BCS Health Informatics – UCLH Wireless Network, 18th May 2005
© LogicaCMG plc 2004.
Speakers
• Bradley Gamage – LogicaCMG Client Manager
• James Hamilton – LogicaCMG Technical Design Authority
Agenda
• WLAN – A Business Industry View
• Wireless working – An Overview
• UCLH – A Case Study
• Wireless Technical Session
• Summary
• Questions
Investing In Technology
“The top three enterprise IT spending priorities for
2005 are security, wireless LAN connectivity, and
mobile computing devices.”
Data Security
“Intuition tells us that a wireless system must be
more ‘open’ to hacking and interference, and the
industry is doing its best to persuade us that this
is not the case”
So Why Wireless?
• Simple and quick installation process?
• Reduced running and network administration costs?
• Increased employee mobility and productivity
• Greater organisational flexibility
• Downtime eliminated
• When the office is outgrown, the network can be taken with you
Deployment Factors
Factor | Importance | Comment
Equipment Costs | 2 | Important, but not a huge issue. “Wireless is relatively cheap”
Measurable ROI | 2.5 | Not seen as vital – “nice to have”, demand-led. Because of low initial cost, ROI justification can be more effort than it’s worth
Security | 3 | IT departments not too worried
Management | 5 | Massive. IT departments dislike the extra work supporting wireless
Source: Unstrung 2004
WLAN Shortcomings
• Complex technology
• Supportability and maintainability
• Installation - not a ‘Rip and Replace’ philosophy
• Coping with building space use
• External Radio Frequency leakage
• Security
Security Measures
• Don’t install ‘out of the box’
• Seek advice from best-of-breed WiFi providers
• Minimise Radio Frequency leakage
• Immediately report lost/stolen devices
• Regularly audit security policies
• Wired = ‘Trusted’; Unwired = ‘Untrusted’
Before Implementing
• Why are we considering deploying a wireless network (i.e. what is the business justification)?
• Do we have the resources and processes to manage/support the wireless service?
WLAN in the UCLH
• LogicaCMG and IDX Contract
– EPR, New Build Network and IT Outsourcing Services Provision
• LogicaCMG’s New Build Network Partners:
– Marconi – Network Implementation Partner
– Aruba Networks – Wireless System Provider
UCLH WLAN Considerations
• Patient data held “Sacrosanct”
• EPR – A Paperless/Paper-lite office
• Minimising use of hospital bed area space
• Flexible working – The use of ‘CoWs’ (Computers on Wheels)
• Security paramount
• Seamless to end user
• A scalable, secure, robust and resilient solution
An Example of a ‘CoW’
‘Challenges’
• Agree appropriate solution
• Perform Building Survey
• Undertake an RF Wireless coverage survey
• Assess specific implementation issues (SITU, HDU etc)
• Upgrade existing IT infrastructure
• Agree Installation plan and install
Technical Presentation
• Thick v Thin Architecture
• Coverage
• Security
– Different encryption technologies available
– Securing the Air
• Advanced Features
Decision (1)
Thick v Thin: Thick architecture
• Thick Access Points - a number of intelligent APs are deployed across the wired network. These APs perform all their own security and talk amongst themselves to handle clients roaming from AP to AP
Decision (1)
Thick v Thin: Thin Architecture
• Thin Access Points - a number of less intelligent (usually cheaper) APs are deployed. These APs are controlled by a central wireless switch or switches
Decision (1)
Thick v Thin: Advantages of Thick APs
• Simpler initial configuration and deployment
• No potential for bottlenecks at the Wireless – Wired boundaries
• Lower initial cost of deployment – whilst Thick APs are usually more expensive than Thin APs, there are no expensive wireless switches to pay for
• Inherent Resilience – when an AP fails, coverage is only lost in the given area
– Failure of a wireless switch leads to total loss of wireless coverage
– Typically multiple wireless switches are installed – further increasing costs
Decision (1)
Thick v Thin: Advantages of Thin APs
• Seamless roaming between APs – fresh encryption keys must be renegotiated. With Thick APs this takes hundreds of milliseconds, resulting in high latencies, scalability problems & issues for VOIP
• Integrated Management included
– Changes can be pushed to all APs at once
– Ease of troubleshooting – data is correlated in one place
• Facilitates an integrated firewall - allows ‘per User’ access rules & ‘per User’ bandwidth management
Decision (1)
Thick v Thin: Advantages of Thin APs
• Advanced features through the collaboration of Access Points
– Self Healing Networks
– Auto RF calibration and configuration
– Location determination via triangulation
– Advanced security - Rogue AP detection, IDS, etc.
Decision (1)
Thick v Thin: TCO per AP
Chart: Total Cost of Ownership per AP, Thick Solution v Thin Solution, plotted against Number of Access Points
• UCLH had 270 Access Points / Air Monitors over 7 locations and 3x Wireless Switches
Decision (2)
Coverage: Radio Frequency
• Protocols
– 802.11b – 11Mb operating at 2GHz
• Support for legacy devices
– 802.11g - 54Mb operating at 2GHz
• Extended range of coverage compared with 802.11a
– 802.11a – 54Mb operating at 5GHz
• Less interference
• More non-overlapping channels available, allowing more APs to be deployed in a small area without mutual interference. This increases available bandwidth in a given area
Decision (2)
Coverage: Radio Frequency
• Unless cost is really an issue – be greedy – choose both and take advantage of the merits of each protocol
• Newer WLAN network cards can seamlessly move between 802.11a and 802.11b/g
• Newer Access Points have software radios, enabling reconfiguration to either 802.11a or 802.11b/g as appropriate
• Look for dual-radio Access Points that allow simultaneous operation of 802.11a and 802.11b/g
Decision (2)
Coverage: Wireless Surveys
• It is vital to undertake a wireless survey to ensure that you have the correct number and positioning of APs in order to achieve the coverage required. On large installations you simply cannot rely on a paper-based exercise
• Planning tools do exist; they certainly help with the task and are very important on large installations, but they do not identify issues such as
– Asbestos, regulations, pipe work/cables – preventing installation
– Building materials used and their effect on signal propagation. (Leakage / coverage through floors is difficult to predict)
– Large metal objects (filing cabinets) that affect signal strength
– Sources of interference – e.g. Microwave Ovens
– Other previously installed WLANs
Decision (3)
Security:
• Many different approaches to security. Increased security typically requires increased costs
– WEP – Minimum level of security. Better than none, but proven vulnerable and easily penetrated. Suitable for home use only. VPNs may be layered on top but this increases the administrative burden
– Dynamic WEP – better. Requires 802.1x / EAP infrastructure, e.g. RADIUS. User accounts are stored on a server. As a user connects to the WLAN they are dynamically allocated a different encryption key.
• EAP (Extensible Authentication Protocol) allows users to identify themselves using a number of different methods, e.g.
– EAP - CHAP uses a username and password
– EAP - TLS uses client certificates. Very secure but has overhead of certificate administration
– EAP - PEAP uses username and password via a secure TLS encrypted channel. Very secure and reduced administration. Becoming de-facto standard. Simple to implement in a Windows environment
– EAP - TTLS similar to EAP-PEAP but is not included in Windows products
Decision (3)
Security:
– TKIP (Temporal Key Integrity Protocol) a.k.a. WEP2 – every data frame is rekeyed by TKIP. TKIP synchronises the change between client and AP
• May be implemented cheaply using an initial ‘Pre shared key’
• Or 802.1x may be used to provide a dynamic initial key
• WiFi Protected Access (WPA) = TKIP + 802.1x + MIC (Message Integrity Check)
• The combination of 802.1x, EAP-PEAP / EAP-TLS and TKIP provides a very secure implementation
– 802.11i (WPA2) – includes AES (Advanced Encryption Standard). Replaces DES and 3DES and is championed as the Holy Grail of security. Requires more powerful Access Points and Wireless Network Cards to handle the encryption
• 802.1x, EAP-PEAP / EAP-TLS and AES. This represents the most secure solution to date
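An added illustration, not from the presentation, of the operational difference the slides draw between static WEP and an 802.1x/EAP (RADIUS-backed) WLAN: with static WEP every client holds the same long-lived key, so a lost or stolen CoW forces a manual re-key of every remaining device, whereas with server-side accounts the lost device's account is simply disabled and every session and every roam gets a fresh key. Device and user names are constructed.

```python
import secrets


class StaticWepWlan:
    """Static WEP as on the slide: one shared key on the AP and on every client."""

    def __init__(self):
        self.key = secrets.token_bytes(13)   # 104-bit WEP key, constructed at random
        self.clients = set()

    def join(self, device):
        self.clients.add(device)
        return self.key                      # identical key handed to every device

    def roam(self, device):
        return self.key                      # nothing is renegotiated between APs

    def device_lost(self, device):
        # The key on the lost device keeps working, so the AP key must change and
        # every remaining client must be re-keyed by hand; return how many.
        self.clients.discard(device)
        self.key = secrets.token_bytes(13)
        return len(self.clients)


class Dot1xWlan:
    """802.1x/EAP as on the slide: accounts on a RADIUS server, a key per session."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)       # user -> enabled (the RADIUS user store)
        self.sessions = {}                   # device -> current session key

    def join(self, device, user):
        if not self.accounts.get(user):
            raise PermissionError(f"RADIUS rejected {user}")
        self.sessions[device] = secrets.token_bytes(32)   # fresh key after EAP succeeds
        return self.sessions[device]

    def roam(self, device, user):
        return self.join(device, user)       # re-authenticate on the new AP: new key

    def device_lost(self, device, user):
        self.accounts[user] = False          # disable one account; nobody else affected
        self.sessions.pop(device, None)
        return 0                             # no other client needs touching
```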
Old Security Concerns
• Original security concerns surrounded hackers cracking the Access Point encryption
• WEP encryption is weak and easily broken
• Using 802.1x and EAP-PEAP/EAP-TLS with TKIP or AES solves this concern
Current Security Concerns
Rogue AP
• Concern over Rogue Access Points with weak encryption
• Installed by Users when wireless isn’t a corporate offering
• Installed by Hackers and hidden away
Current Security Concerns
Ad-Hoc Networks
• Ad-Hoc networks are easily left running by users
• They provide a backdoor into the corporate network
Current Security Concerns
Honey Pot
• A Hacker installs an Access Point configured to look like the corporate APs
• DE-AUTH messages are sent to the User - causing them to re-authenticate
• Users re-authenticate to the Hacker’s AP
Current Security Concerns
DOS – Denial of Service
• Hackers may launch a number of DOS attacks against a WLAN
– RF jamming
– MGMT frame flooding – overwhelms the APs’ ability to operate
– DE-AUTH floods – reset established links between APs and Clients
– Many, many, more
• Such attacks cannot be prevented
Securing the Air Space
• Air Monitors (AMs) ‘Sniff’ the airwaves – looking for activity
• AMs may be separate devices or part of an AP
– They can spot undesired behaviour and alert administrators
– Under certain conditions they can launch countermeasures
• Fewer AMs are required than APs in a given area, as they can operate at lower speeds
Air Monitors
• Good Air Monitors will also ‘Sniff’ the wired network
• Detected Access Points can thus be identified as
– Interfering (in the same air space) e.g. next door’s WLAN
– Rogue (in the same air space and on the wired network)
• Air Monitors will also spot
– Honey Pots
– AD-HOC networks
– DOS attacks
• Once a threat is identified
– Administrators may be alerted
– When multiple AMs exist triangulation can provide location determination
– In the case of Honey Pots, Rogue APs, and AD-Hoc networks, the Air Monitor can launch disruption measures – that ‘JAM’ the activity
– SOME DOS attacks can be ignored once identified
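The air-monitor triage described on the last two slides, as an added example that is neither the presentation's nor Aruba's code: it applies the slides' own categories to constructed over-the-air observations, telling interfering from rogue by correlating the BSSID with MACs sniffed on the wired side, flagging honey pots (our SSID on a BSSID we do not own), ad-hoc (IBSS) beacons and DE-AUTH floods. All MACs and SSIDs are invented; the adjacent-last-byte wired-side match and the per-second deauth threshold are simplifying assumptions.

```python
from collections import Counter

# Constructed sample environment: corporate SSID, authorised AP BSSIDs and the MACs
# the wired-side sniff has seen on the LAN. All values are invented for this example.
CORPORATE_SSID = "UCLH-Clinical"
AUTHORISED_BSSIDS = {"00:0b:86:a1:00:01", "00:0b:86:a1:00:02"}
WIRED_MACS = {"00:0b:86:a1:00:01", "00:0b:86:a1:00:02", "00:18:f3:7c:22:10"}
DEAUTH_PER_SEC_LIMIT = 20   # assumed threshold for calling a deauth flood

def _on_wire(bssid, wired_macs):
    """True if the BSSID, or a MAC adjacent in its last byte (assumed AP layout), is on the LAN."""
    head, last = bssid[:-2], int(bssid[-2:], 16)
    return any(f"{head}{(last + d) & 0xff:02x}" in wired_macs for d in (-1, 0, 1))

def classify_ap(beacon, wired_macs=WIRED_MACS):
    """Apply the slide's categories to one beacon observed over the air."""
    if beacon.get("ibss"):
        return "ad-hoc"                       # IBSS beacon: a peer-to-peer backdoor
    if beacon["bssid"] in AUTHORISED_BSSIDS:
        return "authorised"
    if beacon["ssid"] == CORPORATE_SSID:
        return "honeypot"                     # our SSID on a BSSID we do not own
    if _on_wire(beacon["bssid"], wired_macs):
        return "rogue"                        # same air space AND on the wired network
    return "interfering"                      # same air space only, e.g. next door

def deauth_floods(frames, limit=DEAUTH_PER_SEC_LIMIT):
    """BSSIDs whose deauth count in any one-second bucket exceeds the limit."""
    per_sec = Counter((f["bssid"], int(f["t"])) for f in frames if f["type"] == "deauth")
    return sorted({bssid for (bssid, _), n in per_sec.items() if n > limit})

def triage(frames):
    """Return {bssid: verdict} for a batch of over-the-air observations."""
    verdicts = {f["bssid"]: classify_ap(f) for f in frames if f["type"] == "beacon"}
    for bssid in deauth_floods(frames):
        verdicts[bssid] = verdicts.get(bssid, "unknown") + " + deauth flood"
    return verdicts

# Constructed observations: one beacon of each category, then 30 deauths in one second.
SAMPLE_FRAMES = [
    {"type": "beacon", "bssid": "00:0b:86:a1:00:01", "ssid": CORPORATE_SSID, "ibss": False, "t": 0.0},
    {"type": "beacon", "bssid": "00:18:f3:7c:22:11", "ssid": "linksys", "ibss": False, "t": 0.1},
    {"type": "beacon", "bssid": "00:1c:b3:09:55:aa", "ssid": "NextDoorLtd", "ibss": False, "t": 0.2},
    {"type": "beacon", "bssid": "02:11:22:33:44:55", "ssid": "laptop-share", "ibss": True, "t": 0.3},
    {"type": "beacon", "bssid": "00:0b:86:ff:ff:ff", "ssid": CORPORATE_SSID, "ibss": False, "t": 0.4},
] + [{"type": "deauth", "bssid": "00:0b:86:ff:ff:ff", "t": 1.0 + i / 100} for i in range(30)]

if __name__ == "__main__":
    print(triage(SAMPLE_FRAMES))
```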
Decision (4)
Dedicated Air Monitors?
• Balance of Cost v Performance & Security
• APs that go ‘off-channel’ to monitor
– Cheaper – no additional expenditure
– Inevitable throughput drop – typically 16%
• Dedicated AMs offer
– Faster detection of undesired wireless activities
– Can launch countermeasures without further affecting throughput.
– A more complete picture of interference levels. APs provide this functionality for their own channels and offer a limited view of what is happening on other channels.
– Fault tolerance – dedicated AMs can convert to APs if a normal AP fails
Advanced Features of Thin Solution
Centralized View
• APs and AMs report statistics back to the central switch where they are correlated
• Signal strength on all channels may be analysed and shown on a ‘Heat Map’ – Very useful for troubleshooting
• The position of Rogue APs, Rogue clients (indeed all clients) can be triangulated and shown on building maps. Very useful when being attacked or troubleshooting
Advanced Features of Thin Solution
Adaptive Radio Management
• The wireless environment is permanently changing
– The office next door goes wireless
– Shiny new metal filing cabinets are installed
• Constant need to
– Resurvey
– Recalibrate channels
– Recalibrate power
Advanced Features of Thin Solution
Self-Healing
• When APs fail, existing APs recalibrate power and channel allocations to avoid coverage holes
• In this example the middle AP fails. The other 2 APs boost their power to compensate
Advanced Features of Thin Solution
Integrated Firewall
• The centralisation of the Thin Solution facilitates integrated firewalls. This offers several benefits
– Increased performance
– User context is available at the firewall. As the wireless switch is involved with the authentication of users, the firewall ‘sees’ individual users, not individual IP addresses. Thus per-User policies can be implemented and as the User roams from AP to AP the policy roams with them
– This per-User policy can also be used to provide per-User bandwidth allocation
– Centralisation facilitates easier troubleshooting – all information is in one place
Summary
• UCLH
– Business Justification
• WLAN Solution
– Future proofed
– Scalable
– Robust
– Resilient
The Future?
• Faster wireless speeds
– 802.11n Promises faster connections, likely to be 100-300Mb/s
• VoIP over Wireless
– 802.11e Promises a standard for QOS over the ether. Combined with other improvements will lead to wireless VOIP becoming ubiquitous
• WiMAX
– 802.16 WiMAX – (Worldwide Interoperability for Microwave Access). Addresses the "first-mile/last-mile" connection in wireless metropolitan area networks
• Other, as yet undiscovered technologies?
The Future?
“In a few years time, the idea of ever having been
tethered by wires to a fixed communications
infrastructure will seem remarkably quaint”