Wireless Getting Started


Wireless Networking at LBNL


Wireless Overview

Berkeley Lab offers a secured, encrypted wireless service on the internal lbl.gov network, and a separate on-site visitor wireless network that constitutes the lbnl.us Internet domain.

The visitor network is an "open", non-authenticated, unencrypted wireless network, connected to the Internet (via ESnet) and logically external to the Lab’s lbl.gov network perimeter DMZ. From the perspective of the Lab’s internal lbl.gov network, devices connected to the visitor wireless network are treated as if they were on a commercial ISP or any other external location (i.e., outside the Lab perimeter).

The employee network on the internal lbl.gov internet domain offers a secure, encrypted connection to the local network of the building where the access point is located. Traffic on the employee network is treated as any other traffic on the lbl.gov domain.

Policies

Who Can Use Wireless

Anyone physically on-site (within range of an Access Point) may use the wireless network.
  • The wireless network is intended for use by both Berkeley site staff and affiliates.
  • For casual visitors, it is the usual means of Internet access (persons without a Berkeley Lab ID are not permitted to use the wired network without explicit permission from a Berkeley Lab employee).
  • For staff, it is a convenience network, primarily used for applications such as email, calendaring, etc. while in conference rooms and with mobile devices.
  • Permanent equipment like desktop computers, and mission critical equipment such as business systems or scientific applications, should not be operated on the wireless network.

Acceptable Use of Wireless

Acceptable Use of the wireless network includes:
  • Job-related activities
  • Incidental personal use (unless use is explicitly forbidden; see below)
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.

Unacceptable Use of Wireless

Activities that constitute "unacceptable use" include, but are not limited to, the following:
  • Use for personal gain, lobbying, or unlawful activities such as fraud, embezzlement, theft, or gambling
  • Use of resources to create, download, view, store, copy, or transmit sexually explicit materials or images
  • Unauthorized entry into or tampering with computers, networks, or other information resources
  • Use of resources in a manner intended to, or likely to result in, damage to any system, database, or intended official use (e.g., distributing viruses)
  • Misusing or forging e-mail or tampering or gaining unauthorized access to the Laboratory's e-mail system
  • Use of e-mail to give the impression that the user is representing, giving opinions, or otherwise making statements on behalf of the Laboratory unless appropriately authorized (explicitly or implicitly) to do so
  • Use of resources in connection with conduct or activities prohibited by Laboratory policy (e.g., fabrication, falsification, or plagiarism in proposing, conducting, or reporting research; unauthorized disclosure of Laboratory proprietary information) or use in violation of applicable copyright or patent law.
  • Unauthorized use of resources on behalf of outside organizations or any use that conflicts with or is inconsistent with Laboratory information resources policies or procedures
  • Use of resources to store, manipulate, or remotely access any national security information, including, but not limited to, classified information, unclassified controlled nuclear information (UCNI), and naval nuclear propulsion information (NNPI)
  • Any use that violates applicable federal or state laws or regulations.
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.

No User-Installed Wireless Equipment

All wireless systems at Berkeley Lab must be approved and operated by the IT Division's Network and Telecommunications Department. No one else may install wireless networking equipment, such as wireless access points. Monitoring is in place to detect 'rogue' access points. Any that are found will be immediately removed from the network and confiscated, and the offending Division's management notified.

No VirtualBox bridged networking

Bridge-mode networking for VirtualBox virtual machines on wireless networks is unsupported until further notice. This non-standard option has been linked to a DHCP client bug that is disruptive to all wireless users, and it has been disabled by blocking DHCP requests on the wireless networks from clients whose MAC address starts with "08:00:27" (the prefix VirtualBox assigns to VM network adapters by default). VirtualBox users are advised either to reconfigure their bridge-mode VM network to use NAT, or to use the wired network if bridging is necessary.
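The block below is an added illustration of the kind of filter described in the paragraph above; it is not the Lab's own filter (which runs on the network equipment) and is not code from this page. It parses a DHCP message per RFC 2131, pulls the client hardware address (chaddr) out of the fixed header, and drops client requests whose OUI is 08:00:27. The two DHCPDISCOVER packets it checks are constructed in the block itself, not captured traffic.

```python
import struct

# Client MAC prefix (OUI) that the page says is blocked for DHCP on wireless:
# 08:00:27 is the default prefix VirtualBox assigns to VM adapters.
BLOCKED_OUIS = {bytes.fromhex("080027")}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP/DHCP header and the TLV options (RFC 2131)."""
    if len(packet) < 240:
        raise ValueError("too short to be a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    chaddr = packet[28:28 + hlen]            # ciaddr..giaddr occupy bytes 12..28
    if packet[236:240] != MAGIC_COOKIE:      # sname (64) + file (128) end at byte 236
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                        # pad option, no length byte
            i += 1
            continue
        if code == 255:                      # end option
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {
        "op": op, "htype": htype, "xid": xid, "flags": flags,
        "chaddr": chaddr,
        "type": MSG_TYPES.get(msg_type, f"UNKNOWN({msg_type})"),
        "options": options,
    }


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def filter_decision(packet: bytes) -> str:
    """Return 'drop' if a client request carries a blocked OUI, else 'pass'."""
    msg = parse_dhcp(packet)
    if msg["op"] != 1:                       # BOOTREQUEST only; server replies are not filtered
        return "pass"
    if msg["chaddr"][:3] in BLOCKED_OUIS:
        return "drop"
    return "pass"


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER for the demo (constructed sample, not a capture)."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=len(mac), hops=0, broadcast flag set
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)
    header += b"\x00" * 16                              # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")                    # chaddr, padded to 16 bytes
    header += b"\x00" * (64 + 128)                      # sname, file
    options = (MAGIC_COOKIE
               + bytes([53, 1, 1])                      # option 53: message type DISCOVER
               + bytes([61, 1 + len(mac), 1]) + mac     # option 61: client id = htype + MAC
               + bytes([255]))                          # end
    return header + options


if __name__ == "__main__":
    for label, mac in [("VirtualBox VM", bytes.fromhex("080027aabbcc")),
                       ("laptop", bytes.fromhex("001122334455"))]:
        pkt = build_discover(mac)
        msg = parse_dhcp(pkt)
        print(f"{label:13} {mac_str(msg['chaddr'])} {msg['type']:8} -> {filter_decision(pkt)}")
```

Note that an OUI match is a nuisance control, not a security control: the filter keys on the client-supplied chaddr, and a VM's MAC address is freely changeable (for example with VBoxManage modifyvm --macaddress1), so this block only stops the unmodified default configuration that the page says triggers the DHCP client bug.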

Wireless Security

Considerations on the "Open" Visitor Network:

Berkeley Lab’s visitor wireless network is an "open", unauthenticated, and unencrypted network. As with other open public wireless networks, all connections to Berkeley Lab’s visitor wireless network should be considered insecure, as unencrypted wireless technology inherently affords no protection against traffic snooping by other devices within RF range. When using Berkeley Lab’s visitor wireless network, one must exercise the same precautions one would apply when using an open wireless network in any off-site public place.
When using the secured employee wireless network, traffic is encrypted over the air to protect it against snooping within RF range. Note that this protects only the wireless link, not the rest of the path; application-level protection (HTTPS, SSH, VPN) is still the appropriate safeguard for sensitive traffic on either network.

Firewall and Perimeter Security

There is a firewall at the lbnl.us network perimeter, which limits traffic to and from lbnl.us. It is important to understand that although one is physically on-site when connected to the visitor wireless network, one is "outside" the Lab with respect to network traffic to and from lbl.gov.

This has security and functional implications while you are connected to the visitor wireless network. Any lbl.gov network resources (e.g., web servers) that are restricted to "internal" access (i.e., within the lbl.gov domain) will not be accessible from the visitor wireless network, despite being physically on-site. Network services that are blocked at the lbl.gov perimeter are blocked for the visitor wireless network as well; for example, Microsoft file shares on lbl.gov cannot be accessed from the visitor wireless network (unless VPN is used).

The lbl.gov perimeter defenses apply equally to the wireless networks. For example, a wireless computer attempting to scan lbl.gov will be blocked (both from reaching lbl.gov and from reaching the Internet). Traffic monitoring and intrusion detection are performed on the wireless networks: within the networks, between wireless and lbl.gov, and between wireless and the Internet.

Wireless Access Point (WAP) Installation Requests

IEEE 802.11a/b wireless LANs may be requested by sending email to the LBLnet Services Group: LBLnet@lbl.gov
To best serve you and to expedite your request, we ask that you send a key plan marked up to indicate which building areas require wireless coverage. From this we will be able to provide you with a cost and time estimate.
All wireless installations are charged on a time-and-materials basis. Cost estimates are available here.

Using lbnl.us Wireless

Network Services & Protocols Supported and Not Supported

The wireless network only allows limited types of traffic between wireless and other networks, which restricts the applications that can be used. However, most commonly used personal computer applications are supported, and the restrictions primarily limit inappropriate behavior.

Supported and unsupported services are summarized below.

Internet to Wireless

Inbound TCP connections from the Internet to lbnl.us are generally not allowed. Accordingly, applications intended to serve Internet clients, such as web servers, cannot be operated on the wireless network.

Wireless to Berkeley Lab lbl.gov

TCP traffic from wireless to lbl.gov is subject to a default-deny policy (from the lbl.gov perspective), with specific exceptions for the following services, which are allowed:
  • Web: http/80 and https/443
  • Email
  • Calendar
  • SSH
  • LDAP and LDAPS
  • Novell
  • Printing: JetDirect and the LPD printer protocol
  • FTP
  • Jabber
  • Appleshare
  • Windows Remote Desktop
  • Timbuktu
  • Cisco VPN
  • Finger
  • RTSG

Wireless to Internet traffic

There are currently no static restrictions on traffic from wireless to the Internet at large (except to lbl.gov as above).
However, note that all such traffic is fully monitored for unacceptable use and subject to both automated and manual reactive measures, such as blocking individual hosts at the wireless perimeter.
If you have questions about these services, please see the Contact section of this document.

Coverage

Wireless coverage is not ubiquitous across the Berkeley site. Wireless access is installed as requested by clients. As of 2009, approximately 58% of the Lab’s buildings have wireless coverage.

Supported Conference Rooms

Please Note: Effective 1 October 2005, the only conference rooms supported by LBL Overhead funds are: Wireless networking in all other locations will be supported on a Time & Materials basis.
For help with any of these networks, please call the help desk for support. (x4357)

Finding the Wireless Network

Berkeley Lab wireless network access points broadcast their SSID, which helps clients find and attach to the wireless network. A list of access points and the locations served is available here. Note that on the open visitor network any device within range can advertise the same SSID, so the network name alone does not prove that you are attached to a Lab access point.

IP Addressing on Wireless

All end-user IP addresses on the Wireless network are provided via DHCP. Static wireless addresses will not be assigned to users.

Smartphone and Tablet Configuration

For instructions on configuring your smartphone or tablet for wireless connectivity please click here.

Client Computer Configuration

It is very important that wireless computers be properly configured. Misconfigured computers can not only fail to provide you with network connectivity, but can also disrupt the smooth functioning of other people’s wireless computers and devices. Be a considerate wireless citizen and make sure you follow these configuration guidelines.
  • Bridging must be turned off or disabled.
    In Windows XP, open Network Connections and right-click the wireless adapter. Check whether it is part of a network bridge; if so, remove it from the bridge or disable the bridge.
  • Do not set the Network Type to 'Ad hoc.'
    In Windows XP, open Network Connections, right-click the wireless adapter > Properties > Wireless Networks tab > Advanced, and select 'Access point (infrastructure) networks only'.
  • Mac laptops: do not use the computer-to-computer network setting.
    Under System Preferences > Network > AirPort > Network Name, do not use the "Create Network" option. If you have enabled this option, you may disable it by using the "Join Other Network" option or by turning off AirPort.

Help and Support Contacts

If you have a problem with, or general question about, wireless connectivity and usage, you should contact the Berkeley Lab IT Help Desk at extension 4357 (HELP), via email at help@lbl.gov, or on the web at http://www.lbl.gov/help

Note that the wireless network is a secondary service. There is no off-hours technical support, and during business hours, support for Berkeley Lab’s internal lbl.gov network always has precedence.

If you have a question specifically related to cyber security, such as wireless firewall policy, you may contact the Computer Protection Program (CPP) group directly via email at cppm@lbl.gov

You may also contact the LBLnet Services Group, who maintain and operate the wireless infrastructure. Email us at lblnet@lbl.gov for more information.

