SECURE WIRELESS NETWORK IN IŞIK UNIVERSITY ŞİLE CAMPUS. Designed by VOLKAN MUHTAROĞLU.
WLAN (Wireless LAN) • WLANs were introduced in 1986 for use in barcode scanning. • A properly selected and installed Wi-Fi (wireless fidelity) network. • 802.11a, 802.11b and 802.11g are the IEEE standards; 802.11g is the most recent of the three.
THE PROJECT • The problem: how can three different kinds of user connect through the same access point and securely reach different kinds of data on our campus? • In other words, if we take three groups of people, students, university staff and data processing center workers, each group should reach different data, or hold different rights, when connecting through the access point, and do so securely.
THREE DIFFERENT USER TYPES • Student • University Staff • Data Processing Center Worker
COMPONENTS OF THE SECURE WIRELESS NETWORK • Cisco Aironet 1100 Series Access Point • RADIUS Server • Two switches (one managed switch, one backbone switch) • VLANs • Cisco PIX Firewall • WEP and LEAP • Database Server • Intranet Web Server
Cisco Aironet 1100 Series Access Point • It is a wireless LAN transceiver. • The 1100 series is cheaper than the alternatives and performs well. • It is also easy to manage and widely deployed.
RADIUS SERVER • RADIUS is a distributed client/server system that secures networks against unauthorized access. • Use RADIUS in network environments that require access security. • The server is also called an AAA server, which stands for Authentication, Authorization and Accounting. • In this project the RADIUS server will provide authentication and MAC filtering.
SWITCHES • Managed switch • Backbone switch • I will use three different address ranges, one per user type: students get 10.0.x.x (10.0.0.0/16), University Staff get 10.50.x.x (10.50.0.0/16), and Data Processing Center workers get 192.168.x.x (192.168.0.0/16).
VLAN • A VLAN is a switched network that is logically segmented. • I will use VLANs to give the three user types different rights on the WLAN.
CISCO PIX FIREWALL • I chose it because I have it.
DATABASE AND INTRANET WEB SERVER • Database Server: only Data Processing Center workers can access this server. • Intranet Web Server: only University Staff and Data Processing Center workers can access this server.
HOW WILL THE DESIGN WORK? • First: how will students, university staff and data processing center workers be placed on different VLANs, and how can I give them different rights? • Second: how do these users reach their VLAN? • Third, and most important: how do I provide security?
SSID (Service Set Identifier) • When you connect to a WLAN you see the name of the WLAN; that name is the SSID.
FOR VLAN 1 • We define two SSIDs: one is broadcast, the other is non-broadcast (hidden). • For instance, the broadcast SSID is tsunami and the hidden SSID is Private. Anyone who connects to the access point sees tsunami automatically; connecting to it places you in VLAN 1, and this VLAN provides access to the Internet only. • Two caveats: tsunami is the factory default SSID of Aironet access points, so a real deployment should use its own name; and hiding an SSID is not a security control, because the hidden name is still sent in the clear in probe and association frames. The hidden SSID only steers users to the right VLAN; the authentication behind it does the actual access control.
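To show why a non-broadcast SSID stays visible to a passive listener, here is an added example (not part of the original design) that builds a beacon with the SSID element blanked, as a hidden SSID is transmitted, and the association request a client must send to join that SSID, then parses both. The MAC addresses, the SSID names tsunami and Private, and the frames themselves are constructed for the example.

```python
import struct

SSID_IE = 0           # 802.11 information element ID for the SSID
MGMT_HDR_LEN = 24     # frame control + duration + addr1..3 + sequence control
# Constructed MAC addresses for the example (00:40:96 is a Cisco OUI; the rest is made up).
AP = bytes.fromhex("004096010203")
STA = bytes.fromhex("000c41aabbcc")
BCAST = b"\xff" * 6
RATES = b"\x82\x84\x8b\x96"  # supported-rates IE: 1, 2, 5.5, 11 Mbit/s
# Length of the fixed fields that precede the tagged parameters, by management subtype:
# assoc req/resp, reassoc req, probe req/resp, beacon.
FIXED_LEN = {0: 4, 1: 6, 2: 10, 4: 0, 5: 12, 8: 12}

def ies(params):
    """Encode (element id, payload) pairs as 802.11 tagged parameters."""
    return b"".join(struct.pack("<BB", tag, len(val)) + val for tag, val in params)

def mgmt_header(subtype, src, dst):
    fc = struct.pack("<H", subtype << 4)   # type 0 (management), subtype in bits 4-7
    return fc + b"\x00\x00" + dst + src + AP + b"\x00\x00"   # duration, addr1, addr2, BSSID, seq

def beacon(ssid, hidden=False):
    """Beacon (subtype 8). A 'non-broadcast' SSID is sent as a zero-length SSID element."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)  # timestamp, beacon interval, capabilities
    return mgmt_header(8, AP, BCAST) + fixed + ies([(SSID_IE, b"" if hidden else ssid), (1, RATES)])

def assoc_request(ssid):
    """Association request (subtype 0): the client names the SSID it wants, in the clear."""
    fixed = struct.pack("<HH", 0x0011, 10)       # capabilities, listen interval
    return mgmt_header(0, STA, AP) + fixed + ies([(SSID_IE, ssid), (1, RATES)])

def frame_ssid(frame):
    """Return the SSID carried by a management frame ('' for a hidden beacon, None if absent)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    off = MGMT_HDR_LEN + FIXED_LEN[subtype]
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        if tag == SSID_IE:
            return frame[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None

def observed_ssids(frames):
    """What a passive sniffer learns: every non-empty SSID in the captured frames."""
    return {s for s in map(frame_ssid, frames) if s}

if __name__ == "__main__":
    capture = [beacon(b"tsunami"), beacon(b"Private", hidden=True), assoc_request(b"Private")]
    print(observed_ssids(capture))   # both names, including the 'hidden' one
```

The hidden beacon yields an empty SSID, but the first staff member who associates reveals Private to anyone listening; treat the name as a routing hint, not a secret.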
AUTHENTICATION • If you are not a student, you type the non-broadcast SSID name to connect; you are then shown a username and password window, which is how you obtain the additional rights. • When you enter the username and password, the credentials are forwarded to the RADIUS server. • At this point EAP (Extensible Authentication Protocol) is used.
WEP (Wired Equivalent Privacy) • WEP is the encryption algorithm (RC4) used by the Shared Key authentication process for authenticating stations and for encrypting data payloads over the wireless segment of the LAN only. • The secret key is 40 or 104 bits long; together with the 24-bit initialization vector (IV) this gives the advertised WEP key lengths of 64 and 128 bits. • A WEP key is an alphanumeric (or hexadecimal) string used in two ways in a wireless LAN: • to verify the identity of an authenticating station, and • to encrypt data. • Caveat: the 24-bit IV space is small, so keystreams repeat, and the RC4 key schedule leaks information about the key; a static WEP key can therefore be recovered from passively captured traffic. This is why the design relies on per-session dynamic keys delivered through EAP rather than on one static key.
CRITERIA • The 802.11 standard specifies the following criteria for security: • Exportable • Reasonably strong • Self-synchronizing • Computationally efficient • Optional • WEP meets all of these requirements. WEP is meant to support the security goals of confidentiality, access control and data integrity; note, however, that its integrity check (a CRC-32 ICV) is linear, so it detects accidental corruption but not deliberate modification.
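The WEP slides above describe the IV, the key lengths and the ICV; this added example (a toy implementation written for this page, not code from the original project or from Cisco) puts them together and then shows the two failures a practitioner should know: a reused IV lets an attacker recover a second plaintext without the key, and the linear CRC-32 ICV lets an attacker change an encrypted frame and fix up the ICV without the key. The 40-bit key, IVs and plaintexts are constructed.

```python
import struct
import zlib

def rc4(key, n):
    """RC4 keystream of n bytes (KSA + PRGA); WEP seeds it with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(secret, iv, plaintext):
    """Frame body = IV(3) || key-id(1) || RC4(IV || secret) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + secret, len(body)))

def wep_decrypt(secret, frame):
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + secret, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV check failed")
    return data

def recover_by_iv_reuse(known_frame, known_plain, target_frame):
    """Two frames under the same IV share a keystream, so C1 XOR C2 = P1 XOR P2:
    knowing P1 (e.g. a predictable request) yields P2 with no key at all."""
    assert known_frame[:3] == target_frame[:3], "IVs differ; keystreams are unrelated"
    n = min(len(known_plain), len(target_frame) - 8)
    return xor(xor(known_frame[4:4 + n], target_frame[4:4 + n]), known_plain[:n])

def flip_bits(frame, delta):
    """Modify an encrypted frame without the key and keep the ICV valid.
    CRC-32 is affine: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros), so the encrypted
    ICV can be patched with a correction that does not depend on the key."""
    body, tag = frame[4:-4], frame[-4:]
    delta = delta.ljust(len(body), b"\x00")
    fix = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(bytes(len(body)))) & 0xFFFFFFFF)
    return frame[:4] + xor(body, delta) + xor(tag, fix)

if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")   # constructed 40-bit key (the page's "64-bit WEP")
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(secret, iv, b"GET /index.html ")
    f2 = wep_encrypt(secret, iv, b"POST /login.cgi ")   # same IV reused by the driver
    print(recover_by_iv_reuse(f1, b"GET /index.html ", f2))
    f3 = wep_encrypt(secret, b"\x00\x00\x02", b"balance=100")
    print(wep_decrypt(secret, flip_bits(f3, bytes(8) + xor(b"100", b"999"))))
```

Neither attack touches the RC4 key, which is the point: the "reasonably strong" and "data integrity" criteria are not met by WEP in practice, and dynamic per-session keys only shrink the window rather than close it.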
EAP (Extensible Authentication Protocol) • This authentication type provides the highest level of security available on the access point. • The access point uses EAP to interact with an EAP-compatible RADIUS server. • The session key produced by the EAP exchange serves as a dynamic (per-user, per-session) WEP key. • There are five different EAP types; I will use LEAP (Lightweight Extensible Authentication Protocol, designed by Cisco). • Caveat: LEAP's MS-CHAP-style challenge/response can be attacked offline with a dictionary by anyone who captures the exchange, so it is only as strong as the password policy; certificate-based EAP-TLS, or PEAP, avoids this weakness.
MAC (Media Access Control) ADDRESS FILTERING • The RADIUS server checks the client's MAC address against a list of allowed MAC addresses. • If your MAC address is registered as a University Staff address, you are placed in VLAN 2 with those rights; if it is registered as a Data Processing Center worker's address, you are placed in VLAN 3 with those rights. • Caveat: a MAC address is transmitted in the clear and is trivial to change on the client, so the MAC check only narrows which devices may attempt to log in; the username and password authentication is what actually establishes identity.
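The three slides above (credentials forwarded to RADIUS, EAP, MAC filtering, and the VLAN the user lands on) describe one exchange between the access point and the RADIUS server. This added example, written for this page and not taken from the project or from any Cisco or RADIUS product, implements that exchange at the RFC 2865 packet level: the access point hides the password with the shared secret and sends User-Name, User-Password and Calling-Station-Id; the server checks all three against a user table and answers with the RFC 2868 tunnel attributes (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, Tunnel-Private-Group-ID) that put the client on VLAN 2 or VLAN 3; the access point verifies the Response Authenticator before trusting the VLAN. It uses a plain User-Password request rather than the LEAP challenge/response; the shared secret, users, passwords and MAC addresses are constructed.

```python
import hashlib
import os
import struct

# RFC 2865 / RFC 2868 constants
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

SECRET = b"constructed-ap-radius-secret"   # shared secret between AP and RADIUS (assumption)
# Constructed user table: password, registered client MAC, VLAN the user lands on.
USERS = {
    "staff1": ("Sta!ff2024pw", "00:0c:41:aa:bb:cc", "2"),   # University Staff -> VLAN 2
    "dpc1":   ("Dpc#Adm1nXyz", "00:0c:41:dd:ee:ff", "3"),   # Data Processing Center -> VLAN 3
}

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def attr(atype, value):
    return struct.pack("BB", atype, len(value) + 2) + value

def parse_attrs(data):
    attrs, off = {}, 0
    while off + 2 <= len(data):
        atype, length = data[off], data[off + 1]
        attrs[atype] = data[off + 2:off + length]
        off += length
    return attrs

def hide_password(password, authenticator, secret=SECRET):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret || previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, authenticator, secret=SECRET):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, password, mac, ident=1, authenticator=None):
    """What the access point (NAS) sends after the user types a username and password."""
    ra = authenticator or os.urandom(16)              # Request Authenticator
    body = (attr(USER_NAME, user.encode()) +
            attr(USER_PASSWORD, hide_password(password.encode(), ra)) +
            attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def radius_server(request, secret=SECRET):
    """Authenticate, apply MAC filtering, and answer with the VLAN for this user."""
    code, ident, length = struct.unpack_from("!BBH", request)
    ra, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode()
    password = unhide_password(attrs.get(USER_PASSWORD, b""), ra, secret)
    mac = attrs.get(CALLING_STATION_ID, b"").decode().lower()
    entry = USERS.get(user)
    if code == ACCESS_REQUEST and entry and password == entry[0].encode() and mac == entry[1]:
        tag = b"\x01"   # tunnel tag byte groups the three attributes together
        body = (attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")) +
                attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big")) +
                attr(TUNNEL_PRIVATE_GROUP_ID, tag + entry[2].encode()))
        code = ACCESS_ACCEPT
    else:
        body, code = b"", ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + ra + body + secret).digest()
    return header + response_auth + body

def verify_response(response, request, secret=SECRET):
    """The AP must check the Response Authenticator before trusting the VLAN it carries."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def assigned_vlan(response):
    if response[0] != ACCESS_ACCEPT:
        return None
    return parse_attrs(response[20:])[TUNNEL_PRIVATE_GROUP_ID][1:].decode()

if __name__ == "__main__":
    req = access_request("staff1", "Sta!ff2024pw", "00:0c:41:aa:bb:cc")
    resp = radius_server(req)
    print(verify_response(resp, req), assigned_vlan(resp))   # True 2
```

Two things the page's text implies but does not spell out are visible here: the MAC check is an extra condition on an already authenticated user, not a credential by itself, and the VLAN assignment is only as trustworthy as the Response Authenticator check, which rests entirely on the AP-to-RADIUS shared secret.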
SECURITY POLICY • The purpose of this policy is to provide guidance for the secure operation and implementation of wireless local area networks (WLANs).
AUTHENTICATION • University Staff and Data Processing Center workers must authenticate to the system if they want additional rights. • Username and password authentication is used, so users must choose strong passwords (letters, digits and special characters, at least eight characters long). • Shared Key authentication must be used to authenticate to the WLAN. (Note: 802.11 Shared Key authentication sends a challenge and its WEP-encrypted response in the clear, which hands an eavesdropper a keystream sample; Open authentication followed by EAP is the stronger combination.)
ENCRYPTION & ACCESS CONTROL • Distinct (per-user, dynamic) WEP keys provide more security than the default static keys and reduce the risk of key compromise. • SSID • MAC (Media Access Control) address filtering
FIREWALL • The firewall provides security based on addresses, protocols and ports: it decides which VLAN may reach which server and which service.
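The address plan on the SWITCHES slide, the server access rules on the DATABASE AND INTRANET WEB SERVER slide and the port-based firewall above together define one policy. This added example (written for this page, not a PIX configuration from the project) expresses that policy as a first-match rule table with a default deny and evaluates sample flows against it. The /16 prefix lengths, the server segment 172.16.1.0/24, the server addresses and the database port are assumptions.

```python
import ipaddress

# The three client segments from the design (the /16 prefix length is an assumption).
VLANS = {
    1: ipaddress.ip_network("10.0.0.0/16"),      # students: Internet only
    2: ipaddress.ip_network("10.50.0.0/16"),     # university staff
    3: ipaddress.ip_network("192.168.0.0/16"),   # data processing center workers
}
# Constructed server segment and addresses; not given on the page.
SERVER_NET = ipaddress.ip_network("172.16.1.0/24")
INTRANET_WEB = ipaddress.ip_network("172.16.1.10/32")
DATABASE = ipaddress.ip_network("172.16.1.20/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = [SERVER_NET, *VLANS.values()]

# First-match rule table, as on a PIX access-list: (action, source VLANs, destinations, ports).
RULES = [
    ("permit", {3}, [DATABASE], {1433}),                # only DPC reaches the database (port assumed)
    ("permit", {2, 3}, [INTRANET_WEB], {80, 443}),      # staff and DPC reach the intranet web server
    ("deny", {1, 2, 3}, INTERNAL, None),                # nothing else between VLANs or to servers
    ("permit", {1, 2, 3}, [ANY], None),                 # everyone may reach the Internet
]

def vlan_of(src):
    ip = ipaddress.ip_address(src)
    return next((vid for vid, net in VLANS.items() if ip in net), None)

def allowed(src, dst, port):
    """Evaluate one TCP flow; unmatched traffic and unknown sources are denied."""
    vid, dst_ip = vlan_of(src), ipaddress.ip_address(dst)
    if vid is None:
        return False
    for action, vlans, nets, ports in RULES:
        if vid in vlans and any(dst_ip in n for n in nets) and (ports is None or port in ports):
            return action == "permit"
    return False

if __name__ == "__main__":
    for flow in [("192.168.4.7", "172.16.1.20", 1433), ("10.50.3.1", "172.16.1.20", 1433),
                 ("10.0.9.9", "172.16.1.10", 80), ("10.0.9.9", "93.184.216.34", 443)]:
        print(flow, allowed(*flow))
```

The order matters: the explicit deny for internal destinations must sit before the permit-any rule, otherwise the Internet rule would also open every server and every other VLAN to students.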
PHYSICAL AND LOGICAL SECURITY • Access points must be placed in secure locations, such as high on a wall, in a wiring closet or in a locked enclosure, to prevent unauthorized physical access and tampering. • Intrusion Detection Systems (IDS) must be deployed at designated areas of the campus to detect unauthorized access to, or attacks on, the access points.
CONCLUSION • With this design, students, University Staff and Data Processing Center workers can connect securely wherever they want, without extra devices and without manual configuration.