
No More VPN for Wireless!

PDI 2010 Steve Lovaas, ACNS


Presentation Transcript


  1. No More VPN for Wireless! PDI 2010 Steve Lovaas, ACNS

  2. Wireless With CSU-NET Overview
     • Technology basics
     • Wireless security at CSU so far
     • The new way of doing things: CSU-NET
     • Step-by-step configuration

  3. Wireless: Where we started
     • Less controlled than wired network
     • Anyone can try to connect
     • Wasn’t designed with ANY security
     • Early security add-ons (WEP) were poor!
     • Technology was useful before it was safe…
     • We should have predicted that

  4. Wireless: Where We’ve Been
     • Protect our resources
     • Find malicious users
     • Protect private traffic
     • Early hardware didn’t support native crypto
     • Security standards slow to evolve
     • Easiest solution: VPN Authenticate & Encrypt

  5. CSU Wireless Security: VPN
     • Cisco VPN: The OLD Way
     • Require VPN to reach wired LAN or Internet
     • Pre-load application and profile
     • Encrypted tunnel to VPN server
     • Can sort some by group profile, separate IP space

  6. CSU Wireless Security: VPN
     • Problems with the VPN approach
     • Install & maintain
     • System compatibility
     • Client vulnerabilities
     • Licensing $$
     • Dropped connections
     • Waste of IP addresses
     • Hassle!

  7. CSU Wireless Security: SSL gateway
     • A newer approach, easier
     • Application & profile dynamically downloaded
     • Web based
     • Compatible with more systems, through firewalls
     • Sorts on username, Windows OU, etc.

  8. CSU Wireless Security: SSL gateway
     • Problems with the SSL gateway approach
     • It’s a lot easier, but…
     • Java/ActiveX downloads and permissions
     • Java/ActiveX vulnerabilities
     • Licensing $$

  9. Wireless Security Standards
     • Letting the wireless client & AP do the work
     • First try: WEP (shared-key) = BAD
     • Next try: WPA = slightly better protocol
     • Finally: WPA2 = stronger encryption, too
     • But these all rely on shared keys (passwords)
     • And those can be stolen, broken

  10. Wireless Security Standards
     • WPA2 Enterprise = can replace VPN
     • Finalized in 2004 (IEEE 802.11i)
     • Centralized authentication (RADIUS)
     • Strong encryption (AES)
     • Native to client (no extra software to install)
     • The official standard now (802.11 – 2007)
     • More compatibility (Win/Mac/Linux/mobile/etc.)
     • This is CSU-NET!

  11. CSU-NET Architecture [diagram; labels: Surfing, Encrypted, Authenticated]

  12. How-To: Prerequisites
     • Operating system up to date
        • XP SP3 (or SP2 with patch)
        • Vista, Windows 7
        • Mac OS X since 10.4
        • Recent Linux
     • Wireless card drivers up to date
        • Download from manufacturer
        • Must support WPA2

  13. How-To: Settings
     • Just a few basic settings
        • Authentication: WPA2-Enterprise
        • Encryption: AES
        • Authentication Type: PEAP
        • Authentication Protocol: MSCHAP v2
        • Certificate Authority: Equifax
     • ACNS web site instructions for Win, Mac
     • Updating for Equifax CA rather than IPS Servidores

  14. Demo (tempting fate)
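
The settings on slide 13 can be checked mechanically on a Linux client. The following Python sketch is an added example, not part of the original presentation: it parses a wpa_supplicant network block and lists deviations from those settings. The mapping to wpa_supplicant keys is this example's assumption, and the SSID string, identity and CA file path in the sample are placeholders.

```python
import re

# Slide 13 settings expressed as wpa_supplicant keys (mapping is an assumption).
REQUIRED = {
    "key_mgmt": "WPA-EAP",      # WPA2-Enterprise (802.1X via RADIUS)
    "proto": "RSN",             # WPA2 only, no WPA fallback
    "pairwise": "CCMP",         # Encryption: AES
    "eap": "PEAP",              # Authentication Type
    "phase2": "auth=MSCHAPV2",  # Authentication Protocol
}

# Constructed sample profile; SSID, identity and CA path are placeholders.
SAMPLE = '''
network={
    ssid="CSU-NET"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="example-user"
    ca_cert="/etc/ssl/certs/EXAMPLE-CA.pem"
}
'''

def parse_network(text):
    """Return key -> value for the first network={...} block, quotes stripped."""
    block = re.search(r"network=\{(.*?)\n\}", text, re.S)
    if not block:
        raise ValueError("no network block found")
    pairs = re.findall(r"^\s*([a-z0-9_]+)=(.*?)\s*$", block.group(1), re.M)
    return {key: value.strip('"') for key, value in pairs}

def audit(text):
    """List deviations from the slide's settings; an empty list means compliant."""
    net = parse_network(text)
    findings = [f"{key}: expected {want}, found {net.get(key, '<unset>')}"
                for key, want in REQUIRED.items() if net.get(key) != want]
    # Without a configured CA the client does not verify the RADIUS server's
    # certificate before sending PEAP credentials, so report a missing ca_cert.
    if not net.get("ca_cert"):
        findings.append("ca_cert: unset, server certificate is not validated")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "profile matches slide 13")
```
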
