With the rapid development of the mobile Internet and the widespread adoption of smart mobile terminals, teachers and students increasingly demand wireless coverage on campus. The degree of campus wireless network construction has gradually become an important indicator of the informatization of colleges and universities, and many of them have built large-scale wireless campus networks. Because wireless signals are transmitted through open space, Wi-Fi protocols differ from wired networks in their security properties: they are vulnerable to attack, and information transmitted over wireless networks is exposed to theft and tampering. On campus, students are very active and curious on the Internet, and network attacks occur frequently. Wireless campus network security in colleges and universities therefore has its own characteristics, and security must be fully considered in both the construction and O&M of wireless campus networks to ensure their reliable and stable operation.
Wireless network security and technical trends
Although a wireless network is easy to install, flexible to use and easy to expand, the openness of the wireless channel, the mobility of access terminals and the limited computing and storage capacity of wireless terminals mean that many security solutions and technologies from the wired environment cannot be used directly in wireless networks.
The IEEE 802.11 Working Group, which sets WLAN standards, considered wireless security from the very beginning, but the WEP mechanism defined in IEEE 802.11-1999 has many defects. The protocol authenticates only client devices, not users, so unauthorized users can still reach network resources. The WEP (Wired Equivalent Privacy) encryption it uses is weak and easily eavesdropped and cracked at the link layer, and the ICV (Integrity Check Value) used for message integrity is ineffective, so the content of wirelessly transmitted data frames is easy to modify. IEEE 802.11 therefore set up the 802.11i working group, which introduced security mechanisms such as AES-CCM. In addition, China's national standards body formulated the WAPI standard.
At present, judging from campus wireless network management requirements and the solutions of the major wireless vendors, integrated management of wired and wireless networks has become a trend, and the corresponding products have matured enough to implement an integrated wired and wireless security architecture. Wireless switching, firewall, intrusion detection and other functional modules are integrated on the wired network hardware platform. The main security functions this provides are dynamic detection and filtering of packets, prevention of DoS/DDoS attacks, prevention of ARP spoofing, identification and filtering of application-layer traffic, and traffic auditing and analysis. Integrated management also unifies the wired and wireless access authentication and billing systems, which makes the network easier to use and allows service policies specific to wireless users.
Wireless Security Issues and Countermeasures
Wireless campus networks face the following major security issues:
1. Attack probing: unauthorized querying of and access to system or service vulnerabilities through eavesdropping or forgery.
2. Rogue AP spoofing: normal users are lured onto unauthorized APs, which then obtain those users' authentication and data information.
3. ARP viruses: ARP viruses are widespread on campus networks, and because of the shared-bandwidth mechanism, wireless campus networks are more vulnerable to them.
4. DoS attacks: large numbers of service requests are sent to exhaust service resources so that legitimate users cannot obtain normal service.
To address these features and security problems, a variety of security policies can be adopted at different levels of the network, as shown in Figure 1. The main measures are:
Figure 1 Wireless campus network security policy diagram
1. Establish a complete wireless user authentication and authorization system supporting 802.1X, MAC address, Portal, PPPoE and WAPI authentication. After identity authentication succeeds, the user can be dynamically authorized with a VLAN and ACL according to pre-set user policies. Once a wireless user is authenticated, the wireless controller should identify and bind the user and assign bandwidth and other attributes, which prevents IP address spoofing, bandwidth abuse and DHCP server attacks.
2. Provide AP-based user access control. For security or billing reasons, the wireless controller should support AP-based access control: when a wireless user connects, the authentication server sends the AC a list of APs the user is allowed to use, and the AC enforces it, so that wireless users can only access the network from APs at specified locations.
3. Adopt wireless user isolation, both between users on the same AP and between users on different APs. Within one AP, MAC-based mutual access control isolates users so that each can only communicate with the uplink port; across APs, MAC address access control or layer-2 aggregation device techniques (such as VLAN, PVLAN and PVC) prevent users on different APs from communicating directly. All users must pass AC authentication before controlled layer-3 communication is allowed.
4. Encrypt data to prevent unauthorized theft of user data. User data encryption covers both the wireless link layer and the network layer.
5. Deploy WIDS/WIPS. Rogue device alarm and attack protection functions let wireless controllers automatically monitor rogue devices (such as rogue APs or ad hoc wireless terminals), report them to the network management centre in real time, and automatically defend against attacks from them, maximizing protection of the wireless network.
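As an added example (not from the article or any vendor), a small Python triage routine for the WIDS alarm function in item 5: it compares constructed neighbour-scan records against an assumed inventory of managed APs and classifies evil-twin APs, ad hoc networks, unknown neighbour networks and misconfigured managed APs. The inventory, record fields and sample BSSIDs are constructed assumptions.

```python
"""Rogue-AP triage over WIDS neighbour-scan records (added example, not from the article)."""
from dataclasses import dataclass

# Constructed inventory of managed APs: BSSID -> configured SSID (values are made up)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CampusWiFi",
    "00:11:22:33:44:02": "CampusWiFi",
    "00:11:22:33:44:03": "CampusWiFi-Staff",
}
# Official SSIDs that only managed APs may advertise
MANAGED_SSIDS = set(AUTHORIZED_APS.values())

@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    adhoc: bool   # IBSS (ad hoc) network instead of an infrastructure BSS

def classify(rec: ScanRecord) -> str:
    """Return an alarm class for one neighbour-scan record."""
    if rec.adhoc:
        return "ADHOC"                   # peer-to-peer network bypassing the AC
    if rec.bssid in AUTHORIZED_APS:
        # A managed AP advertising an SSID it was not configured for is itself an alarm
        return "AUTHORIZED" if rec.ssid == AUTHORIZED_APS[rec.bssid] else "AP_MISCONFIG"
    if rec.ssid in MANAGED_SSIDS:
        return "EVIL_TWIN"               # unknown BSSID spoofing a campus SSID
    return "UNKNOWN_AP"                  # external/neighbour network, audit only

def triage(records):
    """Group non-benign records by alarm class for the management centre."""
    alarms = {}
    for rec in records:
        cls = classify(rec)
        if cls != "AUTHORIZED":
            alarms.setdefault(cls, []).append(rec.bssid)
    return alarms

# Constructed sample scan batch, as an AC might report it
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "CampusWiFi", False),
    ScanRecord("aa:bb:cc:dd:ee:01", "CampusWiFi", False),     # evil twin
    ScanRecord("aa:bb:cc:dd:ee:02", "dorm-share", True),      # ad hoc
    ScanRecord("aa:bb:cc:dd:ee:03", "Cafe-Guest", False),     # neighbour network
    ScanRecord("00:11:22:33:44:03", "CampusWiFi", False),     # staff AP on wrong SSID
]

if __name__ == "__main__":
    for cls, bssids in triage(SAMPLE_SCAN).items():
        print(cls, bssids)
```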
Security O&M management
Although wireless security technologies and equipment have developed rapidly, system overhead and cost-effectiveness make it hard to deploy complicated security technologies and excessive security equipment when building a wireless campus network. Later security O&M management is therefore an important means of ensuring stable operation of the wireless campus network.
Wireless campus network security O&M management can be divided into four steps: process definition, operation monitoring, event analysis and security response.
1. Process definition: according to the school's security emergency level system and campus network security management system, predefine wireless campus network security incident levels and the security response process, clarify the response steps and responsibilities for each kind of security incident, and conduct regular security drills.
2. Operation monitoring: establish a wireless campus network operation monitoring system. The network operation monitoring centre collects and periodically reviews the running status and alarm logs of wireless controllers, switches, APs and other devices in real time and generates security reports.
3. Event analysis: the administrator analyses abnormal alarms detected by the monitoring centre, organizes the running data collected by the monitoring system, filters and audits the large volume of logs, and evaluates security risks.
4. Security response: respond to and handle security events promptly according to the predefined processes, save logs for future reference and fix vulnerabilities; this stage also identifies potential security threats, proposes solutions and organizes their implementation.
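As an added example tying steps 1 to 4 together (not from the article), the following Python script applies a predefined incident-level table to constructed controller and switch alarm lines, counts alarms per type, escalates repeated ARP-spoofing alarms from one access switch, and looks up the predefined response. The log format, device names, alarm types, thresholds and response texts are all assumptions.

```python
"""Alarm-log triage against a predefined incident-level table (added example, not from the article)."""
import re
from collections import Counter

# Step 1 (process definition): alarm type -> incident level, agreed in advance (1 = most severe)
INCIDENT_LEVEL = {"ROGUE_AP": 2, "ARP_SPOOF": 2, "DOS_FLOOD": 1, "AP_OFFLINE": 3, "AUTH_FAIL": 4}
# Repeated alarms of this type from one device are escalated to level 1 (an ARP storm)
ESCALATE_AFTER = {"ARP_SPOOF": 3}
# Step 4 (security response): predefined response per level
RESPONSE = {
    1: "page on-call engineer, isolate source port, open incident ticket",
    2: "notify O&M team, contain within 1 hour",
    3: "handle in next working shift",
    4: "aggregate into weekly report",
}
# Constructed syslog-style line: "YYYY-MM-DD HH:MM:SS device ALARM_TYPE detail"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([A-Z_]+) (.*)$")

def parse(line):
    """Step 2 (operation monitoring): turn one collected log line into an event, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, atype, detail = m.groups()
    return {"ts": ts, "device": device, "type": atype, "detail": detail}

def analyse(lines):
    """Step 3 (event analysis): count alarms and derive the worst incident level."""
    events = [e for e in map(parse, lines) if e]
    per_source = Counter((e["type"], e["device"]) for e in events)
    worst = 4
    for (atype, _device), n in per_source.items():
        level = INCIDENT_LEVEL.get(atype, 4)           # unknown alarm types are level 4
        if n >= ESCALATE_AFTER.get(atype, float("inf")):
            level = 1                                  # repeated from one device: escalate
        worst = min(worst, level)
    return {"counts": Counter(e["type"] for e in events),
            "worst_level": worst, "response": RESPONSE[worst]}
# Constructed sample feed; devices, addresses and users are made up
SAMPLE_LOG = """\
2013-03-01 08:00:01 AC-campus1 AUTH_FAIL user=stu001 reason=bad-password
2013-03-01 08:00:05 SW-dorm3-acc ARP_SPOOF ip=10.20.3.15 mac=aa:bb:cc:00:00:01
2013-03-01 08:00:06 SW-dorm3-acc ARP_SPOOF ip=10.20.3.1 mac=aa:bb:cc:00:00:01
2013-03-01 08:00:07 SW-dorm3-acc ARP_SPOOF ip=10.20.3.22 mac=aa:bb:cc:00:00:01
2013-03-01 08:00:09 AC-campus1 ROGUE_AP bssid=aa:bb:cc:dd:ee:01 ssid=CampusWiFi
not a syslog line, ignored by the parser
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```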
Security design and O&M case
In early 2013, Zhejiang University established a large-scale, high-speed wireless campus network covering its five campuses. Using an integrated wired and wireless architecture, the university deployed nearly 10,000 dual-band 802.11n wireless APs, achieving full wireless coverage of all teaching areas, student dormitories and public areas, and 450 Mbit/s wireless access in key teaching and research areas.
The wireless campus network design took wireless security and O&M management requirements into account in detail. The topology diagram (Figure 2) illustrates the networking design, whose main points are:
1. Core layer: the wireless network cores of the teaching and dormitory areas of the five campuses are interconnected at 10 Gbit/s, and the wired and wireless campus networks share the core-layer equipment. The wireless control system is deployed as plug-in cards in each campus's core switch. To provide security control and defence between zones, security devices such as firewalls and intrusion detection can be deployed at the core layer, integrated with the network and providing flexible security control policies.
2. Aggregation layer: from the aggregation layer downward, the wireless network uses dedicated optical fibre and aggregation switches to form an independent network. Each aggregation unit is connected to the core switches by redundant 10 Gigabit uplinks and to each building by dual Gigabit links.
3. Access layer: thin (Fit) APs plus a centralized wireless controller (AC) are used, with the AC managing all APs centrally; APs are uplinked to the wireless network's aggregation and core layers through PoE access switches. Because the access switch connects directly to wireless APs, it may be hit by ARP storms, MAC scans, ICMP storms, bandwidth attacks and other attacks from AP users, so it must have strong attack protection capabilities.
4. User authentication: based on the existing campus wired network authentication database, unified wired and wireless authentication is achieved. Wireless authentication supports Web Portal, 802.1X and other secure authentication methods, with different user policies applied to different user plans.
5. Network management: a wireless network management system is deployed. By managing the wireless controllers, it manages every device in the wireless network, achieving integrated wired and wireless network management and operation monitoring.
Zhejiang University has established a wireless network O&M system to ensure safe and reliable operation of the wireless campus network. A network O&M monitoring centre monitors the running status of the wireless campus network 24x7 through the wireless network management system; a wireless network O&M team reviews the running status and security issues of the wireless network and performs a regular weekly analysis; and corresponding O&M procedures have been established to standardize O&M.
The safe operation of a wireless campus network is a systems engineering project that cannot be solved by technology and equipment alone. It must be considered as a whole at every stage: solution design, network construction and O&M management. The network management department should establish corresponding security operation management systems, clarify the responsibilities and processes of the relevant posts, and ensure the safe and stable operation of the wireless campus network. As network and security technology evolves, new wireless security problems will keep emerging, so the network management department needs to research wireless network technology, products, application methods and O&M management over the long term.
Figure 2 Topology of the Zhejiang University wireless campus network