April, 2003

LBNL Security

Wireless 101: Balancing Security and Usability

By Ted Sopher Jr., LBLnet Services Group Lead

It's clear that there is confusion out there about the Lab's current wireless network policy. This article is intended to clarify the key points of that policy and to explain the factors leading to them.

To begin our walk through the cactus garden of LBNL's wireless policy, it is important to understand the primary and immutable implementation requirements, which include both security and usability. Security is a must and is intended to protect the Lab's internal computers and IT infrastructure. Usability means that users of the wireless local area networks (WLANs) enjoy efficient support and simple access. The latter is very important, as ease of use is critical for the value of wireless to be realized.

To ensure security and interoperability of wireless communications systems at the Lab, LBNL policy requires that all Wireless Access Points (which provide wireless service to a specific area) must be installed and managed by LBLnet, the group responsible for the Lab's networks. Lab groups that have installed their own wireless systems should contact the LBLnet Services Group to have the retrofitting of these systems assessed. ITSD will work with groups to ensure that a well-planned and as-painless-as-possible conversion takes place.

This policy maintains both security and ease of use by accomplishing two things: (1) the prevention of outside access and (2) simple wireless host configuration. Luckily, Berkeley Lab has a fairly large perimeter that naturally prevents people outside the Lab from accessing LBNL's WLANs. This means that the radio frequency (RF) levels radiating from our WLANs are sufficiently low to prevent access by people outside the Lab perimeter using standard retail WLAN hardware. This allows LBNL to run our WLAN without special host configuration and in a manner that is low risk.
This is not true of sites such as the Berkeley Tower building and other offsite buildings that lack large perimeters to protect against unauthorized access. Moreover, since our wireless implementation does not provide a 100 percent guarantee against unauthorized access, we have placed our WLANs outside of LBLnet. This means that even if someone were able to access our wireless network, they would not gain access to our primary Lab computer network. As a result, some (not all) internal LBNL IT services are simply unavailable when connected to wireless.

If a user requires access to an IT service that is not natively accessible via wireless, there is an alternative. The Lab provides a "software VPN" (virtual private networking) that can now be used to facilitate access to IT services. The LBNL software VPN is sufficiently robust to make access via DSL- and cable-based ISP connections safe and acceptable.

Here are key points regarding the Lab's wireless policy:
That's it in a nutshell.
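The segmentation the article describes (wireless clients kept outside the internal network, with the software VPN as the only path back in) can be expressed as a small ordered, first-match filtering policy. The Python below is an added example, not code from LBLnet or the article; the address ranges, the VPN gateway address and the VPN ports (IKE/NAT-T) are constructed assumptions, since the article names none of them. It models the rules a firewall between the wireless segment and the internal network would enforce, and shows two details the prose leaves implicit: rule order matters (the gateway's non-VPN ports must be denied before the general "wireless to the outside world" allow), and a wireless client cannot reach another VPN client's tunnel address directly, because that pool sits inside the internal range.

```python
"""Model of the wireless/internal segmentation described in the article.
Added example with constructed addressing; not LBNL's real network layout."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed ranges (assumptions for the example, not the Lab's real addressing).
WLAN_NET = ip_network("192.0.2.0/24")      # wireless clients, outside the internal net
INTERNAL_NET = ip_network("10.0.0.0/8")    # internal Lab network (hypothetical)
VPN_GATEWAY = ip_address("198.51.100.10")  # VPN endpoint the wireless side may reach
VPN_POOL = ip_network("10.255.0.0/16")     # addresses assigned to authenticated VPN clients
VPN_PORTS = {("udp", 500), ("udp", 4500)}  # IKE/NAT-T; assumed, the article names no protocol


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the filter between the segments."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def src_ip(self) -> IPv4Address:
        return ip_address(self.src)

    @property
    def dst_ip(self) -> IPv4Address:
        return ip_address(self.dst)


Rule = Tuple[str, Callable[[Flow], bool], str]

# Ordered, first-match rules. The explicit deny for the gateway's other ports
# must come before the general "wireless to anywhere else" allow, otherwise
# management ports on the gateway would be reachable from the wireless side.
RULES: List[Rule] = [
    ("wlan-to-vpn-gateway",
     lambda f: f.src_ip in WLAN_NET and f.dst_ip == VPN_GATEWAY
     and (f.proto, f.dport) in VPN_PORTS, "allow"),
    ("wlan-to-vpn-gateway-other",
     lambda f: f.src_ip in WLAN_NET and f.dst_ip == VPN_GATEWAY, "deny"),
    ("wlan-to-internal",
     lambda f: f.src_ip in WLAN_NET and f.dst_ip in INTERNAL_NET, "deny"),
    ("wlan-to-outside",
     lambda f: f.src_ip in WLAN_NET, "allow"),
    ("vpn-client-to-internal",
     lambda f: f.src_ip in VPN_POOL and f.dst_ip in INTERNAL_NET, "allow"),
]
DEFAULT: Rule = ("default-deny", lambda f: True, "deny")


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, rule name) for the first rule that matches the flow."""
    for name, predicate, verdict in RULES + [DEFAULT]:
        if predicate(flow):
            return verdict, name
    raise AssertionError("unreachable: the default rule always matches")


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Decide a batch of flows; handy for reviewing a proposed rule set."""
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    samples = [
        Flow("192.0.2.20", "10.1.2.3", 22),                 # wireless -> internal ssh
        Flow("192.0.2.20", "198.51.100.10", 4500, "udp"),   # wireless -> VPN gateway
        Flow("192.0.2.20", "198.51.100.10", 22),            # wireless -> gateway ssh
        Flow("192.0.2.20", "203.0.113.5", 443),             # wireless -> the internet
        Flow("10.255.3.4", "10.1.2.3", 22),                 # VPN client -> internal ssh
        Flow("192.0.2.20", "10.255.3.4", 22),               # wireless -> VPN client
    ]
    for flow, verdict, rule in evaluate(samples):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict:5}  ({rule})")
```

The model decides on source addresses, so it only holds where the filter sits at the router between the wireless segment and the internal network and the wireless segment cannot forge internal source addresses past it; that placement is what "outside of LBLnet" buys. Every verdict is returned with the name of the rule that produced it, which is what you want logged when reviewing denied flows from the wireless side.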