SECURE WIRELESS NETWORK IN ISIK UNIVERSITY SILE CAMPUS - PowerPoint PPT Presentation

Slides: 46
Provided by: volkan
Transcript and Presenter's Notes

1
SECURE WIRELESS NETWORK IN ISIK UNIVERSITY SILE CAMPUS
2
  • Designed by VOLKAN MUHTAROGLU

3
WLAN (Wireless LAN)
  • WLANs were introduced in 1986 for use in barcode
    scanning.
  • A properly selected and installed Wi-Fi or
    wireless fidelity.
  • The technologies are 802.11a, 802.11b and
    802.11g; 802.11g is the latest. These are IEEE
    standards.

4
GENERAL TOPOLOGY OF WLAN
5
THE PROJECT
  • The problem is how three different kinds of users
    can securely access different types of data
    through an access point on our campus.
  • In other words, three kinds of people (students,
    university staff and data processing center
    workers) access different types of data, or have
    different rights, when they connect securely
    through the access point.

6
THREE DIFFERENT USERS
  1. Student
  2. University Staff
  3. Data Processing Center Worker

7
COMPONENTS OF SECURE WIRELESS NETWORK
  1. Cisco Aironet 1100 Series Access Point
  2. Radius Server
  3. Two switches (one is a manageable switch, the
    other is a backbone switch)
  4. VLAN
  5. Cisco PIX Firewall
  6. WEP LEAP
  7. Database Server
  8. Intranet Web Server

8
Cisco Aironet 1100 Series Access Point
  • It is a wireless LAN transceiver.
  • The 1100 series is cheaper than the others and
    its performance is really efficient.
  • It is also easily manageable and common all over
    the world.

9
RADIUS SERVER
  • RADIUS is a distributed client/server system that
    secures networks against unauthorized access.
  • Use RADIUS in network environments that require
    access security.
  • This server is also called an AAA server, which
    means Audit, Authentication and Accounting.
  • In my project the RADIUS server will provide
    authentication and MAC filtering.

10
SWITCHES
  • Manageable switch
  • Backbone switch
  • I will use three different types of IP addresses.
    Students will get 10.0.x.x, university staff will
    get 10.50.x.x, and data processing center workers
    will get 192.168.x.x.

11
VLAN
  • VLAN is a switched network that is logically
    segmented.
  • I will use VLANs to give these three different
    types of users different rights on the WLAN.

12
CISCO PIX FIREWALL
  • I chose it because I have it.

13
DATABASE AND INTRANET WEB SERVER
  • Database Server: only data processing center
    workers can access this server.
  • Intranet Web Server: only university staff and
    data processing center workers can access this
    server.

14
HOW WILL THE DESIGN BE?
  • First, how will students, university staff and
    data processing center workers be placed on
    different VLANs, and how can I give them
    different rights?
  • Second, how do these people get onto these VLANs?
  • Third, and most important, how can I provide
    security?

15
SSID (Service Set Identifier)
  • When you connect to a WLAN you will see the name
    of the WLAN, which is the SSID.

16
FOR VLAN 1
  • We define two different SSIDs: one of them is
    broadcast, the other one is secret.
  • For instance, our broadcast SSID is tsunami and
    our non-broadcast (secret) SSID is Private. When
    you connect to the WLAN through the access point,
    everybody automatically sees the tsunami SSID.
    When you connect to it, you are placed on VLAN 1,
    and this VLAN provides access to the Internet
    only.

17
AUTHENTICATION
  • If you are not a student, you type the
    non-broadcast SSID name to connect; you will then
    see the username-password window, which is how
    you obtain different rights.
  • When you enter the username and password, the
    information goes to the RADIUS server.
  • At this point EAP (Extensible Authentication
    Protocol) is used.

18
AUTHENTICATION TOPOLOGY
19
WEP (Wired Equivalent Privacy)
  • WEP is an encryption algorithm used by the Shared
    Key authentication process for authenticating
    users and for encrypting data payloads over only
    the wireless segment of the LAN.
  • The secret key lengths are 40-bit or 104-bit,
    yielding WEP key lengths of 64 bits and 128 bits.
  • A WEP key is an alphanumeric character string
    used in two ways in a wireless LAN:
    • to verify the identity of an authenticating
      station;
    • for data encryption.
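
The step from a 40-bit or 104-bit secret to a 64-bit or 128-bit WEP key comes from a 24-bit initialization vector (IV) that is prepended to the secret for every frame and sent unencrypted in the frame header. The sketch below is an added example, not part of the original presentation; it builds and checks one WEP frame body with RC4 and a CRC-32 integrity check value, and the function names and sample values are assumptions.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_seed(iv: bytes, secret: bytes) -> bytes:
    """Per-frame RC4 key: 24-bit IV prepended to the 40- or 104-bit secret."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 3 bytes, secret 5 or 13 bytes")
    return iv + secret  # 8 bytes = 64 bits, or 16 bytes = 128 bits

def wep_encrypt(secret: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Frame body: IV (clear) | key-ID byte (clear) | RC4(payload | ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")  # integrity check value
    return iv + bytes([(key_id & 3) << 6]) + rc4(wep_seed(iv, secret), payload + icv)

def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Rebuild the seed from the clear IV, decrypt, and verify the ICV."""
    iv, body = frame[:3], frame[4:]
    plain = rc4(wep_seed(iv, secret), body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: wrong key or altered frame")
    return payload

# Constructed sample values, not taken from the slides.
SECRET_40 = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
FRAME = wep_encrypt(SECRET_40, IV, 0, b"hello campus")
```
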

20
CRITERIA
  • The 802.11 standard specifies the following
    criteria for security:
    • Exportable
    • Reasonably Strong
    • Self-Synchronizing
    • Computationally Efficient
    • Optional
  • WEP meets all these requirements.
  • WEP supports the security goals of
    confidentiality, access control, and data
    integrity.

21
WEP KEY
  • A WEP key is an alphanumeric character string
    used in two ways in a wireless LAN:
    • to verify the identity of an authenticating
      station;
    • for data encryption.

22
WEP KEY TABLE
23
EAP (Extensible Authentication Protocol)
  • This authentication type provides the highest
    level of security for your wireless network.
  • It uses the Extensible Authentication Protocol
    (EAP) to interact with an EAP-compatible RADIUS
    server.
  • This is a type of dynamic WEP key.
  • There are five different types of EAP; I will use
    LEAP (Lightweight Extensible Authentication
    Protocol, designed by Cisco), which is the most
    secure.

24
LEAP TOPOLOGY
25
MAC (Media Access Control) ADDRESS FILTERING
  • The server checks the address against a list of
    allowed MAC addresses.
  • If your MAC address is a university staff MAC
    address, you are placed on VLAN 2 and have those
    rights; if your MAC address is a data processing
    center worker's address, you are placed on VLAN 3
    and have those rights.

26
MAC FILTERING TOPOLOGY
27
STUDENT TOPOLOGY-1
28
STUDENT TOPOLOGY-2
29
STUDENT GENERAL TOPOLOGY
30
UNIVERSITY STAFF TOPOLOGY-1
31
UNIVERSITY STAFF TOPOLOGY-2
32
UNIVERSITY STAFF TOPOLOGY-3
33
UNIVERSITY STAFF GENERAL TOPOLOGY
34
DATA PROCESSING CENTER WORKER TOPOLOGY-1
35
DATA PROCESSING CENTER WORKER TOPOLOGY-2
36
DATA PROCESSING CENTER WORKER TOPOLOGY-2
37
DATA PROCESSING CENTER WORKER GENERAL TOPOLOGY
38
SECURITY POLICY
  • The purpose of this policy is to provide guidance
    for the secure operation and implementation of
    wireless local area networks (WLANs).

39
AUTHENTICATION
  • University staff and data processing center
    workers have to authenticate to the system if
    they want to have different kinds of rights.
  • Username and password authentication is used, so
    users must use strong passwords (alphanumeric and
    special character string at least eight
    characters in length).
  • Shared secret (or shared key) authentication must
    be used to authenticate to the WLAN.
40
ENCRYPTION AND ACCESS CONTROL
  • Distinct WEP keys provide more security than
    default keys and reduce the risk of key
    compromise.
  • SSID
  • MAC (Media Access Control)

41
FIREWALL
  • The firewall provides security based on ports.

42
PHYSICAL AND LOGICAL SECURITY
  • Access points must be placed in secure areas,
    such as high on a wall, in a wiring closet, or in
    a locked enclosure, to prevent unauthorized
    physical access and user manipulation.
  • Access points must have Intrusion Detection
    Systems (IDS) at designated areas on campus
    property to detect unauthorized access or attack.

43
CONCLUSION
  • With this design, students, university staff and
    data processing center workers can access the
    network securely wherever they want, without
    using extra devices or making any adjustments.

44
  • QUESTIONS?
