New Windows build with WLAN access
SecRep 24, 17-18 May 2016
Ahmed Benallegue / Hassan El Ghouizy / Priyan Ariyansinghe, ECMWF
network_services@ecmwf.int
ECMWF, May 19, 2016
Introduction
- Drivers for the new WLAN access
- Security challenges and how they were addressed
- The WLAN access for the new laptop build
- Wi-Fi authentication for the new laptop build
Drivers for the new WLAN access
- New desktop strategy: one image for workstations and laptops, provided by ECMWF
- Requirement for wireless LAN (WLAN) connectivity
Security challenges and how they were addressed
Challenges
- Workstations do not move, but laptops go everywhere and try to connect to any available Wi-Fi network
- Result: the new ECMWF standard build needs strong protection
Approach
1. The Server and Desktop section defined a standard build
2. The standard build was deployed on an ECMWF laptop
3. The laptop was provided to an external company for an assessment of its security configuration, covering:
   - Lost/stolen scenario
   - Patch level assessment
   - Account/user management
   - Breakout and escalation
Security challenges and how they were addressed
Results of the review: attention required
- 5 high risk issues
- 17 medium risk issues
- 15 low risk issues
Action taken
- Worked hand in hand with the Server and Desktop section
- All 5 high risk issues were addressed
- 9 medium risk issues addressed, 8 rejected
- Rejected = covered by user awareness, will be addressed by other means, or to be reviewed in the future
The WLAN access for the new laptop build
Business need
- New SSID for laptops in the ECMWF domain, connected to the LAN
- Assumption: the new standard build is secure
Deployment
- 2 new VLANs for the WLAN SSID
- Use of the DHCP service on the Infoblox DDI appliances
The WLAN access for the new laptop build: WLAN evolution

                  Before 2012                2012-2016                  2016-2020
Infrastructure    Cisco                      Aerohive                   Aerohive
                  2 controllers              1 management system        1 management system
                  ~30 APs                    ~50 APs                    ~80 APs
Security          Client connected to        Client connected to        User connected to DMZ / LAN
                  the DMZ                    the DMZ                    MS-CHAP auth
                  PAP authentication         PAP for external users     EAP-TLS for DMZ access
                  for visitors               EAP-TLS for staff          Laptop certificate & user
                  EAP-TLS for staff                                     auth for LAN access
Enhanced          Autonomous wireless network; easy to set up; outdoor coverage; Eduroam network
services
The WLAN access for the new laptop build
New VLAN deployment: a good opportunity to deploy a new DHCP service using an Infoblox DHCP failover association
- Simply put, a failover association defines the relationship between a pair of DHCP servers
- A DHCPDISCOVER is received by both DHCP servers, but only one peer responds to the request
- The default is a 50/50 split, so each peer responds to requests on a (roughly) equal basis
Wi-Fi authentication for the new laptop build
Why is wireless security important?
Wired networks:
- Signals can't be intercepted without physical access to the wire
- Controlled environment
- High security
Wireless networks:
- Data transmitted over the WLAN can be intercepted and viewed by an attacker
- Unlicensed frequency bands: 2.4 GHz and 5 GHz
Wi-Fi authentication for the new laptop build
Why is it important to get the security right for the ECSTAFF wireless network?
- ECMWF data and research data must be protected
- Only authorised devices must be allowed
- Users don't care about security
Wi-Fi authentication for the new laptop build
Challenges:
- Secure software and hardware
- Strong encryption
- Access control
- Strong authentication
Wi-Fi authentication for the new laptop build
Secure software and hardware
Client side:
- Windows 7 SP1 + Windows WLAN controller
- Aerohive AP120/AP330/AP320/AP170
Server side:
- FreeRADIUS version 2.2.6 on SLES SP3
- NTLM auth, Kerberos
Strong encryption
- WPA2 with AES (CCMP)
Wi-Fi authentication for the new laptop build
Access control
Client side
- Authorised Windows 7 laptops (joined to the domain)
- Self-signed certificate (computer level)
Wi-Fi authentication for the new laptop build
Access control (contd.)
Server side
Authorised Windows laptops, e.g. in the authorize section of the virtual server:

    authorize {
        # look the supplicant up in the SQL table of authorised laptops
        sql
        # the lookup must succeed, otherwise the request is rejected
        if (!ok) {
            reject
        }
    }

EAP and PEAP check items:

    EAP-Type == PEAP
    Auth-Type == eap
Wi-Fi authentication for the new laptop build
Access control (contd.)
Server side
Authorised access points, e.g. in clients.conf (only a NAS listed here, and holding the shared secret, may send requests):

    client xxx.xxx.xxx.xxx/32 {
        secret    = ******************
        shortname = ah-ap-51-rec
    }
Wi-Fi authentication for the new laptop build
Strong authentication: EAP-TLS or PEAP-MSCHAP, on a Linux platform (FreeRADIUS) or a Microsoft platform (NPS)

1. EAP-TLS, Linux platform (FreeRADIUS)
   Advantages:    + Secure  + Cross platform  + Skills
   Disadvantages: - Admin overhead  - Certificate management (PKI)  - Untrusted devices
2. EAP-TLS, Microsoft platform (NPS)
   Advantages:    + Secure  + Ease of management  + Trusted devices
   Disadvantages: - No PKI in place  - Out of control  - Doesn't support cross platform
3. PEAP-MSCHAP, Linux platform (FreeRADIUS)
   Advantages:    + Cross platform  + Trusted devices  + Defence in depth  + Secure  + Skills
   Disadvantages: - Less secure compared to TLS  - Less involvement  - Misconfiguration
4. PEAP-MSCHAP, Microsoft platform (NPS)
   Advantages:    + Easy to manage  + Trusted devices  + Secure
   Disadvantages: - Less secure compared to TLS  - No PKI in place  - Out of control  - Doesn't support cross platform
New Windows build with WLAN access
RADIUS logs

    Thu Apr 7 09:38:26 2016 : Auth: Login OK: [host/xxxxx.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
    Thu Apr 7 09:46:22 2016 : Auth: Login OK: [host/yyyyy.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
    Thu Apr 7 09:47:19 2016 : Auth: Login OK: [host/zzzzz.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
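An added example, not part of the ECMWF slides: it parses FreeRADIUS 2.x "Auth:" log lines like the ones above and re-checks the access-control policy of the preceding slides against what the server actually accepted. Requests must come from a known access point (the clients.conf shortnames), an accepted identity must be a domain machine account (host/...ad.ecmwf.int) that is on the authorised-laptop list the sql lookup enforces, and repeated MS-CHAPv2 failures for one identity are flagged. The three "Login OK" lines are the ones shown above; the unknown-AP line, the user-identity line, the failure lines, the authorised-host and AP sets and the failure threshold are constructed for this example.

```python
"""Policy checks over FreeRADIUS 2.x "Auth:" log lines (added example)."""
import re
from collections import Counter

# Policy inputs. Constructed for this example: in the real deployment the
# laptop list is the SQL table queried by the authorize section and the
# AP list is the set of client {} shortnames in clients.conf.
AUTHORISED_APS = {"ah-ap-lan168-f3", "ah-ap-51-rec"}
AUTHORISED_HOSTS = {
    "host/xxxxx.ad.ecmwf.int",
    "host/yyyyy.ad.ecmwf.int",
    "host/zzzzz.ad.ecmwf.int",
}
# Machine accounts authenticate as host/<computer>.<domain>; anything else is a user.
MACHINE_ACCOUNT = re.compile(r"^host/[A-Za-z0-9-]+\.ad\.ecmwf\.int$")

# One "Auth:" line of the FreeRADIUS 2.x radius.log. The reason, "cli" and
# "via" parts are optional: failures carry a reason, inner-tunnel
# authentications carry "via TLS tunnel".
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?(?: via (?P<via>[^)]+))?\)$"
)

SAMPLE_LOG = [
    # The three lines from the slide (hostnames redacted as on the slide):
    "Thu Apr 7 09:38:26 2016 : Auth: Login OK: [host/xxxxx.ad.ecmwf.int] "
    "(from client ah-ap-lan168-f3 port 0 via TLS tunnel)",
    "Thu Apr 7 09:46:22 2016 : Auth: Login OK: [host/yyyyy.ad.ecmwf.int] "
    "(from client ah-ap-lan168-f3 port 0 via TLS tunnel)",
    "Thu Apr 7 09:47:19 2016 : Auth: Login OK: [host/zzzzz.ad.ecmwf.int] "
    "(from client ah-ap-lan168-f3 port 0 via TLS tunnel)",
    # Constructed lines to exercise the checks:
    "Thu Apr 7 09:50:01 2016 : Auth: Login OK: [jsmith] "
    "(from client ah-ap-lan168-f3 port 0 via TLS tunnel)",
    "Thu Apr 7 09:51:10 2016 : Auth: Login OK: [host/rogue.ad.ecmwf.int] "
    "(from client ah-ap-unknown port 0 via TLS tunnel)",
    "Thu Apr 7 09:52:00 2016 : Auth: Login incorrect (mschap: MS-CHAP2-Response is "
    "incorrect): [host/yyyyy.ad.ecmwf.int] (from client ah-ap-51-rec port 0 via TLS tunnel)",
    "Thu Apr 7 09:52:05 2016 : Auth: Login incorrect (mschap: MS-CHAP2-Response is "
    "incorrect): [host/yyyyy.ad.ecmwf.int] (from client ah-ap-51-rec port 0 via TLS tunnel)",
    "Thu Apr 7 09:52:09 2016 : Auth: Login incorrect (mschap: MS-CHAP2-Response is "
    "incorrect): [host/yyyyy.ad.ecmwf.int] (from client ah-ap-51-rec port 0 via TLS tunnel)",
    "Thu Apr 7 09:53:00 2016 : Info: Ready to process requests.",
]


def parse_auth_line(line):
    """Return the fields of one 'Auth:' line as a dict, or None for any other line."""
    m = AUTH_LINE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, fail_threshold=3):
    """Apply the policy to a list of log lines.

    Returns (findings, failures): findings is a list of (line_no, message), with
    line_no 0 for per-identity findings; failures counts failed logins per identity.
    """
    findings = []
    failures = Counter()
    for n, line in enumerate(lines, 1):
        rec = parse_auth_line(line)
        if rec is None:
            if "Auth:" in line:            # an Auth line we could not parse is itself a finding
                findings.append((n, "unparsed Auth line"))
            continue
        if rec["client"] not in AUTHORISED_APS:
            findings.append((n, f"request from unknown NAS {rec['client']}"))
        if rec["result"] == "OK":
            if not MACHINE_ACCOUNT.match(rec["user"]):
                findings.append((n, f"non-machine identity accepted: {rec['user']}"))
            elif rec["user"] not in AUTHORISED_HOSTS:
                findings.append((n, f"host not in authorised list accepted: {rec['user']}"))
        else:
            failures[rec["user"]] += 1
    for user, count in failures.items():
        if count >= fail_threshold:
            findings.append((0, f"{count} failed logins for {user} (possible MS-CHAPv2 guessing)"))
    return findings, failures


if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_LOG)[0]:
        print(f"line {line_no}: {message}")
```

The accepted-identity checks deliberately run only on "Login OK" lines: a rejected request for an unknown host is the server doing its job, while an accepted one means the sql lookup or the EAP-Type check items are not enforcing what the slides describe.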