The Nuts & Bolts of Purple Air

WARNING: Techie Talk to follow!

Williams College Wireless provides convenience and mobility, but it also presents several security challenges. Security for 802.11 networks can be broken down into three categories: the authentication framework, the authentication algorithm, and data frame encryption. The technology behind Purple Air focuses on the authentication framework and data frame encryption.

network diagram

Current authentication in the 802.11 standard is focused more on WLAN connectivity than on verifying user or station identity. For enterprise wireless security to scale to hundreds or thousands of users, the current method of authentication must be replaced by an authentication framework that supports centralized secure user authentication.

Williams uses 802.1x on the network to better protect users from security breaches. Since wireless traffic is sent over the air, it is easy for someone to intercept it; the WPA/WPA2 session keys negotiated during 802.1x authentication encrypt this traffic so that it is far more difficult to make sense of. Encrypted traffic may still be intercepted, but it cannot be easily decoded.

The 802.1x standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. The actual algorithm that is used to determine whether a user is authentic is left open and multiple algorithms are possible.

Purple Air uses one of the EAP methods covered by the Wi-Fi Protected Access Enterprise certification (WPA/WPA2 Enterprise), the Protected Extensible Authentication Protocol (PEAP), for the message exchange during the authentication process.

PEAPv0/EAP-MSCHAPv2 is the technical name for what people most commonly refer to as “PEAP”. There are several variants of PEAP. After EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP method in the world, which is one of the reasons we chose to deploy it.

When connecting to Purple Air with 802.1X, a user (known as the supplicant) requests access to an access point (known as the authenticator). The access point forces the user (actually, the user’s client software) into an unauthorized state that allows the client to send only a PEAP start message. The access point returns a PEAP message requesting the user’s identity. The client returns the identity, which is then forwarded by the access point to the authentication server, which uses an algorithm to authenticate the user and then returns an accept or reject message back to the access point. Assuming an accept was received, the access point changes the client’s state to authorized and normal traffic can now take place.
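The exchange described above, as an added example that is not part of the original article or OIT's software: a small model of the three 802.1X parties in which the access point's controlled port starts unauthorized, drops ordinary traffic until the authentication server answers accept, and never judges credentials itself. The "PEAP start message" in the text is the EAPOL-Start frame; the account database, user name and frames are constructed for illustration, and the identity and inner MSCHAPv2 steps are collapsed into one relayed response.

```python
from dataclasses import dataclass, field

SERVER_USERS = {"wstudent": "correct-horse"}   # constructed account database

@dataclass
class AuthServer:
    # Stands in for the central RADIUS server that runs the PEAP inner method.
    users: dict
    def authenticate(self, identity, secret):
        return "ACCEPT" if self.users.get(identity) == secret else "REJECT"

@dataclass
class Authenticator:
    # The access point: it never judges credentials, it only relays and gates.
    server: AuthServer
    port_state: str = "UNAUTHORIZED"
    log: list = field(default_factory=list)

    def receive(self, frame):
        kind = frame["type"]
        if self.port_state == "UNAUTHORIZED" and kind not in ("EAPOL-Start", "EAP-Response"):
            self.log.append(f"dropped {kind}: port unauthorized")
            return None                      # anything but EAP is discarded
        if kind == "EAPOL-Start":
            return {"type": "EAP-Request/Identity"}
        if kind == "EAP-Response":
            # The real exchange sends the identity first and then runs MSCHAPv2 inside
            # a TLS tunnel; both steps are collapsed into one relayed response here.
            if self.server.authenticate(frame["identity"], frame["secret"]) == "ACCEPT":
                self.port_state = "AUTHORIZED"
                return {"type": "EAP-Success"}
            return {"type": "EAP-Failure"}
        self.log.append(f"forwarded {kind}")
        return {"type": "DATA-ACK"}          # ordinary traffic on an authorized port

def run_session(identity, secret):
    # Replay one client's frames; return (final port state, replies, log).
    ap = Authenticator(AuthServer(SERVER_USERS))
    frames = [
        {"type": "DATA", "payload": "http-get"},   # too early: must be dropped
        {"type": "EAPOL-Start"},
        {"type": "EAP-Response", "identity": identity, "secret": secret},
        {"type": "DATA", "payload": "http-get"},   # allowed only after EAP-Success
    ]
    replies = [ap.receive(f) for f in frames]
    return ap.port_state, replies, ap.log
```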

Anyone with a Williams account can use 802.1x; however, there are restrictions on client technology:

OIT supports the following Operating Systems with 802.1x:
Microsoft Windows XP/Vista
Macintosh Mac OS 10.4.1 (Tiger) or later.

Other operating systems, such as Ubuntu, will work with Purple Air but are not supported by OIT.

Williams’ implementation of 802.1x technology requires a wireless network card that supports Wi-Fi Protected Access (WPA/WPA2). Please refer to our online support page for additional information.

Some of the above information was drawn from Wikipedia.

Disaster Recovery Plan

If a major disaster hit the Williams campus, what would happen to our computer networks? Which services and systems are essential and would need to be restored as quickly as possible, and which ones could wait longer? What steps could we take now to minimize the impact of a disaster?

Networks & Systems had a busy summer answering these questions and revising OIT’s disaster recovery plan. Jesup is a vital hub in the College’s network, and houses most of our servers and wireless controllers. If Jesup were partially or totally destroyed, the network would be crippled. Creating a redundant hub located away from Jesup that could replicate the College’s most critical services became our top priority in preparing for disaster recovery.

What if Jesup were destroyed?


Working with the College’s administrative offices, we determined which services and systems counted as critical, and prioritized them into categories:

Level 1 – critical services that must be restored within 72 hours with minimal data loss. Data is backed up regularly in a co-location facility in Albany.
Level 2a – critical services to be restored immediately following Level 1 services, with a larger tolerance for data loss. Data is backed up in a co-location facility in Albany, but less frequently than Level 1.
Level 2b – services to be restored after Level 2a systems that do not require off-site backups.
Level 3 – systems that can wait until new equipment is purchased.

We are working with facilities to prepare a data closet that will store enough servers and storage to replicate all Level 1 and 2a services. The redundant systems are not as powerful as the main ones, but will be adequate to carry us through a disaster until new hardware can be procured.

The data closet equipment will be a combination of physical and virtual servers. Properly configured virtual servers can be quickly and easily migrated from one environment to another. Level 1 and 2a systems will either have their data replicated in the closet, or be synchronized with remote data sources so that they can continue to function. Although our original plan gave us 72 hours to get these systems up and running, our new configuration will allow us to get all Level 1 services restored within 8 hours or less, and possibly all Level 2a systems by the next business day.

In addition to the servers and storage array, we will also be moving some core network gear into this facility. By moving a core router into the data closet, we should be able to keep about 70-80% of our wired network buildings up. After patching fiber, we could get all but a few buildings back online. We also plan to move half of our wireless controllers away from Jesup. That way, if we lost Jesup, we would still be able to support nearly 500 of our 800 access points. By purchasing additional controllers at the time of the disaster, we could increase that coverage to nearly 100%.

Printing Quota

In a previous article, we talked about why Williams decided on a printing quota. In this one, we’ll focus on how it will be implemented.

Student allotment

Free printing per semester:

Underclassmen: $50
Seniors: $75

This is equivalent to 500 (750 for seniors) black-and-white double-sided pages worth of free printing, which according to the data we collected last semester, should meet the needs of 90% of all students with no change in printing habits.

At the end of each period (semester, winter study, and summer), any unused portion of the free allotment will be removed, and a new allotment will be credited at the beginning of the next period. Any remaining purchased printing credits will be carried forward each semester during your time at Williams.

Uncollected printouts from Sawyer library

Collaboration station in Jesup 316

You can log in to your PaperCut account (http://papercut.williams.edu) at any time from on-campus to check how much printing you have left.

Running low

If you are getting close to using up your allotment, you will be notified three times by email that you are approaching the end of your print allotment: once when your account credit drops below $10.00 (about 100 double-sided pages remaining), again at $5.00, and finally at $2.50.

If you do not have enough pages in your current allotment for a print job, a pop-up notification will alert you and you will not be able to print it on a networked printer until you add credits to your account.

Buying more printing credits

Online:

  1. Log in to your PaperCut account with your username and password.
  2. Click on “Add Credit Online” on the left hand side.
  3. Select an amount from the drop down and click the “Add Value” button.
  4. Fill in the credit information.

Via the Bursar’s Office:

  1. Purchase a $5, $10, $20, $50, or $100 PaperCut redemption card from the Bursar’s Office in Hopkins Hall.
  2. After purchasing the card, log in to your PaperCut account.
  3. Choose Redeem Card from the left-hand side menu.
  4. Enter the number on the front of the card and your account will be credited for the value on the card.

Printing for departments & organizations

Student groups and organizations can obtain a shared printing account, or pre-pay for printing credits. Alternatively, a student organization may opt to assign someone to print on their behalf. It is then up to the student to be reimbursed by the organization.

If you have student workers that print on behalf of your department, you should request a departmental account. After it is created, your student workers will be able to select the departmental account when they print. You will receive a weekly report showing the printing activity associated with the account.

To set up an account for your department or organization, email printadmin@williams.edu. You will be asked to provide a list of students that are allowed to print using the account.

For more information, visit the Printing @ Williams FAQ.

Purple Help & Purple Air

The Office for Information Technology is excited to announce the launch of two new wireless network spaces, Purple Help & Purple Air.

Purple Help is the network we suggest all wireless users connect to first when arriving on campus. Once connected, launch a web browser of your choice and you’ll be redirected to our online support site for wireless. There our wireless community will find detailed instructions on how to connect to our new secure wireless network, Purple Air.

You may be asking yourself, “Why does the college want or need this new Purple Air wireless network thing?” This is a fair question that deserves an answer. Purple Air will offer very strong over-the-air security for the entire time a user is connected to campus wireless. The purpose is to make it nearly impossible for others to eavesdrop on you. We at OIT feel very strongly about protecting your identity from those who would use it for illegal or malicious purposes. The chances of this actually happening on our campus are likely low. However, as long as the possibility exists, we must provide a solution to protect against it.

Another driving force behind Purple Air has been students’ dislike of having to log in to the wireless network through the captive web portal. Purple Air, once configured on a laptop, will automatically connect wireless users to the network. It will behave very much like a computer plugged into a wired network, albeit slower at times, depending on proximity to an access point. The only time a person should be asked to log back in is when their password expires or is manually changed. Windows users will then have to reinstall the software utility we have provided on our Purple Help support page. Please visit http://purplehelp.williams.edu for detailed information about this exciting new change and how to use it.

Load Balancing

When an organization reaches the breaking point of having too much web traffic for one web server to handle, the solution is to have multiple back end web servers dole out the requests. The problem then becomes how to make these multiple servers look and act like one server to the end user (that would be you). The answer is…wait for it…Load Balancing.

“David, what does a load balancer do?”, you ask. Well, assume you, as the end user, are browsing http://www.williams.edu. You aren’t actually talking directly to the back end web server. You’re talking to the load balancer, which, in turn, talks to the back end web servers.

Here are the gory details on how it works. Topologically speaking, the load balancer sits between the end user (you) and the back end web servers. It performs three main functions:

  1. Monitoring the back end servers.
  2. Accepting website requests from the end user (still you).
  3. Routing the end user traffic (yup, from you) to an available server.

On a periodic basis (usually every ten seconds), the load balancer sends a request to each back end server. If the back end server responds quickly, the load balancer decides it is healthy and can accept traffic. If the back end server doesn’t respond at all (not unlike my two children), the load balancer will not route any end user traffic to it. If the back end server is slow to respond, the load balancer may or may not route end user traffic to it, depending on how it’s set up.

There are many methods that can be used to tell the load balancer how to route traffic to the back end servers. It can send the same number of requests to each healthy server; it can send the request to the server with the fewest open connections; or it can send it to the server that responds the fastest.
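The health monitoring and the three routing methods just described, as an added example that is not code from the original article or from any load balancer OIT runs: a toy balancer that classifies each back end from its last probe as healthy, slow or down, and then routes by round robin, fewest open connections or fastest response. The timeout and slowness thresholds, server names and probe results are constructed, and whether a slow server still receives traffic is a configuration switch, as the text says.

```python
from dataclasses import dataclass
HEALTH_TIMEOUT = 2.0   # seconds; no reply within this means "down"
SLOW_THRESHOLD = 0.5   # seconds; slower than this means "slow"

@dataclass
class Backend:
    name: str
    probe_time: "float | None"    # None = no reply to the last health probe
    open_connections: int = 0
    status: str = "unknown"

class LoadBalancer:
    def __init__(self, backends, method="round_robin", route_to_slow=False):
        self.backends, self.method, self.route_to_slow = backends, method, route_to_slow
        self.rr = 0  # round-robin cursor
    def health_check(self):
        # The periodic probe: classify each back end by how it answered.
        for b in self.backends:
            if b.probe_time is None or b.probe_time > HEALTH_TIMEOUT:
                b.status = "down"
            elif b.probe_time > SLOW_THRESHOLD:
                b.status = "slow"
            else:
                b.status = "healthy"
    def eligible(self):
        allowed = {"healthy", "slow"} if self.route_to_slow else {"healthy"}
        return [b for b in self.backends if b.status in allowed]
    def pick(self):
        # Route one request with the configured method; return the server's name.
        pool = self.eligible()
        if not pool:
            raise RuntimeError("no back end server is accepting traffic")
        if self.method == "round_robin":
            chosen = pool[self.rr % len(pool)]
            self.rr += 1
        elif self.method == "least_connections":
            chosen = min(pool, key=lambda b: b.open_connections)
        else:  # "fastest": lowest probe response time
            chosen = min(pool, key=lambda b: b.probe_time)
        chosen.open_connections += 1
        return chosen.name

def make_backends():
    # Constructed probe results: web2 never answered, web3 answered slowly.
    return [Backend("web1", 0.10, 5), Backend("web2", None, 0),
            Backend("web3", 0.80, 2), Backend("web4", 0.05, 9)]

def simulate(method, route_to_slow=False, requests=3):
    lb = LoadBalancer(make_backends(), method, route_to_slow)
    lb.health_check()
    return [lb.pick() for _ in range(requests)]
```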

Most of the load balancers in the marketplace now do far more than just load balancing. For instance, they can perform the encryption and decryption required for SSL (Secure Sockets Layer) requests, which removes that work from the web servers themselves. Some load balancers can even route requests to different servers based upon what’s being requested.

Dave Parks

Dave Parks doing a load balancer impression.