James Tucker 459650490 Dr. Durrett ISQS 6342 Wired or Wireless? James Tucker 459650490 Dr. Durrett ISQS 6342

Summary Food for Thought Corporate Level University Level Public Access Level

Food For Thought1 10 Steps to Secure a Wireless Network Control your broadcast area Lock each AP Ban rogue access points Use 128-bit WEP Use SSIDS wisely Limit access rights Limit the number of user addresses Authenticate users Use RADIUS Call in the big boys

Control your broadcast area: wireless access points allow for control of signal strength, and some direction. Place in center of area. Lock each AP: people don’t change the darn defaults! Change them – and MAKE IT GOOD!!! (www.pcmag.com/passwords, click on password dos and don’ts) Ban rogue access points: if you have an AP on your network, make sure you put it there. (www.netstumbler.com)

Use 128-bit WEP: adds a layer of difficulty Use 128-bit WEP: adds a layer of difficulty. HOWEVER easily cracked with freeware (http://airsnort.shmoo.com) Use SSIDS wisely: Change the defaults – AGAIN! Service Set Identifiers (SSIDS) show all your AP information. Also, buy a product that allows you to disable broadcasting the SSIDS. Limit access rights: Authorized MAC cards only!

Limit # of user addresses: constrict the # of DHCP addresses to just enough – then if you have some connection trouble you know you have unauthorized access! Authenticate users: firewalls with VPN connectivity, and require log-ons. Use RADIUS: provides another authentication method (time of day & simultaneous) – can be pricey. (www.freeradius.org) Call in the big boys: AirDefense, server appliance that monitors activity and protects traffic on LANs – really pricey ($10k - $100k depending on # sensors)

Corporate Level Attacks to Consider: WEP Attacks WAP Attacks Brute Force

Corporate Level Security Design IT Sub Department Diagram User Levels Spec Hardware Spec Software Diagram User Levels Define User Access Define LAN Architecture (Wired and Wireless) Define DMZ’s Define Firewall Protocols Define Wireless Sniffing Tools

Corporate Level IT Sub Department: ruthless individuals Spec Hardware based upon needs (# of AP’s defined by # of users, etc…) Go for 802.11a!!! Spec Software based upon required security Granted – Pocketbook is King Diagram User Levels: who needs access to what? Employee status, Employee Area, Employee Expertise

Corporate Level Define LAN Architecture: Does the entire building need wireless? Remember 10 steps. Hardwire offices, meeting rooms, etc… Wireless for open spaces, floor level access for IT employees Define DMZs: What is available online? What is available to Wireless protocols?

Demilitarized Zones

Corporate Level Define Firewall Protocols Allow only ports and protocols needed Kill Telnet, ping, port-scan, etc… Define Wireless Sniffing Tools Use of sniffers to determine unauthorized access is becoming more and more popular. Example: Wavelink’s Mobile Manager. (www.wavelink.com, www.mcafee.com)

Mobile Manager by Wavelink Reduction of DNS attacks through Access Point profiles (streamlining of all AP profiles)

University Level Treat it like Corporate: Much less likely to have money requirements of 802.11a, BUT: Securing 802.11b is defined by: Broadcast area Sniffing Restricting # Users Restricting Access Rights

University Level Use of 802.11b requires more physical security: Wardriving still possible Attacks through Staff Attacks through dormatories Requires a very accurate listing of User MAC addresses Requires accurate accounting for DHCP address use

University Level Time of Day lockdown implementation Set-up of DMZ is critical Just as important as securing corporate data is securing sensitive University data Grades, Degree Plans, Financial Information, etc… Building by building better than broadcast cloud

Public Access Level Problems: Answers Unlike Corporate or University Level, listing MAC addresses is more difficult. Creating the correct DMZ cloud Answers Setting up an account service requiring MAC addresses of users Creating architecture of system before implementation!

Closing Be Smart and Realize that no network is perfect! Hire Good People with a diverse background in Security (More eyes and ears!) Restrict User Access Restrict Number of Users Use of Sniffing Tools Change the Defaults!

Reference Security Watch, PC MAGAZINE, February 25th, 2003, www.pcmag.com. Hacking Exposed, McClure, Scambray, Kurtz, McGrawHill, Chicago, 2001. Secrets & Lies, Schneier, Wiley, New York, 2000. Cisco AVVID Network Infrastructure Enterprise Wireless LAN Design, Adobe Acrobat Presentation, www.cisco.com, 2003.

Questions? Queries? Posers? Inquiries? Huh?