Presentation transcript: "Building a Secure & Scaleable Wireless LAN Infrastructure"
Stan Brooks, CWNA, CWSP
Emory Network Communications
firstname.lastname@example.org
AIM-Y!-MSN: WLANstan

Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 1: Outline
- About Emory
- Emory's Wireless Network Today & Yesterday
- The New WLAN: What We Chose – and Why
- How We Deployed the Architecture
- Network Usage
- Tips, Tricks, Traps, & Best Practices
Slide 2: About Emory & NetCom
- Who we are: the Network Communications Division supports both Emory University & Emory Healthcare
- Network scope
  - Data: ~32,700 data ports
  - Voice: ~43,500 voice lines & 17,800 V-Mailboxes
  - Video: 3000+ Cable TV drops
  - Pagers: ~6800 pagers
  - 2-Way Radios: for Facilities Mgmt & Police
Slide 3: Wireless Network – Today's Scope
- Two systems
  - Academic: ~1000 Access Points (APs)
  - Healthcare: ~525 APs
  - Total of ~1525 APs
- Over 2300 simultaneous wireless users
- Spanning 3 campuses, 3 hospitals, & 8+ clinics
- Covering 130+ buildings and outdoor areas
Slide 4: Back in Time – Late 2004/Early 2005
- Legacy environment: autonomous APs with VPN termination capability
- Chosen security model: open Wi-Fi w/ VPN authentication & encryption
  - No guest access
  - Was the right solution at the time (pre-2005)
- Deployment: ~75-100 APs in library locations & some administration areas
- Issues for the users and network support
Slide 5: Welcome to My Nightmare: Deployment
- Autonomous APs, each requiring configuration and network provisioning
- Issues with defining & managing:
  - AP IP addresses, DHCP pools, VPN pools, VLANs
  - RF channel & power settings
  - Individual APs as RADIUS clients
- Configuring each AP took a long time
Slide 6: Welcome to My Nightmare: Management
- DHCP & VPN pool / IP subnet management
- Authentication client/server management
- Client roaming
- Adding an SSID was near impossible because of our routed network architecture: local IP pools and VLANs were needed at each AP location
- Adding different security models was near impossible
- WE NEEDED A BETTER SOLUTION!!!
Slide 7: Selection Criteria: Our Wireless Concerns
- Security: wireless is inherently NOT SECURE!
- Scalability & flexibility
  - Grow to a large number of APs
  - Support a variety of different groups of wireless users
- Manageability: supportable both during deployment and for ongoing operations
Slide 8: Wireless Security Concerns
There are 3 main areas to address:
1) Protect data as it travels from source to destination
   - Eavesdropping
   - Integrity (tampering)
   - Denial of Service (DoS)
2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
   - MitM/Evil Twin and Ad Hoc attacks
   - Hacking open hard drive shares
[Diagram: wired network, real access point and real wireless user; caption "Security is a PROCESS"]
Slide 9: Security
- Security is a PROCESS
- Apply security in layers: there is NO single security silver bullet
- Different types of data require different levels of security
  - A term paper vs. student grades vs. financial aid data vs. health records
- A business risk assessment helps to define requirements
Slide 10: Scalability & Flexibility
- Network estimated to grow to around 2500 APs
- Ease of deployment
  - Limited resources (headcount)
  - Compressed deployment timelines
- Flexible architecture in order to:
  - Support our current user base
  - Grow to other security models
  - Add SSIDs
  - Add guest access and move towards WPA
Slide 11: Manageability
- Limited staff for supporting WLAN infrastructure
- Automated RF channel & power control
- Ability to quickly troubleshoot wireless issues
  - WLAN infrastructure issues
  - User/client issues (#1 issue with Wi-Fi)
- Ability to track users
- Ability to easily see the WLAN big picture
Slide 13: Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations, including the Internet
- A guest user associates to the AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on Emory's network
[Diagram: Thin Access Point -> Aruba WLAN Switch/Controller w/ built-in firewall and per-user access control -> Emory's Internal Network / Internet; SSID EmoryUnplugged for authenticated users, SSID EmoryGuest for guest users]
Slide 14: How We Deployed: Site Surveys
- We try to do a site survey for each location
  - To get a basic understanding of the RF landscape
  - To get an idea of deployment densities
- Not used for RF channel or power plans
  - The controllers do that job very well
  - Some overrides necessary depending on the local terrain
Slide 15: How We Deployed: WLAN Growth
Deployment timeline:
- Initial deployment of 39 APs in the Law School (03/05)
- Additional deployments from 04/05 to 09/05: School of Public Health & some outdoor areas
- Replaced ~75-100 legacy APs by 08/05
- Move-In Weekend '05 saw a push to get Wi-Fi in all residence buildings by the start of the Spring '06 semester (~5 months)
  - ~460 APs deployed in 50+ buildings in less than 5 months, including surveys & designs
- Also deployed Healthcare starting in 08/05, with a large deployment in summer 2006
- Currently (06/07):
  - 500 APs in ResNet
  - 500 APs covering the rest of campus
  - 525 APs on the Healthcare network
  - 21 Aruba controllers on both networks
Slide 16: How We Deployed: Installing the APs
- Contractors pulled data drops and mounted APs
- Created a Best Practices document for AP mounting
  - Ensures a unified (correct) approach for mounting & labeling APs
Slide 17: How We Deployed: Installing the APs
- Emory mounted APs so they are visible
  - Ease of locating for troubleshooting
  - Visual indication of Wi-Fi availability for users
- Weighed the potential for damaged or stolen APs
  - APs are relatively inexpensive
  - None stolen to date
  - Have lost 5 due to damage over 2 years
- Published an AP Light Guide
  - Users can report problems
Slide 18: If You Build It, They Will Come!
- Move-In Weekend 2006 was an eye-opener
  - Turned off ResNet VPN & guest access to force users to WPA
  - Implemented NetReg NAC on wireless and wired networks
- Users flocked to wireless in droves
  - Spring Semester '06: ~835 peak simultaneous users
  - Move-In Weekend '06: ~1900+ peak simultaneous users
- Incoming freshmen didn't know (and didn't want to know) what an Ethernet cable was
  - Their mantra: "I want my wireless connectivity!"
Slide 19: Crunch Time – Dealing w/ Unexpected Usage Growth
- Subnet crunch
  - Wireless subnets maxed out
  - Additional subnets on ResNet controllers needed (and quickly)
- Load balancing
  - APs were evenly distributed among controllers, but users were not
  - Developed spreadsheets to estimate # of users/dorm
  - Aruba's VLAN pooling feature automatically spread users across multiple subnets
  - Retained class-C subnet size
  - Now peaks of 350-400 users/controller, evenly distributed
Slide 20: Emory's Wireless Growth
[Charts: Total Academic Wireless Clients (month); VPN Wireless Clients (year); Guest Wireless Clients (year); Total Academic Wireless Clients (year); Total Healthcare Clients (year); Academic and Healthcare Wireless Traffic as of Oct 2006]
Slide 21: Wireless User Graphs (04/07)
[Chart: Academic and Healthcare Wireless Traffic as of April 2007]
Slide 22: The End Result: Emory's Wireless Networks Today
- 21 Aruba controllers (05/07)
  - 9 Healthcare controllers
  - 12 Academic controllers
- Wireless footprint continues to grow
  - Adding APs as departments and schools request them
  - Adding controllers as APs increase (128 APs/controller)
- Adding new functionality
  - VoIP over Wi-Fi (VoFi) in the hospital and beyond
  - Addressing non-standard applications
- Consolidated wireless networks: now a unified system
  - Considering merging the Academic & Healthcare wireless systems
Slide 23: Some Tips, Tricks and Best Practices
- Contractor documentation
  - Provide floor plans with AP placement
  - Provide best practices documents
  - Provide forms for contractors to fill out: AP MAC & S/No, data jack #, Ethernet switch ID & port
- Record AP MACs & S/Nos for remote AP configuration
  - Preconfigured APs with a location code
  - Contractors record the AP placement, MAC & S/No: a check & balance system for installations
- Project management/workflow
  - We used project managers to manage contractors and installation schedules
Slide 24: Some Tips, Tricks and Best Practices (cont)
- Manage IP subnets & load balancing
  - Dorms: use pillows as a surrogate for users
  - Spreadsheets can help plan load balancing efforts
- Walk the wireless areas with a tablet/laptop/PDA to get a feel for coverage and user problems
  - Ask users about coverage and functionality
- Keep an eye out for new things
  - Wireless exploits, new technology, etc.
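The subnet-crunch and load-balancing work described on slides 19 and 24 (estimate peak users per dorm from pillow counts, size the class-C VLAN pool, spread dorms across controllers by users rather than by AP count), as an added planning script that is not Emory's spreadsheet and not anything from Aruba. The dorm figures, the 60% peak ratio, the 25% headroom and the 400-user controller cap are constructed assumptions.

```python
import math

# Constructed sample data, not Emory's figures: dorm -> (pillows, APs installed).
DORMS = {
    "Hall-A": (500, 24),
    "Hall-B": (420, 18),
    "Hall-C": (380, 16),
    "Hall-D": (250, 12),
    "Hall-E": (220, 10),
    "Hall-F": (150, 8),
}
# Planning assumptions (hypothetical; tune them from observed peak counts).
PEAK_PCT = 60               # percent of pillows online at the busiest hour
HEADROOM_PCT = 125          # spare DHCP addresses so a peak does not exhaust the pool
USABLE_PER_C = 254 - 4      # class-C /24 minus gateway, controller and reserved addresses
CONTROLLER_USER_CAP = 400   # peak users one controller should carry

def estimate_peak_users(pillows, pct=PEAK_PCT):
    """Pillows are the surrogate for users; scale by the expected peak percentage."""
    return math.ceil(pillows * pct / 100)

def subnets_needed(peak_users):
    """Class-C subnets a VLAN pool needs so peak_users fit with headroom."""
    return max(1, math.ceil(peak_users * HEADROOM_PCT / (100 * USABLE_PER_C)))

def balance_by_users(dorms, controllers):
    """Greedy longest-processing-time placement: busiest dorm first, onto the
    controller currently carrying the fewest users. Balances users, not AP counts."""
    loads = [{"dorms": [], "users": 0, "aps": 0} for _ in range(controllers)]
    ranked = sorted(dorms.items(), key=lambda kv: kv[1][0], reverse=True)
    for name, (pillows, aps) in ranked:
        target = min(loads, key=lambda c: c["users"])
        target["dorms"].append(name)
        target["users"] += estimate_peak_users(pillows)
        target["aps"] += aps
    for c in loads:
        c["subnets"] = subnets_needed(c["users"])
        c["over_cap"] = c["users"] > CONTROLLER_USER_CAP
    return loads

if __name__ == "__main__":
    for i, c in enumerate(balance_by_users(DORMS, 3)):
        print(f"controller {i}: {c['users']} peak users, {c['aps']} APs, "
              f"{c['subnets']} x /24, over cap: {c['over_cap']}, dorms: {c['dorms']}")
```

With three controllers the sample lands at 390/384/378 peak users each, inside the 350-400 band the slides report; with two controllers every controller is flagged over cap, which is the signal to add a controller before adding subnets.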
Slide 25: Some Tips, Tricks and Best Practices (cont)
- Most wireless issues we've seen are client based
  - Drivers, service packs, client configuration, etc.
  - A good wireless infrastructure will help you troubleshoot these issues
- Our APs let us know of wired infrastructure issues
  - Constant communication with the controllers lets them act as canaries in a coal mine, indicating wired network health
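An added example, not code from the presentation, of the "canary" idea on slide 25 combined with the AP-to-switch/port records from the contractor forms on slide 23: AP-down events from constructed controller log lines are grouped by upstream switch, and several APs on one switch dropping within a minute are reported as a wired-side symptom rather than an AP fault. The inventory, the log format, the 60-second window and the two-AP threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical AP inventory as recorded on the contractor forms: AP -> (switch ID, port).
INVENTORY = {
    "ap-dobbs-3-01": ("sw-dobbs-1", "Gi1/10"),
    "ap-dobbs-3-02": ("sw-dobbs-1", "Gi1/11"),
    "ap-dobbs-3-03": ("sw-dobbs-1", "Gi1/12"),
    "ap-woodruff-2-01": ("sw-woodruff-2", "Gi2/3"),
}
# Constructed controller log lines (not a real Aruba syslog format).
SAMPLE_LOG = """\
2007-04-12 08:14:03 ap-dobbs-3-01 down
2007-04-12 08:14:04 ap-dobbs-3-02 down
2007-04-12 08:14:06 ap-dobbs-3-03 down
2007-04-12 08:21:40 ap-dobbs-3-01 up
2007-04-12 09:30:15 ap-woodruff-2-01 down
"""
DOWN_RE = re.compile(r"^(\S+ \S+) (\S+) down$")

def parse_downs(text):
    """Return (timestamp, ap) for every AP-down line; other lines are ignored."""
    downs = []
    for line in text.splitlines():
        m = DOWN_RE.match(line.strip())
        if m:
            downs.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return downs

def clusters(sorted_events, window):
    """Split time-sorted events into groups that begin within `window` of the group's first."""
    out, cur = [], []
    for ev in sorted_events:
        if cur and ev[0] - cur[0][0] > window:
            out.append(cur)
            cur = []
        cur.append(ev)
    return out + [cur] if cur else out

def classify_outages(downs, window=timedelta(seconds=60), min_aps=2):
    """Several APs on one switch dropping together point at the wire; a lone AP at the AP."""
    by_switch = defaultdict(list)
    for ts, ap in downs:
        by_switch[INVENTORY.get(ap, ("unknown-switch", "?"))[0]].append((ts, ap))
    findings = []
    for switch, events in by_switch.items():
        for group in clusters(sorted(events), window):
            kind = "wired" if len(group) >= min_aps else "ap"
            findings.append((kind, switch, [ap for _, ap in group]))
    return findings
```

Running `classify_outages(parse_downs(SAMPLE_LOG))` on the sample yields one "wired" finding for sw-dobbs-1 covering three APs and one "ap" finding for the lone AP on sw-woodruff-2; an AP whose name is missing from the inventory is reported under "unknown-switch" so the gap in the contractor records is visible too.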
Slide 26: Recap
- The Legacy Wireless Network – and its Problems
- The Decision Process – What Criteria We Used
- Our Chosen Architecture – Aruba
- How We Built Out the WLAN
- Network Growth We've Experienced
- What We Learned – Useful Tips & Tricks
Slide 27: Questions?
Presenter: Stan Brooks – email@example.com
Building a Secure & Scaleable WLAN Infrastructure