
2-Factor Authentication & WiFi Security at PNNL

ESCC Meeting, July 21-22, 2004


Presentation Outline:

2-Factor Authentication at PNNL
- Drivers
- Enclave Design
- Multiple Sites

WiFi Security at PNNL
- Threats and Risk Mitigation
- 2nd Generation Architecture (Wireless Enclaves)
- Rogue Detection and Wireless IDS
- Future Directions

Presented by Jeffery Mauth, Pacific Northwest National Laboratory, jeff.mauth@pnl.gov

July 2004

U.S. Department of Energy Pacific Northwest National Laboratory

2-Factor Authentication at PNNL
- Drivers
- Enclave Design
- Multiple Sites


Usernames and Passwords

2-Factor Authentication -- Drivers
- DOE passwords have a lifetime of no more than 6 months
- Keystroke capture tools are being used more and more by the bad guys
- 6 months is a lifetime for a bad guy to do bad things
- Difficult to detect since the username/password is real
- Shared resources across DOE exacerbate the problem
- 2-Factor one-time passwords solve this problem, almost:
  - Automated functions requiring authentication are more difficult
  - Replay attacks *MAY* be possible in some circumstances
  - Multi-site access with a single token is challenging
- The PNNL enclave design required 2-Factor OTP
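The keystroke-capture and replay points above, as an added example that is not part of the presentation and does not describe the token product PNNL deployed: a counter-based one-time password (the HOTP construction, HMAC-SHA1 with dynamic truncation) and a server-side verifier that remembers the highest counter it has accepted for each user, so a code lifted by a keystroke logger fails when it is replayed. The user name, shared secret and look-ahead window are constructed.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (HOTP construction): HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class OtpVerifier:
    """Server side: the highest counter already used per user is remembered, so a
    captured code is rejected on replay; a small look-ahead window lets the server
    resynchronise when the user pressed the token a few times without logging in."""
    def __init__(self, shared_secrets: dict, window: int = 5):
        self.shared_secrets = shared_secrets        # user -> secret (constructed)
        self.last_counter = {u: -1 for u in shared_secrets}
        self.window = window

    def verify(self, user: str, code: str) -> bool:
        secret = self.shared_secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1        # never look backwards: replay defence
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter  # burns this and every earlier counter
                return True
        return False

def demo() -> dict:
    """Constructed scenario: one login, the same code replayed, a resync, a stale code."""
    secret = b"constructed-demo-secret-12345"
    v = OtpVerifier({"alice": secret})
    first = hotp(secret, 0)
    return {
        "first_login": v.verify("alice", first),
        "replay_of_captured_code": v.verify("alice", first),
        "skipped_token_presses": v.verify("alice", hotp(secret, 3)),
        "outside_window": v.verify("alice", hotp(secret, 20)),
    }
```

The "automated functions" caveat in the slide is visible here too: a script cannot reuse a code it already sent, so unattended jobs need a different credential type.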



Multi-Program Labs require Multiple Security Policies

2-Factor Authentication -- Enclave Design
- PNNL is an Office of Science Laboratory with a significant National Security mission
  - Office of Science programs generally have many visitors, both on-site and remote, from around the world; security policy must accommodate this
  - National Security programs generally require security policies that are much more restrictive
  - Business and financial systems also require protection, but all PNNL staff need access to these systems
  - Wireless networks have unique issues
- PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL

Multi-Program Labs require Multiple Security Policies

2-Factor Authentication -- Enclave Design

Enclave Solution implemented at PNNL
- 2-Factor OTP a critical part of the enclave design
- Multiple enclaves with different security policies
- Programmatic requirements determine which enclave
- Each enclave isolated from others by firewall

Results we have seen at PNNL
- Prior to implementation: gnashing of teeth, wails, the world is ending as we know it
- After implementation: most staff not seriously impacted, the gnashing has stopped, we are still here, there are still some quiet wails though
- Benefit: lower risk associated with external access into the lab and improved access control to meet programmatic needs
- Still a work in progress

How to work with Others

2-Factor Authentication -- Multiple Sites
- 2-Factor OTP solutions for a single site are relatively straightforward
  - Single management policy and funding stream
  - Risk management and acceptance by site
- Integration between sites becomes more challenging
  - Multiple management policies and funding streams
  - Risk management and acceptance more difficult
  - Who trusts whom, and how much to trust them?
  - Changes in the risk profile at a single site affect other sites
- Questions on implementation
  - One token or many
  - How willing will the user base be
  - Will it harm scientific productivity


WiFi Security at PNNL
- Threats and Risk Mitigation
- 2nd Generation Architecture (Wireless Enclaves)
- Rogue Detection and Wireless IDS
- Future Directions


Scalable, Secure, and Flexible Wireless Access

WiFi Security -- Overall Network Goals and Objectives

Goal: Flexible Network Access
- Multiple, Adaptable Wireless Networks
  - Different security policies, authentication methods, and users
- Reliable, Scalable Coverage
  - High-density 802.11b/g
  - High-performance 802.11a hotspots, as needed
  - LAIs, sensitive areas, outdoors
  - Campuses and buildings in different locations across the US (rural to metro)
- Integration with wired networks, target key business applications
  - Staff productivity, extend network resources, and new mobility applications

Goal: Multi-Layered Security
- Basic, low-cost detection and location of rogue devices
  - Sensor functions built in to standard Cisco AP
- Advanced Wireless IDS functions
  - AirDefense, wireline methods
- Dedicated, specialized sensors, as needed (open source & proprietary)


Security Policy Separates Wireless and Wired Networks

WiFi Security -- Threats and Risk Mitigation

Diagram (Internet, Campus, Building A, Wireless Device; labels recovered from the figure):
- PNNL Networks (Building Access Control): Firewall; Staff Remote Access / VPN / 2-factor / FW; DMZ; IDS outbound traffic monitoring
- Wireless Networks (Enclave Access Control): Firewall; Wireline tools; Wireless IDS campus coverage (deploying)
- Primary Rogue Threat: a wireless device in Building A

Primary risk is that an outside attacker will bypass the enterprise firewall via a rogue. Note: the airspace DMZ covers the entire campus. Different than the wired DMZ.

Wireless Enclaves Add Flexibility and Security

WiFi Security -- 2nd Generation Architecture

Diagram: PNNL Wireless Networks, September 2003 (labels recovered from the figure)
- SSIDs configured on Cisco APs: RadioLAN (open), VisitorLAN (browser), RFnet (WEP 128-bit, user auth through 802.1x (EAP-TLS))
- RF nets built on Cisco APs, 1 radio channel, carried over a Cisco AP VLAN trunk
- Routers and firewalls separate VisitorLAN, RadioLAN and RFnet from each other and from the Internet
- Vernier Control Server and Vernier Access Manager on an out-of-band management network


WiFi Security -- Rogue Detection and Wireless IDS

Goals and Challenges

Primary Goals
- Achieve Acceptable Risk
- Mitigate primary threat of rogue open doors in ~60 buildings with network connections
- Cost-effective integration with overall network security systems, procedures and staff
- Mitigate risks sufficiently
- Cover Full Campus (Inside Buildings)
- Efficient 24x7 Operations
- Solid rogue coverage for these popular products and protocols

The Challenges (changing)
- Wide Area Network (2G, 2.5G, 3G): pagers, cell phones, Blackberries, smart phones
- Metro Area Network (IEEE 802.16)
- Local Area Network (IEEE 802.11 b/g/a or Wi-Fi*)
- Personal Area Network (IEEE 802.15): Bluetooth (growing fast); Zigbee, Ultra Wideband (UWB)

* Target popular unlicensed protocols, but address new DOE orders as needed


Combined Solution is Best for PNNL Environment

WiFi Security -- Rogue Detection and Wireless IDS
- Combined AirDefense-Cisco solution provides sufficient mitigation with the best functional capability, the most flexibility, at the least cost.
- See figure below for the multi-layered approach to wireless security and IDS.
- PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco)
- Rapidly changing wireless arena (both threats and opportunities)

Figure (multi-layered wireless security and IDS, labels recovered from the figure): Basic Rogue Detection/Location and Advanced Detection
- In the Air: Sensor Only (LAIs, mobile); Combined Access / Sensor (Buildings w/ Cisco APs)
- On the Wire: Wireline Tools (Covers Entire Network)


Rapid Growth in Use of Wireless Products and Services

WiFi Security -- Future Directions
- Wireless rogue detection is essential whether or not wireless is authorized for use in an enterprise.
- It is easy to install wireless that bypasses firewalls, either knowingly or not.
- Wireless enclaves provide a good solution for providing flexible architectures and levels of security.
- Technology is moving rapidly; more alternatives soon.
- Industry direction and investments will drive strong adoption of wireless in the marketplace.
- Wireless is the on-ramp to networks for many devices.
- How will this affect DOE and other government agencies?
  - DOE N 205.8 and other directives


Questions?

Contact Information
- Dave Hostetler, Wireless LAN Project Manager, dave.hostetler@pnl.gov, 509-375-2293
- Jeffery Mauth, jeff.mauth@pnl.gov, 509-375-2511
