Transcript Wireless

Wireless
CIS Plan for Testing and Rollout
(draft)
W.E.P.
• Wired Equivalent Privacy
• 40 bit (64 bit), 128 bit
• Already defeatable without additional
security measures
• Most clients use software encryption, which
significantly decreases performance
EAP and LEAP
• Extensible Authentication Protocol
• Light-weight Extensible Authentication
Protocol
• EAP is an extension to RADIUS –
Remote Authentication Dial-In User Service
Wireless Standards
• 802.11b – 11 Mbps
• 802.11g – ratified but no products currently
available for it. An extension to 802.11b that will
allow 22 Mbps rates
• 802.11a – have only seen one vendor producing
these but supposed to be more widely available by
year end. 6-54 Mbps, uses the 5 GHz band and isn’t
compatible with 802.11b. Range is about half of 802.11b
• Realistically 802.11a is 2-3 years away from widespread
adoption
OIT Observations
• WLAN encryption takes an overhead of about 3%
on Cisco, already starting at less than 5 Mbps
• [Less than 50% effective vs 70% for 802.11]
• Should only use wireless to augment wired
not replace it.
• Membership to SONNET requires
authentication of clients
OIT Recommendations
• 1) use WEP for now
• 2) require application level security where
possible
• 3) OIT doesn’t see any value in MAC
authentication
• 4) authentication & logging required by OSU
• 5) use OIT’s authentication script for now
OIT Standards proposals
• 1) 802.11b compliance
• 2) client authentication
• 3) client DHCP by server, not by AP
• 4) NAT (Network Address Translation) off
• 5) encryption of sensitive data - WEP
• 6) follow channel reservation scheme
OIT Standards proposals - Cont.
• 7) Only channels 1,6,11 can be used
but only 1 is for departments, 6 is
for OIT, 11 is campus wide
• 8) Other channels can't be used
Capabilities
• 11 Mbps (theoretical) per Access Point (AP) –
limited by 10 Mbps wired connection
• 25 clients or less per AP is recommended by Cisco
and others
• 250 clients is theoretical limit
• Client (theoretical) – 11 Mbps at 100 ft., 5.5 Mbps
at 150 ft., 2 Mbps at 300 ft. indoors. Segment load,
obstructions and overhead will reduce these rates
significantly
Limitations
• Cells can’t overlap w/o interference
• Underlap creates dropouts
• 11 Mbps X 55% = 6.05 Mbps - testing of various
APs often produces results of less than 5 Mbps
• 6.05 Mbps/25 clients = 242 kbps approx.
• 6.05 Mbps/250 clients = 24 kbps - phone grade
connection
• Could not provide adequate bandwidth for lecture
halls like 113 – if everyone had wireless. Access
to the wired network is through OIT; elevator shafts
create obstacles to providing it from new Dreese
Limitations - Cont.
• Dropout will occur in elevators, stairwells and
similar areas
• 2.4 GHz band is “crowded” - Interference from
portable phones and microwaves is possible,
especially when the device is directly in the path of
transmission.
• Interference from rogue APs would be detrimental
to the entire WLAN
• Use of any channel other than 11 can potentially
cause some interference, particularly on the edge of
cell ranges. Even ch 11 would interfere with OIT
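The channel scheme (only channels 1, 6, 11, with 1 for departments, 6 for OIT and 11 campus-wide) and the rogue-AP interference concern above can be checked mechanically against site-survey data. The following is an added example, not part of the original plan or any Cisco/OIT tool; the SSID, the AP inventory and the scan records are constructed sample data.

```python
# Added example: audit a site-survey scan against the OIT channel scheme
# (only channels 1, 6, 11; 1 = departments, 6 = OIT, 11 = campus-wide) and
# an authorized-AP inventory, flagging rogue APs that advertise our SSID.
# SSID, inventory and scan rows are constructed sample data.
CHANNEL_OWNER = {1: "department", 6: "oit", 11: "campus"}  # OIT scheme
OUR_SSID = "cis-wlan"  # assumed SSID for the CIS WLAN

# Authorized inventory: BSSID -> owner of that AP (constructed values)
INVENTORY = {
    "00:40:96:aa:00:01": "department",
    "00:40:96:aa:00:02": "department",
    "00:40:96:bb:00:10": "oit",
}

# Constructed survey records: "<bssid> <ssid> <channel> <rssi dBm>"
SCAN = """\
00:40:96:aa:00:01 cis-wlan 1 -55
00:40:96:aa:00:02 cis-wlan 6 -60
00:40:96:bb:00:10 cis-wlan 6 -62
00:11:22:33:44:55 cis-wlan 1 -48
00:11:22:33:44:66 linksys 3 -70
"""

def audit(scan_text, inventory, our_ssid):
    """Return (bssid, kind, detail) for every AP that violates the plan."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, _rssi = line.split()
        channel = int(channel)
        if bssid in inventory:
            owner = inventory[bssid]
            if channel not in CHANNEL_OWNER:
                findings.append((bssid, "off_plan_channel", f"our AP on channel {channel}"))
            elif CHANNEL_OWNER[channel] != owner:
                findings.append((bssid, "wrong_channel",
                                 f"{owner} AP on channel {channel}, reserved for {CHANNEL_OWNER[channel]}"))
        elif ssid == our_ssid:
            # Unknown BSSID advertising our SSID: a WEP client cannot
            # distinguish it from a real AP, so treat it as a rogue AP.
            findings.append((bssid, "rogue_ap", f"unknown AP advertising {ssid} on channel {channel}"))
        elif channel not in CHANNEL_OWNER:
            # A neighbor on an off-plan channel overlaps 1/6/11 and interferes.
            findings.append((bssid, "foreign_interference", f"'{ssid}' on channel {channel}"))
    return findings

if __name__ == "__main__":
    for bssid, kind, detail in audit(SCAN, INVENTORY, OUR_SSID):
        print(f"{kind:20s} {bssid}  {detail}")
```

On the sample scan this reports one departmental AP sitting on OIT's channel 6, one unknown AP advertising our SSID, and one neighbor on channel 3.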
Non-Cisco PC Cards
• Cisco’s Secure client only works with Cisco cards
at this time
• EAP is now a standard. 802.1x standard is pushing
toward LEAP
• Cisco’s security will fall back to MAC
authentication but it compromises security
• Doesn’t meet OIT’s proposed standards
• Owner of MAC would be implicated in
unauthorized use of our system if their MAC is
spoofed, or card is stolen
WEP Vulnerabilities – addressed
by Cisco LEAP
• Static keys allow enough packets to be captured to
defeat encryption
• A WEP key can be derived in 100,000 to
1,000,000 packets
• Cisco LEAP forces reauthentication
• WEP key timeout is configurable
• Rogue Access Point – WEP client doesn’t
authenticate AP
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1515_pp.htm
LEAP
• Immune to AirSnort – popular wireless
packet sniffing software
• Worst case – change key every 8 min 20 sec
• We would probably be fine changing key
every 30 minutes
Vendor Comparison
• Cisco is the only one with a 100 mW transmitter; others are
30 mW
• We tried Intel AP which is characteristic of many
other vendor offerings. It is underpowered
compared to the Cisco equipment, and it only
offers static WEP
• Cisco cards’ WEP encryption takes place in
hardware and requires less overhead - about 3%
Why Cisco?
• They provide the strongest commercially available
security scheme.
• Their products will integrate better with our
existing Cisco network.
• They are the only vendor identified whose
products meet and exceed the proposed OIT
specification.
• Their products have strongest throughput and
reliability results.
Aironet 350 AP
• Adjustable transmit power – several
increments between 1-100 mW
• 128-bit WEP
• Hot-standby AP mode for critical areas
• Rugged version – plenum rated for ceiling
mount locations
• Indoor 130 ft. @ 11 Mbps, 350ft. @ 1 Mbps
Aironet 350 PC Card
• Range - indoor 130 ft. @ 11 Mbps, 350ft. @ 1
Mbps - outdoor 800 ft. @ 11 Mbps, 2000 ft @ 1
Mbps
• Can create profiles for home, work, Starbucks, etc.
for easy configuration changes. Seems to require
less rebooting
• Adjustable power 1-100 mW
• Support tools for determining connection
strength/quality and configuring client adapter
seem to be better and more detailed
Throughput (source: Network World 2/5/01; tested: Cisco 340 series – 30 mW version)
              Cisco      Next closest
Proximity     720 kbps   628 kbps
Distance      599 kbps   541 kbps
Overall Performance (chart; source: Network World 2/5/01)
Security
• Eavesdropping - authentication
• Unauthorized network access - encryption
• WEP cracked - Can capture enough packets in 12
hours or less to break if using static keys.
• Can pick up a non-directional wireless signal from
as far away as 8 miles with a parabolic dish
• Cisco secure server authenticates AP to eliminate
Rogue AP threat
Proposed Security
• Authentication by Cisco Secure ACS server
• Firewall – same settings as Region 1 –
would allow printing but not SMB, NFS,
NIS, etc.
• Would need to move files via client – Citrix,
ssh, ftp, etc.
Secure ACS – other benefits
• Usage Accounting
• Ability to limit User Max Sessions and
Group Max Sessions
• Disable account after X number of failed
attempts
Cisco Secure Clients
• Windows 95, 98, NT, 2000, XP or Me
• PDA - No current support for Palm, but
there is for Windows CE 2.11, 3.0
• Linux kernel 2.2.xx and Macintosh OS 9.x
• 802.1x standard – Cisco hopes it will lead to
more LEAP enabled clients
Authentication Model (diagram; source: Cisco)
Wired Network Support
• Power injectors come with Access Points and
would be mounted in switch closets – power
would be supplied by special Cat 5
• Wired Network would have one dedicated VLAN
with a class C network – would require another NIC
in the firewall
• We project having 10-11 APs at first – so
approximately 240 addresses for clients should
work out about right
Wired Network Support - Cont.
• A second class C network would require
one more NIC on the firewall
• Switches would require no special
configuration
Wireless Network Model
Expected configuration
• 1 AP per floor except on 2nd floor, where there
would probably be a 2nd AP on the Baker side. EE
has also indicated they would eventually need an
AP here. Might be able to use ch 1 in that area
and ch 6 on the North side of Dreese
• 2nd AP in rooms like 280, 480 might be possible if
antenna gain can be turned down far enough
• No servers or desktops acting as servers.
Sustained 1-2 Mbps would use up 30% or more of
bandwidth with one client
Expected Support
• Cisco cards and clients will be used
• Personal laptops - will help with
configuration issues relating to connection,
authentication, passing of allowed protocols
Site Survey
• Roam around halls of Dreese with 2 APs, 2
ladders, 2 or 3 notebooks with wireless and collect
data on signal strength and throughput for various
offices, labs etc.
• Won’t be able to test all types of antennas
• Cisco recommends outsourcing this function to
someone with proper tools and expertise to
minimize dead spots and interference
• Maximum allowable packet loss 29%
Secure ACS Server
• Configure and test functionality
• Make sure it performs as advertised
Timeline – phase 1
• Secure Server testing – end of January
• Site Analysis – end of February
• Testing – should be done by start of spring
quarter
• Final Recommendation – Early April
Timeline – phase 2
• April-June Testing available on 8th and 7th floors
to test group
• Late June, early July – order APs, and hardware
for secure server
• Rollout – Aug – early Sept. to all floors in Dreese
• Other buildings – some time during fall quarter or
winter break. Unknown interference problems
from rogue access points may complicate rollout