worksafebcs wireless lan implementation …with a focus on security ubc october 2, 2008 allan alton,...
TRANSCRIPT
![Page 1: WorkSafeBCs Wireless LAN Implementation …with a focus on security UBC October 2, 2008 Allan Alton, BSc, CISA, CISSP](https://reader035.vdocument.in/reader035/viewer/2022062511/55195daf550346b9198b46da/html5/thumbnails/1.jpg)
WorkSafeBC’s Wireless LAN Implementation …with a focus on security
UBC, October 2, 2008
Allan Alton, BSc, CISA, CISSP
Page 2
Agenda
• Goals
  • Functional
  • Security
• Architecture Overview
• Challenges
• Futures
Page 3
Goals - Functional
From:
• Head Office and 17 area offices/work centres
• Meeting rooms
• Common areas (lobby, atrium, lounge, cafeteria)
• Parking lot edge (drive-by downloading)
Page 4
Goals - Functional
To:
• Employee access to internal network
• Guest access to Internet
• Broader Public Sector (BPS) employee access to Internet
Page 5
Goals - Functional
Using:
• existing built-in client adapters
  • PC Card adapter for exceptions
• Windows XP client software
  • standardized client for easier support
• 802.11g and 802.11a only
  • no 802.11b due to performance penalty
Page 6
802.11b Exclusion
Page 7
Goals - Security
• Tip for success: Work with your security group from the beginning
Network Services & IS Security
Page 8
Goals - Security
• Wi-Fi Protected Access 2 (WPA2) only
• Firewall separation from internal network
• SSID not broadcast (except for guest)
• Integration with Active Directory
• Wireless intrusion detection
• Intrusion detection at wired network entry
• Access Points physically hidden
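The "SSID not broadcast" goal is an operational choice rather than a security control: the name is omitted from beacons, but the access point still sends it in probe responses and clients send it in probe requests, so anyone listening recovers it within seconds. The following added example (not from the WorkSafeBC deck; the frames, MAC addresses and the SSID "corp-wlan" are all constructed) parses 802.11 management frames and shows the hidden SSID being recovered from exactly those frames.

```python
"""Recover a non-broadcast ("hidden") SSID from 802.11 management frames.

Added example, not from the WorkSafeBC deck. All frames, MAC addresses and
the SSID "corp-wlan" are constructed for illustration.
"""

SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
IE_SSID = 0x00
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, addr3, fixed, ies):
    """Minimal 802.11 management frame: 24-byte MAC header, the subtype's
    fixed parameters, then tagged IEs given as (id, value) pairs."""
    frame_control = bytes([subtype << 4, 0x00])  # type 0 = management, flags 0
    header = frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = b"".join(bytes([eid, len(val)]) + val for eid, val in ies)
    return header + fixed + body


def parse_mgmt_frame(frame):
    """Return subtype, source, BSSID and the SSID carried in the frame
    (None when absent or hidden, i.e. a zero-length or all-NUL SSID IE)."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 header")
    if (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = frame[0] >> 4
    src, bssid = frame[10:16], frame[16:22]
    # Beacons and probe responses carry 12 bytes of fixed parameters
    # (timestamp 8, beacon interval 2, capability 2); probe requests do not.
    offset = 24 + (12 if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP) else 0)
    ssid = None
    while offset + 2 <= len(frame):
        eid, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2 : offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if eid == IE_SSID and length and value.count(0) != length:
            ssid = value.decode("utf-8", "replace")
        offset += 2 + length
    return {"subtype": subtype, "src": mac_str(src), "bssid": mac_str(bssid), "ssid": ssid}


def resolve_hidden_ssids(frames):
    """Map each BSSID to {"hidden": bool, "ssid": str|None}. A BSSID whose
    beacons omit the SSID is hidden, but its probe responses name it; the
    SSIDs clients actively probe for are collected as well."""
    aps, probed = {}, set()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f["subtype"] == SUBTYPE_PROBE_REQ:
            if f["ssid"]:
                probed.add(f["ssid"])  # BSSID is broadcast here, so only the name is useful
            continue
        entry = aps.setdefault(f["bssid"], {"hidden": False, "ssid": None})
        if f["subtype"] == SUBTYPE_BEACON and f["ssid"] is None:
            entry["hidden"] = True
        elif f["ssid"] and entry["ssid"] is None:
            entry["ssid"] = f["ssid"]
    return {"aps": aps, "probed_ssids": probed}


# Constructed capture: a hidden beacon, a client probing for the name, and
# the AP's probe response that reveals it.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddee01")
FIXED = bytes(12)  # timestamp, beacon interval, capability (values irrelevant here)
RATES = (0x01, b"\x82\x84\x8b\x96")
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, FIXED, [(IE_SSID, b""), RATES]),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, b"", [(IE_SSID, b"corp-wlan"), RATES]),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, FIXED, [(IE_SSID, b"corp-wlan"), RATES]),
]

if __name__ == "__main__":
    print(resolve_hidden_ssids(SAMPLE_FRAMES))
```

The AP's beacon carries a zero-length SSID element, yet the same BSSID answers the client's directed probe with the name in clear, and the client keeps broadcasting that name in probe requests wherever it goes. Hiding the SSID therefore buys nothing against an attacker and only costs client usability; the controls on the slide that actually matter are WPA2 with 802.1X and the firewall separation.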
Page 9
Goals - Security
802.1X EAP types compared (EAP type across, feature or benefit down):

| Feature or benefit | MD5 (Message Digest 5) | TLS (Transport Layer Security) | TTLS (Tunneled Transport Layer Security) | PEAP (Protected Extensible Authentication Protocol) | FAST (Flexible Authentication via Secure Tunneling) | LEAP (Lightweight Extensible Authentication Protocol) |
|---|---|---|---|---|---|---|
| Client side certificate required | no | yes | no | no | no (PAC) | no |
| Server side certificate required | no | yes | yes | yes | no (PAC) | no |
| WEP key management | no | yes | yes | yes | yes | yes |
| Rogue AP detection | no | no | no | no | yes | yes |
| Provider | MS | MS | Funk | MS | Cisco | Cisco |
| Authentication attributes | One way | Mutual | Mutual | Mutual | Mutual | Mutual |
| Deployment difficulty | Easy | Difficult (because of client certificate deployment) | Moderate | Moderate | Moderate | Moderate |
| Wireless security | Poor | Very High | High | High | High | High when strong passwords are used |

Source: http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm
Page 10
Architecture Overview
• Centralized controller model
• Redundancy measures:
  • Secondary / Tertiary controller assignment for APs
  • Under-load AP/controller ratio for controller failure
  • 802.3ad Link Aggregation for cable failures
  • Switch stacks for switch failure
  • Multiple paths to multiple core switches
  • HSRP for router failure
  • Firewall cluster in active/standby mode
Page 11
Figure (physical redundancy diagram); labels: 802.3ad link aggregation; switch stack for switch failure; multiple paths to multiple core switches; firewall cluster in active/standby mode; two slots in core
Page 12
Logical View
Page 13
Guest Access
• Separate SSID (broadcast)
• Ethernet over IP tunnel to Internet DMZ
• Authentication models wired guest access
  • SecurID token held by Help Desk
  • Web page authentication
Page 14
Guest Access
Legal text:
- be a good person or else
- transmission not encrypted
Call Customer Support Centre if you wish to proceed
Customer Support Centre verifies requirement and provides information to enter
Page 15
Challenges
• Sorting out rogues (on vs. off network)
• Problems in remote offices
  • Interference, rogues, security attacks
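"Sorting out rogues (on vs. off network)" is the part of wireless IDS that takes the most analyst time: a neighbour's access point seen over the air is a nuisance, while an unauthorised AP plugged into one of your own switch ports is a bypass of the firewall separation. The following added example (not from the WorkSafeBC deck; the rogue list, the wired MAC table and the SSID names are constructed) shows one common triage rule. The matching rule is an assumption about consumer APs, which usually derive their BSSIDs from the wired MAC by a small offset, so a rogue BSSID within a few addresses of a MAC learned on one of your switch ports is treated as on the wire.

```python
"""Sort WIDS-reported rogue APs into on-network vs off-network.

Added example, not from the WorkSafeBC deck. The rogue list, the wired MAC
(CAM) table and the SSID names are constructed. The matching rule is an
assumption: many APs derive their BSSIDs from the wired MAC by a small
offset, so a rogue BSSID within a few addresses of a MAC learned on one of
our switch ports is treated as plugged into our LAN.
"""

SEVERITY = {"on-network": 0, "impersonating": 1, "off-network": 2}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(n):
    return ":".join(f"{(n >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))


def find_wired_match(bssid, wired, max_offset):
    """Nearest wired MAC within +/-max_offset of the BSSID, same OUI only
    (a different vendor prefix makes an offset match meaningless)."""
    b = mac_to_int(bssid)
    for d in range(max_offset + 1):
        for n in (b - d, b + d):
            if n >> 24 == b >> 24 and n in wired:
                return int_to_mac(n), wired[n]
    return None


def classify_rogues(rogues, wired_macs, our_ssids, max_offset=8):
    """rogues: dicts with bssid, ssid, rssi. wired_macs: mac -> (switch, port)
    as learned from the switches' MAC address tables. Returns the rogues
    tagged and ordered by severity: on our wire first, then off-network APs
    advertising our SSIDs (evil twin / honeypot), then neighbours."""
    wired = {mac_to_int(m): loc for m, loc in wired_macs.items()}
    tagged = []
    for r in rogues:
        match = find_wired_match(r["bssid"], wired, max_offset)
        if match:
            status = "on-network"
        elif r["ssid"] in our_ssids:
            status = "impersonating"
        else:
            status = "off-network"
        tagged.append({**r, "status": status, "wired_match": match})
    return sorted(tagged, key=lambda r: SEVERITY[r["status"]])


# Constructed inputs (SSID names, addresses, switch and port names are made up)
OUR_SSIDS = {"corp-wlan", "guest-wlan"}
WIRED_MACS = {
    "00:1a:2b:3c:4d:50": ("sw-ho-3", "Gi1/0/12"),
    "00:1a:2b:3c:4d:51": ("sw-ho-3", "Gi1/0/12"),
    "00:0c:29:aa:bb:cc": ("sw-ho-1", "Gi1/0/3"),
}
ROGUES = [
    {"bssid": "00:1a:2b:3c:4d:52", "ssid": "linksys", "rssi": -48},
    {"bssid": "00:1a:2b:3c:4d:60", "ssid": "linksys", "rssi": -75},
    {"bssid": "00:25:9c:11:22:33", "ssid": "guest-wlan", "rssi": -70},
    {"bssid": "00:25:9c:11:22:40", "ssid": "cafe-free-wifi", "rssi": -82},
]

if __name__ == "__main__":
    for r in classify_rogues(ROGUES, WIRED_MACS, OUR_SSIDS):
        print(r["status"], r["bssid"], r["ssid"], r["wired_match"])
```

The offset rule only catches APs bridged onto the LAN with a BSSID derived from their wired MAC; a rogue behind a NAT router presents a different WAN MAC and will come out as off-network. Controllers that offer it usually back this up with an active check (a rogue-detector AP or a wired probe that tries to reach the rogue's clients through the wire), and the on-network result should still end with someone shutting the switch port identified in the match.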
Page 16
Futures
• Broader Public Sector access
• Location: Will explore these capabilities
• 802.11n: No real requirement
• Non-workstation devices: will consider
• Voice over WLAN
  • No plans, VoIP experimental on wired side
  • Did site survey for voice coverage
Page 17
Figure (AP placement plan); labels: First phase installation; Additional for voice
Page 18
Antenna Research
• Greater RF gain needed
• Users are more mobile
• Integration with personal protective gear
• Sophisticated look – coolness factor
Page 19
Questions?