Wireless Security Basics

Transcript of a PowerPoint presentation: "Wireless Security Basics. A Discussion Motivator For Technology Coordinators of NWOCA Owner-Member Schools."

Wireless Security Basics

A Discussion Motivator for Technology Coordinators of NWOCA Owner-Member Schools

December 9, 2004 2

Vision Statement

In the future NWOCA member school districts will implement wireless network access points in a consistent, easily managed mode, and in a manner that protects network integrity for all NWOCA member school districts.

Today’s Goals and Objectives

Achieve a basic understanding of terminology and related technologies

Provide suggestions for short-term rudimentary security mechanisms that should be implemented for all wireless devices

Today’s Goals and Objectives (cont’d.)

Initiate a dialogue that leads to the development of a wireless security policy that is embraced by NWOCA and all its member school districts

Today’s Situation

Most district wireless access points are “wide open”, with no security mechanisms implemented

Some “rogue” (not implemented or managed by the district technology staff or NWOCA) wireless access points exist in the network

Today’s Situation (cont’d.)

Many NWOCA school districts are (unknowingly) providing unsecured wireless access in public areas outside of their buildings

Most districts don’t understand the “hidden” costs of wireless total cost of ownership (TCO) [see next two slides]

Wired vs. Wireless TCO

Gartner Research (June 2004):

  Wired LAN cost: $453/user/year
  Wireless LAN cost: $1,026/user/year
  Mixed wired and wireless LAN cost: $1,043/user/year

The cost differential is primarily in personnel costs for administering wireless vs. wired networks

Gartner Recommendations

Wired LANs are more reliable, secure, and faster than their wireless counterparts

Understand that wireless has a much higher TCO than wired LANs and assess whether the productivity gains or convenience outweigh the additional costs

Today’s Situation (cont’d.)

Wireless access points are SNMP-managed gateways to the network, and (technically) are required to be under the management of NWOCA personnel per NWOCA’s network management policy adopted by the member school district boards of education

Today’s Situation (cont’d.)

Unauthorized network usage represents a financial liability for the school district, with a penalty being the potential loss of E-Rate, ODE, and OSN technology funding; and/or criminal/civil liability under the Family Educational Rights and Privacy Act (FERPA) and HIPAA

Today’s Situation (cont’d.)

A good security strategy is like an onion. It has to have multiple and varied layers to be any good.

Security enforcement at each NWOCA district has a direct effect on the security of all other districts served by NWOCA … “weakest link” syndrome

How Did We Get Here?

Wireless access points can be easily, cheaply, and quickly implemented when overall network security and user authentication strategies are not taken into consideration

Wireless access points are cheap and can be used to provide access to areas that would otherwise remain unserved

Terminology/Definitions

802.11 ~ IEEE specification for over-the-air wireless networks
802.11i ~ IEEE specification for “next generation” WLAN security (ratified June 2004; WPA2 is the Wi-Fi Alliance certification of it)
802.1X ~ IEEE specification for port-based network access control
AES ~ Advanced Encryption Standard
EAP ~ Extensible Authentication Protocol
FAST ~ Flexible Authentication via Secure Tunneling (EAP-FAST)
LAN ~ Local Area Network (intra-building)
LEAP ~ Lightweight Extensible Authentication Protocol (Cisco proprietary)
MAC ~ Media Access Control
MD5 ~ Message Digest Algorithm 5 (a hash function, not an encryption algorithm)
MSCHAP ~ Microsoft Challenge-Handshake Authentication Protocol
PEAP ~ Protected Extensible Authentication Protocol
PKI ~ Public Key Infrastructure
RF ~ Radio Frequency
SSID ~ Service Set Identifier (the name of a wireless network)
TCO ~ Total Cost of Ownership
TLS ~ Transport Layer Security
TTLS ~ Tunneled Transport Layer Security
VPN ~ Virtual Private Network
WAN ~ Wide Area Network (inter-building)
WAP ~ Wireless Access Point
WEP ~ Wired Equivalent Privacy
Wi-Fi ~ Wireless Fidelity (the Wi-Fi Alliance brand name for interoperable 802.11 products)
WLAN ~ Wireless Local Area Network
WPA ~ Wi-Fi Protected Access
WPA2 ~ Wi-Fi Protected Access 2, using AES (the 802.11i-based successor to WPA)

Available Options

Do nothing – ignore the issue
  Potentially catastrophic strategy
  Financial/civil liabilities for districts
  Network disruption potential

Adopt a multi-strategy approach
  Try to eliminate or minimize financial/civil liabilities for districts
  Strengthen overall security within NWOCA’s network – “weakest link” syndrome

Recommended Strategies

Education & Training: problem awareness and understanding is key to success

Establish consensus for minimum agreed-upon wireless security measures to be implemented for all wireless implementations within NWOCA’s network

Recommended Strategies (cont’d.)

Convene a committee of technology coordinators and NWOCA personnel to develop and propose a comprehensive WLAN security policy for adoption and implementation for all NWOCA member school districts

Strategy: Education

This session

What other educational/information sessions are needed by NWOCA member district coordinators?

Strategy: Minimal Security Steps

1. Change the default wireless access point administrative password
   a. Eliminates casual access to the administrative functions of the wireless access point

2. Change the SSID away from the vendor default
   a. Do not make the SSID “obvious”, and change it every school year if administratively feasible

Strategy: Minimal Security Steps (cont’d.)

3. Set SSID broadcast to “NO”
   a. Avoid broadcasting the name of your wireless network and making it easier for casual hackers to attempt unauthorized access
   b. Note: Some wireless access points do not support this feature. Note also that this only removes the name from beacon frames; it is still sent in the clear in probe responses and association requests, so anyone running a wireless sniffer still learns it. Treat it as housekeeping against casual browsing, not as a security control.
   c. Should there be a “standard” for wireless access points in the NWOCA network?

Strategy: Minimal Security Steps (cont’d.)

4. Enable WEP Encryption
   a. If your volume of wireless devices permits, enable WEP encryption to provide more secure transmission of data wirelessly. This is especially important if student data is being transmitted wirelessly.
   b. Create WEP keys creatively using a mixture of nonsense words and numbers, using the highest encryption level possible (128-bit, which is a 104-bit key plus the 24-bit IV that is transmitted in the clear)
   c. Change WEP keys each school year if administratively feasible
   d. Caveat: WEP is cryptographically broken. Its RC4 keystream depends only on the IV and the key, the 24-bit IV repeats in normal use, and passive key-recovery tools were publicly available by 2004; key length and key “creativity” do not change this. WEP is still better than an open access point, but where the access points and clients support WPA or WPA2 (see the definitions above), use those instead.
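Step 4 recommends WEP with a “creative” 128-bit key. The block below is an added example (not part of the presentation) showing why key quality does not help: WEP derives its RC4 keystream from the 24-bit IV plus the key, the IV travels in the clear and repeats (by the birthday bound, roughly 4,800 frames give a 50% chance of a repeat; sooner on cards that restart the IV counter at zero after power-up), and one frame with known content under a repeated IV hands an eavesdropper the keystream for every other frame sent under that IV. The key, IV and frame contents are constructed; the LLC/SNAP prefix is the real constant that starts nearly every 802.11 data frame. The separate FMS-style key-recovery attacks on WEP are not shown.

```python
"""Why WEP stays weak however creative the key: keystream reuse under a repeated IV.

Added example, not part of the original presentation.  The key, IV and
frame bodies are constructed.  The framing (3-byte IV in the clear, RC4
keyed with IV||key, CRC-32 ICV) follows WEP; the LLC/SNAP header is the
real constant prefix of nearly every 802.11 data frame, which is what
gives an eavesdropper known plaintext for free.
"""
import math
import struct
import zlib

LLC_SNAP = bytes.fromhex("aaaa03000000")  # constant start of 802.11 data payloads


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key104: bytes, iv: bytes, payload: bytes) -> bytes:
    """'128-bit' WEP: 104-bit key + 24-bit IV.  Output is IV || RC4(payload || ICV)."""
    assert len(key104) == 13 and len(iv) == 3
    body = payload + icv(payload)
    return iv + xor(body, rc4_keystream(iv + key104, len(body)))


def wep_decrypt(key104: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key104, len(body)))
    payload = plain[:-4]
    if icv(payload) != plain[-4:]:
        raise ValueError("ICV mismatch")
    return payload


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext for one frame yields that IV's keystream: ks = C xor P."""
    return xor(frame[3:], known_payload + icv(known_payload))


def strip_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the same IV, as far as the keystream reaches."""
    return xor(frame[3:], keystream)


def iv_collision_frames(probability: float = 0.5) -> int:
    """Frames after which some 24-bit IV has repeated with the given probability (birthday bound)."""
    return math.ceil(math.sqrt(2 * 2**24 * math.log(1 / (1 - probability))))


# Constructed demo material.  Any 13-byte key behaves the same way.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")
IV = bytes.fromhex("c0ffee")
# An ARP request (ethertype 0x0806) whose content the eavesdropper already knows,
# e.g. because they provoked it; the 20 address bytes are constructed placeholders.
KNOWN = LLC_SNAP + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)
# A second frame, sent under the same IV, carrying something sensitive (constructed).
SECRET = LLC_SNAP + b"\x08\x00" + b"student SSN 123-45-6789"


def demo() -> bytes:
    """Two frames under one IV: the known one unlocks the other without touching the key."""
    c_known = wep_encrypt(KEY, IV, KNOWN)
    c_secret = wep_encrypt(KEY, IV, SECRET)
    keystream = recover_keystream(c_known, KNOWN)
    return strip_with_keystream(c_secret, keystream)[:len(SECRET)]


if __name__ == "__main__":
    print("recovered:", demo())
    print("frames for a 50% chance of an IV repeat:", iv_collision_frames())
```

The recovery in demo() never touches KEY: a longer or more random key changes nothing, only a fresh IV for every frame would, and WEP has no room for that. WPA’s TKIP and WPA2’s AES-CCMP exist precisely to fix this per-frame keying problem.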

Strategy: Minimal Security Steps (cont’d.)

5. Enable MAC Filtering
   a. If your wireless device volume permits, enable MAC (Media Access Control) filtering. This creates an access control list allowing only registered devices to access the wireless network.
   b. MAC addresses can be spoofed (every frame carries its source MAC in the clear, so an attacker can copy a registered one), but it is like adding another lock on your front door. The more obstacles you present, the more likely hackers will try less secure organizations.

Strategy: Minimal Security Steps (cont’d.)

6. Ensure you own the “footprint” of all WLAN access points
   a. Test your wireless access points to determine whether they are providing coverage outside your facilities. If so, move them so that doesn’t occur, or install directional antennas to focus the footprint. Some access points have adjustable power levels to assist with this problem.

Strategy: Minimal Security Steps (cont’d.)

7. Install or enable a personal firewall on all laptops authorized to use a wireless interface, and lock down visibility of, and changes to, the network control settings on those that have been authorized.
   a. Restrict open ports to specific IP addresses and ranges as needed

Strategy: Minimal Security Steps (cont’d.)

8. Educate district personnel that connecting unauthorized wireless access points to the school network is not permitted

Strategy: Minimal Security Steps (cont’d.)

9. Use Static IP Addressing for Wireless Clients
   a. Static IP addressing forces wireless clients to have a legitimate IP address before access to the network is granted. It forces hackers to know the network addressing scheme and manually allocate an address and gateway.
   b. Caveat: the addressing scheme is visible to anyone sniffing the traffic (in the clear on an open access point, with modest effort on a WEP one), so this deters only casual connections; it is not authentication.
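Steps 1 through 9 are per-access-point settings, and the “Today’s Situation” slides name the two things a walk-around survey has to catch: rogue access points and footprints that leak outside the building. The following added example (not part of the presentation) audits a site survey against both. The authorized-AP inventory, the default-SSID list, the scan records and the -75 dBm outdoor threshold are all constructed assumptions; in practice the records would come from whatever scanning tool the district walks the building with.

```python
"""Audit a wireless site survey against the minimal access-point steps.

Added example, not part of the original presentation.  The authorised-AP
inventory, default-SSID list and scan records are constructed for
illustration; real records come from a survey tool run inside and outside
each building.
"""
from dataclasses import dataclass

# Authorised access points, keyed by BSSID (the AP radio's MAC address).
# Constructed inventory; a district would keep this in its asset list.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "hs-staff-2004", "location": "HS library"},
    "00:11:22:33:44:02": {"ssid": "ms-staff-2004", "location": "MS office"},
    "00:11:22:33:44:03": {"ssid": "es-lab", "location": "ES lab"},
}

# Vendor-default SSIDs that step 2 says to change.  Constructed, not exhaustive.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "wireless", "dlink"}


@dataclass
class ScanRecord:
    bssid: str
    ssid: str          # "" when the AP is not broadcasting its SSID
    encryption: str    # "OPEN", "WEP", "WPA" or "WPA2"
    rssi_dbm: int      # received signal strength at the surveyor's position
    observed_at: str   # "inside" or "outside" the building


# Constructed survey: one clean AP, one still on last year's SSID with WEP,
# one heard from the parking lot, one rogue Linksys and one faint unknown.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "hs-staff-2004", "WPA", -45, "inside"),
    ScanRecord("00:11:22:33:44:02", "ms-staff-2003", "WEP", -50, "inside"),
    ScanRecord("00:11:22:33:44:03", "es-lab", "WPA", -70, "outside"),
    ScanRecord("00:0c:41:aa:bb:cc", "linksys", "OPEN", -60, "inside"),
    ScanRecord("00:0c:41:aa:bb:dd", "", "WEP", -82, "outside"),
]


def audit(scan, authorized=AUTHORIZED, default_ssids=DEFAULT_SSIDS,
          outside_threshold_dbm=-75):
    """Return (bssid, category, detail) findings for every policy deviation.

    outside_threshold_dbm: an authorised AP heard outside at or above this
    level counts as a footprint leak (step 6).  Calibrate it against your
    own survey gear; -75 dBm is an assumed figure, not a standard.
    """
    findings = []
    for r in scan:
        known = authorized.get(r.bssid)
        if known is None:
            # An unlisted AP heard indoors or with a strong signal is a rogue
            # candidate; a faint one outside is more likely a neighbour.
            if r.observed_at == "inside" or r.rssi_dbm >= outside_threshold_dbm:
                findings.append((r.bssid, "rogue", f"unlisted AP, SSID {r.ssid!r}"))
            else:
                findings.append((r.bssid, "unknown", "faint unlisted AP; confirm it is not ours"))
        else:
            if r.ssid and r.ssid != known["ssid"]:
                findings.append((r.bssid, "ssid-mismatch",
                                 f"expected {known['ssid']!r}, saw {r.ssid!r}"))
            if r.observed_at == "outside" and r.rssi_dbm >= outside_threshold_dbm:
                findings.append((r.bssid, "footprint",
                                 f"{r.rssi_dbm} dBm outside near {known['location']}"))
        if r.encryption == "OPEN":
            findings.append((r.bssid, "open", "no encryption at all"))
        elif r.encryption == "WEP":
            findings.append((r.bssid, "weak-encryption",
                             "WEP; prefer WPA/WPA2 where hardware allows"))
        if r.ssid.lower() in default_ssids:
            findings.append((r.bssid, "default-ssid", r.ssid))
    return findings


def summarize(findings):
    """Count findings per category, e.g. for a per-district report."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for bssid, category, detail in audit(SAMPLE_SCAN):
        print(f"{bssid}  {category:16} {detail}")
    print(summarize(audit(SAMPLE_SCAN)))
```

A blank SSID in a record means the AP was seen with broadcast turned off (step 3); the survey tool still sees the BSSID, which is why the inventory is keyed by BSSID rather than by network name. Run the same audit after each fix and the findings list should shrink to zero for every BSSID the district owns.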

Strategy: Optional Next Steps

1. Cede management control of all wireless access points to NWOCA.
2. Implement 802.1X/EAP-based authentication (LEAP or PEAP). Note that an offline dictionary attack against LEAP’s MS-CHAP exchange was published in 2003 and a public tool for it (asleap) existed by 2004, so prefer PEAP, EAP-TLS or EAP-FAST over LEAP.
3. Have NWOCA redesign your district network to put all access points on mandatory VPN connections.

Security Policy Development

Understanding the need

Understanding the benefits

Essential components of a wireless policy:
  Delegation of authority and responsibility
  Risk assessment
  Network segregation
  User authentication
  Confidentiality
  Availability
  Logging and accounting
  Wireless access point security
  Client-based security
    Firewall
    Anti-virus
    Ad-hoc wireless communications
  Wireless scanning
  Education and awareness

Recommended Next Steps

Can we agree on the mandatory implementation by all NWOCA member districts of the minimal steps outlined in this document?

What should be the timeline for the implementation of the mandatory minimal steps?

Recommended Next Steps (cont’d.)

Districts desiring to implement optional steps outlined in this document, or having questions regarding the minimal steps, should contact the NWOCA Network Services Group ([email protected])

Recommended Next Steps (cont’d.)

Convene a committee of district technology coordinators and NWOCA personnel to develop a wireless network security policy as outlined in this document. Volunteers? Timeframe?

Wireless Security Basics

Questions/Answers/Discussion

Contact Information

Duane Baker, Chief Technology Officer
Northwest Ohio Computer Association
22-900 State Route 34
Archbold, Ohio 43502
Phone: (419) 267-5565 Ext. 2519
Email: [email protected]