New Windows build with WLAN access

New Windows build with WLAN access (slide 1)
SecRep 24, 17-18 May 2016
Ahmed Benallegue / Hassan El Ghouizy / Priyan Ariyansinghe, ECMWF
network_services@ecmwf.int
ECMWF, May 19, 2016

Introduction (slide 2)
- Drivers for the new WLAN access
- Security challenges and how they were addressed
- The WLAN access for the new laptop build
- Wi-Fi authentication for the new laptop build

Drivers for the new WLAN access (slide 3)
- New desktop strategy
- One image for workstations and laptops, provided by ECMWF
- Requirements for wireless LAN (WLAN) connectivity

Security challenges and how they were addressed (slide 4)
Challenges
- Workstations do not move, but laptops go everywhere and try to connect to any available Wi-Fi
- Result: the new ECMWF standard build needs strong protection
Approach
1. The Server and Desktop section defined a standard build
2. The standard build was deployed on an ECMWF laptop
3. The laptop was provided to an external company for an assessment of the security configuration, covering:
   - Lost/stolen scenario
   - Patch level assessment
   - Account/user management
   - Breakout and escalation

Security challenges and how they were addressed (slide 5)
Results of the review: attention required
- 5 high risk issues
- 17 medium risk issues
- 15 low risk issues
Action taken
- Work hand in hand with the Server and Desktop section
- All 5 high risk issues were addressed
- 9 medium risk issues addressed and 8 rejected (rejected = user awareness / will be addressed otherwise / reviewed in the future)

The WLAN access for the new laptop build (slide 6)
Business need
- New SSID for laptops in the ECMWF domain, connected to the LAN
- Assumption: the new standard build is secure
Deployment
- 2 new VLANs for the WLAN SSID
- Use of the DHCP service on Infoblox DDI appliances

The WLAN access for the new laptop build (slide 7)
Infrastructure and security over time:
Before 2012 (Cisco)
- 2 controllers, ~30 APs
- Client connected to the DMZ
- PAP authentication for visitors
- EAP-TLS for staff
2012-2016 (Aerohive)
- 1 management system, ~50 APs
- Client connected to the DMZ
- PAP for external users
- EAP-TLS for staff
2016-2020 (Aerohive)
- 1 management system, ~80 APs
- User connected to DMZ / LAN
- MS-CHAP auth
- EAP-TLS for DMZ access
- Laptop certificate & user auth for LAN access
Enhanced services: autonomous wireless network; easy to set up; outdoor coverage; eduroam network.

The WLAN access for the new laptop build (slide 8)

The WLAN access for the new laptop build (slide 9)
New VLAN deployment: a good opportunity to deploy a new DHCP service using an Infoblox DHCP failover association.
- Simply put, a failover association defines the relationship between a pair of DHCP servers.
- A DHCPDISCOVER packet is received by both DHCP servers, but only one peer responds to the request.
- The default is a 50/50 split, so each peer responds to requests on a (roughly) equal basis.

Wi-Fi authentication for the new laptop build (slide 10)
Why is wireless security important?
Wired networks:
- Can't intercept the signals down the wire
- Controlled environment
- High security
Wireless networks:
- Data transmitted over the WLAN could be intercepted and viewed by an attacker
- Unlicensed frequency bands: 2.4 GHz and 5 GHz

Wi-Fi authentication for the new laptop build (slide 11)
Why it's important to get the security right for the ECSTAFF wireless network:
- ECMWF data / research data must be protected
- Only authorised devices must be allowed
- Users don't care about the security

Wi-Fi authentication for the new laptop build (slide 12)
Challenges:
- Secure software and hardware
- Strong encryption
- Access control
- Strong authentication

Wi-Fi authentication for the new laptop build (slide 13)
Secure software and hardware
Client side:
- Windows 7 SP1 + Windows WLAN controller
- Aerohive AP120/AP330/AP320/AP170
Server side:
- FreeRADIUS version 2.2.6 on SLES SP3
- NTLM auth
- Kerberos
Strong encryption: WPA2, AES

Wi-Fi authentication for the new laptop build (slide 14)
Access control, client side:
- Authorised Windows 7 laptops (joined to the domain)
- Self-signed certificate (computer level)

Wi-Fi authentication for the new laptop build (slide 15)
Access control (contd.), server side: authorised Windows laptops, e.g. in the FreeRADIUS authorize section:

    authorize {
        # look the connecting machine account up in the SQL back end
        sql
        # no matching entry: refuse access
        if (!ok) {
            reject
        }
    }

EAP and PEAP check: EAP-Type == PEAP, Auth-Type == eap

Wi-Fi authentication for the new laptop build (slide 16)
Access control (contd.), server side: authorised access points, e.g. a FreeRADIUS client definition:

    client xxx.xxx.xxx.xxx/32 {
        secret    = ******************
        shortname = ah-ap-51-rec
    }

Wi-Fi authentication for the new laptop build (slide 17)
Strong authentication: EAP-TLS vs PEAP-MSCHAP, each compared on a Linux platform (FreeRADIUS) and on a Microsoft platform (NPS).
Advantages cited across the four options:
+ Secure
+ Cross platforms
+ Easy to manage / ease of management
+ Trusted devices
+ Skills
+ Defence in depth
Disadvantages cited across the four options:
- Admin overhead
- Certificate management (PKI)
- No PKI in place
- Less secure compared to TLS
- Out of control
- Less involvement
- Untrusted devices
- Doesn't support cross platform
- Misconfiguration

Wi-Fi authentication for the new laptop build (slide 18)

New Windows build with WLAN access (slide 19)
RADIUS logs:

    Thu Apr 7 09:38:26 2016 : Auth: Login OK: [host/xxxxx.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
    Thu Apr 7 09:46:22 2016 : Auth: Login OK: [host/yyyyy.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
    Thu Apr 7 09:47:19 2016 : Auth: Login OK: [host/zzzzz.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
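As an added example that is not part of the original slides, the check below parses radius.log lines in the format shown above and applies the access-control policy of slides 14-16 to every accepted login: a machine account (host/...) in the laptop domain, authenticated inside the PEAP TLS tunnel, from an access point present in the RADIUS client definitions. The set of known AP shortnames and the two non-slide log lines in the sample are constructed.

```python
import re
# One "Auth:" line of a FreeRADIUS 2.x radius.log, in the shape shown on slide 19.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: \[(?P<identity>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+(?P<tunnel> via TLS tunnel)?\)$"
)
LAPTOP_DOMAIN = ".ad.ecmwf.int"  # machine accounts of the domain-joined laptops
KNOWN_CLIENTS = {"ah-ap-lan168-f3", "ah-ap-51-rec"}  # constructed: AP shortnames from the client definitions

def parse_auth_line(line):
    """Fields of one Auth: line as a dict, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    # "tunnel" is True when the inner (MS-CHAP) auth ran inside the PEAP TLS tunnel
    return m and {**m.groupdict(), "tunnel": m["tunnel"] is not None}

def check_login(rec, known_clients=KNOWN_CLIENTS):
    """Findings for one accepted login against the slide 14-16 policy."""
    findings = []
    if not (rec["identity"].startswith("host/") and rec["identity"].endswith(LAPTOP_DOMAIN)):
        findings.append("identity is not a domain-joined laptop account")
    if not rec["tunnel"]:
        findings.append("authenticated outside the PEAP TLS tunnel")
    if rec["client"] not in known_clients:
        findings.append("RADIUS client is not an authorised access point")
    return findings

def audit(log_text, known_clients=KNOWN_CLIENTS):
    """Return (accepted, rejected, flagged): counts plus accepted logins that break policy."""
    ok, bad, flagged = 0, 0, []
    for rec in filter(None, map(parse_auth_line, log_text.splitlines())):
        if rec["result"] != "OK":
            bad += 1
            continue
        ok += 1
        findings = check_login(rec, known_clients)
        if findings:
            flagged.append((rec["identity"], rec["client"], findings))
    return ok, bad, flagged

# Constructed sample: the three slide-19 lines plus two invented lines (a user
# credential from an unknown AP with no tunnel, and a rejected attempt).
SAMPLE_LOG = """\
Thu Apr 7 09:38:26 2016 : Auth: Login OK: [host/xxxxx.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
Thu Apr 7 09:46:22 2016 : Auth: Login OK: [host/yyyyy.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
Thu Apr 7 09:47:19 2016 : Auth: Login OK: [host/zzzzz.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
Thu Apr 7 09:48:02 2016 : Auth: Login OK: [jdoe] (from client unknown-ap port 0)
Thu Apr 7 09:50:11 2016 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [host/vvvvv.ad.ecmwf.int] (from client ah-ap-lan168-f3 port 0 via TLS tunnel)
"""
```

Running `audit(SAMPLE_LOG)` over the sample counts four accepted and one rejected login and flags only the jdoe entry, with all three policy findings.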

New Windows build with WLAN access (slide 20)