Your wireless network


How to ensure you are meeting Government security standards

Cabinet Office best practice Wi-Fi guidelines

Overview

Cyber Security is a hot topic, but where do you start? The Cabinet Office has provided some assistance for the Public Sector, to help them secure wireless networks, and produced a set of guidelines on Sharing Workplace Wireless Networks. These guidelines were produced by the Cabinet Office as a direct result of their in-depth technical evaluation of the leading Enterprise Wi-Fi solutions for their own Wi-Fi project. The winning solution had several innovative features, including a cloud management platform and a more secure and flexible architecture with distributed controllers in each Access Point instead of a central controller. As a result, the official Wi-Fi guidelines were updated to describe how these features could enhance security.

This document builds on the Cabinet Office experience and provides a summary checklist of the features required in enterprise Wi-Fi when implementing a secure wireless solution compliant with government guidelines.

Download the official guidelines here: https://www.gov.uk/guidance/sharing-workplace-wireless-networks

Onboarding users and devices to Wi-Fi

There are two approved methods of providing authenticated access to a government Wi-Fi network, depending on the type of device used. Access for guests or users with unknown, non-managed devices (generally referred to as BYOD) should follow method 1. If access is required for users with known, fully managed (corporate) devices, method 2 should be followed.

Both methods should adhere to these basic rules:
- Only basic internet access should be provided through Wi-Fi
- Always use VPNs to provide access to privileged resources and servers

Access method 1 - BYOD, Guest, or GovWifi service devices
Sometimes referred to as user.wifi in the guidelines.

Use this method when:
- The device is owned by the user or a third party organisation
- The device is owned by the organisation but uses internet cloud services only, and the device is managed using mobile device management
- You use a strict always-on VPN

This method should always:
- Require user sign up
- Provide access to the internet only
- Prohibit users from accessing any internal systems

Choose an enterprise WLAN solution that provides Client Certification through a Radius server using Active Directory Credentials.

Access method 2 - For managed devices
Sometimes referred to as device.wifi in the guidelines.

Use this method when:
- The user has a managed device without an always-on VPN
- The user has a managed device with a selective always-on VPN policy which allows direct communication on trusted networks

Choose an enterprise WLAN solution that provides Device and Client Certification through a Radius server using Active Directory Credentials and a Certification Authority (CA). This method uses Public Key Infrastructure (PKI) certificates installed on the managed devices to provide strong authentication of devices and users:
- They can't be stolen by rogue networks
- They are almost impossible to extract from devices when the private key is stored in a trusted platform module or smart card

Certificates should be checked for validity using an up to date certificate revocation list (CRL) or using Online Certificate Status Protocol (OCSP).

Choose an enterprise WLAN solution that provides Private Pre Shared Keys for added security.

Roaming

To allow secure roaming between participating buildings within an infrastructure, choose an enterprise WLAN solution that supports:
- Public Key Infrastructure certificates with per user Private Pre Shared Keys
- Easy onboarding of users - look for examples of integrations using APIs that automate self-registration
- Standardising the process by which access is provided to a specific set of SSIDs
- Limiting the SSIDs broadcast to approved locations, and documenting exceptions

For more information on setting up a secure wireless network for roaming, read this government blog: https://governmenttechnology.blog.gov.uk/2016/06/17/wi-fi-security-andgovernment-wide-roaming-solutions/

To allow the use of external authentication systems such as Govroam, Eduroam or GovWifi, choose an enterprise WLAN solution that supports:
- WPA2-Enterprise
- Advanced Encryption Standard (AES)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
- Protected Extensible Authentication Protocol (PEAPv0) EAP method

When configuring the network to allow external authentication for Government employees from trusted systems such as Govroam, Eduroam or GovWifi, do not:
- Implement unencrypted or open networks
- Implement captive portals - these interfere with always-on VPNs
- Allow the user to choose their password - they could reuse the passwords they use for other government services
- Allow access to internal or privileged networks - these should only be accessible using certificates or a VPN client
- Use public pre-shared keys (PSKs), as they provide little privacy between users - use a solution providing per user Private Pre-Shared Keys

Network separation

Choose an enterprise WLAN solution that provides:
- Isolation by SSID and certificate authority (CA), identified by a device certificate
- Dual Ethernet APs to allow separation of networks within the APs
- Support for encrypted tunnels between APs and VPN concentrator
- A firewall to separate IP addressing, routing and access controls for each Wi-Fi network
- VLAN and SSID separation if using multi-tenant environments
- QoS by Application and SSID, with bandwidth limitation applied for each SSID as well as each user
- The capability to ensure that all clients pass through a gateway device before communicating with devices on the same network, and ensuring that only approved services can be accessed
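The "do not use public pre-shared keys" point above rests on how WPA2-PSK derives keys: every client on an SSID turns the same passphrase into the same Pairwise Master Key, so one leaked or shared key is everyone's key. The example below is added here to make that concrete; it is not code from the Cabinet Office guidance or from any WLAN vendor's Private PSK product. It assumes the WPA2-Personal derivation defined in IEEE 802.11 (PMK = PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations, 32 bytes); the registry class, user names and SSIDs are constructed for the example.

```python
"""
Per-user Private PSK versus one shared public PSK.

Added example, not code from the Cabinet Office guidance or any WLAN vendor.
Assumes WPA2-Personal key derivation as specified in IEEE 802.11:
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
The registry class, user names and SSIDs are constructed for the example.
"""
import hashlib
import secrets
import string
from typing import Dict, List

PASSPHRASE_ALPHABET = string.ascii_letters + string.digits
PASSPHRASE_LENGTH = 20  # WPA2 passphrases must be 8-63 printable ASCII characters


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a WPA2-PSK client does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


class PrivatePskRegistry:
    """One passphrase per user on a single SSID.

    With a public PSK every client on the SSID derives the same PMK, so a key
    that leaks from one device is the key for every user, and the only remedy
    is rotating it on every device.  With per-user keys a leak identifies and
    affects exactly one account, which can be revoked on its own.
    """

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self._passphrases: Dict[str, str] = {}  # user -> issued passphrase

    def issue(self, user: str) -> str:
        """Generate and record a fresh random passphrase for a user."""
        if user in self._passphrases:
            raise ValueError(f"{user!r} already has a key; revoke it first")
        passphrase = "".join(secrets.choice(PASSPHRASE_ALPHABET)
                             for _ in range(PASSPHRASE_LENGTH))
        self._passphrases[user] = passphrase
        return passphrase

    def revoke(self, user: str) -> None:
        """Remove one user's key without touching anyone else's."""
        self._passphrases.pop(user, None)

    def pmk_for_user(self, user: str) -> bytes:
        """The PMK the named user's device will derive on this SSID."""
        return wpa2_pmk(self._passphrases[user], self.ssid)

    def users_affected_by_leak(self, leaked_pmk: bytes) -> List[str]:
        """Blast radius of a leaked key: which accounts derive this PMK?"""
        return [u for u, p in self._passphrases.items()
                if wpa2_pmk(p, self.ssid) == leaked_pmk]


if __name__ == "__main__":
    reg = PrivatePskRegistry("user.wifi")  # constructed SSID
    for user in ("alice", "bob"):
        reg.issue(user)
    print("per-user key leak affects:",
          reg.users_affected_by_leak(reg.pmk_for_user("alice")))
    shared = wpa2_pmk("SharedOfficeKey", "guest")  # a public PSK, constructed
    print("public PSK: every client derives", shared.hex()[:16], "...")
```

The `users_affected_by_leak` check is the operational difference between the two models: with a public PSK it would always return every user on the SSID, and the only response to a leak is re-keying every device; with per-user keys it returns one account, which `revoke` removes without disturbing anyone else.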

Coverage

Choose an enterprise WLAN solution with these considerations:
- Automatic channel selection features
- Centrally managed AP hardware
- 5 GHz frequency band and 802.11ac support, plus 802.11ac Wave 2 and MIMO support
- Ensure there's sufficient uplink bandwidth from APs to the building switch infrastructure
- Use 802.3at Type 2 capable switches to power the APs and futureproof the installation
- Disable low-bandwidth Wi-Fi protocols like 802.11a and 802.11g on the 5 GHz band, and confine legacy clients to the 2.4 GHz band
- Ability to broadcast SSIDs only to required areas
- Ability to disable 2.4 GHz radios on APs in large open plan areas to reduce interference
- Ability to manage channel width and implement channel bonding, with fall back to a non-overlapping channel
- Ability to enable dynamic frequency selection (DFS) or 802.11h for the 5 GHz band
- Ability to enable band steering, which works by regulating probe responses to clients: 5 GHz channels are made to appear more attractive by delaying probe responses to clients on 2.4 GHz
- Ability to enable standards based (802.11r) support for smoother roaming for devices on the move
- Ability to enable Wi-Fi Voice Enterprise or equivalent if voice support is required

Administration and monitoring

Choose an enterprise WLAN solution with these considerations:
- Ability to configure an Acceptable Use Policy against an SSID
- Provides central management and reports of usage and trends, with historical network activity and heat maps to provide a visual insight into coverage and use
- Allows API connection and provides analysis of location data to improve business operations, like real time people finder, crowd management and emergency response, queue length reporting, hot desk/meeting room usage and path planning

Security and availability

Choose an enterprise WLAN solution which:
- Enables central management to provide non-obtrusive software upgrades with minimal disruption
- Protects access to all network infrastructure management interfaces, either directly or indirectly, using two-factor authentication

Wired LAN requirements

The security and performance of the WLAN is heavily dependent on the wired LAN. This should be configured as follows:
- Provide uplinks of at least twice the bandwidth of the fastest user connection, to avoid one person impacting the network
- Implement QoS where appropriate
- Shared LANs use 802.1x certificate-based authentication, or restriction to an authorised MAC address, on every accessible floor port
- Use the same authentication methods and servers for both Wi-Fi and wired LAN ports
- Block guest access on wired LAN ports
- The local RADIUS server returns vendor specific attributes (VSAs) to allow the client to access the locally allocated VLAN
- Use the local RADIUS server, if required, to filter and rewrite VSAs received from the central RADIUS proxy
- Do not span VLANs between shared and non-shared switches without agreement to share a spanning tree instance and mitigate the impact of a broadcast storm

Wireless network names and authentication

Choose an enterprise WLAN solution that:
- Provides an easy onboarding process for users to sign up to BYOD, Guest, GovWifi (user.wifi)
- Provides access to the internet only
- Does not allow users to access any internal systems
- Provides per user Private Key Self-Registration against Active Directory
- Automatically and securely connects government managed devices to device.wifi
- Gives devices access to internal local area network (LAN) resources in home buildings or shared buildings, following the shared WAN guidance
- Doesn't require any user set up - it just works
- Gives devices access to the internet for a VPN when roaming
- Can be deployed alongside a VPN client to switch seamlessly between a trusted home network and VPN, using the same authentication infrastructure
- Authenticates devices securely using certificates
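Two of the wired LAN items (the local RADIUS server returning attributes that place the client in the locally allocated VLAN, and filtering or rewriting what the central RADIUS proxy sends back) and the VLAN-and-SSID separation point under Network separation describe the same piece of logic: a local attribute policy applied to an Access-Accept before it reaches the switch or AP. The example below is added to show that policy in working code; it is not code from the Cabinet Office guidance, FreeRADIUS or any WLAN vendor. It assumes VLAN assignment via the IETF tunnel attributes of RFC 2868 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), the RFC 2865 recommended layout for Vendor-Specific attributes (Vendor-Id followed by vendor type/length/value), and a constructed SSID-to-VLAN table, allowed vendor number and sample Access-Accept.

```python
"""
Local RADIUS attribute policy for a shared wired LAN (added example).

Not code from the Cabinet Office guidance, FreeRADIUS or any WLAN vendor.
Assumes: VLAN assignment via RFC 2868 tunnel attributes; Vendor-Specific
attributes in the RFC 2865 recommended layout; the SSID-to-VLAN table, the
allowed vendor number and the sample Access-Accept are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_ATTRS = {ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID}
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: SSID -> VLAN allocated locally, and the one vendor whose
# VSAs the central proxy is trusted to relay (99999 is a placeholder number).
SSID_TO_VLAN = {"device.wifi": 100, "user.wifi": 200}
ALLOWED_VENDOR_IDS = {99999}


@dataclass
class Attr:
    type: int
    value: bytes


def parse_attrs(data: bytes) -> List[Attr]:
    """Walk the Type/Length/Value attribute list of a RADIUS packet body."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):  # length octet includes type+length
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append(Attr(atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Inverse of parse_attrs; values are capped so the length octet fits."""
    out = bytearray()
    for a in attrs:
        if len(a.value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([a.type, len(a.value) + 2]) + a.value
    return bytes(out)


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a Vendor-Specific value into (Vendor-Id, [(vendor type, value)])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def tagged_int(tag: int, n: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet plus a 24-bit integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def vlan_attrs(vlan_id: int, tag: int = 0) -> List[Attr]:
    """The three RFC 2868 attributes a NAS needs to place a port in a VLAN."""
    return [Attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
            Attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
            Attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]


def vlan_of(attrs: List[Attr]):
    """Read the VLAN ID out of Tunnel-Private-Group-ID (leading tag octet optional)."""
    for a in attrs:
        if a.type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            v = a.value[1:] if a.value and a.value[0] <= 0x1F else a.value
            return int(v.decode())
    return None


def rewrite_accept(attrs: List[Attr], ssid: str) -> Tuple[List[Attr], List[Attr]]:
    """Apply local policy to an Access-Accept relayed by the central proxy.

    Any VLAN the proxy tried to assign is dropped (it does not know our VLAN
    plan), VSAs from unexpected vendors are dropped, and the VLAN allocated
    locally for the SSID is appended.  Returns (kept, dropped).
    """
    if ssid not in SSID_TO_VLAN:
        raise ValueError(f"no local VLAN for SSID {ssid!r}")
    kept, dropped = [], []
    for a in attrs:
        if a.type in TUNNEL_ATTRS:
            dropped.append(a)
        elif a.type == ATTR_VENDOR_SPECIFIC and parse_vsa(a.value)[0] not in ALLOWED_VENDOR_IDS:
            dropped.append(a)
        else:
            kept.append(a)
    kept.extend(vlan_attrs(SSID_TO_VLAN[ssid]))
    return kept, dropped


# Constructed sample: what the central proxy might hand back for one user.
SAMPLE_PROXY_ACCEPT = encode_attrs([
    Attr(ATTR_USER_NAME, b"alice@example.gov.uk"),
    *vlan_attrs(999),  # a VLAN that only means something on the proxy's network
    Attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", 99999) + bytes([1, 7]) + b"hello"),
    Attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", 12345) + bytes([2, 5]) + b"xyz"),
])
```

Run against `SAMPLE_PROXY_ACCEPT` for the `device.wifi` SSID, `rewrite_accept` discards the proxy's VLAN 999 and the VSA from the unknown vendor, keeps the User-Name and the approved VSA, and appends VLAN 100. The same dispatch is what keeps the SSID-to-VLAN mapping under local control in a multi-tenant building: the central proxy decides whether the user is authenticated, the local server decides where on the LAN that user lands.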

Implement the design

Choose an enterprise WLAN installation partner that:
- Has relevant experience of installing secure wireless networks that meet the criteria described in this document
- Provides Prince 2 qualified Project Management
- Recommends a Capacity Survey, Coverage Survey and Mounting Survey to identify all the risks prior to design and installation
- Includes both logical and physical constraints in the Risk Assessment and Method Statements
- Differentiates between general coverage and high capacity
- Identifies structured cabling requirements for APs, with 2 Cat5e or Cat6 connections per AP
- Considers network architecture and switch requirements, especially with regard to PoE support for APs
- Includes an assessment of Cyber Security requirements

Further reading

For more information on the Cabinet Office case study that inspired the guidelines, visit the link below:
http://www.aerohive.com/company/press-releases/2015/aerohivenetworks-selected-by-uk-cabinet-office-to-underpin-technologytransformation-programme.html

To find out more about how to design and implement a compliant, secure Wi-Fi network, visit the link below:
https://www.ait-pg.co.uk/solutions-and-services/networking-mobility-security/network-security/

Contact

For more information on how to deploy intelligent Wi-Fi, please get in touch. Call 0845 293 2790 or visit our website www.ait-pg.co.uk