SECURE WIRELESS NETWORK PROJECT

SECURE WIRELESS NETWORK IN IŞIK UNIVERSITY ŞİLE CAMPUS
Designed by VOLKAN MUHTAROĞLU
WLAN (Wireless LAN)
- It was introduced in 1986 for use in barcode scanning.
- A properly selected and installed Wi-Fi (wireless fidelity) network.
- 802.11a, 802.11b and 802.11g are IEEE standards; 802.11g is the latest technology.
GENERAL TOPOLOGY OF WLAN
THE PROJECT
The problem is how three different kinds of user can securely access different types of data through one access point on our campus.
- In other words, three kinds of people, students, university staff and data processing center workers, should be able to access different types of data, or have different rights, when they connect securely through the access point.
THREE DIFFERENT USER
1) Student
2) University Staff
3) Data Processing Center Worker
COMPONENTS OF SECURE WIRELESS NETWORK
I. Cisco Aironet 1100 Series Access Point
II. RADIUS Server
III. Two switches (one manageable switch and one backbone switch)
IV. VLAN
V. Cisco PIX Firewall
VI. WEP & LEAP
VII. Database Server
VIII. Intranet Web Server
Cisco Aironet 1100 Series Access Point
- It is a wireless LAN transceiver.
- The 1100 series is cheaper than the others and its performance is efficient.
- It is also easy to manage and widely used all over the world.
RADIUS SERVER
- RADIUS is a distributed client/server system that secures networks against unauthorized access.
- RADIUS is used in network environments that require access security.
- This server is also called an AAA server, which means Audit, Authentication and Accounting.
- In my project the RADIUS server will provide authentication and MAC filtering.
SWITCHES
- Manageable switch
- Backbone switch
- I will use three different IP ranges: students get 10.0.x.x, university staff get 10.50.x.x, and data processing center workers get 192.168.x.x.
VLAN
- A VLAN is a switched network that is logically segmented.
- I will use VLANs to give these three types of user different rights on the WLAN.
CISCO PIX FIREWALL
- I chose it because I have it.
DATABASE AND INTRANET WEB SERVER
- Database Server: only data processing center workers can access this server.
- Intranet Web Server: only university staff and data processing center workers can access this server.
HOW WILL THE DESIGN BE?
- Firstly, how will students, university staff and data processing center workers be placed on different VLANs, and how can I give them different rights?
- The second question is how these people reach those VLANs.
- The third, and most important, is how I can provide security.
SSID (Service Set Identifier)
- When you connect to a WLAN you see the name of the WLAN, which is the SSID.
FOR VLAN 1
- We define two different SSIDs: one is broadcast, the other is secret (not broadcast).
- For instance, our broadcast SSID is tsunami and our non-broadcast (secret) SSID is Private. When you connect to the WLAN through the access point, everybody automatically sees the tsunami SSID. When you connect to it you land on VLAN 1, and this VLAN provides access only to the Internet.
AUTHENTICATION
- If you are not a student, you type the non-broadcast SSID name to connect; at that point you see the username/password window for obtaining different rights.
- When you enter the username and password, the information goes to the RADIUS server.
- EAP (Extensible Authentication Protocol) is used for this exchange.
AUTHENTICATION TOPOLOGY
WEP (Wired Equivalent Privacy)
i. WEP is an encryption algorithm used by the Shared Key authentication process for authenticating users and for encrypting data payloads over only the wireless segment of the LAN.
ii. The secret key lengths are 40-bit or 104-bit, yielding WEP key lengths of 64 bits and 128 bits.
iii. A WEP key is an alphanumeric character string used in two ways in a wireless LAN.
iv. A WEP key can be used:
- to verify the identity of an authenticating station;
- for data encryption.
CRITERIA
The 802.11 standard specifies the following criteria for security:
- Exportable
- Reasonably strong
- Self-synchronizing
- Computationally efficient
- Optional
WEP meets all these requirements.
WEP supports the security goals of confidentiality, access control, and data integrity.
WEP KEY
- A WEP key is an alphanumeric character string used in two ways in a wireless LAN.
- A WEP key can be used:
- to verify the identity of an authenticating station;
- for data encryption.
WEP KEY TABLE
EAP (Extensible Authentication Protocol)
- This authentication type provides the highest level of security for your wireless network.
- It uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server.
- It is a form of dynamic WEP keying.
- There are five different types of EAP; I will use LEAP (Lightweight Extensible Authentication Protocol, designed by Cisco), which is the most secure.
LEAP TOPOLOGY
MAC (Media Access Control) ADDRESS FILTERING
- The server checks the address against a list of allowed MAC addresses.
- If your MAC address is a university staff member's MAC address, you go to VLAN 2 and get those rights; if your MAC address is a data processing center worker's address, you go to VLAN 3 and get those rights.
MAC FILTERING TOPOLOGY
STUDENT TOPOLOGY-1
[Diagram: student connects to the access point.]
STUDENT TOPOLOGY-2
[Diagram: student joins the broadcast SSID (tsunami) through the access point, then the switch and the backbone switch. The student takes a 10.0.x.x IP and comes to VLAN 1.]
STUDENT GENERAL TOPOLOGY
[Diagram: student, broadcast SSID (tsunami), access point, switch, backbone switch, firewall, Internet. The student takes a 10.0.x.x IP and comes to VLAN 1.]
UNIVERSITY STAFF TOPOLOGY-1
[Diagram: university staff connect to the access point using the non-broadcast SSID (Private).]
UNIVERSITY STAFF TOPOLOGY-2
[Diagram: Private SSID, authentication and MAC filtering through the access point, switch and RADIUS server. University staff take a 10.50.x.x IP and come to VLAN 2.]
UNIVERSITY STAFF TOPOLOGY-3
[Diagram: as Topology-2, plus the backbone switch and the intranet web server.]
UNIVERSITY STAFF GENERAL TOPOLOGY
[Diagram: as Topology-3, plus the firewall and the Internet.]
DATA PROCESSING CENTER WORKER TOPOLOGY-1
[Diagram: data processing center worker connects to the access point using the non-broadcast SSID (Private).]
DATA PROCESSING CENTER WORKER TOPOLOGY-2
[Diagram: Private SSID, authentication and MAC filtering through the access point, switch and RADIUS server. The data processing center worker takes a 192.168.x.x IP and comes to VLAN 3.]
DATA PROCESSING CENTER WORKER TOPOLOGY-2
[Diagram: as the previous topology, plus the backbone switch, the database server and the intranet web server.]
DATA PROCESSING CENTER WORKER GENERAL TOPOLOGY
[Diagram: as the previous topology, plus the firewall and the Internet.]
SECURITY POLICY
- The purpose of this policy is to provide guidance for the secure operation and implementation of wireless local area networks (WLANs).
AUTHENTICATION
- University staff and data processing center workers have to authenticate to the system if they want to have different rights.
- Username and password authentication is used, so users must use strong passwords (an alphanumeric and special character string at least eight characters in length).
- Shared secret (or shared key) authentication must be used to authenticate to the WLAN.
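The access decision the slides describe (broadcast SSID to VLAN 1; hidden SSID, then username/password at the RADIUS server, then MAC filtering to VLAN 2 or VLAN 3, with server access per VLAN and the password rule from the policy above) modelled as a small Python decision function. This is an added example, not the project's own code; the MAC addresses, usernames and passwords are constructed sample values, and the RADIUS check is a stand-in dictionary lookup.

```python
import re

# Constructed sample data (not real campus values): the MAC allow-list the RADIUS
# server checks, keyed to role, and a stand-in for the RADIUS user database.
MAC_ALLOWLIST = {"00:11:22:33:44:55": "staff", "00:11:22:33:44:66": "dpc_worker"}
RADIUS_USERS = {"ayse": "St4ff!pass", "mehmet": "Dpc#2004wrk"}

# Role -> (VLAN, IP range, reachable servers), exactly as the slides assign them.
ROLE_PROFILE = {
    "student":    (1, "10.0.x.x",    {"internet"}),
    "staff":      (2, "10.50.x.x",   {"internet", "intranet_web"}),
    "dpc_worker": (3, "192.168.x.x", {"internet", "intranet_web", "database"}),
}

def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-11-22-33-44-55 and 0011.2233.4455 match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def password_meets_policy(pw):
    """Policy slide: at least eight characters with letters, digits and a special character."""
    return (len(pw) >= 8 and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def radius_authenticate(username, password):
    """Stand-in for the RADIUS username/password check; weak passwords never pass."""
    return password_meets_policy(password) and RADIUS_USERS.get(username) == password

def decide_access(ssid, mac, username=None, password=None):
    """Return (vlan, ip_range, servers) for the association, or None if it is refused."""
    if ssid == "tsunami":                  # broadcast SSID: everyone lands on VLAN 1
        return ROLE_PROFILE["student"]
    if ssid != "Private":                  # only the hidden SSID leads to authentication
        return None
    if not radius_authenticate(username or "", password or ""):
        return None                        # RADIUS rejected the credentials
    try:
        role = MAC_ALLOWLIST.get(normalize_mac(mac))
    except ValueError:
        return None                        # an unparseable MAC cannot be on the list
    return ROLE_PROFILE[role] if role else None   # the MAC decides VLAN 2 or VLAN 3

def can_reach(ssid, mac, server, username=None, password=None):
    """True when the association succeeds and its VLAN is allowed to reach the server."""
    profile = decide_access(ssid, mac, username, password)
    return profile is not None and server in profile[2]
```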
ENCRYPTION & ACCESS CONTROL
- Distinct WEP keys provide more security than default keys and reduce the risk of key compromise.
- SSID
- MAC (Media Access Control)
FIREWALL
- The firewall provides security based on ports.
PHYSICAL AND LOGICAL SECURITY
- Access points must be placed in secure areas, such as high on a wall, in a wiring closet, or in a locked enclosure, to prevent unauthorized physical access and user manipulation.
- Access points must have Intrusion Detection Systems (IDS) at designated areas on campus property to detect unauthorized access or attacks.
CONCLUSION
- With this design students, university staff and data processing center workers can access the network securely from wherever they want, without using extra devices or making any adjustments.
QUESTIONS?