U.S. Department of Energy, Pacific Northwest National Laboratory
July 2004
Presented by Jeffery Mauth
Pacific Northwest National Laboratory, jeff.mauth@pnl.gov

2-Factor Authentication & WiFi Security at PNNL
Presentation Outline

2-Factor Authentication at PNNL
• Drivers
• Enclave Design
• Multiple Sites

WiFi Security at PNNL
• Threats and Risk Mitigation
• 2nd Generation Architecture (Wireless Enclaves)
• Rogue Detection and Wireless IDS
• Future Directions
ESCC Meeting, July 21-22, 2004
2-Factor Authentication at PNNL
• Drivers
• Enclave Design
• Multiple Sites
2-Factor Authentication -- Drivers

Usernames and Passwords
• DOE passwords have a lifetime of no more than 6 months
• Keystroke capture tools are being used more and more by the bad guys
• 6 months is a lifetime for a bad guy to do bad things
• Difficult to detect, since the username/password is real
• Shared resources across DOE exacerbate the problem

2-Factor one-time passwords (OTP) solve this problem … almost
• Automated functions requiring authentication are more difficult
• Replay attacks *MAY* be possible in some circumstances (a captured code submitted before the legitimate login consumes it, or while it is still inside the server's acceptance window)
• Multi-site access with a single token is challenging

The PNNL enclave design required 2-Factor OTP
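The slide says one-time passwords solve the keystroke-capture problem "almost", because a replay may still be possible. The added example below (not from the presentation; PNNL's token product and algorithm are not named on the page, so an RFC 4226 HOTP counter-based token is assumed purely for illustration) shows the server-side rule that closes most of that gap, accepting each counter value at most once, and the one case it cannot close: an attacker who submits the captured code before the user's own request arrives. The secret is the RFC 4226 test-vector secret; `OtpVerifier` and `replay_scenario` are names chosen here.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server-side verifier (assumed design, not PNNL's) that accepts every
    counter value at most once.

    A code recorded by a keystroke logger is useless once the legitimate
    login has consumed it: the verifier only ever searches counters above
    the highest one already accepted.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate a few presses that never reached the server
        self.last_counter = -1        # highest counter accepted so far

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consumes this and all earlier counters
                return True
        return False


def replay_scenario(secret: bytes) -> dict:
    """Walk through the cases behind the slide's 'replay *MAY* be possible'.

    Returns a dict of outcomes so the behaviour can be checked, not just printed.
    """
    server = OtpVerifier(secret)
    captured = hotp(secret, 1)          # keylogger records the code the user typed

    outcome = {}
    outcome["legitimate_login"] = server.verify(captured)         # first use: accepted
    outcome["replay_after_login"] = server.verify(captured)       # same code again: rejected
    outcome["older_code"] = server.verify(hotp(secret, 0))        # consumed by look-ahead: rejected
    outcome["next_code"] = server.verify(hotp(secret, 2))         # user's next press: accepted
    outcome["far_future_code"] = server.verify(hotp(secret, 40))  # outside look-ahead: rejected

    # The remaining window: an attacker who submits the captured code *before*
    # the user's own request reaches the server wins the race. OTP alone does
    # not close that; it needs TLS to the login endpoint and a short window.
    racer = OtpVerifier(secret)
    stolen = hotp(secret, 0)
    outcome["attacker_races_user"] = racer.verify(stolen)         # attacker first: accepted
    outcome["user_after_attacker"] = racer.verify(stolen)         # user second: rejected
    return outcome


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret: hotp(secret, 0) == "755224".
    for name, ok in replay_scenario(b"12345678901234567890").items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The look-ahead window is the trade-off the slide hints at: a larger window absorbs more unsynchronised button presses but also widens the time during which a captured-but-unused code stays valid.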
2-Factor Authentication -- Enclave Design
Multi-Program Labs require Multiple Security Policies

PNNL is an Office of Science Laboratory with a significant National Security mission
• Office of Science programs generally have many visitors, both on-site and remote, from around the world; security policy must accommodate them
• National Security programs generally require security policies that are much more restrictive
• Business and financial systems also require protection, but all PNNL staff need access to these systems
• Wireless networks have unique issues

PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL
2-Factor Authentication -- Enclave Design
Multi-Program Labs require Multiple Security Policies

Enclave solution implemented at PNNL
• 2-Factor OTP a critical part of the enclave design
• Multiple enclaves with different security policies
• Programmatic requirements determine which enclave
• Each enclave isolated from the others by firewall

Results we have seen at PNNL
• Prior to implementation: gnashing of teeth, wails, the world is ending as we know it …
• After implementation: most staff not seriously impacted, the gnashing has stopped, we are still here, there are still some quiet wails though
• Benefit: lower risk associated with external access into the lab and improved access control to meet programmatic needs
• Still a work in progress
2-Factor Authentication -- Multiple Sites
How to Work with Others

2-Factor OTP solutions for a single site are relatively straightforward
• Single management policy and funding stream
• Risk management and acceptance by site

Integration between sites becomes more challenging
• Multiple management policies and funding streams
• Risk management and acceptance more difficult
  – Who trusts whom, and how much to trust them?
  – Changes in risk profile at a single site affect other sites

Questions on implementation
• One token or many?
• How willing will the user base be?
• Will it harm scientific productivity?
WiFi Security at PNNL
• Threats and Risk Mitigation
• 2nd Generation Architecture (Wireless Enclaves)
• Rogue Detection and Wireless IDS
• Future Directions
WiFi Security -- Overall Network Goals and Objectives
Scalable, Secure, and Flexible Wireless Access

Goal: Multi-Layered Security
• Basic, low-cost detection and location of "rogue" devices
  – Sensor functions built in to standard Cisco AP
• Advanced wireless IDS functions
  – AirDefense, wireline methods
• Dedicated, specialized sensors, as needed (open source & proprietary)
  – LAIs, sensitive areas, outdoors
  – Campuses and buildings in different locations across the US (rural to metro)

Goal: Flexible Network Access
• Multiple, adaptable wireless networks
  – Different security policies, authentication methods, and users
• Reliable, scalable coverage
  – High-density 802.11b/g
  – High-performance 802.11a "hotspots", as needed
• Integration with wired networks, targeting key business applications
  – Staff productivity, extended network resources, and new mobility applications
WiFi Security -- Threats and Risk Mitigation
Security Policy Separates Wireless and Wired Networks

[Figure: network diagram]
• PNNL networks (building access control) sit behind the enterprise firewall; wireless networks (enclave access control) sit behind a separate firewall; both connect through the campus to the Internet.
• Threats: an attacker on the Internet, and a wireless device in Building A (the primary rogue threat) that bridges the airspace into the building's wired network.
• Mitigation: staff remote access through VPN / 2-factor / firewall; IDS outbound traffic monitoring; "wireline" tools; deploying wireless IDS campus coverage.

Primary risk is that an outside attacker will bypass the enterprise firewall via a rogue. Note: the "airspace DMZ" covers the entire campus, which is different from a wired DMZ.
WiFi Security -- 2nd Generation Architecture
Wireless Enclaves Add Flexibility and Security

[Figure: PNNL Wireless Networks, September 2003]
• RF nets are built on Cisco APs (one radio channel per AP) with three SSIDs configured on each AP and carried over a VLAN trunk to the router:
  – RadioLAN: WEP 128-bit
  – VisitorLAN: open, user authentication through browser
  – RFnet: 802.1x (EAP-TLS)
• Each wireless network passes through a Vernier Access Manager and a firewall before reaching the Internet; a Vernier Control Server and an out-of-band management network control the enclaves.

Caveat: the RC4 key-scheduling weaknesses in WEP were public and tooled by 2003, so the RadioLAN tier separates traffic but offers little confidentiality against a determined listener; of the three tiers, RFnet's 802.1x (EAP-TLS) with per-user certificates is the stronger choice.
WiFi Security -- Rogue Detection and Wireless IDS
Goals and Challenges

Primary Goals
• Achieve acceptable risk
  – Mitigate risks "sufficiently"
• Cover full campus (inside buildings)
  – Mitigate primary threat of rogue "open doors" in ~60 buildings with network connections
• Efficient 24x7 operations
  – Cost-effective integration with overall network security systems, procedures and staff

The Challenges (changing…)
• Wide Area Network (2G, 2.5G, 3G)
  – Pagers, cell phones, Blackberries, "smart phones"
  – Metro Area Network (IEEE 802.16)
• Local Area Network (IEEE 802.11b/g/a or Wi-Fi*)
  – Solid rogue coverage for these popular products and protocols
• Personal Area Network (IEEE 802.15)
  – Bluetooth (growing fast); Zigbee, Ultra Wideband (UWB)

* Target popular unlicensed protocols, but address new DOE orders as needed
WiFi Security -- Rogue Detection and Wireless IDS
Combined Solution is Best for PNNL Environment

Combined AirDefense-Cisco solution provides "sufficient mitigation" with the best functional capability, the most flexibility, at the least cost.
• See figure below for the multi-layered approach to wireless security and IDS.

PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco)
• Rapidly changing wireless arena (both threats and opportunities)

[Figure: multi-layered wireless IDS coverage, ranging from basic rogue detection/location to advanced detection]
• On the wire: wireline tools (covers entire network)
• In the air: combined access/sensor (buildings with Cisco APs); sensor only (LAIs, mobile)
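The slides describe the primary threat as a rogue AP that opens a door through the enterprise firewall, and the chosen mitigation as a layered mix of "in the air" sensing (Cisco APs and AirDefense) and "on the wire" tools. The example below is an added illustration of that correlation, not PNNL's or any vendor's code: it merges beacon sightings from sensors with switch MAC tables, flags unknown BSSIDs, ranks a rogue that is demonstrably plugged into the wired network above an evil twin reusing an authorized SSID, and locates each rogue by the sensor with the strongest signal. All sensor names, MAC addresses, switch ports and SSID inventory are constructed sample data; the BSSID-to-wired-MAC adjacency rule is a heuristic that wireline detectors use, not a guarantee.

```python
# Rogue AP triage combining "in the air" sensor data with "on the wire" switch data.
# All names, MAC addresses and sightings below are constructed sample data.

AUTHORIZED_APS = {          # hypothetical AP inventory: BSSID -> SSID it should carry
    "00:0b:85:11:22:01": "RFnet",
    "00:0b:85:11:22:02": "VisitorLAN",
}
AUTHORIZED_SSIDS = {"RFnet", "VisitorLAN", "RadioLAN"}

# In the air: beacons reported by sensor APs as (sensor, bssid, ssid, channel, rssi_dbm)
AIR_OBSERVATIONS = [
    ("sensor-bldgA-1", "00:0b:85:11:22:01", "RFnet",       6, -48),
    ("sensor-bldgA-1", "00:11:22:33:44:55", "linksys",    11, -55),
    ("sensor-bldgA-2", "00:11:22:33:44:55", "linksys",    11, -70),
    ("sensor-bldgB-1", "66:77:88:99:aa:bb", "RFnet",       1, -60),  # unknown radio using our SSID
    ("sensor-bldgB-1", "00:0b:85:11:22:02", "VisitorLAN",  1, -50),
]

# On the wire: MAC address table entries pulled from building switches as (switch, port, mac)
WIRE_MAC_TABLE = [
    ("sw-bldgA-1", "Gi0/12", "00:11:22:33:44:54"),
    ("sw-bldgA-1", "Gi0/13", "00:aa:bb:cc:dd:ee"),
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_port_for(bssid: str, mac_table, slack: int = 1):
    """Heuristic used by wireline rogue detectors: many consumer APs derive the
    radio BSSID from the Ethernet MAC (same OUI, address +/- 1), so a wired MAC
    that close to the BSSID suggests the rogue is plugged into our switch."""
    target = mac_to_int(bssid)
    for switch, port, mac in mac_table:
        if abs(mac_to_int(mac) - target) <= slack:
            return (switch, port)
    return None


def find_rogues(air, wire, authorized_aps, authorized_ssids):
    """Return one finding per unknown BSSID, ranked by how much of the
    firewall it bypasses: wired rogue > SSID spoof > isolated rogue."""
    seen = {}
    for sensor, bssid, ssid, channel, rssi in air:
        entry = seen.setdefault(bssid, {"ssid": ssid, "channel": channel, "sightings": []})
        entry["sightings"].append((rssi, sensor))

    findings = []
    for bssid, entry in seen.items():
        if bssid in authorized_aps:
            if entry["ssid"] != authorized_aps[bssid]:   # our AP, wrong SSID: misconfiguration
                findings.append({"bssid": bssid, "kind": "misconfigured_ap",
                                 "severity": "medium", "ssid": entry["ssid"]})
            continue
        _, nearest_sensor = max(entry["sightings"])     # strongest signal -> rough location
        port = wired_port_for(bssid, wire)
        spoof = entry["ssid"] in authorized_ssids
        if port is not None:
            severity = "critical"   # open door from the airspace into the wired network
        elif spoof:
            severity = "high"       # evil twin positioned to harvest our users' credentials
        else:
            severity = "medium"     # unknown AP, not (yet) seen on our wire
        findings.append({
            "bssid": bssid, "kind": "rogue_ap", "ssid": entry["ssid"],
            "channel": entry["channel"], "nearest_sensor": nearest_sensor,
            "wired_port": port, "ssid_spoof": spoof, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rogues(AIR_OBSERVATIONS, WIRE_MAC_TABLE, AUTHORIZED_APS, AUTHORIZED_SSIDS):
        print(finding)
```

The "critical" ranking is what justifies the wireline layer in the slides: an AP seen only in the air might belong to a neighbour, but one whose Ethernet side shows up on a campus switch port is the "open door" case and points the responder at the exact port to shut.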
WiFi Security -- Future Directions
Rapid Growth in Use of Wireless Products and Services

Wireless rogue detection is essential whether or not wireless is authorized for use in an enterprise.
• It is easy to install wireless devices that bypass firewalls, knowingly or not.

Wireless enclaves provide a good solution for flexible architectures and levels of security.
• Technology is moving rapidly; more alternatives soon.

Industry direction and investments will drive strong adoption of wireless in the marketplace.
• Wireless "on ramp" to networks for many devices.
• How will this affect DOE and other government agencies?
  – DOE N 205.8 and other directives
Questions? Contact Information

Dave Hostetler, Wireless LAN Project Manager
dave.hostetler@pnl.gov, 509-375-2293

Jeffery Mauth
jeff.mauth@pnl.gov, 509-375-2511