DU Wireless Networking Security Update
Chad D. Burnham & Byron D. Early
University Technology Services
CCHE CIO Council Forum on Cybersecurity, 3-12-03
Wireless Acceptable Use Policy:
• Institutional Support Needed from “Top Level”
• Do you have a Wireless-AUP in place?
• DU Wireless-AUP Link
• Issues:
  • Security & Privacy
  • Authorization
  • Hardware & Installation
  • “Rogue” Access Points
  • User Support
Securing Wireless Today:
• Securing WLANs today:
  • Virtual Private Networks (VPNs)
  • 802.1X-based authentication with WEP encryption (dynamic WEP)
• WEP is still a good deterrent for “casual” snoopers
• “Wi-Fi Protected Access” (WPA) will replace WEP as standard Wi-Fi security
Security & Access… @ Which OSI Layer?
• DU: Not Using Layer-2 WEP/WEP2 Key encryption
  • WEP2 (802.11i) not yet ratified
• DU: Using VPN Layer-3 solution
  • Encryption & AAA
DU Physical Network Topology:
• DU Data Backbone
• Wireless is several Internal VLANs / Subnets
• DU: Cisco 3030 VPN “appliance” in each VTP “Core” Domain
  • (Cisco 6500s: VPN-blade now available)
Wireless Backbone @ DU:
• Separate Layer-2 & Layer-3 VLANs for WLANs!
  • Similar to VoIP Networks
• Apply Wireless-Access-Control-centric Lists / Filters
• Do not place Wireless Access Points ‘on top’ of existing wired VLANs/Networks
• DU Using 10.X.Y.Z address space & routing it
• DOCUMENT your WLANs!
DU Encryption & Access - VPNs:
• DU using Cisco 3030s for VPNs (IPsec 3DES – 168-bit)
• Authentication & Authorization: VPN Client software leverages DU’s ERP Directory: “Banner” database for AA functionality
  • RADIUS: Radiator on Solaris 8 fed by Banner (nightly)
  • Handles ACCOUNTING
• DU “Branded” the Cisco VPN Client Software:
  • DU Logo & configured .pcf file (similar to .ini)
  • DU Supports: WIN 2K & XP (98/ME/NT4 work)
• OSs: Not yet branded (beta configured):
  • MAC OS 10.2, Solaris, Linux
  • Pocket PC: Movian Admit One software client – BETA Trial
“Locking Down” Wireless LANs w/ ACLs – Key to Security:
• Complex Router Access Control List Objectives:
  # Allow IPsec to VPN Concentrators
  # Allow MSFCs to see each other for HSRP
  # Allow bootp on broadcast
  # Allow bootp from DHCP clients
  # Allow DNS to iVPN DNS server
  # Allow download of client
  # Allow MGMT station to ping router and APs
  # Allow these systems to be pinged
  # Allow management station to snmp from APs
  # Deny all else
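The objectives above, written out as one IOS named extended ACL applied inbound on a wireless VLAN interface. This is an added example for this update, not DU’s configuration; every address, VLAN number and host role in it is an assumption (10.20.30.0/24 is one wireless subnet, 10.1.1.10 the VPN concentrator, 10.1.1.20 the iVPN DNS server, 10.1.1.30 the client-download server, 10.1.1.40 the management station, 10.1.1.50 the DHCP server, and 10.20.30.5/.6 two access points).

```cisco
! Added example, not DU's production ACL. Inbound on the WLAN VLAN, so only
! traffic the wireless side is allowed to originate can leave the VLAN.
ip access-list extended WLAN-IN
 remark Allow IPsec to VPN Concentrators (IKE, ESP, and IPsec-over-UDP/10000)
 permit udp 10.20.30.0 0.0.0.255 host 10.1.1.10 eq isakmp
 permit esp 10.20.30.0 0.0.0.255 host 10.1.1.10
 permit udp 10.20.30.0 0.0.0.255 host 10.1.1.10 eq 10000
 remark Allow MSFCs to see each other for HSRP (hellos to 224.0.0.2/1985)
 permit udp 10.20.30.0 0.0.0.255 host 224.0.0.2 eq 1985
 remark Allow bootp on broadcast (DISCOVER/REQUEST from unconfigured clients)
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark Allow bootp from DHCP clients (unicast renewals via the helper)
 permit udp 10.20.30.0 0.0.0.255 eq bootpc host 10.1.1.50 eq bootps
 remark Allow DNS to iVPN DNS server
 permit udp 10.20.30.0 0.0.0.255 host 10.1.1.20 eq domain
 remark Allow download of client (HTTP to the VPN-client distribution host)
 permit tcp 10.20.30.0 0.0.0.255 host 10.1.1.30 eq www
 remark Allow these systems to be pinged (echo-replies from the APs back to MGMT)
 permit icmp host 10.20.30.5 host 10.1.1.40 echo-reply
 permit icmp host 10.20.30.6 host 10.1.1.40 echo-reply
 remark Allow management station to snmp from APs (responses and traps)
 permit udp host 10.20.30.5 eq snmp host 10.1.1.40
 permit udp host 10.20.30.6 eq snmp host 10.1.1.40
 permit udp host 10.20.30.5 host 10.1.1.40 eq snmptrap
 permit udp host 10.20.30.6 host 10.1.1.40 eq snmptrap
 remark Deny all else; log it so rogue-AP and stray-client traffic shows up in syslog
 deny ip any any log
!
interface Vlan230
 description Wireless VLAN (assumed number) - documented per the WLAN inventory
 ip address 10.20.30.1 255.255.255.0
 ip helper-address 10.1.1.50
 ip access-group WLAN-IN in
```

The “MGMT station to ping router and APs” objective needs no inbound rule here because those echo requests arrive from the core side; only the replies cross the wireless VLAN inbound, which the echo-reply lines permit.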
“Rogue” Access Points:
• “Rogue” Access Points are not permitted
• Department, Student & Contractor Incidents
  • Log incidents @ DU Network Security Office
  • Student Apple Airport DHCP Incident(s)
  • Ticketmaster & Bookstore Contractors (so far)
• Performance Issues:
  • Speed/Duplex
  • RF Signal/Channel Overlay Issues
• Use AUP as Leverage for Enforcement
  • Student Judicial Department
  • Dean’s Council
Locating “Rogue” APs – RF Analyzers / Tools:
• OSI Layer 1/2:
  • Grasshopper & Yellowjacket Plus
• OSI Layer 2/3:
  • AirMagnet – Handheld – iPAQ / Laptop – ~$3,600
  • Fluke: Handheld – iPAQ (Linux) – WaveRunner – ~$4K
  • Fluke: Tablet Add-on – OptiView Integrated Network Analyzer – $30K
  • Sniffer Wireless for PDA – 1-Year Software License
Standards Watch:
• DU: Standards-based solution
802.11: Security & Access (OSI Layers 1 & 2)
• ESS (Network) ID: Text Constant Variable
  • DU: Using Single Standardized Name
  • Users can’t be expected to know multiple wireless names for different locations
  • Not a Valid Security Approach!
  • Common Name Signifies a “Supported Network”
• MAC Address Registration (on APs)
  • Cumbersome & high management overhead
  • Must re-enter if card is swapped out
  • DU tried on 3 networks… it’s over
802.11i - Layer 2 Encryption:
• Enhanced WEP (a.k.a. WEP2)
• Applies to 802.11a, 802.11b, 802.11g
• New encryption & authentication methods
  • Temporal Key Integrity Protocol (TKIP)
  • AES (an iterated block cipher) and TKIP backwards compatibility – replaces RC4
• Best “on-track” approach to the wireless threats/model
• Ratification expected Q1 2003
802.1X - EAP Variants: Layer-2 Authentication
• EAP-TTLS
  • IETF draft jointly authored by Funk Software and Certicom, and a working document of the PPP Extensions group. EAP-TTLS provides strong security while supporting legacy password protocols, enabling easy deployment across the enterprise.
• EAP-TLS
  • Based on TLS, the follow-on to Secure Sockets Layer (SSL). It provides strong security, but relies on client certificates for user authentication.
• EAP-MD5
  • Essentially duplicates CHAP password protection on a WLAN. EAP-MD5 represents a kind of base-level EAP support among 802.1X devices.
• LEAP, PEAP, etc.
  • Vendors pushing ahead of standards efforts (de facto attempts), a.k.a. “Cisco-Compatible”
• Good presentation @ 2003 WestNet by Dave Packham on problems with today’s 802.1X methods:
  • http://www.scd.ucar.edu/nets/projects/Westnet/prev-mtg/0103.meeting/presentations.0103/802.1x.ppt
Introducing WPA
• Wi-Fi Protected Access (WPA) is a proactive response by the industry to offer an immediate and strong security solution
• Standards-based, interoperable security specification – N.I.S.T. Supported
• Significantly increases the level of data protection and access control for existing and future wireless LAN systems
• WPA is a subset of the 802.11i draft standard and will maintain forward compatibility
WPA – When?
• When properly installed, Wi-Fi Protected Access will provide:
  • Strong over-the-air data protection
  • Strong network access control
• The Wi-Fi Alliance expects formal certification of WPA to begin in the first quarter of 2003
• Look for WPA software upgrades to start to appear in the next several months
Other Good Articles & Links:
• http://standards.ieee.org/
• http://www.wi-fi.com/
• http://www.80211-planet.com
• http://csrc.nist.gov/wireless/S09_WPA%20Analyst%20Briefing%2005-part1-ff.pdf
• This Presentation:
  • http://netserv.du.edu/data/presentations.asp