From itschang@hapi.isis.unc.edu Tue Jan 21 23:38:54 2003
Message-ID: <200301161945.OAA19276@hapi.isis.unc.edu>
Date: Thu, 16 Jan 2003 14:45:28 -0500
Subject: [support] SIGNIFICANT: Major Wireless Networking Changes!!!
Reply-To: ITS Change
From: ITS Change
Precedence: Bulk
List-Unsubscribe:
List-Subscribe:
List-Owner:
X-List-Host: The UNC List Server
Sender: bounce-support-205919@listserv.unc.edu
X-LISTMANAGERSQL-Message-Id:
To: "The support mailing list"
Newsgroups: unc.support
NNTP-Posting-Host: 152.2.1.174
X-Trace: news.unc.edu 1042746422 152.2.1.174 (16 Jan 2003 14:47:02 -0500)
Organization: University of North Carolina at Chapel Hill
Lines: 89
Path: news.unc.edu!not-for-mail
Xref: news.unc.edu unc.support:27524

There is a significant and growing 802.11 wireless network infrastructure at UNC-Chapel Hill. We currently have approximately 250 wireless access points and, at any point in time, there are hundreds of active wireless users - a number that will soon be growing into the thousands.

Given the range of critical applications being used, including financial transaction, grades, and other applications that contain private personal information, and the inherent lack of security in wireless connections, there is a clear need to implement new policies that will improve the security of data communication over the wireless network. We also expect the State EDP auditors to review wireless security as part of their assessment of campus electronic security practices. These factors, taken together, require us to implement wireless networking security changes now.

As part of the 802.11 standard, there is a mechanism called WEP, which appropriately stands for Wired Equivalent Privacy.
While there are many reports about the limited effectiveness of WEP and the tools that exist to crack this type of encryption, there are three things to keep in mind in terms of alternatives:

(1) The other alternatives that exist today are all very proprietary and would not work with the multitude of wireless clients that exist on the campus.

(2) The emerging 802.11i security/privacy standard is just that - still emerging and won't be ready soon enough for our requirements.

(3) Although WEP does not offer high security, it’s much better than having no security at all.

Depending on the model of wireless card, there are two levels of WEP encryption, one with 64-bit encryption and one with 128-bit encryption. After evaluating the most common wireless card models, we determined that many of them would need new firmware, driver downloads and software updates to support 128-bit encryption. Therefore, we have chosen to use the 64-bit option.

Another wireless security issue is related to the SSID (Service Set Identifier.) Currently, our campus access points are set to continually broadcast their SSID. However, it is now considered a "best practice" in wireless security to disable the SSID broadcast on the wireless access points. This helps prevent connections from unauthorized users scanning for available networks, while still allowing users who know the correct SSID to connect. Only users that have configured their wireless adapter to use the known SSID will be able to connect to the wireless network.

In summary,

- - The existing UNC-Chapel Hill wireless infrastructure is considered insecure and too vulnerable to eavesdropping of sensitive information; this needs to be remedied as quickly as possible.

- - The broadcasting of SSIDs on access points must be disabled, requiring all wireless users to have properly configured the appropriate SSID on their wireless client.

- - WEP needs to be enabled on all access points and WEP keys configured on all wireless clients.
- - These changes need to be made on ALL wireless access points on campus, including those that are departmentally administered. After the dates listed below, ANY access point that does not meet these minimum ITS standards will be removed from the network until appropriately updated.

These changes will be implemented on the following timeline:

(1) Wednesday Feb 26th -- properly configured SSID is necessary and WEP is configured on the access points, though its use will be optional.

(2) Wednesday March 26th -- WEP becomes mandatory.

More detailed Change Notices will be forthcoming very soon about these two events.

For a more detailed explanation, please visit https://www.unc.edu/security/campus/wireless.html or call 962-HELP.

Jim Gogan
Director, ITS Networking

Jeanne Smythe
Director, ITS Computing Policy and Security

From fred@metalab.unc.edu Tue Jan 21 23:45:42 2003
X-Authentication-Warning: tribal.metalab.unc.edu: fred owned process doing -bs
Date: Fri, 17 Jan 2003 14:00:00 -0500 (EST)
From: Fred Stutzman
To: "The support mailing list"
cc: The support mailing list
Subject: [support] Re: SIGNIFICANT: Major Wireless Networking Changes!!!
In-Reply-To: <002401c2be54$191a9ce0$06d80298@sis4>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Unsubscribe:
List-Subscribe:
List-Owner:
X-List-Host: The UNC List Server
Reply-To: Fred Stutzman
Sender: bounce-support-205919@listserv.unc.edu
X-LISTMANAGERSQL-Message-Id:
Newsgroups: unc.support
NNTP-Posting-Host: 152.2.1.174
X-Trace: news.unc.edu 1042830061 152.2.1.174 (17 Jan 2003 14:01:01 -0500)
Organization: University of North Carolina at Chapel Hill
Lines: 138
Path: news.unc.edu!not-for-mail
Xref: news.unc.edu unc.support:27543

Inevitably, people will ask for the linux configuration info.
Here is the documentation from cisco:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/linux/instlcfg/icglchp4.htm

If you can't find the password, try catting ACU.PREFS

In addition, Blake Watters came up with the following configuration parameters that go around the Cisco tools:

"Configuration with WEP went a lot more smoothly at home. The following is the procedure I used to get 40 bit WEP encryption working in Linux -- this was tested with an Aironet card against a Cisco AP340 access point:

    iwconfig eth1 essid UNC-1
    iwconfig eth1 key **keyname** restricted
    iwconfig eth1 key on
    dhcpcd eth1"

Hope this is of interest to some people.

Best,
Fred

On Fri, 17 Jan 2003, Bill Geschwind wrote:

> Excellent! When I checked the other day I didn't see any step by step
> information on how to configure the more popular wireless configurations
> on campus. That information is out there now for four different Windows
> flavors and two different versions of Mac OS.
>
> https://www.unc.edu/security/campus/wireless/ssid.html
>
> That covers my #1 concern. Now, considering that there are a number of
> PocketPCs in use on campus, would it be possible to have step by step
> configuration information added for PocketPC (and perhaps Linux) as
> well?
>
> Thanks,
> Bill
>
> *********************************************************************
> Bill Geschwind
> Technical Assistance Manager
> Department of Technology and Systems Support
> Division of Student Affairs, University of N. Carolina at Chapel Hill
> 03 Teague Hall, CB# 5510 (919) 962-5629
> Chapel Hill, NC 27599 geschwin@email.unc.edu
> *********************************************************************
>
> -----Original Message-----
> From: bounce-support-186294@listserv.unc.edu
> [mailto:bounce-support-186294@listserv.unc.edu] On Behalf Of bil hays
> Sent: Friday, January 17, 2003 12:45 PM
> To: The support mailing list
> Subject: [support] Re: SIGNIFICANT: Major Wireless Networking Changes!!!
>
> Leaving aside the issue of whether this approach enhances security to any
> truly significant degree, if you follow the link provided in the original
> post...
>
> > For a more detailed explanation, please visit
> > https://www.unc.edu/security/campus/wireless.html or call 962-HELP.
>
> ...there's a link there for wireless configuration.
>
>
> bil
>
>
>
> In article <3E28386E.7060105@email.unc.edu>, Jason Griffey wrote:
>
> > Even more good questions: how will the WEP key/
> > password work with those of us that use four
> > or more buildings on campus regularly? Will there
> > just be ONE Key/password for the campus system
> > (i'm guessing no, since that would be about as
> > secure as they are now). If you're serious about
> > security, each Wireless access point will have
> > WEP enabled with a different Key/password....
> > and that's just a nightmare for users.
> >
> > So...more info upcoming?
> >
> > Jason
> >
> > Robbie Foust wrote:
> >
> > > Good question! And another obvious question...how/where do we get the
> > > key/password, and what if students come in my office and ask me for
> > > it, what is the policy? Do I give it to them? What about visitors to
> > > the school with wireless laptops?
> > >
> > > - Robbie
> > >
> > >
> > > Robbie Foust (rfoust@unc.edu)
> > > Computing Consultant
> > > School of Journalism & Mass Communication
> > > University of North Carolina at Chapel Hill
> > >
> > > --On Friday, January 17, 2003 11:41 AM -0500 Wesley Miaw
> > > wrote:
> > >
> > >> So, will we have to register MAC addresses and get a WEP key/password
> > >> from ATN sometime soon?
> > >>
> > >> In article <200301161945.OAA19276@hapi.isis.unc.edu>,
> > >> ITS Change wrote:
> > >>
> > >>> - - WEP needs to be enabled on all access points and WEP keys configured
> > >>> on all wireless clients.
> > >>>
> > >>> (2) Wednesday March 26th -- WEP becomes mandatory.
> > >>
> > >>
> > >
> >

--
Fred Stutzman
Desk: 962-5646
Cell: 260-8508
www.ibiblio.org
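
Added example, not part of the original thread or of any ITS or Cisco material: the announcement's "64-bit" WEP and the "40 bit" WEP in the quoted Linux procedure are the same setting, because the 64-bit RC4 seed is a 24-bit IV sent in the clear followed by a 40-bit shared secret. The Python below builds and verifies a WEP frame body that way and estimates how soon IVs repeat under one shared key, the concern raised in the thread about a single campus-wide key. The key, IV and payload are constructed sample values, the function names are this example's own, and the estimate assumes randomly chosen IVs.

```python
import math
import struct
import zlib

def rc4(seed: bytes, data: bytes) -> bytes:
    """RC4: key scheduling over `seed`, then XOR `data` with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Return IV (clear) + key-ID byte + RC4(IV || key, payload || ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("WEP needs a 5- or 13-byte key, 3-byte IV, key ID 0-3")
    return iv + bytes([key_id << 6]) + rc4(iv + key, payload + icv(payload))

def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Rebuild the seed from the clear IV, decrypt, and verify the ICV."""
    iv, body = frame[:3], frame[4:]
    plain = rc4(iv + key, body)
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plain[:-4]

def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday estimate: frames sent under one shared key before two of them
    reuse an IV with the given probability (assumes randomly chosen IVs)."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit key (10 hex digits)
    iv = bytes.fromhex("a1b2c3")       # constructed 24-bit IV
    frame = wep_encapsulate(key, iv, b"constructed sample payload")
    print("seed bits:", 8 * len(iv + key), "of which secret:", 8 * len(key))
    print("IV readable in frame:", frame[:3].hex())
    print("frames to 50% IV repeat:", frames_until_iv_repeat())
```

Every client holding the same key draws from the same 24-bit IV space, so the repeat estimate applies to the combined traffic of all users of that key, not to each user separately.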