U.S. Department of Energy
Pacific Northwest National Laboratory

July 2004

Presented by Jeffery Mauth
Pacific Northwest National Laboratory
jeff.mauth@pnl.gov

2-Factor Authentication & WiFi Security at PNNL

Presentation Outline

2-Factor Authentication at PNNL
• Drivers
• Enclave Design
• Multiple Sites

WiFi Security at PNNL
• Threats and Risk Mitigation
• 2nd Generation Architecture (Wireless Enclaves)
• Rogue Detection and Wireless IDS
• Future Directions

ESCC Meeting, July 21-22, 2004


2-Factor Authentication at PNNL
• Drivers
• Enclave Design
• Multiple Sites


2-Factor Authentication -- Drivers

Usernames and Passwords
• DOE passwords have a lifetime of no more than 6 months
• Keystroke capture tools are being used more and more by the bad guys
• 6 months is a lifetime for a bad guy to do bad things
• Difficult to detect, since the username/password is real
• Shared resources across DOE exacerbate the problem

2-Factor one-time passwords solve this problem ... almost
• Automated functions requiring authentication are more difficult
• Replay attacks *MAY* be possible in some circumstances (a captured OTP that the server has not yet consumed, or a server that does not record which codes it has already accepted)
• Multi-site access with a single token is challenging

The PNNL enclave design required 2-Factor OTP
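The replay caveat above is worth seeing in code. The following is an added example, not code from the slides or from PNNL's deployment: an RFC 4226 HOTP generator plus two server-side verifiers. The first accepts any code in a fixed window and never remembers what it consumed, so an OTP captured by a keystroke logger can be replayed; the second records the highest counter it has accepted and only searches above it. The secret is the RFC 4226 test-vector secret, and the verifier classes, window sizes and `replay_demo` helper are this example's own choices.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class NaiveVerifier:
    """Accepts any code whose counter lies in a fixed window and never records
    which codes it has consumed. A keystroke logger that captures one OTP can
    replay it until the window moves (if it ever does)."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window

    def verify(self, code: str) -> bool:
        return any(hmac.compare_digest(hotp(self.secret, c), code)
                   for c in range(self.window))


class ReplaySafeVerifier:
    """Records the highest counter it has accepted and only searches the
    look-ahead window above it, so a consumed code (or any older one) is
    rejected. `look_ahead` absorbs button presses that never reached a login."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing consumed yet; persist this per token

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # advance before returning: no re-use
                return True
        return False


def replay_demo(secret: bytes = b"12345678901234567890") -> dict:
    """Constructed demo: one captured code is presented twice to each verifier.
    Returns whether the second (replayed) presentation was accepted."""
    captured = hotp(secret, 0)               # what a keystroke logger would see
    naive = NaiveVerifier(secret)
    safe = ReplaySafeVerifier(secret)
    naive.verify(captured)                   # legitimate login
    safe.verify(captured)                    # legitimate login
    return {"naive_replay_accepted": naive.verify(captured),
            "safe_replay_accepted": safe.verify(captured)}


if __name__ == "__main__":
    print(replay_demo())
```

The look-ahead window is the only place a replay-safe HOTP server tolerates skipped counters; it should be small, and `last_counter` must be persisted and locked per token so that two concurrent logins cannot both consume the same code. Time-based tokens need the equivalent bookkeeping (remember the last accepted time step), since a code stays valid for the whole step otherwise.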


2-Factor Authentication -- Enclave Design

Multi-Program Labs require Multiple Security Policies

PNNL is an Office of Science Laboratory with a significant National Security mission
• Office of Science programs generally have many visitors, both on-site and remote, from around the world; security policy must accommodate them
• National Security programs generally require security policies that are much more restrictive
• Business and financial systems also require protection, but all PNNL staff need access to these systems
• Wireless networks have unique issues

PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL


2-Factor Authentication -- Enclave Design

Multi-Program Labs require Multiple Security Policies

Enclave Solution implemented at PNNL
• 2-Factor OTP is a critical part of the enclave design
• Multiple enclaves with different security policies
• Programmatic requirements determine which enclave
• Each enclave is isolated from the others by a firewall

Results we have seen at PNNL
• Prior to implementation: gnashing of teeth, wails, the world is ending as we know it ...
• After implementation: most staff not seriously impacted; the gnashing has stopped, we are still here, there are still some quiet wails though
• Benefit: lower risk associated with external access into the lab and improved access control to meet programmatic needs
• Still a work in progress


2-Factor Authentication -- Multiple Sites

How to work with Others

2-Factor OTP solutions for a single site are relatively straightforward
• Single management policy and funding stream
• Risk management and acceptance by site

Integration between sites becomes more challenging
• Multiple management policies and funding streams
• Risk management and acceptance more difficult
  – Who trusts whom, and how much to trust them?
  – Changes in the risk profile at a single site affect other sites

Questions on implementation
• One token or many?
• How willing will the user base be?
• Will it harm scientific productivity?



WiFi Security at PNNL
• Threats and Risk Mitigation
• 2nd Generation Architecture (Wireless Enclaves)
• Rogue Detection and Wireless IDS
• Future Directions


WiFi Security -- Overall Network Goals and Objectives

Scalable, Secure, and Flexible Wireless Access

Goal: Multi-Layered Security
• Basic, low-cost detection and location of "rogue" devices
  – Sensor functions built in to standard Cisco AP
• Advanced Wireless IDS functions
  – AirDefense, wireline methods
• Dedicated, specialized sensors, as needed (open source & proprietary)
  – LAIs, sensitive areas, outdoors
  – Campuses and buildings in different locations across the US (rural to metro)

Goal: Flexible Network Access
• Multiple, Adaptable Wireless Networks
  – Different security policies, authentication methods, and users
• Reliable, Scalable Coverage
  – High-density 802.11b/g
  – High-performance 802.11a "hotspots", as needed
• Integration with wired networks, target key business applications
  – Staff productivity, extend network resources, and new mobility applications


WiFi Security -- Threats and Risk Mitigation

Security Policy Separates Wireless and Wired Networks

[Figure: network diagram. The Internet reaches the campus through a DMZ. The PNNL wired networks (building access control) and the wireless networks (enclave access control) each sit behind their own firewall. In Building A, a wireless device attached to the wired network is the primary rogue threat: the threat path runs from outside the campus, through the rogue, into the building network, around the enterprise firewall.]

Mitigation
• Staff remote access via VPN / 2-factor / firewall
• IDS outbound traffic monitoring
• "Wireline" tools
• Deploying wireless IDS campus coverage

Primary risk is that an outside attacker will bypass the enterprise firewall via a rogue. Note: the "airspace DMZ" covers the entire campus, which is different from a wired DMZ.


WiFi Security -- 2nd Generation Architecture

Wireless Enclaves Add Flexibility and Security

[Figure: PNNL Wireless Networks, September 2003. The RF nets are built on Cisco APs, one radio channel per AP, with three SSIDs configured on each AP and carried to the routers over a VLAN trunk:
• RadioLAN -- WEP 128-bit
• VisitorLAN -- open; user authentication through the browser
• RFnet -- 802.1x (EAP-TLS)
A Vernier Access Manager, with a Vernier Control Server, controls access for the wireless networks; each network is separated from the others and from the Internet by firewalls, and the routers are reached over an out-of-band management network.]


WiFi Security -- Rogue Detection and Wireless IDS

Goals and Challenges

Primary Goals
• Achieve Acceptable Risk
  – Mitigate risks "sufficiently"
• Cover Full Campus (Inside Buildings)
  – Mitigate primary threat of rogue "open doors" in ~60 buildings with network connections
• Efficient 24x7 Operations
  – Cost-effective integration with overall network security systems, procedures and staff

The Challenges (changing...)
• Wide Area Network (2G, 2.5G, 3G)
  – Pagers, cell phones, Blackberries, "smart phones"
  – Metro Area Network (IEEE 802.16)
• Local Area Network (IEEE 802.11b/g/a or Wi-Fi*)
  – Solid rogue coverage for these popular products and protocols
• Personal Area Network (IEEE 802.15)
  – Bluetooth (growing fast)
  – Zigbee, Ultra Wideband (UWB)

* Target popular unlicensed protocols, but address new DOE orders as needed


WiFi Security -- Rogue Detection and Wireless IDS

Combined Solution is Best for PNNL Environment

Combined AirDefense-Cisco solution provides "sufficient mitigation" with the best functional capability, the most flexibility, at the least cost.
• See figure below for multi-layered approach to wireless security and IDS.

PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco)
• Rapidly changing wireless arena (both threats and opportunities)

[Figure: multi-layered approach. On the wire: wireline tools (cover the entire network). In the air: combined access/sensor on the Cisco APs (buildings with Cisco APs) for basic rogue detection and location, and sensor-only devices (LAIs, mobile) for advanced detection.]
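The two layers on this slide, APs-as-sensors in the air and wireline tools on the wire, only become a rogue "open door" finding when their data is joined. The following is an added example, not PNNL's or AirDefense's code: it takes one constructed sensor sweep (BSSID, SSID, channel, reporting sensor), an authorized-BSSID inventory, and a constructed switch MAC address table, and sorts each unknown radio into a rogue that is plugged into our switches, a radio spoofing one of our SSIDs, or an unauthorized radio with no wired footprint. The wireline test is a heuristic this example assumes (consumer APs usually derive the radio BSSID from their Ethernet MAC, so a wired MAC within a few addresses of the BSSID points at the rogue's switch port); the verdict names, the inventory and all MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- constructed sample data: an inventory, one sensor sweep, one switch MAC table ---
AUTHORIZED_BSSIDS: Set[str] = {
    "00:0b:85:5e:10:a0",   # our Cisco AP in building A, SSID RFnet
    "00:0b:85:5e:10:a1",   # same radio, SSID VisitorLAN
}
PNNL_SSIDS: Set[str] = {"RFnet", "VisitorLAN", "RadioLAN"}


@dataclass
class Observation:          # one beacon heard by an AP-as-sensor or a dedicated sensor
    bssid: str
    ssid: str
    channel: int
    sensor: str


@dataclass
class WiredEntry:           # one line of a switch MAC address table
    switch: str
    port: str
    mac: str


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str
    detail: str


SCAN: List[Observation] = [
    Observation("00:0b:85:5e:10:a0", "RFnet", 6, "ap-bldg-a-1"),
    Observation("00:09:5b:33:aa:07", "linksys", 11, "ap-bldg-a-1"),
    Observation("00:09:5b:33:aa:20", "RFnet", 6, "ap-bldg-b-3"),
    Observation("00:0c:41:7d:01:f0", "default", 1, "sensor-lai-2"),
]
WIRED: List[WiredEntry] = [
    WiredEntry("sw-a-1", "Fa0/3", "00:0b:85:5e:10:9f"),    # Ethernet side of our AP
    WiredEntry("sw-a-1", "Fa0/12", "00:09:5b:33:aa:06"),   # one below the "linksys" BSSID
    WiredEntry("sw-a-1", "Fa0/14", "00:11:22:33:44:55"),   # a workstation
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_neighbor(bssid: str, wired: List[WiredEntry], delta: int = 8) -> Optional[WiredEntry]:
    """Wireline heuristic (this example's assumption, not a PNNL method):
    consumer APs derive the radio BSSID from the Ethernet MAC, so a wired MAC
    within +/-delta of the BSSID means the radio hangs off one of our ports."""
    b = mac_to_int(bssid)
    for entry in wired:
        if abs(mac_to_int(entry.mac) - b) <= delta:
            return entry
    return None


def classify(scan: List[Observation], authorized: Set[str],
             pnnl_ssids: Set[str], wired: List[WiredEntry]) -> List[Finding]:
    findings: List[Finding] = []
    for obs in scan:
        if obs.bssid.lower() in authorized:
            findings.append(Finding(obs.bssid, obs.ssid, "authorized",
                                    f"inventory match, heard by {obs.sensor}"))
            continue
        neighbor = wired_neighbor(obs.bssid, wired)
        if neighbor is not None:
            verdict = "rogue-on-wire"          # the "open door" around the firewall
            detail = f"wired MAC {neighbor.mac} on {neighbor.switch} {neighbor.port}: shut the port"
        elif obs.ssid in pnnl_ssids:
            verdict = "evil-twin"              # our SSID from a radio we do not own
            detail = f"advertises {obs.ssid} from an unknown radio on channel {obs.channel}"
        else:
            verdict = "unauthorized-off-wire"  # neighbour's AP or an ad hoc device
            detail = f"no wired footprint; locate by RSSI from {obs.sensor}"
        findings.append(Finding(obs.bssid, obs.ssid, verdict, detail))
    return findings


def verdicts(scan=SCAN, authorized=AUTHORIZED_BSSIDS,
             pnnl_ssids=PNNL_SSIDS, wired=WIRED) -> Dict[str, str]:
    return {f.bssid: f.verdict for f in classify(scan, authorized, pnnl_ssids, wired)}


if __name__ == "__main__":
    for f in classify(SCAN, AUTHORIZED_BSSIDS, PNNL_SSIDS, WIRED):
        print(f"{f.verdict:22} {f.bssid}  {f.ssid!r:13} {f.detail}")
```

The MAC-adjacency test is cheap and catches the common consumer AP, but it misses a rogue whose wired MAC bears no relation to its BSSID (a laptop bridging its radio, or an AP with a cloned MAC); the wireline layer then has to fall back on port-level checks such as 802.1x on access ports or an unexpected number of MACs behind one port. Enclave separation limits what a rogue on the wire can reach but does not detect it, which is why the slides put rogue detection in front of the enclave design.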


WiFi Security -- Future Directions

Rapid Growth in Use of Wireless Products and Services

Wireless rogue detection is essential whether or not wireless is authorized for use in an enterprise.
• It is easy to install wireless devices that bypass firewalls, either knowingly or not.

Wireless enclaves provide a good solution for flexible architectures and levels of security.
• Technology is moving rapidly; more alternatives soon.

Industry direction and investments will drive strong adoption of wireless in the marketplace.
• Wireless "on ramp" to networks for many devices.
• How will this affect DOE and other government agencies?
  – DOE N 205.8 and other directives


Questions?

Contact Information

Dave Hostetler
Wireless LAN Project Manager
[email protected]

Jeffery Mauth
jeff.mauth@pnl.gov
509-375-2511