components of secure wireless network


SECURE WIRELESS
NETWORK
IN IŞIK UNIVERSITY
ŞİLE CAMPUS
Designed by VOLKAN MUHTAROĞLU
WLAN (Wireless LAN)

WLAN was introduced in 1986 for use in barcode scanning.
Wi-Fi (wireless fidelity): a properly selected and installed wireless LAN.
802.11a, 802.11b and 802.11g technologies; 802.11g is the latest technology. These are IEEE standards.
GENERAL TOPOLOGY OF WLAN
THE PROJECT
The problem is how three different kinds of users can access different types of data securely through one access point in our campus.
In other words, if we choose three kinds of people, such as students, university staff and data processing center workers, they should be able to access different types of data, or have different rights, when they connect securely through the access point.

THREE DIFFERENT USERS
1) Student
2) University Staff
3) Data Processing Center Worker
COMPONENTS OF SECURE WIRELESS NETWORK
I. Cisco Aironet 1100 Series Access Point
II. Radius Server
III. Two Switches (one of them is a Manageable Switch, the other one is a Backbone Switch)
IV. Vlan
V. Cisco PIX Firewall
VI. WEP & LEAP
VII. Database Server
VIII. Intranet Web Server
Cisco Aironet 1100 Series Access Point
It is a wireless LAN transceiver.
The 1100 series is cheaper than the others and its performance is really efficient.
It is also easily manageable and common all over the world.

RADIUS SERVER

RADIUS is a distributed client/server system that secures networks against unauthorized access.
Use RADIUS in network environments which require access security.
This server is also called an AAA Server, which means Audit, Authentication and Accounting.
In my project the Radius Server will provide authentication and MAC filtering.
SWITCHES
Manageable Switch
Backbone Switch
I will use three different IP ranges. Students will take 10.0.x.x, University Staff will take 10.50.x.x, and Data Processing Center Workers will take 192.168.x.x.

VLAN

A VLAN is a switched network that is logically segmented.
I will use VLANs to give these three different types of users different rights on the WLAN.
CISCO PIX FIREWALL

I chose it because I have it.
DATABASE AND INTRANET WEB SERVER

Database Server: only the Data Processing Center Worker can access this server.
Intranet Web Server: only University Staff and the Data Processing Center Worker can access this server.
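The access rules above, together with the VLAN address plan, as an added example in Python (not part of the original project): each VLAN range comes from the deck, while the server addresses and service ports are constructed placeholders.

```python
# Added example, not from the original project: the per-VLAN access rules the
# deck states (Vlan 1 Internet only; intranet web server for Vlan 2 and 3;
# database server for Vlan 3 only). The VLAN address ranges come from the deck;
# the server addresses and ports are constructed values.
from ipaddress import ip_address, ip_network
from typing import Optional

VLAN_NETWORKS = {
    1: ip_network("10.0.0.0/16"),      # Student: 10.0.x.x
    2: ip_network("10.50.0.0/16"),     # University Staff: 10.50.x.x
    3: ip_network("192.168.0.0/16"),   # Data Processing Center Worker: 192.168.x.x
}

# Constructed server placement: name -> (address, service port).
SERVERS = {
    "intranet_web": (ip_address("10.50.0.10"), 80),
    "database": (ip_address("192.168.0.20"), 1433),
}

# Which VLANs may reach which server, from the deck's access rules.
ALLOWED_VLANS = {
    "intranet_web": {2, 3},   # University Staff and Data Processing Center Worker
    "database": {3},          # only Data Processing Center Worker
}


def vlan_of(src: str) -> Optional[int]:
    """Map a source address to its VLAN by the deck's address plan."""
    addr = ip_address(src)
    return next((v for v, net in VLAN_NETWORKS.items() if addr in net), None)


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Port-based rule check as the firewall/VLAN design applies it."""
    vlan = vlan_of(src)
    if vlan is None:
        return False                      # not from any campus VLAN: drop
    dst_addr = ip_address(dst)
    for name, (srv_addr, srv_port) in SERVERS.items():
        if dst_addr == srv_addr:
            # Protected server: needs the right port and an allowed source VLAN
            return port == srv_port and vlan in ALLOWED_VLANS[name]
    # Any other destination is treated as the Internet, which every VLAN
    # (including Vlan 1) may reach through the firewall.
    return True
```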
HOW WILL THE DESIGN BE?

Firstly: how will the student, university staff and data processing center worker be on different VLANs, and how can I give them different rights?
The second thing is how these people come to these VLANs.
The third thing, which is the most important, is how I can provide security.
SSID (Service Set Identifier)

When you connect to a WLAN you see the name of the WLAN, which is the SSID.
FOR VLAN 1
We define two different SSIDs: one of them is broadcast, the other one is secret.
For instance, our broadcasting SSID is tsunami and our non-broadcasting (secret) SSID is Private. If you connect to the WLAN through the access point, everybody automatically sees the tsunami SSID.
When you connect to it, you come to Vlan 1, and this Vlan provides access only to the Internet.

AUTHENTICATION

If you are not a student, you type the non-broadcasting SSID name to access the network; at that point you will see the Username-Password window for obtaining different rights.
When you enter the username and password, the information goes to the Radius Server.
At this point EAP (Extensible Authentication Protocol) is used.
AUTHENTICATION TOPOLOGY
WEP (Wired Equivalent Privacy)

i. WEP is an encryption algorithm used by the Shared Key authentication process for authenticating users and for encrypting data payloads over only the wireless segment of the LAN.
ii. The secret key lengths are 40-bit or 104-bit, yielding WEP key lengths of 64 bits and 128 bits.
iii. A WEP key is an alphanumeric character string used in two manners in a wireless LAN.
iv. A WEP key can be used:
• to verify the identity of an authenticating station;
• for data encryption.
CRITERIA
The 802.11 standard specifies the following criteria for security:
• Exportable
• Reasonably Strong
• Self-Synchronizing
• Computationally Efficient
• Optional
WEP meets all these requirements.
WEP supports the security goals of confidentiality, access control, and data integrity.
WEP KEY TABLE
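How the 40-bit secret and the 24-bit IV combine into the "64-bit" WEP key, and how a frame is encrypted and integrity-checked, as an added Python example (not code from the original project). The key and IV values are constructed; a real access point picks a fresh IV per frame.

```python
# Added example, not from the original project: WEP frame protection as the deck
# describes it (RC4 seeded with IV || secret, CRC-32 ICV). The 40-bit secret key
# and the 24-bit IV below are constructed values.
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes from `key` (RC4 KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_seed(iv: bytes, secret: bytes) -> bytes:
    """Per-frame RC4 seed: 24-bit IV + 40- or 104-bit secret = 64 or 128 bits.
    The IV travels in clear, so only the 40 (or 104) bits are actually secret."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 3 bytes; secret must be 5 or 13 bytes")
    return iv + secret


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || (payload || ICV) XOR keystream; ICV is a CRC-32 checksum."""
    plain = payload + zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(wep_seed(iv, secret), len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))


def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Use the clear-text IV to rebuild the keystream; None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(wep_seed(iv, secret), len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    payload, icv = plain[:-4], plain[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None


SECRET_40BIT = bytes.fromhex("0102030405")   # constructed 5-byte (40-bit) key
IV = bytes.fromhex("aabbcc")                  # constructed 24-bit IV
```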
EAP (Extensible Authentication Protocol)

This authentication type provides the highest level of security for your wireless network.
It uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server.
This is a type of dynamic WEP key.
There are five different types of EAP; I will use LEAP (Lightweight Extensible Authentication Protocol, designed by Cisco), which is the most secure.
LEAP TOPOLOGY
MAC (Media Access Control) ADDRESS FILTERING

The server checks the address against a list of allowed MAC addresses.
If your MAC address is a University Staff member's MAC address, you come to Vlan 2 and have those rights; if your MAC address is a Data Processing Center Worker's address, you come to Vlan 3 and have those rights.
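The SSID, authentication and MAC-filtering steps above combined into one decision, as an added Python example (not code from the original project): the SSID names, VLAN numbers and address plan are the deck's, while the RADIUS user database and allowed-MAC list are constructed.

```python
# Added example, not from the original project: a model of the access point /
# RADIUS decision the deck describes. SSID names, VLAN numbers and the address
# plan come from the deck; the user database and allowed-MAC list are constructed.
import hmac
from dataclasses import dataclass
from typing import Optional

BROADCAST_SSID = "tsunami"   # visible to everyone -> Vlan 1, Internet only
PRIVATE_SSID = "Private"     # not broadcast -> username/password, then MAC check

# Constructed RADIUS user database (a real server stores password hashes).
USERS = {"staff1": "St@ff-pass1", "dpc1": "Dpc#work22"}

# Constructed allowed-MAC list: MAC address -> role it is registered to.
ALLOWED_MACS = {
    "00:11:22:33:44:55": "University Staff",
    "00:11:22:33:44:66": "Data Processing Center Worker",
}
ROLE_VLAN = {"University Staff": 2, "Data Processing Center Worker": 3}
VLAN_PREFIX = {1: "10.0", 2: "10.50", 3: "192.168"}   # host part (x.x) by DHCP


@dataclass
class Decision:
    vlan: Optional[int]   # None means the client is rejected
    role: str
    reason: str


def decide(ssid: str, mac: str, username: str = "", password: str = "") -> Decision:
    """Return the VLAN a client lands on for the given SSID, MAC and credentials."""
    if ssid == BROADCAST_SSID:
        # Anyone can see and join tsunami, but it only leads to Vlan 1.
        return Decision(1, "Student", "broadcast SSID: Vlan 1, Internet only")
    if ssid != PRIVATE_SSID:
        return Decision(None, "", "unknown SSID")
    # Hidden SSID: the RADIUS server must accept the username/password first
    # (constant-time compare so timing does not reveal how much matched).
    stored = USERS.get(username, "")
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return Decision(None, "", "RADIUS rejected username/password")
    # Then the MAC address must be on the allowed list; its role picks the VLAN.
    role = ALLOWED_MACS.get(mac.lower())
    if role is None:
        return Decision(None, "", "MAC address not on the allowed list")
    vlan = ROLE_VLAN[role]
    return Decision(vlan, role, f"authenticated: Vlan {vlan}, address {VLAN_PREFIX[vlan]}.x.x")
```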
MAC FILTERING TOPOLOGY
STUDENT TOPOLOGY-1, STUDENT TOPOLOGY-2 and STUDENT GENERAL TOPOLOGY (figures): Student → Access Point on the broadcasting SSID (tsunami) → Switch → Backbone Switch → Firewall → Internet. Student takes a 10.0.x.x IP and comes to Vlan 1.
UNIVERSITY STAFF TOPOLOGY 1, 2, 3 and UNIVERSITY STAFF GENERAL TOPOLOGY (figures): University Staff → Access Point on the not broadcasting SSID (Private), with SSID & authentication & MAC filtering against the RADIUS Server → Switch → Backbone Switch → Intranet Web Server, and → Firewall → Internet. University Staff takes a 10.50.x.x IP and comes to Vlan 2.
DATA PROCESSING CENTER WORKER TOPOLOGY-1, TOPOLOGY-2 and DATA PROCESSING CENTER WORKER GENERAL TOPOLOGY (figures): Data Processing Center Worker → Access Point on the not broadcasting SSID (Private), with SSID & authentication & MAC filtering against the RADIUS Server → Switch → Backbone Switch → Database Server and Intranet Web Server, and → Firewall → Internet. Data Processing Center Worker takes a 192.168.x.x IP and comes to Vlan 3.
SECURITY POLICY

The purpose of this policy is to provide guidance for the secure operation and implementation of wireless local area networks (WLANs).
AUTHENTICATION
University Staff and Data Processing Center Workers have to authenticate to the system if they want to have different kinds of rights.
• For authentication, username and password authentication is used, so users must use strong passwords (an alphanumeric and special character string at least eight characters in length).
• Shared secret (or shared key) authentication must be used to authenticate to the WLAN.

ENCRYPTION & ACCESS CONTROL
Distinct WEP keys provide more security than default keys and reduce the risk of key compromise.
• SSID
• MAC (Media Access Control)

FIREWALL

The firewall provides security based on ports.
PHYSICAL AND LOGICAL SECURITY
• Access points must be placed in secure areas, such as high on a wall, in a wiring closet, or in a locked enclosure, to prevent unauthorized physical access and user manipulation.
• Access points must have Intrusion Detection Systems (IDS) at designated areas on campus property to detect unauthorized access or attacks.

CONCLUSION

With this design, Students, University Staff and Data Processing Center Workers can access securely wherever they want, without using extra devices or making any adjustments.
QUESTION ?