Emory Network Communications
Building a Secure & Scalable Wireless LAN Infrastructure
Stan Brooks, CWNA, CWSP
Emory Network Communications
AIM/Y!/MSN: WLANstan
Copyright Stan Brooks 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Outline
- About Emory
- Emory’s Wireless Network Today & Yesterday
- The “New” WLAN: What We Chose – and Why
- How We Deployed the Architecture
- Network Usage
- Tips, Tricks, Traps, & Best Practices
3
About Emory & NetCom
- Who we are: the Network Communications Division supports both Emory University & Emory Healthcare
- Network scope
  - Data: ~32,700 data ports
  - Voice: ~43,500 voice lines & 17,800 V-Mailboxes
  - Video: 3000+ Cable TV drops
  - Pagers: ~6800 pagers
  - 2-Way Radios: for Facilities Mgmt & Police
4
Wireless Network – Today’s Scope
- Two systems
  - Academic: ~1000 Access Points (APs)
  - Healthcare: ~525 APs
  - Total of ~1525 APs
- Over 2300 simultaneous wireless users
- Spanning 3 campuses, 3 hospitals, & 8+ clinics
- Covering 130+ buildings and outdoor areas
5
Back in Time – Late 2004/Early 2005
- Legacy environment: autonomous APs with VPN termination capability
- Chosen security model
  - Open Wi-Fi w/ VPN authentication & encryption
  - No guest access
- Was the “right” solution at the time (pre-2005)
- Deployment: ~75-100 APs in library locations & some administration areas
- “Issues” for the users and network support
6
Welcome to My Nightmare: Deployment
- Autonomous APs, each requiring configuration and network provisioning
- Issues with defining & managing:
  - AP IP addresses, DHCP pools, VPN pools, VLANs
  - RF channel & power settings
  - Individual APs as RADIUS clients
- Configuring each AP took a long time
7
Welcome to My Nightmare: Management
- DHCP & VPN pool / IP subnet management
- Authentication client/server management
- Client roaming
- Adding an SSID was near impossible because of our routed network architecture: local IP pools and VLANs were needed at each AP location
- Adding different security models was near impossible
- WE NEEDED A BETTER SOLUTION!!!
8
Selection Criteria: Our Wireless Concerns
- Security: wireless is inherently NOT SECURE!
- Scalability & Flexibility
  - Grow to a large number of APs
  - Support a variety of different groups of wireless users
- Manageability: supportable both during deployment and for ongoing operations
9
Wireless Security Concerns
There are 3 main areas to address:
1) Protect data as it travels from source to destination
   - Eavesdropping
   - Integrity (tampering)
   - Denial of Service (DoS)
2) Protect the network from unauthorized/compromised users
   - Rogue APs
   - Stolen/hacked credentials
   - Client remediation (NAC/NAP/etc.)
3) Protect the client from unauthorized access
   - MitM/Evil Twin and Ad Hoc attacks
   - Hacking open hard drive shares
[Diagram: “Real” Wireless User – “Real” Access Point – Wired Network; caption: Security is a PROCESS]
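The second and third concerns above (rogue APs, Evil Twin and ad hoc impersonation) are the ones an installation inventory makes detectable: once the radio MACs of every managed AP are recorded, any beacon advertising one of the organization's SSIDs from an unlisted MAC is worth a look. The script below is an added example, not code from this presentation or from Aruba; the SSID names are the two the deck shows on its architecture slide, and the authorized-MAC inventory and scan observations are constructed for illustration.

```python
"""Triage Wi-Fi scan results against an authorized-AP inventory.

Added example for this slide; it is not code from the presentation or from
Aruba. It assumes an inventory of authorized radio MACs (BSSIDs) of the kind
recorded at install time, and a list of scan observations; both are
constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed: the SSIDs the organization actually broadcasts (the deck names these two).
MANAGED_SSIDS = {"EmoryUnplugged", "EmoryGuest"}

# Constructed inventory of authorized radio MACs; the real list would come from
# the install records (AP MAC & serial number) or from the controller.
AUTHORIZED_BSSIDS = {
    "00:1a:1e:00:00:10",
    "00:1a:1e:00:00:11",
    "00:1a:1e:00:00:20",
}


@dataclass(frozen=True)
class Beacon:
    """One observed beacon: who is advertising what, and how."""
    bssid: str
    ssid: str
    channel: int
    rssi: int   # dBm at the scanning radio
    mode: str   # "infra" for an access point, "adhoc" for an IBSS peer


def classify(beacon: Beacon) -> str:
    """Return a verdict for one beacon.

    managed              -> BSSID is in the inventory
    evil-twin-candidate  -> unknown BSSID advertising one of our SSIDs
    adhoc-impersonation  -> an ad hoc network using one of our SSIDs
    unknown              -> unknown BSSID with a foreign SSID (neighbor, hotspot, ...)
    """
    bssid = beacon.bssid.lower()
    if beacon.mode == "adhoc":
        return "adhoc-impersonation" if beacon.ssid in MANAGED_SSIDS else "unknown"
    if bssid in AUTHORIZED_BSSIDS:
        return "managed"
    if beacon.ssid in MANAGED_SSIDS:
        return "evil-twin-candidate"
    return "unknown"


def triage(beacons: Iterable[Beacon]) -> Dict[str, List[Beacon]]:
    """Group every non-managed beacon by verdict, strongest signal first."""
    findings: Dict[str, List[Beacon]] = {}
    for b in beacons:
        verdict = classify(b)
        if verdict != "managed":
            findings.setdefault(verdict, []).append(b)
    for group in findings.values():
        group.sort(key=lambda x: x.rssi, reverse=True)
    return findings


# Constructed scan sample: two legitimate APs, one unknown radio copying a
# managed SSID, a neighbor's network, and a laptop in ad hoc mode.
SAMPLE_SCAN = [
    Beacon("00:1a:1e:00:00:10", "EmoryUnplugged", 1, -48, "infra"),
    Beacon("00:1a:1e:00:00:11", "EmoryGuest", 1, -49, "infra"),
    Beacon("02:13:37:ab:cd:ef", "EmoryUnplugged", 6, -40, "infra"),
    Beacon("00:1f:33:aa:bb:cc", "CoffeeShopNet", 11, -70, "infra"),
    Beacon("06:21:44:de:ad:00", "EmoryGuest", 6, -55, "adhoc"),
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_SCAN).items():
        for h in hits:
            print(f"{verdict:22} {h.bssid} ssid={h.ssid} ch={h.channel} rssi={h.rssi}")
```

Sorting each group by signal strength puts the finding that is physically closest to the scanner first, which is the one a technician walking the building with a laptop (as the later tips suggest) can actually go and locate. A controller-based WLAN can run this comparison continuously from its own APs' scan data; the logic is the same.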
10
Security
- Security is a PROCESS
- Apply security in layers
- There is NO single security silver bullet
- Different types of data require different levels of security
  - A term paper vs. student grades vs. financial aid data vs. health records
- A business risk assessment helps to define requirements
11
Scalability & Flexibility
- Network estimated to grow to around 2500 APs
- Ease of deployment
  - Limited resources (headcount)
  - Compressed deployment timelines
- Flexible architecture in order to:
  - Support our current user base
  - Grow to other security models
  - Add SSIDs
  - Add guest access and move towards WPA
12
Manageability
- Limited staff for supporting WLAN infrastructure
- Automated RF channel & power control
- Ability to quickly troubleshoot wireless issues
  - WLAN infrastructure issues
  - User/client issues (#1 issue with Wi-Fi)
- Ability to track users
- Ability to easily see the WLAN “Big Picture”
13
Decision: Aruba Networks
- WLAN switch/controller architecture
- Ease of:
  - Configuration
  - Deployment
  - Management
  - Scaling
- Easily emulated our security model (VPN access)
- Easily handled our evolving security model(s)
- Redundancy
14
Aruba WLAN Switch/Controller-based Implementation
- The AP attaches to the network infrastructure and gets its configuration from the Aruba WLAN switch/controller
- The AP builds a tunnel to the Aruba WLAN switch/controller
- An authenticated user associates to the AP; all traffic is tunneled to the controller, where it is scrutinized and passed or blocked to various destinations, including the Internet
- A guest user associates to the AP; all traffic is tunneled to the controller, scrutinized, and forwarded to the Internet as policy dictates
- Using a centralized controller gives a single point of ingress and control for wireless traffic on Emory’s network
[Diagram: Authenticated User (SSID: EmoryUnplugged) and Guest User (SSID: EmoryGuest) → “Thin” Access Point → Aruba WLAN Switch/Controller w/ built-in firewall and per-user access control → Emory’s Internal Network / Internet]
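What "scrutinized and passed or blocked" amounts to at the controller is a per-role rule list with first-match semantics and an implicit deny at the end, applied to every tunneled flow. The code below is an added example that models that evaluation; it is not code from this presentation and not Aruba's configuration syntax or firewall engine. The role names, rule format, the use of RFC 1918 ranges to stand for "Emory's internal network", and the sample flows are all assumptions made for the illustration.

```python
"""First-match, default-deny per-role policy, evaluated over sample flows.

Added example, not code from the presentation or from Aruba; the role names,
rule format and networks are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed: the RFC 1918 ranges stand in for "Emory's internal network".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    dst: str               # "internal" or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every port


# Assumed role policies, evaluated top to bottom; anything unmatched is denied.
ROLES = {
    # Guest: bootstrap services, then everything internal is blocked, then the Internet.
    "guest": [
        Rule("permit", "any", "udp", 67),        # DHCP
        Rule("permit", "any", "udp", 53),        # DNS
        Rule("deny", "internal", "any", None),
        Rule("permit", "any", "any", None),
    ],
    # Authenticated user: full access; finer per-department rules would go here.
    "authenticated": [
        Rule("permit", "any", "any", None),
    ],
}


def is_internal(dst_ip: str) -> bool:
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_matches(rule: Rule, dst_ip: str, proto: str, dport: int) -> bool:
    if rule.dst == "internal" and not is_internal(dst_ip):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(role: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return "permit" or "deny" for one flow; a role with no rules gets nothing."""
    for rule in ROLES.get(role, []):
        if rule_matches(rule, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed flows: (role, destination, protocol, port)
SAMPLE_FLOWS = [
    ("guest", "10.20.0.53", "udp", 53),           # internal DNS resolver
    ("guest", "10.20.5.17", "tcp", 445),          # internal file server
    ("guest", "198.51.100.7", "tcp", 443),        # public web site (documentation range)
    ("authenticated", "10.20.5.17", "tcp", 445),
    ("unregistered", "198.51.100.7", "tcp", 80),  # no role assigned yet
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:14} -> {flow[1]}:{flow[3]}/{flow[2]:4} {evaluate(*flow)}")
```

The ordering matters: the guest's DNS and DHCP permits sit above the "deny internal" rule so that name resolution against a campus resolver still works, while every other internal destination is blocked before the catch-all Internet permit is reached. A client that has not yet been placed in a role (the "unregistered" flow) matches nothing and is denied, which is the behaviour the NAC registration step on a later slide relies on.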
15
How We Deployed: Site Surveys
- We try to do a site survey for each location
  - To get a basic understanding of the “RF Landscape”
  - To get an idea of deployment densities
- Not used for RF channel or power plans
  - The controllers do that job very well
  - Some overrides necessary depending on the local terrain
16
How We Deployed: WLAN Growth
Deployment Timeline:
- Initial deployment of 39 APs in the Law School (03/05)
- Additional deployments from 04/05 to 09/05: School of Public Health & some outdoor areas
- Replaced ~75-100 legacy APs by 08/05
- Move-In Weekend ’05 saw a push to get Wi-Fi in all residence buildings by start of Spring ’06 semester (~5 months): ~460 APs deployed in 50+ buildings in less than 5 months, including surveys & designs
- Also deployed Healthcare starting in 08/05, with large deployment summer of 2006
- Currently (06/07):
  - 500 APs in ResNet
  - 500 APs covering the rest of campus
  - 525 APs on Healthcare network
  - 21 Aruba controllers on both networks
[Chart: AP count (0–1600) from Mar.05 to Jun.07; series: Academic APs, Healthcare APs]
17
How We Deployed: Installing the APs
- Contractors pulled data drops and mounted APs
- Created a “Best Practices” document for AP mounting
  - Ensures a unified (correct) approach for mounting & labeling APs
18
How We Deployed: Installing the APs
- Emory mounted APs so they are visible
  - Ease of locating for troubleshooting
  - Visual indication of Wi-Fi availability for users
- Weighed the potential for damaged or stolen APs
  - APs are relatively inexpensive
  - None stolen to date
  - Have lost 5 due to damage over 2 years
- Published an AP “Light Guide” so users can report problems
19
If You Build It, They Will Come!
- Move-In Weekend 2006 was an eye-opener
  - Turned off ResNet VPN & guest access to force users to WPA
  - Implemented NetReg NAC on wireless and wired networks
- Users flocked to wireless in droves
  - Spring Semester ’06: ~835 peak simultaneous users
  - Move-In Weekend ’06: ~1900+ peak simultaneous users
- Incoming freshmen didn’t know (and didn’t want to know) what an Ethernet cable was
- Their mantra: I want my wireless connectivity!
20
Crunch Time – Dealing w/Unexpected Usage Growth
- Subnet crunch
  - Wireless subnets maxed out
  - Additional subnets on ResNet controllers needed (and quickly)
- Load balancing
  - APs were evenly distributed among controllers, but users were not
  - Developed spreadsheets to estimate # of users/dorm
  - Aruba’s “VLAN pooling” feature automatically spread users across multiple subnets
  - Retained class-C subnet size
  - Now peaks of 350-400 users/controller – evenly distributed
21
Emory’s Wireless Growth
[Graphs: Total Academic Wireless Clients (month); VPN Wireless Clients (year); Guest Wireless Clients (year); Total Academic Wireless Clients (year); Total Healthcare Clients (year)]
Academic and Healthcare Wireless Traffic as of Oct 2006
22
Wireless User Graphs (04/07)
Academic and Healthcare Wireless Traffic as of April 2007
23
The End Result: Emory’s Wireless Networks Today
- 21 Aruba controllers (05/07)
  - 9 Healthcare controllers
  - 12 Academic controllers
- Wireless footprint continues to grow
  - Adding APs as departments and schools request them
  - Adding controllers as APs increase (128 APs/controller)
- Adding new functionality
  - VoIP over Wi-Fi (VoFi) in the hospital and beyond
  - Addressing “non-standard” applications
- Consolidated wireless networks: now a unified system
  - Considering merging Academic & Healthcare wireless systems
24
Some Tips, Tricks and Best Practices
- Contractor documentation
  - Provide floor plans with AP placement
  - Provide best practices documents
  - Provide forms for contractors to fill out: AP MAC & S/No, data jack #, Ethernet switch ID & port
- Record AP MACs & S/No’s for remote AP configuration
  - Preconfigured APs with a “location code”
  - Contractors record the AP placement, MAC & S/No
  - Check & balance system for installations
- Project management/workflow: we used project managers to manage contractors and installation schedules
25
Some Tips, Tricks and Best Practices (cont)
- Manage IP subnets & load balancing
  - Dorms: use pillows as a surrogate for users
  - Spreadsheets can help plan load balancing efforts
- Walk the wireless areas with a tablet/laptop/PDA to get a feel for coverage and user problems
  - Ask users about coverage and functionality
- Keep an eye out for new things: wireless exploits, new technology, etc.
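The "subnet crunch" slide (APs evenly spread across controllers, users not) and the pillows-as-users tip above describe one planning calculation: assign dorms to controllers by expected users rather than by AP count, then size each controller's pool of class-C subnets with headroom. The code below is an added example that carries that calculation through; it is not code from this presentation or from Aruba. The dorm figures are constructed, the 80% headroom figure is an assumption, and the hash-based client spread at the end is a stand-in for the idea of VLAN pooling, not Aruba's actual algorithm.

```python
"""Plan controller assignment and subnet counts from pillow counts.

Added example for the "subnet crunch" and "pillows as a surrogate for users"
slides; it is not code from the presentation or from Aruba. The dorm figures
are constructed, and the VLAN-pool spread is a simple hash, not Aruba's
VLAN pooling algorithm.
"""
import hashlib
import math
from typing import Dict, List, Tuple

USABLE_PER_CLASS_C = 254   # /24 less the network and broadcast addresses
HEADROOM = 0.80            # assumed: plan so no pool runs more than 80% full

# Constructed: dorm -> (pillows, APs). Towers are dense (many pillows, few APs);
# sprawling low-rise halls need many APs for few residents.
DORMS: Dict[str, Tuple[int, int]] = {
    "Tower A":      (600, 12),
    "Tower B":      (580, 12),
    "Sprawl Hall":  (150, 40),
    "Quad Houses":  (140, 38),
    "Annex":        (120, 36),
    "Lodge":        (40, 6),
}


def assign(dorms: Dict[str, Tuple[int, int]], controllers: int, by: str) -> List[List[str]]:
    """Greedy largest-first assignment: each dorm goes to the controller that
    currently carries the least of the chosen metric ("aps" or "pillows")."""
    idx = 1 if by == "aps" else 0
    load = [0] * controllers
    groups: List[List[str]] = [[] for _ in range(controllers)]
    for name, stats in sorted(dorms.items(), key=lambda kv: kv[1][idx], reverse=True):
        target = load.index(min(load))      # first controller with the lowest load
        groups[target].append(name)
        load[target] += stats[idx]
    return groups


def pillows_per_controller(groups: List[List[str]], dorms: Dict[str, Tuple[int, int]]) -> List[int]:
    return [sum(dorms[d][0] for d in g) for g in groups]


def aps_per_controller(groups: List[List[str]], dorms: Dict[str, Tuple[int, int]]) -> List[int]:
    return [sum(dorms[d][1] for d in g) for g in groups]


def class_c_subnets_needed(peak_users: int) -> int:
    """Number of /24 pools needed to keep every pool under the headroom limit."""
    return math.ceil(peak_users / (USABLE_PER_CLASS_C * HEADROOM))


def pick_vlan(client_mac: str, pool: List[int]) -> int:
    """Deterministically spread clients across a VLAN pool (assumed hash spread,
    so a returning client lands in the same subnet each time)."""
    digest = hashlib.sha256(client_mac.lower().encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


if __name__ == "__main__":
    for metric in ("aps", "pillows"):
        groups = assign(DORMS, 2, by=metric)
        print(f"balanced by {metric}:")
        for i, g in enumerate(groups):
            users = pillows_per_controller(groups, DORMS)[i]
            aps = aps_per_controller(groups, DORMS)[i]
            print(f"  controller {i}: {aps:3} APs, {users:4} pillows"
                  f" -> {class_c_subnets_needed(users)} x /24  {g}")
```

With these figures, balancing by AP count lands 70 and 74 APs on the two controllers but 1370 and 260 pillows, so one controller needs seven class-C pools while the other is nearly idle; balancing by pillows gives 780 and 850, four and five pools respectively, which is the "evenly distributed" outcome the slide reports. The pool count is what the VLAN pooling feature then spreads clients across.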
26
Some Tips, Tricks and Best Practices (cont)
- Most wireless issues we’ve seen are client based
  - Drivers, service packs, client configuration, etc.
  - A good wireless infrastructure will help you troubleshoot these issues
- Our APs let us know of wired infrastructure issues
  - Constant communication with the controllers lets them act as “canaries in a coal mine”, indicating wired network health
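The canary effect only turns into an actionable alert when AP down events are correlated with the switch each AP hangs off, which is exactly the switch ID and port the contractor forms on the earlier tips slide capture. The script below is an added example, not code from this presentation or from Aruba: it assumes an AP-to-switch map built from those install records and a controller event log in an assumed line format, both constructed here, and separates a burst of APs dropping together on one switch (check the wired side) from a single AP that dropped on its own (check the AP).

```python
"""Use AP reachability events as wired-network canaries.

Added example for the "canaries in a coal mine" slide; not code from the
presentation or from Aruba. It assumes an AP-to-switch map built from the
contractor install records (switch ID & port) and a log of AP up/down events,
both constructed here. The log format and field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed inventory: AP name -> (Ethernet switch, port), as recorded at install.
AP_SWITCH: Dict[str, Tuple[str, str]] = {
    "AP-LAW-101": ("sw-law-1", "Gi1/0/1"),
    "AP-LAW-102": ("sw-law-1", "Gi1/0/2"),
    "AP-LAW-103": ("sw-law-1", "Gi1/0/3"),
    "AP-LAW-104": ("sw-law-1", "Gi1/0/4"),
    "AP-SPH-201": ("sw-sph-1", "Gi1/0/1"),
    "AP-SPH-202": ("sw-sph-1", "Gi1/0/2"),
    "AP-SPH-203": ("sw-sph-1", "Gi1/0/3"),
}

# Constructed controller event log (assumed format): a flap on one SPH AP,
# all four Law School APs dropping within seconds, one more SPH AP later.
SAMPLE_LOG = """\
2007-04-12T07:40:02 ap=AP-SPH-201 event=down
2007-04-12T07:41:30 ap=AP-SPH-201 event=up
2007-04-12T08:01:05 ap=AP-LAW-103 event=down
2007-04-12T08:01:07 ap=AP-LAW-101 event=down
2007-04-12T08:01:09 ap=AP-LAW-104 event=down
2007-04-12T08:01:12 ap=AP-LAW-102 event=down
2007-04-12T08:15:44 ap=AP-SPH-203 event=down
"""

LINE_RE = re.compile(r"^(\S+) ap=(\S+) event=(up|down)$")


def parse_events(log: str) -> List[Tuple[datetime, str, str]]:
    """Turn log lines into (timestamp, ap, event); lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def analyze(log: str, window: timedelta = timedelta(minutes=2), min_fraction: float = 0.75):
    """Split AP down events into suspected switch outages and isolated AP problems.

    A switch is suspect when at least min_fraction of its APs report down
    within any window-long interval; otherwise each down event on that switch
    is reported as a single-AP issue."""
    downs_by_switch: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ap, event in parse_events(log):
        if event == "down" and ap in AP_SWITCH:
            downs_by_switch[AP_SWITCH[ap][0]].append((ts, ap))

    aps_on_switch: Dict[str, Set[str]] = defaultdict(set)
    for ap, (switch, _port) in AP_SWITCH.items():
        aps_on_switch[switch].add(ap)

    suspect_switches: Dict[str, List[str]] = {}
    isolated: List[str] = []
    for switch, downs in downs_by_switch.items():
        downs.sort()
        best: Set[str] = set()
        for start, _ in downs:        # slide a window over the sorted events
            group = {ap for ts, ap in downs if start <= ts <= start + window}
            if len(group) > len(best):
                best = group
        if len(best) / len(aps_on_switch[switch]) >= min_fraction:
            suspect_switches[switch] = sorted(best)
        else:
            isolated.extend(sorted({ap for _, ap in downs}))
    return suspect_switches, sorted(isolated)


if __name__ == "__main__":
    switches, aps = analyze(SAMPLE_LOG)
    for sw, members in switches.items():
        print(f"check wired side: {sw} lost {len(members)} APs together: {members}")
    for ap in aps:
        print(f"single AP issue: {ap} on {AP_SWITCH[ap][0]} {AP_SWITCH[ap][1]}")
```

The threshold is a fraction rather than a count so that a closet with three APs and one with twenty are judged the same way; the window keeps a slow trickle of unrelated AP failures from being mistaken for an outage. The flapping AP-SPH-201 still shows up as an isolated event, which is the right outcome: a technician should look at that AP and its port, not at the switch.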
27
Recap
- The Legacy Wireless Network – and its Problems
- The Decision Process – What Criteria We Used
- Our Chosen Architecture – Aruba
- How We Built Out the WLAN
- Network Growth We’ve Experienced
- What We Learned – Useful Tips & Tricks
28
Questions?
Presenter: Stan Brooks – [email protected]
Building a Secure & Scalable WLAN Infrastructure