NETWOG Thursday May 10, 2001 Baker SE 120 - PowerPoint PPT Presentation

Provided by: OIT63
Transcript and Presenter's Notes

1
NETWOG Thursday May 10, 2001 Baker SE 120
  • Office of Information Technology

2
Agenda
  • Design: Russ Morrison (20 minutes)
  • Wireless Security Discussion (20 minutes)
  • Campus Wireless Implementations (20)
  • Discussion, Questions, Answers (20)

3
Wireless Web at Ohio State
  • NETWOG

Russell Morrison
Enterprise Networking - The Ohio State University
4
Wireless Initiatives
Point-Point/Multipoint Wireless
Wireless LAN
Wireless Local Loop
Telecommuter
5
Deployment Issues
  • Terminal Mobility in the IP network
  • Wireless Standards
  • IEEE 802.11 Overview
  • Configuration and Service discovery
  • WLAN solves LAN level mobility but...
  • How to support mobility between IP sub-networks
  • Network Design
  • Roaming
  • Future Wireless Quality of Service
  • How to map IP QoS classes into radio link
  • Security

6
Wireless Technologies
[Diagram labels: Mobile TMBU; Campus; Fixed; 2G Cellular; 3G Cellular; Broadband; Wireless LAN; UMTS CDMA 2000; MMDS Clarity; LMDS; 802.11B Aironet; GSM/GPRS CDMA/PDSN; GSM Bldg JetCell; IP RAN IPMobile]
7
WLAN Categories
In-Building WLANs
Building-to-Building WLANS
8
WLAN Vision Performance
  • Small, medium, and large enterprises
  • High power and performance
  • Mobility/Users
  • Cost and manageability

[Timeline chart, 1999 to 2002. Labels: Speed; Network; Radio; IEEE 802.11a/b Ratified]
9
[Diagram labels: Client appl; Host; TCP/IP stack (at both ends); Access Controller; AP; WLAN; WLAN encryption]
Optional end-to-end Data Encryption -> Privacy
  • Key management and PKI needed for secure ad-hoc networking
  • IPSEC aware QoS

Access Controller
IP packet encryption / authentication
AP
802.11 WLAN offers radio link packet authentication and data encryption (RC4)
  • IPSEC and IKE used for security critical access
  • IPSEC policy mngt should be defined
  • AAA needed for global roaming
  • Remote access IPSEC needed

10
Network Design
  • Primary users of the wireless network
      • Administrative
      • Student
  • Total coverage area for the wireless network
      • Isolated Area
      • Entire Building
  • Roaming requirements
      • Continuous building connectivity
      • Isolated roaming
  • Channel Design
  • Access point hardware design
      • Manufacturer (CISCO, Orinoco)
      • Line Power, Transformer Powered

11
Design Considerations
  • Third party interference from same channel usage
  • Potential problem in congested areas

[Diagram: Sites 1A, 1B, 1C, 1D, 2A and 2B, labelled Channel 1]
12
  • When is wireless the right solution?
  • Should I use a wireless network in lieu of a
    wired network?
  • How does a wireless network affect my wired
    network?
  • Do any IP applications adversely affect a wireless
    network?

13
Security Issues for Wireless Networks
  • Steve Romig
  • Enterprise Network Services
  • May, 2001

14
The Same Old Issues
  • Privacy
  • Integrity
  • Availability
  • Authentication
  • Authorization

15
New Twists
  • Anyone with the right antennae can attach to
    the network
  • Physical access controls don't work (how do you
    keycard access to the oval?)

16
Solving the Problems
  • There are (at least) two views
  • Solve the problem at the application layer with
    encryption (e.g. ssh, ssl) and/or better
    authentication/authorization (e.g. Kerberos,
    secur-id)
  • Solve the problem at the network level through
    link encryption (WEP, EAP) or VPN (IPSEC)

17
My View
  • Do what you can (reasonably) at the link level to
    protect the ignorant
  • But don't ignore the application layer!

18
Some Solutions
  • MAC Authentication
      • Cost of maintenance
      • Stolen NIC cards
      • Easy to sniff, spoof MAC addresses with some NIC
        cards (e.g. Linux)

19
Some Solutions
  • WEP (Wired Equivalent Privacy)
      • Simple solutions are easy to break
      • Complex solutions are hard to implement
      • Better than nothing, though
  • EAP
      • Not standard yet
      • Looks nice
      • Needs special authentication server, which needs
        hooks into our local authentication system

20
KarlBridge Access Control
  • Like in the OIT public labs
  • User authenticates to an auth server
  • Auth server tells KarlBridge to permit access
    to/from the user's IP address
  • Doesn't solve privacy, integrity problems
  • We are looking at KarlBridge replacements

21
Related Issues
  • Logging
      • Would be great if you could log DHCP leases
      • If your AP acts as a NAT (Network Address
        Translator), would be nice to log the internal
        IP/external port mappings also
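
Why both logs matter, shown as an added example that is not part of the original slides: an incident report usually gives only an external port and a time, and resolving that to a client needs the NAT mapping first and the DHCP lease second. The log layouts, addresses and function names below are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs (assumed layout, not from the talk).
# DHCP: lease_start lease_end client_ip client_mac
DHCP_LOG = """\
2001-05-10 09:00:00 2001-05-10 11:00:00 10.0.0.21 00:00:5e:00:53:01
2001-05-10 11:05:00 2001-05-10 13:05:00 10.0.0.21 00:00:5e:00:53:02
2001-05-10 09:30:00 2001-05-10 11:30:00 10.0.0.22 00:00:5e:00:53:03
"""
# NAT: mapping_start mapping_end internal_ip external_port
NAT_LOG = """\
2001-05-10 10:15:00 2001-05-10 10:20:00 10.0.0.21 40001
2001-05-10 11:10:00 2001-05-10 11:12:00 10.0.0.21 40001
2001-05-10 10:16:00 2001-05-10 10:18:00 10.0.0.22 40002
"""

def parse(log):
    """Yield (start, end, field_a, field_b) for each whitespace-separated line."""
    for line in log.strip().splitlines():
        d1, t1, d2, t2, a, b = line.split()
        yield (datetime.strptime(f"{d1} {t1}", FMT),
               datetime.strptime(f"{d2} {t2}", FMT), a, b)

def mac_for_ip(ip, when, leases=DHCP_LOG):
    """Return the MAC that held `ip` at `when`, or None if no lease covers it."""
    for start, end, lease_ip, mac in parse(leases):
        if lease_ip == ip and start <= when <= end:
            return mac
    return None

def attribute(external_port, when, nat=NAT_LOG, leases=DHCP_LOG):
    """Resolve an externally observed port and time to (internal_ip, mac)."""
    for start, end, internal_ip, port in parse(nat):
        if int(port) == external_port and start <= when <= end:
            return internal_ip, mac_for_ip(internal_ip, when, leases)
    return None  # no NAT mapping was logged, so the trail ends at the AP
```

In the sample data the same external port and internal IP resolve to two different clients an hour apart, which is why the timestamp has to be part of every lookup.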

22
Security Recommendations
  • Deploy with WEP now, look for something better
    later
  • Use/require application level measures where
    possible
  • Restricting by MAC isn't worth the effort
  • Some form of authentication (with logging) is
    REQUIRED by OSU policy
  • Use KarlBridges for now

23
Proposed Wireless Networking Standards for the
Ohio State University
NETWOG May 10, 2001 C. Morrow-Jones
24
Proposed OSU Wireless Networking Standards
  • OIT is proposing a set of standards for the
    deployment of wireless networks on OSU's
    campuses.
  • These standards will evolve as the wireless
    products evolve. We will update these standards
    periodically.
  • Your reaction to the proposed standards is
    welcomed: morrow-jones.2_at_osu.edu

25
Intent of OSU Wireless Networking Standards
  • Provide information and guidance to Departmental
    Network Administrators who wish to deploy
    departmental wireless networks.
  • Allow maximum flexibility while enabling OIT to
    provide a campus-wide wireless infrastructure.
  • Prevent conflicts in frequency usage between
    departments.

26
Intent of OSU Wireless Networking Standards (2)
  • Allow within-building roaming without loss of
    signal.
  • Prevent unauthorized access to campus and
    departmental LANs.
  • Ensure privacy of data.
  • Make use of common standards to maximize product
    choice.

27
The Proposed OSU Wireless Networking standard
  • 1. Will Require IEEE 802.11b Compliant Products
  • 2. Will Require Client Authentication
  • 3. Will Require Passing Client DHCP Requests Back
    to the Wired Network
  • 4. Will Require that Network Address Translation
    (NAT) be Turned Off
  • 5. Will Require Encryption of Sensitive Data
  • 6. Will Require Adherence to Assigned Channels

28
Will Require Adherence to Assigned Channels
  • 802.11b provides 11 channels; these overlap, so
    at most three channels can be used in the same
    space.
  • At OSU, we will use channels 1, 6, and 11.
  • Channel 1 is reserved for departmental use.
  • Channel 6 is reserved for future expansion.
  • Channel 11 is reserved for campus-wide OIT
    infrastructure.

29
Adherence to Assigned Channels (cont'd)
  • OIT will use Channel 11 for general-purpose
    wireless access.
  • Departments will use Channel 1 for local
    deployment.
  • Channel 6 is reserved for later use.
      • adding additional capacity
      • filling in weak spots.

30
Adherence to Assigned Channels (concluded)
  • Channels other than 1, 6, and 11 must not be
    used, as they will interfere with compliant
    infrastructure
  • Scheme ensures that OIT will not interfere with
    departmental infrastructure and vice versa.
  • Caution: Could be conflicts in locations where
    two departments occupy the same building. If so,
    the departments will have to coordinate wireless
    deployment.
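
The channel rules from the last three slides, as an added example that is not part of the original presentation: it derives the 1/6/11 set from 802.11b channel spacing (5 MHz between centres, roughly 22 MHz signal width) and audits a site survey against the proposed assignments. The survey records, field names and function names are constructed for illustration.

```python
from collections import defaultdict

CHANNEL_WIDTH_MHZ = 22                 # approximate 802.11b DSSS signal width
PLAN = {"oit": 11, "department": 1}    # assignments proposed in the slides
RESERVED = 6                           # held back for later use

def centre_mhz(ch):
    """Centre frequency of 2.4 GHz channel 1..11."""
    return 2407 + 5 * ch

def overlaps(a, b):
    """True when two channels are too close to share the same space."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping(channels=range(1, 12)):
    """Greedy low-to-high pick of mutually non-overlapping channels."""
    picked = []
    for ch in channels:
        if all(not overlaps(ch, p) for p in picked):
            picked.append(ch)
    return picked

def audit(survey):
    """Return (name, finding) pairs for everything that breaks the plan."""
    findings, depts_on_1 = [], defaultdict(set)
    for ap in survey:
        ch, kind = ap["channel"], ap["kind"]
        if ch not in (1, 6, 11):
            hit = [p for p in (1, 6, 11) if overlaps(ch, p)]
            findings.append((ap["name"], f"off-plan channel {ch}, overlaps {hit}"))
        elif ch == RESERVED:
            findings.append((ap["name"], "reserved channel 6 in use"))
        elif ch != PLAN[kind]:
            findings.append((ap["name"], f"{kind} AP on channel {ch}, plan says {PLAN[kind]}"))
        elif kind == "department":
            depts_on_1[ap["building"]].add(ap["owner"])
    for building, owners in sorted(depts_on_1.items()):
        if len(owners) > 1:   # the "Caution" case: two departments, one building
            findings.append((building, f"departments {sorted(owners)} share channel 1"))
    return findings

# Constructed survey data, not from the talk.
SURVEY = [
    {"name": "ap-1", "kind": "oit", "owner": "OIT", "channel": 11, "building": "A"},
    {"name": "ap-2", "kind": "department", "owner": "Dept X", "channel": 1, "building": "A"},
    {"name": "ap-3", "kind": "department", "owner": "Dept Y", "channel": 1, "building": "A"},
    {"name": "ap-4", "kind": "department", "owner": "Dept X", "channel": 3, "building": "B"},
    {"name": "ap-5", "kind": "department", "owner": "Dept Y", "channel": 11, "building": "B"},
]
```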

31
QUESTIONS? SOLUTIONS?
  • THANK YOU!!