Threats and Risk Mitigation
2nd Generation Architecture (Wireless Enclaves)
Rogue Detection and Wireless IDS
Future Directions
Presented by Jeffery Mauth, Pacific Northwest National Laboratory, jeff.mauth@pnl.gov
July 2004
DOE passwords have a lifetime of no more than 6 months.
Keystroke capture tools are being used more and more by the bad guys.
6 months is a lifetime for a bad guy to do bad things.
Difficult to detect, since the username/password pair is real.
Shared resources across DOE exacerbate the problem.
2-factor one-time passwords solve this problem, almost:
Automated functions requiring authentication are more difficult.
Replay attacks MAY be possible in some circumstances (for example, if a verifier accepts the same one-time password a second time within its validity window).
Multi-site access with a single token is challenging.
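The replay caveat above is concrete enough to show in code. The following is an added example, not code from the presentation or from any DOE token product: it computes RFC 4226 HOTP and RFC 6238 TOTP values with the Python standard library, shows a stateless check that accepts a captured code again within its time window, and a stateful verifier that records the last counter or time step accepted per user and so refuses the replay. The user names, the look-ahead window of 5 and the drift tolerance of one step are assumptions for illustration.

```python
"""HOTP/TOTP verification with replay protection (added example, not from the slides)."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current time step, floor(now / step)."""
    return hotp(secret, int(now // step), digits)


def naive_totp_check(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Stateless check. Any code valid somewhere in the window is accepted, so a code
    captured by a keystroke logger and replayed within the same (or an adjacent)
    time step is accepted again. This is the 'replay MAY be possible' case."""
    cur = int(now // step)
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(cur - skew, cur + skew + 1))


class OtpVerifier:
    """Stateful verifier: remembers the highest HOTP counter / TOTP time step already
    used per user and refuses anything at or below it, which defeats replay."""

    def __init__(self, look_ahead: int = 5, step: int = 30, skew: int = 1):
        self.look_ahead = look_ahead   # assumed: HOTP counters searched past the last one used
        self.step = step
        self.skew = skew               # assumed: TOTP steps of clock drift tolerated each side
        self.last_counter: Dict[str, int] = {}
        self.last_step: Dict[str, int] = {}

    def verify_hotp(self, user: str, secret: bytes, code: str) -> bool:
        start = self.last_counter.get(user, -1) + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c   # every counter <= c is now dead
                return True
        return False   # wrong code, or a counter that was already consumed

    def verify_totp(self, user: str, secret: bytes, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        cur = int(now // self.step)
        for s in range(cur - self.skew, cur + self.skew + 1):
            if s <= self.last_step.get(user, -1):
                continue   # step already used by an earlier login: a replay
            if hmac.compare_digest(hotp(secret, s), code):
                self.last_step[user] = s
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    v = OtpVerifier()
    code = totp(secret, 1000)
    print("naive replay accepted:", naive_totp_check(secret, code, 1010))
    print("stateful first use:", v.verify_totp("bob", secret, code, now=1000))
    print("stateful replay:", v.verify_totp("bob", secret, code, now=1010))
```

The stateful verifier also covers the "automated functions" problem only partially: a script that needs to authenticate still has to obtain a fresh code per login, which is exactly why the slides call such functions harder to fit.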
Office of Science programs generally have many visitors, both on-site and remote, from around the world; security policy must accommodate them.
National Security programs generally require security policies that are much more restrictive.
Business and financial systems also require protection, but all PNNL staff need access to these systems.
Wireless networks have unique issues.
PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL.
2-factor OTP is a critical part of the enclave design.
Multiple enclaves with different security policies.
Programmatic requirements determine which enclave.
Each enclave is isolated from the others by a firewall.
Prior to implementation: gnashing of teeth, wails, the world is ending as we know it.
After implementation: most staff not seriously impacted, the gnashing has stopped, we are still here, there are still some quiet wails though.
Benefit: lower risk associated with external access into the lab, and improved access control to meet programmatic needs.
Still a work in progress.
2-factor OTP solutions for a single site are relatively straightforward:
Single management policy and funding stream.
Risk management and acceptance by the site.
Across multiple sites it is harder:
Multiple management policies and funding streams.
Risk management and acceptance are more difficult.
Who trusts whom, and how much to trust them?
Changes in the risk profile at a single site affect the other sites.
Questions on implementation:
One token or many?
How willing will the user base be?
Will it harm scientific productivity?
[Figure: campus wireless architecture. The Internet and the Campus network are separated by the enterprise firewall; the wireless airspace around the campus forms its own DMZ.]
Primary risk is that an outside attacker will bypass the enterprise firewall via a rogue access point.
Note: the airspace DMZ covers the entire campus. This is different from a wired DMZ.
SSIDs configured on Cisco APs: RadioLAN, VisitorLAN, RFnet.
Access controls shown for the enclaves: browser-based authentication, 128-bit WEP, and user authentication through 802.1X (EAP-TLS).
[Figure: network diagram of the wireless enclaves; only the router and firewall labels survived extraction.]
Primary Goals
Pagers, cell phones, Blackberries, smart phones
Metro Area Network (IEEE 802.16)
* Target popular unlicensed protocols, but address new DOE orders as needed
PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco).
The combined AirDefense-Cisco solution provides sufficient mitigation with the best functional capability, the most flexibility, at the least cost.
Rapidly changing wireless arena (both threats and opportunities).
See the figure below for the multi-layered approach to wireless security and IDS.
[Figure: multi-layered wireless security and IDS approach; layers shown: Basic Rogue Detection/Location, Advanced Detection, Sensor Only (LAIs, mobile).]
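The "Basic Rogue Detection" layer reduces to comparing what sensors hear against an inventory of sanctioned access points. The following is an added example, not PNNL's code and not AirDefense's or Cisco's detection logic: it takes a constructed sensor scan, checks each observed BSSID against a constructed inventory, and reports three kinds of finding: an unknown BSSID advertising one of the enclave SSIDs (an evil twin), a strong-signal unknown AP that is probably plugged in on campus and may bridge the wired LAN around the firewall, and a sanctioned AP whose advertised security no longer matches what was provisioned. The SSID names are the ones on the slide, but every BSSID, the security mapping per SSID, the scan format and the -65 dBm on-campus threshold are assumptions for illustration.

```python
"""Basic wireless rogue-AP detection against an authorized-AP inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory of sanctioned APs: BSSID -> (SSID, expected security).
# BSSIDs and the SSID-to-security mapping are assumptions, not PNNL's real configuration.
AUTHORIZED_APS: Dict[str, Tuple[str, str]] = {
    "00:0b:be:11:22:01": ("RadioLAN", "WEP"),
    "00:0b:be:11:22:02": ("VisitorLAN", "OPEN"),
    "00:0b:be:11:22:03": ("RFnet", "802.1X"),
}
ENTERPRISE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
ON_CAMPUS_RSSI = -65   # assumed threshold (dBm): stronger than this is probably on premises

# Constructed sensor scan, one AP per line: bssid ssid security channel rssi
SAMPLE_SCAN = [
    "00:0b:be:11:22:01 RadioLAN   WEP     1 -55",   # sanctioned, as expected
    "00:0b:be:11:22:03 RFnet      OPEN   11 -60",   # sanctioned AP with 802.1X switched off
    "00:0b:be:11:22:02 VisitorLAN OPEN    6 -58",   # sanctioned, as expected
    "00:1d:7e:aa:bb:cc RFnet      OPEN    6 -50",   # unknown BSSID using an enclave SSID
    "00:14:bf:12:34:56 linksys    OPEN    6 -48",   # strong unknown AP: likely on campus
    "00:0f:66:de:ad:01 homenet    WPA     3 -85",   # weak unknown AP: a neighbour, ignore
]


@dataclass
class Observation:
    bssid: str
    ssid: str
    security: str
    channel: int
    rssi: int


def parse_scan(lines: List[str]) -> List[Observation]:
    """Parse the constructed whitespace-separated scan format above."""
    obs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, sec, ch, rssi = line.split()
        obs.append(Observation(bssid.lower(), ssid, sec.upper(), int(ch), int(rssi)))
    return obs


def classify(o: Observation) -> Optional[str]:
    """Finding label, or None when the AP is sanctioned and as expected, or a weak
    neighbour that is almost certainly off campus."""
    if o.bssid in AUTHORIZED_APS:
        exp_ssid, exp_sec = AUTHORIZED_APS[o.bssid]
        if (o.ssid, o.security) != (exp_ssid, exp_sec):
            return "authorized-ap-misconfigured"
        return None
    if o.ssid in ENTERPRISE_SSIDS:
        return "evil-twin"                    # impersonates an enclave SSID, whatever the signal
    if o.rssi >= ON_CAMPUS_RSSI:
        return "rogue-candidate-on-campus"    # may bridge the wired LAN past the firewall
    return None


def detect_rogues(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (bssid, ssid, finding) for every observation that needs follow-up."""
    findings = []
    for o in parse_scan(lines):
        label = classify(o)
        if label:
            findings.append((o.bssid, o.ssid, label))
    return findings


if __name__ == "__main__":
    for bssid, ssid, finding in detect_rogues(SAMPLE_SCAN):
        print(f"{finding:30} {bssid}  {ssid}")
```

The signal-strength cut is what separates "rogue on campus" from "neighbour across the street"; a sensor-only deployment improves on it by locating the emitter from several sensors' readings, which is the "Rogue Detection/Location" layer in the figure.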
Wireless rogue detection is essential whether or not wireless is authorized for use in an enterprise.
Wireless devices that bypass the firewall are easy to install, knowingly or not.
Wireless enclaves are a good solution for providing flexible architectures and levels of security.
Technology is moving rapidly; more alternatives soon.
Industry direction and investments will drive strong adoption of wireless in the marketplace.
Wireless is the on-ramp to networks for many devices.
How will this affect DOE and other government agencies?
DOE N 205.8 and other directives
Questions?
Contact Information
Dave Hostetler, Wireless LAN Project Manager, dave.hostetler@pnl.gov, 509-375-2293
Jeffery Mauth, jeff.mauth@pnl.gov, 509-375-2511