Presentation is loading. Please wait.

Presentation is loading. Please wait.

U.S. Department of Energy Pacific Northwest National Laboratory July 2004 Presented by Jeffery Mauth Pacific Northwest National Laboratory

Published byBrittney Peale Modified over 9 years ago

Similar presentations

Presentation on theme: "U.S. Department of Energy Pacific Northwest National Laboratory July 2004 Presented by Jeffery Mauth Pacific Northwest National Laboratory"— Presentation transcript:

1 U.S. Department of Energy Pacific Northwest National Laboratory July 2004 Presented by Jeffery Mauth Pacific Northwest National Laboratory jeff.mauth@pnl.gov 2-Factor Authentication & WiFi Security at PNNL Presentation Outline: 2-Factor Authentication at PNNL Drivers Enclave Design Multiple Sites WiFi Security at PNNL Threats and Risk Mitigation 2nd Generation Architecture (Wireless Enclaves) Rogue Detection and Wireless IDS Future Directions ESCC Meeting, July 21-22, 2004

2 U.S. Department of Energy Pacific Northwest National Laboratory July 2004 2-Factor Authentication at PNNL Drivers Enclave Design Multiple Sites

3 U.S. Department of Energy Pacific Northwest National Laboratory 3 2-Factor Authentication -- Drivers Usernames and Passwords n DOE passwords have a lifetime of no more than 6 months n Keystroke capture tools are being used more and more by the bad guy’s n 6 months is a lifetime for a bad guy to do bad things n Difficult to detect since username/password is real n Shared resources across DOE exacerbate the problem n 2-Factor one time passwords solve this problem … almost Automated functions requiring authentication are more difficult Replay attacks *MAY* be possible in some circumstances Multi-site access with a single token challenging n The PNNL enclave design required 2-Factor OTP

4 U.S. Department of Energy Pacific Northwest National Laboratory 4 2-Factor Authentication -- Enclave Design Multi-Program Labs require Multiple Security Policies n PNNL is an Office of Science Laboratory with a significant National Security mission Office of Science programs generally have many visitors both on-site and remote from around the world, security policy must accommodate National Security programs generally require security policies that are much more restrictive Business and financial systems also require protection but all PNNL staff need access to these systems Wireless networks have unique issues n PNNL evaluated different strategies to solve these problems and determined that an enclave solution was best for PNNL

5 U.S. Department of Energy Pacific Northwest National Laboratory 5 2-Factor Authentication -- Enclave Design Multi-Program Labs require Multiple Security Policies n Enclave Solution implemented at PNNL 2-Factor OTP a critical part of the enclave design Multiple enclaves with different security policies Programmatic requirements determine which enclave Each enclave isolated from others by firewall n Results we have seen at PNNL Prior to implementation, gnashing of teeth, wails, the world is ending as we know it … After implementation most staff not seriously impacted, the gnashing has stopped, we are still here, there are still some quiet wails though Benefit: Lower risk associated with external access into the lab and improved access control to meet programmatic needs Still a work in progress

6 U.S. Department of Energy Pacific Northwest National Laboratory 6 2-Factor Authentication -- Multiple Sites How to work with Others n 2-Factor OTP solutions for a single site are relatively straight forward Single management policy and funding stream Risk management and acceptance by site n Integration between sites becomes more challenging Multiple management policies and funding streams Risk management and acceptance more difficult –Who trusts who, and how much to trust them? –Changes in risk profile at a single site affects other sites n Questions on implementation One token or many How willing will the user base be Will it harm scientific productivity

7 U.S. Department of Energy Pacific Northwest National Laboratory 7

8 U.S. Department of Energy Pacific Northwest National Laboratory July 2004 WiFi Security at PNNL Threats and Risk Mitigation 2nd Generation Architecture (Wireless Enclaves) Rogue Detection and Wireless IDS Future Directions

9 U.S. Department of Energy Pacific Northwest National Laboratory 9 WiFi Security -- Overall Network Goals and Objectives Scalable, Secure, and Flexible Wireless Access n Goal: Multi-Layered Security Basic, low-cost detection and location of “rogue” devices –Sensor functions built in to standard Cisco AP Advanced Wireless IDS functions –AirDefense, wireline methods Dedicated, specialized sensors, as needed (open source & proprietary) –LAIs, sensitive areas, outdoors –Campuses and buildings in different locations across the US (rural to metro) n Goal: Flexible Network Access Multiple, Adaptable Wireless Networks – Different security policies, authentication methods, and users Reliable, Scalable Coverage –High-density 802.11b/g –High-performance 802.11a “hotspots”, as needed Integration with wired networks, target key business applications –Staff productivity, extend network resources, and new mobility applications

10 U.S. Department of Energy Pacific Northwest National Laboratory 10 WiFi Security -- Threats and Risk Mitigation Security Policy Separates Wireless and Wired Networks PNNL Networks (Building Access Control) Wireless Networks (Enclave Access Control) Firewall Campus Internet Building A Threat Building A Wireless Device Primary Rogue Threat Firewall Mitigation  Staff Remote Access / VPN / 2- factor / FW  IDS outbound traffic monitoring  “Wireline” tools  Deploying Wireless IDS campus coverage Primary risk is that an outside attacker will bypass enterprise firewall via rogue. Note: “Airspace DMZ” covers entire campus. Different than wired DMZ. DMZ

11 U.S. Department of Energy Pacific Northwest National Laboratory 11 WiFi Security -- 2 nd Generation Architecture Wireless Enclaves Add Flexibility and Security

12 U.S. Department of Energy Pacific Northwest National Laboratory 12 WiFi Security -- Rogue Detection and Wireless IDS Goals and Challenges * Target popular unlicensed protocols, but address new DOE orders as needed n Primary Goals Achieve Acceptable Risk – Mitigate risks “sufficiently” Cover Full Campus (Inside Buildings) –Mitigate primary threat of rogue “open doors” in ~60 buildings with network connections Efficient 24x7 Operations –Cost-effective integration with overall network security systems, procedures and staff n The Challenges (changing…) Wide Area Network (2G, 2.5G, 3G ) – Pagers, cell phones, Blackberries, “smart phones” – Metro Area Network (IEEE 802.16) Local Area Network (IEEE 802.11 b/g/a or Wi-Fi* – Solid rogue coverage for these popular products and protocols Personal Area Network (IEEE 802.15) – Bluetooth (growing fast); – Zigbee, Ultra Wideband (UWB)

13 U.S. Department of Energy Pacific Northwest National Laboratory 13 WiFi Security -- Rogue Detection and Wireless IDS Combined Solution is Best for PNNL Environment n Combined AirDefense-Cisco solution provides “sufficient mitigation” with the best functional capability, the most flexibility, at the least cost. See figure below for multi-layered approach to wireless security and IDS. n PNNL has evaluated 5 different products against detailed evaluation criteria (ISS, AirWave, Open Source, AirDefense, and Cisco) Rapidly changing wireless arena (both threats and opportunities) On the Wire In the Air Wireline Tools (Covers Entire Network) Combined Access / Sensor (Buildings w/ Cisco APs) Sensor Only (LAIs, mobile) Basic Rogue Detection/LocationAdvanced Detection

14 U.S. Department of Energy Pacific Northwest National Laboratory 14 WiFi Security -- Future Directions Rapid Growth in Use of Wireless Products and Services n Wireless rogue detection is essential whether wireless is authorized or not for use in an enterprise. Easy to install wireless that bypass firewalls, either knowingly or not. n Wireless enclaves provide good solution for providing flexible architectures and levels of security. Technology is moving rapidly; more alternatives soon. n Industry direction and investments will drive strong adoption of wireless in the marketplace. Wireless “on ramp” to networks for many devices. How will this affect DOE and other government agencies? –DOE N 205.8 and other directives

15 U.S. Department of Energy Pacific Northwest National Laboratory July 2004 Questions? Contact Information Dave Hostetler Wireless LAN Project Manager dave.hostetler@pnl.gov 509-375-2293 Jeffery Mauth jeff.mauth@pnl.gov 509-375-2511

Download ppt "U.S. Department of Energy Pacific Northwest National Laboratory July 2004 Presented by Jeffery Mauth Pacific Northwest National Laboratory"

Similar presentations

Rocket Software, Inc. Confidential James Storey General Manager, OSS Unit Rocket Software APNOMS 2003: Managing Pervasive Computing and Ubiquitous Communications.

Rocket Software, Inc. Confidential James Storey General Manager, OSS Unit Rocket Software APNOMS 2003: Managing Pervasive Computing and Ubiquitous Communications.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.

1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Www.cleo.com Steve Jordan Director. Industry Solutions 05/05/14 Managing Chaos: Data Movement in 2014.

Steve Jordan Director. Industry Solutions 05/05/14 Managing Chaos: Data Movement in 2014.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
The Cable Guys Inc. Drew Leach Tom McLoughlin Philip Mauldin Bill Smith.

The Cable Guys Inc. Drew Leach Tom McLoughlin Philip Mauldin Bill Smith.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Cisco Unified Wireless Network Webinar Commercial WLAN.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Cisco Unified Wireless Network Webinar Commercial WLAN.
Chapter 12 Network Security.

Chapter 12 Network Security.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.

Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
Flexible Network Access Overview. Flexible Access an Integral part of Universal Access Policy Universal Access to Campus IT Resources Managed LAN portsFlexible.

Flexible Network Access Overview. Flexible Access an Integral part of Universal Access Policy Universal Access to Campus IT Resources Managed LAN portsFlexible.
A Guide to major network components

A Guide to major network components
Wireless Security Issues Implementing a wireless LAN without compromising your network Marshall Breeding Director for Innovative Technologies and Research.

Wireless Security Issues Implementing a wireless LAN without compromising your network Marshall Breeding Director for Innovative Technologies and Research.
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Similar presentations

Ads by Google