Implementation of a Secure Wireless Network
 

Document Transcript

Running head: IMPLEMENTATION OF A SECURE WIRELESS NETWORK 1

Implementation of a Secure Wireless Network

Sharon Martin

A Capstone Presented to the Information Technology College Faculty of Western Governors University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Security and Assurance

5 May 2013
Abstract

Wi-Fi is gaining popularity as users invest in not only one, but many Wi-Fi capable devices. Businesses are catching on and beginning to leverage wireless network capabilities to increase productivity and profitability. As Wi-Fi saturation increases, the opportunity for network penetration also increases. How can small businesses that don't have the money to spend on costly security measures still profit from the benefits of Wi-Fi without the security drawbacks? The goal of this project is to provide an easy-to-use and inexpensive plan for small businesses wishing to set up a Wi-Fi network. The entire process of network planning will be covered from start to finish, including an audit, project requirements, a project plan, process development, resource requirements, quality assurance testing, an implementation plan, and a risk assessment. The project will also validate the chosen approach by comparing it to other possibilities, providing risk mitigations, and detailing a cost/benefit analysis. Finally, deliverables will be presented along with post-implementation support resources and a maintenance plan to help small businesses keep their new secure Wi-Fi network up and running. In order to meet the requirements of a tight budget, a non-traditional Wi-Fi setup was designed that uses open source software on a router and a Windows-based RADIUS server. The Wi-Fi network will use WPA2 Enterprise authentication to provide more secure access and user accounting of all login events. A penetration test will be performed after final network configuration to demonstrate that it is possible to have high security without high cost. Expected results are that the configured Wi-Fi network will correctly authenticate clients and that the penetration test will not succeed after the proper security measures are put in place. Success will be declared when the final output meets all solution testing and quality assurance criteria.
Table of Contents

Abstract
Introduction
  Project scope
  Defense of the Solution
  Methodology Justification
  Organization of the Capstone Report
Systems and Process Audit
  Audit Details
  Problem Statement
  Problem Causes
  Business Impacts
  Cost Analysis
  Risk Analysis
Detailed and Functional Requirements
  Functional (end-user) Requirements
  Detailed Requirements
  Existing Gaps
Project Design
  Scope
  Assumptions
  Project Phases
  Timelines
  Dependencies
  Resource Requirements
  Risk Factors
  Important Milestones
  Deliverables
Methodology
  Approach Explanation
  Approach Defense
Project Development
  Hardware
  Software
  Tech Stack
  Architecture Details
  Resources Used
  Final Output
Quality Assurance
  Quality Assurance Approach
  Solution Testing
Implementation Plan
  Strategy for the Implementation
  Phases of the Rollout
  Details of the Go-Live
  Dependencies
  Deliverables
  Training Plan for Users
Risk Assessment
  Quantitative and Qualitative Risks
  Cost/Benefit Analysis
  Risk Mitigation
Post Implementation Support and Issues
  Post Implementation Support
  Post Implementation Support Resources
  Maintenance Plan
Conclusion, Outcomes, and Reflection
  Project Summary
  Deliverables
  Outcomes
  Reflection
References
Appendix A – Router Configuration Guide
  Firmware Upgrade
  WAP Configuration
  Security Configuration
Appendix B – RADIUS Server Configuration Guide
  RADIUS Server Installation
  Generation of Authentication Certificates
  RADIUS Server Configuration
  WAP Configuration
  Windows Machine Firewall Settings
Appendix C – Wi-Fi Acceptable Use Policy
Appendix D – Penetration Test
Appendix E – RADIUS and WAP Troubleshooting Tips
  No Users Can Log In
  Some Users Can Log In, But Others Cannot
  My Users Can't Access The Internet
Introduction

Network security has become an important topic in the past decade due to many high-profile hacking incidents and an even greater number of unreported instances of information theft and destruction. The consequences of an incident can be widespread, but are not always obvious, and can include embarrassment to an organization, breach of confidentiality, breach of personal privacy, legal liability, disruption of activities, financial loss, and even threat to personal safety (Furnell, Katsikas, & Lopez, 2008, pp. 11-12). The diversification of network devices and ways to access the internet is making security even more difficult to attain. The issue is further exacerbated by the surge in bring-your-own-device (BYOD) policies in the workplace, due to the accompanying demand for Wi-Fi network access in addition to traditional wired Ethernet. With the changing nature of technology comes pressure on businesses to keep up with the times and increase productivity by making access easier for all employees. Unfortunately, this causes an imbalance in the confidentiality, integrity, and availability (CIA) triad. More availability often causes a decrease in confidentiality, integrity, or both.

Project scope

This capstone will tackle the implementation of a secure wireless network in a small business from start to finish. First, an audit of business needs, current technology, and Wi-Fi networks in the area will be conducted. Second, functional end-user requirements will be examined to determine the ideal project design and resource requirements. Third, all methodology will be applied to project development, quality assurance, and implementation. The final expected product will be a fully configured WPA2 Enterprise Wi-Fi network, a RADIUS server, and the accompanying guides so that any business can replicate the process.
Post implementation support resources and a maintenance plan will be included in the project as well, so that businesses can maintain their Wi-Fi network and troubleshoot any problems they encounter. The particular small business featured in this project operates in a downtown two-story office, has ten employees, and uses a variety of operating systems and computers to achieve required business functions. There is a dedicated IT manager and a few other employees with basic IT knowledge, but the overall skill level of the IT department is fairly low and they can only provide tier 1 tech support in house. Because of the small business size, only one WAP will be configured for the Wi-Fi network. Larger businesses with more floor space will need to add WAPs to get good coverage, but can otherwise use the instructions as-is.

Defense of the Solution

Often small businesses lack the budget to purchase network devices or invest in other security measures found in larger corporations. This problem is aggravated by a rate of outside hacking attempts equivalent to, or sometimes higher than, the volume seen by large businesses, because would-be criminals know that midsize businesses are easier targets due to less funding being available for IT security. Smaller organizations don't put information security on their list of top priorities until it is too late. A poll conducted by the National Cyber Security Alliance showed that more than 30% of small and midsize businesses think they would take a bolt of lightning in the chest before they experience a network attack (Hietala, 2004, p. 4). When an incident does take place, midsize businesses then have to scramble to clean up the mess and usually, in a panic, implement the fastest (and often the costliest) security measures they can afford.

The purpose of this project is to empower smaller organizations with cost-effective security measures they can implement that will lower their chance of being attacked. There is no need to sacrifice a large percentage of budget money needed elsewhere when consumer-grade equipment can be modified with an open source operating system to provide the same functionality and quality as corporate-grade devices. Normally, a small business would have to hire outside help to plan and implement a project of this scale due to the level of expertise required to implement a secure WLAN. A typical small to mid-size organization may have an in-house IT department, but due to organizational needs the members of the IT staff are not usually experts in any one area and instead have a broad knowledge of all IT topics. This project will act as a free guide so that any IT department can implement the recommendations with a minimal amount of customization work.

Methodology Justification

The chosen approach for this project is to set up a Wi-Fi network that uses WPA2 Enterprise encryption and RADIUS authentication to provide an extra layer of security over standard WPA2. RADIUS authentication enables the accounting feature, which tracks all login events. In addition, with RADIUS each user has a separate account, so IT administrators can more easily trace network abnormalities to a specific user. WPA2 Enterprise authentication is usually out of reach for the average small business due to implementation costs: a RADIUS server must be purchased, and the WAPs used must support WPA2 Enterprise and the RADIUS accounting feature. Using open source router firmware gives a consumer-grade router the features of an enterprise-grade router at a fraction of the cost. Using a Windows-based RADIUS program allows a normal Windows machine to serve as the RADIUS server, so that an expensive server is unneeded.

Organization of the Capstone Report

The remainder of the project will proceed as follows:

1. A systems and process audit will occur to discover all aspects of the problem being addressed.
2. Project requirements will be defined, to include functional and detailed requirements as well as existing gaps.
3. A project plan will be developed with project phases, timelines, dependencies, and milestones.
4. The selected approach will be explained, including shortcomings and other options.
5. The scalability and expected long-term consequences of the chosen approach will be discussed.
6. Details of the project development process will be listed, including hardware, software, tech stack, and architecture details.
7. All resources used will be covered, to include manpower, consumables, and funds.
8. The final output and deliverables will be addressed.
9. A quality assurance approach with test cases and acceptance criteria will be presented.
10. The implementation plan will be developed with strategy, rollout phases, go-live details, dependencies, and deliverables.
11. A risk assessment will be performed that will discuss the quantitative and qualitative risks associated with project implementation.
12. A cost/benefit analysis that will show benefit shortfall risks and cost overrun risks will be completed.
13. Risk mitigation strategies and alternative plans will be discussed.
14. Post implementation support will be covered.
15. A discussion of post implementation support resources will occur.
16. A maintenance plan will be developed to include short-term and long-term maintenance.
17. The entire project will be summarized from different points of view.
18. Deliverables resulting from the project will be discussed.
19. Human and technical outcomes will be addressed.
20. Final reflections on the entire process will be included.

Systems and Process Audit

Several different audits were performed before project design commenced. A technology audit was completed to discover what devices were already on the network and what wireless spectrum would be best for complete coverage. A business process audit was also performed in order to determine whether there were inefficiencies present that could be remedied by installing a wireless network.

Audit Details

The technology audit began with an inventory of all network-enabled devices. Their current IP addresses, MAC addresses, and wireless capability (or lack of it) were recorded in a spreadsheet for tracking. An Nmap scan was then run on the network to look for any unreported devices (or intruders). No rogue devices or WAPs were found in the scan. The network devices found were three desktop computers, one server, three laptop computers, one media-enabled TV, two network printers, and one network share drive. Of those devices, the three laptops, the TV, the network printers, and the network share drive all currently have wireless NICs.

The next audit performed was a wireless site survey to determine what broadcast range should be used for the WAP. Due to the central location of the business, there are many wireless networks already in range. The N band was not as saturated, but not all devices found in the inventory had N capability, so the G band would be best cost-wise. In the G band, channels 6 and 11 were highly saturated, but channel 1 was almost empty. To avoid overlapping channels and interference (from packet collisions), channel 1 would be the best option for the WAP.

For the business and process audit, all employees were surveyed and asked how they would use Wi-Fi if it were available to them. This method was chosen due to the small number of employees (only ten). For a larger business, it might be more effective to have each department poll its employees, gather the results, and then forward them on to the IT department. The results of the audit will be covered in more detail under the Business Impacts heading, but the general consensus was that all employees felt Wi-Fi availability could increase their productivity.

Problem Statement

The main issue facing this small business is the need to connect portable devices to the network. The laptops in use by employees are just the tip of the iceberg. Most employees also bring their personally owned tablets with them to work and use them when they are on customer calls. Because Wi-Fi is not available at the primary business location, they tether their tablets to their phones when they need internet access at work. This has increased data charges on the corporate cell phone plan paid for by the company, but the charges were authorized because the company president felt they were warranted. The only reason Wi-Fi has not been installed yet is that the employees in the IT department expressed their fears over the inherent insecurity of Wi-Fi access. Although it makes sense from a cost standpoint, network security still needs to be taken into account when considering the implementation of a Wireless Local Area Network (WLAN). Extra configuration of Wi-Fi network devices is necessary to ensure security. Legal implications of the Wi-Fi access need to be factored in as well. What if an employee (or an unauthorized user) misuses network resources or commits a crime while using the Wi-Fi connection?

Problem Causes

Wi-Fi networks can be insecure for a number of reasons. The primary reason is misconfiguration of the wireless router. Often Wi-Fi routers are installed but not configured beyond changing the default password. This is especially common in smaller businesses that use consumer-grade routers (and inexperienced IT personnel) due to the lower cost. Older generations of wireless routers default to WEP as the security protocol. Unfortunately, WEP is easy to crack and there are free cracking programs available for download by anyone who wants them.

Another error that contributes to the insecurity of WLANs is network coverage. Users don't want their signal to be constantly dropping, so often extra Wi-Fi access points are purchased and the signal strength is turned up to the maximum. The drawback of a strong broadcast signal is the likelihood that someone sitting across the street from the business will be able to pick up that signal. That means a potential attacker would not even have to enter the premises to conduct an attack; he or she could sit in the comfort of a coffee shop or car.

Finally, there is human error. Users do not take extra precautions while using a Wi-Fi network, especially not one that is password protected. A password means it is secure, right? Wrong. Depending on the configuration of the network, users without the Wi-Fi key can break in. Legitimate users of the network (or those with the key) can listen in on all network traffic and even send spoofed packets to impersonate other users. One hacker with the right equipment and software could intercept and save all user login credentials and then empty bank accounts, alter customer records, upload viruses, steal confidential company information, and so on.

Business Impacts

The choice not to install a WLAN would probably keep a network more secure as a whole, but an expanding business would incur additional costs to install more wired network infrastructure and/or upgrade the current outdated infrastructure. It would also be more expensive in the long run to continue paying for higher data plans on business phones because there is no Wi-Fi connection available.

Using personal Wi-Fi enabled devices in the workplace can increase employee productivity. According to Entner (2008), "for almost 40%, or roughly 77 million American wireless consumers, their employer believed that the use of a wireless device had such a significant impact on productivity that the employer paid at least part of their employees' wireless bill" (p. 6). So there are a substantial number of businesses that already see enough of a difference in efficiency to pay for data charges on their employees' cell phone bills. Employers who do not choose to make Wi-Fi access available could be losing out on a potential productivity increase.

There is the potential that workplace culture could change once Wi-Fi is available. It would be easy for employees to bring their laptops to meetings, or even to another coworker's desk while working on a project. These mobility options can increase collaboration opportunities, but can also provide a distraction in certain environments. Some managers might not like the idea of everyone having mobile devices during meetings. As the workplace changes, policies for when (and when not) it is acceptable to use mobile devices may have to be developed by members of company leadership.
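The two technology audits described under Audit Details (the Nmap scan checked against the device inventory, and the site survey used to pick a G-band channel) can be scripted. The following is an added example, not the paper's own tooling; the inventory rows, the Nmap output excerpt and the list of neighbouring networks are all constructed, and the channel-overlap rule assumes 20 MHz 802.11g channels.

```python
"""Audit helpers for the systems audit above (added example, not the paper's
own tooling).  Two checks are demonstrated:

1. Compare an Nmap host listing against the device inventory spreadsheet to
   surface unreported devices (candidate rogue hosts or WAPs).
2. Score 2.4 GHz channels from a site-survey listing of neighbouring networks
   and pick the least congested of the non-overlapping channels 1, 6 and 11.

All input data below is constructed for the example.
"""
import csv
import io
import re

# --- 1. inventory versus scan -----------------------------------------------

# Constructed inventory in the spreadsheet layout the audit describes.
INVENTORY_CSV = """device,ip,mac,wireless
desktop-1,192.168.1.10,00:11:22:33:44:01,no
server-1,192.168.1.2,00:11:22:33:44:02,no
laptop-1,192.168.1.21,00:11:22:33:44:11,yes
printer-1,192.168.1.30,00:11:22:33:44:21,yes
"""

# Constructed excerpt in the shape of `nmap -sn` output; the MAC line is
# printed when the scan runs with raw-socket privileges on the same LAN.
NMAP_OUTPUT = """Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:02 (Unknown)
Nmap scan report for 192.168.1.10
Host is up (0.0020s latency).
MAC Address: 00:11:22:33:44:01 (Unknown)
Nmap scan report for 192.168.1.77
Host is up (0.0050s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
"""


def load_inventory(csv_text):
    """Return {mac: device name}, with MACs normalised to lower case."""
    return {row["mac"].strip().lower(): row["device"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def parse_nmap(text):
    """Return a list of (ip, mac) pairs; mac is None if Nmap printed none."""
    hosts = []
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            hosts.append([m.group(1), None])
            continue
        m = re.match(r"MAC Address: ([0-9A-Fa-f:]{17})", line)
        if m and hosts:
            hosts[-1][1] = m.group(1).lower()
    return [tuple(h) for h in hosts]


def find_unreported(inventory, hosts):
    """Hosts seen on the wire whose MAC is absent from the inventory.
    A host with no MAC line is reported too, since it cannot be matched."""
    return [(ip, mac) for ip, mac in hosts if mac not in inventory]


# --- 2. site survey channel choice ------------------------------------------

# 2.4 GHz channel centres are 5 MHz apart and an 802.11g channel is roughly
# 20 MHz wide, so any channel within 4 of another overlaps it.  Channels 1,
# 6 and 11 are the usual non-overlapping set.
NON_OVERLAPPING = (1, 6, 11)

# Constructed survey of neighbouring networks: (SSID, channel, signal dBm).
SURVEY = [
    ("cafe-guest", 6, -55), ("dentist", 6, -62), ("apt-4b", 11, -58),
    ("apt-2a", 11, -70), ("print-shop", 11, -66), ("cable-wifi", 7, -72),
    ("linksys", 3, -80),
]


def channel_load(survey, channel, floor_dbm=-85):
    """Count networks at or above floor_dbm whose channel overlaps `channel`."""
    return sum(1 for _, ch, dbm in survey
               if abs(ch - channel) <= 4 and dbm >= floor_dbm)


def pick_channel(survey, candidates=NON_OVERLAPPING):
    """Candidate with the fewest overlapping networks; lowest number wins ties."""
    return min(candidates, key=lambda ch: (channel_load(survey, ch), ch))


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for ip, mac in find_unreported(inv, parse_nmap(NMAP_OUTPUT)):
        print(f"unreported device: {ip} {mac}")
    for ch in NON_OVERLAPPING:
        print(f"channel {ch}: {channel_load(SURVEY, ch)} overlapping network(s)")
    print("recommended channel:", pick_channel(SURVEY))
```

On the constructed data the scan turns up one host (192.168.1.77) that is not in the inventory, and channel 1 wins with a single weak overlapping network against four each on 6 and 11, matching the survey result in the text.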
    • IMPLEMENTATION OF A SECURE WIRELESS NETWORK 14 Cost Analysis While value is important to all businesses, there is another key factor that has to be taken into consideration for the small business environment: Ease of setup and deployment. Since small businesses do not always have an in-house IT department, potential Wi-Fi solutions should be as easy to configure as possible. Keeping both the cost and ease of use factors in mind, here is the proposed cost breakdown for a secure Wi-Fi solution: Cost-Effective Solution 5 Wireless N Routers $175-$425 DD-WRT free TekCert free TekRadius free Old Windows Machine (XP- Windows 7) $200-$300 Total Cost $375-$725 The high variance in wireless router cost is because there are several routers being considered at this point in time. If the lowest cost one ($35) passes all tests, it will be chosen for use in the final configuration. Also, five access points will more than satisfy the needs of most small businesses. Depending on the floor plan and building material, a small business may not need more than two access points. The windows machine will be configured to run a radius server so that the WLAN can use 802.1x enterprise grade authentication. Risk Analysis The largest risk to implementing Wi-Fi is the chance of unauthorized users penetrating the network resulting in data loss or modification. Several steps are being taken to mitigate this risk including the use of WPA2 enterprise encryption, separate logons for each user, and
    • IMPLEMENTATION OF A SECURE WIRELESS NETWORK 15 deactivation of the Wi-Fi during non-business hours. Proper configuration of the WLAN paired with good security policies should reduce the risk down to an acceptable level. Another risk is that the Wi-Fi network is used by legitimate users to commit crimes. While this potential exists on the LAN as well, the average criminal is more apt to think their personally owned device (POD) is not being monitored while they know their work computer is. This risk cannot be completely mitigated, but it can be reduced by the implementation of a mandatory acceptable use policy that all users must review and sign before being granted Wi-Fi access. Detailed and Functional Requirements The end-user and detailed requirements of a Wi-Fi network were examined in addition to the existing gaps that a Wi-Fi network could fill. The main source of information on end-user requirements was the current company management. Detailed requirements were discovered by examining what other businesses in the same field asked for in their wireless networks. Finally, the question of what difference a Wi-Fi network would make was answered. Functional (end-user) Requirements The number one functional requirement for end-users was that the secure wireless network is easy to implement and maintain. None of the employees are very savvy in technology, though one (who acts as the IT manager) knows the basics of Windows server configuration. The IT manager does not know anything about Linux, so using any kind of Linux based solution for a user authentication (RADIUS) server is out of the question. Any solution needs to be simple to troubleshoot and repair as well. All network troubleshooting is normally done in-house to save on costly consulting fees. A guide detailing
installation and troubleshooting steps would be an ideal final product for the IT department as a whole to follow. Management also requested that the Wi-Fi network be easy to expand and upgrade to wireless N in the future, once all devices used are confirmed compatible with that standard. Currently, the laptops only have wireless G cards, and management does not want to upgrade the cards since they were planning to buy new laptops in a year anyway. To meet the need for future wireless N, an access point that supports both G and N would be the best option. The wireless AC standard is now available, but the equipment is too costly at this time to justify purchase.

Detailed Requirements

To help maintain security by avoiding over-coverage, the wireless equipment used needs to have firmware that allows the transmit power to be adjusted. The WAP signal should not be easily detectable from across the street, and if at all possible should even be weak in the neighboring shops on either side of the business. The WAP firmware should also support a scheduling function so the radio can be switched off automatically during non-business hours. The authentication method used for Wi-Fi will have to be compatible with all kinds of devices, including mobile phones and tablets of all operating systems. An authentication method that fits that requirement is PEAP-MS-CHAPv2 over 802.1X (WPA2 Enterprise). A RADIUS server is required to implement 802.1X, so a computer will need to be bought or reassigned to be the RADIUS server. To make RADIUS work properly, the wireless router selected will also need firmware support for RADIUS accounting, so that the WAP sends session start and stop records to the server in addition to authentication requests.

Existing Gaps

After the installation of Wi-Fi, employees will be able to connect their tablets to network resources. That should facilitate the transfer of customer files and notes over to the network
drive for tracking. Management has been considering an Android-based customer ticketing system, but the project was put off because connectivity to the database server on the network was needed to upload final tickets. Once Wi-Fi is up and running, the ticketing system idea can be revisited. Employees (and management) will also be able to connect their phones to the Wi-Fi network instead of using the corporate data plan. The business will be able to downgrade the plan and save over $200 a month due to the expected drop in data usage. This savings alone justifies the small investment that will be spent on Wi-Fi equipment.

Project Design

A definition of project scope is needed in order to focus resources on the particular problem and avoid getting sidetracked. All assumptions must be included in the overall project design so that existing gaps can be identified. Clear project phases including timelines and dependencies are the key to successful implementation. While planning a project, resource requirements, risk factors, milestones, and final deliverables should be considered.

Scope

This project will cover the selection, configuration, and implementation of wireless networking equipment. As a site and equipment survey has already been completed, no survey will take place during the project design phase. The configuration of the wired network will not be altered except for adding static IP addresses for the RADIUS server and WAP in the configuration of the current LAN router. The wireless network will reside on the same subnet as the wired network. A business could choose to segregate the two networks to provide an additional security layer, but that will not be included in the documentation as it is an advanced skill that may not be present in the average small business IT staff.
An acceptable use policy for employees to review and sign will be developed, but it will be up to the organization to implement it. Any organization wishing to utilize the acceptable use policy will need to run it by their legal team first to make sure it meets all legal (and organizational) requirements. Basic instructions for connecting to the new Wi-Fi network will also be included, but some mobile devices might have a slightly different setup process which the guide will not cover. A guide for configuring the RADIUS authentication server will be developed, but it will be the IT manager's responsibility to create logins for all employees with strong passwords.

A penetration test will also be performed on the wireless network after all equipment is installed and properly configured. The penetration test will be limited in length: the main focus will be to spend an hour looking for weaknesses that can be easily exploited. A reasonable hacker looks for low hanging fruit, so it is unlikely that person would spend longer than an hour trying to penetrate the wireless network. A hacker with enough intent and motivation will always succeed in getting into a network (eventually). The purpose of all security measures is not to completely prevent penetration, but rather to discourage all but the most persistent hackers. Other information assurance methods should be implemented across the network to fully protect all company data, including awareness training for employees (humans are the weakest link).

Assumptions

The main assumption of this scenario is that the small business wishing to install a WLAN already has a wired LAN in place. Businesses looking to configure a network from scratch may need to use other resources in addition to this guide. Potentially, the documentation developed could be used to install a new wireless network without configuring a wired network;
this would be ideal for a business wishing for complete device mobility. If that was the plan, the WAP would just need to be plugged directly into the router supplied by the ISP, though it would be more secure to also install a firewall device between the router which connects to the WAN and the WLAN.

Another assumption is that the business plans to allow employees to connect their personal Wi-Fi devices to the network. While a Wi-Fi network could be configured to only allow company computers to connect to it, that idea is not realistic in today's workplace. Employees (and managers) will bring their own devices with them to work, and they will end up using those devices for at least some productivity tasks. It is better to allow Wi-Fi connection and place as many safeguards as possible (including mandatory user awareness training) than to leave those users to find a way to do business on those devices on their own.

For this project to work there will need to be at least one Windows machine already present on the physical network, or the business must be willing to purchase one. Preferably, the Windows machine should be dedicated to use as a RADIUS server. Very cheap refurbished Windows machines that would meet the requirements of the RADIUS software can be found for $200-$300. If a business is unable to afford that cost, a current machine on the network could be used as the RADIUS server in addition to normal business tasks, as long as the user is trained on use of the RADIUS software and understands the ramifications of accidentally closing the application or restarting the machine (every Wi-Fi client loses the ability to authenticate until the service is back).

Project Phases

The project will consist of the following phases:
1. Commercially available consumer grade wireless routers that support DD-WRT (an open source router firmware) will be tested and compared.
2. A cost-benefit analysis between consumer grade and enterprise grade wireless routers will be conducted to determine the best option.
3. The wireless router (or WAP) which best meets all detailed and functional requirements will be selected for use.
4. The WAP and RADIUS server will be configured and installed.
5. Preliminary Wi-Fi testing will occur to ensure user connectivity.
6. A Wi-Fi penetration test will be conducted.
7. All results and documentation (including the acceptable use policy) will be compiled and submitted to the business.
8. Post-implementation support will be provided, including regular system maintenance.

Timelines

Step one will begin immediately upon project approval. Steps one, two, and three should be completed within three business days. Steps four and five will take an additional seven business days depending on how long it takes to get equipment. Steps six and seven will last approximately five business days. Total time on the project should not take longer than 15 business days and might be complete sooner if the configuration process goes smoothly.

Dependencies

All steps in the process are fairly linear, with the exception of the acceptable use policy which can be developed during any of the other phases. Router and RADIUS server configuration cannot begin until the equipment is selected and acquired. Testing cannot commence until the equipment is installed. A penetration test cannot be performed until proper configuration of the Wi-Fi network has been verified. The documentation will be developed all
through the phases, but cannot be compiled into its final draft until after all the preceding steps are complete.

Resource Requirements

For the particular business featured in this project, one wireless router (or WAP) will be required. Larger businesses will need more access points depending on floor space and the number of expected Wi-Fi users. If multiple WAPs are used, the IT department will need to decide if they want overlapping seamless coverage (which may not work well on all mobile devices) or if they want to separate the WAPs (isolation could provide better security).

A Windows machine running at least Windows XP will be needed for the RADIUS server. It is recommended that the machine run Windows 7, since Windows XP reaches its end of life in 2014, after which support will not be provided, and Windows Vista is largely considered to be an unreliable and difficult to administer operating system by both consumers and businesses. The IT manager should be able to acquire or reallocate a machine fairly easily as long as funding is approved.

Once the WAP and Windows machine are acquired, some software and firmware will need to be downloaded. Download instructions and locations will be included in the configuration manual. If a consumer grade router is chosen, the correct version of DD-WRT firmware will need to be downloaded. For the RADIUS server to work, TekCERT and TekRADIUS must be acquired. All software is free, but the business might choose to upgrade to the enterprise version of TekCERT and TekRADIUS for additional features and support. The hardware and software will need to be procured as soon as everything is approved for faster install time.

Manpower requirements will be fairly low: one or two individuals can accomplish all tasks as long as they are allowed to devote their full attention to the project. One
person will be needed upon project commencement to make decisions regarding the hardware and software purchasing. The second person would be helpful once the configuration phase begins.

Risk Factors

There are several risks present during the project design and development phases. The most significant risk is the discovery of an oversight in project planning. If all business drivers were not identified in the discovery phase, the final project output may not meet business needs. To prevent problems from cropping up, thorough pre-implementation audits must be completed and the project should be re-evaluated for alignment with business drivers at every milestone.

Another risk is that a lack of resources (either manpower or funding) could prevent project implementation. The Wi-Fi network is being designed to require minimal funding in order to mitigate that possibility, but it is hard to predict whether other technology problems will crop up that pull manpower from the Wi-Fi implementation. If the IT department becomes overwhelmed with other projects, it will be hard for them to stay on track. Having a timeline for project completion can help mitigate the risk, because then all members of the department will know when and where to focus their energy for optimum effectiveness.

Important Milestones

The most significant milestone is project completion. Other milestones will be step three when the equipment is selected, step five once the equipment has been installed and tested, and step six after the penetration test is performed. Those events were chosen as milestones due to their importance in the final product. When any milestone is achieved, progress and any difficulties discovered will be reported to management. Milestone tracking will help keep the project on track and allow for quick
adjustment of objectives if they do not meet business requirements. Additional milestones may be added as the project progresses or if more accountability is requested by management.

Deliverables

The final objective and primary deliverable is the installation of a Wi-Fi network that uses WPA2 Enterprise (802.1X) authentication. Other deliverables include a configuration guide for the router and RADIUS server, an acceptable use policy, penetration test results, and WLAN troubleshooting tips to help the system administrator keep the WLAN functioning. Additional deliverables may be provided in the final product if they are requested by management or a need for them is determined in the process of completing the project.

Methodology

Several different approaches were considered in the research phase of this project. None of the options were completely wrong, but in the end the approach that seemed the most correct for the particular small business in question was selected. Other businesses may find that different approaches to Wi-Fi design meet their business drivers better than the one chosen in this project.

Approach Explanation

The approach taken in this project is to design a secure wireless network that is as inexpensive and easy to configure as possible (without compromising on security). Security, functionality, and ease of use are often pictured in a triad relationship because more of one factor usually means sacrificing one or both of the other factors. From the very beginning the premise of this project was a precarious balancing act. The small business wanted equal amounts of all three elements: something that provides enterprise-grade features at a very low cost (functionality), is easy for their IT department to install and maintain (ease of use), and is resistant to hacking attempts (security).
It was clear from the beginning that traditional secure networking technologies would not be useful since they were way out of budget. The easiest route for Wi-Fi implementation would be to use enterprise grade equipment. Most options have a simple web interface, automatically sync with one another, and are a cinch to manage using a central access point controller. Larger businesses usually opt for this type of equipment, but it is not affordable for small businesses.

When budget is an issue, IT personnel quickly think of Linux-based technologies as a solution to the problem. After all, there are many good free versions of Linux out there (including server distributions) just waiting to be downloaded. This approach was not realistic when contrasted with one of the main business needs: ease of use. The IT department does not have the Linux expertise needed to configure an enterprise-grade solution, so outside contractors would need to be hired to install, configure, and maintain the system. Once again, the idea exceeds a small business budget.

The chosen approach melds free software with technology that the current IT department does know how to use: Windows. Even better, Windows Server edition is not needed because the RADIUS software will run on an ordinary Windows client machine. An enterprise-grade WAP can be created by taking a cheap consumer-grade wireless router and modifying it with DD-WRT to give it the feature set needed. In order to make both parts of the project as easy to implement and maintain as possible, step-by-step guides will be created during installation.

Approach Defense

In this case, an enterprise-grade solution means 802.1X (WPA2 Enterprise) authentication. If a small business just wanted regular WPA2 Personal (pre-shared key) security, it could easily be accomplished by buying just about any consumer grade Wi-Fi router on the market and plugging it into the LAN. WPA2
is definitely more secure than WEP or WPA, which both have published attacks and exploit tools, but WPA2 Personal is missing some important business features. A pre-shared key does not provide a way to track user logins: all users connect with the same passphrase. This means it is much harder to keep track of who is misusing the network, and if a hacker gets the passphrase, every single device on the network must be reconfigured with a new one. WPA2 Enterprise solves both problems: each user has a separate login account, and detailed logs are kept of who logged on and when. If one account is compromised, it can easily be deactivated and only one machine on the network will need to be reconfigured. Even better, the offending hacker can be tracked by going through the logs and finding what MAC address (recorded by the WAP as the Calling-Station-Id) was used to log in. The MAC address can then be added to the block list on the Wi-Fi router to prevent future logins (unless you have a smart hacker who spoofs MACs, so a MAC block is a speed bump rather than a control).

What typically causes WPA2 Enterprise to be expensive and difficult to implement is that it requires a RADIUS server for authentication and accounting as well as a router/WAP that supports the accounting feature. RADIUS servers are typically either Linux machines, which are challenging for average IT personnel to administer, or Windows-based servers that are very costly. The only WAPs that support WPA2 Enterprise authentication out of the box are more expensive (by several hundred dollars apiece) than consumer-grade routers. In addition, there are so many options for the authentication protocols (EAP methods) used with RADIUS that choices can quickly become overwhelming.

Since one of the main goals of the project is security, the two most widely deployed strong authentication protocols, PEAP-MS-CHAPv2 and EAP-TLS, were researched and compared. EAP-TLS is by far the most secure authentication protocol, but it is also very labor intensive to implement.
Each device must have its own client certificate installed on it in addition to the certificate present on the RADIUS server.
In addition, some mobile devices do not support the EAP-TLS authentication protocol, but PEAP-MS-CHAPv2 is supported by virtually every current device. EAP-TLS authentication is a multi-step process: a wireless client associates with an access point, the access point sends an authentication request, the RADIUS server presents its certificate to the client, the client responds with its own certificate, and then the session keys are established and the client can access the Wi-Fi network. PEAP-MS-CHAPv2 authentication is similar to EAP-TLS up until the client response to the server certificate. With PEAP-MS-CHAPv2, the client response is an MS-CHAPv2 username and challenge/response (derived from the password hash), sent inside the TLS tunnel, instead of a certificate. The difference in authentication means PEAP-MS-CHAPv2 is vulnerable to a type of man-in-the-middle (MITM) attack where the attacker sets up a rogue access point (with its own RADIUS server) to collect client authentication attempts from devices that do not validate the server certificate. Once the MS-CHAPv2 challenge/response pairs are collected they can be attacked offline using dictionary or brute-force cracking software. There are ways to mitigate that vulnerability, principally configuring every client to validate the RADIUS server certificate and to accept only the expected server name and issuing CA, which will be discussed later in the project.

PEAP-MS-CHAPv2 was chosen for project configuration because of its universal compatibility and its relative ease of installation compared to EAP-TLS. PEAP-MS-CHAPv2 is more scalable than EAP-TLS because network administrators only have to worry about installing the certificate on the RADIUS authentication server. PEAP-MS-CHAPv2 is also widely supported worldwide, so it is likely that new devices will continue to support it as an authentication protocol.

Project Development

Before and during project development, needs for hardware, software, tech stack, architecture, and resources were all evaluated. Adjustments will be made as needed to ensure the final product is aligned with business needs.
Hardware

For the business covered in this project, one wireless access point is needed, but multiple access points can be purchased for those wishing to adapt this plan to a larger business. In addition, a Windows machine will be used to host the RADIUS server for wireless authentication. Larger businesses that already have a dedicated authentication server may not need to purchase an additional machine. The router chosen for this project is the Alpha AIP-W411, which supports both the 802.11g and 802.11n standards and is compatible with DD-WRT firmware. A refurbished Windows 7 computer will also have to be purchased to act as the RADIUS server. No WLAN cards are needed as all mobile devices already support at least the G standard.

Software

All software needed for the WPA2 Enterprise network can be downloaded for free from the Internet. The correct version of DD-WRT for the Alpha router can be obtained from dd-wrt.com, and the software needed for the RADIUS configuration (TekCERT and TekRADIUS) is located on yasin-kaplan.software.informer.com. Businesses may choose to upgrade the freeware versions of the software to gain additional features, but the upgraded versions are not required.

Tech Stack

The physical layer will consist of the Wi-Fi NICs and the router configured as a WAP. 802.11g will be used as the wireless standard; it defines both the physical and data link layers. ARP, which maps IP addresses to the MAC addresses of devices on the local network, operates at the data link layer on the boundary with the network layer (IP). TCP and UDP, which carry the network packets end to end, are part of the transport layer. RADIUS is an application-layer protocol carried over UDP (port 1812 for authentication and 1813 for accounting by default), and the EAP conversation it transports travels between the client and the WAP in EAPOL frames and between the WAP and the RADIUS server inside RADIUS EAP-Message attributes. The authentication protocol used (as discussed previously) will be PEAP-MS-CHAPv2.
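To make the transport-layer picture concrete, the following is an added example (not code from this paper, nor from TekRADIUS or DD-WRT) of the RADIUS framing the WAP and the server exchange over UDP, written from RFC 2865. It shows what the RADIUS shared secret that is configured on both the WAP and the server actually does: it keys the hiding of a User-Password attribute in an Access-Request and the Response Authenticator on the server's reply, which is the only thing that lets the WAP tell a genuine Access-Accept from a forged one. In the paper's WPA2 Enterprise design the credential travels inside EAP-Message attributes rather than User-Password, but the packet framing and the secret-keyed authenticator are identical. The secret, addresses, username, password and MAC below are constructed sample values.

```python
"""RADIUS (RFC 2865) packet framing between a WAP (the NAS) and a RADIUS server.

Added illustration for the paper's tech stack section; all values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; the length byte covers type+len+value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as performed by the server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_request(user, password, secret, nas_ip, mac, ident=1):
    """What the WAP sends. Returns (packet, request_authenticator); the WAP keeps the latter."""
    ra = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = [
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(password, secret, ra)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (CALLING_STATION_ID, mac),  # the client MAC the paper's logs are traced by
    ]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def serve(pkt, secret, users):
    """What the RADIUS server does: recover the password, check it, sign the answer."""
    code, ident, ra, attrs = parse_packet(pkt)
    a = dict(attrs)
    expected = users.get(a.get(USER_NAME, b""), b"\x00")
    given = reveal_password(a.get(USER_PASSWORD, b""), secret, ra)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(expected, given)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, ra, [], secret), [])


def verify_reply(reply, request_auth, secret):
    """What the WAP must do before trusting a reply: returns the code, or None if forged."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return code if hmac.compare_digest(auth, expected) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    users = {b"alice": b"hunter2!"}
    pkt, ra = access_request(b"alice", b"hunter2!", secret, "192.168.1.2", b"00-11-22-33-44-55")
    print(verify_reply(serve(pkt, secret, users), ra, secret) == ACCESS_ACCEPT)
```

Two practical points follow from the code. First, everything here keys off a single MD5-based shared secret, so the secret entered into DD-WRT and TekRADIUS should be long and random, and the WAP-to-server path should stay on the trusted wired LAN (as it does in this design, where both sit on the same subnet). Second, a WAP that skips the `verify_reply` step would accept an Access-Accept from anyone who can spoof the server's address, which is why a NAS implementation never trusts a reply whose Response Authenticator does not check out.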
Architecture Details

The wireless network configured in this project will consist of one AP used in infrastructure mode. The WAP will be attached to the LAN through a switch that is already in place on the network. Alternatively, a very small business could just plug the WAP directly into the main router. All full sized computers will remain on the wired Ethernet, but any new computers or portable devices will connect to the network through the WAP.

Resources Used

The project is designed so one person can manage all the setup and planning if necessary, though ideally two individuals should be dedicated to the setup process if a speedy implementation is needed. Once installation is complete, one employee will be needed to configure and troubleshoot devices, but they will still have time to accomplish other tech support related tasks.

At least one dedicated individual is needed for the project to provide overall coordination and continuity. Splitting the responsibility for oversight of different phases between different employees is not a good idea without a coordinator who can ensure communication is occurring through every step of project implementation. A dedicated project manager will ensure all milestones are accomplished and the timeline is adhered to.

Funding will be needed for the initial equipment purchase before installation can begin (by phase 4 of the project). In addition, extra man hours may be required for a rush job, so those costs should be considered during phases 1-3. The equipment is a low enough cost that all money can be paid up front instead of in installments.
Final Output

Several products will be the end result of this project including the design of a Wi-Fi network, installation of a RADIUS server, and reconfiguration of Wi-Fi devices on the network so they can use WPA2 Enterprise. As part of the final network configuration, a separate RADIUS login will be created for each device on the network, and the accounting feature will be enabled so the server can track which sessions are active and reject a second concurrent login with the same credentials. The Wi-Fi access point will have several security measures including limited broadcast times and range. In addition, a configuration guide will be developed along with an acceptable use policy. After the new Wi-Fi network is completely operational, a penetration test will be conducted to verify network security, and the results of the penetration test will be another final output.

There will be many intangible benefits to project completion in addition to the tangible benefits. A Wi-Fi network can provide increased productivity (some of which can be tracked), but it can also build employee teamwork. Instead of being isolated to their desks and cubicles, employees will be able to move around freely and communicate with one another. Spontaneous collaboration during work can occur when a discussion between employees turns into a joint brainstorming session recorded on their mobile devices. Creativity can be fostered more easily in a flexible environment than a fixed one. Ideas which never cropped up in the past may be spurred into fruition by a Wi-Fi network ("this process doesn't work right... hey, we could make an app for this").

Quality Assurance

The best laid plans can end in failure if measures are not taken to assure the quality of the final product. Not only should the job be complete, it should have the highest quality output possible upon completion.
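The accounting records the design relies on (under Final Output above, to refuse a second simultaneous login on one credential, and under Approach Defense, to trace a compromised account back to the MAC address that used it) are only useful if someone actually reads them. The following is an added example, not code from the paper and not TekRADIUS's log format, of the two checks an IT manager would run over exported accounting data. The key=value line layout and the six-line sample log are constructed for the example; a real export would need its own parser in parse_record(), but the Start/Stop replay and the MAC tracing are the same.

```python
"""Two checks over RADIUS accounting records: simultaneous-use and MAC tracing.

Added example with a constructed record format; not TekRADIUS output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one record per Acct-Status-Type Start/Stop event.
SAMPLE_LOG = """\
2013-05-05 09:02:13 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Id=a1
2013-05-05 09:05:40 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=66-77-88-99-AA-BB Acct-Session-Id=b1
2013-05-05 09:20:02 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=DE-AD-BE-EF-00-01 Acct-Session-Id=a2
2013-05-05 09:45:10 Acct-Status-Type=Stop User-Name=alice Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Id=a1
2013-05-05 12:00:00 Acct-Status-Type=Stop User-Name=bob Calling-Station-Id=66-77-88-99-AA-BB Acct-Session-Id=b1
2013-05-05 12:30:00 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=66-77-88-99-AA-BB Acct-Session-Id=b2
"""


def parse_record(line):
    """Parse one constructed 'timestamp key=value ...' record into a dict."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[20:].split())
    return {"time": ts, "status": fields["Acct-Status-Type"], "user": fields["User-Name"],
            "mac": fields["Calling-Station-Id"].upper(), "session": fields["Acct-Session-Id"]}


def parse_log(text):
    """All records in time order (exports are not always chronological)."""
    return sorted((parse_record(l) for l in text.splitlines() if l.strip()), key=lambda r: r["time"])


def simultaneous_use(records, max_sessions=1):
    """Replay Start/Stop records and report every moment a user holds more than
    max_sessions open sessions. With accounting enabled the server can reject the
    second login outright; this check finds the cases where it did not, and which
    MACs were sharing the credential at that moment."""
    active = defaultdict(dict)  # user -> {session_id: mac}
    violations = []
    for r in records:
        if r["status"] == "Start":
            active[r["user"]][r["session"]] = r["mac"]
            if len(active[r["user"]]) > max_sessions:
                violations.append((r["time"], r["user"], sorted(active[r["user"]].values())))
        elif r["status"] == "Stop":
            active[r["user"]].pop(r["session"], None)  # tolerate a Stop without a Start
    return violations


def macs_for_user(records, user):
    """Every Calling-Station-Id that ever authenticated as this user, with the
    first and last time it was seen."""
    seen = {}
    for r in records:
        if r["user"] == user:
            first, _ = seen.get(r["mac"], (r["time"], r["time"]))
            seen[r["mac"]] = (first, r["time"])
    return seen


def block_list_for(records, compromised_user, known_good_macs):
    """MACs to add to the WAP's block list once an account is known to be
    compromised: everything that used the credential except the owner's own devices.
    Remember that the paper's own caveat applies: a MAC block stops only attackers
    who do not spoof their MAC, so the account password must be changed as well."""
    return sorted(m for m in macs_for_user(records, compromised_user) if m not in known_good_macs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for when, user, macs in simultaneous_use(recs):
        print(f"{when}: {user} had concurrent sessions from {macs}")
    print("block:", block_list_for(recs, "alice", {"00-11-22-33-44-55"}))
```

Run against the constructed log, the replay flags alice at 09:20:02 with sessions open from two MACs at once, and the block list for alice (given that 00-11-22-33-44-55 is her known laptop) is the single unexpected MAC. The same replay with `max_sessions=2` reports nothing, which is how a business that legitimately allows a phone and a tablet per user would run it.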
Quality Assurance Approach

Quality Assurance Principles:
- The Wi-Fi network should be as secure as (or more secure than) the LAN.
- Customer data and confidential business data will not pass through the WLAN unencrypted.
- The most effective form of network encryption supported by the devices will be used for all traffic.
- Wi-Fi network downtime will be kept to a minimum.
- No legitimate user should experience loss of coverage within the business facility.

Criterion: The Wi-Fi network uses the highest form of security supported by all network devices.
  The IT department: Stays abreast of new Wi-Fi standards and implements fixes for any security vulnerabilities.

Criterion: All traffic on the Wi-Fi network is encrypted.
  The IT department: Monitors network traffic to ensure no unencrypted data is seen on the Wi-Fi connection.

Criterion: There is minimal downtime of Wi-Fi service during business hours.
  The IT department: Responds immediately to network connectivity problems and follows a backup plan in case the main authentication server fails.

Criterion: The Wi-Fi network is accessible throughout the business facility.
  The IT department: Conducts regular coverage surveys to ensure transmit power, antennae, and broadcast channel are configured for optimum coverage.

Criterion: The Wi-Fi network is resistant to hacking attempts.
  The IT department: Conducts routine penetration tests and ensures all recommended security measures have been implemented.

Solution Testing

The solution was rolled out for testing on a virtual machine running Windows 7. The virtual machine was used to update router firmware, configure the WAP, and set up the RADIUS server. Once all setup processes were complete, testing was conducted on the 802.1X solution by logging into the Wi-Fi network with various devices. Devices tested on the Wi-Fi network include a Windows 8 PC, a Windows 7 laptop, an Android phone, an iPhone, and a Windows RT tablet.
The following acceptance criteria are proposed for final implementation:

Milestone: WAP is ready to deploy on the Wi-Fi network
  Deliverable: 1 Alpha AIP-W411 router with DD-WRT firmware
  Acceptance criteria: All firmware flashes are successful. Router is configured to act as a WAP with its DHCP server disabled, on the same subnet as the gateway router.

Milestone: WAP has all security features configured
  Deliverable: 1 secure WAP
  Acceptance criteria: Specific configuration changes are made, including limiting transmit power, automatic disabling of Wi-Fi during non-business hours, and changing the default login credentials for the WAP configuration page.

Milestone: RADIUS server is functional
  Deliverable: 1 RADIUS server for 802.1X authentication
  Acceptance criteria: RADIUS server is installed on the designated Windows machine. The correct settings are used to enable PEAP-MS-CHAPv2 authentication.

Milestone: Clients are able to authenticate on the WPA2 Enterprise network
  Deliverable: 1 fully functional WPA2 Enterprise network
  Acceptance criteria: Login credentials are configured on the RADIUS server for each individual client. Clients are able to log on to the network and download files.

Implementation Plan

Due to the simplicity of the small business environment, rollout will not have to occur in a tiered process. Larger businesses may wish to make modifications to the rollout plan, such as rolling out one WAP at a time.

Strategy for the Implementation

In this project, rollout will occur sequentially with one phase immediately following another. An alternative for a busy IT department is to build in a delay between each phase so there will be time to work on other projects concurrently. Consecutive phases were selected in order to complete the entire project as quickly as possible so that the small business could begin reaping the benefits.

Phases of the Rollout

Phases of the rollout will occur as follows:
Phase: Router configuration
  Testing: VM-based configuration on a test router
  Criteria: Firmware update is successful and documented so that the process is repeatable. Router (WAP) is configured to meet security standards.

Phase: WAP deployment
  Testing: Test router configured for Wi-Fi connections but not linked to the LAN
  Criteria: WAP signal is detectable in all areas of the business site, but the signal does not carry far outside the building. WAP is pingable on the LAN and can access the Internet.

Phase: RADIUS configuration
  Testing: VM Windows box with the correct software
  Criteria: RADIUS server is installed on the host machine. A user group is created for wireless users and the correct authentication method is specified.

Phase: RADIUS deployment
  Testing: Test account generated and used by a laptop on the isolated Wi-Fi network
  Criteria: Login credentials are entered into the RADIUS database for every Wi-Fi device that will be connected to the network.

Phase: User training
  Testing: Managers will receive training first and provide feedback
  Criteria: All company employees have received training on what usage is allowed on the network and have signed the acceptable use policy.

Phase: Wi-Fi device configuration
  Testing: Company owned mobile devices configured to work on the test network
  Criteria: Wi-Fi devices of all employees have been configured properly to log in to the WPA2 Enterprise network.

Details of the Go-Live

The project will be considered fully implemented once all authorized mobile devices are able to connect to the WPA2 Enterprise network. All mobile devices (including Android, Windows, and Apple) will be eligible to use the Wi-Fi network as long as they have been registered with the IT department. The go-live will be verified by the IT department manager. After the go-live, the network configuration will be fine-tuned and support will be provided to all end users.

Dependencies

802.1X network setup is a sequential process: no steps can be skipped or the configuration will not be fully operational.
WPA2 Enterprise authentication cannot be enabled on the WAP until the RADIUS server is up and running. RADIUS accounting (and therefore WPA2 Enterprise) cannot be enabled on the selected router until it has been flashed to DD-WRT firmware.

Deliverables
- Fully configured WPA2 Enterprise Wi-Fi network
- Router configuration guide
- RADIUS configuration guide
- Acceptable use policy
- Penetration test results
- Network troubleshooting guide

Training Plan for Users

Training will consist of two phases. First, all managers will be taught how to configure their devices to connect to the WPA2 Enterprise network and briefed on acceptable network use. Second, all employees will receive training on acceptable network use. Training will be provided by the IT department in the form of a presentation and handouts. All training will take place before devices are authorized for use on the network.

Risk Assessment

Implementing a Wi-Fi network has benefits, but it also adds risk to business operations. It is important for all businesses to consider every risk, including consequences and possible mitigations, before going ahead with a project.

Quantitative and Qualitative Risks

Three main risks were identified in the risk assessment conducted prior to project implementation:

Risk: WAP gets fried from too much load on the device.
  Likelihood: Low for a smaller business, medium for a larger company.
  Severity: Low. It would just result in the business needing to purchase a new router.
  Controllability: Medium. Network traffic monitoring can help businesses discover when they should upgrade or add more WAPs.
  Overall qualitative value: Low
  Overall quantitative value: $35 to replace the router with one of the same model.

Risk: RADIUS server crashes during business hours.
  Likelihood: Medium. The server will have the heaviest load during business hours, so it would be most likely to crash then.
  Severity: Medium. It will prevent more users from logging on while down, and once a reboot is done all users who are on the network will have to be disconnected to regain RADIUS accounting functions.
  Controllability: Medium. Ensuring any other load on the RADIUS server is minimal and conducting regular hardware and software maintenance will help mitigate this problem.
  Overall qualitative value: Medium
  Overall quantitative value: Between 15 minutes and 3 hours of downtime, $75 to $900.

Risk: Hacker succeeds in penetrating the Wi-Fi network.
  Likelihood: Low. A correctly configured PEAP-MS-CHAPv2 network (clients validating the RADIUS server certificate, strong per-user passwords) resists the easy attacks and would discourage most hackers.
  Severity: High. In this case, severe damage could be inflicted on the LAN and confidential company data could be stolen.
  Controllability: High. Measures can be taken to further secure the network, including user education, proper WAP configuration, and the use of strong passwords.
  Overall qualitative value: Low
  Overall quantitative value: This can't be quantified: potential for extremely high losses plus possible loss of the customer base.

Cost/Benefit Analysis

Below are the potential benefit shortfalls and overrun consequences that correspond to the three identified risk areas:

Risk area: WAP
  Benefit shortfall: Low risk that the Alpha router does not provide enough coverage for the business.
  Shortfall cost: $35 to purchase another router so 2 WAPs would be on the network.
  Cost overrun: Low risk that the Alpha router is unable to handle a large number of simultaneous users.
  Overrun consequences: A different router may need to be purchased, which could cost up to $85. Progress on project implementation could be delayed while waiting for a replacement router.

Risk area: RADIUS server
  Benefit shortfall: Windows machine / TekRADIUS configuration proves hard to manage with a large number of users on the network. Low risk as long as the business has fewer than 50 employees; medium risk for a larger business.
  Shortfall cost: An upgraded machine would have to be purchased at a cost of $1200-$1500 and the user database would have to be transferred to FreeRADIUS (cost of labor).
  Cost overrun: Low risk that the business decides to upgrade to a paid version of TekRADIUS and use a server instead of a regular Windows machine for hosting the software.
  Overrun consequences: Up to $350 for software upgrades and anywhere from $1500-$3000 for a real server. This could easily consume the IT budget of a small business for the entire year.

Risk area: Wi-Fi security
  Benefit shortfall: PEAP-MS-CHAPv2 authentication does not provide adequate protection from hacking. Very low risk in the next year or two.
  Shortfall cost: Depends on what the hacker decides to do while on the network; a shortfall is not quantifiable.
  Cost overrun: The small business decides to implement EAP-TLS authentication instead to provide higher security. Medium risk.
  Overrun consequences: Up to $350 for the software upgrades needed. Some mobile devices that don't support EAP-TLS would have to be replaced, which could cost upwards of $500 a device.

Risk Mitigation

Several steps can be taken to reduce the risk associated with the router used for the WAP. First, the IT department should look for other potential routers that meet all 802.1X requirements, including DD-WRT firmware options and RADIUS accounting support. If a problem with the AIP-W411 hardware is discovered, this will speed up the process of purchasing a replacement. In addition, the AIP-W411 is so cheap that it might be a good idea for the IT department to just keep an extra on hand.
The advantage of keeping a spare is that no time is lost waiting for a replacement device to arrive, because one is already sitting in the IT department ready to go. The disadvantage is that the business pays $35 for a device that might never be needed.
Ways to reduce risk to the RADIUS server include limiting the machine used for RADIUS hosting to that one task, and regular system maintenance. Assigning only one task to the Windows machine reduces its overall load, makes crashes less likely, and extends its life. Regular system maintenance should include routine updates and patching, regular virus scans and system backups, and removal of accumulated dust from the interior of the machine. There are no drawbacks to routine system maintenance, but a small business does give up some potential productivity by dedicating one machine entirely to the RADIUS role. The benefits of adopting these mitigation strategies are that crashes become less likely and the machine has a longer lifespan.

PEAP-MS-CHAPv2 was selected to increase Wi-Fi security, but it has known weaknesses. MS-CHAPv2 on its own can be broken offline from a captured exchange, and PEAP only protects it if the client checks the RADIUS server's certificate before releasing credentials; a man in the middle running a rogue access point with its own RADIUS server can harvest the MS-CHAPv2 exchange from any client that does not validate. To further reduce the chance of a successful attack, some extra precautions can be taken. First, every device should be configured to validate the server certificate generated in the RADIUS configuration guide (Appendix B) and to trust only that certificate, rather than accepting whatever certificate is presented. Second, wireless broadcast strength should be limited so that reception in neighboring locations is poor. Third, RADIUS passwords should be generated by the IT department with appropriate length and complexity (16-character minimum) instead of letting users choose their own. Fourth, user accounts should be disabled immediately when an employee is fired or quits, and temporarily disabled while an employee is on vacation. Fifth, broadcast hours should be limited to business hours only. Another option worth considering is planning for a future upgrade to EAP-TLS (certificate-based client authentication, the strongest of the options considered) by purchasing only mobile devices that support it. Once all devices on the network are EAP-TLS capable, it should be implemented network-wide.
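The account-hygiene precautions above (business-hours-only access, one session per credential, prompt disabling of departed or idle accounts, IT-issued 16-character passwords) and the weekly log review and quarterly account clean-up in the maintenance plan are routine enough to script. The following is an added example written for this page, not code from the capstone or from TekRADIUS: it runs the checks over constructed sample accounting records and a constructed roster, so the record layout (user, Start/Stop, timestamp) is an assumption rather than TekRADIUS's actual log format.

```python
"""Account-hygiene review for the RADIUS user database.

Added example, not part of the capstone or of TekRADIUS. The checks implement
the mitigations in the text against constructed sample data; the record
layout (user, Start/Stop, "YYYY-MM-DD HH:MM:SS") is an assumption, not the
TekRADIUS accounting log format.
"""
import secrets
import string
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 7, 17   # Mon-Fri 07:00-17:00, as scheduled on the WAP
STALE_AFTER = timedelta(days=30)
PASSWORD_LENGTH = 16

# Constructed accounting records: (user, event, timestamp).
SAMPLE_RECORDS = [
    ("alice-phone", "Start", "2013-04-29 08:12:00"),
    ("alice-phone", "Stop", "2013-04-29 16:50:00"),
    ("bob-laptop", "Start", "2013-04-29 09:03:00"),
    ("bob-laptop", "Start", "2013-04-29 09:05:00"),   # second Start with no Stop between
    ("bob-laptop", "Stop", "2013-04-29 17:10:00"),
    ("carol-tablet", "Start", "2013-04-27 23:41:00"),  # Saturday night
    ("carol-tablet", "Stop", "2013-04-28 00:15:00"),
]
# Constructed roster: every RADIUS account and its HR status.
ROSTER = {
    "alice-phone": "active",
    "bob-laptop": "active",
    "carol-tablet": "active",
    "dave-phone": "terminated",
    "erin-phone": "active",   # never appears in the log
}


def _parse(records):
    return [(u, e, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) for u, e, t in records]


def off_hours_logins(records):
    """Session Starts outside Mon-Fri 07:00-17:00. The WAP schedule should make
    these impossible, so any hit means the schedule or a clock is wrong."""
    hits = []
    for user, event, ts in _parse(records):
        if event == "Start" and (ts.weekday() >= 5 or not BUSINESS_START <= ts.hour < BUSINESS_END):
            hits.append((user, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


def overlapping_sessions(records):
    """Users that Start a new session before the previous one Stopped; with
    Simultaneous-Use = 1 this points at a missed Stop or shared credentials."""
    open_count, flagged = {}, set()
    for user, event, ts in sorted(_parse(records), key=lambda r: r[2]):
        if event == "Start":
            if open_count.get(user, 0) > 0:
                flagged.add(user)
            open_count[user] = open_count.get(user, 0) + 1
        elif event == "Stop":
            open_count[user] = max(0, open_count.get(user, 0) - 1)
    return sorted(flagged)


def accounts_to_disable(records, roster, today):
    """Accounts of terminated staff, plus accounts with no Start in STALE_AFTER days."""
    now = datetime.strptime(today, "%Y-%m-%d")
    last_seen = {}
    for user, event, ts in _parse(records):
        if event == "Start" and ts > last_seen.get(user, datetime.min):
            last_seen[user] = ts
    reasons = {}
    for user, status in roster.items():
        if status == "terminated":
            reasons[user] = "terminated"
        elif now - last_seen.get(user, datetime.min) > STALE_AFTER:
            reasons[user] = "inactive"
    return reasons


def issue_password(length=PASSWORD_LENGTH):
    """IT-issued password: CSPRNG output with at least one of each class, never user-chosen."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@_")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    print("off-hours logins:", off_hours_logins(SAMPLE_RECORDS))
    print("overlapping sessions:", overlapping_sessions(SAMPLE_RECORDS))
    print("accounts to disable:", accounts_to_disable(SAMPLE_RECORDS, ROSTER, "2013-05-05"))
    print("new password:", issue_password())
```

Run it as the weekly check with the real accounting export swapped in for SAMPLE_RECORDS; the off-hours and overlap lists go into the log review, and the disable list is what the quarterly clean-up acts on.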
If new vulnerabilities in PEAP-MS-CHAPv2 are discovered, the business can roll back to a wired-only network until EAP-TLS can be installed. The advantages of using PEAP-MS-CHAPv2 are that it is fairly easy to implement, it is supported by virtually all devices, and it gives each user individual credentials and per-session keys instead of the single shared passphrase of standard WPA2 (the over-the-air encryption itself is the same). The disadvantages are the vulnerabilities that have been found in the protocol, the fact that login credentials must be created for each device, and that it must be paired with a RADIUS server.

Post Implementation Support and Issues
It is not enough to plan and implement a project; ongoing support and maintenance must take place to keep the product working. Good support guides reduce the need to hire expensive outside consultants. Regular maintenance extends the working life of resources and reduces unplanned downtime.

Post-Implementation Support
After the Wi-Fi network is installed, all members of the IT department who did not directly participate in project implementation will be trained on the WLAN setup and how to administer the network. Administrator training is the first line of support: it is important that all admins know how the system works so they can detect inconsistencies. All members of the IT department will be able to offer tier-one troubleshooting after the training cycle is complete. Since the Wi-Fi network was specifically built to be easy to administer and maintain, tier-two support is unlikely to be needed. If members of the IT department encounter problems they cannot solve, they can always refer back to the project manager. If a problem cannot be solved within the organization, the next line of support is to contact the specific software projects (the DD-WRT or TekRADIUS forums, depending on the problem).
Post-Implementation Support Resources
The small business implementation of 802.1X by design does not need a great amount of support resources. One member of IT personnel will need to be on call during business hours to troubleshoot connection issues and register new devices on the Wi-Fi network. No other personnel will be needed for daily support. Certain tasks in the maintenance plan may require the assistance of another member of the IT department to ensure timely completion. In-house setup guides for reference and a basic troubleshooting guide are provided in the deliverables. Other resources that would help in providing user support are an Excel or Access tracking database for PODs registered on the Wi-Fi network, and a shared calendar of maintenance tasks for IT departmental coordination. The project implementation team should also survey the rest of the IT department to determine whether there are other support resources they would find beneficial.

Maintenance Plan
To ensure regular maintenance takes place, a schedule of maintenance tasks was created:

WAP
- Weekly: Verify access restrictions still meet organizational requirements. Add or modify blocked sites, services, and hours as needed.
- Monthly: Do a quick coverage survey to make sure there is neither over-coverage nor under-coverage. Switch to a different Wi-Fi channel if needed.
- Quarterly: Check for updated DD-WRT firmware and install it when available.
- Yearly: Perform a systems audit to determine whether the WAP still meets organizational needs or an updated router should be purchased.

Windows Machine
- Weekly: Check for Windows updates and virus scan definitions, and run a quick virus scan.
- Monthly: Back up all system files. Defragment the drives if needed.
- Quarterly: Check memory load to verify the computer is not overburdened. Vacuum all dust out of the case fans and interior. Make sure all cables are tightly connected and show no wear.
- Yearly: Determine whether the OS still meets organizational policies; upgrade to a newer OS if needed. Consider hardware upgrades and/or replacing the system.

RADIUS Server, Logs, and Accounts
- Weekly: Check accounting logs for unusual activity and possible errors.
- Monthly: Back up the SQLite database of RADIUS users. Check for software updates.
- Quarterly: Ensure all inactive accounts are disabled. Change user passwords to conform to good security practices.
- Yearly: Consider upgrading to EAP-TLS or another stronger authentication method if it is supported by all organizational devices.

Conclusion, Outcomes, and Reflection
In actuality, a task is never completed, only advanced to another phase. Across the business world there are different models that express the same idea: a functional process starts with inputs (needs), progresses to planning, testing, implementation, and then support and review of the work accomplished, which uncovers more business needs that feed back into the cycle.

Project Summary
This project covered the implementation of a Wi-Fi network for a small business that had only used a wired LAN for operations. First, a systems and process audit was conducted to uncover business drivers and survey current software and hardware on the network. Second, detailed and functional requirements were examined to define a scope for the project. Third, project timelines, dependencies, resource requirements, milestones, and tentative deliverables were determined. Fourth, a methodology was developed that matched business needs and the system audit. Fifth, details of the project including hardware, software, and architecture were fleshed out. Sixth, a quality assurance plan was created for solution testing. Seventh, an implementation plan was created so that verifiable phases, dependencies, and strategies would be in place during rollout. Eighth, a risk assessment was performed with a cost/benefit analysis and risk mitigations to ensure there were no unintended consequences before final implementation. Ninth, post-implementation support plans, resources, and maintenance schedules were developed so that continual process improvement would occur after the go-live. Finally, all deliverables were provided to the end user.

Deliverables
The final deliverables are present in the 5 appendices attached to this document. There is a configuration and setup guide for the chosen Wi-Fi router, including all firmware update instructions. Detailed setup and configuration instructions for the Windows-based RADIUS server were also developed. As part of the RADIUS setup guide, firewall configuration instructions are included, as it became evident in testing that the Windows firewall was blocking all RADIUS authentication requests. A Wi-Fi acceptable use policy was developed so that the small business would have the complete package, not just the equipment. Employee awareness is just as important as (if not more important than) the best security measures. A penetration test was performed on the PEAP-MS-CHAPv2 authentication process to show how strong passwords can significantly increase security. Finally, a basic troubleshooting guide was developed based on problems encountered during project implementation.

Outcomes
The project was implemented on my home network – not so lucky with the small business factor. I work for the government in a role I can't really discuss other than to say I don't get to do cool projects like this one. The small business in question is completely fictional – though the husband and I really do have that many mobile devices. I really wanted to make a plan that any business could customize to meet their needs – hence the suggestions throughout the capstone of how the plan can be customized.
I am really quite proud of my product overall. Many of the tasks were a stretch for me and I do think it is something that someone might find of use. I think my only regret is not having more time to work on the project. I feel there are some areas I could have covered in more detail. I wanted to try out EAP-TLS encryption on the network, but my Microsoft Surface tablet does not support it and I would have had to pay for the business versions of TekRADIUS and TekCERT. I tested PEAP-MS-CHAPv2 on all of our mobile devices and encountered no problems getting the authentication process to work.

Reflection
First off, I am not a Linux guru – those non-tech-savvy IT department employees I mentioned were a reflection of me. I had originally intended to build all facets of the 802.1X network on open source software. Two weeks into the process my FreeRADIUS server was still not working and I was wishing there was no such thing as Linux. I started to think about completely changing the project to something I do know well – like information assurance. That made me consider the reasons why I chose the topic of secure Wi-Fi in the first place. I started considering the topic because I came across some articles during other classes I took at WGU which hinted at the inherent insecurity of Wi-Fi. The authors' justification was that if someone can collect all the traffic going between computer and router, someone will eventually find a hack to exploit the traffic, no matter what security features are in place. Then I started thinking about how there are Wi-Fi networks everywhere these days – hospitals, coffee shops, Wal-Mart, the doctor's office, work – and wondering just how secure they really are. I realized that larger businesses have all kinds of nice software and shiny toys they can install on their Wi-Fi networks to increase security, but small businesses are left out in the cold.

All the small businesses I have visited that use Wi-Fi are using consumer-grade routers. There might be some out there with higher-grade equipment, but usually there just isn't room in the budget. I firmly believe small businesses are today's innovators. Their intellectual property should be protected just as much as the intellectual property of multinational corporations. If large businesses are dealing with intrusions from China, Russia, and other nation-state actors, what is happening to small businesses behind the scenes that they never even detect? I knew almost nothing about WPA2 Enterprise security before I began working on this project other than I had heard it was more secure. Once I started my research, I was completely overwhelmed with all of the authentication options available. Since I am not that Linux-savvy, I decided to come up with a plan I unofficially called "RADIUS for dummies" with a goal of developing a set of instructions any user who can turn on a computer can follow to make their very own enterprise-grade network. It had to be cheap (I don't have that much money), easy to configure, easy to maintain, and still be secure. After much trial and error, I think I found a great solution. The first Wi-Fi router I modded was an ASUS RT-N16 that I had sitting around. Everything went smoothly until it came time to set up RADIUS accounting. Turns out, the router does not support that. It took me another week to figure out why. For some reason, RADIUS accounting is only supported by Atheros chipset routers and my RT-N16 is not an Atheros chipset. I had to start again from square one, but the second go-round I got smart and looked only at Atheros chipset routers listed on the DD-WRT website. I don't even remember how I came across TekRADIUS, but it is a great piece of software. The guy who wrote it doesn't have the greatest English mastery in the world, and the user guide is not detailed at all.
It took me several days to find out how to configure the thing to authenticate using PEAP-MS-CHAPv2, and it took another day before I figured out where the logs were. Turned out the certificates I had generated using some Microsoft administrative tools were not working right, so that is when I stumbled upon TekCERT. Ironically enough, I finally got the FreeRADIUS server working when it was time to penetration test everything. I still feel FreeRADIUS (and really all the Linux options) are out of the realm of the average small business IT knowledge. Maybe if I get motivated enough I will write a FreeRADIUS for dummies guide since I have broken it in about every way possible. I think my most important lesson learned out of all of this is the importance of having a final goal in mind when working on a project. Until I knew exactly what I wanted to do, I kept getting distracted by shiny objects. I think I lost about a week of project time playing with BackTrack 5 and then trying to get the new Kali Linux to work properly on VMware. I also spent way too much time trying to get that FreeRADIUS server to work when I should have started looking for alternates much sooner. It is ok if the final product is not quite what you envision – as long as it still meets all requirements, and most importantly, as long as it works.
Appendix A – Router Configuration Guide
This guide provides setup instructions for an Alfa AIP-W411 router. Included are details on how to flash the firmware to DD-WRT, which options to change to make it act as a WAP, and some basic security configuration tips for businesses.

Firmware Upgrade
1. Go to http://www.dd-wrt.com/site/support/router-database and enter AIP-W411 into the search field.
2. Click on the router model in the list.
3. Download both factory-to-ddwrt.bin and alfa-aip-w411-webflash.bin.
4. Plug the router directly into the computer (make sure you are plugged into one of the router's LAN ports).
5. Make sure the router is powered on.
6. Open a web browser and type 192.168.1.1 into the address bar.
7. Log in with user name admin and password admin (the factory defaults).
8. Navigate to the System Tools menu.
9. Click on Firmware Upgrade.
10. Choose the factory-to-ddwrt file that was downloaded earlier.
11. Hit Upgrade/OK.
12. Enter the username/password combination you want after it restarts. Choose a strong, unique administrator password here; the factory admin/admin pair is the first thing anyone will try against the WAP. If it doesn't restart, type 192.168.1.1 again and that should take you to the change username/password page.
13. Go to the Administration tab.
14. Click on the Firmware Upgrade sub tab.
15. This time choose the alfa-aip webflash file.
16. Hit Upgrade.
17. After it is done you will probably get a "page not found" message.
18. The router is now ready for configuration.

WAP Configuration
1. Navigate to the router (192.168.1.1), log in, and go to the Setup tab, Basic Setup sub tab.
2. Change the local IP address to one on the same subnet as the LAN router.
3. WAN connection type should be set to Disabled.
4. Check Assign WAN Port to Switch (this gives you an extra LAN port since you don't need the WAN port).
5. DHCP type should be DHCP Server, but select Disable since your LAN router will be providing DHCP.
6. Hit Save, then enter 192.168.0.250 (or the correct address) to log back in at the new IP address.

Security Configuration
1. Navigate to the router (192.168.0.250), log in, and go to the Access Restrictions tab, WAN Access sub tab. The following steps limit Wi-Fi Internet access to business hours of M-F 0700-1700. Feel free to modify the days and hours to meet your business requirements. Note that these policies deny Internet access through the WAP during the listed hours; they do not switch the radio itself off.
2. Select policy 1.
3. Check Enable.
4. Name the policy Weekend Deny.
5. Check the Deny button.
6. Check Sun and Sat as days and set the time to 24 hours.
7. Hit Save.
8. Select policy 2.
9. Check Enable.
10. Name the policy Before Hours Deny.
11. Check the Deny button.
12. Check all weekdays and set the time to 0:00 to 7:00.
13. Hit Save.
14. Select policy 3.
15. Check Enable.
16. Name the policy After Hours Deny.
17. Check the Deny button.
18. Check all weekdays and set the time to 17:00 to 23:59.
19. Hit Save.
20. Select policy 4.
21. Check Enable.
22. Name the policy Blocked Sites.
23. Check the Filter button.
24. Check every day and 24 hours.
25. Under blocked services enter bittorrent, ftp, tftp, and tor. Feel free to add more to the list to suit network needs and policies.
26. Enter any sites and/or keywords in sites that you do not want users to access. If you run out of room, just add the rest into another policy. Suggested keywords: 'facebook', 'twitter', 'naked', 'porn', 'xxx', 'proxy' (and any others you can think of that violate user access policies). Keywords are better than blocking by URL because a savvy user will just use a proxy to get around the URL block. Treat this filter as a policy aid rather than a security control: keyword and URL matching only sees unencrypted HTTP requests, and encrypted traffic passes through unchanged.
27. Hit Save.
Appendix B – RADIUS Server Configuration Guide
This guide explains how to download, install, and set up TekRADIUS on a Windows computer. It also provides details on how to configure the RADIUS server for PEAP-MS-CHAPv2 logon, add user accounts, and prevent multiple logins of the same user. Finally, it covers how to configure the WAP to work with the RADIUS server for 802.1X (WPA2 Enterprise) authentication.

RADIUS Server Installation
1. Navigate to http://www.tekradius.com/download.html and click on the Download TekRADIUS LT link.
2. Wait for the download to complete, then right-click on the file and click Extract All to unzip it.
3. Navigate to the unzipped folder and double-click on setup to install.
4. Hit Next, I Agree, Next, allow installation into the default folder, install for everyone, and keep hitting Next until the UAC window pops up (the UAC window only appears on Windows Vista or later).
5. Click Yes in the window that appears.
6. Hit Close once you get the installation complete message.

Generation of Authentication Certificates
1. Navigate to http://www.yasinkaplan.com/tekcert.asp and click on the download TekCERT link.
2. Wait for the download to complete, then right-click on the file and click Extract All to unzip it.
3. Navigate to the unzipped folder and double-click on setup to install.
4. On Windows 7/8 you may get a message that the install was blocked. If so, right-click on setup and choose Run as administrator. If you are still blocked, click the More Information link and a Run Anyway button should appear.
5. Hit Next, I Agree, Next, allow installation into the default folder, install for everyone, and keep hitting Next until the UAC window pops up (the UAC window will not appear on Windows XP).
6. Click Yes in the window that appears.
7. Hit Close once you get the installation complete message.
8. Open TekCERT and fill in the fields according to the screenshot in the original guide. The certificate name used later in this guide is WiFiAuthentication; this is the server certificate that clients should be configured to trust, so keep a copy of it for the device setup.
9. Hit the Generate Certificate button.
10. Click on the Browse Certificate tab to verify the certificate is now present.

RADIUS Server Configuration
1. Open TekRADIUS LT Manager.
2. Click on the Settings tab, Service Parameters sub tab.
3. Set the listen IP address to your Windows machine's IP address. If you do not know the address, click Start, type cmd in the search bar, and in the command window type ipconfig /all. Find the IP address associated with your Ethernet adapter and use that as the listen IP address in TekRADIUS.
4. Set Startup to Automatic.
5. Set Logging to Debug. This is useful while you are getting authentication working; lower it once logins succeed, since debug logs are verbose.
6. Verify the authentication port is 1812.
7. Check Secure Shutdown.
8. Select EAP-MS-CHAP as the PEAP inner authentication method.
9. Check Accounting Enabled and enter port 1813.
10. Save the settings.
11. Navigate to the Groups tab.
12. Click on the group name Default.
13. At the bottom right are drop-down menus. Select Attribute, Check, Authentication-Method, PEAP.
14. Hit the Add/Update Attribute button just to the right.
15. Select Attribute, TLS-Server-Certificate, Check, WiFiAuthentication. This is how you select the certificate you generated with TekCERT.
16. Hit the Add/Update Attribute button again.
17. Navigate to the Users tab. This is where you will add all users. A user will be added for testing purposes; later you can add accounts for all devices using the same attributes.
18. At the top left there is a Browse Users menu. Select User-Name, Like, (blank), All and hit the Search button. This shows all users added to the database so far.
19. At the bottom left there is a blank for usernames. Enter test, select Default from the drop-down, and hit the Add User Profile button. The drop-down menu is where you select the group.
20. Now select your new test user, and find the attribute menu at the bottom right.
21. Select Attribute, Check, User-Password, testing, and hit the Add/Update button. This sets the password the user must enter at login. Use "testing" only for this test account; production accounts get the IT-issued 16-character passwords described in the risk mitigation section, and the test account should be deleted before go-live.
22. Select Attribute, Check, Simultaneous-Use, enter 1, and hit the Add/Update button. This prevents more than one login at a time with the same credentials.
23. Now add the WAP as a client. Navigate to the Clients tab.
24. At the bottom, for NAS enter the WAP IP address (192.168.0.250).
25. Enter testing as the secret (this is the RADIUS shared secret). The secret keys the integrity check on every packet between the WAP and the server, and anyone who captures that traffic on the LAN can test guesses against it offline, so pick a long random secret before going live.
26. Choose ietf for Vendor. This is the generic choice.
27. Select Yes for Enabled.
28. Set an interim update period of 60 seconds.
29. Hit the Add/Update button.
30. Now start the RADIUS server: click on the Service menu at the top and click Start.

WAP Configuration
1. Navigate to the router (192.168.0.250), log in, and go to the Wireless tab, Wireless Security sub tab.
2. Select WPA2 Enterprise as the security mode.
3. Set the RADIUS authentication server address to your RADIUS server (the same address you used for the listen IP). At this point you might want to double-check that you remembered to set static IP addresses for both the RADIUS server and the WAP in your LAN router's configuration page.
4. Verify the RADIUS authentication server port is 1812.
5. Enter the RADIUS shared secret you configured for this client (testing).
6. Enable RADIUS accounting.
7. Set the accounting server IP address to your RADIUS server.
8. Verify the accounting server port is 1813.
9. Enter the shared secret again.
10. Set the key renewal interval to 360 seconds.
11. Your WAP is now configured, but you might not be able to log in yet.

Windows Machine Firewall Settings
1. For your Windows computer to accept RADIUS traffic on ports 1812 and 1813 you have to add firewall exception rules. If you don't, users will not be able to authenticate and no one will be able to log in. Open the Control Panel on your Windows machine.
2. View by large icons (might be listed as advanced view on some versions of Windows).
3. Double-click on the Windows Firewall icon.
4. Click on Advanced Settings on the left.
5. Click on Inbound Rules (on the left again), then click New Rule to open the New Inbound Rule Wizard.
6. Choose Port as the rule type.
7. Hit Next. Choose UDP and enter 1812-1813 in Specific local ports. RADIUS authentication and accounting run over UDP, not TCP; a TCP-only rule leaves the server unreachable.
8. Hit Next. Choose Allow the connection.
9. Hit Next. Check all boxes for when the rule applies. If you want to tighten this later, edit the rule's Scope tab so that only the WAP's address (192.168.0.250) is allowed to connect.
10. Name the rule RADIUS server. Hit Finish.
11. Now add an outbound rule. Click Outbound Rules and then New Rule. (Windows Firewall allows outbound traffic by default, so this rule only matters if that default has been changed on the machine.)
12. Select Port (as before).
13. Hit Next, select UDP again, and enter specific remote ports 1812-1813.
14. Hit Next and make sure you choose Allow the connection (Block is selected by default).
15. Hit Next and check all boxes for when the rule applies.
16. Name the rule RADIUS server again and hit Finish.
17. Go back to TekRADIUS LT Manager and verify the service is running. If not, click Service, Start again.
18. Congratulations, you should now be able to connect to your WAP and use the test login to authenticate.
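The guide configures the same shared secret on the WAP (the NAS) and in TekRADIUS but does not show what the secret does on the wire. The following is an added example written for this page, not TekRADIUS or DD-WRT code: it encodes the kind of Access-Request the WAP sends to UDP/1812 when a client starts PEAP and the Access-Accept the server answers with, following RFC 2865 and the Message-Authenticator attribute of RFC 3579, and verifies both check values with the right and the wrong secret. The user name, NAS address, and request authenticator are constructed sample values.

```python
"""RADIUS authenticator arithmetic between the WAP (NAS) and the RADIUS server.

Added example, not TekRADIUS or DD-WRT code. The shared secret keys both
check values below, so a NAS or server that does not know it cannot produce
a packet the other side accepts. Sample values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def attr(kind, value):
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (code 2, type 1): the first thing a PEAP client sends."""
    body = struct.pack("!B", 1) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(identifier, secret, username, nas_ip, request_auth=None):
    """NAS side. The Request Authenticator is 16 random bytes; the
    Message-Authenticator is HMAC-MD5(secret) over the whole packet with its own
    value zeroed, and is mandatory whenever an EAP-Message is carried."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap_identity_response(1, username)))
    length = HEADER_LEN + len(attrs) + 18
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth
    mac = hmac.new(secret, head + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return head + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos, zeroed, claimed = HEADER_LEN, b"", None
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if kind == MESSAGE_AUTHENTICATOR:
            claimed = packet[pos + 2:pos + alen]
            zeroed += attr(kind, bytes(16))
        else:
            zeroed += packet[pos:pos + alen]
        pos += alen
    if claimed is None:
        return False  # RFC 3579: an EAP request without one must be rejected
    expected = hmac.new(secret, packet[:HEADER_LEN] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)


def build_response(code, request_packet, secret, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    identifier = request_packet[1]
    request_auth = request_packet[4:HEADER_LEN]
    prefix = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    digest = hashlib.md5(prefix + request_auth + attrs + secret).digest()
    return prefix + digest + attrs


def verify_response(response, request_packet, secret):
    """NAS side: an Access-Accept is only honoured if its digest checks out
    against the secret and the authenticator of the request it answers."""
    if response[1] != request_packet[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_packet[4:HEADER_LEN]
                           + response[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


if __name__ == "__main__":
    secret = b"testing"  # the guide's test secret; replace it before go-live
    req = build_access_request(7, secret, "test", "192.168.0.250")
    print("request accepted by server:", verify_message_authenticator(req, secret))
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print("accept trusted by NAS:", verify_response(accept, req, secret))
    forged = build_response(ACCESS_ACCEPT, req, b"guess")
    print("forged accept trusted by NAS:", verify_response(forged, req, secret))
```

Both check values are keyed only by the secret, and every packet that carries them crosses the LAN in the clear, which is why the guide's "testing" must become a long random string before production: a captured exchange lets an attacker test secret guesses offline, and a recovered secret is enough to forge Access-Accepts.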
Appendix C – Wi-Fi Acceptable Use Policy
This Wi-Fi Acceptable Use Policy is intended to be customized by any business and implemented after review by the legal department.

{Business Name} Wi-Fi Acceptable Use Policy
{Date}

Introduction
{Business Name} recognizes that access to Wi-Fi in the workplace gives employees greater opportunities to collaborate, communicate, and accomplish other business tasks that will increase the productivity and effectiveness of our organization. To that end, we provide access to Wi-Fi for employee use. This Acceptable Use Policy outlines the guidelines and behaviors that users are expected to follow when using company-issued technologies or when using personally-owned devices on the company Wi-Fi network. The {Business Name} network is intended for business purposes only. All activity over the network or using {Business Name} technologies may be monitored and retained. Access to online content via the network may be restricted in accordance with our policies and federal regulations. Employees are expected to follow the same rules for ethical behavior online as offline. Misuse of organizational resources can result in disciplinary action. {Business Name} makes a reasonable effort to ensure employees' safety and security online, but will not be held accountable for any harm or damages that result from use of the company Wi-Fi network.

Devices Permitted
{Business Name} allows all employees to connect company-issued devices to the Wi-Fi network as well as personally-owned devices (PODs). The caveat is that all devices that will be used on the Wi-Fi network must be brought to a member of the IT department for configuration. Certain attributes of the device, including but not limited to model, operating system, and MAC address, will be recorded for tracking of unauthorized devices on the network.
The IT department employee will then configure the Wi-Fi connection on the device to include login information and password. All employees must review and sign the acceptable use policy (AUP) before being allowed to utilize the Wi-Fi network. Any device that has not been registered with the IT department is forbidden on the network. Network logging and monitoring does occur, and unauthorized devices that are detected will be immediately barred from access and measures will be taken to locate the device owner. Use of
    • IMPLEMENTATION OF A SECURE WIRELESS NETWORK 68 unauthorized devices on the Wi-Fi network can result in suspension, prosecution, or other disciplinary actions. Usage Policies All technologies provided by the {Business Name} are intended for business purposes. All users are expected to use good judgment and to follow the specifics of this document as well as the spirit of it: be safe, appropriate, careful and kind; don‘t try to get around technological protection measures; use good common sense; and ask if you don‘t know. Wi-Fi Access will not be used for any of the following: 1. Transmit any material (by uploading, posting, email or otherwise) that is unlawful, threatening, abusive, harassing, tortious, defamatory, obscene, libelous, invasive of another's privacy, hateful or racially, ethnically or otherwise objectionable; 2. Harm, or attempt to harm, minors in any way; 3. Impersonate any person or entity or falsely state or otherwise misrepresent your affiliation with a person or entity; forge headers or otherwise manipulate identifiers in order to disguise the origin of any material transmitted through the Wi-Fi network; 4. Transmit any material (by uploading, posting, email or otherwise) that you do not have a right to make available under any law or under contractual or fiduciary relationships (such as inside information, proprietary and confidential information learned or disclosed as part of employment relationships or under non-disclosure agreements); 5. Transmit any material (by uploading, posting, email or otherwise) that infringes any patent, trademark, trade secret, copyright or other proprietary rights of any party; 6. Transmit (by uploading, posting, email or otherwise) any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes" or any other form of solicitation; 7. 
Purposely transmit any material (by uploading, posting, email or otherwise) that contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment; 8. Interfere with or disrupt the Wi-Fi network or servers or networks connected to the Wi-Fi network, or disobey any requirements, procedures, policies or regulations of networks connected to the Wi-Fi network; 9. Intentionally or unintentionally violate any applicable local, state, national or international law, or any regulations having the force of law;
    • IMPLEMENTATION OF A SECURE WIRELESS NETWORK 69 10. "Stalk" or otherwise harass another; or collect or store, or attempt to collect or store, personal data about third parties without their knowledge or consent; 11. Resell the Wi-Fi network; 12. Use the Wi-Fi network for high volume data transfers, especially sustained high volume data transfers, hosting a web server, IRC server, or any other server. You understand and agree that {Business Name}may disclose your communications and activities using the Wi-Fi network in response to lawful requests by governmental authorities. Downloads Users should not download or attempt to download or run .exe programs over the company Wi- Fi network or onto company resources without express permission from IT staff. You may be able to download other file types, such as images of videos. For the security of our network, download such files only from reputable sites, and only for business purposes. Netiquette Users should always use the Internet, network resources, and online sites in a courteous and respectful manner. Users should also recognize that among the valuable content online is unverified, incorrect, or inappropriate content. Users should use trusted sources when conducting research via the Internet. Users should also remember not to post anything online that they wouldn‘t want bosses, fellow employees, or future employers to see. Once something is online, it‘s out there—and can sometimes be shared and spread in ways you never intended. Personal Safety Users should never share personal information, including phone number, address, social security number, birthday, or financial information, over the Internet unless it is to conduct a valid business transaction on a trusted valid site. Users should recognize that communicating over the Internet brings anonymity and associated risks, and should carefully safeguard the personal information of themselves and others. 
Policy Modifications {Business Name}may, at its sole discretion, modify the terms and conditions of this Agreement, including the AUP, at any time. Such modifications shall be binding and effective upon posting on the company intranet ‗Wi-Fi Access Policy‘ page or provided in writing to employees. You agree to periodically review the ‗Wi-Fi Access Policy‘ page to maintain awareness of any modifications. By continuing to use the Wi-Fi network after such postings, you accept and agree to any and all such modifications. Indemnification Agreement You shall defend, indemnify and hold {Business Name} and its corporate affiliates and their respective officers, directors, stockholders, employees, contractors, agents, successors and assigns harmless from and against, and shall promptly reimburse them for, any and all losses, claims, damages, settlements, costs, and liabilities of any nature whatsoever (including
    • IMPLEMENTATION OF A SECURE WIRELESS NETWORK 70 reasonable attorneys' fees) to which any of them may become subject arising out of, based upon, as a result of, or in any way connected with, your use of the Wi-Fi network or any breach of this Agreement. Limitation of Liability {Business Name}, its employees, agents, and vendors are not liable for any costs arising, either directly or indirectly, from your use of the Wi-Fi network, specifically including any direct, indirect, incidental, exemplary, multiple, special, punitive, or consequential damages. Violations of this Acceptable Use Policy Violations of this policy may have disciplinary repercussions, including: Suspension of Wi-Fi privileges Suspension of work without pay Loss of employment Legal action and/or prosecution I have read and understood this Acceptable Use Policy and agree to abide by it: __________________________________________ (Employee Printed Name) __________________________________________ __________________ (Employee Signature) (Date)
Appendix D – Penetration Test:

The most vulnerable part of PEAP-MS-CHAPv2 authentication is the authentication exchange itself. An attacker can set up a rogue WAP that masquerades as the real one by broadcasting the same SSID, de-authenticate users from the real WAP, and wait for their devices to reconnect to the rogue access point. If users do not look at the server certificate and simply accept it, their devices build the PEAP tunnel to the attacker's RADIUS server and send the MS-CHAPv2 challenge/response inside it. With that challenge/response pair in hand, the attacker can try to recover the password with Asleap, a dictionary attack program that recomputes the MS-CHAPv2 response for each candidate password and compares it with the captured one.

Two different attacks will be shown: the first is a cracking attempt on a weak five-character password, the second on a strong, randomly generated 19-character password.

Attacks on PEAP authentication can be countered in two ways. First, leave server certificate validation switched on in every client profile, enter the expected RADIUS server name and issuing CA where the supplicant allows it so the device refuses an unknown server instead of prompting, and train users what a valid certificate looks like so they notice if something seems off. Second, enforce a strong password policy for all users: a minimum length of 16 characters, and preferably have the IT department generate the passwords randomly and configure them directly into user devices.

Here is a screenshot of the logs for the fake FreeRADIUS server on the hacker machine:
The last two attempts are the ones we will crack with Asleap. First the easy one, the password "Hello":

That took all of one second to recover. Now for the password Th1s1s@16CharacterP:

Gee, that's a bummer. We could try brute-forcing the password instead, but looking at the stats, this is how long it would take:

What if the password were a mere 16 characters?

As you can see, even at 16 characters the attacker would be dead long before he or she cracked the password with ordinary cracking software. This is why PEAP-MS-CHAPv2 is still considered usable (with the long-password caveat) despite the man-in-the-middle potential. The dictionary used was one of the better ones available online, over 60 MB in size. There are even better lists out there, which is why it is important to use a long password made up of several words, special characters, numbers, and random punctuation. A good way to make a strong password that is still memorable is to write a fake website address about a memorable event, for example http://www.1@mGo1nGt0Th3MOV1es.org; by the same estimate, that one would take 56.18 million trillion trillion trillion trillion centuries to guess.

One caveat belongs beside those figures. They measure guessing the password. The captured MS-CHAPv2 response is built from the NT hash split into three DES keys, and it can be recovered by exhausting a single 56-bit DES key space no matter how long the password is (the attack published by Marlinspike and Hulton in 2012), after which the NT hash alone is enough to answer future challenges. A long password defeats the dictionary attack shown here, but it does not make a captured exchange safe; client-side certificate validation, the first countermeasure above, is what keeps the exchange from reaching a rogue server in the first place and must not be switched off.
Appendix E – RADIUS and WAP Troubleshooting Tips:

The number one rule is that nothing ever goes as planned. Things break, especially technological things. These tips were compiled so you do not have to surf forums endlessly or call in a specialist when a common problem crops up.

No Users Can Log In

First, log into your router and make sure the WAP is actually broadcasting. Navigate to the Wireless tab, Basic Settings sub-tab, and check the setting next to Wireless Network Mode. It should say NG-Mixed; Disabled means your WAP is turned off. Correct the setting if needed and click Save.

While you are still in the router/WAP configuration page, double-check that all settings match the WAP and RADIUS configuration guides. Pay special attention to the Wireless tab, Wireless Security sub-tab: the RADIUS authentication server address, port, and shared secret must be correct, and so must the RADIUS accounting server settings.

Now bring up the TekRADIUS LT Manager (reopen it if it was closed) and check the status in the bottom right. If it is red and says "TekRADIUS LT Service is stopped", choose Service > Start; authentication does not work while the service is stopped. If it is green and says the service is running, look at more settings. Go to the Settings tab, Service Parameters sub-tab, and verify everything against the setup guide. Make sure the listen IP address matches the RADIUS authentication and accounting server address entered in the router, and that the ports match as well. Now is a good time to visit the Clients tab too and double-check the IP address and shared secret for your WAP/router. Restart the TekRADIUS service any time you change settings.

The last thing to check is the Groups tab: you might have set the wrong authentication method or forgotten to add the TLS certificate. Verify that the authentication method and TLS server certificate match the configuration guide. Then go to the Users tab and make sure the users are actually members of that default group.

If you are still having issues, it is time to look at the RADIUS logs. In the TekRADIUS LT Manager, click File (top left) and then Open Log File. This shows all the detailed login, logoff, and error messages recorded since you enabled debug logging during setup. If you see no authentication attempts at all, even though clients have been trying to log on, the Windows firewall is probably blocking the traffic. Did you add the firewall exceptions suggested in the RADIUS configuration guide? If not, go back and do that. If you did, and the router and RADIUS settings are all correct, your anti-virus software may be blocking things: if it has its own firewall, add inbound and outbound rules for UDP ports 1812 (authentication) and 1813 (accounting). RADIUS runs over UDP, so a TCP-only rule will not help.

Some Users Can Log In, But Others Cannot

This is good news. It means almost all of your settings are correct and the problem is with the user database or with the device trying to log on. Open the TekRADIUS LT Manager, go to the Users tab, and verify that the extra settings are the same for users who can log in and those who cannot.

Now check passwords: take the user's device and try to connect it to the network yourself. If nothing works, have the device forget the WAP's settings and configure it from scratch. Make sure you enter the same username and password you configured for that device, and then accept the certificate at logon. If that does not help, check the RADIUS logs; they usually show what the problem is.

My Users Can't Access the Internet

This one is more likely to be a problem with your LAN router. Can users access files on the LAN share? If they can, but cannot reach the internet, troubleshoot the LAN router and possibly the cable (or DSL) modem. If you had internet access when you first started using RADIUS but do not now, restart the modem and LAN router: if there is no power switch, unplug them both, wait 15 seconds, plug the modem in, wait 30 seconds, then plug the router back in and wait another minute or two. Check whether the wired connection can reach the internet. If it cannot, it is time to call your ISP.

If the wired LAN has internet access but the Wi-Fi does not, check the LAN router settings. The exact menus depend on the router model, so this is a generic walkthrough. Navigate to where you can see connected hosts (this might be under the Advanced tab; if you are unsure, consult the router manual). Do you see your WAP on the list, and what is its IP address? Most likely it is getting a dynamic address, which now differs from the IP you entered under Clients on your RADIUS server. Fix this by assigning the WAP a static IP (or a DHCP reservation for its MAC address); the setting may be on the same tab or may take some searching. Once the IP is assigned, things should work better (if that was the problem). Double-check the IP settings in both the WAP and the RADIUS server and then restart both. And do not forget that the WAP must be on the same subnet as the LAN router.
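The checks in "No Users Can Log In" (listen address, ports, shared secret, firewall) can be exercised without a client by sending the RADIUS server one Access-Request and verifying the reply, which is what radtest does. The Go program below is an added example, not part of the original capstone or of TekRADIUS; it builds a PAP Access-Request as RFC 2865 specifies (User-Password hidden with MD5 and the shared secret), answers it with a small in-process stand-in for a correctly configured server, and verifies the Response Authenticator on the WAP side. The test account and the shared secrets are constructed, and it assumes the server allows PAP for a test user. Sending the same bytes over UDP to port 1812 of a real server is the one step left out.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RADIUS codes and attribute types used below (RFC 2865).
const (
	codeAccessRequest, codeAccessAccept, codeAccessReject = 1, 2, 3
	attrUserName, attrUserPassword                       = 1, 2
)
// hidePassword is the RFC 2865 User-Password transform: each 16-byte block of the zero-padded password is
// XORed with MD5(secret || previous ciphertext block), the chain seeded with the Request Authenticator.
func hidePassword(secret, password string, reqAuth [16]byte) []byte {
	p := []byte(password)
	for len(p)%16 != 0 {
		p = append(p, 0)
	}
	out, prev := make([]byte, len(p)), reqAuth[:]
	for i := 0; i < len(p); i += 16 {
		b := md5.Sum(append([]byte(secret), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = p[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out
}
// attr encodes one Type-Length-Value attribute; packet assembles header, authenticator and attributes.
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(len(v) + 2)}, v...) }
func packet(code, id byte, auth [16]byte, attrs []byte) []byte {
	pkt := append(append([]byte{code, id, 0, 0}, auth[:]...), attrs...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	return pkt
}
// accessRequest builds the PAP Access-Request a WAP (or radtest) sends for one login.
func accessRequest(secret, user, password string, id byte, reqAuth [16]byte) []byte {
	attrs := append(attr(attrUserName, []byte(user)), attr(attrUserPassword, hidePassword(secret, password, reqAuth))...)
	return packet(codeAccessRequest, id, reqAuth, attrs)
}
// responseAuthenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
func responseAuthenticator(resp []byte, reqAuth [16]byte, secret string) [16]byte {
	return md5.Sum(append(append(append(append([]byte{}, resp[:4]...), reqAuth[:]...), resp[20:]...), secret...))
}
func parseAttrs(pkt []byte) map[byte][]byte { // walks the TLV list after the 20-byte header; a bad length ends the walk
	out := map[byte][]byte{}
	for i := 20; i+2 <= len(pkt); {
		l := int(pkt[i+1])
		if l < 2 || i+l > len(pkt) {
			break
		}
		out[pkt[i]], i = pkt[i+2:i+l], i+l
	}
	return out
}
// handleRequest models a correctly configured server: it re-hides the expected password with its own copy of the shared secret, compares, and signs the reply.
func handleRequest(req []byte, serverSecret string, users map[string]string) ([]byte, error) {
	if len(req) < 20 || req[0] != codeAccessRequest || int(binary.BigEndian.Uint16(req[2:])) != len(req) {
		return nil, errors.New("malformed Access-Request")
	}
	reqAuth, a := *(*[16]byte)(req[4:20]), parseAttrs(req)
	want, known := users[string(a[attrUserName])]
	code := byte(codeAccessReject)
	if known && len(a[attrUserPassword]) > 0 && bytes.Equal(a[attrUserPassword], hidePassword(serverSecret, want, reqAuth)) {
		code = codeAccessAccept
	}
	resp := packet(code, req[1], reqAuth, nil)
	ra := responseAuthenticator(resp, reqAuth, serverSecret)
	copy(resp[4:20], ra[:])
	return resp, nil
}
// verifyResponse is the WAP-side check: the Response Authenticator matches only if the server holds the same shared secret and the reply was not altered.
func verifyResponse(resp []byte, reqAuth [16]byte, secret string) (bool, error) {
	if len(resp) < 20 || *(*[16]byte)(resp[4:20]) != responseAuthenticator(resp, reqAuth, secret) {
		return false, errors.New("response authenticator mismatch: shared secret differs or reply altered")
	}
	return resp[0] == codeAccessAccept, nil
}
// probe runs one exchange in process: the WAP builds the request, the server answers, the WAP verifies the reply.
func probe(wapSecret, serverSecret, user, password string, users map[string]string) (bool, error) {
	var reqAuth [16]byte
	if _, err := rand.Read(reqAuth[:]); err != nil {
		return false, err
	}
	resp, err := handleRequest(accessRequest(wapSecret, user, password, 7, reqAuth), serverSecret, users)
	if err != nil {
		return false, err
	}
	return verifyResponse(resp, reqAuth, wapSecret)
}
func main() {
	users := map[string]string{"testuser": "Th1s1s@16CharacterP"} // constructed test account
	fmt.Println(probe("s3cret", "s3cret", "testuser", "Th1s1s@16CharacterP", users)) // true <nil>
	fmt.Println(probe("s3cret", "typo", "testuser", "Th1s1s@16CharacterP", users))   // false plus the mismatch error
}
```

A wrong shared secret shows up here exactly as it does against a real server: the server cannot reproduce the hidden password, rejects the login, and its reply fails the Response Authenticator check on the WAP, so a reject that also fails verification points at the secret rather than at the password. No reply at all points at the listen address, the port, or a firewall that is still blocking UDP 1812.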