Presentation on theme: "Securing BSC’s Wireless Network Nercomp Annual Conference March 7, 2005 Pat Cronin, Assoc. VP Information Technology Mike King, Telecommunications Technician."— Presentation transcript:
Securing BSC’s Wireless Network Nercomp Annual Conference March 7, 2005 Pat Cronin, Assoc. VP Information Technology Mike King, Telecommunications Technician Bridgewater State College, Bridgewater MA, 02325 www.bridgew.edu Copyright Bridgewater State College, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. www.bridgew.edu
Agenda BSC Security Challenges of Wireless What We Did Lessons Learned Future Plans Question and Answers
Bridgewater State College Background Public State College –10,000 students –2300 Residents –1000 Faculty and Staff 30+ Buildings on 235 acres of land Ranked 50 th on Yahoo Internet Life’s list of “Most Wired Colleges of 2001”
Bridgewater State College June 2004 Wireless Environment 180 Access Points Enterasys R2 units 802.11b standard Seamless roaming via a VLAN
Security and Authentication 2004 Netreg acts as a captive portal Netreg maps MAC addresses to username Scan clients for RPC Vulnerability 128 bit WEP Encryption SSID Broadcast disabled Force users to visit Help Desk Working Computer & Network Security Team
Remediation Techniques 2004 During Welchia Virus outbreak, used the Policy feature of R2’s to drop PINGs Watched traffic reports for Top Hosts contacting other hosts, and blocked them at firewall. (Virus Like activity)
Security Challenges 2004 Viruses, spyware/malware Windows Patches Laptop requirement (1500 additional devices) Transient devices (No college account) Did not want administrator access to non-college owned devices Did not want to deal with maintaining VPN clients Concern about legacy apps (most were based on Telnet)
What We did We looked at Perfigo, Bradford Campus Manager, Roving Planet, and Still Secure We tested Perfigo in March 2004 Decided on 802.1x authentication with Rapid Rekeying (TKIP) Purchased Perfigo software Contracted with Dell and installed BSC image on program notebooks Implemented Application based security. (SSH/HTTPS)
What We Did (Standards) Sophos for AV Webroot SpySweeper for anti-spyware Windows Updates enabled Firewall enabled Used Microsoft built-in 802.1x client Created centralized download site for secure distribution of software
What We Did (New Practices) Made Applications available via Citrix Obtained Site Licenses for Office and XP Introduced the Be Security Conscious initiative to heighten security awareness http://it.bridgew.edu/Security/ Opened two support counters to help repair and train students on laptop computers
Bridgewater State College June 2005 Wireless Environment 230+ Access Points Added AireSpace to Enterasys R2 units 802.11b standard, Selected area’s with 802.11g and 802.11a 802.1x with Rapid Rekeying (TKIP) Profiles for faculty, students, and staff New Guest profile Users log-in with domain credentials
Security Implementation plan Summer 2004 Two major changes were made –802.1x –Perfigo (Network access Requirements) Both Wireless and ResNet users
802.1x Implementation Funk Steel belted Radius appliances All Roamabout R2 AP’s were configured for 802.1x with Rapid Rekeying, using the Radius Server. Clients were configured to used PEAP.
Perfigo Implementation Perfigo became the default router for all of the wireless and ResNet students. Subnets were shrunk to /29’s, reducing broadcast ranges to 4 hosts per subnets. Rules were written to enforce the standard applications and configurations that we made school policy.
Rules and Requirements at BSC Some Version of Norton AV, McAfee, or Sophos Antivirus installed or running Windows Update Service running Latest Service Packs and Patches –Windows 2000 SP4 and all Hotfixes till December –Windows XP SP2
Lessons Learned from 802.1x OSX and WinCE are difficult to configure Win9X have no built in clients (Third party available) Only one Palm device has 802.1x support Machine Authentication a must for Windows logon to be processed
Lessons Learned from 802.1x Not all vendors have released 802.1x drivers Even with easy to follow directions, most users sought the helpdesk to have configuration performed for them When creating computer images, 802.1x settings do not carry Popular devices have no 802.1x support (Wifi Phones, Game console wireless cards, Barcode scanners)
Lessons Learned from Perfigo Vendor updates need to be managed and approved Computer mobility and different policies in different zones Exempt classroom Front-ends Users did not understand why error messages were being presented.
Lessons Learned We set the security bar high. Maybe too high Vacation problems Touching computers Core-business is wired, but what is your users perception? Network Bridging in WinXP This security environment is difficult for your average student.
Future Rules and Requirements Some Version of Norton AV, McAfee, or Sophos Antivirus installed, running, recent updates Windows Update Service running and configured for automatic download and install Require all administrative computers to use Perfigo
Future Rules and Requirements Latest Service Packs and Patches –Windows 2000 SP4 and all Hotfixes till the previous month –Windows XP SP2 and all Hotfixes till the previous month Webroot SpySweeper required Latest Version of Perfigo Client. (Now Cisco Clean Access Agent)
Future Wireless Plans Upgrade infrastructure including access points Create wireless solution that supports multiple SSIDs Implement campus bus locator app complete with video surveillance Extend Campus Card to Off-campus vendors Cover Bridgewater downtown and add hotspots