Published by Barbara Harper. Modified over 9 years ago.
1
WIRELESS DEPLOYMENT
A successful solution to Campuswide role-based secure Wi-Fi deployment
Andrea Di Fabio – Information Security Officer
Copyright Andrea Di Fabio 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Agenda
1. The Challenge
   Manageability
   End User Configuration
   Campus and User Security
   Wireless Standards
   Hardware and Vendors
2. The Results
   Selection of Standards
   Hardware and Vendor Selection
   Wireless Site Survey
3. Pitfalls and Solutions
   Shared Computers
   PDA’s
   Remote Locations (no VLAN)
   The business case for Wi-Fi
4. Conclusion
3
Manageability
Least time managing the infrastructure
Standard Configuration = fast deployment
   Access Points
   End User
Health monitoring tools
Simple effective and secure
4
End User Configuration
As simple as possible
Standard configuration for all users
Secure communication
Awareness Program
   Flyers and Web instructions
5
Campus and User Security
GOAL: Simple effective and secure
Protect the end user
   Encryption
   Dynamic keys
   Key rotation
Protect the Campus Network
   VLAN’s and ACL’s
   Encryption
   Authentication
Role-based security context
   Automatic VLAN switching
   Per VLAN ACL’s
User Authentication Required
Wireless Encryption Required
Awareness VS Technical Controls
6
The Challenge Matrix
Manageability | Configuration | Security
Least time | Simple | User Authentication
Standard configuration | Standard | Role-Based Context
Simple and Secure | Secure | Encryption
Health monitoring | |
7
Possible Solutions
Columns: Wi-Fi, Manageability, Configuration, Security
Open: Simplest, None
Plain Text & Authenticated: Moderate, User Access
Encrypted & No Auth: Complex, Moderate, Data
Encrypted & Authenticated: Complex, ?, User & Data
8
Wireless Standards
Some Technical Jargon and … Let the fun begin!
802.11a/b/g/i
802.1X
EAP, PEAP, LEAP, TLS, TTLS
WEP, WPA, WPA2, TKIP, CCMP
RADIUS, IETF, EXTENDED TAGS
WIRELESS MESH
9
Wireless Standards
 | PEAP with Generic Token Card (GTC) | PEAP with MS-CHAP Version 2 | Cisco LEAP | EAP-TLS
User Authentication | Windows NT Active Directory, Novell NDS, OTP | Windows NT Active Directory | Windows NT Domains, Active Directory | Windows NT Active Directory, Novell NDS, OTP
Requires Server Certificates | Yes | Yes | No | Yes
Requires Client Certificates | No | No | No | Yes
10
THE TEAM
Network Team:
   Select vendor supporting selected standards
   Determine needs for additional VLANS
   Conduct site survey and deploy AP’s
Server Team:
   Define/Create AD groups for VLAN mappings
   User Dept mappings delegated to depts.
   ADSI Scripts to regroup users
Security Team:
   Selecting and implementing the standards
   Defining and implementing QoS requirements
11
The Implementation 802.1X PEAP Authentication with Dynamic VLAN Assignment
12
Hardware and Vendors
Project Team Selects:
CISCO Aironet AP’s
   Coverage inside buildings
   We started with Dorms and Admin Buildings
   Mostly one AP per floor (no overlapping channels)
Vivato Panels
   Green space coverage
   5 Panels, each panel is made of 11 AP’s
   Very Directional.
13
AP Configuration
dot11 ssid NSUWIFI
   vlan 172
   ! PEAP
   authentication open eap eap_methods
   ! LEAP
   authentication network-eap eap_methods
   ! WPA
   authentication key-management wpa cckm optional
!
interface Dot11Radio0
 !
 encryption vlan 172 mode ciphers tkip wep128
 !
 encryption vlan 75 mode ciphers tkip wep128
!
interface BVI1
 ! MGMT
 ip address 192.168.1.100 255.255.255.0
14
RADIUS CONFIGURATION
Database Mappings
Prioritize group mappings
15
RADIUS CONFIGURATION
Use RADIUS Shared Secret Between AP and RADIUS Server
Make good use of RADIUS Attributes
VLAN TAGGING
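
Added example (not from the original slides): Python code for the RADIUS side of the dynamic VLAN assignment named on the two RADIUS CONFIGURATION slides, covering prioritized group mappings, the RFC 3580 VLAN attributes, and the shared-secret Response Authenticator that the AP checks. The group names, the secret and the role-to-VLAN pairing are assumptions; only VLAN IDs 172 and 75 come from the AP configuration slide, and a real PEAP Access-Accept carries further attributes that are left out here.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions): group names, secret, role-to-VLAN pairing.
SHARED_SECRET = b"example-ap-radius-secret"
GROUP_TO_VLAN = [("WiFi-Staff", 75), ("WiFi-Students", 172)]  # priority order

def pick_vlan(user_groups, mappings=GROUP_TO_VLAN):
    """Return the VLAN of the first (highest-priority) mapping the user matches, else None."""
    for group, vlan in mappings:
        if group in user_groups:
            return vlan
    return None

def tunnel_attrs(vlan_id):
    """RFC 3580 VLAN assignment attributes in RFC 2868 wire format (tag byte 0)."""
    vid = str(vlan_id).encode()
    return (struct.pack("!BBI", 64, 6, 13)                 # Tunnel-Type = VLAN (13)
            + struct.pack("!BBI", 65, 6, 6)                # Tunnel-Medium-Type = IEEE-802 (6)
            + struct.pack("!BB", 81, 2 + len(vid)) + vid)  # Tunnel-Private-Group-ID, untagged

def access_accept(identifier, request_auth, attrs, secret):
    """Build an Access-Accept; Response Authenticator = MD5 over reply fields + secret (RFC 2865)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def ap_verify_and_get_vlan(packet, request_auth, secret):
    """AP side: reject replies not keyed with the shared secret, then read the VLAN ID."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    vlan, i = None, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        if atype == 81:
            vlan = int(attrs[i + 2:i + alen].decode())
        i += alen
    return vlan

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    vlan = pick_vlan({"Domain Users", "WiFi-Students"})
    reply = access_accept(1, req_auth, tunnel_attrs(vlan), SHARED_SECRET)
    print(ap_verify_and_get_vlan(reply, req_auth, SHARED_SECRET))
```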
16
Wireless Coverage Site Survey by Elandia Solutions, Inc.
17
The Flyer The Instructions … WIRELESS Configuration … and the Pitfalls
18
Shared Computers The Problem Authentication of new users The Solution
19
PDA’s
The Problem
   Limited Support for 802.1X on PDA’s
The Solution
   Funk’s Odyssey (Commercial)
   Future Plans …
20
Remote Locations (no VLAN) The Problem RADIUS TAGGING on FLAT NETWORK … The Solution
21
The Business Case for Wi-Fi
$$$$ Wireless GB bridges VS Fiber
Great success in Resident Halls
Full VLAN Support (Layer 2)
Wireless Labs and Classrooms
VBHEC Lab 100% Wireless
Wireless Collaboration Classes
WPA2 ‘almost’ as secure as Wired
Wireless VoIP Phones
22
Conclusion
A successful solution to Campuswide role-based secure Wi-Fi deployment
Auto VLAN + encryption + authentication can be SIMPLE
Need for a well-developed directory infrastructure
Assemble a diverse team: InfoSec, Network, Server, Faculty/Staff
Use well-known vendors and upgradeable hardware
Know the Pros and Cons in your Options
Balance Security, User Access, Configuration and Administration
802.1X PEAP MS-ChapV2 with Dynamic VLANS
Per Session WEP Key migrating to WPA TKIP
Natively supported by Windows and Mac OS
Linux Support in wpa_supplicant and Open1X
23
Q&A adifabio@nsu.edu