Wireless Networking Update University of Denver
Download
Report
Transcript Wireless Networking Update University of Denver
DU Wireless
Networking
Security Update
Chad D. Burnham & Byron D. Early
University Technology Services
CCHE CIO Council Forum on Cybersecurity
3-12-03
1
Wireless Acceptable Use Policy:
Institutional Support Needed from “Top Level”
Do you have a Wireless-AUP in place?
DU Wireless-AUP Link
Issues:
2
Security & Privacy
Authorization
Hardware & Installation
“Rouge” Access Points
User Support
Securing Wireless Today:
Securing WLANs today:
3
Virtual Private Networks (VPNs)
802.1X based authentication with WEP
encryption (dynamic WEP)
WEP is still a good deterrent for “casual”
snoopers
“Wi-Fi Protected Access” (WPA) will
replace WEP as standard Wi-Fi security
Security & Access…
@ Which OSI Layer?
DU: Not Using Layer-2 WEP/WEP2 Key
encryption
DU: Using VPN Layer-3 solution
4
WEP2 (802.11i) not yet ratified
Encryption & AAA
DU Physical Network Topology:
DU Data Backbone
Wireless is several Internal VLANs / Subnets
DU: Cisco 3030 VPN “appliance” in each VTP “Core” Domain
(Cisco 6500s: VPN-blade now available)
VLAN
7XX
VLAN
6XX
VLAN
8XX
VLAN
9XX
5
Wireless Backbone @ DU:
6
Separate Layer-2 & Layer-3 VLANs for WLANs!
Similar to VoIP Networks
Apply a Wireless Access Control centric Lists /
Filters
Do not place Wireless Access Points ‘on-top’ of
existing wired VLANS/Networks
DU Using 10.X.Y.Z address space & routing it
DOCUMENT your WLANS!
7
8
DU Encryption & Access - VPNs:
DU using Cisco 3030s for VPNs (IPSEC-3DES – 168Bit)
Authentication & Authorization: VPN Client software leverages
DU’s ERP Directory: “Banner” database for AA functionality
RADIUS: Radiator on Solaris 8 fed by Banner (nightly)
Handles ACCOUNTING
DU “Branded” the Cisco VPN Client Software:
DU Logo, & configured .pcf file (similar to .ini)
DU Supports: WIN 2K & XP (98/ME/NT4 work).
OSs: Not yet branded (beta configured):
9
MAC OS 10.2, Solaris, Linux
Pocket PC: Movian Admit One software client – BETA Trial
“Locking Down” Wireless LANs
w/ ACLs – Key to Security:
Complex Router Access Control List Objectives:
10
# Allow IPsec to VPN Concentrators
# Allows MSFCs to see each other for HSRP
# Allow bootp on broadcast
# Allow bootp from DHCP clients
# Allow DNS to iVPN DNS server
# Allow download of client
# Allow MGMT station to ping router and AP's
# Allow these systems to be pinged
# Allow management station to snmp from APs
# Deny all else
“Rogue” Access Points:
“Rogue” Access Points are not permitted
Department, Student & Contractor Incidents
Performance Issues:
Speed/Duplex
RF Signal/Channel Overlay Issues
Use AUP as Leverage for Enforcement
11
Log incidents @ DU Network Security Office
Student Apple Airport DHCP Incident(s)
Ticketmaster & Bookstore Contractors (so far)
Student Judicial Department
Dean’s Council
Locating “Rouge” APs
RF Analyzers / Tools:
OSI Layer 1/2 :
OSI Layer 2/3:
12
Grasshopper & Yellowjacket Plus
Air Magnet–Handheld–iPAQ /Laptop - ~$3,600
Fluke:Handheld-iPAQ(Linux)–WaveRunner ~$4K
Fluke:Tablet Add-on – OptiView Integrated Network
Analyzer - $30k
Sniffer Wireless for PDA – 1 Year Software License
Standards Watch:
13
DU: Standards-based solution
802.11: Security & Access
(OSI Layers 1 & 2)
ESS (Network) ID: Text Constant Variable
DU: Using Single Standardized Name
Users can’t be expected to know multiple wireless
names for different locations
Not a Valid Security Approach!
Common Name Signifies a “Supported Network”
14
MAC Address Registration (on APs)
Cumbersome & high management overhead
Must re-enter if card is swapped out
DU tried on 3 networks…...it’s over
802.11i - Layer 2 Encryption:
15
Enhanced WEP (a.k.a. WEP2)
Applies to 802.11a, 802.11b, 802.11g
New encryption & authentication methods
Temporal Key Integrity Protocol (TKIP)
AES (an iterated block cipher) and TKIP
backwards compatibility - replaces RC4.
Best “on-track” approach to the wireless
threats/model.
Ratification expected Q1 2003
802.1X - EAP Variants
Layer-2 Authentication
EAP-TTLS
EAP-TLS
Essentially duplicates CHAP password protection on a WLAN.
EAP-MD5 represents a kind of base-level EAP support among
802.1x devices.
LEAP, PEAP, Etc
Follow-on to Secure Socket Layer (SSL). It provides strong
security, but relies on client certificates for user authentication.
EAP-MD5
IETF draft jointly authored by Funk Software and Certicom, and is
a working document of the PPP Extensions group. EAP-TTLS
provides strong security, while supporting legacy password
protocols, enabling easy deployment across the enterprise.
Vendor pushing ahead of standards efforts
(de facto attempts) AKA “Cisco-Compatible”
Good Presentation @ 2003 WestNet by Dave Packham on
problems with today’s 802.1X methods:
16
http://www.scd.ucar.edu/nets/projects/Westnet/prevmtg/0103.meeting/presentations.0103/802.1x.ppt
Introducing WPA
17
Wi-Fi Protected Access (WPA) is a proactive
response by the industry to offer an immediate
and strong security solution
Standards-based, interoperable security
specification – N.I.S.T. Supported
Significantly increases the level of data
protection and access control for existing and
future wireless LAN systems
WPA is a subset of the 802.11i draft standard
and will maintain forward compatibility
WPA – When?
When properly installed, Wi-Fi Protected Access
will provide
18
Strong over-the-air data protection
Strong network access control
The Wi-Fi Alliance expects formal certification of
WPA to begin in first quarter of 2003
Look for WPA software upgrades to start to
appear in the next several months
Other Good Articles & Links:
http://standards.ieee.org/
http://www.wi-fi.com/
http://www.80211-planet.com
http://csrc.nist.gov/wireless/S09_WPA%20
Analyst%20Briefing%2005-part1-ff.pdf
This Presentation:
19
http://netserv.du.edu/data/presentations.asp