Page 1: Building a Secure & Scaleable Wireless LAN Infrastructure

Emory Network Communications

Stan Brooks, CWNA, CWSP
Emory Network Communications
stan.brooks@emory.edu
AIM-Y!-MSN: WLANstan

Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Outline

- About Emory
- Emory’s Wireless Network Today & Yesterday
- The “New” WLAN: What We Chose – and Why
- How We Deployed the Architecture
- Network Usage
- Tips, Tricks, Traps, & Best Practices

Page 3: About Emory & NetCom

Who we are
- Network Communications Division supports both Emory University & Emory Healthcare

Network scope
- Data: ~32,700 data ports
- Voice: ~43,500 voice lines & 17,800 V-Mailboxes
- Video: 3000+ Cable TV drops
- Pagers: ~6800 pagers
- 2-Way Radios: for Facilities Mgmt & Police

Page 4: Wireless Network – Today’s Scope

- Two systems
  - Academic: ~1000 Access Points (APs)
  - Healthcare: ~525 APs
  - Total of ~1525 APs
- Over 2300 simultaneous wireless users
- Spanning 3 campuses, 3 hospitals, & 8+ clinics
- Covering 130+ buildings and outdoor areas

Page 5: Back in Time – Late 2004/Early 2005

- Legacy environment: autonomous APs with VPN termination capability
- Chosen security model: open Wi-Fi with VPN authentication & encryption; no guest access
- Was the “right” solution at the time (pre-2005)
- Deployment: ~75-100 APs in library locations & some administration areas
- “Issues” for the users and network support

Page 6: Welcome to My Nightmare: Deployment

- Autonomous APs, each requiring configuration and network provisioning
- Issues with defining & managing:
  - AP IP addresses, DHCP pools, VPN pools, VLANs
  - RF channel & power settings
  - Individual APs as RADIUS clients
- Configuring each AP took a long time

Page 7: Welcome to My Nightmare: Management

- DHCP & VPN pool / IP subnet management
- Authentication client/server management
- Client roaming
- Adding an SSID was near impossible because of our routed network architecture: local IP pools and VLANs were needed at each AP location
- Adding different security models was near impossible

WE NEEDED A BETTER SOLUTION!!!

Page 8: Selection Criteria: Our Wireless Concerns

- Security: wireless is inherently NOT SECURE!
- Scalability & Flexibility: grow to a large number of APs; support a variety of different groups of wireless users
- Manageability: supportable both during deployment and for ongoing operations

Page 9: Wireless Security Concerns

There are 3 main areas to address:

1) Protect data as it travels from source to destination
   - Eavesdropping
   - Integrity (tampering)
   - Denial of Service (DoS)

2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)

3) Protect the client from unauthorized access
   - MitM/Evil Twin and Ad Hoc attacks
   - Hacking open hard drive shares

(Diagram labels: “Real” Wireless User, “Real” Access Point, Wired Network. Caption: Security is a PROCESS)

Page 10: Security

- Security is a PROCESS
- Apply security in layers
- There is NO single security silver bullet
- Different types of data require different levels of security: a term paper vs. student grades vs. financial aid data vs. health records
- A business risk assessment helps to define requirements

Page 11: Scalability & Flexibility

- Network estimated to grow to around 2500 APs
- Ease of deployment: limited resources (headcount), compressed deployment timelines
- Flexible architecture in order to:
  - Support our current user base
  - Grow to other security models
  - Add SSIDs
  - Add guest access and move towards WPA

Page 12: Manageability

- Limited staff for supporting WLAN infrastructure
- Automated RF channel & power control
- Ability to quickly troubleshoot wireless issues: WLAN infrastructure issues and user/client issues (#1 issue with Wi-Fi)
- Ability to track users
- Ability to easily see the WLAN “Big Picture”

Page 13: Decision: Aruba Networks

- WLAN switch/controller architecture
- Ease of configuration, deployment, management, and scaling
- Easily emulated our security model (VPN access)
- Easily handled our evolving security model(s)
- Redundancy

Page 14: Aruba WLAN Switch/Controller-based Implementation

- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An authenticated user associates to an AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations, including the Internet
- A guest user associates to an AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on Emory’s network

(Diagram labels: Authenticated User, SSID: EmoryUnplugged; Guest User, SSID: EmoryGuest; “Thin” Access Point; Aruba WLAN Switch/Controller w/ Built-in Firewall and Per User Access Control; Emory’s Internal Network; Internet)

Page 15: How We Deployed: Site Surveys

- We try to do a site survey for each location
  - To get a basic understanding of the “RF Landscape”
  - To get an idea of deployment densities
- Not used for RF channel or power plans
  - The controllers do that job very well
  - Some overrides necessary depending on the local terrain

Page 16: How We Deployed: WLAN Growth

Deployment timeline:
- Initial deployment of 39 APs in the Law School (03/05)
- Additional deployments from 04/05 to 09/05: School of Public Health & some outdoor areas
- Replaced ~75-100 legacy APs by 08/05
- Move-In Weekend ’05 saw a push to get Wi-Fi in all residence buildings by start of Spring ’06 semester (~5 months): ~460 APs deployed in 50+ buildings in less than 5 months, including surveys & designs
- Also deployed Healthcare starting in 08/05, with a large deployment summer of 2006
- Currently (06/07): 500 APs in ResNet, 500 APs covering the rest of campus, 525 APs on Healthcare network, 21 Aruba controllers on both networks

(Chart: AP count, 0 to 1600, from Mar.05 to Jun.07; series: Academic APs, Healthcare APs)

Page 17: How We Deployed: Installing the APs

- Contractors pulled data drops and mounted APs
- Created a “Best Practices” document for AP mounting
  - Ensures a unified (correct) approach for mounting & labeling APs

Page 18: How We Deployed: Installing the APs

- Emory mounted APs so they are visible
  - Ease of locating for troubleshooting
  - Visual indication of Wi-Fi availability for users
- Weighed the potential for damaged or stolen APs
  - APs are relatively inexpensive
  - None stolen to date
  - Have lost 5 due to damage over 2 years
- Published an AP “Light Guide” so users can report problems

Page 19: If You Build It, They Will Come!

- Move-In Weekend 2006 was an eye-opener
  - Turned off ResNet VPN & guest access to force users to WPA
  - Implemented NetReg NAC on wireless and wired networks
- Users flocked to wireless in droves
  - Spring Semester ’06: ~835 peak simultaneous users
  - Move-In Weekend ’06: ~1900+ peak simultaneous users
- Incoming freshmen didn’t know (and didn’t want to know) what an Ethernet cable was
- Their mantra: I want my wireless connectivity!

Page 20: Crunch Time – Dealing w/Unexpected Usage Growth

- Subnet crunch
  - Wireless subnets maxed out
  - Additional subnets on ResNet controllers needed (and quickly)
- Load balancing
  - APs were evenly distributed among controllers, but users were not
  - Developed spreadsheets to estimate # of users/dorm
  - Aruba’s “VLAN pooling” feature automatically spread users across multiple subnets
  - Retained class-C subnet size
  - Now peaks of 350-400 users/controller, evenly distributed

Page 21: Emory’s Wireless Growth

(Graphs: Total Academic Wireless Clients (month); VPN Wireless Clients (year); Guest Wireless Clients (year); Total Academic Wireless Clients (year); Total Healthcare Clients (year). Academic and Healthcare wireless traffic as of Oct 2006)

Page 22: Wireless User Graphs (04/07)

(Graphs: Academic and Healthcare wireless traffic as of April 2007)

Page 23: The End Result: Emory’s Wireless Networks Today

- 21 Aruba controllers (05/07): 9 Healthcare controllers, 12 Academic controllers
- Wireless footprint continues to grow
  - Adding APs as departments and schools request them
  - Adding controllers as APs increase (128 APs/controller)
- Adding new functionality
  - VoIP over Wi-Fi (VoFi) in the hospital and beyond
  - Addressing “non-standard” applications
- Consolidated wireless networks: now a unified system
  - Considering merging Academic & Healthcare wireless systems

Page 24: Some Tips, Tricks and Best Practices

- Contractor documentation
  - Provide floor plans with AP placement
  - Provide best practices documents
  - Provide forms for contractors to fill out: AP MAC & S/No, data jack #, Ethernet switch ID & port
- Record AP MACs & S/No’s for remote AP configuration
  - Preconfigured APs with a “location code”
  - Contractors record the AP placement, MAC & S/No: a check & balance system for installations
- Project management/workflow
  - We used project managers to manage contractors and installation schedules

Page 25: Some Tips, Tricks and Best Practices (cont)

- Manage IP subnets & load balancing
  - Dorms: use pillows as a surrogate for users
  - Spreadsheets can help plan load balancing efforts
- Walk the wireless areas with a tablet/laptop/PDA to get a feel for coverage and user problems
  - Ask users about coverage and functionality
- Keep an eye out for new things: wireless exploits, new technology, etc.
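To make the subnet and load-balancing planning concrete, here is an added Python example (not code from the talk, Emory or Aruba): it estimates peak users per dorm from bed counts as the pillow heuristic suggests, balances dorms across controllers by estimated users rather than by AP count, and sizes a pool of class-C subnets per controller as the VLAN-pooling slide describes. The dorm names, bed counts, the 0.6 peak ratio and the 75% fill target are assumptions; only the 128 APs/controller figure comes from the slides.

```python
# Constructed example (not from the talk): size per-controller VLAN pools from
# dorm bed counts ("pillows as a surrogate for users", VLAN pooling of class-C
# subnets, 128 APs per controller). Names, counts and ratios are assumptions.
import math
from dataclasses import dataclass

USABLE_PER_C = 254   # hosts in a /24 after the network and broadcast addresses
TARGET_FILL = 0.75   # keep peak occupancy under 75% so DHCP never runs dry
AP_CAP = 128         # APs per controller (figure stated on the slides)
PEAK_RATIO = 0.6     # assumed fraction of pillows online at peak (constructed)

@dataclass
class Building:
    name: str
    pillows: int
    aps: int

    def est_users(self) -> int:
        # Peak simultaneous users, estimated from bed count.
        return round(self.pillows * PEAK_RATIO)

def pool_size(peak_users: int) -> int:
    """Number of /24s to pool so the peak stays under TARGET_FILL; a result
    above 1 is exactly the subnet crunch a single class-C would hit."""
    return max(1, math.ceil(peak_users / (USABLE_PER_C * TARGET_FILL)))

def assign(buildings, n_ctl):
    """Greedy balancing: largest estimated user load first, onto the
    least-loaded controller that still has AP headroom. Balances users,
    not AP counts, which is the correction the slides describe."""
    ctls = [{"users": 0, "aps": 0, "buildings": []} for _ in range(n_ctl)]
    for b in sorted(buildings, key=Building.est_users, reverse=True):
        fits = [c for c in ctls if c["aps"] + b.aps <= AP_CAP]
        if not fits:
            raise ValueError(f"no controller has AP headroom for {b.name}")
        c = min(fits, key=lambda c: c["users"])
        c["users"] += b.est_users()
        c["aps"] += b.aps
        c["buildings"].append(b.name)
    for c in ctls:
        c["subnets"] = pool_size(c["users"])
    return ctls

# Constructed dorm list; the numbers are illustrative, not Emory's.
DORMS = [Building("Dorm A", 600, 30), Building("Dorm B", 450, 24),
         Building("Dorm C", 300, 18), Building("Dorm D", 250, 14),
         Building("Dorm E", 200, 12), Building("Dorm F", 150, 10)]

if __name__ == "__main__":
    for i, c in enumerate(assign(DORMS, 3)):
        print(f"controller {i}: {c['users']} users, {c['aps']} APs, "
              f"{c['subnets']} x /24, {c['buildings']}")
```

With the constructed dorms, every controller ends up needing two or three pooled /24s, which is the same crunch a single class-C per controller produced at Emory's peaks of 350-400 users.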

Page 26: Some Tips, Tricks and Best Practices (cont)

- Most wireless issues we’ve seen are client based: drivers, service packs, client configuration, etc.
  - A good wireless infrastructure will help you troubleshoot these issues
- Our APs let us know of wired infrastructure issues
  - Constant communication with the controllers lets them act as “canaries in a coal mine”, indicating wired network health

Page 27: Recap

- The Legacy Wireless Network – and its Problems
- The Decision Process – What Criteria We Used
- Our Chosen Architecture – Aruba
- How We Built Out the WLAN
- Network Growth We’ve Experienced
- What We Learned – Useful Tips & Tricks

Page 28: Questions?

Presenter: Stan Brooks – stan.brooks@emory.edu

Building a Secure & Scaleable WLAN Infrastructure