[OPLINTECH] Wireless Internet

Nathan Eady eady at galion.lib.oh.us
Mon Aug 4 13:36:54 EDT 2008


"Michelle Sidle" <msidle at pauldingcountylibrary.org> writes:

> Hello Everyone,
>
>    I am curious as to how libraries who provide wireless access for
> their patrons manage the security of their system.

There are several relevant things in place:

 1. The wireless access point is on the patron network, which is
    separated from the staff network (where the ILS lives) by a
    firewall, which does not forward unsolicited traffic inbound
    (except to certain services, chiefly the web catalog).  So
    if a patron hooks up with a computer that is infected with a
    worm or somesuch, the staff network should be protected
    (unless the worm exploits one of the services we are running
    on purpose, in which case we'd be vulnerable to such traffic
    from anywhere on the internet, as well).

 2. Our entire network, including the patron network, which includes
    the wireless network, is also separated from the outside world by
    a firewall.  This is not foolproof (because, among other things,
    patron systems are potentially still vulnerable to each other), but
    I consider it to be a worthwhile precaution.
    
 3. The outer firewall only forwards approved traffic from patron
    systems -- chiefly the things necessary for web access (ports 
    53, 80, 443).  Anything not expressly permitted is dropped by
    default.

 4. Traffic going out to the outside world from the patron network
    uses a different public IP address from most other traffic.
    The outer firewall arranges this.

There's another thing I'm thinking of looking into, but haven't
implemented yet...

 5. I'd like to use traffic control to prioritize certain essential
    traffic (e.g., our web catalog, DNS lookups) and then enforce a
    fair sharing of remaining available bandwidth between computers.
    However, I haven't yet identified a queuing discipline designed to
    promote fair sharing on a per-computer level.  Stochastic Fairness
    Queuing (SFQ), for example, operates on a per-session level, which
    would give an unfair advantage to multi-session traffic (e.g.,
    peer-to-peer filesharing), which is undesirable.  
    
    There's also the matter of asymmetry: most traffic is asymmetrical,
    typically consuming more downstream bandwidth than upstream, but
    we only have access to our end of the bottleneck (the T1), so we
    can't directly shape the downstream traffic.  (To do that, we'd
    have to be able to operate traffic control on the OPLIN side of
    the connection; if that's currently an option, I'm not aware of
    it.)  So nothing we do would be perfect.  But it's something I
    want to look into, preferably *before* our wireless access usage
    increases to the point where it can saturate our T1.  (Speaking
    of which, I really ought to get a bandwidth study done again one
    of these months and see how fast it's been increasing.)

> At the main library, we have a wireless access manager that allows
> patrons to use their library card to access the internet. The system
> is secured and we have reports that tell us who was on the
> connection and the length of time they were on as well. This works
> great but it is costly.

We don't really have anything like that.  I admit, it would be nice to
be able to easily count how many different patrons were using the
thing in any given time period.  But so far we haven't implemented
anything like that.

-- 
Nathan Eady
Galion Public Library
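The four measures in the reply above, as an added example that is not part of the original message and not Galion's actual configuration: an iptables ruleset for a Linux box sitting between the outside world, the staff network and the patron network. Interface names (eth0/eth1/eth2), the private address ranges, the catalog host 192.168.10.5 and the two public addresses from the 203.0.113.0/24 documentation range are all assumed placeholders; `DRY_RUN=1` prints the rules instead of applying them, which is also how the check at the bottom works.

```shell
#!/bin/sh
# Added example, not the poster's configuration: an iptables ruleset for the
# four measures described in the reply (patron/staff separation with only the
# web catalog reachable, outer firewall with default drop, patrons limited to
# ports 53/80/443, and a separate public address for patron traffic).
# Interface names, address ranges and the catalog host below are assumed.
# With DRY_RUN=1 the rules are printed instead of applied.

WAN_IF=${WAN_IF:-eth0}                 # assumed: interface towards the T1
STAFF_IF=${STAFF_IF:-eth1}             # assumed: staff network, where the ILS lives
PATRON_IF=${PATRON_IF:-eth2}           # assumed: patron network, incl. the wireless AP
STAFF_NET=${STAFF_NET:-192.168.10.0/24}     # assumed private ranges
PATRON_NET=${PATRON_NET:-192.168.20.0/24}
CATALOG_HOST=${CATALOG_HOST:-192.168.10.5}  # assumed: web catalog server on the staff side
STAFF_PUBLIC_IP=${STAFF_PUBLIC_IP:-203.0.113.10}    # assumed (documentation range)
PATRON_PUBLIC_IP=${PATRON_PUBLIC_IP:-203.0.113.11}  # assumed: patron NAT address

# Print the command under DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_ruleset() {
    # Default deny: nothing is forwarded unless a rule below permits it.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING

    # Replies belonging to connections already allowed may pass in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Measure 1: patrons reach the staff side only for the web catalog, so an
    # infected patron machine cannot probe anything else over there.
    run iptables -A FORWARD -i "$PATRON_IF" -o "$STAFF_IF" -d "$CATALOG_HOST" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$PATRON_IF" -o "$STAFF_IF" -j DROP

    # Measure 3: patron traffic to the outside world is limited to DNS and web.
    run iptables -A FORWARD -i "$PATRON_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$PATRON_IF" -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$PATRON_IF" -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$PATRON_IF" -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT

    # Measure 2: the staff side may go out; unsolicited inbound traffic from the
    # outside hits the DROP policy, except for the published web catalog.
    run iptables -A FORWARD -i "$STAFF_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$STAFF_PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$CATALOG_HOST"
    run iptables -A FORWARD -i "$WAN_IF" -o "$STAFF_IF" -d "$CATALOG_HOST" -p tcp --dport 80 -j ACCEPT

    # Measure 4: patron and staff traffic leave under different public addresses,
    # so patron activity is attributable to its own address rather than the staff one.
    run iptables -t nat -A POSTROUTING -s "$PATRON_NET" -o "$WAN_IF" -j SNAT --to-source "$PATRON_PUBLIC_IP"
    run iptables -t nat -A POSTROUTING -s "$STAFF_NET" -o "$WAN_IF" -j SNAT --to-source "$STAFF_PUBLIC_IP"
}

# Sanity check on a printed ruleset (stdin): how many rules accept traffic from
# the patron interface into the staff network?  Exactly one (the catalog) is expected.
patron_to_staff_accepts() {
    grep -c -- "-i $PATRON_IF -o $STAFF_IF .* -j ACCEPT"
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  DRY_RUN=1; apply_ruleset ;;
    check) DRY_RUN=1; apply_ruleset | patron_to_staff_accepts ;;
esac
```

Run it as `sh firewall.sh show` to review the rules before `sh firewall.sh apply`; `check` prints the number of patron-to-staff accept rules, which is the quick way to notice that a later edit opened more of the staff network than intended.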


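Point 5 of the reply, as an added example that is not part of the original message and not something the poster had deployed: a tc(8) script that gives DNS and the web catalog an HTB priority class and then shares the rest between computers rather than between sessions. The per-computer part uses the Linux `flow` classifier to pick the SFQ bucket from the patron host's address alone, so a machine with many connections (peer-to-peer, for instance) competes as one flow. It also shows the usual workaround for the asymmetry the poster describes: shaping the egress of the patron-facing interface at a rate slightly under the T1 moves the downstream queue onto the library's own box, which is approximate (TCP senders back off; a UDP flood still crosses the T1). Interface names, the 1400 kbit total, the 20 % reservation for essential traffic and the catalog address 192.168.10.5 are assumed; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a tc(8) setup for point 5 of
# the reply.  HTB gives DNS and the web catalog priority over bulk traffic, and
# the bulk SFQ is hashed on the patron host's address via the "flow" classifier
# instead of the per-connection 5-tuple, so one machine gets one share no matter
# how many sessions it opens.  Interfaces, rates and the catalog address are
# assumed; DRY_RUN=1 prints the commands instead of applying them.

# Print the command under DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# setup_shaping DEV TOTAL_KBIT HOSTKEY [CATALOG_HOST]
#   DEV         interface whose *egress* is shaped
#   TOTAL_KBIT  a little under the bottleneck (a T1 is ~1544 kbit), so the queue
#               builds here instead of at the far end of the link
#   HOSTKEY     "src" on the WAN interface (upstream: patron = source),
#               "dst" on the patron interface (downstream: patron = destination);
#               "nfct-src"/"nfct-dst" would look through NAT if needed
setup_shaping() {
    dev=$1; total_kbit=$2; hostkey=$3; catalog=${4:-}
    prio_kbit=$((total_kbit * 20 / 100))      # assumed split: 20 % guaranteed to essentials
    bulk_kbit=$((total_kbit - prio_kbit))

    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${total_kbit}kbit" ceil "${total_kbit}kbit"
    # 1:10 essential traffic, served first; 1:20 everything else; both may borrow up to the total.
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${prio_kbit}kbit" ceil "${total_kbit}kbit" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk_kbit}kbit" ceil "${total_kbit}kbit" prio 1
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10

    # Per-computer fairness: the flow classifier on the bulk SFQ derives the bucket
    # from the host address only, so all of one machine's sessions share one bucket.
    run tc filter add dev "$dev" parent 20: handle 1 flow hash keys "$hostkey" divisor 1024

    # Essentials into 1:10: DNS in either direction, plus the catalog's HTTP replies.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip sport 53 0xffff flowid 1:10
    if [ -n "$catalog" ]; then
        run tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
            match ip src "$catalog"/32 match ip sport 80 0xffff flowid 1:10
    fi
}

case "${1:-}" in
    apply|show)
        [ "$1" = show ] && DRY_RUN=1
        # Upstream: what leaves towards the T1 (assumed eth0); patron hosts are the source.
        setup_shaping eth0 1400 src
        # Downstream approximation: what leaves towards the patron LAN (assumed eth2);
        # patron hosts are the destination, and the catalog (assumed address) gets priority.
        setup_shaping eth2 1400 dst 192.168.10.5
        ;;
esac
```

`sh shaping.sh show` lists the commands for both interfaces; `tc -s class show dev eth2` after `apply` shows how much of the total each class is actually using, which doubles as the bandwidth study the poster mentions wanting to repeat.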
