WIRELESS DEPLOYMENT: A successful solution to Campuswide role-based secure Wi-Fi deployment. Andrea Di Fabio – Information Security Officer.


1 WIRELESS DEPLOYMENT: A successful solution to Campuswide role-based secure Wi-Fi deployment. Andrea Di Fabio – Information Security Officer

Copyright Andrea Di Fabio 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Agenda
1. The Challenge
   - Manageability
   - End User Configuration
   - Campus and User Security
   - Wireless Standards
   - Hardware and Vendors
2. The Results
   - Selection of Standards
   - Hardware and Vendor Selection
   - Wireless Site Survey
3. Pitfalls and Solutions
   - Shared Computers
   - PDA’s
   - Remote Locations (no VLAN)
   - The business case for Wi-Fi
4. Conclusion

3 Manageability
- Least time managing the infrastructure
- Standard Configuration = fast deployment
- Access Points
- End User
- Health monitoring tools
- Simple, effective and secure

4 End User Configuration
As simple as possible
- Standard configuration for all users
- Secure communication
- Awareness Program
- Flyers and Web instructions

5 Campus and User Security
GOAL: Simple, effective and secure
- Protect the end user
- Encryption
- Dynamic keys
- Key rotation
- Protect the Campus Network
- VLAN’s and ACL’s
- Encryption
- Authentication
- Role-based security context
- Automatic VLAN switching
- Per VLAN ACL’s
- User Authentication Required
- Wireless Encryption Required
- Awareness VS Technical Controls

6 The Challenge Matrix

| Manageability | Configuration | Security |
|---|---|---|
| Least time | Simple | User Authentication |
| Standard configuration | Standard | Role-Based Context |
| Simple and Secure | Secure | Encryption |
| Health monitoring | | |

7 Possible Solutions
Wi-Fi / Manageability / Configuration / Security
- Open: Simplest; None
- Plain Text & Authenticated: Moderate; User Access
- Encrypted & No Auth: Complex; Moderate; Data
- Encrypted & Authenticated: Complex; ?; User & Data

8 Wireless Standards
- Some Technical Jargon and …
- Let the fun begin!
- 802.11a/b/g/i
- 802.1X
- EAP, PEAP, LEAP, TLS, TTLS
- WEP, WPA, WPA2, TKIP, CCMP
- RADIUS, IETF, EXTENDED TAGS
- WIRELESS MESH

9 Wireless Standards

| | PEAP with Generic Token Card (GTC) | PEAP with MS-CHAP Version 2 | Cisco LEAP | EAP-TLS |
|---|---|---|---|---|
| User Authentication | Windows NT, Active Directory, Novell NDS, OTP | Windows NT, Active Directory | Windows NT Domains, Active Directory | Windows NT, Active Directory, Novell NDS, OTP |
| Requires Server Certificates | Yes | Yes | No | Yes |
| Requires Client Certificates | No | No | No | Yes |

10 THE TEAM
Network Team:
- Select vendor supporting selected standards
- Determine needs for additional VLANS
- Conduct site survey and deploy AP’s

Server Team:
- Define/Create AD groups for VLAN mappings
- User Dept mappings delegated to depts.
- ADSI Scripts to regroup users

Security Team:
- Selecting and implementing the standards
- Defining and implementing QoS requirements

11 The Implementation 802.1X PEAP Authentication with Dynamic VLAN Assignment

12 Hardware and Vendors
Project Team Selects:
- CISCO Aironet AP’s
  - Coverage inside buildings
  - We started with Dorms and Admin Buildings
  - Mostly one AP per floor (no overlapping channels)
- Vivato Panels
  - Green space coverage
  - 5 Panels, each panel is made of 11 AP’s
  - Very directional

13 AP Configuration

    dot11 ssid NSUWIFI
       vlan 172
       ! PEAP
       authentication open eap eap_methods
       ! LEAP
       authentication network-eap eap_methods
       ! WPA
       authentication key-management wpa cckm optional
    !
    interface Dot11Radio0
     !
     ! tkip wep128 enables both TKIP and 128-bit WEP on the VLAN
     encryption vlan 172 mode ciphers tkip wep128
     !
     encryption vlan 75 mode ciphers tkip wep128
    !
    interface BVI1
     ! MGMT
     ip address 192.168.1.100 255.255.255.0

14 RADIUS CONFIGURATION
- Database Mappings
- Prioritize group mappings

15 RADIUS CONFIGURATION
- Use RADIUS Shared Secret
  - Between AP and RADIUS Server
- Make good use of RADIUS Attributes
  - VLAN TAGGING
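
Slides 11, 14 and 15 describe one flow: after PEAP succeeds, the RADIUS server walks its prioritized group mappings and returns the chosen VLAN to the AP in tunnel attributes. The following Python example is added here and is not from the presentation or any RADIUS product; the group names, the role-to-VLAN pairing and the reject-on-no-match policy are assumptions, while VLANs 172 and 75 are the ones in the slide 13 configuration.

```python
# Added example, not from the slides. Group names are hypothetical; VLANs 172
# and 75 are the two VLANs in the AP configuration on slide 13.
from typing import Optional

# Ordered mapping, highest priority first: the first matching group wins.
GROUP_VLAN_PRIORITY = [
    ("WIFI-Staff", 75),       # hypothetical AD group and role
    ("WIFI-Students", 172),   # hypothetical AD group and role
]
AP_VLANS = {75, 172}          # VLANs the AP has an encryption stanza for

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6        # values used for VLAN assignment (RFC 3580)
TAG = 0                       # RFC 3580: tag is 0x00 when only a VLAN ID is sent


def resolve_vlan(member_of: list) -> Optional[int]:
    """Return the VLAN of the highest-priority mapped group, or None."""
    groups = {g.lower() for g in member_of}
    for group, vlan in GROUP_VLAN_PRIORITY:
        if group.lower() in groups:
            return vlan
    return None


def tunnel_attributes(vlan: int) -> bytes:
    """Encode the three tagged tunnel attributes (RFC 2868 layout)."""
    vlan_id = str(vlan).encode("ascii")
    return (
        bytes([TUNNEL_TYPE, 6, TAG]) + VLAN.to_bytes(3, "big")
        + bytes([TUNNEL_MEDIUM_TYPE, 6, TAG]) + IEEE_802.to_bytes(3, "big")
        + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan_id), TAG]) + vlan_id
    )


def authorize(authenticated: bool, member_of: list) -> tuple:
    """Return (RADIUS reply code name, encoded attributes)."""
    vlan = resolve_vlan(member_of) if authenticated else None
    # Design choice of this example: fail closed. No mapped group, or a VLAN
    # the AP does not carry, is a reject rather than a default VLAN.
    if vlan is None or vlan not in AP_VLANS:
        return ("Access-Reject", b"")
    return ("Access-Accept", tunnel_attributes(vlan))
```

A user in both groups lands in the higher-priority VLAN, which is why the order of the mapping list matters as much as its contents.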

16 Wireless Coverage Site Survey by Elandia Solutions, Inc.

17 The Flyer The Instructions … WIRELESS Configuration … and the Pitfalls

18 Shared Computers
- The Problem
  - Authentication of new users
- The Solution

19 PDA’s
- The Problem
  - Limited Support for 802.1X on PDA’s
- The Solution
  - Funk’s Odyssey (Commercial)
  - Future Plans …

20 Remote Locations (no VLAN)
- The Problem
  - RADIUS TAGGING on FLAT NETWORK …
- The Solution

21 The Business Case for Wi-Fi
- $$$$
- Wireless GB bridges VS Fiber
- Great success in Resident Halls
- Full VLAN Support (Layer 2)
- Wireless Labs and Classrooms
- VBHEC Lab 100% Wireless
- Wireless Collaboration Classes
- WPA2 ‘almost’ as secure as Wired
- Wireless VoIP Phones

22 Conclusion
A successful solution to Campuswide role-based secure Wi-Fi deployment
- Auto VLAN + encryption + authentication can be SIMPLE
- Need for a well-developed directory infrastructure
- Assemble a diverse team: InfoSec, Network, Server, Faculty/Staff
- Use well-known vendors and upgradeable hardware
- Know the Pros and Cons in your Options
- Balance Security, User Access, Configuration and Administration
- 802.1X PEAP MS-ChapV2 with Dynamic VLANS
- Per Session WEP Key migrating to WPA TKIP
- Natively supported by Windows and Mac OS
- Linux Support in wpa_supplicant and Open1X

23 Q&A adifabio@nsu.edu
