| 1. | The need for a wireless networking policy |
| 1.1 | The major problem with wireless networks, and the main reason for this policy, is related to their open nature. People often don't realise, for example, how far their wireless network extends beyond the confines of their building; the propagation characteristics of radio waves mean there is limited control over where the signal associated with a wireless network is accessible from. This leads to a situation where, unlike wired networks, a hacker or malicious user can manipulate or eavesdrop on the network from uncontrolled locations, possibly beyond the geographic boundaries of the University, which were not intended to be served when the network was implemented. |
| 1.2 | Wireless networks can also create "backdoors" to wired networks. Rhodes, like many organisations, takes extensive measures to protect the integrity of its wired network and the data it contains. This includes the use of various levels of firewalls and access controls, virtual private networks, and other security-enhancing technologies. A single unauthorised or badly configured wireless access point connected to the University's wired network has the potential to create a "backdoor" to the wired network, circumventing network security and thereby allowing a hacker to effortlessly bypass the restrictions that would normally be in place to limit the damage they can do. |
| 1.3 | This policy seeks to clarify the provisions of sections 6.3 and 6.5.1 of the University's Acceptable Use Policy with respect to wireless networks and wireless capable devices. |
| 2. | Scope of the policy |
| 2.1 | This policy applies to all "wireless capable" devices owned by the University, attached to any part of the University's network, or operated on any part of the University's campus. It should be interpreted such that it has the widest application. In particular, references to the Information Technology Division should, where appropriate, be taken to include departmental or other system managers responsible for the provision of a computing or communication service. |
| 2.2 | A wireless capable device is one that can make use of radio frequency transmissions to connect to a local area Internet Protocol network. This network may or may not be connected to Rhodes' wired network infrastructure. It includes, but is not limited to, devices conforming to the IEEE 802.11 (WLAN) and 802.15 (Bluetooth) series of specifications. |
| 2.3 | The use of commercially available wireless services operating in a licensed frequency band to connect to a value added network services provider (such as the use of VSAT or GPRS through a cellular telephone), provided they operate in isolation from Rhodes' local area network, is specifically excluded from this definition and by implication from this policy. In these cases other provisions in the acceptable use policy may still apply. |
| 2.4 | In cases where this policy makes specific reference to features provided by the 802.11 specification, it is assumed that devices making use of other technologies will use the equivalent features in their technology. In the event of uncertainty about a particular technology (for example where no comparable features exist) queries regarding the interpretation of this policy with respect to other wireless technologies should be addressed to the Information Technology Division. |
| 3. | General provisions |
| 3.1 | All wireless capable devices must be approved by ICASA or its nominee for use in South Africa. This includes obtaining an appropriate radio frequency licence or specific exemption from licensing (such as type approval). Devices should only be operated within the bounds of their licensing or type approval. |
| 3.2 | All wireless capable devices connected to or making use of Rhodes' network infrastructure should be registered with the Information Technology Division. Such registrations should indicate whether the device is a wireless access point, bridge or client. |
| 3.3 | All wireless clients connecting to the University's network should associate with an access point and all access points should operate in 802.11 "infrastructure" mode. No 802.11 "ad-hoc" or informal networks are to be connected to the University's network. |
| 3.4 | Service Set IDs (SSIDs) and network names, whether broadcast in beacon frames or not, must be approved by the Information Technology Division prior to being used on Rhodes' campus. Once registered as per paragraph 3.2, SSIDs may not be altered without the approval of the Information Technology Division. |
| 3.5 | Channel/frequency allocation on wireless access points and devices should be done so as to minimise interference with other wireless services on campus. In general, devices with the ability to automatically select the best channel should be configured to use this feature. However, it may be necessary to consult with the Information Technology Division to determine what channels are available in a particular area. |
| 3.6 | Wireless devices should be configured to make use of the minimum possible radio transmission power in order to achieve their objective and coverage area. |
| 3.7 | All wireless access points used on campus should conform to a set of minimum specifications as published from time to time by the Information Technology Division. These specifications are intended to maintain the security and interoperability of wireless devices on campus. |
| 3.8 | No access to the University's financial, human resources, student records or other sensitive data will be made available via wireless access. This includes, where applicable, departmental records. |
| 3.9 | Any exceptions to the general provisions set out above must be approved by the Director of Information Technology. |
| 4. | Peer-to-peer and personal area networks |
| 4.1 | Temporary peer-to-peer, personal area or "ad-hoc" networks may be created provided: |
| 4.1.1 | they do not interfere with other wireless services provided by the University; |
| 4.1.2 | they do not connect to the University's network in any way; |
| 4.1.3 | they comply with general provisions 3.1, 3.4—3.6 and 3.8; |
| 4.1.4 | they are for personal use. |
| 4.2 | Provided that the SSID contains the user's Rhodes username in an easily distinguishable way, no specific approval is required for such networks. |
| 4.3 | Since "ad-hoc" networks provide little in the way of access controls, anyone creating such a network should be aware that they may be exposing the entire contents of their computer to anyone within range of their network. As such, users should take appropriate precautions to ensure that no sensitive or confidential information (such as exam papers or financial records) is made available in this way. |
| 5. | Temporary hot spots |
| 5.1 | It is sometimes necessary to set up additional wireless access points for testing purposes or to handle unusual demands (for example during conferences). In these instances it is permissible to create temporary wireless "hot spots" provided that, in addition to the general requirements set out above, they meet the following criteria: |
| 5.1.1 | The temporary hot spot, as well as any access points or other wireless infrastructure used in its creation, may not operate for a period in excess of two weeks. It is intended that this provision is used for short term, once off installations rather than for ongoing, ad-hoc type arrangements. |
| 5.1.2 | No wireless infrastructure may be permanently affixed. |
| 5.1.3 | All access points and wireless clients making use of the hot spot shall make use of some form of standards-based encryption. At a minimum, this means that the use of Wired Equivalent Privacy (WEP) should be an enforced, mandatory requirement for clients connecting to an access point. |
| 5.1.4 | In addition to the constraints imposed by paragraph 3.4, the SSID advertised by the hot spot must be unique and differ from any SSID in use for permanent installations. |
| 5.2 | Users of any network subnet temporarily hosting a wireless hot spot should be made aware of the privacy implications of hosting such a hot spot on their subnet. This could be done, for example, by sending e-mail to an appropriate distribution list. |
| 6. | Permanent installations |
| 6.1 | The wireless network will be logically segregated from the wired network and subject to specific access controls. For this reason it is necessary to consult with the Information Technology Division prior to installing access points in order to ensure that the supporting network infrastructure is capable of such segregation. Users planning wireless installations should be aware that not all parts of the University's network are capable of such segregation. |
| 6.2 | In order to ensure that wireless access points are correctly configured and able to inter-operate with the University's network, all access points should be installed and maintained by, or in consultation with, the Information Technology Division. |
| 6.3 | All permanent wireless installations shall be configured in accordance with a set of guidelines and best practices published from time to time by the Information Technology Division. These guidelines will cover topics such as network naming, IP address allocation, encryption and authentication. |
| 6.4 | All wireless clients must make use of appropriate, up-to-date anti-virus software. In addition, the use of personal firewall software on wireless clients is highly recommended. |
| 6.5 | Users should be aware of the privacy concerns relating to wireless networks and should take extra care to ensure that sensitive information (such as passwords or exam papers) is not transmitted over the wireless network. |
| 7. | Research networks |
| 7.1 | It may occasionally be necessary to waive some of the provisions of this policy in order to provide facilities for experimentation with, or in order to conduct research into wireless networking as part of an approved course of study within the University. |
| 7.2 | Persons or departments wishing to conduct such experiments or research into wireless networking beyond the scope of this policy should approach the Information Technology Division for approval in terms of paragraph 3.9. Such approval shall not be unreasonably withheld. |
| 8. | Other considerations |
| 8.1 | Recognising that, in general, wireless networks provide significantly less bandwidth than their wired counterparts and that this bandwidth is shared amongst all users of a particular wireless access point, users should ensure that they are considerate in their use of the wireless network. This means, for example, that using the wireless network to stream high quality full motion video or for any other high-bandwidth application could be seen as a contravention of point 6.3 of the acceptable use policy. |
| 9. | Implementation and supervision of policy |
| 9.1 | The responsibility for the supervision of this policy is delegated to the Information Technology Division. A senior member of the Information Technology Division, normally the Network Manager, Systems Manager or their nominee, will be designated as the person responsible for the day to day management of the policy's enforcement. He/she will liaise with the Director of Information Technology as required. |
| 9.2 | Any suspected breach of this policy should be reported to a member of the Information Technology Division staff. The responsible senior member will then take the appropriate action within the framework provided by the acceptable use policy. Information Technology Division staff will also take action when infringements are detected in the course of their normal duties. |
| 9.3 | Any unapproved wireless capable device may be disabled or removed by the Information Technology Division. In this respect, any device that is misconfigured in such a way as to, in the opinion of the Information Technology Division, present a risk to the University's network shall be considered unapproved. |