No More VPN for Wireless!

PDI 2010
Steve Lovaas, ACNS
Wireless With CSU-NET Overview
• Technology basics
• Wireless security at CSU so far
• The new way of doing things: CSU-NET
• Step-by-step configuration
Wireless: Where we started
• Less controlled than wired network
– Anyone can try to connect
• Wasn’t designed with ANY security
• Early security add-ons (WEP) were poor!
• Technology was useful before it was safe…
– We should have predicted that
Wireless: Where We’ve Been
• Protect our resources
• Authenticate
– Find malicious users
• Encrypt
– Protect private traffic
• Early hardware didn’t support native crypto
• Security standards slow to evolve
• Easiest solution: VPN
CSU Wireless Security: VPN
• Cisco VPN: The OLD Way
– Require VPN to reach wired LAN or Internet
– Pre-load application and profile
– Encrypted tunnel to VPN server
– Can sort some by group profile, separate IP space
CSU Wireless Security: VPN
• Problems with the VPN approach
– Install & maintain
– System compatibility
– Client vulnerabilities
– Licensing $$
– Dropped connections
– Waste of IP addresses
– Hassle!
CSU Wireless Security: SSL gateway
• A newer approach, easier
– Application & profile dynamically downloaded
– Web based
• Compatible with more systems, through firewalls
– Sorts on username, Windows OU, etc.
CSU Wireless Security: SSL gateway
• Problems with the SSL gateway approach
– It’s a lot easier, but…
– Java/ActiveX downloads and permissions
– Java/ActiveX vulnerabilities
– Licensing $$
Wireless Security Standards
• Letting the wireless client & AP do the work
– First try: WEP (shared-key) = BAD
– Next try: WPA = slightly better protocol
– Finally: WPA2 = stronger encryption, too
– But these all rely on shared keys (passwords)
• And those can be stolen, broken
Wireless Security Standards
• WPA2 Enterprise = can replace VPN
– Finalized in 2004 (IEEE 802.11i)
– Centralized authentication (RADIUS)
– Strong encryption (AES)
– Native to client (no extra software to install)
– The official standard now (802.11-2007)
– More compatibility (Win/Mac/Linux/mobile/etc.)
– This is CSU-NET!
CSU-NET Architecture
(Diagram: Encrypted; Authenticated)
How-To: Prerequisites
• Operating system up to date
– XP SP3 (or SP2 with patch)
– Vista, Windows 7
– Mac OS X since 10.4
– Recent Linux
• Wireless card drivers up to date
– Download from manufacturer
– Must support WPA2
How-To: Settings
• Just a few basic settings
– Authentication: WPA2-Enterprise
– Encryption: AES
– Authentication Type: PEAP
– Authentication Protocol: MSCHAP v2
– Certificate Authority: Equifax
• ACNS web site instructions for Win, Mac
– Being updated to reference the Equifax CA rather than IPS Servidores
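The settings on this slide, written out as a Linux wpa_supplicant configuration. This is an added example, not the ACNS instructions or a file from CSU; it also includes a shared-key (WPA2-PSK) network purely to contrast with the "shared keys can be stolen, broken" point from the Wireless Security Standards slide. The SSID "CSU-NET" comes from the slides; the CA file path, the RADIUS hostname, and the identity/password values are placeholders and assumptions.

```conf
# Added example: wpa_supplicant.conf contrasting a shared-key network with a
# CSU-NET-style WPA2-Enterprise profile. Not from the ACNS site.
ctrl_interface=/run/wpa_supplicant
update_config=0

# Shared-key network (WPA2-PSK). Everyone uses the same passphrase, so one
# leaked or cracked key lets an outsider join, and a captured 4-way handshake
# lets them decrypt other clients' traffic. Shown for contrast only.
# SSID and passphrase are constructed placeholders.
network={
    ssid="example-psk-network"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="replace-with-shared-passphrase"
}

# WPA2-Enterprise (802.11i / 802.1X), mapping the slide's settings:
#   Authentication: WPA2-Enterprise   -> proto=RSN, key_mgmt=WPA-EAP
#   Encryption: AES                   -> pairwise=CCMP, group=CCMP
#   Authentication Type: PEAP         -> eap=PEAP
#   Authentication Protocol: MSCHAPv2 -> phase2="auth=MSCHAPV2"
#   Certificate Authority: Equifax    -> ca_cert= (path is an assumption)
network={
    ssid="CSU-NET"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    # Per-user credentials (placeholders), not a shared secret.
    identity="your-eid"
    password="your-password"
    # Trust only the CA named on the slide. Omitting ca_cert makes the client
    # accept any RADIUS server certificate, so a rogue access point presenting
    # its own certificate could collect MSCHAPv2 credential exchanges.
    ca_cert="/etc/ssl/certs/Equifax_Secure_CA.pem"
    # Optional extra check: the server certificate's name must end with the
    # organisation's RADIUS domain (placeholder hostname).
    domain_suffix_match="radius.example.edu"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

Because the enterprise block stores a personal password, the file should be readable only by root (chmod 600). The one line that makes this profile equivalent to the slide's "Certificate Authority: Equifax" setting is ca_cert; it is also the line most often left out of quick-start guides, and without it the AES encryption and per-user authentication are still present but the client no longer knows which RADIUS server it is talking to.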
Demo (tempting fate)