Securing BSC’s Wireless Network Nercomp Annual Conference March 7, 2005 Pat Cronin, Assoc. VP...
Transcript of Securing BSC’s Wireless Network Nercomp Annual Conference March 7, 2005 Pat Cronin, Assoc. VP...
Securing BSC’s Wireless NetworkNercomp Annual Conference
March 7, 2005
Pat Cronin, Assoc. VP Information TechnologyMike King, Telecommunications Technician
Bridgewater State College, Bridgewater MA, 02325
www.bridgew.eduCopyright Bridgewater State College, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.
Agenda
• BSC Security Challenges of Wireless
• What We Did
• Lessons Learned
• Future Plans
• Question and Answers
Bridgewater State College Background
• Public State College– 10,000 students– 2300 Residents– 1000 Faculty and Staff
• 30+ Buildings on 235 acres of land
• Ranked 50th on Yahoo Internet Life’s list of “Most Wired Colleges of 2001”
Bridgewater State College June 2004 Wireless Environment
• 180 Access Points
• Enterasys R2 units
• 802.11b standard
• Seamless roaming via a VLAN
Security and Authentication2004
• Netreg acts as a captive portal• Netreg maps MAC addresses to username• Scan clients for RPC Vulnerability• 128 bit WEP Encryption• SSID Broadcast disabled• Force users to visit Help Desk• Working Computer & Network Security Team
Remediation Techniques 2004
• During Welchia Virus outbreak, used the Policy feature of R2’s to drop PINGs
• Watched traffic reports for Top Hosts contacting other hosts, and blocked them at firewall. (Virus Like activity)
Infrastructure 2004
LaptopFirewall
Workstation
Workstation
Firewall
Firewall
Internet
WirelessNetwork
Residence HallNetwork
AdminNetwork
Internet
Security Challenges2004
• Viruses, spyware/malware• Windows Patches• Laptop requirement (1500 additional devices)• Transient devices (No college account)• Did not want administrator access to non-college
owned devices• Did not want to deal with maintaining VPN clients• Concern about legacy apps (most were based on
Telnet)
What We did
• We looked at Perfigo, Bradford Campus Manager, Roving Planet, and Still Secure
• We tested Perfigo in March 2004• Decided on 802.1x authentication with Rapid
Rekeying (TKIP)• Purchased Perfigo software• Contracted with Dell and installed BSC image on
program notebooks• Implemented Application based security.
(SSH/HTTPS)
What We Did (Standards)
• Sophos for AV
• Webroot SpySweeper for anti-spyware
• Windows Updates enabled
• Firewall enabled
• Used Microsoft built-in 802.1x client
• Created centralized download site for secure distribution of software
What We Did (New Practices)
• Made Applications available via Citrix
• Obtained Site Licenses for Office and XP
• Introduced the Be Security Conscious initiative to heighten security awareness
• http://it.bridgew.edu/Security/
• Opened two support counters to help repair and train students on laptop computers
Bridgewater State College June 2005 Wireless Environment
• 230+ Access Points• Added AireSpace to Enterasys R2 units• 802.11b standard, Selected area’s with 802.11g
and 802.11a• 802.1x with Rapid Rekeying (TKIP)• Profiles for faculty, students, and staff• New Guest profile• Users log-in with domain credentials
Security Implementation planSummer 2004
• Two major changes were made– 802.1x– Perfigo (Network access Requirements)
• Both Wireless and ResNet users
802.1x Implementation
• Funk Steel belted Radius appliances
• All Roamabout R2 AP’s were configured for 802.1x with Rapid Rekeying, using the Radius Server.
• Clients were configured to used PEAP.
Perfigo Implementation
• Perfigo became the default router for all of the wireless and ResNet students.
• Subnets were shrunk to /29’s, reducing broadcast ranges to 4 hosts per subnets.
• Rules were written to enforce the standard applications and configurations that we made school policy.
Infrastructure 2005
Laptop
Workstation
Workstation
Firewall
Firewall
Perfigo
AdminNetwork
Residence HallNetwork
WirelessNetwork
Internet
Internet
How Does The Scan Work?
Check
Rule
Requirement
Check
Rule
Check
Role(Student)
Role(Admin)
UserName Mapping
Pass/Fail
Fail
Error Messageredirecting towebpage ispresented
Pass Logon to Network
How Does The Scan Work, ExampleNorton Antivirus Corporate Edition
HKLM\Software\Symantec\
InstalledApps\SavceEXISTS
Norton CEInstalled and
current definitions
Norton AntivirusInstalled, Updated,
and Active
HKLM\Software\Symantec\
SharedDefs\Defwatch_10CONTAINS20050304
Norton CE isrunning
Application Statusof
rtvscan isRUNNING
Role(Student)
Role(Admin)
UserName Mapping
Pass/Fail
Fail
Error Messageredirecting towebpage ispresented
Pass Logon to Network
User Based Roles
• Admin
• Student
• Guest
Rules and Requirements at BSC
• Some Version of Norton AV, McAfee, or Sophos Antivirus installed or running
• Windows Update Service running
• Latest Service Packs and Patches– Windows 2000 SP4 and all Hotfixes till
December– Windows XP SP2
Lessons Learned from 802.1x
• OSX and WinCE are difficult to configure
• Win9X have no built in clients (Third party available)
• Only one Palm device has 802.1x support
• Machine Authentication a must for Windows logon to be processed
Lessons Learned from 802.1x
• Not all vendors have released 802.1x drivers• Even with easy to follow directions, most users
sought the helpdesk to have configuration performed for them
• When creating computer images, 802.1x settings do not carry
• Popular devices have no 802.1x support (Wifi Phones, Game console wireless cards, Barcode scanners)
Lessons Learned from Perfigo
• Vendor updates need to be managed and approved
• Computer mobility and different policies in different zones
• Exempt classroom Front-ends• Users did not understand why error
messages were being presented.
Lessons Learned
• We set the security bar high. Maybe too high
• Vacation problems• Touching computers• Core-business is wired, but what is your
users perception?• Network Bridging in WinXP• This security environment is difficult for
your average student.
Future Rules and Requirements
• Some Version of Norton AV, McAfee, or Sophos Antivirus installed, running, recent updates
• Windows Update Service running and configured for automatic download and install
• Require all administrative computers to use Perfigo
Future Rules and Requirements
• Latest Service Packs and Patches– Windows 2000 SP4 and all Hotfixes till the
previous month– Windows XP SP2 and all Hotfixes till the
previous month
• Webroot SpySweeper required
• Latest Version of Perfigo Client. (Now Cisco Clean Access Agent)
Future Wireless Plans
• Upgrade infrastructure including access points• Create wireless solution that supports multiple
SSIDs • Implement campus bus locator app complete with
video surveillance • Extend Campus Card to Off-campus vendors• Cover Bridgewater downtown and add hotspots
Future Wireless PlansMesh Network
Questions and Answers
Questions about the AireSpace Outdoor Mesh product can be directed toJeff [email protected]
408-635-2052