Hacker High

Shared by: vixycn
posted:
10/22/2009
Hacker High School Wireless Network Enhancement
Presented by Team 3: Frank Arcila, James Botkin, Roger Brush, Robert Cross, Tami Gallupe, Shaun Phelps and Jeff Schlotzhauer
3/19/2003, CS 635 Group Research Project - Team 3

Topics
- Project Introduction – Jeff
- Wireless – Frank
- WAN / VPN – Tami
- LAN – James
- Security – Bob
- Return on Investment – Roger
- Configuration Management – Frank
- Training – Shaun
- Summary - Jeff

Project Introduction - Premise
- Consultants responding to a school's network enhancement RFP
- Hacker High School
  - Typical facilities
  - 2000 students
  - 150 staff
[Figure: campus map. Labels: Fine/Digital Arts Building (FDA); Science & Math Complex (SMC); Performing Arts/Auditorium; Field; Industrial Arts Building; Administrative Offices (South East Corner of SMC and Basement); Liberal Arts Building]

Project Introduction - Requirements
- HHS basic requirements:
  - Provide wireless access campus wide
  - Network standalone devices
  - Connect existing networks together
  - Make network secure
  - Use COTS products when possible

Project Introduction – Site Survey
- Two existing wired LANs
- Connectivity to District Office
- Performing Arts building
  - Standalone workstations
  - Wasn't wired to other campus facilities
- No existing wireless capabilities

Wireless
Frank Arcila
[Figure labels: LapTop; Workstation; Comm. Tower; Hand Held Computer]

Wireless - Hacker High
[Figure: campus map. Labels: Fine/Digital Arts Building (FDA); Science & Math Complex (SMC); Performing Arts/Auditorium; Field; Industrial Arts Building; Administrative Offices (South East Corner of SMC and Basement); Liberal Arts Building]

Wireless - Concerns
- Staff is not trained on components of proposed wireless upgrade
- School's goal, "to prepare students for the Digital World" is of concern:
  - Historic lack of complete infrastructure
  - General fear of adopting & integrating technology improperly
- Documentation shows "improper user activities" occur at rates proportional to the number of students in the Computer Science Department

Wireless - Physical Environment
[Figure: campus floor plan with areas marked A, B and C. Labels: Field; Bleachers; Performing Arts/Auditorium Building (PAA); Industrial Arts Building (IA); Fine/Digital Arts Building (FDA); Liberal Arts Building (LA); Science and Math Complex (SMC) Science Wing; Science and Math Complex (SMC) Math Wing]

Wireless - User Population
[Chart: Users (estimated), scale 0 to 2000, at Current, 1 Year and 5 Years. Series: Staff/Faculty; Students]

Wireless - Load
- Assumptions
  - APs degrade at about 55% of rated capacity
  - Using 802.11b
  - Required performance level is 100 Kbps
- 60 happy users per AP
- 24 APs on campus
  - Enough for 1440 under balanced load conditions at minimum performance

Wireless - Antenna Distribution/Number
- Physical layout is driving the minimum number of APs, not minimum capacity

Wireless – Threat Mitigation (Security)

Threat: Wireless Packet Sniffers
Mitigated by: IPSec encryption of wireless traffic

Threat: Man in the Middle
Mitigated by: IPSec encryption of wireless traffic

Threat: Unauthorized Access
Mitigated by: The only known protocols for initial IP configuration (DHCP) and VPN access (DNS, Internet Key Exchange [IKE], and Encapsulating Security Payload [ESP]) are allowed from the WLAN to the network through filtering at the AP and Layer 3 switch.

Threat: IP Spoofing
Mitigated by: Hackers can spoof traffic on the wireless LAN, but only valid, authenticated IPSec packets will ever reach the production wired network.

Threat: ARP Spoofing
Mitigated by: ARP spoofing attacks can be launched; however, data is encrypted to the VPN gateway so hackers will be unable to read the data.

Threat: Password Attacks
Mitigated by: These threats are mitigated through good password policies and auditing.

Threat: Network Topology Discovery
Mitigated by: Only IKE, ESP, and DHCP are allowed from this segment into the production network. DNS is only provided once the client has connected… each client will be configured with the required IP addresses required for client authentication when access processing (user account sign-up at Technical Services Team Help Desk) is completed.

Source: Cisco SAFE: Wireless LAN Security in Depth

Wireless - Proposed Approach

WAN / VPN
Tami Gallupe

WAN / LAN
- WAN, a technology definition
- VPN, as defined in technology
- Hacker High Assessment
- Recommendation

Wired LAN
James Botkin

Wired LAN – Existing
[Figure: existing wired LAN diagram. Legend: 100BASE-T. Labels, in order: Science and Math Complex; Administrative Offices; 16 Offices, 30 Computers; Application Servers; 25 Classrooms, 50 Computers; Computer Lab 1, 25 Computers; Computer Lab 2, 25 Computers; Performing Arts/Auditorium; Fine/Digital Arts Building; 10 Computers; Practice Studio, 6 Computers; 20 Classrooms, 40 Computers; Library, 20 Computers; Digital Imaging Lab, 15 Computers]

Wired LAN - Problems
- Network Traffic: entire LAN consists of hubs, all connected computers see network traffic
- Management: the existing hardware does not provide a means to manage the configuration and performance of the network
- Security: the computers in the administrative offices are not currently protected from intrusion by any network level mechanism

Wired LAN - Requirements
- Create a single unified campus wired LAN.
- Replace existing wired LAN with modern high-performance, yet cost-effective LAN
- Add wired network connectivity to the new-construction buildings and connect them to the campus LAN
- The network traffic from the Digital Imaging Lab should be segmented from the rest of the LAN to prevent its traffic from affecting other segments
- Use manageable network hardware
- Provide a network level mechanism for securing access to the computers in the administrative offices

Wired LAN – New Design
[Figure: new wired LAN diagram. Legend: 1000BASE-SX; 100BASE-T]
- Cisco 4912G-L3 Switch
- Science and Math Complex: 3 Switches, 108 10/100 Ports (Cisco 3550-48, Cisco 3550-48, Cisco 3550-12); Application Servers; 25 Classrooms, 50 Computers; Computer Lab 1, 25 Computers; Computer Lab 2, 25 Computers
- Administrative Offices: 1 Switch, 48 10/100 Ports (Cisco 3550-48); 16 Offices, 30 Computers
- Fine/Digital Arts Building: 3 Switches, 96 10/100 Ports (Cisco 3550-48, Cisco 3550-24, Cisco 3550-24); 20 Classrooms, 40 Computers; Library, 20 Computers; Digital Imaging Lab, 15 Computers
- Liberal Arts Building: 2 Switches, 72 10/100 Ports (Cisco 3550-48, Cisco 3550-24); 20 Classrooms, 40 Computers; Language Lab, 25 Computers
- Industrial Arts Building: 1 Switch, 24 10/100 Ports (Cisco 3550-24); 5 Classrooms, 10 Computers
- Performing Arts/Auditorium: 1 Switch, 12 10/100 Ports (Cisco 3550-12); 10 Computers; Practice Studio, 6 Computers

Wired LAN - Hardware
- Cisco Catalyst line of switches
- 1000BASE-SX used to interconnect switches
- Redundancy
  - Each secondary switch is connected to the primary switch using two 1000BASE-SX connections.
  - If one connection fails, the other can continue network traffic as normal.
  - Uses Spanning Tree Protocol to prevent loops

Wired LAN - Security
- Switches integrate with RADIUS server
- ACL can be set up to restrict access based on:
  - MAC addresses
  - IP addresses
  - TCP ports
- Total number of devices connected to a single port can be limited
- Option to use full firewall instead

Security
Robert (Bob) Cross

Security – Lifecycle security model
[Figure: lifecycle diagram. Labels: Identify systems and assets on the network and identify critical vulnerability points; Identify changes to network infrastructure and compliance with policies; Define and document an organizational security policy]

Security
- Defense in Depth Architecture
  - Physical Security
  - Intrusion Detection System
  - Standard 802.11 Security Mechanisms
  - Robust Authentication and Encryption
  - Virtual Private Network
  - Network Segregation
  - Controlled Access of System Resources
- Confidentiality, Integrity, and Availability Weights

Security
- Physical Security
  - Controlled Perimeter
  - Assets in Lockable Rooms or Containers
- Emissions Control
  - Signal Interception
  - Antennae Types
  - Location of Access Points
  - Access Point Signal Strength

Security
- Vulnerabilities and Mitigation
  - Weak authentication / Remote Authentication Dial-in User Service (RADIUS)
  - Weak encryption / Virtual Private Networks (VPNs)
  - Interception and eavesdropping / VPN and antennae placement and power settings
  - Physical access to wireless components / Locked containers and rooms, hidden APs

Security – Legal issues
- School District Involvement
  - Documented Policies
- Prosecution of Misuse Requires a Minimum of:
  - Written Publicly Disseminated Policy
  - A System Legal Banner
  - After Action Forensics
- Training on Wireless and General Network Use
  - Classes for Students, Teachers, and Administrators
  - Signed System Use Agreements

Return on Investment
Roger Brush

Return on Investment (ROI)
- Analysis
  - Advanced form of Cost-Benefit analysis
  - How much will investment earn over time
  - Simple or as Complex as desired

Return on Investment (ROI)
- Difference between Commercial and Educational
  - Quality/Cost of equipment and duration kept
  - Commercial returns more quantifiable
  - Level of Support Required

Return on Investment (ROI)
- Total Costs of Ownership (TCO)
  - All costs of installing, operating, maintaining system over time
  - Consists of
    - Hardware
    - Software
    - Support
    - Training
    - Future Upgrades

Configuration Management
Frank Arcila

Configuration Management
- Outside Scope of Proposal
- Recommendations
  - Policy Publication/Distribution
  - Documentation
  - Change Management
  - Support to Security function

Training
Shaun Phelps

Training
- Network Administrator Training
  - Installation
  - Administration
  - Hardware and Security Features

Training
- Employee Utilization
  - Based Primarily on District Policy
  - Appropriate Use and Network Usage Policy
  - Procedures to Add Additional Equipment

Training
- Two Day Network Administrator Course
  - Card Installation and Configuration
  - Base Station Configuration
  - Connecting to LAN
  - Security Implementation Measures
  - Areas to Consider Implementing Within Network Usage Policy

Summary
Jeff Schlotzhauer

Summary
- Reviewed HHS's RFP noting basic requirements
- Performed a site survey
  - showed us what we had to work with
  - Identified additional requirements

Summary
- Recommendations included considerations for:
  - Hardware & software – wired, wireless LAN/WAN/VPN
  - Security
  - Return on Investment
  - Future growth – traffic and no. of users
  - Configuration management (O&M)
  - Staffing
  - Training
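
The filtering described on the Wireless – Threat Mitigation slide (only DHCP, IKE and ESP pass from the WLAN segment into the production network, with DNS provided only after the client has connected) can be modelled as a first-match allow-list and checked against sample traffic. This is an added example, not part of the original presentation; the addresses are documentation-range placeholders and the names `Flow`, `RULES`, `evaluate` and `audit` are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Placeholder addresses (RFC 5737 documentation range); assumed, not from the deck.
VPN_GATEWAY = ip_address("192.0.2.10")
DHCP_SERVER = ip_address("192.0.2.20")
BROADCAST = ip_address("255.255.255.255")

@dataclass(frozen=True)
class Flow:
    """One packet header seen on the WLAN-facing interface (hypothetical model)."""
    proto: str                     # "udp", "tcp", "esp", "icmp"
    dst: str
    dport: Optional[int] = None    # None for protocols without ports
    src: str = "198.51.100.50"     # never consulted: it can be spoofed

# (name, protocol, allowed destinations, destination port)
# DNS is absent on purpose: the slide provides it only after the VPN is up.
RULES = [
    ("dhcp", "udp", {BROADCAST, DHCP_SERVER}, 67),
    ("ike", "udp", {VPN_GATEWAY}, 500),
    ("esp", "esp", {VPN_GATEWAY}, None),
]

def evaluate(flow: Flow, rules=RULES):
    """First match wins; anything unmatched is dropped (implicit deny)."""
    dst = ip_address(flow.dst)
    for name, proto, dsts, dport in rules:
        if flow.proto == proto and dst in dsts and (dport is None or dport == flow.dport):
            return ("permit", name)
    return ("deny", "default")

def audit(flows):
    """Return (flow, verdict) pairs so a change to RULES can be reviewed offline."""
    return [(f, evaluate(f)) for f in flows]

# Constructed sample traffic, not captured from any network.
SAMPLES = [
    Flow("udp", "255.255.255.255", 67, src="0.0.0.0"),  # DHCP discover
    Flow("udp", "192.0.2.10", 500),                      # IKE negotiation
    Flow("esp", "192.0.2.10"),                           # tunnelled data
    Flow("udp", "192.0.2.53", 53),                       # DNS before the VPN is up
    Flow("tcp", "192.0.2.30", 445, src="192.0.2.99"),    # spoofed "inside" source
    Flow("esp", "192.0.2.30"),                           # ESP sent past the gateway
]

if __name__ == "__main__":
    for flow, (action, rule) in audit(SAMPLES):
        print(f"{action:6} {rule:8} {flow.proto} -> {flow.dst}:{flow.dport}")
```

The filter only narrows what can reach the VPN gateway; whether an ESP packet is valid and authenticated is decided at the gateway itself, which is the point of the IP Spoofing row.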
