Berkeley Lab offers secured wireless services on the internal lbl.gov network, and has a separate on-site visitor wireless network constituting the lbnl.us internet domain.
The visitor network is an "open", non-authenticated, unencrypted wireless network, connected to the Internet (via ESnet) and logically external to the Lab’s lbl.gov network perimeter DMZ. From the perspective of the Lab’s internal lbl.gov network, devices connected to the visitor wireless network are treated as if they were on a commercial ISP or at any other external location (i.e., outside the Lab perimeter).
The employee network on the internal lbl.gov internet domain offers a secure, encrypted connection to the local network of the building where the access point is located. Traffic on the employee network is treated as any other traffic on the lbl.gov domain.
Anyone physically on-site (within range of an Access Point) may use the wireless network.
Acceptable Use of the wireless network includes:
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.
Activities that constitute "unacceptable use" include, but are not limited to, the following:
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.
All wireless systems at Berkeley Lab must be approved and operated by the IT Division's Network and Telecommunications Department. No one else may install wireless networking equipment, such as wireless access points. Monitoring is in place to detect 'rogue' access points. If they are found they will be immediately removed from the network, confiscated, and offending Division management notified.
Bridge-mode networking for Virtualbox virtual machines on wireless networks is unsupported until further notice. This non-standard option has been linked to a DHCP client bug that is disruptive to all wireless users, and has been disabled by blocking DHCP requests on wireless networks with the client MAC addresses starting with "08:00:27". Virtualbox users are advised to either re-configure their bridge-mode VM network to use NAT, or to use the wired network if bridging is necessary.
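The block described above keys on the client hardware address of the DHCP request. The following is an added illustration of that check, not the Lab's own filter: it parses the fixed BOOTP header of a constructed DHCP request, extracts the chaddr field, and drops requests whose MAC begins with the 08:00:27 OUI (the assumption is that the filter inspects chaddr rather than the Ethernet source address).

```python
import struct

# OUI prefix the page says is blocked for DHCP on the wireless networks
# (VirtualBox's default MAC range for virtual adapters).
BLOCKED_OUIS = {"08:00:27"}

# BOOTP fixed header up to and including chaddr (44 bytes); sname (64) and
# file (128) follow, then the DHCP magic cookie at offset 236.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s")
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1


def client_hw_addr(packet: bytes):
    """Return the client hardware address (chaddr) of a BOOTREQUEST as a
    colon-separated string, or None if the packet is not a well-formed
    Ethernet DHCP request (wrong op, non-Ethernet htype/hlen, no cookie)."""
    if len(packet) < BOOTP_HEADER.size + 192 + 4:
        return None
    op, htype, hlen, _hops, _xid, _secs, _flags, _c, _y, _s, _g, chaddr = \
        BOOTP_HEADER.unpack_from(packet)
    if op != BOOTREQUEST or htype != 1 or hlen != 6:
        return None
    cookie_at = BOOTP_HEADER.size + 192
    if packet[cookie_at:cookie_at + 4] != DHCP_MAGIC:
        return None
    return ":".join(f"{b:02x}" for b in chaddr[:hlen])


def should_drop(packet: bytes) -> bool:
    """Policy from the page: drop DHCP requests whose client MAC starts
    with a blocked OUI. Malformed packets are left to the regular path."""
    mac = client_hw_addr(packet)
    return mac is not None and mac[:8] in BLOCKED_OUIS


def make_request(mac: bytes) -> bytes:
    """Build a minimal, constructed DHCPDISCOVER (BOOTREQUEST) for testing."""
    header = BOOTP_HEADER.pack(BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                               b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                               mac.ljust(16, b"\0"))
    # option 53 (message type) = 1 (DISCOVER), then end-of-options marker
    options = DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"
    return header + b"\0" * 192 + options
```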
Berkeley Lab’s visitor wireless network is an "open", unauthenticated, and unencrypted network. As with other open public wireless networks, all connections to Berkeley Lab’s visitor wireless network should be considered insecure, as unencrypted wireless technology inherently affords no protection against traffic snooping by other devices within RF range. When using Berkeley Lab’s visitor wireless network, one must exercise the same precautions one would apply when using an open wireless network in any off-site public place.
When using the secured, employee wireless network, traffic over the air is encrypted to offer protection against data snooping.
There is a firewall at the lbnl.us network perimeter, which limits traffic to and from lbnl.us. It is important to understand that although one is physically on-site when connected to the visitor wireless network, one is "outside" the Lab with respect to network traffic to and from lbl.gov.
This has security and functional implications while you are connected to the visitor wireless network. Any lbl.gov network resources (e.g. web servers) that are restricted to "internal" access (i.e., within the lbl.gov domain) will not be accessible from the visitor wireless network, despite being physically on-site. Network services that are blocked at the lbl.gov perimeter are blocked for wireless as well -- for example, Microsoft file shares on lbl.gov cannot be accessed from the visitor wireless network (unless VPN is used).
The lbl.gov perimeter defenses equally apply to the wireless networks. For example, a wireless computer attempting to scan lbl.gov will be blocked (both from reaching lbl.gov and from reaching the internet.) Traffic monitoring and intrusion detection are performed on the wireless networks – within the networks; between wireless and lbl.gov; and between wireless and the internet.
IEEE 802.11a/b wireless LANs may be requested by sending email to the LBLnet Services Group: LBLnet@lbl.gov
To best serve you and to expedite your request, we ask that you send a key plan marked up to indicate which building areas require wireless coverage. From this we will be able to provide you with a cost and time estimate.
The cost of all wireless installations is time and materials.
The wireless network only allows limited types of traffic between wireless and other networks, which effectively restricts the applications that can be used. However, most commonly used personal-computer applications are supported, and the restrictions primarily limit inappropriate behavior.
Supported and unsupported services are summarized below.
Inbound TCP connections from the Internet to lbnl.us are generally not allowed. Accordingly, applications intended to serve Internet clients, such as web servers, cannot be operated on the wireless network.
TCP Traffic from wireless to lbl.gov is subject to a default deny policy (from lbl.gov perspective), with specific exceptions for the following services, which are allowed:
There are currently no static restrictions on traffic from wireless to the Internet at large (except to lbl.gov as above).
However, note that all such traffic is fully monitored for unacceptable use and subject to both automated and manual reactive measures, such as blocking individual hosts at the wireless perimeter.
Berkeley Lab wireless network access points broadcast their SSID, which helps clients find and attach to the wireless network.
All end-user IP addresses on the Wireless network are provided via DHCP. Static wireless addresses will not be assigned to users.
For instructions on configuring your smartphone or tablet for wireless connectivity please click here.
It is very important that computers be properly configured. Misconfigured computers can not only fail to provide you with network connectivity, but can also disrupt the functioning of other computers and devices.
If you have a problem or question about wireless connectivity and usage, contact the Berkeley Lab IT Help Desk at (510)486-4357 or email help@lbl.gov.
Note that the wireless network is a secondary service. There is no off-hours technical support and during business hours, support for Berkeley Lab’s internal lbl.gov network always has precedence.
If you have a question specifically related to cyber security, such as wireless firewall policy, you may contact the Computer Protection Program (CPP) group directly via email at cppm@lbl.gov.