Secure Wi-Fi for Large Scale Events and Arenas

Presentation to Cambridge Wireless, Security and Defence SIG
Rob Blakemore, 15 November 2011

Secure Wi-Fi for Large Scale Events and Arenas

  1. Title slide (17 November 2011)
     Secure Wi-Fi for Large Scale Events and Arenas
     Presentation to Cambridge Wireless, Security and Defence SIG
     Rob Blakemore, 15 November 2011
     © Logica 2008. All rights reserved

  2. Agenda
     • Introduction: Rob Blakemore
     • Part 1: Wi-Fi for Large Scale Events and Arenas
     • Part 2: Deploying secure Wi-Fi
     Secure Wi-Fi for Large Scale Events and Arenas No. 2

  3. Why Deploy Wi-Fi In Arenas?

  4. Wi-Fi To Overtake Wired Network Traffic By 2015
     Source: Cisco's Global IP Traffic Forecast

  5. Challenges
     • RF Congestion
     • Current Hardware
     • Mobility
     • Security

  6. 3rd Generation Wireless – How It Works
     [Figure: cell diagram of overlapping access points on channels 1, 6 and 11]
     • Mobility is provided through a cell-based architecture and channel roaming.
     • Access points (APs) are placed to create areas of slightly overlapping Wi-Fi coverage, each on a different frequency channel.
     • Communication breaks off during a 'roam'.
     • 2.4 GHz only allows three non-overlapping channels (e.g. 1, 6, 11).
     • Significant co-channel interference.
     Note: cells are never "circular", especially with 802.11n, so areas of coverage are unpredictable.

  7. Gartner: 4th Generation Wireless – Removing Roaming
     [Figure: single-channel deployment, labelled "Channel 1 ONLY = no roaming"]
     • 4th Generation wireless addresses the performance issues of roaming by removing roaming altogether.
     • In 3rd Generation, the client decides when to access the network; in 4th Generation, the controller of the AP makes the decision.
     • Removes co-channel interference from other APs.
     "Fourth Generation WLAN makes a lot of sense… It makes even more sense in the 802.11n world." – Mike King, Research Director, Gartner

  8. Range and Throughput of 802.11 Wireless
     • Data rate and throughput are a function of distance.
     • To achieve the maximum data rate, you have to be very close to the AP (around 30 feet).
     • "Edge-users" will experience a significantly lower data throughput.
     • The need for the AP to constantly switch to slower protocols in order to support edge users significantly lowers the throughput of the entire system.

  9. 3rd Generation Wireless – Roaming decision is the client's choice
     The handoff (roaming) decision is up to the client, not the infrastructure. This leads to "client bunching" and increased "edge users".
     Client bunching = a client holds on to its current AP, at lower data rates, even when closer APs are available to serve it at higher data rates.

  10. Stadiums – Exacerbation of several problems
     • No walls to block signals.
     • Heavy use of metal, resulting in unpredictable signal paths.
     • Significant number of simultaneous users.
     • Significant mobility can increase edge users at lower rates, lowering throughput in the system, with clients not communicating with the closest AP.

  11. UK Stadium Deployments of 4th Generation Wireless
     • MEN Arena: Capacity 21k
     • Emirates: Capacity 65k
     • Twickenham: Capacity 90k
     • Millennium Stadium: Capacity 95k

  12. Deploying Secure Wi-Fi
     • Wi-Fi Protected Access (WPA) is the security certification program developed by the Wi-Fi Alliance.
     • The Wi-Fi Alliance is a trade association comprising 375 members.
     • The Wi-Fi Alliance owns the Wi-Fi CERTIFIED logo, and only permits it to be used on products passing rigorous security testing to its standards.
     • Testing to the "WPA2" standard is required on all Wi-Fi CERTIFIED devices certified since 2006. This uses the AES-CCMP encryption standard, and is the security mechanism that should always be deployed wherever hardware supports it.
  13. Two modes of WPA2: Personal and Enterprise
     1. Personal [AKA PSK (Pre-shared key) mode]
        Designed for home and small office networks. Each wireless network device authenticates with the AP using the same 256-bit key. The 256-bit key is derived from a passphrase of 8-63 characters. Vulnerable to dictionary-based attacks.
     2. Enterprise [AKA WPA-802.1X mode]
        Designed for enterprise networks; it requires a RADIUS authentication server. Every user has their own unique authentication. Extensible Authentication Protocol (EAP) is used for authentication.

  14. Enterprise Authentication with Digital Certificates
     • The strongest form of wireless security makes use of Digital Certificates in both authentication (and encryption).
     • Two common wireless mechanisms using Digital Certificates are PEAP and TLS.
     • Certificates can be stored in the client devices, or held externally in smart cards/USB tokens for greater security.

  15. Enterprise – Mutual Authentication with Certificates
     PEAP – Only the Server Authenticates with a Certificate
     [Figure: the server presents a certificate; the client proves its identity with a password]
     TLS – Both Client and Server Authenticate with Certificate(s)
     [Figure: client and server each present a certificate]

  16. WPA2 – Encryption with AES-CCMP
     • AES-CCMP is an encryption protocol built on the AES block cipher (in CCM mode); it uses a Temporal Key (TK) of 128 bits to encrypt/decrypt all unicast data packets on the wireless network.
     • The Temporal Key is derived (over a series of exchanges) from the Pairwise Master Key (PMK).
     • The PMK is always 256 bits, obtained from one of two places:
       Personal mode: generated from the passphrase (of 8-63 chars). [PMK is identical for all users on the WLAN.]
       Enterprise mode: generated from material in the RADIUS exchange. [PMK is different for every user on the WLAN.]
     • CCMP encryption is currently secure (so long as the PMK remains secret).
     • CCMP is recommended for all Wi-Fi implementations (Personal & Enterprise).
     • Never use WEP, and avoid TKIP when possible.
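The two PMK sources and the PMK-to-TK expansion that slides 13 and 16 describe, as an added example that is not part of the presentation and not Logica's code. It follows the IEEE 802.11i definitions: PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output, SSID as salt) for the Personal-mode PMK, the first 256 bits of the EAP Master Session Key for the Enterprise-mode PMK, and PRF-384 over the 4-way-handshake nonces for the PTK whose last 128 bits are the CCMP Temporal Key. Only the Python standard library is used; the function names, the MAC addresses, the nonces and the MSK bytes are constructed for illustration.

```python
# Added example: WPA2 key hierarchy (PMK -> PTK -> TK) per IEEE 802.11i.
# Not code from the presentation. MACs, nonces and MSK material are constructed.
import hashlib
import hmac
import os


def personal_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal (PSK) mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 256 bits).

    Every station on the WLAN computes the same PMK, and the derivation needs
    nothing secret besides the passphrase, which is why the slides call this
    mode vulnerable to dictionary attacks: passphrase strength is the defence.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def enterprise_pmk(msk: bytes) -> bytes:
    """Enterprise (802.1X) mode: PMK = first 256 bits of the EAP Master Session Key.

    The MSK is produced per authentication by the EAP method (e.g. EAP-TLS) and
    handed to the AP by the RADIUS server, so each user session gets its own PMK.
    """
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """4-way handshake key expansion for CCMP.

    PTK = PRF-384(PMK, "Pairwise key expansion",
                  min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    Returns (KCK, KEK, TK): 128-bit key confirmation key, key encryption key and
    the Temporal Key that CCMP uses for the unicast data frames.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]


def session_tk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Convenience wrapper returning only the Temporal Key for one association."""
    return derive_ptk(pmk, aa, spa, anonce, snonce)[2]


if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")    # constructed AP MAC (AA)
    sta1 = bytes.fromhex("66778899aabb")  # constructed station MACs (SPA)
    sta2 = bytes.fromhex("ccddeeff0011")

    # Personal: both stations hold the same PMK because passphrase and SSID are shared.
    pmk1 = personal_pmk("password", "IEEE")
    pmk2 = personal_pmk("password", "IEEE")
    print("Personal PMK identical for every user:", pmk1 == pmk2, pmk1.hex())

    # Enterprise: each EAP session yields a fresh MSK, hence a distinct PMK.
    e1 = enterprise_pmk(os.urandom(64))
    e2 = enterprise_pmk(os.urandom(64))
    print("Enterprise PMKs differ per user:", e1 != e2)

    # Even with a shared PMK, per-association nonces give each station its own TK.
    tk1 = session_tk(pmk1, ap, sta1, os.urandom(32), os.urandom(32))
    tk2 = session_tk(pmk1, ap, sta2, os.urandom(32), os.urandom(32))
    print("Per-session TKs differ:", tk1 != tk2, tk1.hex())
```

The `personal_pmk("password", "IEEE")` call reproduces the IEEE 802.11i Annex H test vector, so the derivation can be checked against the standard. The point the slides make falls out of the code: in Personal mode the PMK depends only on public (SSID) and shared (passphrase) inputs, so every station and anyone holding the passphrase has it, whereas in Enterprise mode the PMK is fresh per authentication and never leaves the RADIUS/AP/client triangle; in both modes the per-session TK differs because the handshake nonces differ.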
  17. Government-Certified Wireless Networking with 'Manual Y'
     • Manual Y is a document written by CESG which identifies the technological and procedural requirements for deploying WPA2 wireless security in Government systems.
     • CESG is a branch of GCHQ responsible for advising the UK Government on IT and security issues.
     • Logica were the very first organisation to successfully pass an IACS review by CESG of a Manual Y implementation.
     • It covers protectively marked communications up to RESTRICTED level.
     • Manual Y mandates the use of EAP-TLS, but goes much further, specifying additional configuration settings in both the wireless and related technology, and procedural requirements on certificate handling, documentation, training, etc.
     • Logica have produced documentation and diagrams of practical 'lessons learnt' arising from our delivery of the process, which will help all future installations.
     • Logica worked closely with CESG during the first deployment of 'Manual Y', and identified and helped CESG address a number of practical implementation issues with the 1st version of the document.

  18. Example: TLS at ABRO (Army Based Repair Agency)
     • ABRO is a defence engineering business.
     • It offers servicing, repair and re-manufacturing of a variety of equipment to the UK Armed Forces.
     • ABRO own a number of Stores Warehouses in the UK holding essential part supplies.
     • Stores inventory and part selection at ABRO has historically been slow: stock updates are performed sporadically on stationary PCs, and part selection involves error-prone paper-based procedures.
     • Moving stores management functions to portable secure wireless devices will bring improved data accuracy (with immediate stock updates), cost efficiencies, and faster job resolution times.
     • ABRO completed its merger with DARA in April 2008 and re-launched as the Defence Support Group (DSG).

  19. Product Evaluation
     UK Evaluation – CAPS: CESG Approved Product Scheme. 2 grades: baseline for RESTRICTED, enhanced for SECRET.
     US Evaluation – FIPS-140: Federal Information Processing Standards [140 = cryptographic modules].
     International – Common Criteria (including by UK): EAL (Evaluation Assurance Level) 1–7 (indicates the rigour of testing to specs).
     • Manual Y considers correct implementation and configuration of Wi-Fi.
     • Manual Y is not a direct replacement for Baseline Grade evaluations, but may be appropriate for smaller requirements where flexibility is important. Additional security measures may be required for larger installs.
     • The Accreditor manages the risk, and will present recommendations to the Department Head.

  20. Example: Additional Accreditation in Defence Sector
     • DSSO (Defence Security Standards Organisation) Accreditation is required on all MoD IT systems.
     • Accreditation of a site is an ongoing process. All significant changes to a system require consultation with the DSSO Accreditor.
     • The DSSO Accreditor receives advice and considers various Infosec risks (and counter-measures). He decides on the acceptance (or not) of any residual risks.
     • JSP440 – "The Defence Manual of Security" is the "bible" used by the Accreditor. The latest version includes a new section on wireless deployments, allowing their use up to RESTRICTED. It mandates the involvement and agreement of a DSSO Accreditor in any deployment, along with an independent security review.
     • In our experience, the Accreditor has mandated both an IACS Review (to ensure compliance with Manual Y) and a CHECK Penetration Test as pre-requisites to deploying a new wireless network on an in-situ Accredited system.
     • Other organisations (such as CIDA) must also be involved to check on physical security (i.e. TEMPEST) and safety regulations. The CIDA requirements are captured in JSP480.
     • Logica have proven success in bringing all these bodies together – including the CESG validation team and the DSSO Accreditor – in order to quickly attain common agreement, and ensure that solutions are installed successfully.

  21. Questions?
     Contact address: rob.blakemore@logica.com

  22. Closing slide
     Secure Wi-Fi for Large Scale Events and Arenas
