Michigan's Award-Winning Approach to Securing the State's Wireless Network

Michigan Department of Information Technology upgrades the state's wireless network.

by Hilton Collins / June 27, 2010
Illustration by Tom McKeith

The Web has become an everyday utility for so many Americans that government IT leaders may feel pressure to expand their networks to accommodate employees who are accustomed to connecting securely to the Internet even when they're remote.

Michigan wanted to achieve that goal, but in 2007 the state's IT environment wasn't ready to provide that level of service delivery. Although the Michigan Department of Information Technology (MDIT) served 19 departments, at that time different offices had different wireless equipment. The state lacked enterprisewide policies or standards for wireless networks, and wireless coverage was confined to fiber-connected offices.

"We had different products from different manufacturers, and they weren't working very well together," said Rhea Linn, the wireless LAN project manager for the department's Office of Telecommunications. "And they were past their shelf life, so to speak."

These problems motivated the MDIT to consolidate the state's wireless infrastructure into one unified network and to create enterprise policies. Leaders like Linn and Jack Harris, director of telecommunications, assembled a team to work on the wireless LAN project, an effort to expand coverage on a platform that's safer and easier to manage. The solution was implemented in May 2007, and today 16 locations in the state have wireless LAN services.

"We had to have a secure solution that our clients could use. Otherwise, our clients would be off installing their own solutions that would not be secure," Harris said. "We must have a secured and acceptable solution that the client can point to and use - and use happily to keep them from trying to engineer their own thing on the sly."

And new state employees likely prefer the type of broadband environment they've been accustomed to using outside of work.

"The new students coming in who are taking state jobs are used to having free Wi-Fi at the university, and it was easy. They liked the portability," Harris said. "More and more state employees are using laptops."

Costs and Benefits

Many people refer to the current Michigan wireless infrastructure as Version 2. The Version 1 environment left much to be desired in many agencies - and not just technically. A huge sticking point was the cost agencies paid for using Version 1.

The state spent more effort and money servicing disparate wireless systems in Version 1 than the MDIT liked. But a single solution means less money must be spent on maintenance and installation. In Version 2, the MDIT rolled Wi-Fi capability into the managed LAN service to the participating agencies.

"At no additional charge, we could put Wi-Fi access points in their conference rooms, hallways [or] gathering places," Harris said, "and there's a one-time charge that they pay for an RF survey of the building, but after that, it's rolled into their managed LAN."

An RF, or radio frequency, survey measures how radio signals propagate through an area so that access points can be placed for adequate coverage before any wireless equipment is installed.

The cost to run Version 1 was estimated at $3,696 per month, including a $31 monthly charge per user, plus about $93,677 per year for staff support and overhead. The cost to run Version 2 is staggeringly low by comparison: $105 a month, including a $1.25 monthly charge per user, plus $14,989 per year in staff support and overhead. Harris said he's heard that customers are happy with the savings in the new environment.

"We knew right away that it was too cost-prohibitive," Linn said of Version 1. "And people were not going to want to roll it."

Linn spearheaded much of the technical development and was part of the initial design team of 13 people responsible for design, product research and installation. During this early phase, the group set up a pilot site with other MDIT agencies to hammer out issues like operational parameters and call-center procedures for customers with wireless problems.

But before all this, Harris had to help lay the project's groundwork in 2006 by convincing then-state CIO Teri Takai and other officials that network changes would benefit the state.

"We had to convince our Office of Enterprise Security that what we were building would be secure and meet their standards," Harris said, "and we took a lot of time with them to make sure that they understood."

The MDIT decided on the Cisco Unified Wireless Network so users could have a single-vendor solution that could meet scalability, operational and security needs. The new network offers high-speed connectivity over a wider area, and it is easier to operate and monitor because it's centrally managed on compatible equipment, unlike the former heterogeneous environment. According to Linn, Michigan has a long-term contract with AT&T, which supplies the state with Cisco technology. Having one solution for so many functions makes operations smoother, in her opinion.

"Michigan is very Cisco-centric, if you will. We look to them first," she said, adding that she did consider other solutions before choosing Cisco for the wireless LAN project. "I was looking at Nortel and the other solutions out there, and Cisco was the overwhelming winner. They met all of our requirements with security, and ease of deployment and integration with our other tool sets."

Lockdowns and Upgrades

Linn is confident that Version 2's security is superior to Version 1's. One reason is that Version 2 has more physical security layers in place when nonstate personnel connect.

"When someone comes into a state building," she said, "they have to pass a security guard, and they get visitors' passes and things like that." Once in the building, they must take extra steps to connect their mobile equipment. "With our wireless network, they must have a physical device that is owned by the state to connect onto our secure network, so a guest will not come in and connect wirelessly using their own laptop."

Guests are limited in how much bandwidth they can consume so they don't impede network operations, and their Internet access is tracked by a security appliance. All Web transactions are logged through security servers. This way, administrators can view Web usage patterns, and audit user history and other data to help them protect the network and make policy decisions.

Employees must authenticate to access Michigan's network, but the method used in Version 1 was irritating. State workers carried small devices called fobs, keychain-sized gadgets with tiny screens that display a random number every 90 seconds. The fobs were synced to the network, so when a state employee wanted to access the network from a computer, he or she had 90 seconds to enter the number shown on the fob.

The MDIT discontinued this method in Version 2, opting for a less cumbersome authentication scheme that checks passwords against a RADIUS server backed by an Active Directory system. RADIUS environments may also use identifying information supplied with the access request, such as the client's network address, a phone number, or data about the physical access point or location from which the user is attempting to access the network.

Harris and Linn are pleased with the MDIT's current network, and so are others in the department. The state nominated the wireless LAN project for consideration in the 2009 National Association of State Chief Information Officers Recognition Awards and won in the Information Security and Privacy category.

But as technology and threats change, security also must change. The MDIT will keep this in mind as it modifies the wireless network.

"As more devices are integrated to what is assumed to be a ubiquitous Wi-Fi environment," Harris said, "we have to be able to secure these other devices that may or may not have a person attached to them."

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.
