2-Factor Authentication & WiFi Security at PNNL - PowerPoint PPT Presentation

Presentation Transcript

2-Factor Authentication & WiFi Security at PNNL

ESCC Meeting, July 21-22, 2004

Presentation Outline:

2-Factor Authentication at PNNL

Drivers

Enclave Design

Multiple Sites

WiFi Security at PNNL

Threats and Risk Mitigation

2nd Generation Architecture (Wireless Enclaves)

Rogue Detection and Wireless IDS

Future Directions

Presented by

Jeffery Mauth

Pacific Northwest National Laboratory

jeff.mauth@pnl.gov



2-Factor Authentication at PNNL

Drivers

Enclave Design

Multiple Sites


2-Factor Authentication -- Drivers
Usernames and Passwords

  • DOE passwords have a lifetime of no more than 6 months

  • Keystroke capture tools are being used more and more by the bad guys

  • 6 months is a lifetime for a bad guy to do bad things

  • Difficult to detect, since the username/password being used is real

  • Shared resources across DOE exacerbate the problem

  • 2-Factor one-time passwords solve this problem … almost

    • Automated functions requiring authentication are more difficult

    • Replay attacks *MAY* be possible in some circumstances

    • Multi-site access with a single token is challenging

  • The PNNL enclave design required 2-Factor OTP
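The two points above (a captured username/password is good for the whole password lifetime; one-time passwords fix that "almost", because a server that does not burn accepted counters can be replayed) can be seen in a few lines of code. The following is an added example, not material from the presentation or from any PNNL system: an RFC 4226 HOTP verifier with a switch between a replay-safe and a replay-prone search window. The token seed, the static password, the window size and the "captured" login are all constructed for the demo.

```python
"""HOTP (RFC 4226) one-time passwords with and without replay protection."""
import hashlib
import hmac
import struct

# Constructed token seed and static password for the demo; not real credentials.
SEED = b"constructed-demo-token-seed-0001"
PASSWORD = "correct horse"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OTPServer:
    """Validates static password + OTP for one user's token.

    replay_safe=True : only counters strictly above the last accepted one
                       are searched, so an accepted OTP can never be reused.
    replay_safe=False: the search window also reaches `window - 1` counters
                       backwards (a resync shortcut some implementations take),
                       which is exactly the replay hole the slide warns about.
    """

    def __init__(self, seed: bytes, password: str, window: int = 5,
                 replay_safe: bool = True) -> None:
        self.seed = seed
        self.password = password
        self.window = window
        self.replay_safe = replay_safe
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, password: str, otp: str) -> bool:
        # Both factors must pass; constant-time compares avoid timing leaks.
        if not hmac.compare_digest(password, self.password):
            return False
        if self.replay_safe:
            low = self.last_counter + 1
        else:
            low = max(0, self.last_counter - self.window + 1)
        high = self.last_counter + self.window + 1
        for counter in range(low, high):
            if hmac.compare_digest(hotp(self.seed, counter), otp):
                self.last_counter = max(self.last_counter, counter)
                return True
        return False


def keylogger_scenario(replay_safe: bool) -> dict:
    """A user logs in once while a keystroke logger records the session;
    the attacker then replays the captured password + OTP verbatim."""
    server = OTPServer(SEED, PASSWORD, replay_safe=replay_safe)
    token_counter = 0                         # user's token is at its first OTP
    captured_otp = hotp(SEED, token_counter)  # what the logger sees typed
    user_login = server.verify(PASSWORD, captured_otp)
    attacker_replay = server.verify(PASSWORD, captured_otp)
    # The stolen static password alone is useless against either server.
    password_only = server.verify(PASSWORD, "000000")
    return {"user_login": user_login, "attacker_replay": attacker_replay,
            "password_only": password_only}


if __name__ == "__main__":
    for safe in (True, False):
        print(f"replay_safe={safe}: {keylogger_scenario(safe)}")
```

With `replay_safe=True` the attacker's replay fails because the server will only search counters above the one it already accepted; with `replay_safe=False` the same captured keystrokes log the attacker in. The "automated functions" caveat on the slide is the flip side of the same property: a script cannot pre-store an OTP for later, so batch jobs need a different credential type.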


2-Factor Authentication -- Enclave Design
Multi-Program Labs require Multiple Security Policies

  • PNNL is an Office of Science Laboratory with a significant National Security mission

    • Office of Science programs generally have many visitors, both on-site and remote, from around the world; security policy must accommodate them

    • National Security programs generally require security policies that are much more restrictive

    • Business and financial systems also require protection, but all PNNL staff need access to these systems

    • Wireless networks have unique issues

  • PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL


2-Factor Authentication -- Enclave Design (continued)
Multi-Program Labs require Multiple Security Policies

  • Enclave solution implemented at PNNL

    • 2-Factor OTP is a critical part of the enclave design

    • Multiple enclaves with different security policies

    • Programmatic requirements determine which enclave a system belongs in

    • Each enclave is isolated from the others by a firewall

  • Results we have seen at PNNL

    • Prior to implementation: gnashing of teeth, wails, the world is ending as we know it …

    • After implementation: most staff not seriously impacted, the gnashing has stopped, we are still here; there are still some quiet wails though

    • Benefit: lower risk associated with external access into the lab and improved access control to meet programmatic needs

    • Still a work in progress


2-Factor Authentication -- Multiple Sites
How to Work with Others

  • 2-Factor OTP solutions for a single site are relatively straightforward

    • Single management policy and funding stream

    • Risk management and acceptance by the site

  • Integration between sites becomes more challenging

    • Multiple management policies and funding streams

    • Risk management and acceptance are more difficult

      • Who trusts whom, and how much?

      • A change in the risk profile at a single site affects the other sites

  • Questions on implementation

    • One token or many?

    • How willing will the user base be?

    • Will it harm scientific productivity?



WiFi Security at PNNL

Threats and Risk Mitigation

2nd Generation Architecture (Wireless Enclaves)

Rogue Detection and Wireless IDS

Future Directions


WiFi Security -- Overall Network Goals and Objectives
Scalable, Secure, and Flexible Wireless Access

  • Goal: Flexible Network Access

    • Multiple, adaptable wireless networks

      • Different security policies, authentication methods, and users

    • Reliable, scalable coverage

      • High-density 802.11b/g

      • High-performance 802.11a “hotspots”, as needed

    • Integration with wired networks, targeting key business applications

      • Staff productivity, extended network resources, and new mobility applications

  • Goal: Multi-Layered Security

    • Basic, low-cost detection and location of “rogue” devices

      • Sensor functions built in to standard Cisco AP

    • Advanced Wireless IDS functions

      • AirDefense, wireline methods

    • Dedicated, specialized sensors, as needed (open source & proprietary)

      • LAIs, sensitive areas, outdoors

      • Campuses and buildings in different locations across the US (rural to metro)


WiFi Security -- Threats and Risk Mitigation
Security Policy Separates Wireless and Wired Networks

[Diagram; only its labels survive: Internet; Firewall (two instances); DMZ; PNNL Networks (Building Access Control); Wireless Networks (Enclave Access Control); Building A; Campus; Wireless Device; Threat; Primary Rogue Threat.]

Mitigation

  • Staff Remote Access / VPN / 2-factor / FW

  • IDS outbound traffic monitoring

  • “Wireline” tools

  • Deploying Wireless IDS campus coverage

Primary risk is that an outside attacker will bypass the enterprise firewall via a rogue access point. Note: the “Airspace DMZ” covers the entire campus, which makes it different from a wired DMZ.


WiFi Security -- 2nd Generation Architecture
Wireless Enclaves Add Flexibility and Security


WiFi Security -- Rogue Detection and Wireless IDS
Goals and Challenges

  • Primary Goals

    • Achieve acceptable risk

      • Mitigate risks “sufficiently”

    • Cover the full campus (inside buildings)

      • Mitigate the primary threat of rogue “open doors” in ~60 buildings with network connections

    • Efficient 24x7 operations

      • Cost-effective integration with overall network security systems, procedures and staff

  • The Challenges (changing…)

    • Wide Area Network (2G, 2.5G, 3G)

      • Pagers, cell phones, Blackberries, “smart phones”

      • Metro Area Network (IEEE 802.16)

    • Local Area Network (IEEE 802.11b/g/a, or Wi-Fi*)

      • Solid rogue coverage for these popular products and protocols

    • Personal Area Network (IEEE 802.15)

      • Bluetooth (growing fast)

      • Zigbee, Ultra Wideband (UWB)

* Target popular unlicensed protocols, but address new DOE orders as needed


WiFi Security -- Rogue Detection and Wireless IDS
Combined Solution is Best for PNNL Environment

  • Combined AirDefense-Cisco solution provides “sufficient mitigation” with the best functional capability, the most flexibility, at the least cost.

    • See figure below for multi-layered approach to wireless security and IDS.

  • PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco)

    • Rapidly changing wireless arena (both threats and opportunities)

Multi-layered approach (figure, reconstructed from its labels as a table):

                Basic Rogue Detection/Location                     Advanced Detection
  In the Air    Combined Access / Sensor (Buildings w/ Cisco APs)   Sensor Only (LAIs, mobile)
  On the Wire   Wireline Tools (Covers Entire Network)
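What the "in the air" and "on the wire" layers above buy you, and why the threat slide calls a rogue on the wire the primary risk, is easiest to see in a small triage routine. The following is an added example written for this page; it is not code from the presentation nor from the Cisco or AirDefense products it names. The AP inventory, the sensor sweep, the switch MAC-address table, the "wired MAC within ±4 of the BSSID" adjacency heuristic and the -65 dBm "inside our building" threshold are all constructed assumptions.

```python
"""Rogue AP triage: correlate what sensors see "in the air" with what the
switches see "on the wire", and rank the result by how close it is to the
primary threat (an unmanaged radio that bypasses the enterprise firewall)."""
from dataclasses import dataclass

# ---- constructed inventory and observations (not real PNNL data) ----
AUTHORIZED_BSSIDS = {"00:0b:85:11:22:30", "00:0b:85:11:22:40"}
AUTHORIZED_SSIDS = {"PNNL-STAFF", "PNNL-GUEST"}

# "In the air": one sweep's worth of beacons as a sensor would report them.
AIR_SCAN = [
    {"bssid": "00:0b:85:11:22:30", "ssid": "PNNL-STAFF", "rssi": -45, "sensor": "bldg-A-2"},
    {"bssid": "00:0b:85:11:22:40", "ssid": "PNNL-GUEST", "rssi": -60, "sensor": "bldg-A-2"},
    {"bssid": "00:09:5b:aa:bb:cc", "ssid": "linksys",    "rssi": -38, "sensor": "bldg-A-2"},
    {"bssid": "00:1a:2b:33:44:55", "ssid": "PNNL-STAFF", "rssi": -70, "sensor": "bldg-A-1"},
    {"bssid": "00:12:17:01:02:03", "ssid": "NETGEAR",    "rssi": -50, "sensor": "bldg-B-3"},
    {"bssid": "00:40:96:de:ad:01", "ssid": "CoffeeShop", "rssi": -85, "sensor": "bldg-C-1"},
]

# "On the wire": a dump of switch MAC-address tables as (mac, switch, port).
WIRE_MACS = [
    ("00:0b:85:11:22:30", "sw-A-2", "Gi1/0/1"),
    ("00:0b:85:11:22:40", "sw-A-2", "Gi1/0/2"),
    ("00:09:5b:aa:bb:cd", "sw-A-2", "Gi1/0/17"),   # wired side of the linksys box
    ("00:50:56:00:11:22", "sw-A-1", "Gi1/0/9"),    # an ordinary workstation
]

# Assumed heuristics (tune per vendor and site).
MAC_ADJACENCY = 4   # consumer APs often use a wired MAC within +/- a few of the BSSID
STRONG_RSSI = -65   # dBm; stronger than this is taken to mean "inside our building"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def find_on_wire(bssid: str, wire_macs, adjacency: int = MAC_ADJACENCY):
    """Return (switch, port) if a MAC within +/- adjacency of the BSSID is
    present in the switch tables, i.e. the radio is plugged into our LAN."""
    table = {mac_to_int(mac): (switch, port) for mac, switch, port in wire_macs}
    base = mac_to_int(bssid)
    for delta in range(-adjacency, adjacency + 1):
        hit = table.get(base + delta)
        if hit is not None:
            return hit
    return None


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str
    severity: str
    location: str


def triage(scan, wire_macs, authorized_bssids=AUTHORIZED_BSSIDS,
           authorized_ssids=AUTHORIZED_SSIDS):
    """Classify every non-authorized BSSID seen in the air."""
    findings = []
    for obs in scan:
        bssid, ssid = obs["bssid"], obs["ssid"]
        if bssid in authorized_bssids:
            continue                                  # one of our own APs
        wire = find_on_wire(bssid, wire_macs)
        if wire is not None:
            # The "open door": an unmanaged radio bridged onto the wired network.
            findings.append(Finding(bssid, ssid, "rogue-on-wire", "critical",
                                    f"{wire[0]} port {wire[1]}"))
        elif ssid in authorized_ssids:
            # Someone advertising our SSID from hardware we do not own.
            findings.append(Finding(bssid, ssid, "evil-twin", "high",
                                    f"near sensor {obs['sensor']}"))
        elif obs["rssi"] > STRONG_RSSI:
            # Strong signal but not on our wire: send someone to locate it.
            findings.append(Finding(bssid, ssid, "suspected-rogue", "medium",
                                    f"near sensor {obs['sensor']}"))
        else:
            findings.append(Finding(bssid, ssid, "neighbor", "low",
                                    f"near sensor {obs['sensor']}"))
    return findings


if __name__ == "__main__":
    for f in triage(AIR_SCAN, WIRE_MACS):
        print(f"{f.severity:8} {f.verdict:16} {f.bssid} ({f.ssid}) {f.location}")
```

The ordering of the checks is the point: a BSSID whose wired twin shows up in a switch table is the firewall bypass and gets a switch port you can shut, ahead of anything the air-side signal strength alone can tell you. The air-only verdicts ("evil-twin", "suspected-rogue", "neighbor") are what the sensor layer contributes where no wireline match exists, and a weak signal from an unknown SSID is, by design, the lowest priority rather than an alarm.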


WiFi Security -- Future Directions
Rapid Growth in Use of Wireless Products and Services

  • Wireless rogue detection is essential whether or not wireless is authorized for use in an enterprise

    • It is easy to install wireless equipment that bypasses firewalls, knowingly or not

  • Wireless enclaves provide a good solution for flexible architectures and levels of security

    • Technology is moving rapidly; more alternatives soon

  • Industry direction and investments will drive strong adoption of wireless in the marketplace

    • Wireless “on ramp” to networks for many devices

    • How will this affect DOE and other government agencies?

      • DOE N 205.8 and other directives



Questions?

Contact Information

Dave Hostetler

Wireless LAN Project Manager

dave.hostetler@pnl.gov

509-375-2293

Jeffery Mauth

jeff.mauth@pnl.gov

509-375-2511