University network disruption caused by my airport extreme router? Is that possible?

Discussion in 'Mac Accessories' started by PDE, Feb 2, 2010.

  1. PDE macrumors 68020

    Joined:
    Nov 16, 2005
    #1
    I've lived in an apartment for the past year that is connected directly to our university network. I have an airport extreme router that I've tried to set up responsibly with no SSID broadcast, WPA2 with extremely difficult password, transmission power set to 25% etc. It has also been set to 'share a public IP address' and everything has so far worked smoothly.

    Recently, however, all apartments in the complex received letters saying that there had been disruptions on the network and that it was most likely due to wifi routers -- which are NOT permitted. If we temporarily disregard that ban, is it possible that my router is causing any disruption? And, if so, what could I do differently to ensure that it does not?

    I've tried setting it to bridge mode, but that does not work at all. We are allowed to register 10 MAC addresses and I have registered all my devices, but in bridge mode none of them can connect. As I understand it, in bridge mode the university servers are distributing IP addresses to devices that are registered on the network -- is that correct? Then what could be the reason for bridge mode not working if my devices were registered properly?

    My main question is whether my router could be causing problems with the above setup?

    Any advice or ideas would be greatly appreciated, but please let's not get into a discussion about whether it's ok to use a wireless router when it's not permitted...

    Cheers!
     
  2. johnnj macrumors 6502a

    Joined:
    Dec 11, 2008
    Location:
    Not here
    #2
    Many organizations prohibit rogue access points, and if your school's IT department states that WAPs are not allowed and you're doing it anyway, then that's what your AP is. Your best intentions and careful configuration of your AP are irrelevant. The rule is the rule. The reason why such a policy would be in place is because improperly configured WAPs can create security vulnerabilities and/or impact the functionality of the network.

    In order to enforce this policy, many places will implement rules on the managed switches that provide end user connectivity which will make it difficult or impossible for rogue WAPs to function.

    Your best bet is to contact your IT group and request that they deploy an AP to your location or that they approve you installing your own according to their AP configuration standard.

    John
     
  3. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #3
    Thank you for your input. And that was exactly what I was hoping to not get into since the question is technological, not ethical or anything else.

    My question is whether my router would be able to cause problems given my configuration? There are lots of wireless access points being used all over the place here and I would like to know if mine can be causing the problem.

    Obviously, I'm not going to contact the IT department since wireless devices are not allowed...
     
  4. johnnj macrumors 6502a

    Joined:
    Dec 11, 2008
    Location:
    Not here
    #4
    I never commented on whether what you intend to do is right or wrong. This part of my post was actually technical:

    "In order to enforce this policy, many places will implement rules on the managed switches that provide end user connectivity which will make it difficult or impossible for rogue WAPs to function."

    As a corporate IT director who has authored similar policies and has in the past directed my staff to implement technical roadblocks to limit the ability of end users to install rogue access points, I have some experience in these matters.

    Good luck with your endeavor. If your classmates have succeeded in overcoming these measures, then you might want to consult with them.

    Have a nice day.

    John
     
  5. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #5
    My airport router is functioning perfectly, as far as I know. I'm just trying to understand whether my router, as it is configured, would be capable of disrupting the network services in any way. And I'm not referring to the security issues that may be a result of inadequate security configuration of the router.

    I don't have any classmates because I'm not a student. Besides, as I've written before, the issue is not that I'm having problems connecting with my router, but whether the settings I'm using (especially the share a public IP setting) are capable of disrupting or causing any problems on the network.

    If my router settings are capable of causing problems for the larger network, I will stop using it and just get a private ISP. My personal view is that since so many people are breaking the rules and using wireless devices - and indeed since wireless devices are a major component of today's digital world -- it would be in the university's interest to provide guidance as to how people should configure their devices properly. This is similar to not giving condoms to teenagers because they're not 'supposed to' be having sex -- it's better to accept and help/monitor than to live in denial.


    Anyway...
     
  6. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #6
    Network security is a huge issue with rogue access points. Why does that not count?
     
  7. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #7
    It's not that it doesn't count: of course it does, but that's not the issue here. I'm an adult and have made the decision to break the rules by using a wireless access point. You may or may not agree with that decision, but that's what I'm doing. If, however, my router is capable of causing interruptions to the network the way the letter we received suggests (it was addressed to all tenants, not just me), then I will reconsider my decision to break the rules.

    I wrote in here in order to understand, by asking people who know more about routers and networking than I do, whether my router can cause disruptions in the wider network by being configured the way I've configured it. I'm thinking mainly about the settings that have to do with different modes - bridge vs share single IP vs distribute IP. I'm not talking about security because that's not what the letter was about -- it was about the network going down and the blame being put on wireless devices.

    I deliberately wanted to avoid getting into the discussion about whether what I'm doing is okay or not since it's a discussion that is irrelevant at this point. My question is purely technical right now.
     
  8. jampat macrumors 6502a

    Joined:
    Mar 17, 2008
    #8
    Assuming your router security is the same level of security as the rest of their network, I couldn't see your AP causing any upstream problems. I understand the policy they have, as you have introduced something they cannot control that is a potentially vulnerable point. It may not be, but they have no way of enforcing compliance with security standards, so they just enforce no AP.

    It could cause a problem with their official wireless APs (if they exist). If you have an apartment building full of people with APs there will be a ton of interference that will limit people's ability to connect to any official wireless APs.

    In summary, technically it is unlikely you are causing a problem, but as they can't enforce security (just way too complicated to even try to tell people the hardware and settings they must use and ensure compliance), they must enforce no uncontrolled APs.

    EDIT: The network disruptions they are talking about could be due to high traffic (or malicious attacks) on unsecured access points causing problems, I doubt the problem is the actual AP itself.
     
  9. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #9
    The letter was about

    If an unauthorized wireless network allowed an attacker behind whatever university firewall they have in place and installed malicious software, that's a security issue brought about by a technical one. It's hard to separate the two, and in the eyes of a sysadmin there's no difference. I'm guessing something like this happened unless you can get clarification on what "disruptions" occurred. It's not about what's right and what's wrong, it doesn't really matter.

    Your access point probably isn't the problem, but in my experience the warning letter is just a precursor to a larger crackdown. They might actually start enforcing whatever policy they have against unauthorized wireless devices, in which case it doesn't matter how well your device is configured.
     
  10. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #10
    Thank you, Jampat. That was exactly what I was trying to understand -- whether it can cause upstream problems or some other kind of conflict with the network. Whether my router is as secure as the rest of the network is probably the next question... and I can imagine that it probably isn't, even if I tried to limit any kind of access to the best of my limited understanding.

    I understand that it's a difficult situation for IT people and that part of the problem is that it's impossible to control what people do. I remember last year, I noticed a new access point that was wide open. I opened Apple AirPort Utility and they hadn't even bothered to password protect that, so I had total access. At the same time, when googling my problem this morning I noticed that quite a few university networks do allow wifi routers and offer solid and appropriate guidelines to make sure people configure them properly. Some IT departments also offer to set things up if somebody doesn't know how to configure their router. That makes more sense to me, but obviously needs additional resources to set up.

    Anyway, thank you again.
     
  11. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #11

    Thanks. Yes, I think you're right that they might start enforcing their policies.

    Since you have a lot of experience in this area, how do those universities/organisations that allow wireless routers deal with security adequately? For example, I noticed that Columbia had a page on configuring wireless routers. Do they just accept that there will be more security breaches, or are there things IT departments can do to minimise risk to the whole network when people start plugging in wireless devices?
     
  12. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #12
    Looks like Columbia only officially allows pre-configured wireless routers that are installed by the university IT people, which cuts down on a lot of the misconfiguration and security issues. In your case, since you seem to know what you're doing with regard to configuration, etc. this probably wouldn't matter too much. But for the average freshman they're apt to just plug in their device and have an unprotected access point behind the firewall which is generally bad.

    Oh, now that I remember... there are cases in which misconfigured routers can intercept requests for IP addresses... meaning you can get an IP from the rogue router which isn't an actual gateway. This means you wouldn't be able to connect to the outside world and would just be looking at the router. Rarer these days, but it's happened.
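
The rogue address-assignment case described in post #12 can be spotted from the network side by checking which server each DHCP offer claims to come from. The following is an added example, not part of the original thread: it parses DHCP payloads and flags DHCPOFFER messages whose server identifier (option 54) is not on an allowlist. The function names, the allowlist and all addresses are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 3, 53, 54, 2

def parse_dhcp(payload):
    """Return (yiaddr, options) for a BOOTP/DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                 # truncated option
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return str(ipaddress.IPv4Address(payload[16:20])), opts

def find_rogue_offers(payloads, authorized_servers):
    """Flag DHCPOFFERs whose server identifier (option 54) is not authorized."""
    findings = []
    for yiaddr, opts in filter(None, map(parse_dhcp, payloads)):
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or len(opts.get(OPT_SERVER_ID, b"")) != 4:
            continue
        server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
        if server not in authorized_servers:
            router = opts.get(OPT_ROUTER, b"")[:4]      # first router if several are listed
            findings.append({"server": server, "offered": yiaddr,
                             "router": str(ipaddress.IPv4Address(router)) if len(router) == 4 else None})
    return findings

def build_offer(server, offered, router):
    """Construct a minimal DHCPOFFER payload (sample data for this example only)."""
    pkt = bytearray(236)
    pkt[0:3] = bytes([2, 1, 6])                         # op=BOOTREPLY, htype=Ethernet, hlen=6
    pkt[16:20] = ipaddress.IPv4Address(offered).packed  # yiaddr: the address being offered
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    return bytes(pkt) + MAGIC_COOKIE + opts + b"\xff"

# Constructed sample: one offer from the campus server, one from a home router's LAN-side DHCP.
SAMPLE = [build_offer("10.20.0.1", "10.20.5.77", "10.20.0.254"),
          build_offer("192.168.1.1", "192.168.1.23", "192.168.1.1")]
AUTHORIZED = {"10.20.0.1"}
```
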
     
  13. PDE thread starter macrumors 68020

    Joined:
    Nov 16, 2005
    #13
    They actually seem to allow students to configure their routers themselves as part of a limited pilot program (http://www.columbia.edu/acis/networks/expressreshalls.html), but I think the idea of selling pre-configured routers seems very smart and forward-thinking. I mean, that's a positive and proactive way to encourage people to configure their routers properly.

    Cheers,
    PDE
     
