WorkSafeBC’s Wireless LAN Implementation …with a focus on security
UBC, October 2, 2008
Allan Alton, BSc, CISA, CISSP
Mar 30, 2015
Agenda
• Goals
  • Functional
  • Security
• Architecture Overview
• Challenges
• Futures
Goals - Functional
• Head Office and 17 area offices/work centres
• Meeting rooms
• Common areas (lobby, atrium, lounge, cafeteria)
• Parking lot edge (drive-by downloading)
From:
Goals - Functional
• Employee access to internal network
• Guest access to Internet
• Broader Public Sector (BPS) employee access to Internet
To:
Goals - Functional
• Existing built-in client adapters
  • PC Card adapter for exceptions
• Windows XP client software
  • Standardized client for easier support
• 802.11g and 802.11a only
  • No 802.11b due to performance penalty
Using:
802.11b Exclusion
Goals - Security
• Tip for success: Work with your security group from the beginning
Network Services & IS Security
Goals - Security
• Wi-Fi Protected Access 2 (WPA2) only
• Firewall separation from internal network
• SSID not broadcast (except for guest)
• Integration with Active Directory
• Wireless intrusion detection
• Intrusion detection at wired network entry
• Access Points physically hidden
Goals - Security
802.1x EAP Types

| Feature or Benefit | MD5 (Message Digest 5) | TLS (Transport Layer Security) | TTLS (Tunneled Transport Layer Security) | PEAP (Protected Transport Layer Security) | FAST (Flexible Authentication via Secure Tunneling) | LEAP (Lightweight Extensible Authentication Protocol) |
|---|---|---|---|---|---|---|
| Client side certificate required | no | yes | no | no | no (PAC) | no |
| Server side certificate required | no | yes | no | yes | no (PAC) | no |
| WEP key management | no | yes | yes | yes | yes | yes |
| Rogue AP detection | no | no | no | no | yes | yes |
| Provider | MS | MS | Funk | MS | Cisco | Cisco |
| Authentication attributes | One way | Mutual | Mutual | Mutual | Mutual | Mutual |
| Deployment difficulty | Easy | Difficult (because of client certificate deployment) | Moderate | Moderate | Moderate | Moderate |
| Wireless security | Poor | Very High | High | High | High | High when strong passwords are used |

Source: http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm
Architecture Overview
• Centralized controller model
• Redundancy measures:
  • Secondary / Tertiary controller assignment for APs
  • Under-load AP/controller ratio for controller failure
  • 802.3ad Link Aggregation for cable failures
  • Switch stacks for switch failure
  • Multiple paths to multiple core switches
  • HSRP for router failure
  • Firewall cluster in active/standby mode
[Diagram: redundancy measures – 802.3ad link aggregation, switch stack for switch failure, multiple paths to multiple core switches, firewall cluster in active/standby mode, two slots in core]
Logical View
Guest Access
• Separate SSID (broadcast)
• Ethernet over IP tunnel to Internet DMZ
• Authentication models wired guest access
  • SecurID token held by Help Desk
  • Web page authentication
Guest Access
• Legal text:
  • be a good person or else
  • transmission not encrypted
• Call Customer Support Centre if you wish to proceed
• Customer Support Centre verifies requirement and provides information to enter
Challenges
• Sorting out rogues (on vs. off network)
• Problems in remote offices
  • Interference, rogues, security attacks
Futures
• Broader Public Sector access
• Location: Will explore these capabilities
• 802.11n: No real requirement
• Non-workstation devices: will consider
• Voice over WLAN
  • No plans, VoIP experimental on wired side
  • Did site survey for voice coverage
Additional for voice
First phase installation
Antenna Research
• Greater RF gain needed
• Users are more mobile
• Integration with personal protective gear
• Sophisticated look – coolness factor
Questions?