WorkSafeBC’s Wireless LAN Implementation


Transcript of WorkSafeBC’s Wireless LAN Implementation

  • WorkSafeBC's Wireless LAN Implementation, with a focus on security
    UBC, October 2, 2008
    Allan Alton, BSc, CISA, CISSP

  • Agenda
    - Goals: functional, security
    - Architecture overview
    - Challenges
    - Futures

  • Goals - Functional
    From:
    - Head Office and 17 area offices/work centres
    - Meeting rooms
    - Common areas (lobby, atrium, lounge, cafeteria)
    - Parking lot edge (drive-by downloading)

  • Goals - Functional
    To:
    - Employee access to internal network
    - Guest access to Internet
    - Broader Public Sector (BPS) employee access to Internet

  • Goals - Functional
    Using:
    - Existing built-in client adapters; PC Card adapter for exceptions
    - Windows XP client software; standardized client for easier support
    - 802.11g and 802.11a only; no 802.11b due to the performance penalty

  • 802.11b Exclusion (chart data; percentages as shown on the slide)
    Standard   January 2006   June 2006   August 2007
    802.11a    0%             29%         54%
    802.11g    42%            62%         84%
    802.11b    58%            37%         16%

  • Goals - Security
    Tip for success: work with your security group from the beginning (Network Services & IS Security)

  • Goals - Security
    - Wi-Fi Protected Access 2 (WPA2) only
    - Firewall separation from internal network
    - SSID not broadcast (except for guest)
    - Integration with Active Directory
    - Wireless intrusion detection
    - Intrusion detection at wired network entry
    - Access points physically hidden

  • Goals - Security
    Source: http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm

    802.1X EAP types
    - MD5: Message Digest 5
    - TLS: Transport Layer Security
    - TTLS: Tunneled Transport Layer Security
    - PEAP: Protected Extensible Authentication Protocol
    - FAST: Flexible Authentication via Secure Tunneling
    - LEAP: Lightweight Extensible Authentication Protocol

    Feature or benefit                  MD5       TLS         TTLS       PEAP       FAST       LEAP
    Client-side certificate required    no        yes         no         no         no (PAC)   no
    Server-side certificate required    no        yes         yes        yes        no (PAC)   no
    Dynamic key management (WEP)        no        yes         yes        yes        yes        yes
    Rogue AP detection                  no        no          no         no         yes        yes
    Provider                            MS        MS          Funk       MS         Cisco      Cisco
    Authentication attributes           one way   mutual      mutual     mutual     mutual     mutual
    Deployment difficulty               easy      difficult*  moderate   moderate   moderate   moderate
    Wireless security                   poor      very high   high       high       high       high**

    * because of client certificate deployment
    ** when strong passwords are used

    The "dynamic key management" row is written for WEP because of the table's age; the same per-session keying material that these EAP methods deliver over 802.1X is what WPA2-Enterprise uses to derive its pairwise keys.
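The table rates PEAP and TTLS as "high", but that rating holds only when the client verifies the RADIUS server's certificate before sending credentials through the tunnel. The two wpa_supplicant network blocks below are an added example, not configuration from WorkSafeBC or from the slides: the SSID name, the realm, the CA file path and the choice of PEAP with MSCHAPv2 against Active Directory are assumptions (the deck lists the EAP types but does not say which one was deployed). The first block is the weak form, the second the hardened one; everything else about the two is identical.

```conf
# Added example (not from the WorkSafeBC slides). Assumed names: SSID
# "WSBC-CORP", realm "corp.example", CA file /etc/wpa_supplicant/corp-radius-ca.pem.

# WEAK: no ca_cert, so the supplicant accepts any certificate the far end
# presents. An evil-twin AP running its own RADIUS server gets the
# MSCHAPv2 challenge/response pair, which is cracked offline.
network={
    ssid="WSBC-CORP"
    scan_ssid=1            # required because the corporate SSID is not broadcast
    key_mgmt=WPA-EAP
    proto=RSN              # WPA2 only; no WPA/TKIP fallback
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="jdoe@corp.example"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the RADIUS server's DNS name so the
# supplicant refuses to start the inner MSCHAPv2 exchange with an impostor,
# and keep the real username out of the cleartext outer EAP identity.
network={
    ssid="WSBC-CORP"
    scan_ssid=1
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="changeme"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

scan_ssid=1 shows what hiding the SSID costs the client: because the name is absent from beacons, the supplicant must probe for it explicitly, and those probe requests disclose the SSID wherever the laptop goes, so the hidden SSID is a convenience measure rather than a control; the CA pin and CCMP are the controls. The Windows XP supplicant the deck standardizes on has the same two settings in its PEAP profile ("Validate server certificate" and the trusted root CA selection), and leaving them unset is the XP equivalent of the first block.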

  • Architecture Overview
    Centralized controller model
    Redundancy measures:
    - Secondary / tertiary controller assignment for APs
    - Under-load AP/controller ratio for controller failure
    - 802.3ad link aggregation for cable failures
    - Switch stacks for switch failure
    - Multiple paths to multiple core switches
    - HSRP for router failure
    - Firewall cluster in active/standby mode

  • Architecture diagram (physical view; only the drawing's labels are recoverable here)
    Redundancy callouts: 802.3ad link aggregation; switch stack for switch failure; multiple paths to multiple core switches; firewall cluster in active/standby mode; two slots in core
    Locations: NCC Level 1 holds controllers NCWWC1 and NCWWC2, switch stack NCWES5 (switches 1 and 2), core switch NCWCS1 and the active firewall fw1prod8wc1; Computer Room Level 4 holds controller CRWWC1, switch CRWES11, core switch CRWCS1 and the standby firewall fw1prod8wc2
    VLANs: 899 is the controller management and AP-manager network (10.4.254.0/24; HSRP groups 0 and 1, one active at each site); 898 is the internal side of the firewall cluster (10.4.253.0/24, HSRP); user VLANs 811-816, 821-822, 831-832 and 850-866 sit on the firewall's external side as 10.4.x.0/24 with x = VLAN minus 800, one per regional centre (RC11-RC16, RC21-RC22, RC31-RC32) and one per area office (Abbotsford, Burnaby, Coquitlam, Courtenay, Cranbrook, Fort St. John, Kamloops, Kelowna, Nanaimo, Nelson, North Vancouver, Prince George, Surrey, Terrace, Victoria, Whistler, Williams Lake); the internal network reaches 10.4.x through a static route to the firewall cluster's virtual internal address
    Traffic flows: user data is WPA2-encrypted from the client and carried in the LWAPP tunnel from AP to controller; controller-to-AP, controller-to-firewall and firewall-to-internal traffic use separate switch ports; intrusion detection sensors sit on the wired entry paths; controller management interfaces connect to a separate management switch reaching the NOC
    Guest path: controller NCWWC3 terminates an Ethernet over IP tunnel into the external DMZ (switch NCWIS2) behind the Internet firewall clusters fw1prod1ic1/2 and fw1prod1ec1/2; visitors get VLAN 6 (172.21.0.0/21) and are NATed to one public address; VLAN 7 is management; ACS appliances acsprod1 and acsprod2 provide RADIUS
    Drawing footer: Confidential, for limited internal WorkSafeBC use only

  • Logical View (diagram; it repeats the elements of the physical architecture diagram: the three controllers, the active/standby firewall cluster with HSRP on VLANs 898 and 899, the per-site user VLANs 8xx, the LWAPP tunnel carrying WPA2-encrypted user data past the wired intrusion detection, and the guest controller's Ethernet over IP tunnel into the DMZ with ACS RADIUS)


  • Guest Access
    - Separate SSID (broadcast)
    - Ethernet over IP tunnel to Internet DMZ
    - Authentication models wired guest access: SecurID token held by Help Desk; web page authentication

  • Guest Access
    - Legal text: be a good person or else; transmission not encrypted
    - Call Customer Support Centre if you wish to proceed
    - Customer Support Centre verifies requirement and provides information to enter

  • Challenges
    - Sorting out rogues (on vs. off network)
    - Problems in remote offices: interference, rogues, security attacks
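The "wireless intrusion detection" goal and the "sorting out rogues (on vs. off network)" challenge are two halves of one job: the WIDS reports every BSSID it hears, and someone has to decide which of those are plugged into the corporate wire (a real exposure) and which belong to the tenant next door. The script below is an added example, not WorkSafeBC code and not a description of the tooling they used. It relies on an assumption the slides do not state: a small AP's wired MAC and its radio BSSIDs are usually allocated from one contiguous block, so a BSSID within a few addresses of a MAC learned on an access switch almost certainly is that device on the wire. The switch output, BSSIDs and names are constructed.

```python
"""Classify rogue APs reported by a wireless IDS as on-network or off-network.

Added example, not WorkSafeBC code. The BSSID-to-wired-MAC proximity
heuristic and the MAC_OFFSET_WINDOW value are assumptions about how AP
vendors number their interfaces, not something the slides describe.
Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

MAC_OFFSET_WINDOW = 16  # max BSSID-to-wired-MAC distance treated as one device (assumed)

# One row of Cisco "show mac address-table": vlan, dotted MAC, type, port
_MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def parse_mac_table(output: str, switch: str) -> List[Dict[str, str]]:
    """Turn switch CLI output into {switch, vlan, mac, port} records."""
    entries = []
    for line in output.splitlines():
        m = _MAC_ROW.match(line)
        if m:
            vlan, mac, port = m.groups()
            entries.append({"switch": switch, "vlan": vlan,
                            "mac": int_to_mac(mac_to_int(mac)), "port": port})
    return entries


@dataclass
class RogueReport:
    bssid: str
    ssid: str
    matched_mac: Optional[str] = None  # wired MAC the BSSID was correlated to
    switch: Optional[str] = None
    port: Optional[str] = None
    vlan: Optional[str] = None

    @property
    def on_network(self) -> bool:
        return self.matched_mac is not None


def classify_rogues(detected: Sequence[Tuple[str, str]],
                    wired: Sequence[Dict[str, str]],
                    authorized_bssids: Sequence[str]) -> List[RogueReport]:
    """Drop our own APs, then correlate each remaining BSSID with wired MACs."""
    authorized = {mac_to_int(b) for b in authorized_bssids}
    wired_by_mac = {mac_to_int(e["mac"]): e for e in wired}
    reports = []
    for bssid, ssid in detected:
        b = mac_to_int(bssid)
        if b in authorized:
            continue  # a controller-managed AP, not a rogue
        report = RogueReport(bssid=bssid, ssid=ssid)
        for delta in range(-MAC_OFFSET_WINDOW, MAC_OFFSET_WINDOW + 1):
            candidate = b + delta
            if candidate >> 24 != b >> 24:
                continue  # never match across an OUI boundary
            hit = wired_by_mac.get(candidate)
            if hit:
                report.matched_mac, report.switch = hit["mac"], hit["switch"]
                report.port, report.vlan = hit["port"], hit["vlan"]
                break
        reports.append(report)
    return reports


# --- constructed sample input (not real WorkSafeBC data) -----------------
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 811    001d.7e52.c3f0    DYNAMIC     Gi1/0/7
 811    0016.d3ab.cdef    DYNAMIC     Gi1/0/8
 899    001b.2caa.1010    DYNAMIC     Gi1/0/24
"""
AUTHORIZED_BSSIDS = ["00:1b:2c:aa:10:00"]          # our controller-managed AP
SAMPLE_DETECTED = [
    ("00:1b:2c:aa:10:00", "WSBC-CORP"),   # ours, must be ignored
    ("00:1d:7e:52:c3:f1", "linksys"),     # consumer router on Gi1/0/7
    ("00:14:bf:9a:11:22", "NEIGHBOUR"),   # tenant next door, not on our wire
]


def run_example() -> List[RogueReport]:
    wired = parse_mac_table(SAMPLE_MAC_TABLE, "NCWES5-1")
    return classify_rogues(SAMPLE_DETECTED, wired, AUTHORIZED_BSSIDS)


if __name__ == "__main__":
    for r in run_example():
        where = f"{r.switch} {r.port} vlan {r.vlan}" if r.on_network else "off network"
        print(f"{r.bssid} ({r.ssid}): {where}")
```

A match gives the switch and port to disable, which is the action that matters; an off-network result only means the device is not on a switch whose MAC table was collected, so remote offices whose switches are not polled will look clean by construction. The window is a trade-off: too narrow misses APs whose vendors space interfaces widely, too wide produces false hits against unrelated hosts sharing the OUI, so confirm a hit by shutting the port and watching the BSSID disappear before calling it a rogue on the wire.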

  • Futures
    - Broader Public Sector access
    - Location: will explore these capabilities
    - 802.11n: no real requirement
    - Non-workstation devices: will consider
    - Voice over WLAN: no plans; VoIP experimental on wired side; did site survey for voice coverage

  • (map slide; only its legend labels survive: First phase installation; Additional for voice)

  • Antenna Research
    - Greater RF gain needed
    - Users are more mobile
    - Integration with personal protective gear
    - Sophisticated look (coolness factor)

  • Questions?