Securing BSC’s Wireless NetworkNercomp Annual Conference

March 7, 2005

Pat Cronin, Assoc. VP Information TechnologyMike King, Telecommunications Technician

Bridgewater State College, Bridgewater MA, 02325

www.bridgew.eduCopyright Bridgewater State College, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To

disseminate otherwise or to republish requires written permission from the author.

Agenda

• BSC Security Challenges of Wireless

• What We Did

• Lessons Learned

• Future Plans

• Question and Answers

Bridgewater State College Background

• Public State College– 10,000 students– 2300 Residents– 1000 Faculty and Staff

• 30+ Buildings on 235 acres of land

• Ranked 50th on Yahoo Internet Life’s list of “Most Wired Colleges of 2001”

Bridgewater State College June 2004 Wireless Environment

• 180 Access Points

• Enterasys R2 units

• 802.11b standard

• Seamless roaming via a VLAN

Security and Authentication2004

• Netreg acts as a captive portal• Netreg maps MAC addresses to username• Scan clients for RPC Vulnerability• 128 bit WEP Encryption• SSID Broadcast disabled• Force users to visit Help Desk• Working Computer & Network Security Team

Remediation Techniques 2004

• During Welchia Virus outbreak, used the Policy feature of R2’s to drop PINGs

• Watched traffic reports for Top Hosts contacting other hosts, and blocked them at firewall. (Virus Like activity)

Infrastructure 2004

LaptopFirewall

Workstation

Workstation

Firewall

Firewall

Internet

WirelessNetwork

Residence HallNetwork

AdminNetwork

Internet

Security Challenges2004

• Viruses, spyware/malware• Windows Patches• Laptop requirement (1500 additional devices)• Transient devices (No college account)• Did not want administrator access to non-college

owned devices• Did not want to deal with maintaining VPN clients• Concern about legacy apps (most were based on

Telnet)

What We did

• We looked at Perfigo, Bradford Campus Manager, Roving Planet, and Still Secure

• We tested Perfigo in March 2004• Decided on 802.1x authentication with Rapid

Rekeying (TKIP)• Purchased Perfigo software• Contracted with Dell and installed BSC image on

program notebooks• Implemented Application based security.

(SSH/HTTPS)

What We Did (Standards)

• Sophos for AV

• Webroot SpySweeper for anti-spyware

• Windows Updates enabled

• Firewall enabled

• Used Microsoft built-in 802.1x client

• Created centralized download site for secure distribution of software

What We Did (New Practices)

• Made Applications available via Citrix

• Obtained Site Licenses for Office and XP

• Introduced the Be Security Conscious initiative to heighten security awareness

• http://it.bridgew.edu/Security/

• Opened two support counters to help repair and train students on laptop computers

Bridgewater State College June 2005 Wireless Environment

• 230+ Access Points• Added AireSpace to Enterasys R2 units• 802.11b standard, Selected area’s with 802.11g

and 802.11a• 802.1x with Rapid Rekeying (TKIP)• Profiles for faculty, students, and staff• New Guest profile• Users log-in with domain credentials

Security Implementation planSummer 2004

• Two major changes were made– 802.1x– Perfigo (Network access Requirements)

• Both Wireless and ResNet users

802.1x Implementation

• Funk Steel belted Radius appliances

• All Roamabout R2 AP’s were configured for 802.1x with Rapid Rekeying, using the Radius Server.

• Clients were configured to used PEAP.

Perfigo Implementation

• Perfigo became the default router for all of the wireless and ResNet students.

• Subnets were shrunk to /29’s, reducing broadcast ranges to 4 hosts per subnets.

• Rules were written to enforce the standard applications and configurations that we made school policy.

Infrastructure 2005

Laptop

Workstation

Workstation

Firewall

Firewall

Perfigo

AdminNetwork

Residence HallNetwork

WirelessNetwork

Internet

Internet

How Does The Scan Work?

Check

Rule

Requirement

Check

Rule

Check

Role(Student)

Role(Admin)

UserName Mapping

Pass/Fail

Fail

Error Messageredirecting towebpage ispresented

Pass Logon to Network

How Does The Scan Work, ExampleNorton Antivirus Corporate Edition

HKLM\Software\Symantec\

InstalledApps\SavceEXISTS

Norton CEInstalled and

current definitions

Norton AntivirusInstalled, Updated,

and Active

HKLM\Software\Symantec\

SharedDefs\Defwatch_10CONTAINS20050304

Norton CE isrunning

Application Statusof

rtvscan isRUNNING

Role(Student)

Role(Admin)

UserName Mapping

Pass/Fail

Fail

Error Messageredirecting towebpage ispresented

Pass Logon to Network

User Based Roles

• Admin

• Student

• Guest

Rules and Requirements at BSC

• Some Version of Norton AV, McAfee, or Sophos Antivirus installed or running

• Windows Update Service running

• Latest Service Packs and Patches– Windows 2000 SP4 and all Hotfixes till

December– Windows XP SP2

Lessons Learned from 802.1x

• OSX and WinCE are difficult to configure

• Win9X have no built in clients (Third party available)

• Only one Palm device has 802.1x support

• Machine Authentication a must for Windows logon to be processed

Lessons Learned from 802.1x

• Not all vendors have released 802.1x drivers• Even with easy to follow directions, most users

sought the helpdesk to have configuration performed for them

• When creating computer images, 802.1x settings do not carry

• Popular devices have no 802.1x support (Wifi Phones, Game console wireless cards, Barcode scanners)

Lessons Learned from Perfigo

• Vendor updates need to be managed and approved

• Computer mobility and different policies in different zones

• Exempt classroom Front-ends• Users did not understand why error

messages were being presented.

Lessons Learned

• We set the security bar high. Maybe too high

• Vacation problems• Touching computers• Core-business is wired, but what is your

users perception?• Network Bridging in WinXP• This security environment is difficult for

your average student.

Future Rules and Requirements

• Some Version of Norton AV, McAfee, or Sophos Antivirus installed, running, recent updates

• Windows Update Service running and configured for automatic download and install

• Require all administrative computers to use Perfigo

Future Rules and Requirements

• Latest Service Packs and Patches– Windows 2000 SP4 and all Hotfixes till the

previous month– Windows XP SP2 and all Hotfixes till the

previous month

• Webroot SpySweeper required

• Latest Version of Perfigo Client. (Now Cisco Clean Access Agent)

Future Wireless Plans

• Upgrade infrastructure including access points• Create wireless solution that supports multiple

SSIDs • Implement campus bus locator app complete with

video surveillance • Extend Campus Card to Off-campus vendors• Cover Bridgewater downtown and add hotspots

Future Wireless PlansMesh Network

Questions and Answers

Questions about the AireSpace Outdoor Mesh product can be directed toJeff Aaronjaaron@airespace.com

408-635-2052