
Teesside University COM2057 Networks and

Systems Administration

Secure Campus Wireless Network Design

ABC University Malaysia.

Philip Martin N3098463

Contents

1. Introduction
2. Evaluation of Campus Scenario
3. Design
4. Security Issues
5. Authentication, Encryption and Tunneling
6. Legal Issues
7. Detailed network diagram
8. Conclusion
9. Bibliography

Introduction

With the fast movement of technology, it is now essential to create robust and easily upgradable networks. The aim of this report is to design a secure wireless network, the main criterion being that there is access everywhere on the University's campus. This report will go over my design and thoughts, security issues, encryption techniques and a detailed network diagram of each building on the campus.

Evaluation of the campus scenario

Before anything is implemented on the campus, assumptions need to be made. First of all I started by assuming the building dimensions shown in the table below (figure 1). I could then work out the structure of my network and the task in hand. I also assumed that in the multi-storey buildings each floor is identical, so the design would be the same on every floor. Some buildings are smaller than others, so there is an obvious structure there, but it would be wrong to overlook what each building is used for. For example, the guest hostel should have the same amount of wireless access as the male and female hostels, but the guest hostel is smaller, so it is cheaper to use fewer access points; the wireless coverage would then not be as strong.

However, some buildings on campus would make it very easy for anyone to come and attack the network if the signal were available there. I therefore believe building number 1 does not need any wireless access, for reasons explained further on in the report.

Below is a table of dimensions for the campus buildings. This is useful when estimating the number of access points needed. There will be areas on campus that are difficult for the wireless signal to reach; comparing the dimensions with the wireless range helps when looking for solutions to such problems.

Figure 1: Building number and dimensions, length x width (to the nearest 0.5 cm)

 1. Multi-Storied Car park (5 floors)    N/A
 2. Multi-Purpose Hall                   50 metres x 50 metres
 3. Guest Hostel (3 floors)              20 metres x 60 metres
 4. Male Hostel (3 floors)               45 metres x 50 metres
 5. Female Hostel (3 floors)             45 metres x 45 metres
 6. Lecture Block 1                      40 metres x 30 metres
 7. Lecture Block 2                      20 metres x 40 metres
 8. Outdoor Dining                       20 metres x 10 metres
 9. Cafeteria                            30 metres x 30 metres
10. Main Building (10 floors)            25 metres x 90 metres
11. Lecture Theatre                      50 metres x 20 metres
12. Chancellery Block (3 floors)         50 metres x 30 metres
13. IT/Business Block (3 floors)         45 metres x 85 metres
14. Engineering Block (3 floors)         60 metres x 70 metres

Design

Once I had made my assumptions and was happy with them, I began to construct a design. My design shows the access points and also the coverage. In the diagram below you can see how I have given the majority of the buildings full coverage without any interference. As explained, you can see 0% coverage in building number one for security reasons. Another thing to note is the large number of access points in the student hostels; my reasons for this are simple. For the majority of their time at university, students will be living in their rooms, which means a lot of students in the same place at the same time. This creates a mass demand for network access, and with little coverage it would be impossible to meet that demand. Another major decision concerned the IT building (building 13). As it is one of the most significant buildings on the campus in terms of its computing needs, I believe it needs as much coverage as possible, as shown on my diagram. With at least six different access points per floor I believe this is acceptable. I have also made sure that the access points do not overlap by more than 5%, to make certain that no interference takes place in such an important building. The rest of the campus is well covered with access points, which indicates to me a very good structure to build upon.

[Figure: campus Wi-Fi coverage map. Key: scale 1 cm = 20 metres; access points marked as Channel 1, Channel 6 and Channel 11.]
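As an added example (not part of the original report), the following Python script applies the planning rule behind the table and the 30-metre access point range to a few of the buildings: it works out how many access points a square grid needs per floor so that no point on the floor is further than the range from an access point, multiplies by the number of floors, and assigns channels 1, 6 and 11 so that no two side-by-side access points share a channel. The building rows and the 30 m radius are assumptions taken from the report's own figures; the result is a planning estimate, not the count in the author's diagrams.

```python
import math

# Constructed planning inputs copied from the report's building table
# (length x width in metres, floors). Building 1, the car park, is left out
# because the design deliberately gives it 0% coverage.
BUILDINGS = {
    2: ("Multi-Purpose Hall", 50, 50, 1),
    3: ("Guest Hostel", 20, 60, 3),
    10: ("Main Building", 25, 90, 10),
    13: ("IT/Business Block", 45, 85, 3),
}
AP_RANGE_M = 30          # assumed usable radius ("just over 30 metres" in the report)
CHANNELS = (1, 6, 11)    # the three non-overlapping 2.4 GHz channels in the diagram key


def grid_spacing(radius):
    """Widest square-grid spacing with no coverage gap: a circle of radius r
    covers a square of side r*sqrt(2), so spacing beyond that leaves holes."""
    return radius * math.sqrt(2)


def plan_floor(length, width, radius=AP_RANGE_M):
    """Return [(row, col, channel)] for one floor. Channel = (row + col) % 3
    guarantees that every AP's four nearest neighbours use a different
    channel; only diagonal neighbours (sqrt(2) further away) can share one."""
    d = grid_spacing(radius)
    cols, rows = math.ceil(length / d), math.ceil(width / d)
    return [(r, c, CHANNELS[(r + c) % 3]) for r in range(rows) for c in range(cols)]


def plan_campus(buildings=BUILDINGS):
    """Access points per building = per-floor grid size x number of floors."""
    return {num: len(plan_floor(length, width)) * floors
            for num, (_, length, width, floors) in buildings.items()}


def has_adjacent_conflict(floor_plan):
    """True if two side-by-side APs on a floor were given the same channel."""
    channel_at = {(r, c): ch for r, c, ch in floor_plan}
    return any(channel_at.get((r + dr, c + dc)) == ch
               for r, c, ch in floor_plan for dr, dc in ((1, 0), (0, 1)))


if __name__ == "__main__":
    for num, count in plan_campus().items():
        print(f"Building {num} ({BUILDINGS[num][0]}): {count} access points")
```

For the IT/Business Block this gives six access points per floor, which matches the "at least six per floor" figure the design section uses.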

Security issues

With so many wireless networks across the globe, every single one is liable to attack, even though the majority of people would rather have wireless as their standard choice of network. Biju (2014) provided the statistics associated with security attacks: “The average financial loss due to network attacks was more than $3 million per case, with the vast majority of attackers, 78 percent, committing crimes from their home computers.” (Issacs 2014) Therefore the need for network security is massive. The most popular attacks on networks are spoofing attacks. Neil (2014) explains how a spoofing attack can begin: “A spoofing attack occurs when someone pretends to be another user or device connected to the network that is deemed safe; they will then attempt to launch attacks, steal data, spread malware or bypass access controls.” (DuPaul n.d.) Some of the most common spoofing methods include IP address spoofing attacks, ARP spoofing attacks and DNS server spoofing attacks, all of which can be carried out with a laptop within the wireless coverage of a network. This strengthens my case for 0% coverage in the car park: it would be very easy for someone to drive up and start attacking the network.

Another major issue is war driving. Advocate (2013) described how war driving can affect a company's network: “A war-driving attack consists of a hacker exploring a certain area with Wi-Fi coverage; the hacker will have laptops and mobile devices connected to very strong antennas which will scan for unsecured areas in the network (i.e., no security or no password needed for access). If the hacker has successfully found an unsecured part of the network, they will begin to attack. The hacker can then scan other devices connected to the network and possibly find personal data, company data and financial data as well as login credentials and passwords.” (Advocate n.d.) This potential issue again supports my case for 0% coverage on building 1. There are a few solutions to these problems:

- Use up-to-date encryption on your router. WPA2 (AES/CCMP encryption) is at the moment the best encryption possible for a router and very, very hard to crack.

- Hide the wireless SSID from broadcast so that only people on site will be able to see the name of the network, via posters or on request.

- Change the default usernames and passwords on the network, for example your router's configuration credentials.

While there is no such thing as a fully secure network, these simple things will make your network as secure as it can possibly be. Another solution could be to use a packet sniffer. Andy (2014) gave an insight into how packet sniffers work and how they can be used: network technicians use packet sniffers regularly to detect network-based problems. Sniffing software is commonly used on wireless networks; however, the majority of such tools can only scan one channel at a time, so it is good to have as few channels as possible in your network. Otherwise, having a host computer with multiple wireless interfaces that allow multichannel capture is also a good option.

However, there is a downside: hackers often use packet sniffers for illegal purposes such as spying on network users' traffic and collecting passwords (O'Donnell n.d.). The good news is that there is software to detect packet sniffers (e.g. Antisniff), which will alert the administrator that someone is looking at packets on the network.
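As an added example (not from the report), here is a small detector for the ARP spoofing described in this section, written from the monitoring side: it replays a constructed ARP-reply log (sample lines, not captured traffic) and raises an alert when an address, especially the gateway, starts answering from a different MAC, or when one MAC claims several addresses. The log format and the gateway address are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies as a monitoring host on a campus subnet
# might log them (not real traffic). The gateway 192.168.10.1 is first seen
# at one MAC, then a second MAC starts answering for it and for a client:
# the classic sign of ARP spoofing described in the report.
SAMPLE_ARP_LOG = """\
2014-11-10 09:12:01 ARP reply 192.168.10.1 is-at 00:11:22:33:44:55
2014-11-10 09:12:03 ARP reply 192.168.10.42 is-at aa:bb:cc:dd:ee:01
2014-11-10 09:12:05 ARP reply 192.168.10.43 is-at aa:bb:cc:dd:ee:02
2014-11-10 09:14:30 ARP reply 192.168.10.1 is-at aa:bb:cc:dd:ee:99
2014-11-10 09:14:31 ARP reply 192.168.10.42 is-at aa:bb:cc:dd:ee:99
2014-11-10 09:14:32 ARP reply 192.168.10.1 is-at 00:11:22:33:44:55
"""

ARP_RE = re.compile(r"^(\S+ \S+) ARP reply (\S+) is-at ([0-9a-f:]{17})$")
KNOWN_GATEWAYS = {"192.168.10.1"}   # assumed: addresses whose MAC must never change


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for each well-formed ARP reply line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoofing(text, gateways=KNOWN_GATEWAYS, max_ips_per_mac=1):
    """Return a list of alert strings. Two checks are made:
    1. an IP that answers from a MAC different from the one first learned
       (flagged as a gateway change when that IP is a known gateway), and
    2. a single MAC claiming more than max_ips_per_mac addresses, which is
       what happens when both ends of a conversation are being poisoned."""
    first_mac, ips_per_mac, alerts = {}, defaultdict(set), []
    for ts, ip, mac in parse_arp_log(text):
        if ip in first_mac and first_mac[ip] != mac:
            kind = "GATEWAY MAC CHANGE" if ip in gateways else "MAC CHANGE"
            alerts.append(f"{ts} {kind}: {ip} was {first_mac[ip]}, now {mac}")
        first_mac.setdefault(ip, mac)          # keep the first binding as the baseline
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) == max_ips_per_mac + 1:
            alerts.append(f"{ts} ONE MAC, MANY IPS: {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(alert)
```

On the sample log this produces three alerts: the gateway changing MAC, the client at .42 changing MAC, and the same new MAC claiming both addresses.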

Authentication, Encryption and Tunneling

As time has passed, security and encryption have improved, and they will keep improving as new advances in technology break through. Wi-Fi has three main types of encryption in use today.

WEP – Wired Equivalent Privacy

When WEP was first introduced its aim was to make wireless networks as secure as wired networks; as new encryption methods were introduced, hackers found it easy to crack WEP keys with brute force. WEP has two methods of authentication, Open System authentication and Shared Key authentication, both of which have been proven to be very weak.

WPA/WPA2 – Wireless Protected Access

WPA/WPA2 is today's standard for WLAN security, as it has a longer, harder-to-crack key and the key is different for each packet of data. In WPA, a technology called TKIP (Temporal Key Integrity Protocol) uses a passphrase, along with the network SSID (Service Set Identifier), to generate unique encryption keys for each wireless client. One of the biggest improvements in WPA2 was the use of the AES (Advanced Encryption Standard) algorithm and the introduction of CCMP (Count Cipher Mode Protocol).

AES (Advanced Encryption Standard)

AES is today the best algorithm for encryption and is even used by the US government: ‘The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data’.

VPN – Virtual Private Network

A VPN is a technology that creates a secure private network connection over a public network. It uses certain protocols to securely send data over the network infrastructure; this way it makes the information. The webpage (http://whatismyipaddress.com/vpn) explains the protocols used:

- IP security (IPSec) is used to secure communications over the Internet.

- Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use cryptography to secure communications over the Internet.

- Point-To-Point Tunneling Protocol (PPTP) is another tunneling protocol used to connect a remote client to a private server over the Internet.

- Layer 2 Tunneling Protocol (L2TP) is a protocol used to tunnel data communications traffic between two sites over the Internet.

Opinions on VPNs are mixed: people like them because they are an inexpensive way of building a private network, but others dislike them because of their QoS (Quality of Service), as poor QoS can cause packet loss and other performance issues.

RADIUS – Remote Authentication Dial In User Service

RADIUS is an AAA (Authentication, Authorization and Accounting) system used by many different organisations such as ISPs and universities. Back when dial-up was used, this was involved every time someone wanted to use the internet. The user would have to enter the credentials given to them by their ISP, and the credentials would then be checked against a database using RADIUS. If the details were correct, access was granted to the user.

Tunneling

Tunneling is used when a network wants to send data via another network's connection. It encapsulates the data from the private network together with the private protocol's information. This means that the private network's protocol information appears to the public network as ordinary data.
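The RADIUS credential check described above, as an added example that is not part of the original report: a minimal Access-Request/Access-Accept exchange in Python following RFC 2865, showing how the access point (the RADIUS client) hides the user's password using the shared secret, how the server recovers it and checks it against its user database, and how the client verifies that the reply really came from a server that knows the secret. The shared secret, username and user database in the test are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _crypt_password(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: every 16-byte block is XORed with MD5(secret +
    previous ciphertext block); the first block chains on the 16-byte Request
    Authenticator, so the same password hides differently in every request."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = _xor(data[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _crypt_password(padded, secret, authenticator, hiding=True)

def reveal_password(hidden, secret, authenticator):
    return _crypt_password(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None):
    """RADIUS client (the access point) -> server. Returns (packet, authenticator)."""
    ra = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value     # TLV attribute
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def handle_access_request(packet, secret, user_db):
    """Server: recover the password, check it against the user database and sign
    the reply with Response Authenticator = MD5(header + RA + attributes + secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs, i = packet[4:20], {}, 20
    while i < length:                                  # walk the attribute list
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = code == ACCESS_REQUEST and user_db.get(attrs.get(USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()

def verify_response(response, request_authenticator, secret):
    """Client: trust the answer only if the server proved it knows the shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[0] == ACCESS_ACCEPT and response[4:20] == expected
```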

Margaret (2014) explains one approach to tunneling: “One approach to tunneling is the PPTP (Point-To-Point Tunneling Protocol), which was developed by Microsoft. What this does is keep proprietary data reasonably secure, even though part of the path(s) between or among end users exists in public communication channels.”

Legal Issues

The facts below are taken from a student report (Martin 2013). There are many security issues throughout a network; these can be such things as pornography, viruses, hacking, data copying and financial abuse, and all of these are covered by the Computer Misuse Act. This act was passed by Parliament in 1990 and it recognised the following as the main offences. The webpage (http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/1dataandcomputermisuserev1.shtml) explains the main offences:

- “Taking access to someone else’s computer without permission, eg looking at someone's e-mails.”

- “Gaining access to computer material without permission and intending to commit further criminal offences, eg hacking into the government's computer and forwarding confidential emails.”

- “Changing data on a PC without permission, eg deploying a virus to destroy someone else's data, or taking money from someone’s bank account.”

When data is lost or stolen, the Data Protection Act is always brought into the situation, and this is the same for data on a network. Things like employees' personal information or payroll details are all protected, which means someone can be prosecuted for breaching the rules, and the rules are very strict.

Detailed Diagrams

Building 2 (Multi-Purpose Hall)

Building 3 (Guest Hostel (3 floors))

Building 4, 5 (Male Hostel (3 floors), Female Hostel (3 floors); flipped diagram)

Building 6 (Lecture Block 1)

Building 7 (Lecture Block 2)

Building 8 (Outdoor Dining)

Building 9 (Cafeteria)

Building 10 (Main Building (10 floors))

Building 11 (Lecture theatre)

Building 12, 13, 14 (Chancellery Block (3 floors), IT/Business Block (3 floors), Engineering Block (3 floors))

Conclusion

Throughout my design I believe I have followed the guidelines and, by doing that, built a strong, well-structured network. On my design we can see that there are 43 wireless access points, all with a range of just over 30 metres. I believe this is slightly expensive, but against the cost of the servers, routers and switches it has been balanced well. There are also places for the University to upgrade its network with a little more funding, for example the small buildings that are not labelled and do not need coverage at this time. As we can see on building thirteen's detailed plan, there is a blue square; this is for the IT technicians to scan and watch out for hackers. The machines in that building can scan without any need for a human to interact with them; staff will only be needed if alerted by the system. I also believe that hackers will be a problem, but with the wireless coverage secured by WPA2/AES they will find it very, very difficult. My detailed diagrams have a repeated, secure pattern: each building has a server, switch, routers and the access points needed for full coverage. Other network hardware can easily be added. Overall I believe this is the great wireless network design that the university has been looking for, and it will be a successful one for the foreseeable future.

Bibliography

Advocate, S., 2013. What is ‘Wardriving’ and How Can It Affect Your Company’s Computer Network? The Security Advocate. Available at: http://www.thesecurityadvocate.com/2013/03/25/what-is-wardriving-and-how-can-it-affect-your-companys-computer-network/ [Accessed November 10, 2014].

BBC, n.d. Types of computer misuse. BBC. Available at: http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/1dataandcomputermisuserev1.shtml [Accessed November 12, 2014].

DuPaul, N., n.d. Spoofing Attack. Veracode. Available at: http://www.veracode.com/security/spoofing-attack [Accessed November 10, 2014].

Issacs, B., 2014. Network Attacks. [Accessed November 10, 2014].

O’Donnell, A., n.d. What is a Packet Sniffer? About Technology. Available at: http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm [Accessed November 11, 2014].

Rouse, M., 2007. Tunneling or port forwarding. TechTarget. Available at: http://searchenterprisewan.techtarget.com/definition/tunneling [Accessed November 12, 2014].

WhatIsMyIPAddress, n.d. What is VPN? WhatIsMyIPAddress. Available at: http://whatismyipaddress.com/vpn [Accessed November 11, 2014].

Martin, P., 2013. Introduction to Networks (Report). [Accessed November 12, 2014].