Wednesday, January 30, 2008

ABS Engineer Update - Bill Waldron on Emory & Henry College Wireless Deployment

During the summer of 2007, ABS was selected by Emory & Henry College, near Abingdon, VA, to design and implement a totally new switching infrastructure, a new campus-wide wireless network, and network access control for students and staff. A Cisco Catalyst 6513 core switch was purchased and installed, along with approximately 30 additional Cisco 3560 PoE and non-PoE distribution switches to supplement the existing Cisco switches. Emory & Henry had the advantage of having a fiber backbone from their MDF to nearly every building on the campus. What they did not have was a Layer 3 network. With Layer 3 IDF switches not in the current budget, we went to work designing a segmented Layer 2 network, utilizing the newly purchased 6513 core switch to do the Layer 3 routing. The entire campus was logically subdivided into more than 180 VLANs, segmenting traffic throughout the campus.

With the desire to provide wireless coverage for the entire campus, indoors and outdoors, ABS and Emory & Henry chose the Cisco Unified Wireless solution. Within the 6513 core switch, two Wireless Integrated Service Modules, or WISMs, were implemented for redundant wireless management. Each WISM contains two Wireless LAN Controllers (WLCs), and each WLC is capable of managing 150 APs. For outdoor wireless coverage, Cisco 1510 LWAPP MESH APs were strategically placed throughout the campus to provide 802.11g coverage for clients in 100% of the populated areas. For indoor coverage, Cisco 1242AG LWAPP APs were used to provide wireless access in each of the approximately 48 buildings on campus. The result was an all-encompassing WLAN that provides wireless network access for all students, faculty, and staff, regardless of where they are located on this historic campus. Emory & Henry College became the first college in the state of Virginia to attain Unified Wireless coverage on 100% of its campus.

Emory & Henry also had several buildings located just outside of the campus boundaries that had no wired infrastructure to support students or staff. To spread the campus network to these outlying areas, MESH wireless links were designed, utilizing the 802.11a backbone of the Cisco 1510 APs, as well as several Cisco 1030 APs. The solution worked perfectly; it even created one bridge link to a guest residence located more than a quarter of a mile across the campus golf course. Users can now roam across the entire campus, maintaining a reliable wireless link to the EHC Wireless Network.

In order to control access to the newly wired and wireless networks, ABS and college IT staff chose Cisco Network Access Control, or NAC, and Cisco Clean Access to provide approved access to network resources and assurance that minimum requirements were met by all clients accessing those resources. Using a combination of “In-band” and “Out-of-band” configurations allowed the same redundant NAC cluster to manage wired and wireless clients throughout the campus network.

This project was started in mid-June 2007, after students vacated a large portion of the buildings. The wiring of all data drops to support the more than 200 APs was subcontracted to Teleconnect Inc., out of Johnson City, TN. The team at Teleconnect pulled off nothing short of several small miracles in wiring each of the more than 40 historic buildings on the campus, and did it on schedule. Our promise to Emory & Henry was to complete the project by the time students returned to school in August, providing them with a fully functional wireless environment. We achieved this, with time to spare, due to the hard work and dedication of the ABS Engineers.

Emory & Henry College now plans to add WCS, or Wireless Control System, to the solution. This will give them central management, reporting, and monitoring of the 4 Wireless LAN Controllers and all 200+ APs throughout the campus. This type of centralized management is very important when a school has to control large quantities of technology with a small IT staff.

Map of E&H Campus:


~Bill

Bill Waldron
CCNA, CAWFS, MCSE, MCSA
Senior Technology Architect
ABS Technology Architects

Wednesday, January 23, 2008

ABS Response to Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Over


ABS would like to make our customers aware of a vulnerability in the CTL Provider service on CUCM/CCM servers that can be exploited in a DoS attack. That service is usually only used if some kind of security/encryption is in use on the CCM servers beyond the standard features.


This is a vulnerability that Cisco Unified Communications customers need to know about, and they should be aware that it allows a Denial of Service (DoS) attack. Customers should also be aware that, depending on the deployment, the affected service may not be one they need to have enabled.


For a service fee of $150.00, ABS will provide an engineer to remotely connect to the CCM cluster and confirm that the service is or is not running, and then disable the service (if it is not required) in alignment with the workarounds provided. While doing this, ABS will also have the engineer confirm the current OS and CCM version and patches, as well as verifying the last time a successful backup was run on the server.



Please contact your ABS Account Manager, or Julia Gardner at sales@absnt.com for more information.


Cisco Unified Communications Manager CTL Provider Heap Overflow Summary:

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. There is a workaround for this vulnerability.

Cisco has made free software available to address these vulnerabilities for affected customers.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0027 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml

Monday, January 21, 2008

Malware Outbreak Report: "Storm Love"

As a follow-up to the last post on the 2008 security outlook, here is some more information about the Storm Network. This is more of their handiwork: multiphase, blended attacks.


Malware Outbreak Report: "Storm Love"

On January 15th, IronPort analysis labs detected a Valentine's Day-themed attack that the Storm attack network is launching in advance of February 14th. This campaign uses a blended attack that combines both Email Spamming and malicious HTTP landing pages.

Over the past year, the Storm malware has continued to mutate and proliferate. January marks the one-year anniversary of the initial release of Storm. Storm continues to use events within popular culture to social engineer users into viewing the email and subsequently opening the malicious HTTP link.

IronPort stopped this most recent Storm attack within minutes through the combination of several technologies:

IronPort Reputation Filters: IronPort uses its SenderBase Network to assign reputation scores to Internet IP addresses based on their likelihood to send spam or host malicious websites. The Email Reputation system blocks 80% of spam at the gateway – including Storm Spam.

The IronPort Web Reputation blocks protected networks from connecting to the Storm HTTP landing pages and the DVS scan engine will block the download of an infected executable. This Storm version may also contain a Phishing component – and despite not being currently active, the Phishing URLs have been preemptively blocked to ensure ongoing customer protection.


SenderBase is aware of the majority of Storm infected PCs and blocked these suspicious senders from sending Storm Spam proactively. For more detailed information about Storm please see IronPort's 2008 Internet Security Trends:
http://www.ironport.com/securitytrends/
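The gateway logic the report describes, in miniature: a sender-IP reputation check at the connection, a URL reputation check on the links in the body, and preemptive blocking of campaign URLs that are known but not yet active. This is an added example, not IronPort's or ABS's code; the reputation tables, thresholds, addresses, score scale, Received-header format and sample messages are all constructed for illustration and are not SenderBase data.

```python
"""Toy mail-gateway reputation filter (added example, not IronPort code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed reputation tables. Scores run from -10 (known bad) to +10
# (known good); the scale and the threshold below are assumptions.
IP_REPUTATION = {
    "203.0.113.7": -9.2,    # constructed: a PC seen sending Storm-style spam
    "198.51.100.20": 6.5,   # constructed: a well-behaved corporate relay
}
URL_REPUTATION = {
    "valentine-card.example": -8.0,  # constructed: malicious landing page
    "cards.example.com": 3.0,        # constructed: ordinary greeting-card site
}
# Campaign URLs identified in advance and blocked before they go live.
PREEMPTIVE_BLOCKLIST = {"secure-login.example"}

BLOCK_THRESHOLD = -3.0   # assumption: anything below this is rejected
UNKNOWN_SCORE = 0.0      # neutral score for IPs/domains never seen before

# Connecting IP as our own gateway would record it in the first Received line.
RECEIVED_RE = re.compile(
    r"^Received: from \S+ \([^\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Verdict:
    action: str                     # "block" or "deliver"
    stage: str                      # "connection" or "content"
    reasons: list[str] = field(default_factory=list)


def sender_ip(raw: str) -> Optional[str]:
    """Return the connecting IP from the first Received header, if any."""
    m = RECEIVED_RE.search(raw)
    return m.group(1) if m else None


def url_hosts(raw: str) -> list[str]:
    """Distinct, lower-cased host names of every http(s) link in the message."""
    return sorted({h.lower().rstrip(".") for h in URL_RE.findall(raw)})


def longest_match(host: str, table) -> Optional[str]:
    """Look up the host, then each parent domain, so a throwaway subdomain
    inherits the reputation of the domain it sits under. The bare TLD is
    never consulted."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def evaluate(raw: str) -> Verdict:
    # Stage 1: sender reputation. A bad score rejects the connection before
    # the body is even scanned.
    ip = sender_ip(raw)
    ip_score = IP_REPUTATION.get(ip, UNKNOWN_SCORE) if ip else UNKNOWN_SCORE
    if ip_score < BLOCK_THRESHOLD:
        return Verdict("block", "connection", [f"sender {ip} reputation {ip_score}"])

    # Stage 2: web reputation of every linked host, plus preemptive blocks.
    reasons: list[str] = []
    for host in url_hosts(raw):
        hit = longest_match(host, PREEMPTIVE_BLOCKLIST)
        if hit:
            reasons.append(f"{host} matches preemptive block {hit}")
            continue
        hit = longest_match(host, URL_REPUTATION)
        score = URL_REPUTATION[hit] if hit else UNKNOWN_SCORE
        if score < BLOCK_THRESHOLD:
            reasons.append(f"{host} reputation {score} (via {hit})")
    if reasons:
        return Verdict("block", "content", reasons)
    return Verdict("deliver", "content", ["no reputation hits"])


# Constructed sample messages (only the headers the filter needs).
STORM_SPAM = """\
Received: from pc-home (pc-home [203.0.113.7])
Subject: I Love You Soo Much

Open your Valentine card: http://www.valentine-card.example/card.php
"""
RELAYED_LURE = """\
Received: from relay.example.net (relay.example.net [198.51.100.20])
Subject: Someone sent you a card

http://www.valentine-card.example/love.html
"""
CLEAN_MAIL = """\
Received: from relay.example.net (relay.example.net [198.51.100.20])
Subject: Birthday card

http://cards.example.com/birthday
"""
PHISH_PREVIEW = """\
Received: from host-44 (host-44 [192.0.2.44])
Subject: Verify your account

http://secure-login.example/verify
"""

if __name__ == "__main__":
    for name, msg in [("storm", STORM_SPAM), ("lure", RELAYED_LURE),
                      ("clean", CLEAN_MAIL), ("phish", PHISH_PREVIEW)]:
        v = evaluate(msg)
        print(f"{name:6} {v.action:8} at {v.stage:10} {'; '.join(v.reasons)}")
```

The two stages mirror the split in the report: most unwanted mail never costs a body scan because the connecting IP is already known to be bad, and the URL stage catches mail that arrives through a clean relay but links to a known or anticipated landing page. The parent-domain walk in `longest_match` is what keeps a fresh subdomain of a blocked campaign domain from slipping past an exact-match list.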


Tuesday, January 15, 2008

2008 Internet Security Trends

The objective of the ABS website is to be an information portal for our clients and prospects. While we prefer to present original content to our clients and prospects, in our research, we sometimes come across what we consider to be best-of-breed material and want to make that available to our clients and prospects in its entirety.

We believe the following report, published by IronPort and Cisco, on the state of the spam/virus/malware industry for 2008 is a “must read” for anyone with a network…or connected to the internet. In writing this introduction, we chose our words carefully. The virus/spam/malware authors out there have literally created an industry. They are monitoring and tracking their successes and modifying code to meet their objectives. They are investing in R&D to meet their objective, which is to penetrate your defenses and insert themselves into your operating environments. They have ROI metrics on their “products” and they are working to wreak havoc on your network, your productivity, and your organization.

ABS sees this as a chess game that will run into perpetuity. There is no checkmate for those of us on the defending end of the network security game, there is only the daily battle fought to keep networks running, servers intact, and data uncompromised. The more we know about the trends in the malware industry the better prepared we will be to defend ourselves against the latest intrusion strategy. We highly recommend the following report and would be glad to discuss these ideas with you and your organization.

http://www.absnt.com/files/For-Blog/2008-Internet-Security-Trends.pdf

Friday, January 11, 2008

ABS Engineer Update - Larry Woods on VBCPS Wireless Deployment

As of January 9th, 2008, and over the last year, ABS has worked directly with Virginia Beach City Public Schools to design and install a district-wide wireless coverage implementation project. We have now completely finished 24 of 86 schools. To date, we have three more High Schools to go and have completed all but two Middle Schools. The end result will be a completely mobile, flexible wireless environment that allows teachers and students to do research and testing on wireless laptop computers wherever the school has the space.

This deployment is currently one of the largest installations ever in Virginia and even along the east coast. It involves 18 Cisco Wireless Integrated Service Modules (also known as WiSMs), which account for 36 Cisco Wireless Controllers across seven Cisco 7613 Routers, three Cisco Wireless Control Systems (to allow for management of all Controllers and Access Points), and up to 4,500 Cisco Wireless Access Points. Next week, we will be installing three Cisco Location Appliances that will use the Wireless Infrastructure to triangulate the locations of Wireless clients on floor plan maps of schools imported into the system. We will also be upgrading the entire system from code version 4.0.217.0 to 4.2.62.0, permitting many more add-on features.

We are in the process of installing approximately 160 Cisco 3750 Layer 3 Switches (two per site) and close to 400 Cisco 3560 PoE switches. With this equipment, the network will provide PoE capabilities to all Wireless Access Points and set the Virginia Beach City Public Schools' current fiber ring to hand off a 1 Gbps connection to all schools/sites.

Redundancy has been added with multiple connections to the fiber ring and to the equipment at each wiring closet. Redundancy is a big factor in the design of the Cisco Wireless LAN Controllers as well. This system has been designed with the N+1 factor in mind, where there is full redundancy for up to three WiSM modules (six Wireless Controllers) if an entire Cisco 7613 Router chassis goes offline. Bottom line, if something happens to a Wireless LAN Controller, the Wireless Access Points that were registered to that Controller will rather seamlessly roam to a backup controller with no problems, barely affecting client wireless usage.

Our plan from this point is to complete the installations of all 86 schools with wireless coverage. After that, there are plans in mind to set up Wireless Laptop Carts with Printers installed on top to connect wirelessly over the network, minimizing cables and user confusion and also allowing the ability to track laptop carts in buildings. We have also designed and are on the verge of creating a Wireless Guest User access privilege for guests coming in and using the school's internet connection. This new Wireless infrastructure will also potentially allow Voice over IP phones to be utilized at each site, if this is the direction the school system goes in.

Essentially, we have a very strong plan of attack and have executed this plan almost flawlessly. We have a great team of engineers working hard and diligently through the late hours of the night with the same goal in mind – a perfect installation – for each and every school. This has been very exciting for us and we look forward to continuing our efforts even after this project is completed.

~Larry

Larry W. Woods
CAWLFS, CAWLDS, CCNA, CCDA,
CISS, PCWE, PCBA, PCBE
Senior Wireless Architect & Systems Engineer
ABS Technology Architects

Thursday, January 10, 2008

Welcome to The Digital Blueprint

Welcome to The Digital Blueprint, the ABS Blog. We are excited to kick off this blog for our clients, our prospects, our internal team, and anyone who is interested in leading-edge network technology. It is our intent for this to be an open forum to discuss ideas, share content, debate positions, and generally conduct civil and professional discussions about a wide variety of topics. ABS will kick off discussion topics on a regular basis each month. These topics will range from updates on leading-edge projects we are working on to debating the merits of new protocol standards or implementation strategies for a particular technology. We do not see this as a "help desk" site for specific, real-time network issues (please click to chat with us for those questions and issues), but we hope that the content from The Digital Blueprint is helpful and interesting. ABS will not be in the business of editing or censoring the opinions or positions of posters, but we will make sure that the posts are respectful and professional and will remove posts that do not meet that standard. We are looking forward to lively interaction with those who find the technology we deploy and facilitate as fascinating as we do. We are excited about what we see on the horizon and we are interested in your ideas and opinions. Thank you for visiting The Digital Blueprint; we are glad to have you join us!