Wireless Security Basics
A Discussion Motivator for Technology Coordinators of NWOCA Owner-Member Schools

Vision Statement

In the future NWOCA member school districts will implement wireless network access points in a consistent, easily managed mode, and in a manner that protects network integrity for all NWOCA member school districts.

December 9, 2004
Today's Goals and Objectives

- Achieve a basic understanding of terminology and related technologies
- Provide suggestions for short-term rudimentary security mechanisms that should be implemented for all wireless devices
- Initiate a dialogue that leads to the development of a wireless security policy that is embraced by NWOCA and all its member school districts
Today's Situation

- Most district wireless access points are "wide open", with no security mechanisms implemented
- Some "rogue" wireless access points (not implemented or managed by the district technology staff or NWOCA) exist in the network
- Many NWOCA school districts are (unknowingly) providing unsecured wireless access in public areas outside of their buildings
- Most districts don't understand the "hidden" costs of wireless total cost of ownership (TCO) [see next two slides]
Wired vs. Wireless TCO

Gartner Research (June 2004):

- Wired LAN cost: $453/user/year
- Wireless LAN cost: $1,026/user/year
- Mixed wired and wireless LAN cost: $1,043/user/year
- The cost differential is primarily in personnel costs for administering wireless vs. wired networks

Gartner Recommendations

- Wired LANs are more reliable, secure, and faster than their wireless counterparts
- Understand that wireless has a much higher TCO than wired LANs and assess whether the productivity gains or convenience outweigh the additional costs
Today's Situation (cont'd.)

- Wireless access points are SNMP-managed gateways to the network, and (technically) are required to be under the management of NWOCA personnel per NWOCA's network management policy adopted by the member school district boards of education
- Unauthorized network usage represents a financial liability for the school district, with a penalty being the potential loss of E-Rate, ODE, and OSN technology funding; and/or criminal/civil liability under the Family Educational Rights and Privacy Act (FERPA) and HIPAA
- A good security strategy is like an onion: it has to have multiple and varied layers to be any good
- Security enforcement at each NWOCA district has a direct effect on the security of all other districts served by NWOCA ... "weakest link" syndrome
How Did We Get Here?

- Wireless access points can be easily, cheaply, and quickly implemented when overall network security and user authentication strategies are not taken into consideration
- Wireless access points are cheap and can be used to provide access to areas that would otherwise remain unserved
Terminology/Definitions

- 802.11 ~ IEEE specification for over-the-air wireless networks
- 802.11i ~ IEEE amendment for "next generation" WLAN security (ratified June 2004; WPA2 is the Wi-Fi Alliance's certification of it)
- 802.1X ~ IEEE specification for port-based network access control
- AES ~ Advanced Encryption Standard
- EAP ~ Extensible Authentication Protocol (a framework; the actual security depends on the EAP method chosen, e.g. EAP-TLS or PEAP)
- EAP-FAST ~ Flexible Authentication via Secure Tunneling (Cisco's replacement for LEAP)
- LAN ~ Local Area Network (intra-building)
- LEAP ~ Lightweight Extensible Authentication Protocol (Cisco proprietary; its MS-CHAP-based exchange is subject to offline dictionary attacks, publicly demonstrated in 2003)
- MAC ~ Media Access Control
- MD5 ~ Message Digest Algorithm 5 (a one-way hash function, not an encryption algorithm)
- MS-CHAP ~ Microsoft Challenge-Handshake Authentication Protocol
- PEAP ~ Protected Extensible Authentication Protocol
- PKI ~ Public Key Infrastructure
- RF ~ Radio Frequency
- SSID ~ Service Set Identifier (the name of a wireless network)
- TCO ~ Total Cost of Ownership
- TLS ~ Transport Layer Security (EAP-TLS: certificate-based mutual authentication)
- TTLS ~ Tunneled Transport Layer Security (EAP-TTLS)
- VPN ~ Virtual Private Network
- WAN ~ Wide Area Network (inter-building)
- WAP ~ Wireless Access Point
- WEP ~ Wired Equivalent Privacy (the original 802.11 encryption; weaknesses in its RC4 key scheduling and its 24-bit IV make it crackable, so treat it as a deterrent only)
- Wi-Fi ~ Wi-Fi Alliance certification mark for interoperable 802.11 equipment (commonly expanded as "Wireless Fidelity")
- WLAN ~ Wireless Local Area Network
- WPA ~ Wi-Fi Protected Access (interim subset of 802.11i using TKIP over RC4)
- WPA2 ~ Wi-Fi Protected Access 2 (full 802.11i, using AES-CCMP)
Available Options

- Do nothing – ignore the issue
  - Potentially catastrophic strategy
  - Financial/civil liabilities for districts
  - Network disruption potential
- Adopt a multi-strategy approach
  - Try to eliminate or minimize financial/civil liabilities for districts
  - Strengthen overall security within NWOCA's network ("weakest link" syndrome)
Recommended Strategies

- Education & Training
  - Problem awareness and understanding is key to success
  - Establish consensus for minimum agreed-upon wireless security measures to be implemented for all wireless implementations within NWOCA's network
- Convene a committee of technology coordinators and NWOCA personnel to develop and propose a comprehensive WLAN security policy for adoption and implementation for all NWOCA member school districts

Strategy: Education

- This session
- What other educational/information sessions are needed by NWOCA member district coordinators?
Strategy: Minimal Security Steps

1. Change the default wireless access point administrative password
   - Eliminate casual access to the administrative functions of the wireless access point
2. Change the SSID away from the vendor default
   - Do not make the SSID "obvious" (such as the district's name), and change it every school year if administratively feasible
3. Set SSID broadcast to "NO"
   - Avoid broadcasting the name of your wireless network and making it easier for casual hackers to attempt unauthorized access
   - Caveat: hiding the SSID is obscurity only. The SSID is still sent in the clear in every client probe request and association request, so anyone with a sniffer learns it as soon as a legitimate client connects.
   - Note: some wireless access points do not support this feature.
   - Should there be a "standard" for wireless access points in the NWOCA network?
4. Enable WEP encryption (or WPA/WPA2 where the equipment supports it)
   - If your volume of wireless devices permits, enable encryption to provide more secure transmission of data wirelessly. This is especially important if student data is being transmitted wirelessly.
   - Caveat: WEP has been publicly broken since 2001. Its RC4 key scheduling is weak and its 24-bit IV repeats on a busy network, and "128-bit" WEP is really a 104-bit key plus that same 24-bit IV, so the longer key does not fix the design flaw. Treat WEP as a deterrent against casual access only; where access points and client cards support WPA (TKIP) or WPA2 (AES), use those instead, and do not consider WEP sufficient protection for student data.
   - Create WEP keys creatively using a mixture of nonsense words and numbers, using the highest encryption level possible (128-bit). Enter the key as hexadecimal where the device allows it: vendor passphrase-to-key generators are not standardized and some are known to be weak.
   - Change WEP keys each school year if administratively feasible, and immediately if a device holding the key is lost or stolen
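To make the caveat on WEP concrete, the following added example (written for this discussion, not code from the NWOCA presentation) implements textbook RC4 and WEP framing and shows that two frames sent under the same 24-bit IV leak each other's plaintext no matter how long the secret key is. The secret key, IV and frame contents are constructed sample values, and the frame rate passed to `iv_space_stats` is an assumed load, not a measurement.

```python
"""Keystream reuse under WEP's 24-bit IV, and why "128-bit" WEP does not help.

Added example for this discussion; it is not code from the NWOCA
presentation. RC4 and the WEP framing are the standard textbook
algorithms. The secret key, IV and frame contents are constructed sample
values, and the CRC-32 integrity check of a real WEP frame is left out
because it does not affect the keystream-reuse argument.
"""
import math

IV_BITS = 24                       # WEP's per-frame initialisation vector


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one WEP frame body: RC4 keyed with IV || secret key.

    A 40-bit (5-byte) or 104-bit (13-byte) secret key gives the marketed
    "64-bit" and "128-bit" WEP; the 3-byte IV is prepended in the clear.
    """
    if len(iv) != IV_BITS // 8 or len(secret_key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes,
                                 frame_b: bytes) -> bytes:
    """Attacker's step: two frames share an IV and the first frame's
    plaintext is known (e.g. a predictable protocol header), so the
    keystream falls out and decrypts the second frame without the key.
    Returns as many bytes of frame B as the known plaintext covers.
    """
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ: no keystream reuse to exploit")
    keystream = xor_bytes(frame_a[3:], plain_a)   # C_a xor P_a = keystream
    return xor_bytes(frame_b[3:], keystream)      # C_b xor keystream = P_b


def iv_space_stats(frames_per_second: float) -> dict:
    """How soon a busy access point repeats IVs, key length notwithstanding."""
    space = 2 ** IV_BITS
    birthday = math.sqrt(2 * space * math.log(2))   # ~50 % chance of a repeat
    return {
        "iv_space": space,
        "frames_for_50pct_repeat": int(birthday),
        "hours_to_exhaust": space / frames_per_second / 3600,
    }


# Constructed sample data (not real keys or student records).
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")   # 104-bit key
SAMPLE_IV = bytes.fromhex("000001")   # low IVs recur after every card reset
PLAIN_A = b"GET /grades.html HTTP/1.0\r\n"
PLAIN_B = b"student=J.Doe;grade=A;id=00123"


def demo_keystream_reuse() -> bytes:
    """Encrypt two frames under the same IV and recover the second."""
    frame_a = wep_encrypt(SECRET_KEY, SAMPLE_IV, PLAIN_A)
    frame_b = wep_encrypt(SECRET_KEY, SAMPLE_IV, PLAIN_B)
    return recover_with_known_plaintext(frame_a, PLAIN_A, frame_b)


if __name__ == "__main__":
    print(demo_keystream_reuse())
    print(iv_space_stats(frames_per_second=1000))
```

The recovery needs no secret key at all: XOR of the two ciphertexts equals XOR of the two plaintexts, and 802.11 frames carry enough predictable headers (LLC/SNAP, ARP, IP) to supply the known plaintext. The `iv_space_stats` figures show why the IV repeats in practice: about 4,800 frames give even odds of a repeated IV, and at an assumed 1,000 frames per second the whole 24-bit space is used up in under five hours.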
5. Enable MAC filtering
   - If your wireless device volume permits, enable MAC (Media Access Control) filtering. This creates an access control list allowing only registered devices to access the wireless network.
   - Can be spoofed (MAC addresses travel in the clear in every frame, and a client can set its own address to copy an allowed one), but it is like adding another lock on your front door. The more obstacles you present, the more likely hackers will try less secure organizations.
6. Ensure you own the "footprint" of all WLAN access points
   - Test your wireless access points (walk the perimeter with a laptop and a site-survey or scanning tool) to determine whether they are providing coverage outside your facilities. If so, move them so that doesn't occur, or install directional antennas to focus the footprint. Some access points have adjustable power levels to assist with this problem.
7. Install or enable a personal firewall on all laptops authorized to use a wireless interface, and lock down visibility of and changes to the network control settings on those that have been authorized.
   - Restrict any listening (open) ports to the specific source IP addresses and ranges that need them, and deny everything else by default
8. Educate district personnel that connecting unauthorized wireless access points to the school network is not permitted
9. Use static IP addressing for wireless clients
   - Static IP addressing (with DHCP disabled on the wireless segment) forces wireless clients to have a legitimate IP address before access to the network is granted. It forces hackers to know the network addressing scheme and manually allocate an address and gateway.
   - Caveat: like SSID hiding and MAC filtering, this is obscurity. The addressing scheme is visible to anyone who can sniff the traffic (unencrypted, or WEP once cracked), so it only raises the bar for casual access.
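As an added example covering steps 1 through 9 above (not code from the presentation or from any access point vendor), the following script audits a list of access point configurations against the minimal steps and ranks what it finds, rating the obscurity measures (SSID hiding, MAC filtering, static addressing) lower than missing encryption or a default administrative password. The `APConfig` field names are an assumed vendor-neutral shape that an exported configuration would be mapped into; the sample access points and the lists of factory defaults are constructed.

```python
"""Audit access point settings against the minimal security steps above.

Added example for this discussion; it is not code from the NWOCA
presentation or from any vendor. The `APConfig` field names are an
assumed vendor-neutral shape that an exported AP configuration would be
mapped into, and the sample access points and the lists of vendor
defaults are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, illustrative lists of factory defaults; extend them from
# your own inventory of access point models.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless", "tsunami"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "public"}
SEVERITY_RANK = {"OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class APConfig:
    name: str
    admin_password: str
    ssid: str
    ssid_broadcast: bool
    encryption: str            # "none", "wep40", "wep104", "wpa", "wpa2"
    mac_filter: bool
    dhcp_on_wireless: bool
    tx_power_pct: int          # transmit power, 0-100 percent of maximum
    mac_allow_list: List[str] = field(default_factory=list)


@dataclass
class Finding:
    severity: str              # "HIGH", "MEDIUM" or "LOW"
    step: int                  # number of the minimal security step
    message: str


def audit(ap: APConfig) -> List[Finding]:
    """Return one finding per minimal step the access point fails."""
    f: List[Finding] = []
    # Step 1: default administrative password
    if ap.admin_password.lower() in DEFAULT_ADMIN_PASSWORDS:
        f.append(Finding("HIGH", 1, "administrative password is blank or a vendor default"))
    elif len(ap.admin_password) < 8:
        f.append(Finding("MEDIUM", 1, "administrative password is shorter than 8 characters"))
    # Step 2: vendor-default SSID
    if ap.ssid.lower() in DEFAULT_SSIDS:
        f.append(Finding("MEDIUM", 2, f"SSID {ap.ssid!r} is a vendor default"))
    # Step 3: SSID broadcast (obscurity only, so LOW)
    if ap.ssid_broadcast:
        f.append(Finding("LOW", 3, "SSID broadcast is enabled"))
    # Step 4: encryption. None at all is HIGH; WEP is crackable, so 40-bit
    # WEP stays HIGH and 104-bit WEP is MEDIUM; WPA/WPA2 pass.
    if ap.encryption == "none":
        f.append(Finding("HIGH", 4, "no link-layer encryption; traffic is readable by anyone in range"))
    elif ap.encryption == "wep40":
        f.append(Finding("HIGH", 4, "40-bit WEP; move to WPA/WPA2, or at least 104-bit WEP"))
    elif ap.encryption == "wep104":
        f.append(Finding("MEDIUM", 4, "104-bit WEP; a deterrent only, move to WPA/WPA2 where hardware allows"))
    elif ap.encryption not in ("wpa", "wpa2"):
        f.append(Finding("HIGH", 4, f"unknown encryption mode {ap.encryption!r}"))
    # Step 5: MAC filtering (spoofable, so LOW when merely absent)
    if not ap.mac_filter:
        f.append(Finding("LOW", 5, "MAC filtering is disabled"))
    elif not ap.mac_allow_list:
        f.append(Finding("MEDIUM", 5, "MAC filtering enabled with an empty allow-list; "
                                      "no device should be able to connect, so the filter is probably not in effect"))
    # Step 6: footprint; full power is a prompt to walk the perimeter
    if ap.tx_power_pct >= 100:
        f.append(Finding("LOW", 6, "transmit power at maximum; verify coverage does not extend outside the building"))
    # Step 9: static client addressing
    if ap.dhcp_on_wireless:
        f.append(Finding("LOW", 9, "DHCP is served on the wireless segment; step 9 calls for static addressing"))
    return f


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or "OK" if there are none."""
    return max((x.severity for x in findings), key=SEVERITY_RANK.get, default="OK")


def summarize(aps: List[APConfig]) -> Dict[str, str]:
    """Map each access point name to its worst finding severity."""
    return {ap.name: worst_severity(audit(ap)) for ap in aps}


# Constructed sample inventory: one factory-default AP, one configured
# per the minimal steps.
SAMPLE_APS = [
    APConfig("library-ap", "admin", "linksys", True, "none", False, True, 100),
    APConfig("bldg7-staff-ap", "N0t-the-Def4ult!", "vq7-r2", False, "wpa2",
             True, False, 50, ["00:0c:29:3a:9b:1d", "00:0c:29:7f:02:aa"]),
]

if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(f"{ap.name}: {worst_severity(audit(ap))}")
        for x in audit(ap):
            print(f"  [{x.severity}] step {x.step}: {x.message}")
```

Steps 7 and 8 are client-side and organizational, so they are not checked here. The severity scale is the point of the script: an access point that only fails the obscurity steps is rated LOW, while one with no encryption or a default administrative password is rated HIGH regardless of how many of the other steps it passes.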
Strategy: Optional Next Steps

1. Cede management control of all wireless access points to NWOCA.
2. Implement 802.1X authentication with a strong EAP method (PEAP or EAP-TLS). LEAP should be avoided: its MS-CHAP-based exchange is subject to offline dictionary attacks that were publicly demonstrated in 2003, and Cisco introduced EAP-FAST as its replacement.
3. Have NWOCA redesign your district network to put all access points on mandatory VPN connections (a separate wireless subnet in front of a VPN gateway, so wireless traffic is encrypted and authenticated independently of the access point's own security).
Security Policy Development

- Understanding the need
- Understanding the benefits
- Essential components of a wireless policy
  - Delegation of authority and responsibility
  - Risk assessment
  - Network segregation
  - User authentication
  - Confidentiality
  - Availability
  - Logging and accounting
  - Wireless access point security
  - Client-based security
    - Firewall
    - Anti-virus
    - Ad-hoc wireless communications
    - Wireless scanning
    - Education and awareness
Recommended Next Steps

- Can we agree on the mandatory implementation by all NWOCA member districts of the minimal steps outlined in this document?
- What should be the timeline for the implementation of the mandatory minimal steps?
- Districts desiring to implement optional steps outlined in this document, or having questions regarding the minimal steps, should contact the NWOCA Network Services Group ([email protected])
- Convene a committee of district technology coordinators and NWOCA personnel to develop a wireless network security policy as outlined in this document.
  - Volunteers?
  - Timeframe?

Wireless Security Basics: Questions/Answers/Discussion

Contact Information

Duane Baker, Chief Technology Officer
Northwest Ohio Computer Association
22-900 State Route 34
Archbold, Ohio 43502
Phone: (419) 267-5565 Ext. 2519
Email: [email protected]