
University of Massachusetts Amherst © 2004 Managing a Secure Wireless Infrastructure Michael Christopher Misra


Slide 1: Managing a Secure Wireless Infrastructure
Michael Christopher Misra
Network Systems and Services, University of Massachusetts at Amherst
Mar. 22, 2004

Slide 2: UMass Amherst Network Vital Statistics
- Class B network (umass.edu /16)
- 142 buildings
- All 42 residential buildings are networked
- Residence hall connections (port-per-pillow)
- Academic building connections
- Cisco 24-port switches (1900 and 2900 series)
- 6 Cisco 6509 core switches
- 600 off-campus dial-in modem lines
- 250 Mb/s commodity Internet connection
- 155 Mb/s Internet2 connection
  - Both over GigE private fiber to Springfield, MA

Slide 3: UMass Amherst Network Map

Slide 4: Equipment Used
- IEEE 802.11g, 2.4 GHz, 11/54 Mbps
- Cisco Aironet 1200 series APs:
  - 50+ APs currently in the field
  - 1220s (running VxWorks)
  - 1230s (running IOS)
  - Changeable radios (802.11a, b, g support)
  - Dual slots
  - 1 VLAN per SSID (up to 16)
- Cisco 29xx switches
- Cisco Aironet antennas (6.5 dB patch)

Slide 5: Typical Enclosure Installation

Slide 6: Library Installation

Slide 7: Physical Security
- Locking cabinets for access points
- Jack installed inside the enclosure
- Good antenna design can minimize signal leakage
- Still looking for the “perfect” enclosure (plastic, secure, hidden...)

Slide 8: Inside of Enclosure

Slide 9: Omnidirectional Antennas
- A good choice where the antenna is placed in the “middle” of the area to be covered
- Tend to have low gain, since the signal is spread over 360 degrees

Slide 10: Diversity Antennas
- Diversity antennas have 2 antennas in a single enclosure
- ~80% forward and ~20% back bleed
- Diversity antennas are good choices where there will be signal reflections
- Best choice for most applications
- The Cisco Aironet “votes” for the stronger signal by antenna at the start of receiving each packet, then transmits out the same antenna

Slide 11: Diversity Antennas

Slide 12: Ceiling Mount Antenna

Slide 13: Site Surveys
- Start with blueprints...
  - Never believe the prints!
  - Walls move...
  - Construction materials not shown
  - Contents of coverage area not shown
- Walk around!! Select antenna/enclosure locations
  - “Live” site survey is best
  - Pay attention to wall materials!
- Educate departments and staff
  - What Wi-Fi IS
  - What Wi-Fi IS NOT

Slide 14: Library Structure. Looks open but…

Slide 15: RF-Hell…

Slide 16: Initial Design Goals
- Virtual classroom
  - We closed some labs due to budget constraints
  - Wireless network is meant to reproduce similar function... to an extent
- Focused on public areas where students gather
  - Student Union, atriums, study halls
  - New push is for wireless in classrooms
- Not initially a ‘campus-wide’ rollout
  - Experimenting with outdoor coverage
- Scalable
  - Although initial rollout is targeted, design must fit campus-wide


Slide 18: Initial Design Requirements
- Identification & authentication
  - Association
  - Accounting
  - Authentication
  - Authorization
- Encryption
  - Too many plaintext protocols still in use
- Card heterogeneity
  - We don’t enforce a single vendor for wired network cards...
  - This limited our set of solutions

Slide 19: A Word About Residence Halls
- Already fully wired
  - Mostly Cat 5/5e/6, some Cat 3
  - A 10 Mb/s port per pillow
- Solid authentication using NetReg
- Little value seen in adding wireless in res halls at this time; focus is on academic and open areas
  - Gaming, music downloading, studying(?) are better served over the wire

Slide 20: OP APs… (rogues)
- No pre-existing campus-wide wireless implementation
- Some local deployments
  - Departments
  - Residence halls
- NetStumbler and Kismet are your friends
  - Kismet, especially for non-broadcast SSIDs
- Create a policy early; include rogue APs
  - Make sure it is enforceable!
  - Prepare to install your own service if you plan to take down theirs
- Many ways to deal with rogue APs
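The slide leaves "many ways to deal with rogue APs" open, but the first step is always the same: compare what a scanning tool sees against the inventory of APs you actually own. The following is an added example (not code from the presentation, UMass, Kismet or NetStumbler) of that triage. The scan rows, the campus SSID name "UMASS" and the AP inventory are all constructed for the example; in practice the observed list would come from a Kismet or NetStumbler export and the inventory from the network management system. It ranks an unknown BSSID advertising the campus SSID highest, because that is the one that misleads campus clients, and an unknown BSSID with a non-broadcast SSID next, because, as the slide notes, only a passive sniffer such as Kismet reveals those at all.

```python
"""Rogue AP triage from a wireless scan (added example, constructed data)."""
from dataclasses import dataclass

CAMPUS_SSID = "UMASS"  # assumed name for the campus SSID

# Assumed inventory: authorised BSSID -> (building, location).
AUTHORISED_APS = {
    "00:0b:85:11:22:33": ("Library", "floor 3 east"),
    "00:0b:85:44:55:66": ("Student Union", "atrium"),
}

# Constructed scan output: (BSSID, SSID, channel, signal in dBm).
# An empty SSID means the AP does not broadcast its name.
OBSERVED = [
    ("00:0b:85:11:22:33", "UMASS", 6, -48),
    ("00:0b:85:44:55:66", "UMASS", 11, -55),
    ("00:40:96:aa:bb:cc", "linksys", 6, -70),   # unknown consumer box
    ("00:02:2d:de:ad:01", "", 1, -62),           # hidden SSID, not ours
    ("00:0c:41:01:02:03", "UMASS", 11, -75),     # unknown AP using our SSID
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    bssid: str
    ssid: str
    channel: int
    signal: int
    severity: str
    reason: str


def triage(observed, authorised, campus_ssid=CAMPUS_SSID):
    """Return unauthorised BSSIDs, most urgent first, strongest signal first."""
    findings = []
    for bssid, ssid, channel, signal in observed:
        if bssid.lower() in authorised:
            continue  # one of ours, nothing to do
        if ssid == campus_ssid:
            sev, why = "high", "unknown BSSID advertising the campus SSID"
        elif ssid == "":
            sev, why = "medium", "unknown BSSID with non-broadcast SSID"
        else:
            sev, why = "low", "unknown BSSID"
        findings.append(Finding(bssid, ssid, channel, signal, sev, why))
    # Within a severity, a stronger signal is likely closer to the surveyor.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.signal))
    return findings


if __name__ == "__main__":
    for f in triage(OBSERVED, AUTHORISED_APS):
        name = f.ssid or "<hidden>"
        print(f"{f.severity:6} {f.bssid} ssid={name:10} ch={f.channel:2} "
              f"{f.signal} dBm  {f.reason}")
```

Run as a script it prints the three unauthorised BSSIDs in priority order; the two inventory APs are silently skipped. Whatever the policy then prescribes (locate, notify the department, or "assimilate" the AP as a later slide puts it), this list is what it is applied to.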

Slide 21: Authentication and Access Control
- We considered four options
  - Wireless with WEP
    - Insufficient...
  - Wireless with dynamic WEP
    - Dynamic WEP is better, but...
    - Basically a race condition
    - Most implementations require card homogeneity (not a Good Thing)

Slide 22: Authentication and Access Control (cont.)
- We considered four options
  - Wireless with WEP and VPN
    - WEP didn’t improve the situation in this model
    - Added management overhead
  - Wireless with required VPN, no WEP
    - This was our first-phase deployment
    - Lasted 2 years

Slide 23: WEP Weaknesses
- In case you haven’t all seen this already...
- WEP uses RC4 encryption
- Fluhrer, Mantin, and Shamir described a passive, ciphertext-only attack against RC4
  - Specifically targeting the key scheduling algorithm of RC4

Slide 24: WEP Weaknesses (cont.)
- Stubblefield, Ioannidis, and Rubin implemented the attack against the RC4 weakness (6 Aug 2001)
  - “We conclude that WEP is totally insecure, and we provide some recommendations.”
- We felt justified in saying WEP is insufficient for our campus implementation
  - We are network security professionals. We try to design secure systems...
- WEP still makes sense in many environments
  - Home users, departmental deployments, etc.
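The two WEP slides give the conclusion but not the mechanism, so here is an added illustration (example code, not from the presentation or the papers it cites). It implements plain RC4 and WEP's per-frame key construction, then shows two facts the "insufficient" verdict rests on. First, the per-frame RC4 key is the 24-bit IV prepended to the shared key and the IV travels in clear, so the first three key bytes of every frame are public; that structure is what the Fluhrer, Mantin and Shamir key-scheduling analysis targets (the key recovery itself is not reproduced here). Second, with only 2^24 IVs a busy AP repeats one after a few thousand frames, and any two frames under the same IV share a keystream, so XORing their ciphertexts cancels it and exposes the XOR of the plaintexts with no key knowledge at all. The key, IV and frame contents are constructed.

```python
"""RC4 as used by WEP: why the design is insufficient (added example)."""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key`."""
    # Key-scheduling algorithm (KSA): permute S[] under the key bytes
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_frame_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP per-frame RC4 key: 3-byte IV (sent in clear) || shared key."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + shared_key


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body (the CRC-32 ICV is omitted for brevity)."""
    ks = rc4_keystream(wep_frame_key(iv, shared_key), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday-bound estimate sqrt(pi/2 * 2^n) of frames before an IV repeats."""
    return round(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True if c1 ^ c2 == p1 ^ p2 for two frames sent under the same IV.

    Holds for any key: the shared keystream cancels, so an observer who
    never learns the key still learns the XOR of the two plaintexts.
    """
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")   # constructed 40-bit WEP key
    iv = bytes.fromhex("000102")        # constructed IV
    print("per-frame RC4 key (IV in clear):", wep_frame_key(iv, key).hex())
    print("frames until an IV repeats (expected):",
          expected_frames_until_iv_repeat())
    print("c1^c2 == p1^p2 under a reused IV:",
          keystream_reuse_leak(key, iv, b"GET /index.html", b"POST /login.cgi"))
```

The estimate comes out around 5,100 frames, i.e. seconds to minutes on a loaded AP, which is why "dynamic WEP" on the previous slide is described as a race: rotating keys faster than the weakness can be used is a timing contest, not a fix. The RC4 routine is checked against the standard published test vector (key "Key").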

Slide 25: VPN Benefits and Drawbacks
- Benefits
  - VPN provides encryption and authentication
  - Use of VPN is required for any access outside of the wireless network
  - Not necessary to track/filter MAC addresses
  - Limited to authorized users
- Drawbacks
  - Client software install required
  - No free Mac (pre-OS X) client for Cisco VPN 3000; no PDAs or tablets
  - Client support = Help Desk Hell
  - Increased overhead
  - No easy access for visitors
- So...

Slide 26: Bluesocket at UMass
- Scalable: just add more boxes
- Flexible
  - 802.1q capable
  - Different authentication options
  - Developing guest access process
  - Web-based CGI front end, API back end
  - Allows role-based grouping
  - Works for wired, too (kiosks, public jacks)
- VPN still supported as an option
- Using hot standby for fault tolerance

Slide 27: Bluesocket at UMass (cont.)
- Hotspot stickers help get out the word
- Post-login “Thank you” page
- API:
  - Guest access
  - Bulk import of MAC addresses
- IPSec pass-through in the Un-reg role
- Now: VPN is supported but optional
  - Explain why it is desirable to use
- Rogues: “If you can’t beat ‘em, assimilate ‘em!!”

Slide 28: Wireless Network Topology
- Didn’t want to trunk a VLAN over production equipment
  - Current infrastructure is layer 3
- Needed to leverage existing network equipment (Cisco 2912)
  - Cost savings
- Only need a single authentication gateway to deploy wireless campus-wide

Slide 29: Wireless Network Topology (cont.)
- Running over parallel fiber infrastructure
- Flexibility
  - We can add authentication gateways as demand warrants
  - Don’t need to buy one per major node site until needed
  - Allows us to provide a campus-wide VLAN at layer 2 without impacting the current environment
- Migrating wireless management to RFC 1918 space
  - Part of wholesale infrastructure migration
  - Mitigates exposure of managed devices
- Investigating central management (Cisco WLSE)

Slide 30: Wireless Network Topology

Slide 31: Upcoming Wireless Concerns
- Bridging
  - Many modern OSs provide bridging to ease home use of wireless APs
  - Given the prevalence of personal APs at home, this is becoming a challenge
  - Two layer 2 networks may be bridged
    - Connected to wired Ethernet and wireless
  - Spanning tree is not happy about this
    - BPDU Guard (Cisco)
  - Huge time cost for client, help desk staff and networking staff

Slide 32: Upcoming Wireless Concerns (cont.)
- Wireless denial of service
  - Without policy:
    - Channel saturation
    - SSID jamming
    - Bandwidth saturation
  - With policy, we can respond to it:
    - Channel allocations
    - SSID allocations
    - Bandwidth management
      - Per location, per role, per user?

Slide 33: Wireless Incident Handling
- Physically locating hosts would be a challenge
  - There is no wire/jack to follow
  - Triangulation is not there yet (for us at least)
- Authentication gateway provides us:
  - Username logged in
  - MAC/IP address of client
  - AP the user is associated to
  - Triangulation data someday?

Slide 34: Wireless Incident Handling (cont.)
- First wireless shutoff
  - Sometime in September we had our first wireless Nachi infection
  - Needed to develop a handling process
- Manual intervention required
  - We have NetReg on our wired networks
  - Currently no automatic notification path
  - We have a ‘safety net’ for wired networks
- Incident handling is like dialup
  - Short-duration sessions
  - More robust (per-session) authentication on wireless
  - Currently account lockout is not specific to wireless
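Slides 33 and 34 together describe the manual step: an alert (a worm such as Nachi scanning from a wireless IP) names only an address, and the gateway's records of username, MAC/IP and associated AP are what turn that into a person and a place. The following added example (not code from the presentation or from Bluesocket) does that correlation over a constructed gateway log. The log format, the host name "bsc1", the user and MAC values and the year (2003, since syslog timestamps carry none) are all assumptions; a real gateway's format differs, so only parse_event() would need changing. Because wireless sessions are short and DHCP leases are reused, the lookup is by IP at a point in time rather than by IP alone, and a roam event updates the AP so the answer is the AP the client was on at that moment.

```python
"""Who was on this wireless IP at this time?  (added example, constructed log)"""
import re
from datetime import datetime

LOG_YEAR = 2003  # assumed; syslog lines carry no year

# Constructed sample log: login/roam/logout events for two users.  Note
# that 10.5.20.17 is handed to a second user after the first logs out.
SAMPLE_LOG = """\
Sep 18 09:12:03 bsc1 login: user=jsmith mac=00:0e:35:1a:2b:3c ip=10.5.20.17 ap=00:0b:85:11:22:33 role=student
Sep 18 09:40:11 bsc1 roam: mac=00:0e:35:1a:2b:3c ap=00:0b:85:44:55:66
Sep 18 10:02:45 bsc1 logout: user=jsmith mac=00:0e:35:1a:2b:3c ip=10.5.20.17
Sep 18 10:05:00 bsc1 login: user=mlee mac=00:0e:35:99:88:77 ip=10.5.20.17 ap=00:0b:85:44:55:66 role=student
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<kind>\w+): (?P<rest>.*)$")


def parse_event(line):
    """Parse one log line into a dict, or None if it is not a gateway event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"time": ts, "kind": m["kind"], **fields}


def build_sessions(lines):
    """Fold events into sessions keyed by MAC; roam events append a new AP."""
    sessions, open_by_mac = [], {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        mac = ev["mac"].lower()
        if ev["kind"] == "login":
            s = {"user": ev["user"], "mac": mac, "ip": ev["ip"],
                 "start": ev["time"], "end": None,
                 "aps": [(ev["time"], ev["ap"])]}
            sessions.append(s)
            open_by_mac[mac] = s
        elif ev["kind"] == "roam" and mac in open_by_mac:
            open_by_mac[mac]["aps"].append((ev["time"], ev["ap"]))
        elif ev["kind"] == "logout" and mac in open_by_mac:
            open_by_mac.pop(mac)["end"] = ev["time"]
    return sessions


def who_had_ip(lines, ip, when):
    """Return (user, mac, ap) holding `ip` at datetime `when`, or None."""
    for s in build_sessions(lines):
        if s["ip"] != ip or when < s["start"]:
            continue
        if s["end"] is not None and when >= s["end"]:
            continue  # session had already ended; the lease may be reused
        # The AP is the last association recorded at or before `when`.
        ap = max((a for a in s["aps"] if a[0] <= when), key=lambda a: a[0])[1]
        return s["user"], s["mac"], ap
    return None


if __name__ == "__main__":
    # Constructed alert: IDS saw scanning from 10.5.20.17 at 09:50 on Sep 18.
    alert_time = datetime(LOG_YEAR, 9, 18, 9, 50, 0)
    print(who_had_ip(SAMPLE_LOG, "10.5.20.17", alert_time))
```

For the constructed alert the answer is jsmith on MAC 00:0e:35:1a:2b:3c, associated to the second AP (the client had roamed ten minutes earlier); asking about the same IP a few minutes after the logout returns nothing, and asking after 10:05 returns mlee. That last distinction is what keeps the wrong student from being shut off.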

Slide 35: Research Partnerships
- An opportunity to apply user needs in promoting the research mission of the University with real-world applications
- Mobility research
  - Computer Science research group
  - Interested in user mobility and connectivity patterns
    - Especially outdoor wireless
  - Trending AP associations
  - Targeting deployment based on need and value of data
  - Requires ubiquitous coverage
    - Can’t roam where there are no APs
    - Working on it
  - New challenge in locating misbehaving hosts
  - It is very cold outdoors...

Slide 36: Research Partnerships (cont.)
- Wireless as a teaching tool
  - NSF grant-funded
  - Vendor equipment grant
  - Tablet PCs for students to use in class for the semester
  - Collaboration between School of Management, OIT, and other departments on campus
  - Online quizzing
  - In-class video delivery

Slide 37: Summary
- Questions?

Copyright University of Massachusetts. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

