Wireless Networks at Umass-Amherst


Managing a Secure Wireless Infrastructure
Michael Dickson
Christopher Misra
[email protected]
[email protected]
Network Systems and Services
University of Massachusetts at Amherst
Mar. 22, 2004
University of Massachusetts Amherst © 2004

UMass Amherst Network Vital Statistics
• Class B network (umass.edu - 128.119.0.0/16)
• 142 buildings
• All 42 residential buildings are networked
• 8800+ residence hall connections (port-per-pillow)
• 5500+ academic building connections
• 1200+ Cisco 24-port switches (1900 and 2900 series)
• 6 Cisco 6509 core switches
• 600 off-campus dial-in modem lines
• 250Mb/s commodity Internet connections
• 155Mb/s Internet2 connection
  ◦ Both over GigE private fiber to Springfield, MA

UMass Amherst Network Map
[Figure: University of Massachusetts Amherst Campus Network Layout, updated as of 1/3/2002 (source file: nss-stu/Network Map/campus-network.vsd). Legend: HSSI, 10 Mb, 100 Mb, 1 Gb, DS3, HDSL, T1; OIT Controlled Network, Non-OIT Legacy Network, Non-OIT Network; Academic Building, Residential Building. The map shows Border 1 and Border 2 (C7507) routers with C&W Internet and vBNS uplinks, C6509 core switches at LGRC, Morrill, Knowles, Library and Whitmore, a C5500 at Hampden, remote access/dial-up, and the campus buildings connected to them.]

Equipment used
• IEEE 802.11g – 2.4 GHz – 11/54 Mbps
• Cisco Aironet 1200 series APs:
  ◦ 50+ APs currently in the field
  ◦ 1220s (running VxWorks)
  ◦ 1230s (running IOS)
  ◦ Changeable radios (802.11a, b, g support)
• Dual slots
• 1 VLAN per SSID (up to 16)
• Cisco 29xx switches
• Cisco Aironet antennas (6.5 dB patch)

Typical Enclosure Installation

Library Installation

Physical Security
• Locking cabinets for access points
• Jack installed inside the enclosure
• Good antenna design can minimize signal leakage
• Still looking for the “perfect” enclosure (plastic, secure, hidden...)

Inside of Enclosure

Omnidirectional Antennas
• A good choice where the antenna is placed in the “middle” of the area to be covered
• Tend to have low gain since the signal is divided over 360 degrees

Diversity Antennas
• Diversity antennas have 2 antennas in a single enclosure
• ~80% forward and ~20% back bleed
• Diversity antennas are good choices where there will be signal reflections
• Best choice for most applications
• The Cisco Aironet “votes” for the antenna with the stronger signal at the start of receiving each packet, then transmits out the same antenna

Diversity Antennas

Ceiling Mount Antenna

Site Surveys
• Start with blueprints…
  ◦ Never believe the prints!
  ◦ Walls move…
  ◦ Construction materials not shown
  ◦ Contents of coverage area not shown
• Walk around!!
  ◦ Select antenna/enclosure locations
• “Live” site survey is best
• Pay attention to wall materials!
• Educate departments and staff
  ◦ What Wi-Fi IS
  ◦ What Wi-Fi IS NOT

Library Structure. Looks open but…

RF-Hell…

Initial Design Goals
• Virtual classroom
  ◦ We closed some labs due to budget constraints
  ◦ Wireless network is meant to reproduce similar function…to an extent
• Focused at public areas where students gather
  ◦ Student Union, atriums, study halls
• New push is for wireless in classrooms
• Not initially a ‘campus-wide’ rollout
  ◦ Experimenting with outdoor coverage
• Scalable
  ◦ Although the initial rollout is targeted, the design must fit campus-wide

Initial Design Requirements
• Identification & Authentication
  ◦ Association
  ◦ Accounting
  ◦ Authentication
  ◦ Authorization
• Encryption
  ◦ Too many plaintext protocols still in use
• Card heterogeneity
  ◦ We don’t enforce a single vendor for wired network cards…
  ◦ This limited our set of solutions

A Word About Residence Halls
• Already fully wired
  ◦ Mostly Cat 5/5e/6. Some Cat 3
  ◦ A 10MB port per pillow
• Solid authentication using NetReg
• Little value seen in adding wireless in res halls at this time. Focus is on academic and open areas.
  ◦ Gaming, music downloading, studying(?) are better served over the wire

OP APs… (rogues)
• No pre-existing campus-wide wireless implementation
  ◦ Some local deployments
    ▪ Departments
    ▪ Residence halls
• NetStumbler and Kismet are your friends
  ◦ Kismet, especially for non-broadcast SSIDs
• Create a policy early; include rogue APs
  ◦ Make sure it is enforceable!
  ◦ Prepare to install your own service if you plan to take down theirs
• Many ways to deal with rogue APs

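As an added example (not from the slides or from UMass), here is the inventory comparison that turns a NetStumbler/Kismet walk-around into a rogue AP list: every radio heard that is not in the authorized BSSID inventory is flagged, with a separate category for radios that hide their SSID (the case the slide singles Kismet out for) and for unknown radios advertising the campus SSID; an authorized AP whose SSID does not match the inventory is reported as misconfigured. The inventory, the scan records, the SSID names and the BSSIDs are all constructed for the example.

```python
"""Flag access points seen in a scan that are not in the campus AP inventory (constructed example)."""
from dataclasses import dataclass

# Hypothetical inventory of authorized APs keyed by BSSID (constructed for this example).
AUTHORIZED_APS = {
    "00:0b:be:11:22:01": {"ssid": "UMASS", "location": "Student Union atrium"},
    "00:0b:be:11:22:02": {"ssid": "UMASS", "location": "Library, 3rd floor"},
    "00:0b:be:11:22:04": {"ssid": "UMASS", "location": "Campus Center lobby"},
}
OUR_SSIDS = {"UMASS"}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str        # "" when the SSID is not broadcast (Kismet still reports the BSSID)
    channel: int
    signal_dbm: int


# Constructed scan results in the shape of a NetStumbler/Kismet export.
SAMPLE_SCAN = [
    ScanRecord("00:0B:BE:11:22:01", "UMASS", 1, -48),     # ours, mixed-case BSSID from the tool
    ScanRecord("00:0b:be:11:22:02", "UMASS", 6, -62),     # ours
    ScanRecord("00:0b:be:11:22:04", "tsunami", 11, -66),  # ours, but reset to a factory SSID
    ScanRecord("00:40:96:aa:bb:cc", "linksys", 6, -55),   # departmental AP on a default SSID
    ScanRecord("00:09:5b:dd:ee:ff", "", 11, -70),         # cloaked SSID, unknown radio
    ScanRecord("00:0b:be:11:22:03", "UMASS", 1, -80),     # our SSID on a BSSID we don't own
]


def classify_scan(scan, authorized=AUTHORIZED_APS, our_ssids=OUR_SSIDS):
    """Return (bssid, category, detail, signal_dbm) for each record needing follow-up.

    Categories: 'misconfigured' (ours, wrong SSID), 'rogue-impersonating' (our SSID
    on a BSSID we don't own), 'rogue-cloaked' (unknown radio hiding its SSID) and
    'rogue' (anything else). Records matching the inventory produce no finding.
    Findings are sorted strongest signal first, which is where a walk-around starts.
    """
    findings = []
    for rec in scan:
        bssid = rec.bssid.lower()          # normalise: tools differ in letter case
        if bssid in authorized:
            expected = authorized[bssid]["ssid"]
            if rec.ssid != expected:
                findings.append((bssid, "misconfigured",
                                 f"expected SSID {expected!r}, saw {rec.ssid!r} "
                                 f"at {authorized[bssid]['location']}", rec.signal_dbm))
            continue
        if rec.ssid in our_ssids:
            cat, detail = "rogue-impersonating", f"advertises our SSID {rec.ssid!r}"
        elif rec.ssid == "":
            cat, detail = "rogue-cloaked", "non-broadcast SSID"
        else:
            cat, detail = "rogue", f"SSID {rec.ssid!r}"
        findings.append((bssid, cat, f"{detail} on channel {rec.channel}", rec.signal_dbm))
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


if __name__ == "__main__":
    for bssid, cat, detail, dbm in classify_scan(SAMPLE_SCAN):
        print(f"{cat:20} {bssid}  {dbm:4} dBm  {detail}")
```

The inventory lookup is by BSSID rather than SSID on purpose: an SSID is whatever the owner typed in, while the BSSID is the radio's own address, so the "impersonating" category only falls out if the comparison is done this way.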
Authentication and Access Control
• We considered four options
  ◦ Wireless with WEP
    ▪ Insufficient…
  ◦ Wireless with dynamic WEP
    ▪ Dynamic WEP is better, but…
    ▪ Basically a race condition
    ▪ Most implementations require card homogeneity (not a Good Thing)

Authentication and Access Control (cont.)
• We considered four options
  ◦ Wireless with WEP and VPN
    ▪ WEP didn’t improve the situation in this model
    ▪ Added management overhead
  ◦ Wireless with required VPN, no WEP
    ▪ This was our 1st phase deployment
    ▪ Lasted 2 years

WEP Weaknesses
In case you haven’t all seen this already…
• WEP uses RC4 encryption
• Fluhrer, Mantin, and Shamir described a passive, ciphertext-only attack against RC4
  ◦ Specifically targeting the key scheduling algorithm of RC4
  ◦ http://www.cryptonomicon.net/papers/rc4_ksaproc.pdf

WEP Weaknesses
• Stubblefield, Ioannidis, and Rubin implemented the attack against the RC4 weakness (6 Aug 2001)
  ◦ “We conclude that 802.11 WEP is totally insecure, and we provide some recommendations.”
  ◦ http://www.cs.rice.edu/~astubble/wep/
• We felt justified in saying WEP is insufficient for our campus implementation
  ◦ We are network security professionals. We try to design secure systems…
• WEP still makes sense in many environments
  ◦ Home users, departmental deployments, etc.

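To make the “insufficient” verdict concrete without reimplementing the FMS key-recovery attack the slides cite, here is an added example (not from the slides or from UMass) of the structural problem underneath it: WEP builds each frame’s RC4 key by prepending a 24-bit IV to the shared key, the IV is sent in the clear, and any IV repeat reuses the keystream, which turns the stream cipher into a two-time pad. The RC4 implementation, the WEP-style key construction, the shared key and the sample frames are all constructed for this example; the real WEP frame format (CRC-32 ICV, header fields) is omitted.

```python
"""Why a 24-bit IV makes WEP keystream reuse inevitable (constructed demo, not real WEP framing)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: the stage the FMS paper targets
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_style_encrypt(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """WEP per-frame key = 24-bit IV || shared key (40 or 104 bits); the IV travels in clear.

    Real WEP also appends a CRC-32 ICV to the payload before encrypting; omitted here.
    """
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(payload))
    return bytes(p ^ k for p, k in zip(payload, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_plaintext_xor(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sent under the same IV share a keystream, so c1 XOR c2 == p1 XOR p2.

    An eavesdropper who sees both ciphertexts (and the clear-text IV) learns the XOR
    of the two plaintexts without ever touching the key.
    """
    c1 = wep_style_encrypt(iv, shared_key, p1)
    c2 = wep_style_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: with randomly chosen IVs a repeat is expected after ~sqrt(pi/2 * 2^bits) frames."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def frames_until_sequential_wrap(iv_bits: int = 24) -> int:
    """A card that simply counts IVs upward reuses its first IV after 2^bits frames."""
    return 2 ** iv_bits


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")         # constructed 40-bit shared key
    iv = bytes.fromhex("0a0b0c")              # an IV that happens to be used twice
    p1 = b"GET /index.html "
    p2 = b"POST /login.cgi "
    print("same IV leaks p1 XOR p2:", iv_reuse_leaks_plaintext_xor(iv, key, p1, p2))
    print("random IVs: repeat expected after ~", expected_frames_until_iv_repeat(), "frames")
    print("sequential IVs: wrap after", frames_until_sequential_wrap(), "frames")
```

The two counting functions are the point for a campus deployment: the IV space is per shared key, and with one key shared by every client on an SSID the budget is consumed by the whole population, not by one user.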
VPN Benefits and Drawbacks
• Benefits
  ◦ VPN provides encryption and authentication
  ◦ Use of VPN is required for any access outside of the wireless network
  ◦ Not necessary to track/filter MAC addresses
  ◦ Limited to authorized users
• Drawbacks
  ◦ Client software install required
  ◦ No free Mac (pre-OSX) client for Cisco VPN 3000; no PDAs or tablets
  ◦ Client support = Help Desk Hell
  ◦ Increased overhead
  ◦ No easy access for visitors
• So…

Bluesocket at UMass
• Scalable – just add more boxes
• Flexible
  ◦ 802.1q capable
  ◦ Different authentication options
  ◦ Developing guest access process
• Web-based CGI front end, API back end
• Allows role-based grouping
• Works for wired, too (kiosks, public jacks)
• VPN still supported as an option
• Using hot standby for fault tolerance

Bluesocket at UMass (cont.)
• Hotspot stickers help get out the word
• Post-login “Thank you” page
• API:
  ◦ Guest access
  ◦ Bulk import of MAC addresses
• IPSec pass-through in the Un-reg role
• Now: VPN is supported but optional
  ◦ Explain why it is desirable to use
• Rogues: “If you can’t beat ‘em, assimilate ‘em!!”

Wireless Network Topology
• Didn’t want to trunk a VLAN over production equipment
  ◦ Current infrastructure is layer 3
• Needed to leverage existing network equipment (Cisco 2912)
• Cost savings
  ◦ Only need a single authentication gateway to deploy wireless campus-wide

Wireless Network Topology
• Running over parallel fiber infrastructure
• Flexibility
  ◦ We can add authentication gateways as demand warrants
  ◦ Don’t need to buy one per major node site until needed
  ◦ Allows us to provide a campus-wide VLAN at layer 2 without impacting the current environment
• Migrating wireless management to RFC 1918 space
  ◦ Part of wholesale infrastructure migration
  ◦ Mitigates exposure of managed devices
• Investigating central management (Cisco WLSE)

Wireless Network Topology

Upcoming Wireless Concerns
• Bridging
  ◦ Many modern OSs provide bridging to ease home use of wireless APs
    ▪ Given the prevalence of personal APs at home, this is becoming a challenge
  ◦ Two layer 2 networks may be bridged
    ▪ Connected to wired Ethernet and wireless
  ◦ Spanning tree is not happy about this
    ▪ BPDU Guard (Cisco)
  ◦ Huge time cost for client, help desk staff and networking staff

Upcoming Wireless Concerns
• Wireless denial of service
  ◦ Without policy:
    ▪ Channel saturation
    ▪ SSID jamming
    ▪ Bandwidth saturation
  ◦ With policy, we can respond to it:
    ▪ Channel allocations
    ▪ SSID allocations
    ▪ Bandwidth management
      · Per location, per role, per user?

Wireless Incident Handling
• Physically locating hosts would be a challenge
  ◦ There is no wire/jack to follow
  ◦ Triangulation is not there yet (for us at least)
• Authentication gateway provides us:
  ◦ Username logged in
  ◦ MAC/IP address of client
  ◦ AP the user is associated to
  ◦ Triangulation data someday?

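The three data points the gateway gives (username, MAC/IP, AP) only identify a host if they are tied to the time of the incident, because a DHCP address is handed to the next client as soon as a session ends. The following added example (not the slides’ or UMass’s own tooling) parses a constructed gateway session log in a hypothetical LOGIN/LOGOUT format and returns the session that held a given IP at the time of an IDS alert, so an alert like the Nachi infection mentioned on the next slide can be turned into a user, a MAC and an AP to walk to. The log format, the usernames, the addresses and the AP names are all constructed.

```python
"""Map an IDS alert (IP + time) back to a wireless user, MAC and AP via gateway session logs."""
from datetime import datetime

# Constructed session log in a hypothetical authentication-gateway format.
# Note that 10.10.5.23 is used by two different users in turn (DHCP reuse).
GATEWAY_LOG = """\
2003-09-15 13:58:02 LOGIN user=jdoe mac=00:0c:41:aa:bb:cc ip=10.10.5.23 ap=ap-studentunion-01
2003-09-15 14:10:45 LOGOUT user=jdoe mac=00:0c:41:aa:bb:cc ip=10.10.5.23 ap=ap-studentunion-01
2003-09-15 14:12:30 LOGIN user=asmith mac=00:0c:41:dd:ee:ff ip=10.10.5.23 ap=ap-library-03
2003-09-15 14:13:00 LOGIN user=bchen mac=00:0c:41:11:22:33 ip=10.10.5.40 ap=ap-library-03
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_gateway_log(text: str) -> list:
    """Return one dict per line: 'ts' (datetime), 'action' and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, *fields = line.split()
        event = {"ts": datetime.strptime(f"{date} {time}", TS_FORMAT), "action": action}
        event.update(field.split("=", 1) for field in fields)
        events.append(event)
    return events


def session_at(events: list, ip: str, when: datetime):
    """Return the session (user, mac, ap, login time) that held `ip` at `when`, or None.

    Sessions are tracked per IP from LOGIN to LOGOUT. A session with no LOGOUT before
    `when` is treated as still open, so the result names whoever is still on the IP.
    """
    open_sessions = {}                     # ip -> the LOGIN event that opened it
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["ts"] > when:
            break                          # later events cannot explain the alert
        if event["action"] == "LOGIN":
            open_sessions[event["ip"]] = event
        elif event["action"] == "LOGOUT":
            open_sessions.pop(event["ip"], None)
    login = open_sessions.get(ip)
    if login is None:
        return None
    return {"user": login["user"], "mac": login["mac"], "ap": login["ap"], "login": login["ts"]}


def who_had_ip(log_text: str, ip: str, alert_time: str):
    """Convenience wrapper: log text + IP + alert timestamp string -> session or None."""
    return session_at(parse_gateway_log(log_text), ip, datetime.strptime(alert_time, TS_FORMAT))


if __name__ == "__main__":
    # Constructed IDS alert: worm-style ICMP sweep from 10.10.5.23 at 14:05.
    print(who_had_ip(GATEWAY_LOG, "10.10.5.23", "2003-09-15 14:05:00"))
    # Same IP twenty minutes later belongs to someone else.
    print(who_had_ip(GATEWAY_LOG, "10.10.5.23", "2003-09-15 14:25:00"))
```

An alert timestamped in the gap between one LOGOUT and the next LOGIN returns nothing rather than the nearest user; that gap is exactly where a wrong attribution (and a wrongly locked account) would otherwise come from.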
Wireless Incident Handling
• First wireless shutoff
  ◦ Sometime in September we had our first wireless Nachi infection
  ◦ Needed to develop a handling process
    ▪ Manual intervention required
    ▪ We have NetReg on our wired networks
    ▪ Currently no automatic notification path
    ▪ We have a ‘safety net’ for wired networks
• Incident handling is like dialup
  ◦ Short duration sessions
  ◦ More robust (per session) authentication on wireless
  ◦ Currently account lockout is not specific to wireless

Research partnerships
• An opportunity to apply user needs in promoting the research mission of the University with real-world applications
• Mobility research
  ◦ Computer Science research group
  ◦ Interested in user mobility and connectivity patterns
    ▪ Especially outdoor wireless
  ◦ Trending AP associations
  ◦ Targeting deployment based on need and value of data
  ◦ Requires ubiquitous coverage
    ▪ Can’t roam where there are no APs
    ▪ Working on it
    ▪ New challenge in locating misbehaving hosts
    ▪ It is very cold outdoors…

Research partnerships
• Wireless as a teaching tool
  ◦ NSF grant-funded
  ◦ Vendor equipment grant
  ◦ Tablet PCs for students in class to use for the semester
  ◦ Collaboration between School of Management, OIT, and other departments on campus
    ▪ Online quizzing
    ▪ In-class video delivery

Summary
• Questions?

Copyright University of Massachusetts, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.