Your wireless network

Transcription

1 Your wireless network How to ensure you are meeting Government security standards Cabinet Office best practice Wi-Fi guidelines Overview Cyber Security is a hot topic but where do you start? The Cabinet Office has provided some assistance for the Public Sector, to help them secure wireless networks, and produced a set of guidelines on Sharing Workplace Wireless Networks. These guidelines were produced by the Cabinet Office as a direct result of their in-depth technical evaluation of the leading Enterprise Wi-Fi solutions for their own Wi-Fi project. The winning solution had several innovative features including a cloud management platform and a more secure and flexible architecture with distributed controllers in each Access Point instead of a central controller. As a result the official Wi-Fi guidelines were updated to describe how these features could enhance security. This document builds on the Cabinet Office experience and provides a summary checklist of the features required in enterprise Wi-Fi when implementing a secure wireless solution compliant with government guidelines. Download the official guidelines here: 1

2 Onboarding users and devices to Wi-Fi There are two approved methods of providing authenticated access to a government Wi-Fi network depending on the type of device used. Access for guests or users with unknown, non-managed devices (generally referred to as BYOD) should follow method 1. If access is required for users with known, fully managed (corporate) devices, method 2 should be followed. Both methods should adhere to these basic rules: Only basic internet access should be provided through Wi-Fi Always use VPNs to provide access to privileged resources and servers Access method 1 - BYOD, Guest, or GovWifi service devices Sometimes referred to as user.wifi in the guidelines Use this method when: The device is owned by the user or third party organisation The device is owned by the organisation but uses internet cloud services only and manages the device using mobile device management You use a strict always-on VPN This method should always: Access method 2 - For managed devices Sometimes referred to as device.wifi in the guidelines Use this method when: The user has a managed device without an always-on VPN The user has a managed device with a selective always-on VPN policy which allows direct communication on trusted networks Choose an enterprise WLAN solution that provides Device and Client Certification through a Radius server using Active Directory Credentials and a Certification Authority (CA). This method uses Public Key Infrastructure (PKI) certificates installed on the managed devices to provide strong authentication of devices and users: Require user sign up Provide access to the internet only Prohibit users from accessing any internal systems Choose an enterprise WLAN solution that provides Client Certification through a Radius server using Active Directory Credentials. They can t be stolen by rogue networks They are almost impossible to extract from devices when the private key is stored in a trusted platform module or smart card Certificates should be checked for validity using an up to date certificate revocation list (CRL) or using Online Certificate Status Protocol (OCSP). Choose an enterprise WLAN solution that provides Private Pre Shared Keys for added security. 2

3 Roaming To allow secure roaming between participating buildings within an infrastructure, choose an enterprise WLAN solution that supports: Public Key Infrastructure certificates with per user Private Pre Shared Keys Easy onboarding of users look for examples of integrations using APIs that automate self-registration Standardising the process by which access is provided to a specific set of SSIDs Limiting the SSIDs broadcast to approved locations and documents exceptions For more information on setting up a secure wireless network for roaming read this government blog: To allow the use of external authentication systems such as Govroam, Eduroam or GovWifi choose an enterprise WLAN solution that supports: WPA2-Enterprise Advanced Encryption Standard (AES) Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) Protected Extensible Authentication Protocol (PEAPv0) EAP method When configuring the network to allow external authentication for Government employees from trusted systems such as Govroam, Eduroam or GovWifi, do not: Implement unencrypted or open networks Implement captive portals - these interfere with always-on VPNs Allow the user to choose their password - they could reuse the passwords they use for other government services Allow access to internal or privileged networks - these should only be accessible using certificates or a VPN client Use public pre-shared keys (PSKs) as they provide little privacy between users use a solution providing per user Private Pre-Shared Keys Network separation Choose an enterprise WLAN solution that provides: Isolation by SSID and certificate authority (CA), identified by a device certificate Dual Ethernet APs to allow separation of networks within the APs Support for encrypted tunnels between APs and VPN concentrator A firewall to separate IP addressing, routing and access controls for each Wi-Fi network VLAN and SSID separation if using multi-tenant environments QoS by Application and SSID, with bandwidth limitation applied for each SSID as well as each user The capability to ensure that all clients pass through a gateway device before communicating with devices on the same network and ensuring that only approved services can be accessed 3

4 Coverage Choose an enterprise WLAN solution with these considerations: Automatic channel selection features Centrally managed AP hardware 5 GHz frequency band and ac support + ac wave 2 and MIMO support Ensure there s sufficient uplink bandwidth from APs to the building switch infrastructure Use at - type 2 capable switches to power the APs and futureproof the installation Disable low-bandwidth Wi-Fi protocols like a and g on the 5 GHz band and confine legacy clients to the 2.4 GHz band Ability to broadcast provide SSIDs only to required areas Ability to disable 2.4 GHz radios on APs in large open plan areas to reduce interference Ability to manage channel width and implement channel bonding with fall back to a non-overlapping channel Ability to enable dynamic frequency selection (DFS) or h for 5 GHz band Ability to enable band steering which works by regulating probe responses to clients and making 5 GHz channels appear more attractive to clients by delaying probe responses to clients on 2.4 GHz Ability to enable standards based (802.11r) support for smoother roaming for devices on the move Ability to enable Wi-Fi Voice Enterprise or equivalent if voice support is required Administration and monitoring Choose an enterprise WLAN solution with these considerations: Ability to configure an Acceptable Use Policy against an SSID Provides central management and reports of usage and trends with historical network activity and heat maps to provide a visual insight into coverage and use Allow API connection and provide analysis of location data to improve business operations, like real time people finder, crowd management and emergency response, queue length reporting, hot desk/meeting room usage and path planning Security and availability Choose an enterprise WLAN solution which: Enables central management to provide non-obtrusive software upgrades with minimal disruption Protects access to all network infrastructure management interfaces either directly or indirectly using two-factor authentication 4

5 Wired LAN requirements The security and performance of the WLAN is heavily dependent on the wired LAN. This should be configured as follows: Wireless network names and authentication Choose an enterprise WLAN solution that: Provides an easy onboarding process for users to sign up to BYOD, Guest, GovWifi (user.wifi) Provides access to the internet only Does not allow users to access any internal systems Provides per user Private Key Self-Registration against Active Directory Automatically and securely connects government managed devices to device.wifi Gives devices access to internal local area network (LAN) resources in home buildings or shared buildings following the shared WAN guidance Doesn t require any user set up - it just works Gives devices access to the internet for a VPN when roaming Can be deployed alongside a VPN client to switch seamlessly between a trusted home network and VPN using the same authentication infrastructure Authenticates devices securely using certificates Provide uplinks at least twice the bandwidth of the fastest user connection to avoid one person impacting the network Implement QoS where appropriate Shared LANs use 802.1x certificate-based authentication or restriction to an authorised MAC address on every accessible floor port Use the same authentication methods and servers for both Wi-Fi and wired LAN ports Block guest access on wired LAN ports Local RADIUS server returns vendor specific attributes (VSAs) to allow the client to access the locally allocated VLAN Use the local RADIUS server, if required, to filter and rewrite VSAs received from the central RADIUS proxy Do not span VLANs between shared and non-shared switches without agreement to share a spanning tree instance and mitigate the impact of a broadcast storm 5

6 Implement the design Choose an enterprise WLAN installation partner that: Has relevant experience of installing secure wireless networks that meet the criteria described in this document Provides Prince 2 qualified Project Management Recommends a Capacity Survey, Coverage Survey and Mounting Survey to identify all the risks prior to design and installation Includes both logical and physical constraints in the Rick Assessment and Method Statements Differentiates between general coverage and high capacity Identifies structured cabling requirements for APs with 2 Cat5e or Cat6 connections per AP Considers network architecture and Switch requirements especially with regard to PoE support for APs Includes an assessment of Cyber Security requirements Further reading For more information on the Cabinet Office case study that inspired the guidelines, visit the link below: To find out more about how to design and implement a compliant, secure Wi-Fi network, visit the link below: network-security/ Contact For more information on how to deploy intelligent Wi-Fi please get in touch. Call or visit our website 6