Now that we have discussed the means to create a secure wireless architecture, let's put what you have learned to use by looking at a good wireless network design.
The sample organization is a small university that wants to add wireless for students, faculty, and visitors, as well as a small wireless network for executive administrators. The requirements are as follows:
Based on these basic requirements and the secure design elements we have discussed in this chapter, our proposed design is illustrated in Figure 14.5.
Figure 14.5. The proposed wireless architecture uses many of the defenses we discussed in this chapter.
The key to this design is the functionality of the Cisco Aironet 1200 series access point that is used for the public wireless networks, that is, the Faculty, Student, and Visitor networks. The Aironet 1200 supports multiple VLANs and a unique security policy on each VLAN. Each of the wireless networks is deployed as its own Extended Service Set (ESS), or basically as its own separate wireless network, with each being configured as an independent VLAN on the Aironet. Two APs are deployed to extend the range to cover the required service area of the campus. However, with this added coverage comes added exposure, which is why security is paramount. Both Aironets are trunked to the central 650x Series switch, which has a Firewall Services Module (FWSM) installed in it. The FWSM allows the trunked VLANs to be firewalled from each other as well as from the rest of the wired network.
From a security perspective, each of the three networks is configured differently. The Visitor VLAN security policy is configured to support no encryption, as specified in the network requirements. MAC address authentication is disabled because anyone should be able to access the Visitor ESS. No authentication is required, but connections are logged and the FWSM is configured to only allow the Visitor network access to the Internet and certain public resources at the university.
The Student VLAN security policy is configured to support WPAv2 Enterprise and uses a RADIUS server that is protected by the FWSM. This strong security algorithm is critical in the campus environment to protect critical university resources from outside access. Because the university grounds are basically an unsecured public space, an interloper with a laptop could wander right into range without drawing any suspicion. Therefore, a secure protection algorithm combined with strong authentication can greatly increase the security of the university network. Also, specific firewall rules are added for the Student VLAN to allow access only to student resources. SSID broadcasts are enabled because we will not be able to configure all of the students' laptops, and MAC address authentication is disabled for the same reason. RADIUS authentication will be used for student access, and it will steer the students to the correct VLAN using a special feature of the Aironet AP that forces authenticated clients to the appropriate ESS.
The Faculty ESS VLAN security policy is also configured to support WPAv2 Enterprise and uses the same protected RADIUS server. This strong protection protocol and authentication method is vital not only to protect the faculty resources from outside attackers, but also to protect them from curious students who may want to take a closer look at their grades. Again, the FWSM is used to allow access only to faculty resources and to defend the wired network from the wireless network. Broadcasts are not required in this case, but because we have RADIUS configured to assign clients to the correct VLAN, we can save ourselves a lot of administrative work by keeping broadcasts enabled. MAC address authentication will be enabled for the Faculty VLAN to add an additional level of security.
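The VLAN steering used for both the Student and the Faculty networks depends on the RADIUS server returning RFC 2868/3580 tunnel attributes in its Access-Accept. The following Python is an added example, not code from the book or from Cisco: it builds those attributes and shows the checks an AP should make before honoring them (the VLAN numbers 20 and 30 and the tag values are constructed for illustration).

```python
# Added example (not from the book): RFC 2868/3580 tunnel attributes that a RADIUS
# server returns so the AP moves an authenticated client to its VLAN, with the
# consistency checks an AP should apply. VLAN numbers below are constructed.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE 802 media

def _avp(attr_type, value):
    """One RADIUS attribute: type byte, total length byte, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vlan_assignment(vlan_id, tag=0):
    """Attributes the RADIUS server adds to Access-Accept to place the client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    # Integer tunnel attributes carry a 1-byte tag followed by a 3-byte value.
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))

def parse_avps(data):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def assigned_vlan(avps):
    """VLAN the AP should use, or None to leave the client on the SSID's default VLAN.
    All three attributes must share a tag and agree that this is an IEEE 802 VLAN."""
    by_tag = {}
    for attr_type, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tagged = value[0] <= 0x1F      # RFC 2868: a first byte above 0x1F is data, not a tag
            tag, body = (value[0], value[1:]) if tagged else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (len(attrs) == 3
                and int.from_bytes(attrs[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_IEEE_802
                and attrs[TUNNEL_PRIVATE_GROUP_ID].isdigit()
                and 1 <= int(attrs[TUNNEL_PRIVATE_GROUP_ID]) <= 4094):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

A client whose Access-Accept lacks any of the three attributes, or carries inconsistent tags, stays on the default VLAN of the SSID it associated to, which is why the firewall policy on each VLAN still matters.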
Faculty laptops are deployed using host-hardening best practices and installed with host-based defense components. Not only will this help protect the Faculty network from direct wireless attacks, it will help the university be aware of events occurring on the wireless network.
Finally, the Admin network is configured quite differently from the public wireless network. Though in a highly secure environment wired connectivity would be strongly suggested over wireless, sometimes business requirements force the use of inherently less-secure solutions. In this case, the administrators are the ones making the decisions, and they want the flexibility of wireless networking in the administration area. With this in mind, the highest level of wireless networking security must be applied to the administrators' network. The center of the design is a single AP deployed at a carefully chosen point in the administration office area, thus minimizing access from the outside (as demonstrated in Figure 14.6).
Figure 14.6. Whereas the main publicly accessible multi-VLAN APs are available all over campus, controls are used to limit the range of the Admin AP as much as possible.
Signal leakage will be minimized by using signal-limiting window tint on all offices. Also, because redecorating is not allowed in the admin area, the ceilings below their second-floor offices will be painted with signal-limiting metallic-based paint. The Admin AP will be from a different manufacturer than the public APs to provide additional defense in depth. However, with this decision comes additional administrative cost, because support personnel need to be trained on more than one product type. Broadcasts will be disabled and MAC address authentication will be configured. WPAv2 Enterprise is enabled and a separate RADIUS server is used for authentication.
Host-hardening best practices are used and the same host-defense components are installed on the administrators' laptops. Also, because security is paramount in their environment, the administrators' laptops are configured to use transport mode AH IPSec connectivity to the critical resources they need to access, such as student grades, confidential employee information, and business information that is not publicly available. We have chosen AH because it has less overhead than ESP, and because we have implemented WPAv2 using AES encryption, we are not terribly concerned about confidentiality being breached in the Admin network. Because AH does not encrypt the payload, the traffic is in the clear once it has left the AP and therefore remains subject to IDS scans and content inspection. At the same time, AH adds another level of authentication that must be passed to gain access to critical resources.
An additional firewall is deployed between the Admin wireless network and the production network to control access to production wired resources.
This design employs many of the security options we have covered in this chapter. A strong network design is the foundation of this plan. Despite the fact that wireless may not be ideal for parts of this network, business requirements justify the security tradeoff. Therefore, maximizing the security posture through the use of all means available is paramount. Defense-in-depth methodologies are used throughout and a proven encryption algorithm enhances the network's security. Finally, all devices are properly hardened using best practices and the design is continually audited as a means of ongoing verification.