Matt Morgan, Concrete Computing, USA
Abstract
In 2004, for the opening of its new front plaza and grand lobby, Brooklyn Museum launched Brooklyn Museum Wireless, an integrated system providing public Internet access, networking for gallery kiosks and handhelds, and staff access to internal resources via Virtual Private Networking (VPN). The system covers the entire 600,000 square foot Museum and its grounds with Wifi coverage and cost, in its entirety, under $50,000. The system closes the loop between visitor and on-line content, for a fraction of the cost of creating the content, and therefore helps drive the Museum's mission.
Keywords: wireless, Wifi, 802.11, kiosk, VPN, remote access, handheld, laptop
Introduction
In spring of 2004, Brooklyn Museum introduced Brooklyn Museum Wireless. To the Museum's community at large, Brooklyn Museum Wireless appeared to be simply a gift to go along with the Museum's beautiful new front plaza: free wireless Internet access, to be used by anyone at any time, for any purpose (within reason).
But to the Museum itself, Brooklyn Museum Wireless was much more than just free Internet access, and the public access side was only icing on the cake. The cake itself was a system providing staff access to internal resources from anywhere in the building or on its grounds, and providing network access for gallery kiosks and handheld devices. The trio of services was completed in one project, for surprisingly little cost. The wireless itself - cabling, access points, and management systems and software - cost under $50,000. Today, the price might be considerably lower.
While different museums have different goals, all museums share the goal of providing access to content - both their own and other, related content - hence the great expenditures we often see on Web sites, electronic components in galleries, library systems, image digitization and distribution, and remote access for museum staff. In some cases, wireless networking can mitigate these costs, and in others it can help close the loops connecting consumers and content.
Many real and perceived issues of cost and complication, both technical and non-technical, create roadblocks to wireless implementation. In this mini-workshop we will directly address the technical issues, using off-the-shelf hardware with OpenWRT (http://openwrt.org) and WifiDog (http://wifidog.org), and discuss the non-technical issues, with examples from Brooklyn Museum.
Paths To Wireless Access-Non-Technical Issues
Often, the question appears to be simply, “why?” That is, why should a Museum provide public wireless Internet access, or even, why should a museum provide any kind of Internet access to the public? The simple answer is that the Internet is where the content is, and museums, in the knowledge and education business as they are, can't permanently maintain their positions of authority without encouraging access to as much relevant content as possible.
Personally, I want to be able to search the Web instantly for information I care about, when I care about it. We go to Web sites for information, and we search and click on links to find related information. Museums would benefit many visitors by being more Web-like. I want to go to museums and read the labels, yes; every curator's point of view is important to me. But without fail, a label is either too short or too long, too detailed or too unspecific. When I'm interested in an artwork, no label answers all my questions; when I'm not interested in an artwork, any label is more than I want to read. The complications involved in label production and the competition for wall space in an exhibition guarantee that labels will only serve some of the people, some of the time. On the other hand, the Web, more than any other medium, serves all of the people, all of the time.
Reality differs from the above in two important ways. First, it will be a few years yet before the public at large judges museums based on how freely they provide Web-based content. Nonetheless, museums are rushing down that path, with great expenditures for on-line collection access, image capture and digitization, and high-end storage systems and digital asset management. In no other field of technology are museums so commonly on the high-cost, cutting-edge of technology as they are with respect to image management. Yet this is being done without similar focus (and expenditures) being placed on the actual connection to that content - why would we not encourage visitors to access the on-line content we are so expensively providing, by enabling in-museum, wireless networking? Why would we not empower our staff by giving them access to electronic resources while working on artworks in situ, in the galleries or storerooms? That is, if we are going to create the content, we should also consider providing better access to that content.
The reason that we don't always look at both ends of the content-access equation lies in the second way in which reality differs from the straw man I've constructed above. That is the fact that museums almost never simply ask, “Why?” Rather, we ask, “Why this important task, goal, or service rather than that one?” That is to say, we compare priorities and we seek to further our missions as much as we can, given limited resources. In other words, we don't do wireless because we think it's not a good investment. I hope some readers will agree that wireless Internet access can serve a museum's mission, at least as much as on-line collections databases and OPACs do; in the next section I hope to dispel some myths about the other side of ROI equation--the costs.
Paths To Wireless Internet Access - Technical Issues
The perceived costs (cash and staff effort) of Wifi generally come down to three issues:
- Complicated Technology/Security.
- Hardware/installation expense.
- Maintenance.
In this mini-workshop I'll demonstrate a public wireless Internet hotspot, within the limits of the conference center's network connection, that is almost free, took only a day to set up from start to finish, and is easily maintainable - the long-term effort it takes to monitor and maintain is easily less than the effort to support one Windows or Linux server.
In the past few years, the cost of wireless hardware has come down tremendously. Meanwhile, the prevalence of open source, free software in the wireless area, such as Pebble Linux (http://www.nycwireless.net/pebble/), OpenWRT, and the NoCat (http://nocat.net/) and WifiDog captive portals, has meant that the software costs of establishing a public hotspot can be minimal. Staff time may be the only remaining significant cost, and as we'll see in this mini-workshop, the complications involved in setting up a public hotspot are diminishing rapidly.
Technical Issues - Hardware
The intro page to Pebble Linux, a Linux distribution designed for wireless portals, states compellingly that Pebble “runs on many different types of systems, such as old 486 machines, mini-itx boards, or the $199 machine down at Fry's.” At Brooklyn Museum, Pebble serves as the operating system on a Soekris low-power, solid-state PC (http://soekris.com) board. Soekris computers, and similar solid-state PC's, are available for prices from about $150 to $300, to which one need only add a compact flash card for disk storage; a 512MB card is more than enough for Pebble.
While Soekris boards and old 486's from the closet are popular platforms for wireless portals, for this mini-workshop we'll focus on a somewhat more recent option, the Linksys WRT54G home wireless router and firewall running the open source OpenWRT operating system. The WRT54G, and many similar models from several manufacturers (http://wiki.openwrt.org/TableOfHardware), are all capable of running OpenWRT. All of them are available at typical consumer pricing - for example, the WRT54G I bought for this conference came to me via eBay and cost $47, including shipping.
Brooklyn Museum, all told, runs about 60 wireless access points. Together, they cost roughly $30,000. While it's unrealistic to expect prices of $47 per access point in a large, enterprise install, many good-quality access points are now available in the $100-200 range, so that $30,000 total would come down to $6,000-$12,000 today.
Technical Issues - Structural, Software, Security
You don't want members of the public on your private network. The easiest and best way to keep private and public separate is to devote a segment of a multi-network firewall to public access. In a larger building, this most likely will involve Virtual LANs (VLANs) on network switches, as well. Finally, the firewall should provide Quality of Service (QoS) management so that public access bandwidth requirements do not unacceptably restrict staff access to the Internet. At Brooklyn Museum, one VLAN and one firewall segment serve all public computers, from Library OPAC stations to Learning Center Web browsing stations to gallery kiosks and handhelds to public computers using the hotspot. They are limited to 256Kb/s when staff access consumes the rest of the Museum's available bandwidth, and are otherwise allowed to range up to the full bandwidth maintained by the Museum.
Additionally, then, this requires some form of authentication to distinguish some stations from others; even purely Web-based gallery kiosks may be designed to run at specific screen resolutions, or with bigger on-screen buttons than their counterparts on the public Web site, to make touch-screens easier to use. The two most popular open-source wireless captive portals, WifiDog and NoCat, offer different means of identification. WifiDog, the simpler of the two, requires user registration and username/password pairs. NoCat is more sophisticated and allows for IP-based authentication (among other kinds), so with the combination of subnetting and DHCP reservations based on MAC addresses, kiosks, library stations, and other known clients can route around the portal, and therefore avoid Acceptable-Use Policies and enforced home/start pages, for example.
Aside from disallowing public access to your private network, if a selling point for public wireless has been, as it was at Brooklyn Museum, museum-wide staff access to internal resources such as the collections database, then you'll also need to provide some means of staff access to the internal network, across the wireless. In 2003, when Brooklyn Museum was planning its wireless strategy, Wired Equivalent Privacy (WEP), the common means of providing wireless security, was known to be inadequately secure for corporate networks. But Brooklyn Museum had an existing VPN strategy that worked well with the wireless, so we opted simply to require wireless users to use the VPN over the wireless.
While VPN usage was occasionally somewhat cumbersome for users, the benefits outweighed the costs. In 2005, we began to provide much easier access to many services, including read-only access to the collections and membership databases, via SSL, and those efforts are continuing. While the VPN at Brooklyn Museum, a proprietary system from the firewall vendor, was somewhat costly, many institutions implementing VPN today are finding IPSec and other low-cost, standards-based VPN solutions to be quite usable.
Today, many IT security experts agree that Wireless Protected Access (WPA), the successor to WEP and a part of the much broader, upcoming 802.11i standard, is acceptably secure for corporate networks (http://www.wirelessnewsfactor.com/perl/story/22207.html; http://www.mobilevillage.com/news/2003.11.13/nw-security.htm). The combination of WPA and the Remote Authentication Dial-in Users Service (RADIUS), available standard with modern Windows, Linux, and OS X servers, can thus be a relatively simple, low-cost means of providing VPN-style access to authorized staff. OpenWRT supports WPA and RADIUS (with an external RADIUS server), but for simplicity we will not demonstrate RADIUS in this mini-workshop.
Technical Issues - Physical Network
Perhaps the most time-consuming task in a large wireless installation is all the network cabling and electrical wiring. Bridging, that is, connecting wirelessly from one access point (AP) to another, at first glance appears to be an attractive option. But bridging provides no way to get electric power to each AP, and network cabling is usually cheaper and easier to complete than electrical wiring. Power-over-Ethernet (PoE) is supported by many APs, and that, at least, means that only one cable- - the network cable - is required for each AP.
PoE requires either a network switch that supplies power to each port (http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=251837), or an adapter at the switch end of the cable that plugs into an electrical outlet (http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=252365). As of the time of this writing, OpenWRT will not run on any APs that support PoE; but since only one instance of a captive portal is required for an entire hotspot, that presents no difficulty. The reality is, in a larger installation (more than a few APs), the best solution may be one instance of OpenWRT or Pebble Linux with a captive portal on a small computer of some kind, interposed between the firewall, and many APs running whatever firmware is most convenient.
Besides cabling, depending on installation requirements, external antennas (which can be more subtle, and resistant to weather, than APs) may be important and are available at low cost (http://sharperconcepts.zoovy.com/product/YSC-HG2414P-XX). Finally, for fully outdoor installations, APs must be protected by weatherproof NEMA enclosures, also relatively cheap and easy to install (http://sharperconcepts.zoovy.com/category/nema/).
At Brooklyn Museum, the final tally for cabling and additional installation equipment was about $20,000 for the 60 APs. That number would be somewhat lower today, as prices for antennae and enclosures have come down, but cabling costs have not.
Conclusion
Museums, when they are fortunate enough, are moving their collections quickly to the on-line world, while not always considering the benefits of that world to the galleries and grounds of the museums themselves. We have a lot to gain by providing wireless access for staff and guests, and we can make the public side of it essentially free by focusing on the internal benefits.
Cite as:
Morgan M., Making Public Wireless Happen, in J. Trant and D. Bearman (eds.). Museums and the Web 2006: Proceedings, Toronto: Archives & Museum Informatics, published March 1, 2006 at http://www.archimuse.com/mw2006/papers/morgan/morgan.html
