
NYURoam Security

As with the wired NYU-NET network, ITS has designed the NYURoam wireless network for maximum security. Once you have properly installed and configured your wireless hardware and software, NYURoam will secure your data transmissions for you. Nonetheless, it is always a good idea to take some extra security precautions when working in any wireless environment, whether at NYU, at home, or in your travels. We recommend that you follow the Steps You Should Take to Enhance Wireless Security, below. For those of you who are interested, the remaining sections on this page outline the technical details of wireless network security practices.

Wireless Security Background

The original wireless Local Area Network (LAN) protocol standard, IEEE 802.11, was inherently insecure. Because 802.11 networks are shared (in effect "hubs"), wireless clients could see each other's traffic. So, unless a wireless user took extra steps to secure (encrypt) their data transmissions, all transmitted information could easily be compromised.

When the IEEE 802.11b standard emerged, it increased wireless LAN bandwidth from 2 Mbit/sec to 11 Mbit/sec and introduced Wired Equivalent Privacy (WEP) as an encryption method for securing wireless LANs. WEP uses either 40- or 128-bit encryption keys to encrypt the data portion of each transmitted IP packet.

WEP was believed to be the answer to 802.11b's security weaknesses. However, early in 2001, computer scientists at the University of California at Berkeley found vulnerabilities in WEP that weakened its security claims. Vendors began searching for a solution. Unfortunately, this led to non-standardized approaches to securing wireless transmissions.

WEP's weakness is that, over time and with the appropriate hardware and software, an attacker can monitor WEP-encrypted traffic and recover the WEP key in use by the wireless clients. Changing the clients' keys frequently goes a long way toward thwarting this. However, WEP is based on a shared-key system. There is also some incompatibility between vendor implementations, and there have been reports that the WEP encryption mechanism can easily be cracked.

Despite this, the two NYU secure wireless LAN models that use WEP are considered "secure" because they use the Lightweight Extensible Authentication Protocol (LEAP), in which wireless clients do not share a common WEP key: a unique key is generated per user and per session. This decreases predictability for an attacker and severely narrows the attack window. The Cisco Aironet-based model offered by NYURoam goes a few steps further, employing additional non-standard security features. The most aggressive of these hashes a unique encryption key per packet rather than per session. Note that a vulnerability in the LEAP protocol was also exposed in 2004. However, the strong password requirements now enforced by NYU ITS mitigate this significantly, because the vulnerability relies on discovering or "cracking" weak passwords.

NYURoam's Secure Wireless Networks

The access points used by NYURoam provide a critical function that allows us to significantly benefit from the existing infrastructure. Our single radio infrastructure can support multiple, logical radio networks and corresponding VLANs (Virtual LANs) on the wired network.

NYURoam currently consists of three wireless services, defined by access method. They support the following wireless access models:

  • Users with Cisco Aironet NICs & client
  • Users with Macintosh AirPort NICs & client
  • Users with generic 802.11b or 802.11g standard NICs using a Virtual Private Network (VPN) client

No matter how subtle the distinction between security models, each one must be handled as a separate logical network.

Steps You Should Take to Enhance Wireless Security

  • As an added level of protection, use "secure applications" whenever possible. In the case of telnet, we recommend the use of an SSH client. You can find a list of free SSH clients at: http://www.nyu.edu/its/security/ssh/. Most of the SSH applications also support SCP (Secure Copy) or SFTP, which are secure replacements for FTP. Their use is also encouraged.
  • As a general practice, you should consider protecting the content of your email messages. For the highest level of security for mail content, you should use PGP (Pretty Good Privacy, a public key encryption program). For information and a free copy of PGP you can go to: www.pgpi.com.

Also note that when accessing NYUHome using the wireless network, you benefit from the fact that the login information is already encrypted via the SSL (Secure Socket Layer) protocol. However, individuals who prefer POP- or IMAP-oriented email clients transmit their username (NetID) and password in clear text to their email server. Under normal circumstances this is a huge vulnerability, and a prime example of why our efforts to secure and encrypt wireless data transmissions are of the utmost importance. Despite the "in the clear" transmission of this sensitive information, NYURoam (when accessed as we recommend on this website) will protect this data from hackers.
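As an added illustration of the clear-text problem described above (example code written for this page, not an NYU ITS tool), the following scans reconstructed POP3/IMAP client command streams and reports which commands carried a NetID and password before any TLS upgrade. The session transcripts are constructed samples.

```python
"""Flag POP3/IMAP sessions that send credentials in clear text (no STLS/STARTTLS first)."""
import re

# Constructed transcripts: one client command per line, as a capture tool would
# reconstruct them for one TCP stream.  Not real NYU traffic.
SESSIONS = {
    "pop-plain":      ["USER jdoe", "PASS hunter2", "STAT"],
    "pop-stls":       ["STLS", "USER jdoe", "PASS hunter2"],
    "imap-plain":     ["a1 LOGIN jdoe hunter2", "a2 SELECT INBOX"],
    "imap-starttls":  ["a1 STARTTLS", "a2 LOGIN jdoe hunter2"],
    "imap-sasl-plain": ["a1 AUTHENTICATE PLAIN", "AGpkb2UAaHVudGVyMg=="],
}

POP_CRED = re.compile(r"^(USER|PASS)\s", re.I)
IMAP_CRED = re.compile(r"^\S+\s+(LOGIN\s|AUTHENTICATE\s+PLAIN\s*$)", re.I)
UPGRADE = re.compile(r"^(STLS|\S+\s+STARTTLS)\s*$", re.I)

def cleartext_credentials(commands):
    """Return the commands in one stream that exposed credentials on the wire."""
    leaked, want_payload = [], False
    for cmd in commands:
        if want_payload:              # SASL PLAIN payload is base64: encoded, not encrypted
            leaked.append(cmd)
            want_payload = False
            continue
        if UPGRADE.match(cmd):
            break                     # everything after STLS/STARTTLS travels inside TLS
        if POP_CRED.match(cmd) or IMAP_CRED.match(cmd):
            leaked.append(cmd)
            want_payload = "AUTHENTICATE" in cmd.upper()
    return leaked

def audit(sessions=SESSIONS):
    """Map each session name to the list of exposed credential commands."""
    return {name: cleartext_credentials(cmds) for name, cmds in sessions.items()}
```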

Further information about computer and network security is available on the Computer and Network Security pages: http://security.nyu.edu/.

How Does Each Model Work?

Cisco Aironet & Macintosh AirPort

The Cisco and Macintosh service offerings are very similar. Users with either a Cisco Aironet or Macintosh AirPort NIC will connect to the wireless network using an authentication method known as LEAP (Lightweight Extensible Authentication Protocol). The distinction between the two arises from the fact that the Cisco Aironet NIC/Client can support additional, non-standard wireless security features. All of these additional features are enabled on the access points.

The element common to both is LEAP. This is how LEAP works:

  • The user's wireless client connects to a nearby access point.
  • The access point blocks all unauthenticated attempts by the client to gain access to network resources. The authentication process starts when the client sends an EAP-start message, which happens when you open your wireless client software.
  • The access point then replies with an EAP "request identity" message to obtain the client's authentication information. This is where the user supplies a NetID and password via the wireless client software. Until the client has authenticated, only IEEE 802.1X traffic is forwarded. Protocols such as DHCP, HTTP, FTP, SMTP and POP are blocked.
  • When mutual authentication of the access point and the client is successfully completed, the authentication server and the client determine a Wired Equivalent Privacy (WEP) key that is distinct to the client and provides the appropriate level of network access, approximating the level of security inherent in a wired switched segment to an individual desktop. The client software loads this key and prepares to use it for the logon session.
  • The authentication server sends the WEP key, called a session key, over the wired LAN to the access point.
  • The access point encrypts its broadcast key with the session key and sends the encrypted key to the client, which uses the session key to decrypt it.
  • The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.
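The exchange above, as an added Python model that is not part of this page or of Cisco's LEAP implementation: the access point's controlled port drops DHCP/HTTP until a session key exists, the key is derived per user and per session from the password and two fresh nonces (a constructed KDF standing in for LEAP's own derivation, with only the server-side challenge shown), and the broadcast key is wrapped with the session key before delivery. The key wrap is a toy HMAC keystream, also a constructed stand-in.

```python
"""Model of the 802.1X / LEAP flow: closed controlled port, per-session key, wrapped broadcast key."""
import os, hmac, hashlib

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def session_key(password: str, ap_nonce: bytes, client_nonce: bytes) -> bytes:
    """Constructed KDF: both client and authentication server can compute it."""
    return mac(password.encode(), ap_nonce, client_nonce)[:13]   # 104-bit WEP key material

def wrap(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy key wrap (XOR with an HMAC-derived keystream); stands in for the AP's cipher."""
    return bytes(a ^ b for a, b in zip(data, mac(key, nonce)))

class AccessPoint:
    def __init__(self, users: dict):
        self.users = users              # stands in for the authentication server on the wired LAN
        self.broadcast_key = os.urandom(13)
        self.sessions = {}              # client -> session key; presence opens the controlled port
        self.forwarded = []

    def forward(self, client: str, proto: str) -> bool:
        """Controlled port: only 802.1X (EAPOL) passes until the client has authenticated."""
        if proto != "eapol" and client not in self.sessions:
            return False                # DHCP, HTTP, FTP, SMTP, POP ... are dropped here
        self.forwarded.append((client, proto))
        return True

    def authenticate(self, client, netid, client_nonce, respond):
        """Compressed EAP exchange: request identity, challenge, response, then key delivery."""
        ap_nonce = os.urandom(16)
        password = self.users.get(netid)
        if password is None or respond(ap_nonce) != mac(password.encode(), ap_nonce, client_nonce):
            return None
        key = session_key(password, ap_nonce, client_nonce)   # arrives from the server over the wire
        self.sessions[client] = key
        wrap_nonce = os.urandom(16)
        return ap_nonce, wrap_nonce, wrap(key, wrap_nonce, self.broadcast_key)

def client_login(ap: AccessPoint, client: str, netid: str, password: str):
    """Return the broadcast key the client recovers, or None if authentication failed."""
    client_nonce = os.urandom(16)
    ap.forward(client, "eapol")         # EAP-start: the only traffic allowed at this point
    result = ap.authenticate(client, netid, client_nonce,
                             lambda chal: mac(password.encode(), chal, client_nonce))
    if result is None:
        return None
    ap_nonce, wrap_nonce, wrapped = result
    key = session_key(password, ap_nonce, client_nonce)   # client's own copy, never sent over the air
    return wrap(key, wrap_nonce, wrapped)
```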

Virtual Private Network (VPN)

For those using generic 802.11b standard NICs and software clients, we authenticate the user and secure radio-transmitted data through a Virtual Private Network (VPN) client. The user connects ("associates") to an access point without any encryption. The user then starts a VPN client on their device and establishes a VLAN between the access point and a VPN Concentrator. The user then authenticates and creates an IPSec connection to one of our VPN concentrators. At that point, all data moved between the client and the concentrator is encrypted. The concentrator then permits access onto NYU-NET proper and the Internet.

Page last reviewed: August 23, 2006