionality of the university's telecommunication services.

University faculty, staff, and students who violate this policy may be subjected to disciplinary action following established university channels for disciplinary matters.   Violators are subject to any and/or all the following:

  • Termination of telecommunication services.
  • University disciplinary action.
  • Removal of wireless equipment if necessary to protect the integrity, security or functionality of the university's telecommunications services.
  • Sanctions for violations to other applicable CSU and CSUSB policies.