WLAN Security Case Study

Topology
Why this topology? We are going to use the Cisco Aironet 1000 LAP. Based on the datasheet we found that with 802.11a we would get a 14 m range indoors at full speed, but with 802.11g we get 27 m at full speed indoors. We chose 802.11g and designed the network with a range of 25 m per access point. Because of roaming, we need at least 30% overlap between APs. On the other hand we don't want collisions between neighbouring access points, so we need at least two channels. In the diagram, the red range is one channel (channel 1) and the green is the other (channel 12).

Conclusion of design
We need 6 access points with omnidirectional antennas, placed as in the picture. Each access point should support about 30 users.
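The two planning rules above (non-interfering channels for overlapping cells, and enough cell overlap for roaming) can be checked numerically. The following script is an added example, not part of the case study: it assumes a 22 MHz channel width (the conservative figure for a mixed 802.11b/g cell), the 25 m range and 30% overlap target from the text, and a constructed six-AP row layout with alternating channels 1 and 12. It generalises the text's single layout to any list of AP positions and channels.

```python
import math

def channel_center_mhz(ch: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-13 are 5 MHz apart, 14 is the outlier)."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not a 2.4 GHz channel: {ch}")

# Assumed channel width: 22 MHz covers 802.11b DSSS as well as 802.11g OFDM (20 MHz).
CHANNEL_WIDTH_MHZ = 22

def channels_overlap(ch_a: int, ch_b: int) -> bool:
    """True if the two channels' spectra overlap and will interfere with each other."""
    return abs(channel_center_mhz(ch_a) - channel_center_mhz(ch_b)) < CHANNEL_WIDTH_MHZ

def coverage_overlap_fraction(spacing_m: float, range_m: float) -> float:
    """Fraction of one AP's circular coverage area that a neighbour with the
    same range also covers, when the two APs are spacing_m apart (lens area
    of two equal circles divided by the area of one circle)."""
    r, d = range_m, spacing_m
    if d >= 2 * r:
        return 0.0
    if d <= 0:
        return 1.0
    lens = 2 * r * r * math.acos(d / (2 * r)) - (d / 2) * math.sqrt(4 * r * r - d * d)
    return lens / (math.pi * r * r)

def max_spacing_for_overlap(range_m: float, min_overlap: float, tol: float = 1e-6) -> float:
    """Largest AP spacing that still gives at least min_overlap of coverage
    overlap (bisection; the overlap falls monotonically as spacing grows)."""
    lo, hi = 0.0, 2 * range_m
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if coverage_overlap_fraction(mid, range_m) >= min_overlap:
            lo = mid
        else:
            hi = mid
    return lo

def check_plan(aps, range_m: float, min_overlap: float):
    """aps: list of (name, x_m, y_m, channel). Returns a list of problems:
    overlapping cells whose channels interfere, and APs whose nearest
    neighbour is too far away for the required roaming overlap."""
    problems = []
    max_spacing = max_spacing_for_overlap(range_m, min_overlap)
    for i, (na, xa, ya, ca) in enumerate(aps):
        nearest = math.inf
        for j, (nb, xb, yb, cb) in enumerate(aps):
            if i == j:
                continue
            d = math.hypot(xa - xb, ya - yb)
            nearest = min(nearest, d)
            # Each pair is reported once; cells touch when d < 2 * range.
            if j > i and d < 2 * range_m and channels_overlap(ca, cb):
                problems.append(f"{na}/{nb}: cells overlap at {d:.1f} m "
                                f"but channels {ca} and {cb} interfere")
        if nearest > max_spacing:
            problems.append(f"{na}: nearest AP is {nearest:.1f} m away, more than "
                            f"{max_spacing:.1f} m allowed for {min_overlap:.0%} overlap")
    return problems

def row_plan(spacing_m: float, channels):
    """Constructed layout: APs in a straight line (a corridor), spacing_m apart."""
    return [(f"AP{i + 1}", i * spacing_m, 0.0, ch) for i, ch in enumerate(channels)]

# Constructed plan matching the text: 6 APs, 25 m range, channels 1 and 12 alternating.
RANGE_M, MIN_OVERLAP = 25.0, 0.30
GOOD_PLAN = row_plan(28.0, [1, 12, 1, 12, 1, 12])

if __name__ == "__main__":
    print(f"max spacing for {MIN_OVERLAP:.0%} overlap: "
          f"{max_spacing_for_overlap(RANGE_M, MIN_OVERLAP):.1f} m")
    for plan in (GOOD_PLAN, row_plan(28.0, [1, 4, 1, 12, 1, 12]), row_plan(32.0, [1, 12, 1, 12, 1, 12])):
        print(check_plan(plan, RANGE_M, MIN_OVERLAP) or "plan OK")
```

With a 25 m range, 30% overlap caps the spacing at roughly 29 m, so the 28 m row passes; putting one AP on channel 4 (15 MHz from channel 1) or stretching the spacing to 32 m is reported.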
User separation
We would have three groups:
• guests
• employees
• VoIP phones
Separation between the groups will be made through VLANs. Each VLAN will be matched to an SSID.
Groups

Guests
They are not vital and should have minimal access to the network (Internet use only). The connection should be easy to set up, so it needs to be open. Access control will be enforced through ACLs on the firewall.

Employees
The people who work inside the company should have more access, but this access needs to be over a secure connection. On this connection we will use WPA2. Authentication will be made through 802.1X based on data from a RADIUS server. LEAP will be used to authenticate.

VoIP Wireless Phones
The traffic on this network is very delay-sensitive, so it should be protected through QoS mechanisms. It must also be secured, but most phones don't support WPA2, so WPA will be used (phones with WPA2 support would be too expensive). LEAP will also be used here.
Hardware and protocols
The access points will be Cisco Aironet 1000 Lightweight Access Points (6 of them) because they have very good coverage, have all the needed protocols implemented and integrate into a Cisco-built network. Each AP will broadcast all three SSIDs (because of roaming); each SSID will be matched to a broadcast domain (VLAN) and the data will be transmitted through trunks on the wired network. The access points will be controlled by a central device, a Wireless LAN Controller. The WLC will control the management of the users associated with the access points because it has a global view of the wireless network. Authentication will be done through 802.1X on each AP but controlled by the WLC, which admits users to the network based on the RADIUS server. The authentications will be negotiated through LEAP. We also need a router and a RADIUS server. The router needs to implement ACLs. The wireless IP phones need to support WPA and 802.1X.
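The guest policy described under Groups (open SSID, Internet use only, enforced by ACLs on the router/firewall) can be expressed as an inbound ACL on the guest VLAN's routed interface. The fragment below is an added example in Cisco IOS syntax, not configuration from the case study: the VLAN number (30), the guest subnet (192.168.30.0/24), the resolver address (192.0.2.53, from the documentation range) and the internal address ranges are all assumptions.

```cisco
! Assumptions (not from the case study): guest VLAN 30 on 192.168.30.0/24,
! guests resolve names via an external resolver at 192.0.2.53,
! every internal network lives in the RFC 1918 ranges listed below.
ip access-list extended GUEST-IN
 remark Guests need DHCP from the gateway and DNS from the external resolver
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.30.0 0.0.0.255 host 192.0.2.53 eq domain
 remark Block every internal range; "log" gives the SOC a signal when a guest probes inward
 deny   ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark Everything that is left is the Internet
 permit ip 192.168.30.0 0.0.0.255 any
!
interface Vlan30
 description Guest SSID (open) - Internet only
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
```

Order matters: the DHCP and DNS permits sit above the RFC 1918 denies so that the only internal destinations a guest can reach are the ones explicitly listed, and the implicit deny at the end of an IOS ACL is replaced by an explicit permit to the Internet. The ACL only governs routed traffic; guest-to-guest traffic on the open SSID stays at layer 2, which is why the threat list below still counts packet capture on the open network.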
Possible threats
• DoS attacks from inside or outside devices that block or interfere with the radio channels
• VLAN hopping
• The WLC is a single point of failure
• Packet capturing on the open network