Slide 1: DU Wireless Networking Security Update
Chad D. Burnham & Byron D. Early, University Technology Services
CCHE CIO Council Forum on Cybersecurity, 3-12-03
Slide 2: Wireless Acceptable Use Policy
- Institutional support needed from the "top level"
- Do you have a Wireless-AUP in place? (DU Wireless-AUP link)
- DU issues: security & privacy; authorization; hardware & installation; "rogue" access points; user support
Slide 3: Securing Wireless Today
- Securing WLANs today: Virtual Private Networks (VPNs); 802.1X-based authentication with WEP encryption (dynamic WEP)
- WEP is still a good deterrent for "casual" snoopers
- "Wi-Fi Protected Access" (WPA) will replace WEP as standard Wi-Fi security
Slide 4: Security & Access: at which OSI layer?
- DU: not using Layer-2 WEP/WEP2 key encryption; WEP2 (802.11i) not yet ratified
- DU: using a Layer-3 VPN solution for encryption & AAA
Slide 5: DU Physical Network Topology
- DU data backbone: wireless is several internal VLANs / subnets
- DU: Cisco 3030 VPN "appliance" in each VTP "core" domain (Cisco 6500s: VPN blade now available)
Slide 6: Wireless Backbone at DU
- Separate Layer-2 & Layer-3 VLANs for WLANs! Similar to VoIP networks
- Apply wireless-centric access control lists / filters
- Do not place wireless access points "on top" of existing wired VLANs/networks
- DU using 10.X.Y.Z address space & routing it
- DOCUMENT your WLANs!
Slide 9: DU Encryption & Access: VPNs
- DU using Cisco 3030s for VPNs (IPsec, 3DES, 168-bit)
- Authentication & authorization: VPN client software leverages DU's ERP directory, the "Banner" database, for AA functionality
- RADIUS: Radiator on Solaris 8, fed by Banner (nightly); handles accounting
- DU "branded" the Cisco VPN client software: DU logo & configured .pcf file (similar to .ini)
- DU supports Win 2K & XP (98/ME/NT4 work)
- OSs not yet branded (beta configured): Mac OS 10.2, Solaris, Linux
- Pocket PC: Movian Admit One software client, beta trial
Slide 10: "Locking Down" Wireless LANs with ACLs: Key to Security
Complex router access control list objectives:
# Allow IPsec to VPN concentrators
# Allow MSFCs to see each other for HSRP
# Allow bootp on broadcast
# Allow bootp from DHCP clients
# Allow DNS to iVPN DNS server
# Allow download of client
# Allow MGMT station to ping router and APs
# Allow these systems to be pinged
# Allow management station to snmp from APs
# Deny all else
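The objectives above only work if the permits come before the final "deny all else" and nothing else slips through. The following is an added example, not DU's router configuration: a first-match evaluator that encodes the slide's rule list in order and runs constructed sample flows through it, showing that an unauthenticated wireless client can reach the VPN concentrator, DHCP, the iVPN DNS server and the client download, and nothing else. All addresses, the host roles and the use of HTTP port 80 for the client download are assumptions.

```python
"""First-match ACL evaluator modelled on the wireless-VLAN objectives on the slide.
Added example; addresses and host roles are constructed placeholders, not DU's."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder addressing (the slide only says DU routes 10.X.Y.Z space).
WLAN_NET  = ip_network("10.20.0.0/16")       # hypothetical wireless client subnet
VPN_CONC  = ip_network("10.20.255.10/32")    # hypothetical VPN concentrator
IVPN_DNS  = ip_network("10.20.255.20/32")    # hypothetical pre-VPN DNS server
CLIENT_DL = ip_network("10.20.255.30/32")    # hypothetical VPN-client download server
MGMT_STN  = ip_network("10.20.255.40/32")    # hypothetical management station
AP_NET    = ip_network("10.20.254.0/24")     # hypothetical access-point management range
ANY       = ip_network("0.0.0.0/0")
BCAST     = ip_network("255.255.255.255/32")
HSRP_GRP  = ip_network("224.0.0.2/32")       # HSRP "all routers" multicast group


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "esp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # protocol name, or "ip" to match any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


# The slide's objectives, in the slide's order. IKE 500, HSRP 1985, bootp 67,
# DNS 53 and SNMP 161 are the standard ports; HTTP 80 for the download is assumed.
WLAN_ACL: List[Rule] = [
    Rule("permit", "udp",  WLAN_NET, VPN_CONC,  500,  "IKE to VPN concentrator"),
    Rule("permit", "esp",  WLAN_NET, VPN_CONC,  None, "ESP to VPN concentrator"),
    Rule("permit", "udp",  ANY,      HSRP_GRP,  1985, "MSFCs see each other for HSRP"),
    Rule("permit", "udp",  ANY,      BCAST,     67,   "bootp on broadcast"),
    Rule("permit", "udp",  WLAN_NET, ANY,       67,   "bootp from DHCP clients"),
    Rule("permit", "udp",  WLAN_NET, IVPN_DNS,  53,   "DNS to iVPN DNS server"),
    Rule("permit", "tcp",  WLAN_NET, CLIENT_DL, 80,   "download of VPN client"),
    Rule("permit", "icmp", MGMT_STN, AP_NET,    None, "MGMT station pings router and APs"),
    Rule("permit", "icmp", AP_NET,   MGMT_STN,  None, "these systems may be pinged (replies)"),
    Rule("permit", "udp",  MGMT_STN, AP_NET,    161,  "management station SNMP to APs"),
    Rule("deny",   "ip",   ANY,      ANY,       None, "deny all else"),
]


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins, as on a Cisco IOS access-list; if nothing
    matches, the implicit deny applies."""
    for r in acl:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit deny"


def permitted(p: Packet) -> bool:
    return evaluate(WLAN_ACL, p)[0] == "permit"


# Constructed sample flows from a wireless client (10.20.3.7) and the management station.
SAMPLE_FLOWS = {
    "ike_to_concentrator": Packet("udp",  "10.20.3.7",    "10.20.255.10", 500),
    "esp_to_concentrator": Packet("esp",  "10.20.3.7",    "10.20.255.10"),
    "dhcp_discover":       Packet("udp",  "0.0.0.0",      "255.255.255.255", 67),
    "dns_to_ivpn":         Packet("udp",  "10.20.3.7",    "10.20.255.20", 53),
    "client_download":     Packet("tcp",  "10.20.3.7",    "10.20.255.30", 80),
    "web_bypassing_vpn":   Packet("tcp",  "10.20.3.7",    "203.0.113.5",  80),
    "dns_to_other_server": Packet("udp",  "10.20.3.7",    "203.0.113.53", 53),
    "client_pings_ap":     Packet("icmp", "10.20.3.7",    "10.20.254.5"),
    "mgmt_pings_ap":       Packet("icmp", "10.20.255.40", "10.20.254.5"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_FLOWS.items():
        action, why = evaluate(WLAN_ACL, pkt)
        print(f"{name:22s} {action:6s} ({why})")
```

The ordering matters: because the web and foreign-DNS flows match no permit, they fall to the last rule, which is the whole point of the slide's "Deny all else". Moving the deny up, or adding a broad permit for convenience, silently opens the unauthenticated wireless VLAN.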
Slide 11: "Rogue" Access Points
- "Rogue" access points are not permitted
- Department, student & contractor incidents; log incidents at the DU Network Security Office
- Student Apple AirPort DHCP incident(s)
- Ticketmaster & Bookstore contractors (so far)
- Performance issues: speed/duplex; RF signal/channel overlay issues
- Use the AUP as leverage for enforcement: Student Judicial Department; Dean's Council
Slide 12: Locating "Rogue" APs: RF Analyzers / Tools
- OSI Layer 1/2: Grasshopper & Yellowjacket Plus
- OSI Layer 2/3: AirMagnet handheld (iPAQ) / laptop, ~$3,600
- Fluke handheld, iPAQ (Linux): WaveRunner, ~$4K
- Fluke tablet add-on: OptiView Integrated Network Analyzer, $30k
- Sniffer Wireless for PDA: 1-year software license
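Once an analyzer walk has produced a list of observed radios, the triage step is comparing it with what the institution sanctions. The following is an added example, not DU's tooling or data: it takes a constructed scan of BSSIDs, checks each against a hypothetical authorized-AP inventory, flags unknown radios advertising the standardized campus SSID (the case slide 14 warns about, since users treat the common name as the supported network), flags other unknown radios such as a student base station, and notes 2.4 GHz channel overlap with sanctioned APs as a pointer to the performance issues listed on slide 11. The SSID "Campus-WLAN", the inventory and all MAC addresses are made up.

```python
"""Rogue-AP triage over a constructed analyzer scan. Added example; the SSID,
inventory and scan records are made up and are not DU data."""
from dataclasses import dataclass
from typing import Dict, List

SUPPORTED_SSID = "Campus-WLAN"    # placeholder for the single standardized name

# Hypothetical inventory of sanctioned APs keyed by lowercase BSSID (radio MAC).
AUTHORIZED_APS: Dict[str, str] = {
    "00:40:96:aa:bb:01": "Library 2F",
    "00:40:96:aa:bb:02": "Student Center",
}


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int       # signal strength as a handheld analyzer reports it


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    category: str       # "authorized", "rogue_spoofing_ssid" or "unknown_ap"
    note: str


def channels_overlap(a: int, b: int) -> bool:
    """2.4 GHz channels sit 5 MHz apart but an 802.11b signal is about 22 MHz
    wide, so channels fewer than five apart interfere with each other."""
    return abs(a - b) < 5


def classify(scan: List[Observation],
             inventory: Dict[str, str] = AUTHORIZED_APS,
             supported_ssid: str = SUPPORTED_SSID) -> List[Finding]:
    # Channels in use by sanctioned APs seen in this scan, for the overlap notes.
    sanctioned_channels = {o.bssid.lower(): o.channel
                           for o in scan if o.bssid.lower() in inventory}
    findings: List[Finding] = []
    for o in scan:
        bssid = o.bssid.lower()
        if bssid in inventory:
            findings.append(Finding(bssid, o.ssid, o.channel, "authorized", inventory[bssid]))
            continue
        overlapping = [inventory[b] for b, ch in sanctioned_channels.items()
                       if channels_overlap(ch, o.channel)]
        note = ("overlaps sanctioned AP(s): " + ", ".join(overlapping)
                if overlapping else "no channel overlap with sanctioned APs in this scan")
        # An unknown radio using the campus name is the worst case: users treat
        # the common name as "the supported network" and will associate to it.
        category = "rogue_spoofing_ssid" if o.ssid == supported_ssid else "unknown_ap"
        findings.append(Finding(bssid, o.ssid, o.channel, category, note))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed scan, the kind of list a handheld analyzer walk produces.
SAMPLE_SCAN = [
    Observation("00:40:96:AA:BB:01", "Campus-WLAN", 1, -60),    # sanctioned (mixed case on purpose)
    Observation("00:40:96:aa:bb:02", "Campus-WLAN", 11, -70),   # sanctioned
    Observation("00:03:93:11:22:33", "Campus-WLAN", 6, -50),    # unknown radio, campus name
    Observation("00:03:93:44:55:66", "Dorm-Airport", 3, -45),   # unknown radio, its own name
]

if __name__ == "__main__":
    for f in classify(SAMPLE_SCAN):
        print(f"{f.category:20s} {f.bssid} ch{f.channel:<2d} {f.ssid:12s} {f.note}")
    print(summary(classify(SAMPLE_SCAN)))
```

The inventory lookup is by radio MAC rather than by SSID because the SSID is exactly the thing a rogue can copy; the channel note is only a hint for the walk-through, since the analyzer's signal readings, not this list, locate the device.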
Slide 13: Standards Watch
- DU: standards-based solution
Slide 14: 802.11 Security & Access (OSI Layers 1 & 2)
- ESS (network) ID: text constant variable
  - DU: using a single standardized name; users can't be expected to know multiple wireless names for different locations
  - Not a valid security approach! The common name signifies a "supported network"
- MAC address registration (on APs)
  - Cumbersome & high management overhead; must re-enter if a card is swapped out
  - DU tried it on 3 networks... it's over
Slide 15: 802.11i: Layer 2 Encryption
- Enhanced WEP (a.k.a. WEP2); applies to 802.11a, 802.11b, 802.11g
- New encryption & authentication methods: Temporal Key Integrity Protocol (TKIP); AES (an iterated block cipher) with TKIP backwards compatibility; replaces RC4
- Best "on-track" approach to the wireless threat model
- Ratification expected Q1 2003
Slide 16: 802.1X: EAP Variants (Layer-2 Authentication)
- EAP-TTLS: IETF draft jointly authored by Funk Software and Certicom, and a working document of the PPP Extensions group. EAP-TTLS provides strong security while supporting legacy password protocols, enabling easy deployment across the enterprise.
- EAP-TLS: follow-on to Secure Sockets Layer (SSL). It provides strong security, but relies on client certificates for user authentication.
- EAP-MD5: essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices.
- LEAP, PEAP, etc.: vendors pushing ahead of standards efforts (de facto attempts), a.k.a. "Cisco-Compatible"
- Good presentation at 2003 WestNet by Dave Packham on problems with today's 802.1X methods: http://www.scd.ucar.edu/nets/projects/Westnet/prev-mtg/0103.meeting/presentations.0103/802.1x.ppt
Slide 17: Introducing WPA
- Wi-Fi Protected Access (WPA) is a proactive response by the industry to offer an immediate and strong security solution
- Standards-based, interoperable security specification; N.I.S.T. supported
- Significantly increases the level of data protection and access control for existing and future wireless LAN systems
- WPA is a subset of the 802.11i draft standard and will maintain forward compatibility
Slide 18: WPA: When?
- When properly installed, Wi-Fi Protected Access will provide strong over-the-air data protection and strong network access control
- The Wi-Fi Alliance expects formal certification of WPA to begin in the first quarter of 2003
- Look for WPA software upgrades to start to appear in the next several months
Slide 19: Other Good Articles & Links
- http://standards.ieee.org/
- http://www.wi-fi.com/
- http://www.80211-planet.com
- http://csrc.nist.gov/wireless/S09_WPA%20Analyst%20Briefing%2005-part1-ff.pdf
- This presentation: http://netserv.du.edu/data/presentations.asp