SECURE WIRELESS NETWORK
IN IŞIK UNIVERSITY ŞİLE
CAMPUS
WLAN (Wireless LAN)
Wireless LANs were introduced in 1986 for use in barcode scanning.
A properly selected and installed Wi-Fi (wireless fidelity) network.
802.11a, 802.11b and 802.11g are the technologies; 802.11g is the latest one. These are IEEE standards.
THE PROJECT
The problem is how three different kinds of user can access different types of data securely through one access point on our campus.
In other words, if we choose three people, such as a student, a university staff member and a data processing center worker, each of them can access a different type of data, that is, they have different rights when they connect securely through the access point.
THREE DIFFERENT USERS
1) Student
2) University Staff
3) Data Processing Center Worker
COMPONENTS OF SECURE WIRELESS NETWORK
I. Cisco Aironet 1100 Series Access Point
II. Radius Server
III. Two Switches (one of them is a Manageable Switch, the other one is a Backbone Switch)
IV. Vlan
V. Cisco PIX Firewall
VI. WEP & LEAP
VII. Database Server
VIII. Intranet Web Server
Cisco Aironet 1100 Series Access Point
It is a wireless LAN transceiver. The 1100 series is cheaper than the others and its performance is really efficient.
It is also easily manageable and common all over the world.
RADIUS SERVER
RADIUS is a distributed client/server system that secures networks against unauthorized access.
Use RADIUS in network environments which require access security.
This server is also called an AAA Server, which means Audit, Authentication and Accounting.
In my project the Radius Server will provide Authentication and MAC filtering.
SWITCHES
Manageable Switch, Backbone Switch. I will use three different IP ranges.
Students will take 10.0.x.x, University Staff will take 10.50.x.x, and Data Processing Center Workers will take 192.168.x.x.
VLAN
A VLAN is a switched network that is logically segmented.
I will use VLANs to give these three different types of user different kinds of rights on the WLAN.
DATABASE AND INTRANET WEB SERVER
Database Server: only Data Processing Center Workers can access this server.
Intranet Web Server: only University Staff and Data Processing Center Workers can access this server.
HOW WILL THE DESIGN BE?
Firstly: how will students, university staff and data processing center workers be placed on different VLANs, and how can I give them different rights?
The second question is how these people get onto their VLANs.
The third, and most important, is how I can provide security.
SSID (Service Set Identifier)
When you connect to a WLAN you will see the name of the WLAN, which is the SSID.
FOR VLAN 1
We define two different SSIDs, one of them broadcast, the other one secret.
For instance, our broadcast SSID is tsunami and our non-broadcast (secret) SSID is Private. Anyone connecting to the WLAN through the access point automatically sees the tsunami SSID. When you connect to it you come to VLAN 1, and this VLAN provides access only to the Internet.
AUTHENTICATION
If you are not a student, you type the non-broadcast SSID name to get access; at that point you will see the Username/Password window for obtaining different kinds of rights.
When you enter the username and password, the information goes to the Radius Server.
At this point EAP (Extensible Authentication Protocol) is used.
WEP (Wired Equivalent Privacy)
i. WEP is an encryption algorithm used by the Shared Key authentication process for authenticating users and for encrypting data payloads over only the wireless segment of the LAN.
ii. The secret key lengths are 40-bit or 104-bit, yielding WEP key lengths of 64 bits and 128 bits.
iii. A WEP key is an alphanumeric character string used in two manners in a wireless LAN.
iv. A WEP key can be used to verify the identity of an authenticating station. WEP keys can also be used for data encryption.
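As an added illustration (not code from the slides or from Cisco), the following Python parses a WEP key in the two forms an access point accepts, 5 or 13 printable ASCII characters or 10 or 26 hex digits, and shows where the 64-bit and 128-bit figures come from: the 40-bit or 104-bit secret is prepended with a 24-bit per-frame initialisation vector (IV) to form the RC4 seed. The sample key strings and the 3-byte IV are constructed values; only the secret part of the seed is actually secret, because the IV is transmitted in the clear with every frame.

```python
import re
from dataclasses import dataclass

IV_BITS = 24                # per-frame initialisation vector, sent in the clear
SECRET_BITS = (40, 104)     # the two WEP secret sizes the slides list
# 10 or 26 hex digits, with an optional 0x prefix
HEX_KEY = re.compile(r"(?:0x)?([0-9a-fA-F]{10}|[0-9a-fA-F]{26})")


@dataclass
class WepKey:
    key: bytes
    secret_bits: int    # 40 or 104
    nominal_bits: int   # secret + IV: the "64-bit" / "128-bit" figures
    form: str           # "hex" or "ascii"


def parse_wep_key(text: str) -> WepKey:
    """Parse a WEP key written as 10/26 hex digits or 5/13 ASCII characters."""
    s = text.strip()
    m = HEX_KEY.fullmatch(s)
    if m:
        raw, form = bytes.fromhex(m.group(1)), "hex"
    elif len(s) in (5, 13) and s.isascii() and s.isprintable():
        raw, form = s.encode("ascii"), "ascii"
    else:
        raise ValueError(
            "WEP key must be 5 or 13 ASCII characters, or 10 or 26 hex digits")
    bits = len(raw) * 8
    assert bits in SECRET_BITS
    return WepKey(raw, bits, bits + IV_BITS, form)


def per_frame_seed(iv: bytes, key: WepKey) -> bytes:
    """The RC4 seed WEP uses for one frame: the 3-byte IV followed by the secret."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV must be exactly 24 bits")
    return iv + key.key


def describe(text: str) -> str:
    """Human-readable summary of a key string, e.g. for a config linter."""
    k = parse_wep_key(text)
    return f"{k.form} key, {k.secret_bits}-bit secret, {k.nominal_bits}-bit WEP"


if __name__ == "__main__":
    # Constructed sample keys covering all four accepted spellings.
    for sample in ["abcde", "0x0123456789",
                   "0123456789abcdef0123456789", "thirteenchars"]:
        print(sample, "->", describe(sample))
    # Constructed IV; the seed for a 13-character key is 16 bytes (128 bits).
    print(len(per_frame_seed(b"\x00\x01\x02", parse_wep_key("thirteenchars"))))
```

The seed length is what the "64-bit" and "128-bit" labels count; the 24-bit IV space (about 16.7 million values) is small enough to repeat on a busy access point, which is the main reason WEP was later deprecated in favour of WPA2.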
CRITERIA
The 802.11 standard specifies the following criteria for security:
Exportable
Reasonably Strong
Self-Synchronizing
Computationally Efficient
Optional
WEP meets all these requirements. WEP supports the security goals of confidentiality, access control, and data integrity.
EAP (Extensible Authentication Protocol)
This authentication type provides the highest level of security for your wireless network.
It uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server.
This is a type of dynamic WEP key. There are five different types of EAP; I will use LEAP (Lightweight Extensible Authentication Protocol, designed by Cisco), which is the most secure.
MAC (Media Access Control) ADDRESS FILTERING
The server checks the address against a list of allowed MAC addresses.
If your MAC address is a University Staff MAC address, you come to VLAN 2 and have those rights; if your MAC address is a Data Processing Center Worker's address, you come to VLAN 3 and have those rights.
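As an added example (not the project's code and not a RADIUS implementation), the Python below models the decision the Radius Server makes in this design: a client on the broadcast SSID lands on VLAN 1 with no credentials, while a client on the hidden SSID must present a username and password that verify against the user store and a MAC address that is on the allow-list for the same role before it is placed on VLAN 2 or VLAN 3. In RADIUS terms (authentication, authorization, accounting) this VLAN choice is the authorization step. The usernames, passwords, MAC addresses and /16 masks are constructed sample values; the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes are the standard ones a RADIUS server returns for dynamic VLAN assignment (RFC 3580). The LEAP exchange itself is not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Roles from the design and the VLAN / address range each one lands on.
# The /16 masks are an assumption; the slides only say "10.0.x.x" etc.
ROLE_VLAN = {
    "student": (1, "10.0.0.0/16"),
    "staff": (2, "10.50.0.0/16"),
    "dpc_worker": (3, "192.168.0.0/16"),
}
BROADCAST_SSID = "tsunami"   # open SSID -> VLAN 1, Internet only
PRIVATE_SSID = "Private"     # hidden SSID -> username/password + MAC check


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 digest, never the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def norm_mac(mac: str) -> str:
    # Accept "AA:BB:..." or "aa-bb-..." and compare in one canonical form.
    return mac.strip().lower().replace("-", ":")


# Constructed user store and MAC allow-list (hypothetical values).
USERS = {
    "alice": make_user("Staff!Pass2024", "staff"),
    "bob": make_user("Dpc#Worker99", "dpc_worker"),
}
ALLOWED_MACS = {
    norm_mac("00:11:22:33:44:55"): "staff",
    norm_mac("66-77-88-99-AA-BB"): "dpc_worker",
}


@dataclass
class AccessDecision:
    allowed: bool
    vlan: Optional[int] = None
    ip_range: Optional[str] = None
    reason: str = ""
    # Attributes a real RADIUS server would put in Access-Accept (RFC 3580).
    radius_attrs: dict = field(default_factory=dict)


def _accept(role: str, reason: str) -> AccessDecision:
    vlan, ip_range = ROLE_VLAN[role]
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
    return AccessDecision(True, vlan, ip_range, reason, attrs)


def authorize(ssid: str, username: Optional[str] = None,
              password: Optional[str] = None,
              mac: Optional[str] = None) -> AccessDecision:
    """Decide which VLAN a client lands on, following the slides' rules."""
    if ssid == BROADCAST_SSID:
        # Students need no credentials; they only reach the Internet VLAN.
        return _accept("student", "broadcast SSID -> VLAN 1")
    if ssid != PRIVATE_SSID:
        return AccessDecision(False, reason="unknown SSID")
    if not (username and password and mac):
        return AccessDecision(False, reason="credentials and MAC required")

    user = USERS.get(username)
    if user is None:
        return AccessDecision(False, reason="unknown user")
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return AccessDecision(False, reason="bad password")

    # MAC filtering: the address must be on the list AND belong to the same
    # role as the authenticated user, so a staff login from a card listed for
    # the data processing center (or vice versa) is refused.
    mac_role = ALLOWED_MACS.get(norm_mac(mac))
    if mac_role is None:
        return AccessDecision(False, reason="MAC not on allow-list")
    if mac_role != user["role"]:
        return AccessDecision(False, reason="MAC role does not match user role")
    return _accept(user["role"], "authenticated + MAC match")


if __name__ == "__main__":
    print(authorize("tsunami"))
    print(authorize("Private", "alice", "Staff!Pass2024", "00:11:22:33:44:55"))
    print(authorize("Private", "alice", "wrong", "00:11:22:33:44:55"))
```

The cross-check between the user's role and the role the MAC address is listed for is the point worth keeping: if the two lists were consulted independently, a valid staff login combined with a data processing center address would otherwise have to be resolved by whichever check ran last.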
STUDENT TOPOLOGY-2
Diagram components: Student, broadcasting SSID (tsunami), Access Point, Switch, Backbone Switch. Student takes a 10.0.x.x IP and comes to VLAN 1.
STUDENT GENERAL TOPOLOGY
Diagram components: Student, broadcasting SSID (tsunami), Access Point, Switch, Backbone Switch, Firewall, Internet. Student takes a 10.0.x.x IP and comes to VLAN 1.
UNIVERSITY STAFF TOPOLOGY-1
Diagram components: University Staff, non-broadcasting SSID (Private), Access Point.
UNIVERSITY STAFF TOPOLOGY-2
Diagram components: University Staff, non-broadcasting SSID (Private), Access Point, Switch, Radius Server (Private SSID & authentication & MAC filtering). University Staff takes a 10.50.x.x IP and comes to VLAN 2.
UNIVERSITY STAFF TOPOLOGY-3
Diagram components: University Staff, non-broadcasting SSID (Private), Access Point, Switch, Radius Server, Backbone Switch, Intranet Web Server (Private SSID & authentication & MAC filtering). University Staff takes a 10.50.x.x IP and comes to VLAN 2.
UNIVERSITY STAFF GENERAL TOPOLOGY
Diagram components: University Staff, non-broadcasting SSID (Private), Access Point, Switch, Radius Server, Backbone Switch, Intranet Web Server, Firewall, Internet (Private SSID & authentication & MAC filtering). University Staff takes a 10.50.x.x IP and comes to VLAN 2.
DATA PROCESSING CENTER WORKER TOPOLOGY-1
Diagram components: Data Processing Center Worker, non-broadcasting SSID (Private), Access Point.
DATA PROCESSING CENTER WORKER TOPOLOGY-2
Diagram components: Data Processing Center Worker, non-broadcasting SSID (Private), Access Point, Switch, Radius Server (Private SSID & authentication & MAC filtering). Data Processing Center Worker takes a 192.168.x.x IP and comes to VLAN 3.
DATA PROCESSING CENTER WORKER TOPOLOGY-2
Diagram components: Data Processing Center Worker, non-broadcasting SSID (Private), Access Point, Switch, Radius Server, Backbone Switch, Intranet Web Server, Database Server (Private SSID & authentication & MAC filtering). Data Processing Center Worker takes a 192.168.x.x IP and comes to VLAN 3.
DATA PROCESSING CENTER WORKER GENERAL TOPOLOGY
Diagram components: Data Processing Center Worker, non-broadcasting SSID (Private), Access Point, Switch, Radius Server, Backbone Switch, Intranet Web Server, Database Server, Firewall, Internet (Private SSID & authentication & MAC filtering). Data Processing Center Worker takes a 192.168.x.x IP and comes to VLAN 3.
SECURITY POLICY
The purpose of this policy is to provide guidance for the secure operation and implementation of wireless local area networks (WLANs).
AUTHENTICATION
University Staff and Data Processing Center Workers have to authenticate to the system if they want to have different kinds of rights.
For authentication, username and password authentication is used, so users must use strong passwords (an alphanumeric and special-character string at least eight characters in length).
Shared secret (or shared key) authentication must be used to authenticate to the WLAN.
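To make the password rule above checkable at account creation, here is an added Python check (not part of the policy document) that reports which requirements a candidate password fails: at least eight characters, at least one letter, at least one digit and at least one special character. Reading "alphanumeric and special character string" as requiring all three character classes, and taking Python's punctuation set as the definition of "special character", are both assumptions; the sample passwords are constructed.

```python
import string

MIN_LENGTH = 8                           # "at least eight characters in length"
SPECIAL_CHARS = set(string.punctuation)  # assumed meaning of "special character"


def password_policy_violations(password: str) -> list:
    """Return the list of policy rules the password fails (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special characters")
    return failures


def is_strong_password(password: str) -> bool:
    """True when the password meets every rule of the policy."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    # Constructed sample candidates, from clearly weak to compliant.
    for pw in ["abc123", "password", "Isik2005!", "Sile#Campus99"]:
        print(pw, "->", password_policy_violations(pw) or "OK")
```

Returning the full list of failed rules, rather than a single yes/no, lets the enrolment form tell a user exactly what to change, and lets an audit script count which rule is failed most often.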
ENCRYPTION & ACCESS CONTROL
Distinct WEP keys provide more security than default keys and reduce the risk of key compromise.
SSID
MAC (Media Access Control)
PHYSICAL AND LOGICAL SECURITY
Access points must be placed in secure areas, such as high on a wall, in a wiring closet, or in a locked enclosure, to prevent unauthorized physical access and user manipulation.
Access points must be covered by Intrusion Detection Systems (IDS) at designated areas on campus property to detect unauthorized access or attacks.
CONCLUSION
With this design, Students, University Staff and Data Processing Center Workers can connect securely wherever they want, without using extra devices or making any adjustments.