WLAN Security and HIPAA

I am in the process of deploying wireless nodes for independent health care practices (as some of you may know from my previous posts). I need to implement security mechanisms to satisfy the HIPAA guidelines, which to me says I need encryption (WPA/WPA2) with authentication (RADIUS?). The nodes were already purchased (Cisco 1130AG series), so I am not sure if they will support WPA2. However, I need an inexpensive solution (or network appliance) that will run a RADIUS backend. Any ideas on what equipment I need to accomplish this? Furthermore, I would like to put the WLAN on its own VLAN, however I don’t know of any inexpensive routers/switches that will allow me to VLAN and run multiple DHCP scopes. I just started researching, so any ideas would be greatly appreciated.
 
Sonicwall units...WiFiSec.

Their wireless units allow connections to a different subnet...a "padded room" if you will. Then the clients launch the Global VPN IPSec VPN client and authenticate to get into the primary network. So it's basically IPSec VPN security over wireless.
 
Cisco 1130AG radios support WPA2; you will only need to worry about your wireless clients supporting WPA2. Most newer hardware does, but older stuff may not.

If you have a Windows 2003 server then you have RADIUS in the form of IAS. If you don't want to do that you can set up a FreeRADIUS server on a Linux box. Your Windows server is also capable of running multiple DHCP scopes across hundreds of subnets. You also have the benefit of forcing DNS registration.

If you have any Cisco switches then you can do your VLANs and VLAN maps, which can be set up to drop packets from the wireless VLANs destined to a particular subnet for security. A controller based solution will also allow you to set up a local RADIUS server if you don't want to set up on Windows.
 
You also have the benefit of forcing DNS registration.

- What are the benefits of forcing DNS registration?

If you have any Cisco switches then you can do your VLANs and VLAN maps, which can be set up to drop packets from the wireless VLANs destined to a particular subnet for security. A controller based solution will also allow you to set up a local RADIUS server if you don't want to set up on Windows.

- Can you explain this more... I am not a network guru, but I do have a decent understanding. Thanks!
 
I like to do this via a Cisco WLAN controller. One of my medical practice customers just bought a 500 series controller and three 500 series APs. With the controller, all security settings are managed centrally, which saves some time.

I use IAS in Windows to authenticate clients/machines against AD. I push out the WLAN settings via GPO. It takes a little bit of work to get it set up, but it is foolproof when done. There is too much to explain via a post though.
 
Well, DHCP servers dynamically updating the DNS server is helpful because it will update all the DNS records associated with clients when they renew their IP addresses. Setting scavenging on the DNS server is also nice so it deletes old records. That way you spend a lot less time managing DNS.

Yeah, I really wasn't very clear on that second paragraph. What switch/routing gear do you have currently? Is there anything in the budget for buying this stuff or do you have to work with what you already have? This information would help me formulate a better response.
 
Our solution was 1240s with the Cisco WLCs and location appliance.

We run the Cisco supplicant on every device we can shoe-horn it on. This was helped by the fact that most of our legacy stuff wouldn't do WPA2. For RADIUS we run triple A.

Works nicely... Except for the rare occasion when it's a total TARFU. :p
 
Cisco WLCs and location appliance

- I understand the WLC can push configuration data to the nodes... however, what does the location appliance do for you?
 
Yeah, I really wasn't very clear on that second paragraph. What switch/routing gear do you have currently? Is there anything in the budget for buying this stuff or do you have to work with what you already have? This information would help me formulate a better response.

Unfortunately these medical practices are really small and do not have any type of centralized server or directory service running. They use common SOHO networking equipment, which means unmanaged switches and very simple NAT routers. Furthermore, the APs have to be put in autonomous mode because they do not want to purchase the WLAN controller. I believe I can enable PEAP on the AP itself and configure a user database; I have not looked into this yet.
 
Unfortunately these medical practices are really small and do not have any type of centralized server or directory service running. They use common SOHO networking equipment, which means unmanaged switches and very simple NAT routers. Furthermore, the APs have to be put in autonomous mode because they do not want to purchase the WLAN controller. I believe I can enable PEAP on the AP itself and configure a user database; I have not looked into this yet.

I haven't configured it personally, but I think you can use a local AAA database for authentication.
 
Furthermore, the APs have to be put in autonomous mode because they do not want to purchase the WLAN controller. I believe I can enable PEAP on the AP itself and configure a user database; I have not looked into this yet.

Make sure you order the Autonomous APs then. You can't flip a switch on the APs to make them swap between LWAPP and Autonomous modes. You have to change the software they run on. Cisco has a conversion utility you can download that will convert up to six APs at a time if you end up buying the wrong ones. :D

Yeah, you can set up local RADIUS databases and authentication using either LEAP or PEAP or both, can't remember off the top of my head. If memory serves you can even set up a second AP as a backup RADIUS server for some sort of redundancy in the event the other one dies.
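Whether the RADIUS backend ends up being IAS, FreeRADIUS or the AP's own local database, the AP talks to it with the same RFC 2865 exchange. The following is an added example, not code from this thread or from Cisco, written in Python to show both sides of a RADIUS Access-Request/Access-Accept: how the shared secret hides the password on the wire, how the Response Authenticator lets the AP detect a reply that was forged or tampered with, and how an Accept can carry the VLAN the wireless client should land on (the RFC 2868 tunnel attributes, which is the standard way a RADIUS server puts a WLAN client on its own VLAN). It uses plain PAP to keep the packet small; a WPA2-Enterprise AP carries EAP inside RADIUS instead, but the secret, the authenticators and the VLAN attributes work the same way. The user name, password, addresses and shared secret are constructed values for the example.

```python
# Added example: minimal RFC 2865 RADIUS Access-Request / Access-Accept exchange, both
# sides (NAS = the access point, and the RADIUS server), in pure Python.
# PAP is used for brevity; WPA2-Enterprise carries EAP inside RADIUS instead.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed sample values (not from any real deployment).
SECRET = b"constructed-shared-secret"
USERS = {"nurse1": "Spr1ng-2008!"}          # password store on the RADIUS server
VLANS = {"nurse1": "20"}                     # VLAN to hand back on Accept


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def _xor_stream(secret, authenticator, data, chain_on_output):
    # User-Password hiding (RFC 2865 5.2): block i is XORed with MD5(secret + previous
    # block). Hiding chains on the previous output block, revealing on the previous input.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = block if chain_on_output else chunk
    return out


def hide_password(secret, authenticator, password):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(secret, authenticator, padded, True)


def reveal_password(secret, authenticator, hidden):
    return _xor_stream(secret, authenticator, hidden, False).rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """NAS (AP) side: returns (packet, request_authenticator)."""
    ra = authenticator if authenticator is not None else os.urandom(16)  # must be unpredictable
    body = _encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(secret, ra, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def handle_access_request(secret, users, vlan_by_user, packet):
    """Server side: check the credentials, answer Accept (with VLAN) or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = dict(_decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD, b"")
    given = reveal_password(secret, ra, hidden) if hidden else b""
    expected = users.get(user, "").encode()
    ok = bool(expected) and hmac.compare_digest(given, expected)
    resp_attrs = []
    if ok and user in vlan_by_user:   # tag byte 0x00 followed by a 3-byte integer / string
        resp_attrs = [
            (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan_by_user[user].encode()),
        ]
    body = _encode_attrs(resp_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def read_response(secret, request_authenticator, packet):
    """NAS side: verify the Response Authenticator, return (code, assigned VLAN or None)."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    attrs = dict(_decode_attrs(body))
    vlan = None
    if TUNNEL_PRIVATE_GROUP_ID in attrs:
        raw = attrs[TUNNEL_PRIVATE_GROUP_ID]
        vlan = (raw[1:] if raw and raw[0] <= 0x1F else raw).decode()
    return header[0], vlan


def demo(password="Spr1ng-2008!"):
    """Run one full exchange for the constructed user; returns (code, vlan)."""
    req, ra = build_access_request(SECRET, 7, "nurse1", password, "192.168.10.2")
    return read_response(SECRET, ra, handle_access_request(SECRET, USERS, VLANS, req))


if __name__ == "__main__":
    print("good password ->", demo())            # (2, '20'): Accept, VLAN 20
    print("bad password  ->", demo("wrong"))     # (3, None): Reject
```

Two things to take from this for the deployment: the shared secret is the only thing protecting the RADIUS leg between AP and server, so it should be long and random and the server should only accept requests from the AP's address; and because the client checks the Response Authenticator, a server that is unreachable or answering with a different secret shows up as a verification failure on the AP rather than as a silent accept.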
 
Make sure you order the Autonomous APs then. You can't flip a switch on the APs to make them swap between LWAPP and Autonomous modes. You have to change the software they run on. Cisco has a conversion utility you can download that will convert up to six APs at a time if you end up buying the wrong ones. :D

Yeah, you can set up local RADIUS databases and authentication using either LEAP or PEAP or both, can't remember off the top of my head. If memory serves you can even set up a second AP as a backup RADIUS server for some sort of redundancy in the event the other one dies.


The nodes were already ordered, the LWAPP model. I already used the Cisco tool to reflash the firmware to autonomous mode. These health care practices are really small, and will only need one wireless AP, so I can't see purchasing a WLAN controller.

I believe you are correct on setting up a 2nd AP for redundancy, I saw mention of that somewhere in my travels. Hopefully I can set up the node with WPA2 and one of the EAP types of authentication. I need to figure out how to cover the auditing aspect, perhaps there is a provision to email the logs on a daily basis. Otherwise, I guess I can punch a hole through the firewall to access the nodes over the internet, a less ideal solution.

Thanks for all your assistance, hopefully everything will go smoothly during the deployment this week.
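For the auditing aspect, one approach that needs no controller is to have the AP send its syslog output to a host on the wired side of the practice and summarise it once a day. The following is an added example, not code from this thread or from Cisco: a Python script that turns a day's AP syslog into an audit record and flags the things a reviewer would want to see (stations that associated with something other than WPAv2, repeated authentication failures from one station, and periods when the RADIUS server was unreachable). The log lines are constructed for this example and only loosely modelled on Cisco IOS access-point messages, so the message names and wording should be checked against the real AP's output before the patterns are relied on.

```python
# Added example: summarise an autonomous AP's syslog feed into a daily audit record.
# SAMPLE_LOG is constructed for this example and loosely modelled on Cisco IOS AP
# messages; verify the exact message names/wording against your own AP's output.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan 14 08:02:11 clinic-ap1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station nurse-laptop 0019.d2aa.bb01 Associated KEY_MGMT[WPAv2]
Jan 14 08:02:40 clinic-ap1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0016.6f11.2233 Associated KEY_MGMT[WPA]
Jan 14 08:04:01 clinic-ap1 %DOT11-7-AUTH_FAILED: Station 001c.b3cc.dd04 Authentication failed
Jan 14 08:04:09 clinic-ap1 %DOT11-7-AUTH_FAILED: Station 001c.b3cc.dd04 Authentication failed
Jan 14 08:04:20 clinic-ap1 %DOT11-7-AUTH_FAILED: Station 001c.b3cc.dd04 Authentication failed
Jan 14 08:05:17 clinic-ap1 %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.10.5:1812,1813 is not responding.
Jan 14 08:06:00 clinic-ap1 %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0019.d2aa.bb01 Reason: Previous authentication no longer valid
Jan 14 08:07:30 clinic-ap1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0019.d2aa.bb01 Associated KEY_MGMT[WPAv2]
"""

# "<month> <day> <hh:mm:ss> <host> %FACILITY-SEV-MNEMONIC: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<msg>%[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")   # Cisco dotted MAC form
KEYMGMT_RE = re.compile(r"KEY_MGMT\[([^\]]+)\]")


def parse_line(line):
    """Return a dict with ts/host/msg/text plus the station MAC and key management, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    mac = MAC_RE.search(event["text"])
    km = KEYMGMT_RE.search(event["text"])
    event["mac"] = mac.group(1) if mac else None
    event["key_mgmt"] = km.group(1) if km else None
    return event


def audit(log_text, required_key_mgmt="WPAv2", failure_threshold=3):
    """Build the daily audit record: per-station counts and a list of findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    assoc, failures = Counter(), Counter()
    weak = defaultdict(set)       # station -> key management types other than the required one
    radius_dead = 0
    for e in events:
        if e["msg"] == "%DOT11-6-ASSOC":
            assoc[e["mac"]] += 1
            if e["key_mgmt"] != required_key_mgmt:
                weak[e["mac"]].add(e["key_mgmt"] or "none")
        elif e["msg"] == "%DOT11-7-AUTH_FAILED":
            failures[e["mac"]] += 1
        elif e["msg"].startswith("%RADIUS-") and "not responding" in e["text"]:
            radius_dead += 1

    findings = []
    for mac, kinds in sorted(weak.items()):
        findings.append(f"{mac} associated with {', '.join(sorted(kinds))} instead of {required_key_mgmt}")
    for mac, n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(f"{mac}: {n} authentication failures (threshold {failure_threshold})")
    if radius_dead:
        findings.append(f"RADIUS server marked dead {radius_dead} time(s); clients could not be authenticated")
    return {
        "parsed": len(events),
        "associations": dict(assoc),
        "auth_failures": dict(failures),
        "radius_dead": radius_dead,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['parsed']} events, {len(report['associations'])} stations associated")
    for line in report["findings"]:
        print(" -", line)
```

Run daily over the previous day's file, the summary is what gets reviewed; the raw syslog itself should still be retained, since the summary is only a convenience and the raw record is what an auditor would ask for.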
 