Wireless CIS Plan for Testing and Rollout (draft)
W.E.P.
• Wired Equivalent Privacy
• 40-bit (64-bit), 128-bit
• Already defeatable without additional security measures
• Most clients use software encryption, which significantly decreases performance
EAP and LEAP
• Extensible Authentication Protocol
• Lightweight Extensible Authentication Protocol
• EAP is an extension to RADIUS – Remote Access Dial-In User Service
Wireless Standards
• 802.11b – 11 Mbps
• 802.11g – ratified, but no products currently available for it. An extension to 802.11b that will allow 22 Mbps rates
• 802.11a – have only seen one vendor producing these, but supposed to be more widely available by year end. 6-54 Mbps, uses the 5 GHz band and isn’t compatible. Range is about half of 802.11b
• Realistically 2-3 years away from widespread adoption
OIT Observations
• WLAN encryption takes overhead of about 3% on Cisco – already starting at less than 5 Mbps
• [Less than 50% effective vs 70% for 802.11]
• Should only use wireless to augment wired, not replace it
• Membership in SONNET requires authentication of clients
OIT Recommendations
• 1) Use WEP for now
• 2) Require application-level security where possible
• 3) Doesn’t see any value in MAC authentication
• 4) Authentication & logging required by OSU
• 5) Use OIT’s authentication script for now
OIT Standards proposals
• 1) 802.11b compliance
• 2) Client authentication
• 3) Client DHCP by server, not by AP
• 4) NAT (Network Address Translation) off
• 5) Encryption of sensitive data – WEP
• 6) Follow channel reservation scheme
• 7) Only channels 1, 6, 11 can be used, but only 1 is for departments; 6 is for OIT, 11 is campus-wide
• 8) Other channels can’t be used
Capabilities
• 11 Mbps (theoretical) per Access Point (AP) – limited by 10 Mbps wired connection
• 25 clients or less per AP is recommended by Cisco and others
• 250 clients is the theoretical limit
• Client (theoretical) – 11 Mbps at 100 ft., 5.5 Mbps at 150 ft., 2 Mbps at 300 ft. indoors. Segment load, obstructions and overhead will reduce these rates significantly
Limitations
• Cells can’t overlap w/o interference
• Underlap creates dropouts
• 11 Mbps × 55% = 6.05 Mbps – testing of various APs often produces results of less than 5 Mbps
• 6.05 Mbps / 25 clients = 242 kbps approx.
• 6.05 Mbps / 250 clients = 24 kbps – phone-grade connection
• Could not provide adequate bandwidth for lecture halls like 113 if everyone had wireless. Access to the wired network is through OIT; elevator shafts create obstacles to provide from new Dreese
Limitations
• Dropouts will occur in elevators, stairwells and similar areas
• 2.4 GHz band is “crowded” – interference from portable phones and microwaves is possible, especially when the device is directly in the path of transmission
• Interference from rogue APs would be detrimental to the entire WLAN
• Use of any channel other than 11 can potentially cause some interference, particularly on the edge of cell ranges. Even ch 11 would interfere with OIT
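The channel reservation scheme and the rogue-AP concern above suggest a simple check to run over site-survey output. This is an added example, not part of the deck or any OIT/Cisco tool; the BSSIDs, the AP inventory and the scan lines are constructed, and the channel-to-owner mapping is taken from the proposal (1 = departments, 6 = OIT, 11 = campus-wide).

```python
"""Added example: audit a site-survey scan against the OIT channel scheme and our AP inventory."""
from dataclasses import dataclass

# Channel reservation scheme from the proposal: 1 = departments, 6 = OIT, 11 = campus-wide.
CHANNEL_OWNER = {1: "department", 6: "OIT", 11: "campus"}

# Hypothetical inventory of the APs we installed: BSSID -> (name, assigned channel).
AUTHORIZED_APS = {
    "00:40:96:aa:00:01": ("dreese-7", 1),
    "00:40:96:aa:00:02": ("dreese-8", 1),
}

# Constructed survey output, one AP per line: bssid  ssid  channel  rssi(dBm).
SCAN_LINES = """\
00:40:96:aa:00:01  dreese-wlan  1   -48
00:40:96:aa:00:02  dreese-wlan  6   -55
00:02:2d:bb:00:10  linksys      3   -70
00:40:96:cc:00:20  osuwireless  11  -80
"""

@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int

def parse_scan(text):
    """Parse survey lines into Observation records, skipping blank lines."""
    obs = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, ch, rssi = line.split()
            obs.append(Observation(bssid.lower(), ssid, int(ch), int(rssi)))
    return obs

def audit(observations):
    """Return (bssid, code, detail) findings that need follow-up before rollout."""
    findings = []
    for o in observations:
        if o.channel not in CHANNEL_OWNER:
            findings.append((o.bssid, "OFF_SCHEME", f"channel {o.channel} is outside the 1/6/11 scheme"))
        known = AUTHORIZED_APS.get(o.bssid)
        if known is None:
            findings.append((o.bssid, "UNKNOWN_BSSID", f"'{o.ssid}' on channel {o.channel} is not in our inventory"))
        elif known[1] != o.channel:
            findings.append((o.bssid, "WRONG_CHANNEL", f"{known[0]} is on channel {o.channel}, assigned {known[1]}"))
    return findings
```

An UNKNOWN_BSSID on channel 6 or 11 may simply be an OIT or campus AP, so those findings are a review list, not a verdict.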
Non-Cisco PC Cards
• Cisco’s Secure client only works with Cisco cards at this time
• EAP is now a standard. The 802.1x standard is pushing toward LEAP
• Cisco’s security will fall back to MAC authentication, but it compromises security
• Doesn’t meet OIT’s proposed standards
• Owner of a MAC would be implicated in unauthorized use of our system if their MAC is spoofed or their card is stolen
WEP Vulnerabilities – addressed by Cisco LEAP
• Static keys allow enough packets to be captured to defeat encryption
• A WEP key can be derived in 100,000 to 1,000,000 packets
• Cisco LEAP forces reauthentication
• WEP key timeout is configurable
• Rogue Access Point – WEP client doesn’t authenticate the AP
Source: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1515_pp.htm
LEAP
• Immune to AirSnort – popular wireless packet sniffing software
• Worst case – change key every 8 min 20 sec
• We would probably be fine changing the key every 30 minutes
Vendor Comparison
• Cisco is the only one with a 100 mW transmitter; others are 30 mW
• We tried an Intel AP, which is characteristic of many other vendor offerings. It is underpowered compared to the Cisco equipment, and it only offers static WEP
• Cisco cards’ WEP encryption takes place in hardware and requires less overhead – about 3%
Why Cisco?
• They provide the strongest commercially available security scheme
• Their products will integrate better with our existing Cisco network
• They are the only vendor identified whose products meet and exceed the proposed OIT specification
• Their products have the strongest throughput and reliability results
Aironet 350 AP
• Adjustable transmit power – several increments between 1-100 mW
• 128-bit WEP
• Hot-standby AP mode for critical areas
• Rugged version – plenum rated for ceiling-mount locations
• Indoor 130 ft. @ 11 Mbps, 350 ft. @ 1 Mbps
Aironet 350 PC Card
• Range – indoor 130 ft. @ 11 Mbps, 350 ft. @ 1 Mbps; outdoor 800 ft. @ 11 Mbps, 2000 ft. @ 1 Mbps
• Can create profiles for home, work, Starbucks, etc. for easy configuration changes. Seems to require less rebooting
• Adjustable power 1-100 mW
• Support tools for determining connection strength/quality and configuring the client adapter seem to be better and more detailed
Throughput
• Proximity: Cisco 720 kbps; next closest 628 kbps
• Distance: Cisco 599 kbps; next closest 541 kbps
• Source: Network World 2/5/01. Tested: Cisco 340 series – 30 mW version
Overall Performance [chart] – Source: Network World 2/5/01
Security
• Eavesdropping – authentication
• Unauthorized network access – encryption
• WEP cracked – can capture enough packets in 12 hours or less to break it if using static keys
• Can pick up a non-directional wireless signal from as far away as 8 miles with a parabolic dish
• Cisco Secure server authenticates the AP to eliminate the rogue AP threat
Proposed Security
• Authentication by Cisco Secure ACS server
• Firewall – same settings as Region 1 – would allow printing but not SMB, NFS, NIS, etc.
• Would need to move files via client – Citrix, ssh, ftp, etc.
Secure ACS – other benefits
• Usage accounting
• Ability to limit User Max Sessions and Group Max Sessions
• Disable account after X number of failed attempts
Cisco Secure Clients
• Windows 95, 98, NT, 2000, XP or Me
• PDA – no current support for Palm, but there is for Windows CE 2.11, 3.0
• Linux kernel 2.2.xx and Macintosh OS 9.x
• 802.1x standard – Cisco hopes it will lead to more LEAP-enabled clients
Authentication Model [diagram] – Source: Cisco
Wired Network Support
• Power injectors come with the Access Points and would be mounted in switch closets – power would be supplied over special Cat 5
• Wired network would have one dedicated VLAN with a class C network – would require another NIC in the firewall
• We project having 10-11 APs at first, so approximately 240 addresses for clients should work out about right
Wired Network Support – Cont.
• A second class C network would require one more NIC on the firewall
• Switches would require no special configuration
Expected configuration
• 1 AP per floor except on the 2nd floor, where there would probably be a 2nd AP on the Baker side. EE has also indicated they would eventually need an AP here. Might be able to use ch 1 in that area and ch 6 on the North side of Dreese
• 2nd AP in rooms like 280, 480 might be possible if antenna gain can be turned down far enough
• No servers or desktops acting as servers. Sustained 1-2 Mbps would use up 30% or more of bandwidth with one client
Expected Support
• Cisco cards and clients will be used
• Personal laptops – will help with configuration issues relating to connection, authentication, passing of allowed protocols
Site Survey
• Roam around halls of Dreese with 2 APs, 2 ladders, 2 or 3 notebooks with wireless and collect data on signal strength and throughput for various offices, labs, etc.
• Won’t be able to test all types of antennas
• Cisco recommends outsourcing this function to someone with proper tools and expertise to minimize dead spots and interference
• Maximum allowable packet loss 29%
Secure ACS Server
• Configure and test functionality
• Make sure it performs as advertised
Timeline – phase 1
• Secure Server testing – end of January
• Site Analysis – end of February
• Testing – should be done by start of spring quarter
• Final Recommendation – early April
Timeline – phase 2
• April-June – testing available on 8th and 7th floors to test group
• Late June, early July – order APs and hardware for secure server
• Rollout – Aug – early Sept. to all floors in Dreese
• Other buildings – some time during fall quarter or winter break. Unknown interference problems from rogue access points may complicate rollout