BCS Health Informatics – UCLH Wireless Network, 18th May 2005
BCS Health Informatics – UCLH Wireless Network, 18th May 2005 © LogicaCMG plc 2004.

Speakers
• Bradley Gamage – LogicaCMG Client Manager
• James Hamilton – LogicaCMG Technical Design Authority

Agenda
• WLAN – A Business Industry View
• Wireless working – An Overview
• UCLH – A Case Study
• Wireless Technical Session
• Summary
• Questions

Investing In Technology
“The top three enterprise IT spending priorities for 2005 are security, wireless LAN connectivity, and mobile computing devices.”

Data Security
“Intuition tells us that a wireless system must be more ‘open’ to hacking and interference, and the industry is doing its best to persuade us that this is not the case”

So Why Wireless?
• Simple and quick installation process?
• Reduced running and network administration costs?
• Increased employee mobility and productivity
• Greater organisational flexibility
• Downtime eliminated
• When the office is outgrown, the network can be taken with you

Deployment Factors (Source: Unstrung 2004; importance scores as extracted, listed in row order)
Factor            Comment                                                                    Importance
Equipment Costs   Important, but not a huge issue. “Wireless is relatively cheap”            2
Measurable ROI    Not seen as vital – “nice to have”, demand-led. Because of low initial     2.5
                  cost, ROI justification can be more effort than it’s worth
Security          IT departments not too worried                                             3
Management Costs  Massive. IT departments dislike the extra work supporting wireless         5

WLAN Shortcomings
• Complex technology
• Supportability and maintainability
• Installation – not a ‘Rip and Replace’ philosophy
• Coping with building space use
• External Radio Frequency leakage
• Security

Security Measures
• Don’t install ‘out of the box’
• Seek advice from best-of-breed WiFi providers
• Minimise Radio Frequency leakage
• Immediately report lost/stolen devices
• Regularly audit security policies
• Wired = ‘Trusted’; Unwired = ‘Untrusted’

Before Implementing
• Why are we considering deploying a wireless network (i.e. what is the business justification)?
• Do we have the resources and processes to manage/support the wireless service?

WLAN in the UCLH
• LogicaCMG and IDX Contract – EPR, New Build Network and IT Outsourcing Services Provision
• LogicaCMG’s New Build Network Partners:
  – Marconi – Network Implementation Partner
  – Aruba Networks – Wireless System Provider

UCLH WLAN Considerations
• Patient data held “Sacrosanct”
• EPR – A Paperless/Paper-lite office
• Minimising use of hospital bed area space
• Flexible working – The use of ‘CoWs’ (Computers on Wheels)
• Security paramount
• Seamless to end user
• A scalable, secure, robust and resilient solution

An Example of a ‘CoW’
[photograph of a Computer on Wheels]

‘Challenges’
• Agree appropriate solution
• Perform Building Survey
• Undertake an RF Wireless coverage survey
• Assess specific implementation issues (SITU, HDU etc)
• Upgrade existing IT infrastructure
• Agree Installation plan and install

Technical Presentation
• Thick v Thin Architecture
• Coverage
• Security
  – Different encryption technologies available
  – Securing the Air
• Advanced Features

Decision (1) Thick v Thin: Thick Architecture
• Thick Access Points – a number of intelligent APs are deployed across the wired network. These APs perform all their own security and talk amongst themselves to handle clients roaming from AP to AP

Decision (1) Thick v Thin: Thin Architecture
• Thin Access Points – a number of less intelligent (usually cheaper) APs are deployed. These APs are controlled by a central wireless switch or switches

Decision (1) Thick v Thin: Advantages of Thick APs
• Simpler initial configuration and deployment
• No potential for bottlenecks at the Wireless–Wired boundaries
• Lower initial cost of deployment – whilst Thick APs are usually more expensive than Thin APs, there are no expensive wireless switches to cost
• Inherent Resilience – when an AP fails, coverage is only lost in the given area
  – Failure of a wireless switch leads to total loss of wireless coverage
  – Typically multiple wireless switches are installed – further increasing costs

Decision (1) Thick v Thin: Advantages of Thin APs
• Seamless roaming between APs – fresh encryption keys must be renegotiated on every roam. With Thick APs this takes hundreds of milliseconds, resulting in high latencies, scalability problems and issues for VoIP
• Integrated Management included
  – Changes can be pushed to all APs at once
  – Ease of troubleshooting – data is correlated in one place
• Facilitates an integrated firewall – allows ‘per User’ access rules and ‘per User’ bandwidth management

Decision (1) Thick v Thin: Advantages of Thin APs (continued)
• Advanced features through the collaboration of Access Points
  – Self Healing Networks
  – Auto RF calibration and configuration
  – Location determination via triangulation
  – Advanced security – Rogue AP detection, IDS, etc.

Decision (1) Thick v Thin: Total Cost of Ownership
[chart: TCO per AP against number of Access Points, Thick Solution v Thin Solution]
• UCLH had 270 Access Points / Air Monitors over 7 locations and 3x Wireless Switches

Decision (2) Coverage: Radio Frequency
• Protocols
  – 802.11b – 11 Mb/s operating at 2.4 GHz
    • Support for legacy devices
  – 802.11g – 54 Mb/s operating at 2.4 GHz
    • Extended range of coverage compared with 802.11a
  – 802.11a – 54 Mb/s operating at 5 GHz
    • Less interference
    • More non-overlapping channels available, allowing more APs to be deployed in a small area without mutual interference. This increases available bandwidth in a given area
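The channel claim on the slide above can be checked by computation. The following Python is an added example, not part of the original deck: it takes the standard channel centre frequencies for the 2.4 GHz band (channels 1 to 13, 5 MHz apart) and the 5 GHz UNII-1/UNII-2 channels (36 to 64, 20 MHz apart), assumes the nominal occupied widths of 22 MHz for 802.11b and 20 MHz for 802.11a, and uses greedy interval scheduling to find the largest set of mutually non-overlapping channels. The channel numbers and widths are the standard values; treating any spectral overlap as interference is a deliberate simplification.

```python
"""Count how many co-located APs can share a band without channel overlap.

Added illustration for the 802.11a/b/g coverage slide; not from the original deck.
Centre frequencies are the standard ones. Assumption: two equal-width channels
interfere if their occupied bands overlap at all (22 MHz for 802.11b DSSS,
20 MHz for 802.11a OFDM).
"""

# 2.4 GHz ISM band: channels 1-13, 5 MHz spacing, channel 1 centred on 2412 MHz.
CHANNELS_2G4_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}

# 5 GHz UNII-1/UNII-2 indoor channels (2005): 36..64 in steps of 4, 20 MHz spacing.
CHANNELS_5G_MHZ = {ch: 5000 + 5 * ch for ch in range(36, 65, 4)}


def overlaps(centre_a: int, centre_b: int, width_mhz: int) -> bool:
    """True if two equal-width channels share spectrum (touching edges do not overlap)."""
    return abs(centre_a - centre_b) < width_mhz


def max_non_overlapping(channels: dict, width_mhz: int) -> list:
    """Largest set of mutually non-overlapping channels, as a sorted list of numbers.

    Greedy interval scheduling: walk the channels in order of centre frequency and
    keep each one that does not overlap the last channel kept. For equal-width
    intervals this 'earliest finishing first' rule is optimal.
    """
    chosen, last_centre = [], None
    for ch, centre in sorted(channels.items(), key=lambda kv: kv[1]):
        if last_centre is None or not overlaps(last_centre, centre, width_mhz):
            chosen.append(ch)
            last_centre = centre
    return chosen


def interfering_pairs(channels: dict, width_mhz: int) -> list:
    """Every pair of channels that would interfere if neighbouring APs used them."""
    items = sorted(channels.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, fa) in enumerate(items)
            for (b, fb) in items[i + 1:] if overlaps(fa, fb, width_mhz)]


if __name__ == "__main__":
    print("2.4 GHz (22 MHz channels):", max_non_overlapping(CHANNELS_2G4_MHZ, 22))
    print("5 GHz   (20 MHz channels):", max_non_overlapping(CHANNELS_5G_MHZ, 20))
    print("2.4 GHz interfering channel pairs:", len(interfering_pairs(CHANNELS_2G4_MHZ, 22)))
```

The 2.4 GHz band yields only channels 1, 6 and 11 for a three-AP cell pattern, while every one of the eight 5 GHz channels listed can be reused in the same area, which is the capacity argument the slide makes for 802.11a in dense deployments.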
Decision (2) Coverage: Radio Frequency (continued)
• Unless cost is really an issue – be greedy – choose both and take advantage of the merits of each protocol
• Newer WLAN network cards can seamlessly move between 802.11a and 802.11b/g
• Newer Access Points have software radios, enabling reconfiguration to either 802.11a or 802.11b/g as appropriate
• Look for dual-radio Access Points that allow simultaneous operation of 802.11a and 802.11b/g

Decision (2) Coverage: Wireless Surveys
• It is vital to undertake a wireless survey to ensure that you have the correct number and positioning of APs in order to achieve the coverage required. On large installations you simply cannot rely on a paper-based exercise
• Planning tools do exist; they certainly help with the task and are very important on large installations, but they do not identify issues such as
  – Asbestos, regulations, pipework/cables – preventing installation
  – Building materials used and their effect on signal propagation (leakage / coverage through floors is difficult to predict)
  – Large metal objects (filing cabinets) that affect signal strength
  – Sources of interference – e.g. microwave ovens
  – Other previously installed WLANs

Decision (3) Security
• Many different approaches to security. Increased security typically requires increased costs
  – WEP – Minimum level of security. Better than none, but proven vulnerable and easily penetrated: the 24-bit IV is sent in clear and repeats quickly, the CRC-32 integrity check is not a cryptographic MAC, and the static key can be recovered from captured traffic. Suitable for home use only. VPNs may be layered on top, but this increases the administrative burden
  – Dynamic WEP – better. Requires 802.1X / EAP infrastructure, e.g. RADIUS. User accounts are stored on a server. As a user connects to the WLAN they are dynamically allocated a different encryption key, which limits what any one recovered key exposes but does not fix the WEP algorithm itself
• EAP (Extensible Authentication Protocol) allows users to identify themselves using a number of different methods, e.g.
  – EAP-CHAP (i.e. EAP-MD5 challenge/response) uses a username and password; it authenticates only the user, not the network, and derives no keying material, so on its own it is unsuitable for a WLAN
  – EAP-TLS uses client certificates. Very secure but has the overhead of certificate administration
  – PEAP uses a username and password inside a TLS-encrypted tunnel that is authenticated by the server’s certificate. Very secure with reduced administration; becoming the de-facto standard. Simple to implement in a Windows environment
  – EAP-TTLS – similar to PEAP but not natively supported by Windows at the time of this talk

Decision (3) Security (continued)
  – TKIP (Temporal Key Integrity Protocol), marketed early on as ‘WEP2’ – every data frame is encrypted under a fresh per-packet key; TKIP synchronises the key change between client and AP
    • May be implemented cheaply using an initial ‘Pre-Shared Key’
    • Or 802.1X may be used to provide a dynamic initial key
    • WiFi Protected Access (WPA) = TKIP + 802.1X + MIC (the ‘Michael’ Message Integrity Check)
    • The combination of 802.1X, PEAP / EAP-TLS and TKIP provides a very secure implementation
  – 802.11i (WPA2) – includes AES (Advanced Encryption Standard), the NIST replacement for DES and 3DES, championed as the Holy Grail of security. Requires more powerful Access Points and wireless network cards to handle the encryption
    • 802.1X, PEAP / EAP-TLS and AES (CCMP). This represents the most secure solution to date

Old Security Concerns
• Original security concerns surrounded hackers cracking the Access Point encryption
• WEP encryption is weak and easily broken
• Using 802.1X and PEAP/EAP-TLS with TKIP or AES solves this concern. (TKIP was a stop-gap for WEP-era hardware and has since been deprecated by the 802.11 standard; AES-CCMP is the baseline today.)
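The two slides above say WEP is “proven vulnerable and easily penetrated” and that TKIP and AES “solve this concern”. The following Python is an added example, not from the original deck, that demonstrates two of the concrete WEP defects behind that claim on constructed data: keystream reuse (the 24-bit IV travels in the clear, and two frames encrypted under the same IV leak the XOR of their plaintexts with no key at all) and the linearity of the CRC-32 ICV (an attacker can flip chosen plaintext bits in a captured frame and patch the encrypted ICV so it still verifies). RC4 and the WEP framing are the real algorithms; the key, IV and payloads are constructed for the illustration.

```python
"""Why WEP is 'easily penetrated': keystream reuse and ICV bit-flipping.

Added example for the Security slides; not code from the original deck. The
40-bit key, the IV and the payloads are constructed. RC4 and the WEP frame
layout (IV || RC4_{IV||key}(plaintext || CRC-32)) follow the real protocol.
"""
import zlib

KEY = bytes.fromhex("0a1b2c3d4e")   # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")        # constructed 24-bit IV, transmitted in the clear
P_A = b"GET /epr/patient"           # constructed plaintexts of equal length
P_B = b"POST /epr/update"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key schedule (KSA) followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV||key)(plaintext || CRC-32 ICV)."""
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + crc32_le(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if crc32_le(plaintext) == icv else None


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV => same RC4 keystream => C_a XOR C_b == P_a XOR P_b, no key needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_target: bytes) -> bytes:
    """Recover the keystream for an IV from one frame with known content (e.g. an
    ARP or DHCP packet) and decrypt another frame that reused that IV."""
    keystream = xor(frame_known[3:], known_plaintext + crc32_le(known_plaintext))
    return xor(frame_target[3:], keystream)[:-4]


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Forge a frame that decrypts to P XOR delta with a valid ICV, without the key.
    CRC-32 is affine over XOR: crc(P ^ d) == crc(P) ^ crc(d) ^ crc(zeros), so the
    same correction applied to the encrypted ICV keeps it valid."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body[:n], delta) + xor(body[n:], icv_fix)


def iv_exhaustion_seconds(frame_bytes: int = 1500, link_mbps: float = 11.0) -> float:
    """Seconds for a saturated link to use every one of the 2**24 IVs once."""
    frames_per_second = link_mbps * 1e6 / (frame_bytes * 8)
    return 2 ** 24 / frames_per_second


if __name__ == "__main__":
    fa, fb = wep_encrypt(KEY, IV, P_A), wep_encrypt(KEY, IV, P_B)
    print("P_A xor P_B leaked :", keystream_reuse_leak(fa, fb)[:16] == xor(P_A, P_B))
    print("P_B recovered      :", recover_with_known_plaintext(fa, P_A, fb))
    forged = wep_bitflip(fa, xor(P_A, b"GET /epr/billing"))
    print("forged decrypts to :", wep_decrypt(KEY, forged))
    print("IV space exhausted in %.1f hours at 11 Mb/s" % (iv_exhaustion_seconds() / 3600))
```

Both defects are design flaws rather than implementation bugs, which is why the slides move on to TKIP and 802.11i: TKIP mixes a 48-bit per-packet sequence counter into every key so keystreams are not reused, and its keyed Michael MIC (and CCMP’s CBC-MAC in WPA2) means a bit-flip can no longer be repaired by anyone who does not hold the key.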
Current Security Concerns: Rogue AP
• Concern over Rogue Access Points with weak encryption
• Installed by users when wireless isn’t a corporate offering
• Installed by hackers and hidden away

Current Security Concerns: Ad-Hoc Networks
• Ad-Hoc networks are easily left running by users
• They provide a backdoor into the corporate network

Current Security Concerns: Honey Pot
• A hacker installs an Access Point configured to look like the corporate APs (same SSID)
• DE-AUTH messages are sent to the user – causing them to re-authenticate
• Users re-authenticate to the hacker’s AP
• Clients that validate the RADIUS server’s certificate (PEAP / EAP-TLS) will not complete authentication to the impostor; the attack succeeds against clients configured to skip that check, and against open or WEP networks, which have no mutual authentication

Current Security Concerns: DoS – Denial of Service
• Hackers may launch a number of DoS attacks against a WLAN
  – RF jamming
  – Management frame flooding – overwhelms the AP’s ability to operate
  – DE-AUTH floods – reset established links between APs and clients
  – Many, many more
• Such attacks cannot be prevented, only detected. (Forged deauthentication and disassociation frames were later addressed by 802.11w Protected Management Frames; RF jamming remains unpreventable.)

Securing the Air Space
• Air Monitors (AMs) ‘sniff’ the airwaves – looking for activity
• AMs may be separate devices or part of an AP
  – They can spot undesired behaviour and alert administrators
  – Under certain conditions they can launch countermeasures
• Fewer AMs are required than APs in a given area, as they can operate at lower speeds

Air Monitors
• Good Air Monitors will also ‘sniff’ the wired network
• Detected Access Points can thus be identified as
  – Interfering (in the same air space) e.g. next door’s WLAN
  – Rogue (in the same air space and on the wired network)
• Air Monitors will also spot
  – Honey Pots
  – Ad-Hoc networks
  – DoS attacks
• Once a threat is identified
  – Administrators may be alerted
  – When multiple AMs exist, triangulation can provide location determination
  – In the case of Honey Pots, Rogue APs and Ad-Hoc networks, the Air Monitor can launch disruption measures that ‘jam’ the activity
  – Some DoS attacks can be ignored once identified

Decision (4) Dedicated Air Monitors?
• Balance of Cost v Performance & Security
• APs that go ‘off-channel’ to monitor
  – Cheaper – no additional expenditure
  – Inevitable throughput drop – typically 16%
• Dedicated AMs offer
  – Faster detection of undesired wireless activities
  – Can launch countermeasures without further affecting throughput
  – A more complete picture of interference levels. APs provide this functionality for their own channels and offer only a limited view of what is happening on other channels
  – Fault tolerance – dedicated AMs can convert to APs if a normal AP fails

Advanced Features of Thin Solution: Centralised View
• APs and AMs report statistics back to the central switch, where they are correlated
• Signal strength on all channels may be analysed and shown on a ‘Heat Map’
  – Very useful for troubleshooting
• The position of Rogue APs, Rogue clients (indeed all clients) can be triangulated and shown on building maps. Very useful when being attacked or troubleshooting
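The ‘Air Monitors’ and ‘Centralised View’ slides describe what the wireless switch does with the reports it collects: correlate over-the-air sightings with the wired MAC table to separate interfering from rogue APs, flag an AP that advertises the corporate SSID without being in the inventory, spot a DE-AUTH flood, and trilaterate a threat from the RSSI seen by several monitors. The following Python is an added worked example of that correlation, not code from the original deck or from any vendor’s controller. Every input (corporate SSID, authorised BSSIDs, the wired switch’s MAC table, the sightings, a management-frame log and the monitors’ floor-plan coordinates) is constructed for the illustration. Two simplifications are assumed: a rogue AP presents the same MAC on the wired side as its BSSID (real controllers use a small-offset heuristic), and RSSI is converted to distance with a noise-free log-distance path-loss model.

```python
"""Correlate air-monitor reports the way a central wireless switch does.

Added worked example for the 'Securing the Air Space', 'Air Monitors' and
'Centralised View' slides; not code from the original deck or any vendor.
All inputs below are constructed. Assumptions: a rogue AP's wired MAC equals
its BSSID, and RSSI follows a noise-free log-distance path-loss model.
"""
import math
from collections import Counter

CORPORATE_SSID = "UCLH-CLINICAL"                                  # constructed
AUTHORISED_BSSIDS = {"00:0b:86:00:00:01", "00:0b:86:00:00:02"}    # constructed inventory
WIRED_MACS = {"00:0b:86:00:00:01", "00:0b:86:00:00:02",           # constructed switch MAC table
              "00:11:22:33:44:55"}                                # ...which includes the rogue
ROGUE = "00:11:22:33:44:55"
ATTACKER = "de:ad:be:ef:00:01"

# Air monitor positions in metres on a constructed floor plan.
MONITORS = {"AM-1": (0.0, 0.0), "AM-2": (20.0, 0.0), "AM-3": (0.0, 15.0), "AM-4": (20.0, 15.0)}
RSSI_AT_1M, PATH_LOSS_EXP = -40.0, 3.0   # assumed calibration of the path-loss model


def model_rssi(distance_m: float) -> float:
    """Log-distance path loss: RSSI drops 10*n dB for every tenfold increase in distance."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(distance_m)


def rssi_to_distance(rssi_dbm: float) -> float:
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


# Constructed sightings: (monitor, bssid, ssid, rssi_dBm). The rogue's RSSIs are
# generated from a hidden true position of (12, 7) so the locator can be checked.
_TRUE_ROGUE_XY = (12.0, 7.0)
SIGHTINGS = [
    ("AM-1", "00:0b:86:00:00:01", CORPORATE_SSID, -45.0),
    ("AM-1", "02:aa:bb:cc:dd:ee", CORPORATE_SSID, -55.0),   # our SSID, not in inventory
    ("AM-4", "00:1c:f0:99:99:99", "NextDoorWiFi", -80.0),
] + [(name, ROGUE, "linksys", model_rssi(math.dist(xy, _TRUE_ROGUE_XY)))
     for name, xy in MONITORS.items()]

# Constructed management-frame log: (time_s, subtype, source). Two legitimate
# deauths from real APs, then a 40-frame deauth flood from one spoofed source.
FRAMES = [(0.5, "deauth", "00:0b:86:00:00:01"), (1.0, "beacon", "00:0b:86:00:00:01"),
          (3.2, "deauth", "00:0b:86:00:00:02")] + \
         [(5.0 + i * 0.02, "deauth", ATTACKER) for i in range(40)]


def classify(sightings) -> dict:
    """Label each BSSID: authorised / honeypot (our SSID but not ours) /
    rogue (unknown AP also present on the wire) / interfering (air space only)."""
    ssids_by_bssid = {}
    for _, bssid, ssid, _ in sightings:
        ssids_by_bssid.setdefault(bssid, set()).add(ssid)
    labels = {}
    for bssid, ssids in ssids_by_bssid.items():
        if bssid in AUTHORISED_BSSIDS:
            labels[bssid] = "authorised"
        elif CORPORATE_SSID in ssids:
            labels[bssid] = "honeypot"
        elif bssid in WIRED_MACS:
            labels[bssid] = "rogue"
        else:
            labels[bssid] = "interfering"
    return labels


def deauth_floods(frames, window_s: float = 1.0, threshold: int = 10) -> list:
    """(source, window_start) pairs whose deauth count in a window exceeds the threshold."""
    counts = Counter((src, math.floor(t / window_s) * window_s)
                     for t, subtype, src in frames if subtype == "deauth")
    return sorted(key for key, n in counts.items() if n > threshold)


def locate(bssid: str, sightings):
    """Trilaterate a BSSID from RSSI at 3+ monitors by linear least squares
    (circle equations linearised about the first monitor). None if seen by fewer."""
    obs = [(MONITORS[m], rssi_to_distance(r)) for m, b, _, r in sightings if b == bssid]
    if len(obs) < 3:
        return None
    (x0, y0), d0 = obs[0]
    rows = [(2 * (xi - x0), 2 * (yi - y0), d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2)
            for (xi, yi), di in obs[1:]]
    a11 = sum(a * a for a, _, _ in rows); a12 = sum(a * b for a, b, _ in rows)
    a22 = sum(b * b for _, b, _ in rows)
    b1 = sum(a * c for a, _, c in rows); b2 = sum(b * c for _, b, c in rows)
    det = a11 * a22 - a12 * a12           # normal equations (A^T A) v = A^T b, 2 unknowns
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


if __name__ == "__main__":
    for bssid, label in classify(SIGHTINGS).items():
        where = locate(bssid, SIGHTINGS) if label in ("rogue", "honeypot") else None
        print(f"{bssid} {label:11s}", "" if where is None else "at (%.1f, %.1f) m" % where)
    print("deauth floods:", deauth_floods(FRAMES))
```

Two points from the slides show up directly in the code: the wired-side correlation is what turns “unknown AP” into “rogue” rather than “interfering”, and the honeypot seen by only one monitor cannot be located, which is the practical reason the deck argues for enough monitors to triangulate.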
Advanced Features of Thin Solution: Adaptive Radio Management
• The wireless environment is permanently changing
  – The office next door goes wireless
  – Shiny new metal filing cabinets are installed
• Constant need to
  – Resurvey
  – Recalibrate channels
  – Recalibrate power

Advanced Features of Thin Solution: Self-Healing
• When APs fail, existing APs recalibrate power and channel allocations to avoid coverage holes
• In this example the middle AP fails. The other 2 APs boost their power to compensate
[diagram: three APs; the middle one has failed and the two neighbours’ coverage has expanded]

Advanced Features of Thin Solution: Integrated Firewall
• The centralisation of the Thin Solution facilitates integrated firewalls. This offers several benefits
  – Increased performance
  – User context is available at the firewall. As the wireless switch is involved in the authentication of users, the firewall ‘sees’ individual users, not individual IP addresses. Thus per-User policies can be implemented, and as the user roams from AP to AP the policy roams with them
  – This per-User policy can also be used to provide per-User bandwidth allocation
  – Centralisation facilitates easier troubleshooting – all information is in one place

Summary
• UCLH – Business Justification
• WLAN Solution
  – Future proofed
  – Scalable
  – Robust
  – Resilient

The Future?
• Faster wireless speeds – 802.11n promises faster connections, likely to be 100–300 Mb/s
• VoIP over Wireless – 802.11e promises a standard for QoS over the ether. Combined with other improvements this will lead to wireless VoIP becoming ubiquitous
• WiMAX – 802.16 (Worldwide Interoperability for Microwave Access). Addresses the “first-mile/last-mile” connection in wireless metropolitan area networks
• Other, as yet undiscovered technologies?

The Future?
“In a few years’ time, the idea of ever having been tethered by wires to a fixed communications infrastructure will seem remarkably quaint”