Your wireless network - AIT Partnership Group · 2017-09-13 · Wireless network names and...



Page 1

Your wireless network: how to ensure you are meeting Government security standards

Cabinet Office best practice Wi-Fi guidelines

Overview

Cyber Security is a hot topic, but where do you start? The Cabinet Office has provided some assistance for the Public Sector to help them secure wireless networks, and has produced a set of guidelines on Sharing Workplace Wireless Networks.

These guidelines were produced by the Cabinet Office as a direct result of their in-depth technical evaluation of the leading Enterprise Wi-Fi solutions for their own Wi-Fi project. The winning solution had several innovative features, including a cloud management platform and a more secure and flexible architecture with distributed controllers in each Access Point instead of a central controller. As a result, the official Wi-Fi guidelines were updated to describe how these features could enhance security.

This document builds on the Cabinet Office experience and provides a summary checklist of the features required in enterprise Wi-Fi when implementing a secure wireless solution compliant with government guidelines.

Download the official guidelines here: https://www.gov.uk/guidance/sharing-workplace-wireless-networks


Page 2

Onboarding users and devices to Wi-Fi

There are two approved methods of providing authenticated access to a government Wi-Fi network, depending on the type of device used. Access for guests or users with unknown, non-managed devices (generally referred to as BYOD) should follow method 1. If access is required for users with known, fully managed (corporate) devices, method 2 should be followed.

Both methods should adhere to these basic rules:

• Only basic internet access should be provided through Wi-Fi
• Always use VPNs to provide access to privileged resources and servers

Access method 1 - BYOD, Guest, or GovWifi service devices

Sometimes referred to as user.wifi in the guidelines

Use this method when:

• The device is owned by the user or a third party organisation
• The device is owned by the organisation but uses internet cloud services only and is managed using mobile device management
• You use a strict ‘always-on’ VPN

This method should always:

• Require user sign up
• Provide access to the internet only
• Prohibit users from accessing any internal systems

Choose an enterprise WLAN solution that provides Client Certification through a RADIUS server using Active Directory Credentials.

Choose an enterprise WLAN solution that provides Private Pre Shared Keys for added security.

Access method 2 - For managed devices

Sometimes referred to as device.wifi in the guidelines

Use this method when:

• The user has a managed device without an ‘always-on’ VPN
• The user has a managed device with a selective ‘always-on’ VPN policy which allows direct communication on trusted networks

Choose an enterprise WLAN solution that provides Device and Client Certification through a RADIUS server using Active Directory Credentials and a Certification Authority (CA).

This method uses Public Key Infrastructure (PKI) certificates installed on the managed devices to provide strong authentication of devices and users:

• They can’t be stolen by rogue networks
• They are almost impossible to extract from devices when the private key is stored in a trusted platform module or smart card
• Certificates should be checked for validity using an up to date certificate revocation list (CRL) or using Online Certificate Status Protocol (OCSP)
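The three checks method 2 relies on (chain to the organisation's CA, validity window, and an authentic, up-to-date CRL) carried through in working form, as an added Go example that is not part of this document or of any product it names. The function names `issue`, `buildCRL` and `checkDeviceCert` are chosen here, the CA, device names, serials and lifetimes are constructed for the demo, and the in-memory CRL stands in for the CRL or OCSP responder the guidance requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue returns a new key pair and its certificate signed by parent (nil parent: the self-signed demo CA); names, serials and lifetimes are constructed, so generation errors are ignored.
func issue(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, pkey any) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // CA: signs certificates and CRLs, never authenticates as a client itself
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage, parent, pkey = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// buildCRL returns a DER CRL signed by the CA that lists one serial as revoked and is current until nextUpdate.
func buildCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked int64, nextUpdate time.Time) []byte {
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: nextUpdate,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: time.Now()}}}
	der, _ := x509.CreateRevocationList(rand.Reader, rl, ca, caKey)
	return der
}
// checkDeviceCert is the device.wifi RADIUS decision: chain to the trusted CA with client-auth usage at time now,
// then require a CA-signed, current CRL that does not list this serial; an unusable CRL is a refusal (fail closed).
func checkDeviceCert(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL unusable (unparsable, bad signature or out of date): refusing access")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("device certificate revoked")
		}
	}
	return nil
}
```

A stale or unverifiable CRL is treated as a refusal rather than skipped, because silently passing the revocation check is the failure mode that lets a revoked device back onto device.wifi.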


Page 3

Roaming

For more information on setting up a secure wireless network for roaming, read this government blog:

https://governmenttechnology.blog.gov.uk/2016/06/17/wi-fi-security-and-government-wide-roaming-solutions/

To allow the use of external authentication systems such as Govroam, Eduroam or GovWifi, choose an enterprise WLAN solution that supports:

• WPA2-Enterprise Advanced Encryption Standard (AES)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
• Protected Extensible Authentication Protocol (PEAPv0) EAP method

When configuring the network to allow external authentication for Government employees from trusted systems such as Govroam, Eduroam or GovWifi, do not:

• Implement unencrypted or open networks
• Implement captive portals - these interfere with ‘always-on’ VPNs
• Allow the user to choose their password - they could reuse the passwords they use for other government services
• Allow access to internal or privileged networks - these should only be accessible using certificates or a VPN client
• Use public pre-shared keys (PSKs), as they provide little privacy between users – use a solution providing per user Private Pre-Shared Keys

To allow secure roaming between participating buildings within an infrastructure, choose an enterprise WLAN solution that supports:

• Public Key Infrastructure certificates with per user Private Pre Shared Keys
• Easy onboarding of users – look for examples of integrations using APIs that automate self-registration
• Standardising the process by which access is provided to a specific set of SSIDs
• Limiting the SSIDs broadcast to approved locations, and documenting exceptions

Network separation

Choose an enterprise WLAN solution that provides:

• Isolation by SSID and certificate authority (CA), identified by a device certificate
• Dual Ethernet APs to allow separation of networks within the APs
• Support for encrypted tunnels between APs and VPN concentrator
• A firewall to separate IP addressing, routing and access controls for each Wi-Fi network
• VLAN and SSID separation if using multi-tenant environments
• QoS by Application and SSID, with bandwidth limitation applied for each SSID as well as each user
• The capability to ensure that all clients pass through a gateway device before communicating with devices on the same network, ensuring that only approved services can be accessed


Page 4

Coverage

Choose an enterprise WLAN solution with these considerations:

• Automatic channel selection features
• Centrally managed AP hardware
• 5 GHz frequency band and 802.11ac support, plus 802.11ac Wave 2 and MIMO support
• Ensure there’s sufficient uplink bandwidth from APs to the building switch infrastructure
• Use 802.3at Type 2 capable switches to power the APs and future-proof the installation
• Disable low-bandwidth Wi-Fi protocols like 802.11a and 802.11g on the 5 GHz band and confine legacy clients to the 2.4 GHz band
• Ability to broadcast SSIDs only to required areas
• Ability to disable 2.4 GHz radios on APs in large open plan areas to reduce interference
• Ability to manage channel width and implement channel bonding with fall back to a non-overlapping channel
• Ability to enable dynamic frequency selection (DFS) or 802.11h for the 5 GHz band
• Ability to enable ‘band steering’, which works by regulating probe responses to clients and making 5 GHz channels appear more attractive by delaying probe responses to clients on 2.4 GHz
• Ability to enable standards based (802.11r) support for smoother roaming for devices on the move
• Ability to enable Wi-Fi Voice Enterprise or equivalent if voice support is required

Security and availability

Choose an enterprise WLAN solution which:

• Enables central management to provide non-obtrusive software upgrades with minimal disruption
• Protects access to all network infrastructure management interfaces, either directly or indirectly, using two-factor authentication

Administration and monitoring

Choose an enterprise WLAN solution with these considerations:

• Allows API connection and provides analysis of location data to improve business operations, like real time people finder, crowd management and emergency response, queue length reporting, hot desk/meeting room usage and path planning
• Provides central management and reports of usage and trends with historical network activity and heat maps to provide a visual insight into coverage and use
• Ability to configure an Acceptable Use Policy against an SSID


Page 5

Wireless network names and authentication

Choose an enterprise WLAN solution that:

• Provides an easy onboarding process for users to sign up to BYOD, Guest, GovWifi (user.wifi)
• Provides access to the internet only
• Does not allow users to access any internal systems
• Provides per user Private Key Self-Registration against Active Directory
• Automatically and securely connects government managed devices to device.wifi
• Gives devices access to internal local area network (LAN) resources in ‘home’ buildings or shared buildings following the shared WAN guidance
• Doesn’t require any user set up - it just works
• Gives devices access to the internet for a VPN when roaming
• Can be deployed alongside a VPN client to switch seamlessly between a trusted ‘home’ network and VPN using the same authentication infrastructure
• Authenticates devices securely using certificates

Wired LAN requirements

The security and performance of the WLAN is heavily dependent on the wired LAN. This should be configured as follows:

• Provide uplinks at least twice the bandwidth of the fastest user connection to avoid one person impacting the network
• Implement QoS where appropriate
• Shared LANs use 802.1X certificate-based authentication or restriction to an authorised MAC address on every accessible floor port
• Use the same authentication methods and servers for both Wi-Fi and wired LAN ports
• Block guest access on wired LAN ports
• Local RADIUS server returns vendor specific attributes (VSAs) to allow the client to access the locally allocated VLAN
• Use the local RADIUS server, if required, to filter and rewrite VSAs received from the central RADIUS proxy
• Do not span VLANs between shared and non-shared switches without agreement to share a spanning tree instance and mitigate the impact of a broadcast storm
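One way to build the VLAN filter the last two RADIUS items describe, as an added Go example that is not the document's own: it assumes the VLAN is carried in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which this example treats as the VSAs the document refers to, and `parseAttrs`, `localVLAN` and the sample Access-Accept bytes are constructed here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// RFC 2868/3580 attribute numbers used for dynamic VLAN assignment, assumed here to be what the document calls the VSAs returned by RADIUS.
const (
	attrTunnelType   = 64 // value 13 = VLAN
	attrTunnelMedium = 65 // value 6 = IEEE 802
	attrTunnelGroup  = 81 // the VLAN name or number, as a string
)

// sampleAccept is a constructed Access-Accept attribute list (20-byte RADIUS header omitted):
// Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID="200".
var sampleAccept = []byte{64, 6, 0, 0, 0, 13, 65, 6, 0, 0, 0, 6, 81, 5, '2', '0', '0'}

// parseAttrs walks the Type/Length/Value list, stripping the RFC 2868 tag octet (present only when its
// value is 0x00..0x1F); a repeated type keeps the last value, and any truncated attribute rejects the packet.
func parseAttrs(b []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for len(b) > 0 {
		if len(b) < 2 || int(b[1]) < 2 || int(b[1]) > len(b) {
			return nil, errors.New("malformed RADIUS attribute")
		}
		v := b[2:b[1]]
		if len(v) > 0 && v[0] <= 0x1f {
			v = v[1:]
		}
		out[b[0]] = v
		b = b[b[1]:]
	}
	return out, nil
}

// localVLAN is the local RADIUS server's filter: accept only a complete VLAN assignment from the central
// proxy, and only if it rewrites to a VLAN this site allocates; otherwise return no VLAN at all (fail closed).
func localVLAN(attrs map[byte][]byte, rewrite map[string]string) (string, error) {
	group := string(attrs[attrTunnelGroup])
	if !bytes.Equal(attrs[attrTunnelType], []byte{0, 0, 13}) || !bytes.Equal(attrs[attrTunnelMedium], []byte{0, 0, 6}) || group == "" {
		return "", errors.New("central RADIUS sent no complete VLAN assignment")
	}
	local, ok := rewrite[group]
	if !ok {
		return "", fmt.Errorf("central VLAN %q is not allocated on this site: refusing", group)
	}
	return local, nil
}
```

The rewrite map is the site's own allocation table, so a VLAN number the central proxy names but the site never allocated is refused instead of being placed on the switch.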


Page 6

Further reading

For more information on the Cabinet Office case study that inspired the guidelines, visit the link below:

http://www.aerohive.com/company/press-releases/2015/aerohive-networks-selected-by-uk-cabinet-office-to-underpin-technology-transformation-programme.html

To find out more about how to design and implement a compliant, secure Wi-Fi network, visit the link below: https://www.ait-pg.co.uk/solutions-and-services/networking-mobility-security/network-security/

Implement the design

Choose an enterprise WLAN installation partner that:

• Has relevant experience of installing secure wireless networks that meet the criteria described in this document
• Provides PRINCE2 qualified Project Management
• Recommends a Capacity Survey, Coverage Survey and Mounting Survey to identify all the risks prior to design and installation
• Includes both logical and physical constraints in the Risk Assessment and Method Statements
• Differentiates between general coverage and high capacity
• Identifies structured cabling requirements for APs, with 2 Cat5e or Cat6 connections per AP
• Considers network architecture and switch requirements, especially with regard to PoE support for APs
• Includes an assessment of Cyber Security requirements

Contact

For more information on how to deploy intelligent Wi-Fi, please get in touch.

Call 0845 293 2790 or visit our website www.ait-pg.co.uk
