Securing BSC’s Wireless Network
Nercomp Annual Conference
March 7, 2005
Pat Cronin, Assoc. VP Information Technology
Mike King, Telecommunications Technician
Bridgewater State College, Bridgewater MA, 02325
www.bridgew.edu
Copyright Bridgewater State College, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• BSC Security Challenges of Wireless
• What We Did
• Lessons Learned
• Future Plans
• Question and Answers
Bridgewater State College Background
• Public State College
– 10,000 students
– 2300 Residents
– 1000 Faculty and Staff
• 30+ Buildings on 235 acres of land
• Ranked 50th on Yahoo Internet Life’s list of “Most Wired Colleges of 2001”
Bridgewater State College June 2004 Wireless Environment
• 180 Access Points
• Enterasys R2 units
• 802.11b standard
• Seamless roaming via a VLAN
Security and Authentication 2004
• Netreg acts as a captive portal
• Netreg maps MAC addresses to username
• Scan clients for RPC Vulnerability
• 128 bit WEP Encryption
• SSID Broadcast disabled
• Force users to visit Help Desk
• Working Computer & Network Security Team
Remediation Techniques 2004
• During the Welchia virus outbreak, used the Policy feature of the R2s to drop PINGs
• Watched traffic reports for Top Hosts contacting other hosts, and blocked them at the firewall (virus-like activity)
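The "Top Hosts contacting other hosts" report above is the kind of thing a short script can produce from flow records. The following is an added example, not BSC's tooling or an Enterasys R2 policy: it counts distinct destination hosts per source in a time window, ranks the sources, flags the ones whose fan-out exceeds a threshold, and renders the block list a firewall administrator would act on. The flow records, addresses, threshold and ACL syntax are all constructed.

```python
"""Fan-out detection over flow records, in the spirit of the 2004 remediation
technique: find the hosts contacting the most other hosts (virus-like
activity) and produce the block list that would go to the firewall.

Added example, not BSC's tooling; every value below is constructed."""
from __future__ import annotations
from collections import defaultdict

# Constructed flow summary lines: "<epoch> <src_ip> <dst_ip> <proto> <dst_port>".
# Ordinary clients talk to a couple of servers; 10.20.1.77 sweeps a subnet on
# tcp/135 and with ICMP echo, which is what an RPC/ping-driven worm looks like.
SAMPLE_FLOWS = "\n".join(
    [
        "1078200001 10.20.1.5 10.20.2.9 tcp 80",
        "1078200002 10.20.1.5 10.20.2.10 tcp 443",
        "1078200003 10.20.1.5 10.20.2.9 tcp 80",
        "1078200004 10.20.1.8 10.20.2.9 tcp 80",
        "1078200005 10.20.1.8 10.20.2.11 udp 53",
    ]
    + [f"10782000{10 + i:02d} 10.20.1.77 10.20.3.{i} tcp 135" for i in range(1, 9)]
    + [f"10782000{20 + i:02d} 10.20.1.77 10.20.3.{i} icmp 0" for i in range(9, 13)]
)


def parse_flows(text: str) -> list[dict]:
    """Parse one record per line; lines without exactly five fields are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def fanout_by_source(flows: list[dict], start: int, end: int) -> dict[str, set[str]]:
    """Distinct destination hosts per source for flows with start <= ts <= end."""
    peers: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if start <= f["ts"] <= end:
            peers[f["src"]].add(f["dst"])
    return dict(peers)


def top_hosts(peers: dict[str, set[str]], n: int = 5) -> list[tuple[str, int]]:
    """The 'Top Hosts contacting other hosts' report, highest fan-out first."""
    ranked = sorted(((src, len(d)) for src, d in peers.items()), key=lambda p: (-p[1], p[0]))
    return ranked[:n]


def flag_virus_like(peers: dict[str, set[str]], threshold: int = 8) -> list[str]:
    """Sources whose distinct-peer count exceeds the threshold (constructed value)."""
    return sorted(src for src, d in peers.items() if len(d) > threshold)


def firewall_block_rules(flagged: list[str]) -> list[str]:
    """Render the block list in a generic ACL style; the syntax is illustrative only."""
    return [f"deny ip host {src} any" for src in flagged]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    peers = fanout_by_source(flows, 1078200000, 1078200099)
    for src, count in top_hosts(peers):
        print(f"{src:<12} {count} distinct peers")
    print(firewall_block_rules(flag_virus_like(peers)))
```

The threshold is the tuning knob: on a campus segment with a central file server a normal client has a handful of peers, so a source with a dozen or more distinct destinations in a short window stands out regardless of protocol. Keying on distinct peers rather than packet count is what separates a scanning host from a busy one.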
Infrastructure 2004
(Network diagram: Laptop, Workstation, Firewall, Wireless Network, Residence Hall Network, Admin Network, Internet)
Security Challenges 2004
• Viruses, spyware/malware
• Windows Patches
• Laptop requirement (1500 additional devices)
• Transient devices (No college account)
• Did not want administrator access to non-college owned devices
• Did not want to deal with maintaining VPN clients
• Concern about legacy apps (most were based on Telnet)
What We Did
• We looked at Perfigo, Bradford Campus Manager, Roving Planet, and Still Secure
• We tested Perfigo in March 2004
• Decided on 802.1x authentication with Rapid Rekeying (TKIP)
• Purchased Perfigo software
• Contracted with Dell and installed the BSC image on program notebooks
• Implemented application-based security (SSH/HTTPS)
What We Did (Standards)
• Sophos for AV
• Webroot SpySweeper for anti-spyware
• Windows Updates enabled
• Firewall enabled
• Used Microsoft built-in 802.1x client
• Created centralized download site for secure distribution of software
What We Did (New Practices)
• Made Applications available via Citrix
• Obtained Site Licenses for Office and XP
• Introduced the Be Security Conscious initiative to heighten security awareness
• http://it.bridgew.edu/Security/
• Opened two support counters to help repair and train students on laptop computers
Bridgewater State College June 2005 Wireless Environment
• 230+ Access Points
• Added AireSpace to Enterasys R2 units
• 802.11b standard, selected areas with 802.11g and 802.11a
• 802.1x with Rapid Rekeying (TKIP)
• Profiles for faculty, students, and staff
• New Guest profile
• Users log in with domain credentials
Security Implementation Plan Summer 2004
• Two major changes were made
– 802.1x
– Perfigo (Network Access Requirements)
• Both Wireless and ResNet users
802.1x Implementation
• Funk Steel-Belted Radius appliances
• All Roamabout R2 APs were configured for 802.1x with Rapid Rekeying, using the Radius server.
• Clients were configured to use PEAP.
Perfigo Implementation
• Perfigo became the default router for all of the wireless and ResNet students.
• Subnets were shrunk to /29s, reducing broadcast ranges to 4 hosts per subnet.
• Rules were written to enforce the standard applications and configurations that we made school policy.
Infrastructure 2005
(Network diagram: Laptop, Workstation, Firewall, Perfigo, Admin Network, Residence Hall Network, Wireless Network, Internet)
How Does The Scan Work?
(Flow diagram)
• Checks are combined into Rules, and Rules into Requirements
• UserName Mapping assigns a Role (Student) or Role (Admin), which selects the Requirements that apply
• Pass/Fail
– Fail: Error message redirecting to web page is presented
– Pass: Logon to Network
How Does The Scan Work, Example: Norton Antivirus Corporate Edition
• Rule: Norton Antivirus Installed, Updated, and Active
– Check: HKLM\Software\Symantec\InstalledApps\Savce EXISTS (Norton CE installed)
– Check: HKLM\Software\Symantec\SharedDefs\Defwatch_10 CONTAINS 20050304 (current definitions)
– Check: Application Status of rtvscan is RUNNING (Norton CE is running)
• UserName Mapping assigns Role (Student) or Role (Admin)
• Pass/Fail
– Fail: Error message redirecting to web page is presented
– Pass: Logon to Network
User Based Roles
• Admin
• Student
• Guest
Rules and Requirements at BSC
• Some Version of Norton AV, McAfee, or Sophos Antivirus installed or running
• Windows Update Service running
• Latest Service Packs and Patches
– Windows 2000 SP4 and all Hotfixes till December
– Windows XP SP2
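The scan flow, the Norton CE example, the User Based Roles and the Rules and Requirements list above all describe one evaluation model: Checks AND together into a Rule, alternative Rules OR together into a Requirement, the Role chosen by username mapping picks the Requirements, and the overall result is Pass (logon) or Fail (redirect). The following is an added example that models that flow in Python; it is not Perfigo or Cisco Clean Access code. The two HKLM paths, the rtvscan process name and the definition date come from the Norton slide; the endpoint snapshots, the username-to-role mapping, the Guest role carrying no requirements, the `wuauserv` process standing in for the Windows Update service, and the remediation URL are constructed assumptions.

```python
"""Posture-scan model: Checks (AND) -> Rule, Rules (OR) -> Requirement,
Role -> Requirements, then Pass/Fail. Added example, not Perfigo code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed snapshot of what an agent reads off a client: registry values
# (the HKLM paths are from the slide), running processes, OS and service pack.
ENDPOINT_HEALTHY = {
    "registry": {
        r"HKLM\Software\Symantec\InstalledApps\Savce": r"C:\Program Files\Symantec AntiVirus",
        r"HKLM\Software\Symantec\SharedDefs\Defwatch_10": r"C:\VirusDefs\20050304.003",
    },
    "processes": {"rtvscan", "wuauserv", "explorer"},
    "os": "WinXP", "service_pack": 2,
}
# Same client with stale definitions and the real-time scanner not running.
ENDPOINT_STALE = {
    "registry": {
        r"HKLM\Software\Symantec\InstalledApps\Savce": r"C:\Program Files\Symantec AntiVirus",
        r"HKLM\Software\Symantec\SharedDefs\Defwatch_10": r"C:\VirusDefs\20050215.001",
    },
    "processes": {"wuauserv", "explorer"},
    "os": "WinXP", "service_pack": 2,
}

@dataclass(frozen=True)
class Check:
    """One observable fact about the client, tested against the snapshot."""
    name: str
    test: Callable[[dict], bool]

def registry_exists(key: str) -> Check:
    return Check(f"{key} EXISTS", lambda ep: key in ep["registry"])

def registry_contains(key: str, needle: str) -> Check:
    return Check(f"{key} CONTAINS {needle}", lambda ep: needle in ep["registry"].get(key, ""))

def process_running(proc: str) -> Check:
    return Check(f"Application Status of {proc} is RUNNING", lambda ep: proc in ep["processes"])

def service_pack_at_least(os_name: str, sp: int) -> Check:
    return Check(f"{os_name} SP{sp}", lambda ep: ep["os"] == os_name and ep["service_pack"] >= sp)

@dataclass(frozen=True)
class Rule:
    """A rule passes only when every one of its checks passes (AND)."""
    name: str
    checks: tuple[Check, ...]
    def failed_checks(self, ep: dict) -> list[str]:
        return [c.name for c in self.checks if not c.test(ep)]

@dataclass(frozen=True)
class Requirement:
    """Met when any one of its rules passes (OR): 'Norton, McAfee, or Sophos',
    or 'Windows 2000 SP4 / Windows XP SP2'."""
    name: str
    rules: tuple[Rule, ...]
    def is_met(self, ep: dict) -> bool:
        return any(not r.failed_checks(ep) for r in self.rules)

# The slide's worked example, check for check.
NORTON_CE = Rule("Norton Antivirus Installed, Updated, and Active", (
    registry_exists(r"HKLM\Software\Symantec\InstalledApps\Savce"),
    registry_contains(r"HKLM\Software\Symantec\SharedDefs\Defwatch_10", "20050304"),
    process_running("rtvscan"),
))
WINDOWS_UPDATE = Rule("Windows Update Service running", (process_running("wuauserv"),))  # assumption
WIN2K_SP4 = Rule("Windows 2000 SP4", (service_pack_at_least("Win2000", 4),))
WINXP_SP2 = Rule("Windows XP SP2", (service_pack_at_least("WinXP", 2),))

REQ_ANTIVIRUS = Requirement("Antivirus installed and running", (NORTON_CE,))  # McAfee/Sophos rules go here too
REQ_WU = Requirement("Windows Update Service running", (WINDOWS_UPDATE,))
REQ_PATCHES = Requirement("Latest Service Packs and Patches", (WIN2K_SP4, WINXP_SP2))

ROLE_REQUIREMENTS = {
    "Admin": (REQ_ANTIVIRUS, REQ_WU, REQ_PATCHES),
    "Student": (REQ_ANTIVIRUS, REQ_WU, REQ_PATCHES),
    "Guest": (),  # assumption: guest profile gets no posture requirements in this model
}
REMEDIATION_URL = "https://it.example.edu/remediate"  # placeholder, not BSC's page

def map_username_to_role(username: str) -> str:
    """Constructed stand-in for the UserName Mapping step."""
    if username.startswith("guest"):
        return "Guest"
    return "Admin" if username.endswith("-adm") else "Student"

def scan(username: str, endpoint: dict) -> dict:
    """Evaluate every requirement for the user's role and decide Pass or Fail."""
    role = map_username_to_role(username)
    unmet = [r.name for r in ROLE_REQUIREMENTS[role] if not r.is_met(endpoint)]
    if unmet:
        return {"role": role, "result": "Fail", "unmet": unmet,
                "action": f"Error message redirecting to {REMEDIATION_URL}"}
    return {"role": role, "result": "Pass", "unmet": [], "action": "Logon to Network"}
```

Running `scan("jdoe", ENDPOINT_STALE)` returns a Fail naming only the antivirus requirement, and `NORTON_CE.failed_checks(ENDPOINT_STALE)` names the two checks behind it, which is the detail the "Users did not understand why error messages were being presented" lesson later in the deck argues for surfacing on the redirect page. The OR at the Requirement level is what lets one policy accept Windows 2000 SP4 and Windows XP SP2 clients without a separate role for each.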
Lessons Learned from 802.1x
• OSX and WinCE are difficult to configure
• Win9x has no built-in client (third party available)
• Only one Palm device has 802.1x support
• Machine authentication is a must for Windows logon to be processed
Lessons Learned from 802.1x
• Not all vendors have released 802.1x drivers
• Even with easy to follow directions, most users sought the helpdesk to have configuration performed for them
• When creating computer images, 802.1x settings do not carry
• Popular devices have no 802.1x support (Wifi Phones, Game console wireless cards, Barcode scanners)
Lessons Learned from Perfigo
• Vendor updates need to be managed and approved
• Computer mobility and different policies in different zones
• Exempt classroom Front-ends
• Users did not understand why error messages were being presented.
Lessons Learned
• We set the security bar high. Maybe too high
• Vacation problems
• Touching computers
• Core-business is wired, but what is your users' perception?
• Network Bridging in WinXP
• This security environment is difficult for your average student.
Future Rules and Requirements
• Some Version of Norton AV, McAfee, or Sophos Antivirus installed, running, recent updates
• Windows Update Service running and configured for automatic download and install
• Require all administrative computers to use Perfigo
Future Rules and Requirements
• Latest Service Packs and Patches
– Windows 2000 SP4 and all Hotfixes till the previous month
– Windows XP SP2 and all Hotfixes till the previous month
• Webroot SpySweeper required
• Latest Version of Perfigo Client. (Now Cisco Clean Access Agent)
Future Wireless Plans
• Upgrade infrastructure including access points
• Create wireless solution that supports multiple SSIDs
• Implement campus bus locator app complete with video surveillance
• Extend Campus Card to Off-campus vendors
• Cover Bridgewater downtown and add hotspots
Future Wireless Plans: Mesh Network
Questions and Answers
Questions about the AireSpace Outdoor Mesh product can be directed to Jeff [email protected]
408-635-2052