Wireless security overhaul

Printable View

June 3rd, 2005, 01:07 AM
The_Captain

Wireless security overhaul

I have the feeling I am going to be asked to do a major overhaul to the Wireless security policy and practices of my company's network. You may, after reading this, find security to be completely an afterthought in my institution and I will readily agree with you.

Here's the overview:

38 Wan sites (hardwired, bandwidth is a commodity)

300+ Cisco 1100b and 1100G access points (all documented and locally manageable)

1000+ laptops (centrally managed)

(If you're wondering, no, my network is not all wireless. This is just the WLAN information)

I have inherented a wireless network that is "secured" by merely disabling SSID broadcasts. I mentioned to one of the bosses today that it isn't even really a security policy and he told me he'd be calling me tomorrow to talk about changing that. Well, the way I look at it is it eventually needs to be done so I might as well be the one to do it.

I was reading a post by a senior member XTC46. Some of these are followed,but there are problems with me implementing some of these practices.

Quote:

Should be done:

- DO NOT use the default SSID
- DO NOT broadcast SSID
- Change the administrator Username/Password for your router
- Use WEP or WPA (if available on your router)
- Use MAC filtering if possible
- Limit the number of DHCP assigned IP address (or use static IP)
- Block ALL unassigned IP addresses
- Turn off default shares on the computer, set permissions for files that need to be shared.
- Turn off Printer sharing if it is not needed.

Optional: (not so basic)

- Limit broadcast range
- Use rotating WEPS
- When assigning IP addresses use class A or B IP’s and a class C subnet (sort of a Security through Obscurity technique against people scanning for active IP’s)
- Use a form of data encryption during transfers
- Rotate assigned IP addresses

(My thanks to XTC46 for the useful post)

1. I can't use MAC filtering because the laptops are constantly moving around to different areas.

2. I have static IP's assigned to the laptops from a predetermined range for each site, but we know that's easy to spoof.

I guess what I'm asking for is some advice or ideas, (how some of you have done it). I'm thinking of running a seperate VLAN for all the access points and making all machines validate through a TACACS server. I'm wondering if there are any major consideration to doing this. Everything is working now, but should I be conscience of any major problems I may face doing this. I'll probably have 4 or 5 techs with limited knowledge to help me implement the fix.

My primary concern is for best effort security. Obviously I cannot have total security using wireless. Stopping the users from moving around within each site is not an option. Stopping the APs from moving from port to port is not an option either (I know, this stops all talk of static VLANs from the switches. I'd rather not explain it) I have already limited range on many of the access points that had ridiculously large ranges on them.

Thanks in advance for all your help. Let me know if you need any clarification on my disposition.
June 3rd, 2005, 01:30 AM
XTC46

For this I would force authentication via username/password and make all sites authenticate from a central server (or multiple servers that replicate data). There are many ways to do this. It will basically give them a connection to the server that allows the authentication but they get nothing else until they authenticate.

This way no matter what site they use they can authenticate without using Mac filtering. But for this I would make log the Mac address just for record keeping sake and so you can more easily trace problem computers from network to network.

I would defiantly enable WPA if possible. But for technology limitations WEP might be the only availability. Make the key secure, but not so difficult that your help desk will get slammed when people need to get on.

I assume with network this size there are many other forms of protection for specific files in place, so for this we are just protecting the connection it self.
June 3rd, 2005, 01:51 AM
sysmin770

The_Captain,
You left quite a few pieces of the puzzle out. There are questions that I am sure people are wondering such as what operating systems are the laptops? Is there any need to access resources on the main network? Are you running any centralized administration such as Active Directory? What is the wireless network used for? Do you have any VPNs deployed in your network? How important is security in your network? Is the network properly segmented? Yadda, Yadda, Yadda.
June 3rd, 2005, 02:02 AM
Negative

http://www.lanarchitect.net/Articles...ecurityRating/

Just one link to answer all your questions :)
I don't remember who originally posted the link to that article... (s)he deserves some greenies, cause that article is worth gold :)
June 3rd, 2005, 02:05 AM
The_Captain

Ah, yes, in my haste I was only thinking of the network side of it.

Quote:

The_Captain,
You left quite a few pieces of the puzzle out. There are questions that I am sure people are wondering such as what operating systems are the laptops? Is there any need to access resources on the main network? Are you running any centralized administration such as Active Directory? What is the wireless network used for? Do you have any VPNs deployed in your network? How important is security in your network? Is the network properly segmented? Yadda, Yadda, Yadda.

The laptops all have current patches, realtime AV, and the like. All Windows XP SP 2. Has anyone seen this large of a deployment of Linux? All are centrally administered by Active Directory. The security issue is not so much with people getting to the laptops or that sort of thing, we can wipe those clean as needed because there is nothing kept on them.

The primary security issue is with anyone being able to access our network with no problem.

Hope this helps clear things up.
June 3rd, 2005, 07:28 AM
XTC46

Have all users that want to log onto the wireless network authenticate against your AD credentials. that way all users can go at it. Make sure you keep the firmware on the APs up to date as well. Enable WEP or wPA if you have the ability to do it. If you are just trying to protect the connection and not the data then it is much easier.
June 3rd, 2005, 11:35 AM
Spyrus

I would start with 128 bit encryption and proceed from there. If you have the means, XTC46 is dead on with setting up a server for authentication purposes. I am a bit confused why the access points are going to be being moved around on the switch ports??

In my setup, about the same size as yours, we have the same WEP key setup on all the access points, we have SSID turned on, makes it a tad bit easier for me when I do an audit to see if something popped up that doesnt belong. We have all our WAP's on a seperate VLAN and all the wireless uses a different IP range than the rest of our network.

In your situation as in mine MAC filtering is ridiculous as there are too many computers for it to be effective, however, as mentioned, you should run a log that grabs the MAC's and if you are doing authentication the computer name and Login name.
June 3rd, 2005, 07:41 PM
XTC46

http://www.mtghouse.com/EAP_082404.pdf

there. That should be helpful