University's New WLAN Cuts Out Uninvited APs

The University of Miami's IT team hopes a new WLAN will eliminate channel interference and tighten security, thereby helping it gain control of the multiplying rogue access points that had

February 25, 2005


The medical center's WLAN woes were symptomatic of 802.11 WLAN technology's inherent flaws--mainly that it breeds co-channel interference in heavy traffic and that its shared-hub architecture doesn't scale with the volume of users in a large enterprise or university WLAN like Miami's. The strain on the medical school's growing WLAN was becoming nerve-wracking, especially as new wireless clinical applications were added. For example, the medical center added mobile clinical information carts that let nurses and medical staff access patient registration and lab results from the patient's bedside. Ultimately, medical staff will be able to monitor vital signs from these carts. Although the application didn't suffer any major mishaps with the WLAN glitches, Bogue says he became worried that the network couldn't continue to reliably run it.

Meanwhile, Bogue and his team had to physically track down the rogue APs, then disconnect and replace them with university-sanctioned Cisco Systems and Avaya APs. To complicate matters, the university had several renovation and construction projects under way, so when walls were removed, wireless signals shifted to previously uncovered areas. The whole project was becoming too labor-intensive for the six-person WLAN team: "We had to reposition and sometimes reconfigure APs every couple of weeks or so," Bogue recalls. "The WLAN became difficult to manage."

Changing Channels

After wrestling with all of these issues, Bogue and his team reached the inevitable conclusion that the Miller School of Medicine had outgrown its WLAN. So the university changed its wireless game plan (see The Hard Sell).

Last fall, the IT team began constructing a more streamlined WLAN architecture to eliminate the channel-interference problem. The team also tightened security: The WLAN now authenticates users against their Microsoft Active Directory credentials, rather than their client machine's MAC (Media Access Control) address. The new WLAN is now about halfway complete, supporting 300 concurrent users. Over the next year, it will expand to more than 2,000 concurrent users across the Miami campus and clinic affiliates in other areas of South Florida, including Naples, West Palm Beach and Deerfield Beach.

The WLAN is based on Meru Networks' Air Traffic Control system, which includes a WLAN gateway that provides QoS (quality of service) so that voice, video and other sensitive traffic get the necessary priority and bandwidth. Meru's Controller appliance load-balances the Meru APs to eliminate interference, says Frank Rodriguez, network manager and information security manager for the medical school. The Controller also automatically detects and shuts out any rogue APs.

The IT team configured more than 400 Meru APs onto a single channel to avoid the connection degradation or loss that occurs when a physician moves from his office to the hospital with his or her BlackBerry, for example. Meru's system is different from most 802.11 WLAN systems because it lets the connection appear to the client machine as one big AP. The single channel gives the user a full 11-Mbps connection, even when moving between AP coverage areas, Bogue says. The catch: IT must still use separate management tools for the old Cisco and Avaya APs.

The university's six Meru Controllers sit in the data center, where Bogue and his team are still testing QoS. All a professor or physician needs to access the WLAN is an 802.11b- or 802.11g-enabled device. Users can set up a VPN tunnel or go through their browser, which connects to a Vernier Networks' security appliance that provides a portal and VPN tunnel to the university's Juniper Networks Neoteris VPN appliance. A user authenticates through the med school's Active Directory.

If the user is a visiting professor or a hospital patient's family member, he or she uses the guest link on the intranet site (Port 80), which provides a "throttled" Internet connection through the community WLAN subnet, Bogue says. There's also an intrusion-detection and -prevention appliance that inspects all traffic for potential intruders or worms such as the SQL Slammer, which the appliance has stopped in its tracks on several occasions.

Wireless Gets a Voice

The Miller School of Medicine has been running a small Cisco-based VoIP (voice over IP) system on its wired network for some time and soon will move a VoIP nurse call-station application onto the WLAN. The Vocera Communications System is a peer-to-peer, 802.11-based app that uses lightweight voice badges so a nurse can reach a lab technician directly for blood-test results, for example. The university runs streaming video over the WLAN for classes and events on campus.

Even with its flashy features, though, the school's WLAN is still a shared network infrastructure. So unlike a switched Ethernet network, bandwidth can only go so far for now, Bogue says. "The throughput for wireless isn't where we'd like it to be now, but it will be in the next two or three years," he says.

Chris Bogue is IT director and information security officer for the University of Miami's Miller School of Medicine. Bogue, 32, has been with the university for all of his six years in IT.

Biggest annoyance with the WLAN: Its popularity is growing at an alarming rate. But our job is to help the organization better achieve its strategic objectives, and mobilizing the workforce gives it a leg up.

Most bizarre IT inquiry: A user asked me to help him e-mail a CAD file on his laptop over the wireless network. There was no wireless card, so I asked him if he had one available. His response: "I need a wireless card to use the network?" There was a pause as he thought for a second, and then said, "Hmm, that didn't make much sense, did it?"

Never give a BlackBerry to: My mother. She's not a technology-savvy user. I got frustrated having to [regularly] go to her home and reformat her PC's hard drive, so I bought her a Mac and she loves it.

Favorite team: Miami 'Canes, of course.

How life imitates IT: My brother just built a new house in Tampa, and he asked me to configure his WLAN. I did it remotely, logging in through my DSL connection.

If you were stranded on an island, who would you rather be stuck with--Bill Gates, Steve Jobs or Larry Ellison? If I can only pick one, Steve Jobs. He seems to be a visionary--that's what keeps the industry moving.

Biggest industry flop: The recurring theme of nonstandard protocols and proprietary languages holds us back. IT typically gets way too wrapped up in details that don't matter to the user. Keep it simple and produce results.

Why Wi-Fi gets a bad rap: It's a cultural change and there's a lack of understanding--or unwillingness to understand--the value behind these tools. You've got to balance technology with cultural change. Throw too much at your users faster than they can adapt and you're bound to run into issues.

Wheels: Audi. I'm big into fit and finish--quality is more important to me than quantity.

What you do after hours: Renovating a waterfront home, continuing my education and deep-sea fishing. My staff, though, would probably say my favorite activity entails hammering away at my BlackBerry in the wee hours of the morning.

Dream job: Being a dad someday.

No one really balked last year when Chris Bogue pitched a new wireless LAN for the University of Miami's Miller School of Medicine to the university's senior management. The wave of rogue wireless access points and connection problems had been the final straw for the existing WLAN, so the change was a no-brainer.

Bogue, director of IT and information security officer for the Miller School of Medicine, had already been discussing the potential for expanding wireless capabilities around campus with the school's vice president of administrative operations and planning. "That helped grease the skids for purchasing and installing the new wireless LAN," Bogue says.

The school's IT operations--a large Cisco Systems shop--considered Cisco Systems and Avaya WLAN technology, but settled on the unique approach of Meru Systems' Air Traffic Control system. "We chose the Meru product because of its ability to reduce cochannel interference and site surveys, and its ease of management and deployment," Bogue says. The school had been spending about $100,000 per year on site surveys to help locate rogue APs, but the Meru system not only detects the rogues, but shuts them down as well.

The new system, which cost the med school about $700,000 up front and will likely reach about $1 million when all is said and done, sparks a new debate over how much more to invest in the wired infrastructure. The WLAN could eventually replace some of the wired network. "We are recabling our old Ethernet Category 3 and 4 wiring, but we don't know how much to invest here," Bogue says. "We've got to figure that out."

The next project Bogue will pitch is a Microsoft Active Directory 2003 implementation for the university's Jackson Memorial Hospital. "We'll have a 14,000-user directory structure," Bogue says. The hospital needs to move from its old Microsoft Exchange Server environment to AD 2003.
