Performance Anxiety: Managing & Securing Your WLAN
By Susan Nunziata
For Jon Covington, Network Engineer at Ronald Reagan UCLA Medical Center, the ultimate goal in managing and securing the facility's Cisco WLAN is to ensure uninterrupted patient care. Covington and his team are concerned with protecting patient privacy, tracking rogues and defending the wireless network against unwanted traffic.
Covington turned to AirDefense Solutions, which was acquired in late 2008 by Motorola, to deploy a solution that would give him the insight he needed, as well as integrate with the existing Cisco 802.11a/b/g network (see case study, page 10).
John Sendejar, Business Unit Manager, External Relations, of the Corpus Christi Digital Community Development Corp. (CCDCDC), a unit of the City of Corpus Christi, TX, faced an entirely different challenge: getting his arms around a Tropos wireless mesh network that had been installed and previously managed by Earthlink. The network was unceremoniously dropped in the city's lap in May 2008 after Earthlink announced it was exiting the municipal WiFi space.
"Outside of getting an Excel spreadsheet with about 1,300 Access Points listed on it, I actually didn't know what I had in the field," says Sendejar. "It was really difficult to fathom what was up, what was down, what was not working, what was configured badly, what was communicating to us. We just had no way to be able to do that. Not a tool in place to be able to very quickly assess your wireless network and the functionality and performance of it."
Sendejar is the only full-paid staff member of CCDCDC. He works with a team of 10 network technicians who share responsibility for both the city's wired and wireless networks. It took them four weeks to physically audit the network's APs, which were scattered across 147 square miles.
The manual audit turned up valuable information that Sendejar previously didn't have access to -- such as how the APs were configured and what SSID was being displayed.
But, it wasn't until the city deployed the AirWave WLAN management solution from Aruba Networks that Sendejar was able to get a keen grasp of what he was dealing with. "[AirWave's] representative helped us install, and it was done by 10 in the morning. By the end of that day I had identified three fourths of my assets in the field. [I knew] what information they were displaying, what SSIDs were configured, whether they were on a certain firmware or not, and what longitudinal and latitudinal information they were displaying. I then could look at them in the field and, because of [AirWave's] association with Google Earth, I could display that device over a GIS map. I can't tell you how much information I had in one day at my fingertips. It took us four weeks [to do the manual audit] and I still couldn't grasp it because I couldn't physically see how it all came together on a visual display."
For Clemson University, the first goal is to create the "stadium of the future" at its 80,000-seat Memorial Stadium. Managing traffic on the network, as well as securing m-commerce solutions, are among the priorities for Clemson.
The project, known as iTiger, uses an 802.11n Cisco Unified Wireless Network. The effort is seen as a launching pad to integrating the entire college campus, says Jim Bottum, the university's Vice Provost for Computing and Information Technology.
Enterprises in every vertical are recognizing the exponential growth in wireless devices. Or, as UCLA's Covington aptly puts it: "Wireless is as ubiquitous as walking."
In addition to Cisco, Motorola/AirDefense, and Aruba/AirWave, numerous other vendors offer a variety of WLAN management and security solutions, including Meru Networks, AirTight Networks and AirMagnet.
Indeed, AirMagnet, which markets security, performance and compliance solutions for WLANs, surveyed 342 enterprises in November and December 2008 and found that 92% plan to extend their WLAN deployments in 2009. Two-thirds of respondents say their WLAN deployments now support at least one "mission critical" application. Gartner estimates that $168 million was spent on WLAN intrusion detection systems alone in 2008. John Girard, VP/Distinguished Analyst at Gartner, says most companies have moved rapidly from trying to keep WLANs out of their organizations to fully embracing them widely across all corporate facilities.
Enterprises are entering a phase where having a comprehensive mobility strategy is at the core of their business, says Cisco's Chris Kozup, Senior Manager Mobility Solutions.
The exponential growth in the number of wireless devices at play in any organization is changing the requirements for WLAN management and security. "Every electronic device is wirelessly enabled, whether it's your iPhone, a laptop, a barcode scanner, specialized devices such as pumps used in healthcare, WiFi tags used on assets," says Brian Wergo, AirWave's GM. Adds Aruba Networks' Michael Tennefoss, Head Of Strategic Marketing, "It's not just the devices, but what they do to your network and how you administer access."
While security is always crucial, organizations also are looking for unprecedented levels of granularity about how each user is behaving on the network, for auditing and compliance purposes.
"When we started the company in 2001, the primary concern was rogues," says Dr. Amit Sinha, Fellow and Chief Technologist for AirDefense Solutions. "Over the past two to three years we've seen the mobile enterprise is like a juggernaut. They want to monitor their airspace 24/7. And, they want to track individual devices and users not just in real time but historically on a minute-by-minute basis."
Enterprises are completely changing the way they're looking at WLAN management, says Rachna Ahlawat, VP Strategic Marketing at Meru Networks. "[WLAN] management used to be looked at as infrastructure and RF management. Now we're seeing people interested in session management. The earlier practice was managing access points. Now, they want to see if every user on an AP is connected correctly and if they've connected successfully."
The VPN Approach
For some enterprises, a mobile VPN plays a key role in their WLAN security setup. For example, women's apparel retail chain maurices, a division of Dress Barn, deployed Columbitech's mobile VPN across its 650 stores. The solution enables the retailer to enhance its overall security in order to meet PCI compliance requirements. It gives users secure access to its wireless network as well as added protection and authentication features for its existing Fujitsu iPAD handheld computers.
The end user interface is crucial, notes Columbitech President Asa Holmstrom. "Typical users tell us they don't even want to see our applications. It's a security product. They don't want to worry about it, they just want to know it's working."
Likewise, First National Bank uses a single software solution from NCP engineering GmbH that integrates data encryption, a dynamic personal firewall, Friendly Net Detection, and one-time password token and certificate support through a public key infrastructure (PKI).
Authentication policy is key, says Chris Witeck, Director of Product Management for VPN vendor SonicWALL. "Authentication policy is one of the most overlooked aspects of how you secure your network," he says. "Some customers focus on endpoint detection, others focus on traffic issues. The best practice is defense and depth. You want application security, network security and device security."
PlayStations and D-Link routers are just some of the devices caught in the net of WLAN security at Ronald Reagan UCLA Medical Center
When the University of California Los Angeles opened its Ronald Reagan UCLA Medical Center in July 2008, the wireless network was integral to the state-of-the-art facility, says Jon Covington, the hospital's Wireless Engineer.
The 10-story, 1 million-square-foot medical center uses its Cisco 802.11a/b/g WLAN to facilitate more than 3,000 Computers On Wheels (COWs), which are used by clinical and administrative staff for Electronic Medical Records, among other applications. The network also enables some 2,000 Cisco 7921 VoWiFi phones used by the facility's highly mobile staff. Hospital clientele also get free campus-wide WiFi.
The organization has multiple objectives in managing its network, including:
- Ensuring security for network users
- Detecting rogue devices
- Detecting intrusions
- Intrusion prevention and mitigation
- Understanding coverage patterns
The medical center chose Motorola's AirDefense Solutions to achieve these objectives. AirDefense integrates with the Cisco network's Wireless Control System.
So far, the facility has uncovered six rogues, none of which were malicious. One patient was discovered behind his closed hospital room door enthusiastically engaged with his PlayStation.
"It's more the notion of people saying, 'I don't have wireless, I'll bring my own, I can use my own SSID. I'm just going to hide over here and not make a lot of noise.' Of course, you do make quite a bit of noise when you bring a new SSID to our environment, and we know it."
In another incident, someone in the orthopedics department plugged in a rogue D-Link router. "It was driving the whole floor crazy," says Covington. "Your APs in the enterprise are set at a certain power level, and also the cell sizes are measured to accommodate a certain density. As soon as you bring in something that's unmanaged, that's turned up full power, you drown out everything that is trying to associate to that access point to get an IP address. It's like being in a shouting contest with a guy who has a bullhorn."
The forensics is crazy
AirDefense allows the user to run packet-capture and pinpoint the location of an unauthorized device to within 10 feet. "The forensics is crazy," says Covington. "It's real time and lag time. To show the breadcrumb trail is incredible."
Covington says UCLA hasn't realized ROI on the solution yet, but "it has shown its worth."
For example, he says, "If a nurse or technician can't do something because there's interference in the air, that's how you weigh the ROI at that point. If the noise is in the air from your particular rogue device, you're affecting patient care, and the tentacles of that reach very far."
What is our first level of defense? How are we keeping the bad guys out of the network?
How do users log in and how do we support different levels of authentication? Are we using industry best practices?
How do we segment different users on the network within the four walls or across our campus?
How does the remote worker connect so that the edge of the network can be as secure as possible?
Do we have an acceptable use policy for how wireless should be used?
What tools do we use to enforce our policy, and do we have someone monitoring these? Even a policy of "no use" requires a way to enforce it.
Have we deployed multiple SSIDs to support different users and different types of devices?
Can we detect a rogue AP before, not after, an attack happens?
How secure is the perimeter of our network to protect against RF leaks and parking-lot attacks? Do we have a way to support the network so that signals don't leak out?
How do we comply with regulations such as PCI (in retail), FIPS (in government), HIPAA (in healthcare) or Sarbanes-Oxley (in financial services)?
Is our management and security solution scalable to the growing number of wireless devices, end users, controllers and APs that are coming into our enterprise?
Are we keeping things simple for our end users? If not, they may choose convenience over security.