Berkeley Lab offers secured wireless services on the internal lbl.gov network, and has a separate on-site visitor wireless network constituting the lbnl.us internet domain.
The visitor network is an "open", non-authenticated, unencrypted wireless network, connected to the Internet (via ESnet) and logically external to the Lab’s lbl.gov network perimeter DMZ. From the perspective of the Lab’s internal lbl.gov network, devices connected on the visitor wireless network are treated like they were on a commercial ISP or any other external location (ie, outside the Lab perimeter).
The employee network on the internal lbl.gov internet domain offers a secure, encrypted connection to the local network of the building where the access point is located. Traffic on the employee network is treated as any other traffic on the lbl.gov domain.
The wireless network only allows limited types of traffic between wireless and other networks, effectively restricting applications that can be used. However, most commonly-used, personal computer applications are supported, and the restrictions primarily limit the inappropriate behavior.
Supported and unsupported services are summarized below.
Inbound TCP connections from the Internet to lbnl.us are generally not allowed. Accordingly, applications intended to serve Internet clients, such as web servers, cannot be operated on the wireless network.
Visitor Wireless is largely treated the same as the internet with regards to connections to Berkeley Lab address space. For more details on ports/protocols, including those which are permitted from Visitor Wireless but not from the internet, see the below Perimeter Protection document:
https://commons.lbl.gov/display/cpp/Perimeter+Protection
There are currently no static restrictions on traffic from wireless to the Internet at large (except to lbl.gov as above).
However, note that all such traffic is fully monitored for unacceptable use and subject to both automated and manual reactive measures, such as blocking individual hosts at the wireless perimeter.
All end-user IP addresses on the Wireless network are provided via DHCP. Static wireless addresses will not be assigned to users.
-
- Use Safari for this process, other browsers will not work
- Go to software.lbl.gov on your iOS device.
- Log in with your LDAP information.
- Search for "Wireless Networking LBNL-Employee profile".
- Download the software and enter information requested on each screen.
- Your connection profile will be added to the "Profiles" of your System Preferences".
- Bridging must be turned off or disabled.
- Do not set the Network Type to 'Ad hoc.'
- Mac laptops - Do not use the computer-to-computer network setting.
Using: System Preferences>Network>AirPort>Network Name. Do not use the "Create Network" option..If you have enabled this option, you may disable it by using the "Join Other Network" option or turning off Airport.
Anyone physically on-site (within range of an Access Point) may use the wireless network.
- The wireless network is intended for use by both Berkeley site staff and affiliates.
- For casual visitors, it is the usual means of Internet access (persons without a Berkeley Lab ID are not permitted to use the wired network without explicit permission from a Berkeley Lab employee)
- For staff, it is a convenience network, primarily used for applications such as email, calendaring, etc. while in conference rooms and with mobile devices.
- Permanent equipment like desktop computers, and mission critical equipment such as business systems or scientific applications, should not be operated on the wireless network.
Acceptable Use of the wireless network includes:
- Job-related activities
- Incidental personal use (unless use is explicitly forbidden; see below)
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.
Activities that constitute "unacceptable use" include, but are not limited to, the following:
- Use for personal gain, lobbying, or unlawful activities such as fraud, embezzlement, theft, or gambling
- Use of resources to create, download, view, store, copy, or transmit sexually explicit materials or images
- Unauthorized entry into or tampering with computers, networks, or other information resources
- Use of resources in a manner intended to, or likely to result in, damage to any system, database, or intended official use (e.g., distributing viruses)
- Misusing or forging e-mail or tampering or gaining unauthorized access to the Laboratory's e-mail system
- Use of e-mail to give the impression that the user is representing, giving opinions, or otherwise making statements on behalf of the Laboratory unless appropriately authorized (explicitly or implicitly) to do so
- Use of resources in connection with conduct or activities prohibited by Laboratory policy (e.g., fabrication, falsification, or plagiarism in proposing, conducting, or reporting research; unauthorized disclosure of Laboratory proprietary information) or use in violation of applicable copyright or patent law.
- Unauthorized use of resources on behalf of outside organizations or any use that conflicts with or is inconsistent with Laboratory information resources policies or procedures
- Use of resources to store, manipulate, or remotely access any national security information, including, but not limited to, classified information, unclassified controlled nuclear information (UCNI), and naval nuclear propulsion information (NNPI)
- Any use that violates applicable federal or state laws or regulations.
See the LBL RPM http://www.lbl.gov/Workplace/RPM/R9.01.html#_Toc162065214 for more details.
All wireless systems at Berkeley Lab must be approved and operated by the IT Division's Network and Telecommunications Department. No one else may install wireless networking equipment, such as wireless access points. Monitoring is in place to detect 'rogue' access points. If they are found they will be immediately removed from the network, confiscated, and offending Division management notified.
Bridge-mode networking for Virtualbox virtual machines on wireless networks is unsupported until further notice. This non-standard option has been linked to a DHCP client bug that is disruptive to all wireless users, and has been disabled by blocking DHCP requests on wireless networks with the client MAC addresses starting with "08:00:27". Virtualbox users are advised to either re-configure their bridge-mode VM network to use NAT, or to use the wired network if bridging is necessary.
Berkeley Lab’s visitor wireless network is an "open", unauthenticated, and unencrypted network. As with other open public wireless networks, all connections to Berkeley Lab’s visitor wireless network should be considered insecure, as unencrypted wireless technology inherently affords no protection against traffic snooping by other devices within RF range. When using Berkeley Lab’s visitor wireless network, one must exercise the same precautions one would apply when using an open wireless network in any off-site public place.
When using the secured, employee wireless network, traffic is encrypted to offer protection against data snooping.
There is a firewall at the lbnl.us network perimeter, which limits traffic to and from lbnl.us. It is important to understand that although one is physically on-site when connected to the visitor wireless network, one is "outside" the Lab with respect to network traffic to and from lbl.gov.
This has security and functional implications while you are connected to the visitor wireless network. Any lbl.gov network resources (e.g. web servers) that are restricted to "internal" access (ie, within lbl.gov domain) will not be accessible on the visitor wireless network, despite being physically on-site. Network services that are blocked at the lbl.gov perimeter will affect wireless as well -- for example, Microsoft file shares on lbl.gov cannot be accessed from the visitor wireless network (unless VPN is used.)
The lbl.gov perimeter defenses equally apply to the wireless networks. For example, a wireless computer attempting to scan lbl.gov will be blocked (both from reaching lbl.gov and from reaching the internet.) Traffic monitoring and intrusion detection are performed on the wireless networks – within the networks; between wireless and lbl.gov; and between wireless and the internet.
IEEE 802.11a/b wireless LANs may be requested by sending email to the LBLnet Services Group: LBLnet@lbl.gov
To best serve you and to expedite your request, we ask that you send a key plan marked up to indicated what building areas require wireless coverage. From this we will be able to provide you with a cost and time estimate.
The cost of all wireless installations is time and materials.
