Monday, July 14, 2008

Configure Wireless Security

For all the benefits wireless networks bring to the table, from eliminating cable runs to increasing employee productivity, they can also be as treacherous as quicksand. The problems associated with WLANs are almost as plentiful as the benefits, not the least of which are security threats posed by rogue or misconfigured access points (APs).
No one knows this better than the Global Delivery Infrastructure Services (GDIS) folks at HP. They've spent the last two years commingling the far-flung Wi-Fi resources of HP and Compaq. As Bobby Burch, the network management engineer in charge of wireless management services, puts it, they treat wireless as a hostile network.
With thousands of APs from multiple vendors deployed worldwide, the HP and Compaq wireless networks offered plenty of opportunity for maliciousness. The company knew it had to rein in all those APs to ensure that they met its stringent security requirements for malevolent networking environments.

To do so, HP's GDIS team turned to a Linux-based wireless configuration management software product from AirWave. The AirWave Management Platform (AMP) is a key component in what HP calls its SecureWLAN initiative, the company's overall strategy for rolling out and managing wireless networking in more than 900 offices in 128 countries.
The new setup allows HP's IT personnel to manage multiple vendors' APs via a browser. Almost as importantly, the software has turned the process of updating AP encryption keys into a routine task.

DIFFERING ATTITUDES
When HP and Compaq merged in 2002, they had differing philosophies about wireless networking in general and security specifically. Although both viewed the wireless LAN as a complementary service to the wired LAN and not a substitute, Compaq deployed 100 percent wireless coverage that relied on Wi-Fi's built-in Wired Equivalent Privacy (WEP) for security. HP, conforming to its tighter infosec requirements, deployed wireless only at its larger sites and secured it using the same corporate VPN it used for remote access.
"The VPN vs. WEP issue demonstrates the trade-off between more stringent security and ease of use," says Burch, emphasizing the importance of the former's use of IPSec and two-factor authentication, which HP requires for hostile networking. New cracking tools mean that WEP's encryption can now be broken in minutes, but even before those appeared, WEP was out of compliance with HP's SecureWLAN initiative.

The IEEE has since replaced WEP with 802.11i, which is thought to be much more secure. However, this wasn't ratified until July 2004 and still isn't supported by all vendors' products, so it wasn't an option for Burch. HP did consider Wi-Fi Protected Access (WPA), a software upgrade to WEP designed to work with existing hardware, but rejected it in favor of a VPN.
"We were well-aware of the vulnerabilities of WEP," says Burch. "WPA was considered a temporary fix in lieu of the release of 802.11i and not necessarily an enterprise solution."
HP will eventually migrate all its APs to the VPN infrastructure. A key element in that migration will be the company's ability to manage and configure its global network of APs from a central location, says Burch.

HP first began looking for a WLAN configuration and performance management tool in May 2003. Then, as now, HP's merged wireless networking environment was populated with a variety of what Burch describes as first- and second-generation APs. He defines the former as APs that can be configured only via locally installed proprietary software. This included Proxim's ORiNOCO AP-1000s and Enterasys Networks' RoamAbout AP 2000s, both older models that are no longer available.
According to Burch, the second-generation APs are typically smarter and allow administrators to make changes via Telnet or HTTP without proprietary client software. Falling into this category were Cisco Systems' Aironet 1200 series APs and the company's own HP ProCurve 420 and 520 boxes.

Both sets of APs presented configuration issues. The first-generation products were configurable only via proprietary software running on each HP engineer's PC, and the configuration software wasn't "always on." It provided little in the way of historical data for checking on use and problem trends and patterns, says Burch.
"We evaluated configuration management tools that demonstrated an ability to support HP's heterogeneous wireless environment," he says. "We investigated all the major players, and most off-the-shelf offerings were mapped to a specific vendor.
"Every vendor seemed to be focused on just one or two hardware vendors," says Burch, so they were unsuitable for HP's multivendor environment.

SECURITY CHALLENGES
Security was also a big piece of the equation. "We needed some way to see the security configuration parameters across different models of APs," says Burch.
"Part of the challenge we had was dealing with a variety of security settings with the two architectures," he notes. "We needed a solution that worked in those environments and addressed all the added issues that go along with those technologies, including being able to configure the WEP encryption key, for example."
AirWave's AMP solution met HP's needs for a variety of reasons, says Burch. Most importantly, it can manage and configure multiple vendors' APs, including both the first- and second-generation units already in use within the company.

A variety of methods exist for updating the configuration settings on those APs, he explains. For example, the Enterasys RoamAbout AP 2000s require a proprietary, locally installed client. The ProCurve and Cisco APs use either a Web or Telnet interface to manage configurations. "Each of these offerings essentially allows the technician to configure one or only a handful of APs at a time and requires using their software or writing your own scripts," notes Burch.
AMP gets around this by figuring out how to configure all the necessary parameters on multiple vendors' APs. "Without AMP, we would have no single interface to manage and maintain configurations across all vendors' APs," he says. "By using AMP, we save HP money by reducing operational support time, simplifying management, and reducing training costs."
The capabilities AMP delivers are many and varied, according to Burch. For instance, it can manage AP configuration via groups, and it lets administrators monitor and configure security settings such as Service Set ID (SSID) information and WEP encryption key rotations.

Burch says HP can also use the product to set AP radio settings such as data rates and channel selection, and the tool gives him and other IT personnel regional views of AP health and configurations. It also allows them to make firmware upgrades, all from a central location. AMP can even provide notification when client performance is impacted due to channel overlap, allowing support technicians to review available channels and modify AP configurations accordingly.

SIZE MATTERS
Scalability was another factor HP had to consider for its wireless network. "HP has a large wireless environment, and most of the off-the-shelf products appeared to be single server-based," says Burch. "A single server is sure to max out before HP is done growing its wireless LAN."
To avoid that scenario, HP deployed AMP in a distributed fashion, with two first-tier AMP servers located in Atlanta, GA; single first-tier servers in Asia and Europe; and a U.S.-based master console. In this architecture, the first-tier servers collect configuration information from the APs in their domain (about 1,400 in the Americas, 500 in Europe and the Middle East, and 700 in the Asia Pacific region) and pass it up to the master.

From the master console, IT personnel can see all their APs and reconfigure them quickly and easily, according to Burch. "It's critical to audit the network routinely to ensure that the APs remain in compliance with policies and that they haven't been misconfigured, either by mistake or through malicious action," he says. "AMP makes it quick and easy to audit AP settings to find APs that don't comply with security and configuration standards."
In operation, AMP provides real-time configuration status information for each AP on the network and generates an automatic alert when devices are out of compliance. Drilling down on that shows exactly which parameters are out of compliance.
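The compliance audit described above can be pictured as a comparison of each AP's normalized configuration against a policy, with a per-parameter list of what does not match. The following is an added illustration, not HP's or AirWave's code: the inventory records, the parameter names and the policy values are all constructed assumptions (the vendor and model strings follow the article), and the audit reports every non-compliant parameter per AP so an operator can drill down from the alert to the exact setting.

```python
"""Added example (not HP's or AirWave's code): a minimal configuration-compliance
audit over a normalized, multi-vendor access-point inventory."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample inventory: one record per AP, as a collector would normalize it
# after pulling settings from each vendor's own interface. Parameter names and values
# are assumptions for this example.
INVENTORY = [
    {"name": "atl-ap-01", "vendor": "Cisco", "model": "Aironet 1200",
     "ssid": "HP-WLAN", "ssid_broadcast": False, "encryption": "wep128",
     "wep_key_id": 3, "mgmt_http": False, "mgmt_telnet": False},
    {"name": "atl-ap-02", "vendor": "HP", "model": "ProCurve 420",
     "ssid": "HP-WLAN", "ssid_broadcast": True, "encryption": "wep128",
     "wep_key_id": 2, "mgmt_http": True, "mgmt_telnet": False},
    {"name": "par-ap-07", "vendor": "Enterasys", "model": "RoamAbout AP 2000",
     "ssid": "HP-WLAN", "ssid_broadcast": False, "encryption": "open",
     "wep_key_id": None, "mgmt_http": False, "mgmt_telnet": False},
]

# Assumed policy: the settings every AP in this group is expected to carry.
POLICY = {
    "ssid": {"equals": "HP-WLAN"},
    "ssid_broadcast": {"equals": False},
    "encryption": {"one_of": {"wep128"}},  # an open radio is never compliant
    "wep_key_id": {"equals": 3},           # key slot in use after the latest rotation
    "mgmt_telnet": {"equals": False},
    "mgmt_http": {"equals": False},
}


@dataclass
class Finding:
    ap: str
    parameter: str
    actual: object
    expected: str


def check_parameter(actual, rule) -> str | None:
    """Describe the expected value when `actual` violates `rule`; None when it complies."""
    if "equals" in rule and actual != rule["equals"]:
        return f"== {rule['equals']!r}"
    if "one_of" in rule and actual not in rule["one_of"]:
        return f"in {sorted(rule['one_of'])!r}"
    return None


def audit(inventory, policy) -> dict[str, list[Finding]]:
    """Map each AP name to its non-compliant parameters (an empty list means compliant)."""
    report: dict[str, list[Finding]] = {}
    for ap in inventory:
        findings = []
        for param, rule in policy.items():
            expected = check_parameter(ap.get(param), rule)
            if expected is not None:
                findings.append(Finding(ap["name"], param, ap.get(param), expected))
        report[ap["name"]] = findings
    return report


def noncompliant(report) -> list[str]:
    """Names of the APs that would raise an alert, sorted for stable output."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    rep = audit(INVENTORY, POLICY)
    for name in noncompliant(rep):
        for f in rep[name]:
            print(f"ALERT {f.ap}: {f.parameter}={f.actual!r}, expected {f.expected}")
```

Running it flags atl-ap-02 (SSID broadcast on, stale key slot, HTTP management enabled) and par-ap-07 (open radio, no key), while atl-ap-01 is clean. A real collector would also have to normalize vendor-specific spellings of the same setting before this comparison is meaningful.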

As noted, the AMP software is a key factor in managing HP's wireless security environment. For example, a handful of HP's wireless environments still rely on WEP and its encryption keys, which must be updated regularly for secure access.
"Our largest wireless WEP-based site has 500 APs," says Burch. "It used to take 60 minutes to complete the WEP update across all the APs at this single site using the AP vendor's proprietary client software, which could only configure 50 APs at a time."
That meant HP's IT staff had to perform the same repetitive task 10 times every time it updated the WEP settings. By contrast, AMP can push an update to all 500 APs in about 15 minutes, says Burch.

AMP also provides a means to validate those updates, which is important because mismanaged WEP key updates can leave users unable to communicate via the AP. Unlike proprietary AP management software, AMP provides reports displaying the aggregate number of users at the server, group, and individual AP level. This shows HP technical staff that users can connect after an update, in effect validating that the parameter changes were done correctly.
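The validation step above amounts to comparing associated-client counts per AP before and after the key push, aggregated up to the group level. The following is an added illustration, not AirWave's or HP's code: the client counts and group membership are constructed, and the thresholds are assumptions. It ignores APs that had almost no clients to begin with, so that a drop from two users to zero does not masquerade as a failed update.

```python
"""Added example (not AirWave's or HP's code): validate a bulk key rotation by
comparing associated-client counts per AP before and after the push."""
from __future__ import annotations

# Constructed snapshots: clients associated per AP, polled shortly before the key
# push and again after clients have had time to re-associate. Values are made up.
BEFORE = {"atl-ap-01": 18, "atl-ap-02": 25, "atl-ap-03": 0, "atl-ap-04": 9}
AFTER = {"atl-ap-01": 17, "atl-ap-02": 0, "atl-ap-03": 0, "atl-ap-04": 3}

# Assumed group membership, mirroring the server/group/AP reporting levels.
GROUPS = {
    "atlanta-bldg1": ["atl-ap-01", "atl-ap-02"],
    "atlanta-bldg2": ["atl-ap-03", "atl-ap-04"],
}


def suspect_aps(before, after, min_retained=0.5, min_clients=5) -> list[str]:
    """APs that had a meaningful client population before the push and lost most of it.

    APs with fewer than `min_clients` beforehand are skipped: too few users to tell
    a failed key update from ordinary churn.
    """
    flagged = []
    for ap, prior in before.items():
        if prior < min_clients:
            continue
        current = after.get(ap, 0)
        if current < prior * min_retained:
            flagged.append(ap)
    return sorted(flagged)


def group_totals(counts, groups) -> dict[str, int]:
    """Aggregate per-AP client counts to the group level."""
    return {g: sum(counts.get(ap, 0) for ap in members) for g, members in groups.items()}


def validation_summary(before, after, groups) -> dict:
    """What an operator would review after a push: suspect APs plus group-level totals."""
    return {
        "suspect": suspect_aps(before, after),
        "before": group_totals(before, groups),
        "after": group_totals(after, groups),
    }


if __name__ == "__main__":
    summary = validation_summary(BEFORE, AFTER, GROUPS)
    for ap in summary["suspect"]:
        print(f"CHECK {ap}: clients {BEFORE[ap]} -> {AFTER.get(ap, 0)} after key update")
    for group in GROUPS:
        print(f"{group}: {summary['before'][group]} -> {summary['after'][group]}")
```

On the constructed data atl-ap-02 and atl-ap-04 are flagged for a technician to inspect, while atl-ap-03, which had no clients before the push, is left alone.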

MINUTES, NOT HOURS
Another benefit of AMP is that it offers the ability to quickly repair out-of-compliance APs, says Burch. "Without AMP auditing all wireless APs, this would take hours, if not days. With AMP, it's a matter of minutes."
In addition, AMP gives HP the ability to drill down into detailed real-time information on individual users and APs. "AMP's graphical interface gives us a snapshot of the wireless environment to use in diagnosing user problems," says Burch.
Burch says this all translates to saving HP big bucks on wireless networking management. Since deploying the AirWave tool, HP's IT staff spends about a fourth less time on wireless networking operational issues such as AP configuration and management, and wireless-related support issues are now resolved in one-fourth the time it took before.

"We've estimated AMP has helped reduce time-to-resolve trouble tickets by 75 percent or more," says Burch. "When a user reports problems, support personnel can quickly locate the user on the network and drill down to view detailed information on both the user session and the AP in use."



Taken from
www.networkcomputing.com/channels/wireless
