WorkSafeBC's Wireless LAN Implementation, with a focus on security
UBC, October 2, 2008
Allan Alton, BSc, CISA, CISSP
Agenda
- Goals: Functional, Security
- Architecture Overview
- Challenges
- Futures
Goals - Functional
From:
- Head Office and 17 area offices/work centres
- Meeting rooms
- Common areas (lobby, atrium, lounge, cafeteria)
- Parking lot edge (drive-by downloading)
To:
- Employee access to internal network
- Guest access to Internet
- Broader Public Sector (BPS) employee access to Internet
Using:
- Existing built-in client adapters; PC Card adapter for exceptions
- Windows XP client software (standardized client for easier support)
- 802.11g and 802.11a only; no 802.11b due to performance penalty
802.11b Exclusion (chart data)
            January 2006   June 2006   August 2007
802.11a     0%             29%         54%
802.11g     42%            62%         84%
802.11b     58%            37%         16%
Goals - Security
Tip for success: work with your security group from the beginning (Network Services & IS Security)
Goals - Security
- Wi-Fi Protected Access 2 (WPA2) only
- Firewall separation from internal network
- SSID not broadcast (except for guest)
- Integration with Active Directory
- Wireless intrusion detection
- Intrusion detection at wired network entry
- Access Points physically hidden
Goals - Security
Reference: http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm

802.1x EAP Types
MD5 --- Message Digest 5; TLS --- Transport Layer Security; TTLS --- Tunneled Transport Layer Security; PEAP --- Protected Transport Layer Security; FAST --- Flexible Authentication via Secure Tunneling; LEAP --- Lightweight Extensible Authentication Protocol

Feature or Benefit                 MD5      TLS            TTLS      PEAP      FAST       LEAP
Client side certificate required   no       yes            no        no        no (PAC)   no
Server side certificate required   no       yes            no        yes       no (PAC)   no
WEP key management                 no       yes            yes       yes       yes        yes
Rogue AP detection                 no       no             no        no        yes        yes
Provider                           MS       MS             Funk      MS        Cisco      Cisco
Authentication Attributes          One way  Mutual         Mutual    Mutual    Mutual     Mutual
Deployment Difficulty              Easy     Difficult (*)  Moderate  Moderate  Moderate   Moderate
Wireless Security                  Poor     Very High      High      High      High       High (**)
(*) because of client certificate deployment
(**) when strong passwords are used
Architecture Overview
- Centralized controller model
- Redundancy measures:
  - Secondary / tertiary controller assignment for APs
  - Under-load AP/controller ratio, so that the APs of a failed controller can be absorbed by the survivors
  - 802.3ad link aggregation for cable failures
  - Switch stacks for switch failure
  - Multiple paths to multiple core switches (two slots in core)
  - HSRP for router failure
  - Firewall cluster in active/standby mode
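The two controller-level measures above (secondary/tertiary assignment and an under-load AP-to-controller ratio) are only useful if the numbers actually add up after an outage. The script below is an added example, not WorkSafeBC's tooling: it simulates every combination of controller failures, re-homes each AP to the first surviving controller in its preference list, and reports whether any survivor would exceed its licensed AP capacity. The controller names follow the deck; the capacities and AP counts are constructed.

```python
"""Controller failover capacity check.

Added example (not WorkSafeBC's tooling): models primary/secondary/tertiary
controller assignment per AP and the "under-load" AP-to-controller ratio,
then checks whether the APs of a failed controller fit on the survivors.
Capacities and AP counts are constructed; only the names follow the deck.
"""
from collections import Counter
from itertools import combinations

# Constructed: licensed AP capacity per controller (hypothetical values).
CAPACITY = {"NCWWC1": 60, "NCWWC2": 60, "CRWWC1": 60}

# Constructed: one tuple per AP giving (primary, secondary, tertiary).
# 30 APs prefer each controller, with failover spread over the other two.
APS = (
    [("NCWWC1", "NCWWC2", "CRWWC1")] * 30
    + [("NCWWC2", "NCWWC1", "CRWWC1")] * 30
    + [("CRWWC1", "NCWWC1", "NCWWC2")] * 30
)


def place_aps(aps, failed=()):
    """Return {controller: AP count} once the controllers in `failed` are
    down. Each AP joins the first controller in its preference list that is
    still up; an AP with no surviving controller is counted under None."""
    failed = set(failed)
    load = Counter()
    for prefs in aps:
        load[next((c for c in prefs if c not in failed), None)] += 1
    return load


def overloaded(load, capacity):
    """Names of controllers whose AP count exceeds their licensed capacity."""
    return sorted(c for c, n in load.items() if c is not None and n > capacity[c])


def utilization(load, capacity):
    """Fraction of licensed capacity in use per controller: the 'under-load
    ratio' figure (values above 1.0 mean APs would be refused)."""
    return {c: load[c] / capacity[c] for c in capacity}


def survives(aps, capacity, failures=1):
    """True if every combination of `failures` simultaneous controller
    outages leaves all APs on a surviving controller within capacity."""
    for failed in combinations(capacity, failures):
        load = place_aps(aps, failed)
        if load[None] or overloaded(load, capacity):
            return False
    return True


if __name__ == "__main__":
    for n in (1, 2):
        print(f"tolerates {n} controller failure(s): {survives(APS, CAPACITY, n)}")
    print("load after NCWWC1 fails:", dict(place_aps(APS, {"NCWWC1"})))
```

With the constructed numbers the design tolerates any single controller outage (the survivor that inherits 30 extra APs lands exactly at capacity) but not two simultaneous outages, which is the kind of finding that drives the "under-load ratio" target.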
[Diagram: physical architecture, NCC Level 1 and Computer Room Level 4. Recoverable labels:
- Controllers NCWWC1 and NCWWC2 (NC) and CRWWC1 (CR), each with Management and AP Manager interfaces on vlan 899 (10.4.254.11-16, gateway 10.4.254.1 or 10.4.254.2); vlan 899 is routed with HSRP group 0 (10.4.254.1, active at NC) and HSRP group 1 (10.4.254.2, active at CR), real addresses 10.4.254.3 (NC) and 10.4.254.4 (CR).
- Switch stacks NCWES5 Switch 1 / Switch 2 and CRWES11; core switches NCWCS1 and CRWCS1; uplinks to ncihub2, to NOC, and to mgmt switch ncwis4 ports 20 and 21. Link legend: controller - AP traffic, controller - firewall traffic, firewall - internal traffic, user traffic to/from controller, user traffic to/from internal.
- User vlans 8x (811-816, 821-822, 831-832, 850-866): controller interfaces 10.4.x.252 / .253 / .254; firewall virtual gateway 10.4.x.1 on int ae2 (real 10.4.x.2 active, 10.4.x.3 standby).
- Internal vlan 898 on int ae1: firewall virtual 10.4.253.254 (real 10.4.253.252 active, 10.4.253.253 standby); HSRP 10.4.253.1 (real 10.4.253.2 NC, 10.4.253.3 CR); static routes 10.4.x via 10.4.253.254.
- Firewall cluster fw1prod8wc1 (Active, NC) and fw1prod8wc2 (Standby, CR); firewall management 10.47.4.37/28, 10.47.4.239/27, 10.47.4.238/27; cluster links 192.168.9.1 and 192.168.9.2.
- Intrusion Detection at the firewall / internal boundary.]

Value of x in addresses
x    Purpose                VLAN
11   Users RC11             811
12   Users RC12             812
13   Users RC13             813
14   Users RC14             814
15   Users RC15             815
16   Users RC16             816
21   Users RC21             821
22   Users RC22             822
31   Users RC31             831
32   Users RC32             832
50   Users Abbotsford       850
51   Users Burnaby          851
52   Users Coquitlam        852
53   Users Courtenay        853
54   Users Cranbrook        854
55   Users Fort St. John    855
56   Users Kamloops         856
57   Users Kelowna          857
58   Users Nanaimo          858
59   Users Nelson           859
60   Users North Vancouver  860
61   Users Prince George    861
62   Users Surrey           862
63   Users Terrace          863
64   Users Victoria         864
65   Users Whistler         865
66   Users Williams Lake    866

Logical View
[Diagram. Labels along the user data path: WPA2 Encrypted User Data from the laptop; LWAPP Tunnel from AP to the NCWWC1 / NCWWC2 / CRWWC1 controllers (10.4.254, vlan 899); user vlan 8x (10.4.x); firewall cluster fw1prod8wc1 (NC, active) / fw1prod8wc2 (CR, standby); internal network (10.4.253, vlan 898); RC subnets 10.3.yy and area office subnets 10.ao.99 with DHCP; Intrusion Detection. Labels along the guest data path: Ethernet over IP Tunnel to the NCWWC3 controller in the external DMZ (NCWIS2; VLAN 7 management 10.47.55.199 Mgmt, 10.47.55.9 AP Mgmt, 1.1.1.1 Virtual; VLAN 6 end users 172.21.0.10 - 172.21.7.251/21 Visitors, gateway 172.21.7.254, DNS 207.34.170.225 and 226); firewall cluster fw1prod1ec1 (active) / fw1prod1ec2 (standby); Internet Infrastructure with NAT 207.34.170.199 for wireless visitors; internal-side cluster fw1prod1ic1 (active) / fw1prod1ic2 (standby), 10.64.50.12 virtual. ACS appliances (RADIUS): acsprod1 10.2.221.32, acsprod2 10.2.205.121.]
Guest Access
- Separate SSID (broadcast)
- Ethernet over IP tunnel to Internet DMZ
- Authentication model follows wired guest access: SecurID token held by Help Desk; web page authentication
- Legal text: "be a good person or else"; transmission not encrypted
- Call Customer Support Centre if you wish to proceed; the Customer Support Centre verifies the requirement and provides the information to enter
Challenges
- Sorting out rogues (on vs. off network)
- Problems in remote offices: interference, rogues, security attacks
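Telling an on-network rogue (a device plugged into a WorkSafeBC switch port) from an off-network one (a neighbour's AP that merely reaches the building) is what the wireless IDS and the wired-entry IDS on the security goals slide are there to answer together. The script below is an added example, not WorkSafeBC's tooling: it joins the controller's list of managed BSSIDs, a WIDS scan of heard BSSIDs, and the wired switches' MAC address tables, and classifies each heard BSSID. The wired correlation is an assumed heuristic (match when the first five octets agree, since many APs derive per-SSID BSSIDs from one base address by varying the last octet); all MACs, SSIDs and switch names are constructed.

```python
"""Rogue AP triage: on-network vs off-network.

Added example (not WorkSafeBC's tooling). Joins three constructed inputs:
managed BSSIDs from the controllers, a WIDS scan, and wired MAC tables.
The five-octet prefix match used for wired correlation is an assumption.
"""
from collections import Counter

# Constructed: radio MACs (BSSIDs) of APs managed by the controllers.
MANAGED_BSSIDS = {"00:1a:2b:10:00:00", "00:1a:2b:10:00:01", "00:1a:2b:20:00:00"}
# Constructed: the organisation's own SSIDs; the guest SSID is open by design
# (the deck states that guest transmission is not encrypted).
CORPORATE_SSIDS = {"wsbc-staff", "wsbc-guest"}
OPEN_BY_DESIGN = {"wsbc-guest"}

# Constructed WIDS scan rows: (bssid, ssid, security, heard_by_ap).
SCAN = [
    ("00:1a:2b:10:00:00", "wsbc-staff", "WPA2", "ap-lobby"),
    ("00:1a:2b:10:00:01", "wsbc-guest", "OPEN", "ap-lobby"),
    ("00:1a:2b:30:00:00", "wsbc-staff", "WPA2", "ap-lobby"),     # unmanaged, our SSID
    ("00:50:f2:aa:bb:cc", "linksys", "WEP", "ap-atrium"),        # also seen on a switch port
    ("00:50:f2:dd:ee:ff", "coffee-shop", "WPA2", "ap-parking"),  # neighbour
]

# Constructed wired MAC-address-table entries: (switch, port, mac).
WIRED_MACS = [
    ("ncwes5-1", "Gi1/0/7", "00:50:f2:aa:bb:c0"),
    ("ncwes5-1", "Gi1/0/9", "00:1a:2b:10:00:00"),
]


def mac_prefix(mac, nbytes=5):
    """Lower-cased first `nbytes` octets of a colon-separated MAC."""
    return ":".join(mac.lower().split(":")[:nbytes])


def classify(scan, managed, corporate_ssids, open_by_design, wired_macs):
    """Return one finding per heard BSSID: its class, wired location if any,
    and policy notes. Classes: authorized, rogue-on-network, rogue-off-network."""
    managed = {m.lower() for m in managed}
    # Wired MAC prefix -> (switch, port), so an on-network rogue can be located;
    # the port is what an operator disables once the finding is verified.
    wired = {mac_prefix(mac): (sw, port) for sw, port, mac in wired_macs}
    findings = []
    for bssid, ssid, security, heard_by in scan:
        bssid = bssid.lower()
        notes = []
        if bssid in managed:
            cls, location = "authorized", None
            if security != "WPA2" and ssid not in open_by_design:
                notes.append(f"policy violation: {security} on managed AP, WPA2 only")
        elif mac_prefix(bssid) in wired:
            cls, location = "rogue-on-network", wired[mac_prefix(bssid)]
        else:
            cls, location = "rogue-off-network", None
        if cls != "authorized" and ssid in corporate_ssids:
            notes.append("unmanaged AP advertising a corporate SSID")
        if cls != "authorized" and security != "WPA2":
            notes.append(f"open or weak security ({security})")
        findings.append({"bssid": bssid, "ssid": ssid, "class": cls,
                         "heard_by": heard_by, "location": location, "notes": notes})
    return findings


def summarize(findings):
    """Count of findings per class, the figure a periodic rogue report leads with."""
    return Counter(f["class"] for f in findings)


if __name__ == "__main__":
    results = classify(SCAN, MANAGED_BSSIDS, CORPORATE_SSIDS, OPEN_BY_DESIGN, WIRED_MACS)
    for f in results:
        print(f["class"], f["bssid"], f["ssid"], f["location"] or "", "; ".join(f["notes"]))
    print(dict(summarize(results)))
```

The on-network rogue is the one worth a same-day visit, because it gives a path past the firewall separation; an unmanaged AP advertising the corporate SSID is flagged even when it is off the wire, since clients may associate to it. A prefix match is only a lead: confirm the wired location (for example by checking the port's other MACs) before disabling anything.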
Futures
- Broader Public Sector access
- Location: will explore these capabilities
- 802.11n: no real requirement
- Non-workstation devices: will consider
- Voice over WLAN: no plans; VoIP experimental on wired side; did site survey for voice coverage (site survey legend: First phase installation; Additional for voice)

Antenna Research
- Greater RF gain needed
- Users are more mobile
- Integration with personal protective gear
- Sophisticated look (coolness factor)
Questions?