Wi-Fi Security at Greenspring

Encryption, Wi-Fi Protected Access (WPA), secure Internet protocol (https) and Firewalls; what does it all mean to Greenspring Residents.

Before the Erickson Wi-Fi system became operational we connected our computing devices to the Internet with a cable modem provided by AEITV. Signals from our devices left our apartments by wire and were relatively inaccessible to eavesdroppers. Now signals from our computing devices leave our apartments by radio waves and anyone in range with a suitable receiving device can intercepted them. If the eavesdropper is a bad guy he may be able to steal information from you. Fortunately the usable range of Wi-Fi is short, about the length of a Greenspring hallway and considerable less toward the outside of the building considering the blockage by walls and such. To protect our privacy the Erickson System provides added security by encrypting the radio wave signals and protecting access to the signals from our devices with ID and password authentication (WPA).1

It is highly unlikely that our neighbors are a threat and it is unlikely that a bad guy would park a van with a high gain antenna on campus to monitor our signals. The Wi-Fi security risk with the Erickson system is no different than the Wi-Fi security risk that those of us had with wireless routers connected to AEITV modems except that the wireless router was inside our apartment and had a somewhat shorter range. Wired access to the Internet is undoubtedly more secure than wireless but Wi- Fi with the WPA2 Enterprise security protocol that Erickson has provided on the GSV-Resident network is certainly more than adequate.

What then protects us on the Internet? - https and firewalls. Hypertext Transfer Protocol, (http) is the foundation of data communication for the World Wide Web and the Internet. Most http is not encrypted or secured however a form of http called Hypertext Transfer Protocol Secure (https) provides for secure communication over the Internet. It creates a secure encrypted channel that ensures protection from eavesdroppers and other bad guys. Connections made via https are used for payment transactions on the World Wide Web and other sensitive transactions such as those with a Broker or Bank. If you have made a secure connection to a web site the web address will start with https as the following address for Amazon does - https://www.amazon.com/. Some browsers will show an image of a lock. Newer browsers also prominently display the site's security information in the address bar. Be sure you have connected via https if you are providing private information to a web site.

The radio waves of the GSV-Portal network are not encrypted and information exchanged with devices connected to the Portal is subject to wireless eavesdropping albeit low risk in our Greenspring environment. Devices connected to the Portal are protected by a filter system that allows access to only you. The risk of harmful eavesdropping on the GSV-Portal is low. Devices like TiVo and Roku do not use information that demand wireless security however wireless printer security may concern some. Printing directly from a computer wired to a printer can eliminate printer risk for those that are uneasy with wireless. If you have traffic to https sites, be assured that is just as secure on GSV-Portal as it is on the GSV-Resident network.

Firewalls: In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted. Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components. In our AEITV service many of us had firewalls contained in our routers and some of us set up firewalls on individual computers.

Erickson has installed a strong firewall between the Greenspring PON and the Internet connection into the community thus blocking harmful traffic from the Internet much as our home firewalls did previously. The firewall uses Network Address Translation (NAT), a method of connecting multiple computers to the Internet using one IP address. Greenspring has 2 NAT IP addresses: 70.165.87.53 and 70.165.87.54 . The Internet never sees our individual IP addresses. NAT automatically provides firewall-style protection because it only allows connections that are originated inside Greenspring.

A NAT firewall does not protect against viruses, worms, Trojans and other Internet-borne nasties, however in addition to NAT an IDS/IPS (Intrusion Detection Sensor/Intrusion Protection Sensor) is in place on the Greenspring firewall. It has a database of known attacks and if it senses one coming from the Internet it will block the traffic from the offending site (IPS). If the attack is too new to recognize it may still recognize the pattern and send an alert to Erickson IT. Those usually happen with ‘Zero Hour’ attacks that spread too fast for security vendors to get out an update. Note that this does not replace virus software that you may have on your computer.

For most of us it probably is not necessary to set up additional firewalls however an additional local firewall on your home computer is an option but it may cause issues with file sharing (and similar services) if it is not properly setup. It would be wise to consult Erickson IT if you decide to incorporate such a firewall.

All in all the Greenspring Wi-Fi System is reasonably secure although not as secure as an encrypted home network with a firewall. Unless you have a devious neighbor skilled in computer science there is little risk.2

Good luck and happy computing. Bill Raymond

  1. Encrypted Wi-Fi only provides security of the radio waves between our computing devices and the Access Point in the hallway. From there it is on wire or fiber optic cable. The Wi-Fi WPA does not encrypt the information that we exchange with the Internet, most of which is unencrypted.
  2. The Erickson administrators have individualized and centralized control over access to the Wi-Fi network. User login can be modified or revoked by administrators at anytime. Note that in addition to the administrators, anyone with your login credentials can log into your GSV-Resident account in any building in Greenspring.