Wireless Network Standard

Version 2011.07.14

The Auraria Cooperative Technology Committee

STANDARDS MANUAL 

 

–  DIVISION V  –

 

AURARIA WIRELESS NETWORK PLANNING AND DESIGN DOCUMENT

FOR

PROJECT MANAGERS, ARCHITECTS, CONTRACTORS 

AND

NETWORK PROFESSIONALS

 

Author

ACTC Wireless Sub-Committee

ACTC Wiring Standards Sub-Committee

 


Table of Contents

 

1.      OVERVIEW

2.      SCOPE

3.      ACCESS POINT STANDARDS

4.      SITE RADIO SURVEYS

5.      LOGICAL RADIO CELL LAYOUT

6.      ROAMING

7.      SERVICE LEVELS

8.      SHARED NETWORK SECURITY

9.      PERMANENT PHYSICAL INSTALLATION

10.     REPEATERS

11.     ACTC PRIVATE WIRELESS NETWORKS

12.     THIRD PARTY (NON ACTC MEMBER) PRIVATE WIRELESS NETWORKS

13.     REQUEST FOR CHANGES

14.     ADDENDUM

 

 

1.      Overview

1.1.   This living document provides guidelines for the construction of an expandable multi-institutional wireless network at the Auraria Campus. It can and will be amended as necessary.

1.2.   All Auraria campus persons, departments and/or institutions considering the implementation of any wireless equipment/systems must first coordinate with their respective IT departments on all planning, engineering, purchasing, installation, operation, troubleshooting and maintenance issues.

2.      Scope

2.1.   Deployment of wireless LANs based on the IEEE 802.11 wireless LAN networking standard.

3.      Access point standards

3.1.   All access points, bridges, and client adapters must be compliant with internationally recognized standards and certified for interoperability.

3.2.   The FCC, with its action in ET Docket 96-8, has adopted a safety standard for human exposure to radio frequency (RF) electromagnetic energy emitted by FCC-certified equipment. Access points must meet the uncontrolled environment limits found in OET Bulletin 65 and ANSI C95.1-1991.

3.3.   Remotely configurable and manageable through a static IP address, including the ability to disable remote access.

3.4.   Must be the FCC (North America) regulatory version.

3.5.   Indoor use considerations

3.5.1.      Must comply with city and county building and fire ordinances.

3.6.   Outdoor use considerations

3.6.1.      Weatherproofing.

3.6.2.      Physical security that prevents tampering yet remains accessible to network personnel.

3.6.3.      Electrical power that complies with safety ordinances for outdoor use.

4.      Site radio surveys

4.1.   Radio surveys are performed with a normal number of people and furnishings present in the coverage area.

4.2.   Design phase

4.2.1.      Determine and document the optimum placement and utilization of networking components so as to maximize range, coverage, and network performance.

4.2.2.      Identify and document radio frequencies already in use that may interfere with the intended wireless operation, or with which the intended operation may interfere.

4.3.   Implementation phase

4.3.1.      During construction, a radio survey is performed to fine tune the implementation.

4.3.2.      Actual radio coverage is documented. 

5.      Logical radio cell layout

5.1.   Each coverage area shall require approval by the ACTC.

5.2.   The ACTC will decide which Auraria institution will monitor and manage each coverage area.

5.3.   Coverage cells shall be controlled to blanket the coverage area but not overlap into areas that will cause interference.

5.4.   Where multiple cells are used:

5.4.1.      Each cell should use a frequency (channel), or set of channels, that does not interfere with neighboring cells.

5.4.2.      Cells should be part of the same logical LAN subnet in order to provide roaming capabilities.

6.      Roaming

6.1.   Consistent subnet addressing and free mobility are required only within a designated coverage area.

6.2.   Movement between coverage areas may break long-lived application connections; this is acceptable.

7.      Service levels

7.1.   Recommended: a wireless client should be able to receive wireless data at a rate of 2 Mb/s or more from any wireless service location when it is the only client accessing the network.

7.2.   Recommended: a wireless client should typically be able to receive wireless data at a rate of at least 500 Kb/s from any wireless service location when the network is in use by other clients as well.

7.3.   Recommended: the wireless network should be available 99.7% of the time during the hours the coverage area is normally accessible.

7.4.   “Auraria Campus” will be used as the SSID for general campus access.

7.5.   The SSID “Auraria Campus” will be publicly beaconed/broadcast.

7.6.   Private wireless networks are to use an SSID other than “Auraria Campus”.

 

8.      Shared network security

8.1.   Each institution providing wireless access will provide centralized client DHCP services and a unique private address space.

8.2.   Data passing in or out of the private address space will be through an NTSL certified firewall.

8.3.   Must allow basic connectivity for all institutionally approved wireless clients without the need for add-in software to be installed.

8.4.   No WEP key will be used for general access. The general-access SSID is therefore open: traffic is not encrypted over the air, and clients must rely on application-layer encryption (HTTPS, SSH) or a VPN (8.5.6, 8.6) for confidentiality.

8.5.   Network services to each client will be limited to:

8.5.1.      TCP port 80 (web access).

8.5.2.      TCP port 443 (secure web access).

8.5.3.      DNS (Domain Name Service).

8.5.4.      Outbound FTP.

8.5.5.      Outbound ICMP.

8.5.6.      VPN services through PPTP, L2TP, and IPsec.

8.5.7.      SSH (TCP port 22).

8.5.8.      Blackboard (WebCT).

8.5.9.      MetroConnect.

8.5.10.  Open ports:

8.5.10.1.              From client to:

8.5.10.1.1.     140.247.54.120, TCP port 8182 (mazur-www.harvard.edu)

8.5.10.1.2.     209.133.74.95, TCP port 2304 (WebCT)

8.5.10.1.3.     209.133.125.23, TCP port 8443 (safeAssign.com)

8.5.10.1.4.     66.151.128.0/24, TCP port 2222 (alpia.com economics online course)

8.5.10.2.              From client to Auraria Visual Resources (Luna Insight application):

8.5.10.2.1.     128.138.128.136, TCP ports 3072 and 8083

8.5.10.2.2.     128.138.128.137, TCP ports 8380, 2840, and 3082

8.5.10.2.3.     128.138.128.138, TCP port 1935

8.5.10.2.4.     128.138.128.229, TCP ports 2840 and 3072

8.5.10.3.              From client to subnet 147.153.0.0/16 (MSCD MetroConnect):

8.5.10.3.1.      TCP ports 9256, 9257, 8008, 6785, 6788, 6777

8.5.10.4.              From client to Auraria Library server 132.194.83.247 (envrejq):

8.5.10.4.1.      UDP ports 137 (nbname), 138 (nbdatagram)

8.5.10.4.2.      TCP ports 139 (nbsession), 445 (CIFS), 6970-6999, 30000-30499, 21326

8.5.10.5.              From client to the institution's DHCP/DNS server (the RADIUS ports permitted depend on each institution's RADIUS solution):

8.5.10.5.1.      TCP ports 53 (DNS), 1645 (RADIUS auth) [UCD], 1646 (RADIUS acct) [UCD], 1812-1813 (RADIUS) [MSCD]

8.5.10.5.2.      UDP ports 67 (BOOTP/DHCP), 53 (DNS), 1645 (RADIUS auth) [UCD], 1646 (RADIUS acct) [UCD], 1812-1813 (RADIUS) [MSCD]

8.5.10.6.              From client to anywhere:

8.5.10.6.1.       IP protocols 47 (GRE), 50 (AH), 51 (ESP), 53 (SKIP) [UCD], 1 (ICMP), 17 (UDP; listed for traceroute, but note that IP protocol 17 is all UDP traffic, not only traceroute probes)

8.5.10.6.2.      UDP ports 1701 (L2TP), 10000 (Cisco VPN), 500 (IKE), 4500 (NAT-T)

8.5.10.6.3.      TCP ports 1723 (PPTP), 500 (IKE), 4500 (NAT-T), 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS)

8.5.10.7.              From client to subnet 132.194.0.0/16 (UCD only):

8.5.10.7.1.      TCP port 515 (LPD)

8.5.10.8.              From client … to Gmail server 74.125.127.0:

8.5.10.8.1.      TCP port 993 (IMAP over SSL)

8.5.10.9.              From client to outside:

8.5.10.9.1.      Bonjour: UDP port 5353 and TCP port 5354

8.6.   VPN services will be provided by the clients’ sponsoring institution or through a private entity.
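The allow-list in 8.5 is easiest to review when it is written down as data and checked mechanically rather than read rule by rule. The following Python is an added example and is not part of the ACTC standard or of any institution's firewall configuration: it transcribes the 8.5.10 entries into a rule table and evaluates constructed sample flows against it with a default-deny outcome. The address used for the institution's DHCP/DNS/RADIUS server (10.0.0.53), the sample flows, and the function names are assumptions. The transcription deliberately leaves out the "IP protocol 17" entry of 8.5.10.6.1, because protocol 17 is UDP itself and allowing it to anywhere would make every per-port UDP rule in the list redundant; surfacing that kind of discrepancy is what the evaluator is for.

```python
"""Evaluator for the ACTC shared-wireless allow-list in section 8.5.

Added example, not part of the ACTC standard. The rule table is transcribed
from the section 8.5 port list; the institution DHCP/DNS/RADIUS address
(10.0.0.53) and all sample flows are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network   # destination host or subnet
    proto: str                   # "tcp", "udp", or "ip" (raw IP protocol number)
    ports: FrozenSet[int]        # allowed ports, or protocol numbers for "ip"
    note: str


def _r(dst, proto, ports, note):
    return Rule(ipaddress.ip_network(dst), proto, frozenset(ports), note)


# Assumed address of the institution's DHCP/DNS/RADIUS server (8.5.10.5).
INSTITUTION_SERVER = "10.0.0.53"

RULES = [
    # 8.5.10.6: from the client to anywhere. IP protocol 17 (UDP) from the
    # original list is left out: allowing it wholesale would override every
    # per-port UDP rule below.
    _r("0.0.0.0/0", "ip", {47, 50, 51, 53, 1}, "GRE/AH/ESP/SKIP/ICMP to anywhere"),
    _r("0.0.0.0/0", "udp", {1701, 10000, 500, 4500}, "L2TP/Cisco VPN/IKE/NAT-T to anywhere"),
    _r("0.0.0.0/0", "tcp", {1723, 500, 4500, 21, 22, 80, 443},
       "PPTP/IKE/NAT-T/FTP/SSH/HTTP/HTTPS to anywhere"),
    # 8.5.10.9: Bonjour to outside.
    _r("0.0.0.0/0", "udp", {5353}, "Bonjour mDNS"),
    _r("0.0.0.0/0", "tcp", {5354}, "Bonjour"),
    # 8.5.10.1: named application servers.
    _r("140.247.54.120", "tcp", {8182}, "mazur-www.harvard.edu"),
    _r("209.133.74.95", "tcp", {2304}, "WebCT"),
    _r("209.133.125.23", "tcp", {8443}, "safeAssign.com"),
    _r("66.151.128.0/24", "tcp", {2222}, "alpia.com economics course"),
    # 8.5.10.2: Auraria Visual Resources (Luna Insight).
    _r("128.138.128.136", "tcp", {3072, 8083}, "Luna Insight"),
    _r("128.138.128.137", "tcp", {8380, 2840, 3082}, "Luna Insight"),
    _r("128.138.128.138", "tcp", {1935}, "Luna Insight"),
    _r("128.138.128.229", "tcp", {2840, 3072}, "Luna Insight"),
    # 8.5.10.3: MSCD MetroConnect subnet.
    _r("147.153.0.0/16", "tcp", {9256, 9257, 8008, 6785, 6788, 6777}, "MetroConnect"),
    # 8.5.10.4: Auraria Library server; NetBIOS/CIFS is confined to this one host.
    _r("132.194.83.247", "udp", {137, 138}, "Library NetBIOS name/datagram"),
    _r("132.194.83.247", "tcp",
       {139, 445, 21326} | set(range(6970, 7000)) | set(range(30000, 30500)),
       "Library CIFS and media ports"),
    # 8.5.10.7: UCD printing.
    _r("132.194.0.0/16", "tcp", {515}, "LPD (UCD only)"),
    # 8.5.10.8: Gmail IMAP over SSL.
    _r("74.125.127.0", "tcp", {993}, "Gmail IMAPS"),
    # 8.5.10.5: institution DHCP/DNS/RADIUS (address assumed). The standard
    # lists the RADIUS ports under TCP as well as UDP; transcribed as written.
    _r(INSTITUTION_SERVER, "udp", {67, 53, 1645, 1646, 1812, 1813}, "DHCP/DNS/RADIUS"),
    _r(INSTITUTION_SERVER, "tcp", {53, 1645, 1646, 1812, 1813}, "DNS/RADIUS over TCP"),
]


def evaluate(dst_ip: str, proto: str, number: int) -> Tuple[bool, str]:
    """Decide whether a client-originated flow is permitted.

    proto is "tcp" or "udp" with number as the destination port, or "ip" with
    number as the IP protocol number. Anything unmatched is denied, the
    default-deny posture that section 8.5 implies.
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.proto == proto and dst in rule.dst and number in rule.ports:
            return True, rule.note
    return False, "default deny"


def ports_open_to_anywhere(proto: str) -> FrozenSet[int]:
    """Ports of the given transport reachable at any destination: the part of
    the policy that deserves the closest review."""
    out = set()
    for rule in RULES:
        if rule.proto == proto and rule.dst.prefixlen == 0:
            out |= rule.ports
    return frozenset(out)


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    samples = [
        ("8.8.8.8", "tcp", 443),            # HTTPS anywhere: allowed
        ("8.8.8.8", "tcp", 445),            # SMB to the Internet: denied
        ("132.194.83.247", "tcp", 445),     # SMB to the library server: allowed
        ("132.194.10.10", "tcp", 445),      # SMB elsewhere in UCD space: denied
        ("132.194.10.10", "tcp", 515),      # LPD in UCD space: allowed
        ("8.8.8.8", "udp", 33434),          # UDP traceroute probe: denied
        ("8.8.8.8", "ip", 50),              # ESP: allowed
    ]
    for dst, proto, num in samples:
        allowed, why = evaluate(dst, proto, num)
        print(f"{dst:>16} {proto:<3} {num:>5} -> {'ALLOW' if allowed else 'DENY '} ({why})")
    print("TCP open to anywhere:", sorted(ports_open_to_anywhere("tcp")))
```

Because the list contains only permits, rule order does not affect the outcome; what matters is that the final answer for any unmatched flow is a denial, and that the "to anywhere" rules are reviewed separately from the host-scoped ones, since a port opened to one library server (445) is a very different exposure from the same port opened to the Internet.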

 

9.      Permanent physical installation

9.1.   Compliant with state building codes for fire and electrical.

9.2.   Electrical considerations need to be addressed either near the access point or in the closet.

9.3.   Open ceiling.

9.3.1.      Data-only jacks.

9.3.1.1.   Jack type and data cable run to telecommunications closets.

9.3.1.1.1.      Within 20’ of the access point mount location.

9.3.1.1.2.      At least 9’ high.

9.3.1.1.3.      Accessible.

9.3.1.1.4.      Conduit installed in the exposed area.

9.3.1.1.5.      Same as ACTC Network Construction Standards section 2.4.

9.3.2.      Access point mounting.

9.3.2.1.   Within 20’ of data jack placement.

9.3.2.2.   At least 9’ high.

9.3.2.3.   Secured to a ‘hard’ point or suspended from a ceiling structure anchor point.

9.3.2.4.   Unit will be secured in a lockable enclosure.

9.3.2.5.   Inconspicuous location.

9.3.2.6.   Tamper resistant.

9.3.3.      Cable run from data jack to access point.

9.3.3.1.   Inconspicuous color (e.g., black or grey, whichever blends into the surroundings).

9.3.3.2.   Plenum-rated cabling.

9.3.3.3.   Secured at least every 5’.

9.3.3.4.   Cable type is the same as ACTC Network Construction Standards section 2.4.1.

9.3.4.      Antenna mounting.

9.3.4.1.   Inconspicuous location.

9.3.4.2.   Tamper resistant.

9.3.4.3.   At least 9’ high.

9.3.4.4.   Secured to a ‘hard’ point or suspended from a ceiling structure anchor point.

9.3.4.5.   Type of antenna will vary according to the application and building characteristics.

9.4.   False ceiling.

9.4.1.      Data-only jacks.

9.4.1.1.   Jack type and data cable run to telecommunications closets.

9.4.1.1.1.      Within 20’ of the access point mount location.

9.4.1.1.2.      At least 1’ above the ceiling.

9.4.1.1.3.      Accessible.

9.4.1.1.4.      Conduit installed in the exposed area.

9.4.1.1.5.      Same as ACTC Network Construction Standards section 2.4.

9.4.2.      Access point mounting.

9.4.2.1.   Within 20’ of data jack placement.

9.4.2.2.   Unit will be secured in a lockable enclosure.

9.4.2.3.   At least 1’ above the ceiling grid.

9.4.2.4.   Secured to a ‘hard’ point or suspended from a ceiling structure anchor point.

9.4.2.5.   Inconspicuous location.

9.4.2.6.   Tamper resistant.

9.4.3.      Cable run from data jack to access point.

9.4.3.1.   Cable runs are suspended at least 1’ above the ceiling grid.

9.4.3.2.   Plenum-rated cable.

9.4.3.3.   Cable type is the same as ACTC Network Construction Standards section 2.4.1.

9.4.4.      Antenna mounting.

9.4.4.1.   Inconspicuous location.

9.4.4.2.   Tamper-resistant location.

9.4.4.3.   At least 9’ high.

9.4.4.4.   Secured to a ‘hard’ point or suspended from a ceiling structure anchor point.

10.  Repeaters

10.1.                    An access point need not be connected to a wired network if doing so is cost prohibitive or otherwise untenable. If an access point receives its data feed from another nearby access point, the mounting provisions above for access points and antennas still apply. Power may be supplied by an external source, such as a power cube.

 

11.  ACTC Approved, Member Supported Private Wireless Networks

11.1.                    ACTC private wireless systems and areas shall not be promoted as being accessible by the general public.

11.2.                    ACTC approved institutional supported coverage areas shall take precedence over all third party private wireless network areas.

11.2.1.  As institutional support migrates into new areas, any established or existing third party wireless solutions must be decommissioned.

11.3.                    All ACTC private wireless systems must be registered with, and approved for operation by, the ACTC.

12.  Third Party (Non-ACTC Approved/Institutional Supported) Wireless Networks

12.1.                    No third party wireless network shall be deployed. All wireless networks must be reviewed and approved by ACTC.  (See sections 5 and 11)

12.2.                    Any unapproved wireless network will be shut down.

13.  Requests for changes to the list of approved network services and security ports can be made either in person at the ACTC subcommittee meetings or by email to the subcommittee email list, actc-standards-sub@lists.mscd.edu.

13.1.                    The institution requesting the change needs to state the purpose of the request and how it expects the rule to be used (e.g., "We would like all client computers to be able to use Google mail over IMAP with SSL: from client to Gmail server, TCP port 993.").

13.2.                    The other institutions will review the request with their security teams and provide feedback, approval, or denial of the request within 5 business days.

13.3.                    If an institution does not reply, this will be deemed approval to proceed with the request.

13.4.                    Once the request is approved, each institution will work within its own change management model to get the change implemented. (This could take up to a month for an internal change to be implemented.)

13.5.                    The change will be added to this document. 
 

14.  Addendum