Securing BSC's Wireless Network
Nercomp Annual Conference
March 7, 2005
Pat Cronin, Assoc. VP Information Technology
Mike King, Telecommunications Technician
Bridgewater State College,
Bridgewater MA, 02325
www.bridgew.edu
Copyright Bridgewater State College, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• BSC Security Challenges of Wireless
• What We Did
• Lessons Learned
• Future Plans
• Questions and Answers
Bridgewater State College
Background
• Public State College
– 10,000 students
– 2300 Residents
– 1000 Faculty and Staff
• 30+ Buildings on 235 acres of land
• Ranked 50th on Yahoo Internet Life's list of "Most Wired Colleges of 2001"
Bridgewater State College June 2004 Wireless Environment
• 180 Access Points
• Enterasys R2 units
• 802.11b standard
• Seamless roaming via a VLAN
Security and Authentication 2004
• Netreg acts as a captive portal
• Netreg maps MAC addresses to username
• Scan clients for RPC Vulnerability
• 128 bit WEP Encryption
• SSID Broadcast disabled
• Force users to visit Help Desk
• Working Computer & Network Security Team
Remediation Techniques 2004
• During Welchia Virus outbreak, used the Policy feature of R2's to drop PINGs
• Watched traffic reports for Top Hosts contacting other hosts, and blocked them at firewall (Virus Like activity)
Infrastructure 2004 (diagram). Components shown: Wireless Network (Laptop, Firewall); Residence Hall Network (Internet, Firewall, Workstation, Internet); Admin Network (Firewall, Workstation).
Security Challenges 2004
• Viruses, spyware/malware
• Windows Patches
• Laptop requirement (1500 additional devices)
• Transient devices (No college account)
• Did not want administrator access to non-college owned devices
• Did not want to deal with maintaining VPN clients
• Concern about legacy apps (most were based on Telnet)
What We Did
• We looked at Perfigo, Bradford Campus Manager, Roving Planet, and Still Secure
• We tested Perfigo in March 2004
• Decided on 802.1x authentication with Rapid Rekeying (TKIP)
• Purchased Perfigo software
• Contracted with Dell and installed BSC image on program notebooks
• Implemented Application based security (SSH/HTTPS)
What We Did (Standards)
• Sophos for AV
• Webroot SpySweeper for anti-spyware
• Windows Updates enabled
• Firewall enabled
• Used Microsoft built-in 802.1x client
• Created centralized download site for secure distribution of software
What We Did (New Practices)
• Made Applications available via Citrix
• Obtained Site Licenses for Office and XP
• Introduced the Be Security Conscious initiative to heighten security awareness
• http://it.bridgew.edu/Security/
• Opened two support counters to help repair and train students on laptop computers
Bridgewater State College June 2005 Wireless Environment
• 230+ Access Points
• Added AireSpace to Enterasys R2 units
• 802.11b standard, selected areas with 802.11g and 802.11a
• 802.1x with Rapid Rekeying (TKIP)
• Profiles for faculty, students, and staff
• New Guest profile
• Users log in with domain credentials
Security Implementation Plan, Summer 2004
• Two major changes were made
– 802.1x
– Perfigo (Network Access Requirements)
• Both Wireless and ResNet users
802.1x Implementation
• Funk Steel-Belted Radius appliances
• All RoamAbout R2 APs were configured for 802.1x with Rapid Rekeying, using the Radius Server.
• Clients were configured to use PEAP.
Perfigo Implementation
• Perfigo became the default router for all of the wireless and ResNet students.
• Subnets were shrunk to /29s, reducing broadcast ranges to 4 hosts per subnet.
• Rules were written to enforce the standard applications and configurations that we made school policy.
Infrastructure 2005 (diagram). Components shown: Wireless Network (Laptop, Perfigo, Internet); Residence Hall Network (Firewall, Workstation, Internet); Admin Network (Firewall, Workstation).
How Does The Scan Work?
Flow shown in the diagram: Checks feed into Rules, Rules feed into a Requirement, and the Requirement produces a Pass/Fail result. On Fail, an Error Message redirecting to a webpage is presented. On Pass, UserName Mapping assigns a Role (Student or Admin) and the client proceeds to Logon to Network.
How Does The Scan Work, Example: Norton Antivirus Corporate Edition
• Check: HKLM\Software\Symantec\InstalledApps\Savce EXISTS
• Check: HKLM\Software\Symantec\SharedDefs\Defwatch_10 CONTAINS 20050304
– Rule: Norton CE Installed and current definitions
• Check: Application Status of rtvscan is RUNNING
– Rule: Norton CE is running
• Requirement: Norton Antivirus Installed, Updated, and Active (Pass/Fail)
– Fail: Error Message redirecting to webpage is presented
– Pass: UserName Mapping assigns a Role (Student or Admin), then Logon to Network
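The scan flow above as a small rule engine in Python. This is an added example, not Perfigo's or BSC's code: each check uses one of the three operators on the slide (EXISTS, CONTAINS, RUNNING), every check in a rule must hold, a failed requirement yields the error and redirect message, and which requirements apply depends on the role. The host snapshot, the redirect URL and the Guest role mapping are constructed assumptions.

```python
# Added example: posture checks -> rules -> requirement -> pass/fail, per role.
def check(host, kind, target, value=""):
    """One check, using the three operators the slide shows."""
    if kind == "EXISTS":
        return target in host["registry"]
    if kind == "CONTAINS":
        return value in host["registry"].get(target, "")
    if kind == "RUNNING":
        return target in host["processes"]
    raise ValueError(f"unknown check kind {kind!r}")

# A rule is a name plus checks that must all hold; a requirement is a name,
# its rules, and the remediation page to redirect to on failure (placeholder URL).
NORTON_CE = {
    "name": "Norton Antivirus Installed, Updated, and Active",
    "redirect": "https://remediation.example/norton",  # assumed placeholder
    "rules": [
        ("Norton CE installed and current definitions", [
            ("EXISTS", r"HKLM\Software\Symantec\InstalledApps\Savce", ""),
            ("CONTAINS", r"HKLM\Software\Symantec\SharedDefs\Defwatch_10", "20050304"),
        ]),
        ("Norton CE is running", [("RUNNING", "rtvscan", "")]),
    ],
}

# Which requirements each role must meet (the Guest mapping is an assumption).
ROLE_REQUIREMENTS = {"Student": [NORTON_CE], "Admin": [NORTON_CE], "Guest": []}

def evaluate(host, role):
    """Return (allowed, messages). allowed=True means 'Logon to Network';
    otherwise messages hold the error text and redirect the agent would show."""
    messages = []
    for req in ROLE_REQUIREMENTS[role]:
        failed = [name for name, checks in req["rules"]
                  if not all(check(host, *c) for c in checks)]
        if failed:
            messages.append(f"{req['name']}: failed {', '.join(failed)}; see {req['redirect']}")
    return (not messages), messages

# Constructed host snapshot: product installed with 2005-03-04 definitions,
# but the rtvscan service is not running, so the requirement fails.
SAMPLE_HOST = {
    "registry": {
        r"HKLM\Software\Symantec\InstalledApps\Savce": r"C:\Program Files\Symantec AntiVirus",
        r"HKLM\Software\Symantec\SharedDefs\Defwatch_10": r"C:\VirusDefs\20050304.011",
    },
    "processes": {"explorer", "svchost"},
}
```

A CONTAINS check against a literal definition date such as 20050304 is only correct while that definition set is current, so the rule itself must be updated as definitions change.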
User Based Roles
• Admin
• Student
• Guest
Rules and Requirements at BSC
• Some version of Norton AV, McAfee, or Sophos Antivirus installed or running
• Windows Update Service running
• Latest Service Packs and Patches
– Windows 2000 SP4 and all Hotfixes till December
– Windows XP SP2
Lessons Learned from 802.1x
• OSX and WinCE are difficult to configure
• Win9x has no built-in client (third party available)
• Only one Palm device has 802.1x support
• Machine Authentication is a must for Windows logon to be processed
Lessons Learned from 802.1x
• Not all vendors have released 802.1x drivers
• Even with easy to follow directions, most users sought the helpdesk to have configuration performed for them
• When creating computer images, 802.1x settings do not carry
• Popular devices have no 802.1x support (WiFi Phones, Game console wireless cards, Barcode scanners)
Lessons Learned from Perfigo
• Vendor updates need to be managed and approved
• Computer mobility and different policies in different zones
• Exempt classroom Front-ends
• Users did not understand why error messages were being presented.
Lessons Learned
• We set the security bar high. Maybe too high
• Vacation problems
• Touching computers
• Core-business is wired, but what is your users' perception?
• Network Bridging in WinXP
• This security environment is difficult for your average student.
Future Rules and Requirements
• Some version of Norton AV, McAfee, or Sophos Antivirus installed, running, recent updates
• Windows Update Service running and configured for automatic download and install
• Require all administrative computers to use Perfigo
Future Rules and Requirements
• Latest Service Packs and Patches
– Windows 2000 SP4 and all Hotfixes till the previous month
– Windows XP SP2 and all Hotfixes till the previous month
• Webroot SpySweeper required
• Latest Version of Perfigo Client (Now Cisco Clean Access Agent)
Future Wireless Plans
• Upgrade infrastructure including access points
• Create wireless solution that supports multiple SSIDs
• Implement campus bus locator app complete with video surveillance
• Extend Campus Card to Off-campus vendors
• Cover Bridgewater downtown and add hotspots
Future Wireless Plans
Mesh Network
Questions and Answers
Questions about the AireSpace Outdoor Mesh product can be directed to
Jeff Aaron
[email protected]
408-635-2052