Best Practices for Building a Secure and Scalable
Emory
Network Communications
Building a Secure & Scalable Wireless LAN Infrastructure
Stan Brooks, CWNA, CWSP
Emory Network Communications
[email protected]
AIM-Y!-MSN: WLANstan
Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this
material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on
the reproduced materials and notice is given that the copying is by permission of the author. To disseminate
otherwise or to republish requires written permission from the author.
Emory
Network Communications
Outline
About Emory
Emory’s Wireless Network Today & Yesterday
The “New” WLAN: What We Chose – and Why
How We Deployed the Architecture
Network Usage
Tips, Tricks, Traps, & Best Practices
About Emory & NetCom
Who we are
Network Communications Division supports both
Emory University & Emory Healthcare
Network Scope
Data ~32,700 data ports
Voice ~43,500 voice lines & 17,800 V-Mailboxes
Video – 3000+ Cable TV Drops
Pagers ~ 6800 pagers
2-Way Radios – for Facilities Mgmt & Police
Wireless Network – Today’s Scope
Two Systems
Academic ~1000 Access Points (APs)
Healthcare ~ 525 APs
Total of ~1525 APs
Over 2300 Simultaneous Wireless Users
Spanning 3 Campuses, 3 Hospitals, & 8+ Clinics
Covering 130+ Buildings and Outdoor Areas
Back in Time – Late 2004/Early 2005
Legacy Environment
Autonomous APs with VPN termination capability
Chosen security model
Open Wi-Fi w/VPN authentication & Encryption
No Guest Access
Was the “right” solution at the time (pre-2005)
Deployment: ~75-100 APs in library locations &
some administration areas
“Issues” for the users and network support
Welcome to My Nightmare: Deployment
Autonomous APs, each requiring configuration
and network provisioning
Issues with Defining & Managing:
AP IP addresses, DHCP pools, VPN pools, VLANs
RF channel & power settings
Individual APs as RADIUS clients
Configuring each AP took a long time
Welcome to My Nightmare: Management
DHCP & VPN Pool/ IP subnet management
Authentication Client/Server Management
Client Roaming
Adding an SSID was near impossible because of our
routed network architecture
local IP pools and VLANs were needed at each AP location
Adding different security models was near impossible
WE NEEDED A BETTER SOLUTION!!!
Selection Criteria: Our Wireless Concerns
Security
Wireless is inherently NOT SECURE!
Scalability & Flexibility
Grow to a large number of APs
Support a variety of different groups of wireless users
Manageability
Supportable both during deployment and for ongoing
operations
Wireless Security Concerns
There are 3 main areas to address:
1) Protect data as it travels from source to destination
Eavesdropping
Integrity (tampering)
Denial of Service (DoS)
2) Protect the network from unauthorized/compromised users
Rogue APs
Stolen/hacked credentials
Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
MitM/Evil Twin and Ad Hoc attacks
Hacking open hard drive shares
Security is a PROCESS
[Diagram labels: Wired Network, “Real” Access Point, “Real” Wireless User]
Security
Security is a PROCESS
Apply Security in layers
There is NO single security silver bullet
Different types of data require different levels of
security
A Term Paper vs. Student Grades vs. Financial Aid Data vs.
Health Records
A Business Risk Assessment helps to define requirements
Scalability & Flexibility
Network estimated to grow to around 2500 APs
Ease of Deployment
Limited resources (headcount)
Compressed deployment timelines
Flexible Architecture in order to:
Support our current user base
Grow to other security models
Add SSIDs
Add guest access and move towards WPA
Manageability
Limited staff for supporting WLAN infrastructure
Automated RF channel & power control
Ability to quickly troubleshoot wireless issues
WLAN infrastructure issues
User/client issues (#1 issue with Wi-Fi)
Ability to track users
Ability to easily see the WLAN “Big Picture”
Decision: Aruba Networks
WLAN switch/controller architecture
Ease of
Configurations
Deployment
Management
Scaling
Easily emulated our security model (VPN access)
Easily handled our evolving security model(s)
Redundancy
Aruba WLAN Switch/Controller-based Implementation
The AP attaches to network infrastructure and gets its configuration from the Aruba WLAN switch/controller
The AP builds a tunnel to the Aruba WLAN switch/controller
An Authenticated user associates to an AP; all traffic is tunneled to the controller where it is scrutinized and passed or blocked to various destinations including the Internet
A Guest user associates to an AP; all traffic is tunneled to the controller, scrutinized and forwarded to the Internet as policy dictates
Using a centralized controller gives a single point of ingress and control for wireless traffic on Emory’s network
[Diagram: Authenticated User (SSID: EmoryUnplugged) and Guest User (SSID: EmoryGuest) associate to a “Thin” Access Point; traffic is tunneled to the Aruba WLAN Switch/Controller w/ Built-in Firewall and Per User Access Control, which forwards to Emory’s Internal Network or the Internet]
How We Deployed: Site Surveys
We try to do a Site Survey for each location
To get a basic understanding of the “RF Landscape”
To get an idea of deployment densities
Not used for RF channel or power plans
The controllers do that job very well
Some overrides necessary depending on the local
terrain
How We Deployed: WLAN Growth
Deployment Timeline:
Initial deployment of 39 APs in the Law School
(03/05)
Additional deployments from 04/05 to 09/05:
School of Public Health & some outdoor areas
Replaced ~75-100 legacy APs by 08/05
Move-In Weekend ’05 saw a push to get Wi-Fi
in all residence buildings by start of Spring ’06
semester (~5 Months)
~460 APs deployed in 50+ buildings in less than
5 months including surveys & designs
Also deployed Healthcare starting in 08/05
with large deployment summer of 2006
Currently (06/07):
[Chart: AP count by date, Mar. 05 through Jun. 07, series Academic APs and Healthcare APs, y-axis 0 to 1600]
500 APs in ResNet
500 APs covering the rest of campus
525 APs on Healthcare network
21 Aruba Controllers on both networks
How We Deployed: Installing the APs
Contractors pulled data drops and mounted APs
Created a “Best Practices” document for AP mounting
Ensures unified (correct) approach for mounting & labeling APs
How We Deployed: Installing the APs
Emory Mounted APs so they are visible
Ease of locating for troubleshooting
Visual indication of Wi-Fi availability for users
Weighed the potential for damaged or
stolen APs
APs are relatively inexpensive
None stolen to date
Have lost 5 due to damage over 2 years
Published an AP “Light Guide”
Users can report problems
If You Build It, They Will Come!
Move-In Weekend 2006 was an eye-opener
Turned off ResNet VPN & guest access to force users to WPA
Implemented NetReg NAC on wireless and wired networks
Users flocked to wireless in droves
Spring Semester ’06 ~835 peak simultaneous users
Move-In Weekend ’06 ~1900+ peak simultaneous users
Incoming freshmen didn’t know (and didn’t want to know)
what an Ethernet cable was
Their mantra: I want my wireless connectivity!
Crunch Time – Dealing w/Unexpected Usage Growth
Subnet Crunch
Wireless Subnets max’ed out
Additional subnets on ResNet controllers needed (and quickly)
Load Balancing
APs were evenly distributed among controllers, but users were not
Developed spreadsheets to estimate # of users/dorm
Aruba’s “VLAN pooling” feature automatically spread users across
multiple subnets
Retained class-C subnet size
Now peaks of 350-400 users/ controller – evenly distributed
Emory’s Wireless Growth
[Graphs: Total Academic Wireless Clients (year and month), VPN Wireless Clients (year), Total Healthcare Clients (year), Guest Wireless Clients (year)]
Academic and Healthcare Wireless Traffic as of Oct 2006
Wireless User Graphs (04/07)
Academic and Healthcare Wireless Traffic as of April 2007
The End Result: Emory’s Wireless Networks Today
21 Aruba controllers (05/07)
9 Healthcare controllers
12 Academic controllers
Wireless Footprint continues to grow
Adding APs as departments and schools request them
Adding controllers as APs increase (128 APs/controller)
Adding new functionality
VoIP over Wi-Fi (VoFi) in the hospital and beyond
Addressing “non-standard” applications
Consolidated wireless networks: Now a unified system
Considering merging Academic & Healthcare wireless systems
Some Tips, Tricks and Best Practices
Contractor Documentation
Provide floor plans with AP Placement
Provide best practices documents
Provide forms for contractors to fill out
AP MAC & S/No, Data Jack #, Ethernet switch ID & port
Record AP MACs & S/No’s for remote AP configuration
Preconfigured APs with a “location code”
Contractors record the AP placement, MAC & S/No
check & balance system for installations
Project Management/Workflow
We used project managers to manage contractors and installation
schedules
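The check & balance idea above, as an added example that is not part of the presentation: the APs NetCom preconfigured with a location code are reconciled against the contractor's install forms (MAC, serial, jack, switch and port). Record layout, names and all values are constructed sample data.

```python
# Added example (not from the presentation): reconcile preconfigured APs
# (location code, MAC, serial) against contractor install forms.
# All records below are constructed sample data; field names are assumed.
from collections import Counter

# What NetCom recorded before shipping APs to the site.
PRECONFIGURED = [
    {"loc": "LAW-2F-07", "mac": "00:0b:86:aa:00:01", "serial": "AP0001"},
    {"loc": "LAW-2F-08", "mac": "00:0b:86:aa:00:02", "serial": "AP0002"},
    {"loc": "LAW-3F-01", "mac": "00:0b:86:aa:00:03", "serial": "AP0003"},
]

# What the contractor wrote on the install form for each mounted AP.
INSTALL_FORMS = [
    {"loc": "LAW-2F-07", "mac": "00:0B:86:AA:00:01", "serial": "AP0001",
     "jack": "2F-07A", "switch": "law-sw2", "port": "Gi1/0/7"},
    {"loc": "LAW-2F-08", "mac": "00:0b:86:aa:00:03", "serial": "AP0002",
     "jack": "2F-08A", "switch": "law-sw2", "port": "Gi1/0/8"},
    {"loc": "LAW-3F-02", "mac": "00:0b:86:aa:00:99", "serial": "AP0099",
     "jack": "3F-02A", "switch": "law-sw3", "port": "Gi1/0/2"},
]

def norm_mac(mac):
    """Forms are hand-written; compare MACs case-insensitively."""
    return mac.lower()

def reconcile(preconfigured, forms):
    """Return a sorted list of (finding, detail); an empty list is clean."""
    findings = []
    by_serial = {p["serial"]: p for p in preconfigured}
    seen = set()
    for f in forms:
        pre = by_serial.get(f["serial"])
        if pre is None:
            # Not an AP we shipped: mis-recorded, or hardware we never placed.
            findings.append(("unknown_ap", f["serial"]))
            continue
        seen.add(f["serial"])
        if norm_mac(f["mac"]) != norm_mac(pre["mac"]):
            findings.append(("mac_mismatch", f["serial"]))
        if f["loc"] != pre["loc"]:
            findings.append(("location_mismatch", f["serial"]))
    for serial in by_serial.keys() - seen:
        findings.append(("not_installed", serial))    # shipped but never mounted
    # Two APs reported on the same switch port cannot both be right.
    for (sw, port), n in Counter((f["switch"], f["port"]) for f in forms).items():
        if n > 1:
            findings.append(("duplicate_port", f"{sw} {port}"))
    return sorted(findings)
```

Any finding means the inventory the controllers trust (and that rogue-AP checks lean on) does not match what is on the wall, so it is worth resolving before the site is signed off.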
Some Tips, Tricks and Best Practices (cont)
Manage IP subnets & load balancing
Dorms – use pillows as surrogate for users
Spreadsheets can help plan load balancing efforts
Walk the wireless areas with a tablet/laptop/PDA
to get a feel for coverage and user problems
Ask users about coverage and functionality
Keep an eye out for new things
Wireless exploits, new technology, etc.
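The subnet and load-balancing planning described here and in the earlier "Crunch Time" slide, as an added example that is not part of the presentation: pillows serve as the surrogate for users, dorms are spread across controllers so no controller exceeds the peak the slides report as comfortable, and each controller's VLAN pool is sized in class-C subnets. Dorm names, pillow counts, the concurrency ratio and the usable-address figure are constructed assumptions.

```python
# Added example (not from the presentation): size VLAN pools and balance
# dorms across controllers from pillow counts. All inputs are constructed.

CONCURRENCY = 0.6             # assumed share of pillows online at peak
SUBNET_USABLE = 250           # assumed usable hosts per class-C after reserves
TARGET_PER_CONTROLLER = 400   # upper end of the 350-400 users/controller peak

# Constructed dorm -> pillow counts.
DORMS = {"Dobbs": 420, "Harris": 310, "Longstreet": 260,
         "Turman": 350, "Woodruff": 180, "Few": 300, "Evans": 150}

def estimate_users(pillows, ratio=CONCURRENCY):
    """Pillows as a surrogate for peak simultaneous users."""
    return {d: int(round(n * ratio)) for d, n in pillows.items()}

def subnets_needed(users, usable=SUBNET_USABLE):
    """Class-C subnets a controller's VLAN pool needs (ceiling division)."""
    return -(-users // usable)

def balance(users, target=TARGET_PER_CONTROLLER):
    """Greedy first-fit-decreasing: place the largest dorm on the least
    loaded controller that still has room, opening a new controller when
    none does. Returns one dict per controller."""
    controllers = []
    for dorm, n in sorted(users.items(), key=lambda kv: -kv[1]):
        fit = [c for c in controllers if c["users"] + n <= target]
        if fit:
            c = min(fit, key=lambda c: c["users"])
        else:
            c = {"dorms": [], "users": 0}
            controllers.append(c)
        c["dorms"].append(dorm)
        c["users"] += n
    for c in controllers:
        c["subnets"] = subnets_needed(c["users"])
    return controllers
```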
Some Tips, Tricks and Best Practices (cont)
Most wireless issues we’ve seen are client based
Drivers, service packs, client configuration, etc.
A good wireless infrastructure will help you
troubleshoot these issues
Our APs let us know of wired infrastructure issues
Constant communication with the controllers lets them act as “canaries in a coal mine”
Indicating wired network health
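The "canary" idea above, as an added example that is not part of the presentation: AP up/down events from the controllers are joined with the switch recorded on each AP's install form, and a switch whose APs all drop within a short window is flagged as a wired fault rather than an AP fault. AP names, switch names and the log lines are constructed; the log format is assumed, not Aruba's.

```python
# Added example (not from the presentation): classify AP outages as wired
# (whole switch) or per-AP using the install-form inventory. Constructed data.
from datetime import datetime, timedelta

# AP -> upstream switch, as recorded on the contractor install forms.
AP_SWITCH = {"ap-law-2f-07": "law-sw2", "ap-law-2f-08": "law-sw2",
             "ap-law-2f-09": "law-sw2", "ap-law-3f-01": "law-sw3",
             "ap-law-3f-02": "law-sw3"}

# Constructed controller log lines: "<timestamp> AP <name> <up|down>".
EVENTS = """\
2007-06-01T08:00:02 AP ap-law-2f-07 down
2007-06-01T08:00:04 AP ap-law-2f-09 down
2007-06-01T08:00:05 AP ap-law-2f-08 down
2007-06-01T08:13:40 AP ap-law-3f-02 down
2007-06-01T08:14:10 AP ap-law-3f-02 up
"""

def parse_events(text):
    """Return [(datetime, ap_name, state), ...] from the assumed log format."""
    out = []
    for line in text.splitlines():
        ts, _, ap, state = line.split()
        out.append((datetime.fromisoformat(ts), ap, state))
    return out

def classify_outages(events, ap_switch, window=timedelta(minutes=2)):
    """Return {switch: "wired" | "ap"} for every switch with an AP still
    down. "wired" means all of that switch's APs dropped inside `window`."""
    downs = {}
    for ts, ap, state in events:
        if state == "down":
            downs[ap] = ts
        elif ap in downs:
            del downs[ap]          # AP came back; no longer an open outage
    per_switch = {}
    for ap, ts in downs.items():
        per_switch.setdefault(ap_switch[ap], []).append(ts)
    verdict = {}
    for sw, times in per_switch.items():
        total = sum(1 for a in ap_switch if ap_switch[a] == sw)
        if len(times) == total and max(times) - min(times) <= window:
            verdict[sw] = "wired"
        else:
            verdict[sw] = "ap"
    return verdict
```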
Recap
The Legacy Wireless Network – and its Problems
The Decision Process – What Criteria We Used
Our Chosen Architecture – Aruba
How We Built Out the WLAN Network
Growth We’ve Experienced
What We Learned – Useful Tips & Tricks
Building a Secure & Scalable WLAN Infrastructure
Questions
Presenter: Stan Brooks – [email protected]