Taos, Inc.

April Issue of the Taos Newsletter: Wireless Networking

Case Study: Eliminating Rogue Access Points - Architecting a Wireless Security Solution to Provide for an Enforceable Security Policy


Taos Professional Services Team

When implementing and supporting a campus-wide wireless network, how can the integrity of internal and external security measures be sustained when rogue (unapproved) access points are introduced? The simple answer is to create an internal policy that prohibits employees from installing their own, unofficial access points. However, you can’t enforce the policy if you can’t detect, find, and eliminate the rogue APs. Here’s how Taos helped one high-tech client design, build, test, and implement a solution that supported an enforceable policy.

The Customer Challenge

The primary customer challenge was to maintain the integrity of their wireless network throughout two neighboring multi-story buildings. Due to the limitations of “first generation” technology, the company's wireless network was susceptible to internal experimentation (at best) or even sabotage (at worst). Further, because outsiders could launch third-party attacks through the company's network via rogue APs, there was considerable business risk and liability associated with an insecure wireless network.

While they had a wireless security policy in place that prohibited the installation and use of rogue APs on their network, there was no easy or reliable way to detect the rogue APs and then find their physical location to shut them down. In short, the company couldn’t enforce its policy.

In addition, beyond the problem of rogue APs, there were several other areas the company’s IT management wanted to consider and improve in the new solution. These included better scalability through centralized wireless network management, avoiding the use of MAC address management, and a desire to implement higher speed support (only 802.11b was currently supported) and the next generation of wireless security (WPA, 802.11i).

The Taos Solution

The solution involved the investigation of available technologies and the architecting of a network management system that would allow the client’s IT department to detect and then physically locate and remove any rogue APs. Of course, the solution had to also take into account the additional requirements previously mentioned.

A Taos consultant with expertise in wireless played a key role in the project from the beginning – evaluating and advising on current technologies, planning the solution, doing the required site survey, designing the physical floor plan for proper RF coverage across all floors in two buildings, implementing the Power over Ethernet (PoE) switch for the APs, designing the network, testing the solution, and providing a complete set of network diagrams and documentation.

After a thorough evaluation, technologies from AireSpace were selected because they addressed all the requirements. First, and most importantly, the AireSpace solution can easily detect a rogue AP and then, through a sophisticated triangulation technique, provide the physical location of the AP. In addition, the AP can be automatically contained until it can be physically removed.

Other features include:

  • Easy to implement a number of different possible encryption schemes
  • Provides for remote, centralized management with visibility to all access points
  • Fast and simple scalability through Zero-Configuration Deployment (When installing new access points, the management switch automatically sends images and configurations to the AP.)
  • Intelligent RF management (dynamic channel assignment, interference detection and avoidance, load balancing across APs, coverage hole detection and correction, and dynamic power control)
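The rogue-AP detection and location step described above, reduced to its core logic as an added illustration (this is not Taos' or AireSpace's code, and the inventory, BSSIDs, SSIDs and signal readings are constructed sample data): every authorized AP doubles as a sensor reporting the beacons it overhears, any BSSID absent from the inventory is a policy violation, and ranking the sensors by received signal strength tells a technician which building and floor to search first.

```python
# Added illustration of rogue-AP detection against an authorized inventory.
# All BSSIDs, SSIDs and RSSI values are constructed sample data.
from collections import defaultdict

# Authorized inventory: BSSID -> (SSID, building, floor). Constructed.
AUTHORIZED = {
    "00:0b:85:aa:00:01": ("corp-wlan", "A", 1),
    "00:0b:85:aa:00:02": ("corp-wlan", "A", 2),
    "00:0b:85:aa:00:03": ("guest-wlan", "B", 1),
}

# Constructed sensor reports: (sensor_bssid, heard_bssid, ssid, rssi_dbm).
SCAN = [
    ("00:0b:85:aa:00:01", "00:0b:85:aa:00:02", "corp-wlan", -61),
    ("00:0b:85:aa:00:01", "00:11:22:33:44:55", "linksys", -48),
    ("00:0b:85:aa:00:02", "00:11:22:33:44:55", "linksys", -74),
    ("00:0b:85:aa:00:03", "00:11:22:33:44:55", "linksys", -88),
    ("00:0b:85:aa:00:02", "de:ad:be:ef:00:01", "corp-wlan", -52),
]


def classify(scan, authorized):
    """Return {bssid: reason} for every beacon that violates the policy.

    Any BSSID not in the inventory is unauthorized; one that also beacons
    an official SSID is called out separately, since a user connecting to
    it would believe they were on the corporate network."""
    corp_ssids = {ssid for ssid, _b, _f in authorized.values()}
    findings = {}
    for _sensor, bssid, ssid, _rssi in scan:
        if bssid in authorized:
            continue
        if ssid in corp_ssids:
            findings[bssid] = "unauthorized AP impersonating %s" % ssid
        else:
            findings[bssid] = "unauthorized AP advertising %s" % ssid
    return findings


def locate(scan, authorized, rogue_bssid):
    """Rank sensors by strongest RSSI; returns [(building, floor, rssi)].

    The first entry is where a physical search should begin."""
    heard = defaultdict(list)
    for sensor, bssid, _ssid, rssi in scan:
        if bssid == rogue_bssid:
            heard[sensor].append(rssi)
    ranked = sorted(heard.items(), key=lambda kv: max(kv[1]), reverse=True)
    return [(authorized[s][1], authorized[s][2], max(r)) for s, r in ranked]
```

Real controllers refine the strongest-sensor estimate into a floor-plan position using several sensors' readings, but the inventory comparison is the part that turns a written policy into something the IT group can act on.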

In addition to the AireSpace technology, another key part of the solution was to implement separate guest and employee networks to provide better security. This approach allows visitors to gain e-mail and internet access through the wireless network while keeping the internal network safe. At the same time, the IT group can have full visibility into access usage and the option to disable malicious users if needed.

In researching and evaluating the solution, another interesting decision was made. Because “next generation” wireless security is still evolving, the implementation of EAP or WPA could be a potential maintenance issue going forward and was deemed unnecessary at this time. Instead, it was decided that a Cisco VPN and its associated encryption technology would provide the necessary security on top of the wireless network. This approach still allows the option of migrating to WPA or 802.11i in the future if desired.

To complete the project, the solution was validated through rigorous testing by the Taos consultant, and a comprehensive set of documents detailing the design, the test results, and a detailed implementation plan was delivered to the client.

Results and Benefits

The desired benefits of increased security and ease of administration were realized – the solution provides a secure but flexible framework within which consultants, vendors, and partners can use the wireless network without compromising the company's security. And, by providing wireless access to these communities of users, the company has become a better partner with a more efficient and more flexible place to conduct business.

The success of this effort was directly attributable to the high quality technical design, testing, and documentation provided by the Taos consultant. Taos' flexible Professional Services model allowed the client to maximize the value of their consulting dollar by having the right expert talent working on the right aspect of the project at the right time.


© 2004, Taos Mountain, Inc.