Authentication Gets Into Stanford

So Stanford built more advanced authentication into its wireless LAN, which is deliberately separate from the wired Gigabit Ethernet campus backbone. The authentication architecture uses a combination of an authentication server appliance from start-up Perfigo, the university's MAC address database, a homegrown single sign-on scheme called S/Ident and a Kerberos authentication infrastructure. When a user comes within range of a Cisco Systems access point, he or she gets a pop-up client login screen and then authenticates to the wireless LAN. The university's homegrown client package, called Leland, uses Kerberos to encrypt the user's credentials for transmission to the authentication server.

Wireless users bring their own PCs or laptops and 802.11b wireless interface cards, and Stanford's network services group offers the service at no charge to departments that purchase 16 wired ports under Stanford's managed campus network service. The alternative is a $31 monthly fee for wireless alone. So far, the university's education, humanities and sciences departments, as well as its medical and law schools, are the main wireless customers, along with a couple of dorms. This summer, Stanford will begin offering wireless access in some public spots on campus, including White Plaza, a popular gathering place for student demonstrations and fraternities.

But Stanford's wireless LAN hasn't quite caught on like the university had expected. There are only about 1,000 users out of 17,000 students and 8,000 faculty. Although the network services group has installed some 300 Cisco access points around campus, it has another 300 devices sitting unused in storage. Reese says his group envisioned wireless replacing the wired network for some applications, but that just hasn't happened. "It's because the campus is so well-wired already. People are taking their laptops out in the sun to read their e-mails with wireless, but when they do genetic analysis, they still use the wired network," Reese says. The Gigabit Ethernet backbone shoots 100 Mbps to the desktop, so it's tough to trade that for 10 megabits of wireless when you're running genetic algorithms and other demanding calculations.

What, No More Free Beer?

Network security has become more strategic for Stanford and other universities because they've changed the way they do business. Like many major universities, Stanford maintains closer ties to businesses and other universities for research collaboration, which requires carefully managing who can access what. Stanford's administration also runs a new ERP (enterprise resource planning) system--PeopleSoft Student Administration combined with Oracle Financials--which drove the addition of the firewalls that now sit inside the network to protect sensitive data. It's a sign of the times: The days of free beer and open access to all university data are fading. Authorized access to data will increase, but unauthorized access will be curtailed, Reese says.Today, guest faculty and other official visitors access Stanford's wireless LAN using guest accounts assigned by their hosts. "A guest doesn't show up in our MAC address database but gets an ISP IP address instead of a Stanford one," Reese says. "He or she can then use the network but not access resources that are restricted, like the library."

When Reese and his team first evaluated authentication options last year, they had three main criteria--the solution had to be inexpensive, it couldn't rely on proprietary client software and it had to be compatible with Stanford's Kerberos infrastructure. "Loading a client on thousands of computers would be a huge undertaking," Reese says. "We wanted authentication, not to kill our helpdesk."

But some operations at the university require a client package for authentication. The medical school is using Perfigo's optional SecureSmart client package so it can meet the encryption requirements of the Health Insurance Portability and Accountability Act (HIPAA), and the business school is next in line to go with the Perfigo wireless client. Although the Perfigo client is relatively lightweight, the medical school has set up its own helpdesk to handle support.

The wireless network meets the wired one at a main hub on campus, and the wireless segments are divided into eight areas. But Stanford has found that even within a wireless area, a user can lose his wireless connection if he travels to a nearby building. Then he has to authenticate all over again. "You should be able to close your laptop and walk from one office to another in the same area," Reese says. The problem could relate to how different laptop manufacturers handle hibernation mode, he says, but no one is certain why it happens. So Stanford gave Perfigo its internal APIs to integrate its S/Ident client with the SecureSmart servers. Now the servers automatically request the user's encrypted--and cached--credentials from the client machine. So if you lose a wireless session, Reese says, you don't have to authenticate all over again.

Reinventing WirelessLike the rest of Silicon Valley, Stanford has suffered from the IT industry downturn. Departments face budget cuts of nearly 10 percent this year. So the original justification for wireless--that it's the next big thing--doesn't wash anymore (see The Hard Sell, page 79). Instead, wireless is now being considered as a way to cut infrastructure costs. Instead of wiring new buildings with more cable, the university may equip the buildings with wireless access points. But that's still under debate, since the wireless bandwidth isn't enough for every academic application, and buildings with concrete-lined walls or other physical interference can't support wireless access points.

Stanford will also phase out its homegrown Leland client in the next year or two, Reese says. It may go with a Web-based authentication scheme, or an IPsec (IP security)-based VPN tunnel to the wireless LAN. "Or the next generation of wireless devices may have a whole other solution," Reese says.

Post a comment or question on this story.

Tell us about you Network and we may profile it in a future issue. Send e-mail to [email protected] or call (516) 562-5914.

End users protested the loudest when Stanford University first beefed up authentication to the wireless LAN. "They had been using wireless without doing anything, so there was a bit of noise about it," says Phil Reese, director of network services. But once the Perfigo authentication was integrated with the users' Leland client, the noise died down, he says.

Stanford's key decision-makers in IT and security were on board with the wireless authentication plans from day one. "I got the blessing right away, so it was only a matter of finding the right solution at the right price point," Reese says.

Reese and his network services team spent about $200,000 on the Cisco access points and Perfigo SecureSmart servers, which was right in line with the budget. His team went door-to-door on campus, alerting everyone about the new authentication procedure, with notices and information on how to authenticate to the wireless LAN.

The next battleground is moving authentication into the two dorms on campus that are running wireless tests. The residences don't have the new authentication technology, though it's coming. The plan is to add a SecureSmart appliance to each of those buildings. "We need to win that battle, and I think we will," he says.

With the university's new firewalls on the wired network and beefed-up authentication on the wireless one, security is becoming more a part of Stanford's culture.A year ago, it was a battle just to deploy firewalls. "Now we're deploying one every couple of weeks," Reese says. Security technology is considered a priority, even with the university's budget constraints. "In a period of tight budgets, there's even more interest in security. No one wants to get a bad internal audit," Reese says.

Phil Reese -- Director of network services, Stanford University, Palo Alto, Calif.

Phil Reese, 51, runs Stanford University's Gigabit Ethernet backbone and 802.11b wireless LAN. His duties include overseeing the equipment and support for both networks, and expanding the security architecture for the wireless LAN. He also handles new initiatives, such as studying voice-over-IP for the university. Reese has been with Stanford for one year and in the IT field for 14 years. He holds a bachelor's degree from the University of Wisconsin-Madison, a master's from Stony Brook University and a Ph.D. from the University of California-Berkeley.

Next Time, I'll: Scour more for vendor offerings in this area. We could find only four vendors, but once I had made my decision, 10 different vendors called. I'd also involve the users and university more in the rollout. Even though we let LAN administrators know about the deployment and put up signs in the areas that would be affected, the day of the introduction, people were saying, "You didn't tell us this was coming."

Biggest Security Hole: Conventions and large meetings that come to campus. The attendees want to get wireless, but they may or may not have their NICs registered. That hasn't been a problem securitywise so far, but it's only a matter of time.Biggest Mistake Made in Technology Circles Today: Not having a full plan. Sometimes people start going with an idea and get too far into it before they realize they didn't get the proper sign-offs for the project; then they are stuck with their resources spread too thinly.

Best Advice: Pay attention to the reason for a technology deployment rather than to the technology itself.

For Fun: I've got broadband at home but have yet to find the end of the Internet, even after repeated attempts.

Wheels: Five-year-old Saturn station wagon. It's safe and inexpensive to maintain.