wireless networks at umass-amherst
TRANSCRIPT
Wireless Networks at Umass- Amherst
Scott ContiChristopher Misra
Copyright 2002
UMASS-Amherst Network Vital Statistics
Class B network (umass.edu - 128.119)142 buildingsAll 42 Residential buildings networked8800 Residence hall connections (port-per-pillow)5500 Academic building connections900- Cisco 24 port Switches (1900 and 2900 series)5 Cisco 6509 core switches, 2 Cisco 5500 switches600 Off-campus dial-in modem lines(2) DS-3 (45mb/s) commodity Internet connectionsDS-3 - Internet2 connection
Copyright 2002
UMASS at night
Copyright 2002
Wireless = Mobility
Copyright 2002
Equipment used
802.11b – 2.4ghz – 11mbpsCisco Aironet 350 seriesCisco switchesAironet antennas
Copyright 2002
Typical Enclosure installation
Copyright 2002
Library Installation
Copyright 2002
Inside of Enclosure
Copyright 2002
Ceiling Mount Antenna
Copyright 2002
Cable Losses
Cable Loss
0
2
4
6
8
10
12
14
16
18
0 feet 100 feetLength
dB
Cushcraft RG58 Ultralink Belden 9913 Andrews LDF4-50 Heliax
Copyright 2002
dB Factors
Increase Factor Decrease Factor0dB 1x 0db 1x1dB 1.25x -1dB .8x3dB 2x -3dB .5x6dB 4x -6dB .25x10dB 10x -10dB .1x12dB 16x -12dB .06x20dB 100x -20dB .01x30dB 1000x -30dB .001x
Copyright 2002
Connectors
Warning ! FCC Part 15 and rule 94 requires the use of RTNC Connectors !These are different from ordinary TNC
connectors.RTNC connectors are “transsexual” – They use the male body and the female dielectric and pins.
Copyright 2002
Omnidirectional Antennas
Good choices where antenna is placed in the “middle” of the area to be covered.Tend to have low gain since signal is divided over 360 degrees.
Copyright 2002
Omnidirectional Antennas
Copyright 2002
Directional Gain Antennas
Copyright 2002
Diversity Antennas
Diversity antennas have 2 antennas in a single enclosure.Diversity antennas are good choices where there will be signal reflections.
The Cisco Aironet 350 “votes” for the stronger signal by antenna at the start of receiving each packet, then transmits out the same antenna.
Copyright 2002
Diversity Antennas
Copyright 2002
Site Surveys
Start with BlueprintsNever believe the prints !Walls move…Construction materials not shown
Walk-aroundSelect antenna/enclosure locationsPay attention to wall materials !
Copyright 2002
Never Believe Prints…
Copyright 2002
Library Structure
Copyright 2002
RF-Hell…
Copyright 2002
UMASS-Amherst Network Map
Mather
Admissions
Library - C6509
= HSSI
= 10 Mb
= 100 Mb
= 1 Gb
= DS3
University ofMassachusetts
Amherst CampusNetwork Layout
Updated as of: 1/3/2002
location:nss-stu/Network Map/campus-network.vsd
Nelson
Remote Access
C2924M
LGRC - C6509
= HDSL
Dial Up-rtHIGH SPEED
Remote Access
NSS 175
OIT ISDN
Cold Storage
Project Trailer
Tilson Farm
ACSO
OIT 166= OIT Controlled Network
= Non-OIT Legacy Network
Child Care
Whitmore - C6509
Academic BuildingResidential Building
Border 1C7507
Border 2C7507
Paige Lab
Agric Eng.
Bowditch
Chenoweth
Draper
Flint Lab
Hatch Lab
Holdsworth
Parking Services
PVTA
Stockbridge
Physical Plant
Marcus/Engineering
Montague
Arnold
Furcolo
Hasbrouck
LGRC
Totman
East Exp. Station
West Exp. Station
Brown
Cashin
Crabtree
Hamlin
Johnson
Lewis
Thatcher
Blaisdell
Dickinson
Dubois Library
Goodell
Machmer
Memorial Hall
Mullins Center
Photo Lab
Power Plant
South College
Student Union
Thompson
Campus Center
OIT Telcom
LGRT
Hasbrouck
IPPM
vBNS
UPN
Apiary
Hampden - C5500
Morrill NSM
Baker
Brett
Brooks
Clark
Shade Tree
Fernald
French Dickinson
Field
Gorman
Grayson
Grayson PC
Health Services
Hills
Hillside
Morrill IV
New Africa
Skinner
SOM
Webster
Wheeler
Van Meter
Butterfield
Greenough
WilderC5500
Hampden DC
Berkshire DC
Hampshire DC
Crampton PC
Patterson PC
Cance
Coolidge
Crampton
John Adams
JQA
Kennedy
Patterson
Pierpont
Prince
Thoreau
Washington
Emerson
MacKimmie
Farley
ROTC
Robsham
Continuing Ed.
Curry Hicks
Middlesex
Bartlett
Berkshire
Boyden
Hampshire House
Herter
Munson
Tobin
Whitmore
FAC
Animal Care
SARIS
Registrar
Finance &Administration
OIT/South
Morrill - C6509Knowles - C6509
Amherst
Hampshire
C&W Internet
= T1
= Non-OIT Network
UIS
C&W Internet
Mt. Holyoke
Smith
Computer Science
2
Copyright 2002
Initial Design Goals
Virtual ClassroomWe closed some labs due to budget constraintsWireless network is meant to reproduce similar function
Focused at public areas where students gather
Not initially a ‘campus-wide’ rolloutScalable
Although initial rollout is targeted, design must fit campus-wide
Copyright 2002
Initial Design Requirements
Identification & AuthenticationWe register all MAC addresses in Residence HallsAccountability
EncryptionToo many plaintext protocols still in use
Card heterogeneityWe don’t enforce a single vendor for wired network cards…This limited our set of solutions
Copyright 2002
Initial Constraints
Short time to implementFirst pilot discussed in late November 2001First pilot went live late January 2002Phase 1 production rollout March 2002
Didn’t want a campus wide VLANVLANs are local to our 6 major nodesitesWe don’t switch VLANs across our backboneThis meant a parallel rfc1918 network
Management driven
Copyright 2002
Initial Assumptions
No pre-existing campus wireless implementation
Some local deploymentsNetstumbler is your friend
MAC address filtering doesn’t scaleBased half on factDidn’t feel ‘right’
WEP alone is likely insufficient
Copyright 2002
In case we haven’t all seen this already…WEP uses RC4 encryption
Fluhrer, Mantin, and Shamir described a passive, ciphertext-only attack against RC4
Specifically targeting the key scheduling algorithm of RC4
http://www.cryptonomicon.net/papers/rc4_ksaproc.pdf
WEP Weaknesses
Copyright 2002
Stubblefield, Ioannidis, and Rubin implemented the attack against the RC4 weakness (6 Aug 2001)
Using only off-the-shelf hardware, and some custom softwareLarge amounts of data are needed for the attack
“We conclude that 802.11 WEP is totally insecure, and we provide some recommendations. “
http://www.cs.rice.edu/~astubble/wep/
WEP Weaknesses
Copyright 2002
Nikita Borisov, Ian Goldberg, and David Wagner did an an analysis 30 Jan 2001
“Wired Equivalent Privacy (WEP) isn't”http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
We felt justified in saying WEP is insufficient for our implementation
We are network security guys. We try do design secure systems…
WEP Weaknesses
Copyright 2002
Authentication and Access Control
We considered four optionsWireless with WEP
Insufficient…Wireless with dynamic WEP
Dynamic WEP is better, but…Basically a race conditionMost implementations require card homogeneity
Copyright 2002
Authentication and Access Control
We considered four optionsWireless with WEP and VPN
WEP didn’t improve the situation in this modelAdded management overhead
Wireless with VPN, no WEPWhat we ended up going withMaybe not the best solution, but the best for us given our environment
Copyright 2002
Wireless Network Topology
Private DHCP/DNS for wireless networkSame hostname for VPN from wireless and wired
To minimize client configuration changesReally just DNS spoofing
Runs over campus network backboneUsing rfc1918 address spaceParallel mapping to routable IP space
If bldg is 128.119.10.0/24, wireless is 172.17.10.0/24
Copyright 2002
Wireless Network Topology
172.17.10.A
802.1q trunk
128.119.10.Y
172.17.10.Z
Commodity Internet
Internet2
172.17.3.X/30
Cisco VPN3000
128.119.192.0/24DHCP routable IP
space for VPN
128.119.3.X/30
AP
128.119.192.B
Copyright 2002
Basic Diagram for our Users
UMASSInternet
Laptop Switch Router
VPN
11 Mb/s
802.11bEthernet Card
802.11bWireless
Access Point
Encrypted Traffic (IPsec)
Unen
cryp
ted
Traf
fic
Copyright 2002
Enforcing the use of VPN
Rules without consequences are merely suggestionsEnforced with Cisco ACLsaccess-list 120 permit esp 172.17.78.192 0.0.0.63 host
172.17.3.190access-list 120 permit udp 172.17.78.192 0.0.0.63 host
172.17.3.190 eq isakmpaccess-list 120 permit udp 172.17.78.192 0.0.0.63 host
172.17.175.14 eq domainaccess-list 120 permit udp 172.17.78.192 0.0.0.63 host
172.17.166.14 eq domainaccess-list 120 permit tcp 172.17.78.192 0.0.0.63 host
172.17.175.14 eq domainaccess-list 120 deny ip any any log
Copyright 2002
Benefits and Drawbacks
BenefitsVPN provides encryption and authenticationUse of VPN is required for any access outside of wireless networkNot necessary to track/filter MAC addressLimited to authorized users
DrawbacksClient software install requiredNo free Mac client for Cisco VPN 3000Increased overheadNo easy access for visitors
Copyright 2002
Where are we going next?
Looking at some gateway softwareVPN without the client?802.1x
Scalability of VPNVPN concentrators at major nodesites?
Roaming AccessEasier access for authorized visitors802.11a or 802.11g?
Copyright 2002
Summary
Maybe not the best solutionBut the right one for us at this timeOnly time will tell…
Questions?