worksafebcs wireless lan implementation …with a focus on security ubc october 2, 2008 allan alton,...


WorkSafeBC's Wireless LAN Implementation …with a focus on security

UBC, October 2, 2008

Allan Alton, BSc, CISA, CISSP

Agenda

• Goals
  • Functional
  • Security
• Architecture Overview
• Challenges
• Futures

Goals - Functional

From:
• Head Office and 17 area offices/work centres
• Meeting rooms
• Common areas (lobby, atrium, lounge, cafeteria)
• Parking lot edge (drive-by downloading)

Goals - Functional

To:
• Employee access to internal network
• Guest access to Internet
• Broader Public Sector (BPS) employee access to Internet

Goals - Functional

Using:
• existing built-in client adapters
  • PC Card adapter for exceptions
• Windows XP client software
  • standardized client for easier support
• 802.11g and 802.11a only
  • no 802.11b due to performance penalty

802.11b Exclusion

Goals - Security

• Tip for success: Work with your security group from the beginning

Network Services & IS Security

Goals - Security

• Wi-Fi Protected Access 2 (WPA2) only
• Firewall separation from internal network
• SSID not broadcast (except for guest)
• Integration with Active Directory
• Wireless intrusion detection
• Intrusion detection at wired network entry
• Access Points physically hidden

Goals - Security: 802.1x EAP Types

EAP types compared (columns):
• MD5: Message Digest 5
• TLS: Transport Layer Security
• TTLS: Tunneled Transport Layer Security
• PEAP: Protected Transport Layer Security
• FAST: Flexible Authentication via Secure Tunneling
• LEAP: Lightweight Extensible Authentication Protocol

Feature or Benefit               | MD5     | TLS        | TTLS     | PEAP     | FAST     | LEAP
---------------------------------|---------|------------|----------|----------|----------|----------
Client side certificate required | no      | yes        | no       | no       | no (PAC) | no
Server side certificate required | no      | yes        | no       | yes      | no (PAC) | no
WEP key management               | no      | yes        | yes      | yes      | yes      | yes
Rogue AP detection               | no      | no         | no       | no       | yes      | yes
Provider                         | MS      | MS         | Funk     | MS       | Cisco    | Cisco
Authentication Attributes        | One way | Mutual     | Mutual   | Mutual   | Mutual   | Mutual
Deployment Difficulty            | Easy    | Difficult* | Moderate | Moderate | Moderate | Moderate
Wireless Security                | Poor    | Very High  | High     | High     | High     | High**

* Difficult because of client certificate deployment.
** High when strong passwords are used.

Source: http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm

Architecture Overview

• Centralized controller model
• Redundancy measures:
  • Secondary / Tertiary controller assignment for APs
  • Under-load AP/controller ratio for controller failure
  • 802.3ad Link Aggregation for cable failures
  • Switch stacks for switch failure
  • Multiple paths to multiple core switches
  • HSRP for router failure
  • Firewall cluster in active/standby mode

Diagram labels: 802.3ad link aggregation; switch stack for switch failure; multiple paths to multiple core switches; firewall cluster in active/standby mode; two slots in core

Logical View

Guest Access

• Separate SSID (broadcast)
• Ethernet over IP tunnel to Internet DMZ
• Authentication models wired guest access
  • SecurID token held by Help Desk
  • Web page authentication

Guest Access

Legal text:
- be a good person or else
- transmission not encrypted

Call Customer Support Centre if you wish to proceed

Customer Support Centre verifies requirement and provides information to enter

Challenges

• Sorting out rogues (on vs. off network)
• Problems in remote offices
  • Interference, rogues, security attacks
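One way to sort detected rogues into on-network and off-network, as an added example that is not WorkSafeBC's code: correlate BSSIDs seen over the air with the MAC (CAM) tables of the wired switches. The BSSID-adjacency heuristic, the names and all sample data below are constructed assumptions, not anything the presentation describes.

```python
"""Classify unauthorized access points as on-network or off-network rogues.

Assumption (not from the presentation): an AP's radio BSSID is usually a
small offset from the MAC of its wired port, so a rogue whose BSSID, or a
neighbouring address, shows up in a switch CAM table is plugged into our
LAN ("on-network"); anything else is a neighbour ("off-network").
"""

# Constructed sample data: BSSIDs of our own controller-managed APs.
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:50", "00:1a:2b:3c:4d:60"}

# Constructed over-the-air scan: BSSID -> SSID.
SCAN = {
    "00:1a:2b:3c:4d:50": "wsbc-guest",       # our own AP
    "00:11:22:33:44:55": "linksys",          # rogue, wired into our LAN
    "aa:bb:cc:dd:ee:01": "coffeeshop",       # neighbour, off network
}

# Constructed CAM table entries: (switch, port, mac).
CAM = [
    ("sw-hq-01", "Gi1/0/12", "00:11:22:33:44:54"),  # rogue's wired side
    ("sw-hq-01", "Gi1/0/03", "00:1a:2b:3c:4d:4f"),  # authorized AP's wired side
]


def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' to an integer so offsets can be compared."""
    return int(mac.replace(":", ""), 16)


def classify_rogues(scan, authorized, cam, max_offset=2):
    """Return {bssid: (status, switch, port)} for each unauthorized BSSID.

    status is 'on-network' when the BSSID, or an address within max_offset
    of it, appears in a CAM table; otherwise 'off-network'.
    """
    wired = {mac_to_int(mac): (switch, port) for switch, port, mac in cam}
    result = {}
    for bssid in scan:
        if bssid in authorized:
            continue
        base = mac_to_int(bssid)
        hit = next((wired[base + off] for off in range(-max_offset, max_offset + 1)
                    if base + off in wired), None)
        result[bssid] = ("on-network", *hit) if hit else ("off-network", None, None)
    return result


if __name__ == "__main__":
    for bssid, (status, switch, port) in classify_rogues(SCAN, AUTHORIZED_BSSIDS, CAM).items():
        where = f" on {switch} {port}" if switch else ""
        print(f"{bssid} ({SCAN[bssid]}): {status}{where}")
```

In practice the CAM tables come from the switches (via SNMP or CLI export) and the scan from the controller's rogue report; an on-network hit gives the port to disable.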

Futures

• Broader Public Sector access
• Location: Will explore these capabilities
• 802.11n: No real requirement
• Non-workstation devices: will consider
• Voice over WLAN
  • No plans, VoIP experimental on wired side
  • Did site survey for voice coverage

Diagram labels: Additional for voice; First phase installation

Antenna Research

• Greater RF gain needed

• Users are more mobile

• Integration with personal protective gear

• Sophisticated look – coolness factor

Questions
