CESG Architectural Patterns Wireless Networking October 2015 Issue No: 1.1


CESG Architectural Patterns

Wireless Networking

October 2015 Issue No: 1.1


Architectural Pattern No. 12

Wireless Networking

Issue No: 1.1 October 2015

© Crown copyright 2015

Document History

Version Date Comment

1.0 Feb 2013 First issue

1.1 Oct 2015 First public release


Page 1

Wireless Networking

Purpose & Intended Readership

This Architectural Pattern is intended to assist system integrators and accreditors undertaking work for HMG on HMG systems by:

Raising awareness of efficient, risk-managed solutions to commonly raised business requirements

Building an understanding of the capabilities and limitations of the Architectural Pattern in the context of a wider system

Identifying the role of, and requirements placed on, each component of the Architectural Pattern

Assurance

Adherence to the principles set out in an Architectural Pattern does not automatically result in a secure system. It remains the role of the accreditor, in collaboration with the system integrator, to satisfy themselves that the realisation of this Architectural Pattern and the implementation of each component is appropriate to the context in which it is deployed. CESG provide a range of services that may be used to inform this process.

Summary

This Architectural Pattern proposes a number of architectures aimed at managing the security risks of wireless networking. It replaces CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless Technology in Government Systems (reference [a]) as the HMG guidance on wireless networking. This guidance is intended for system integrators and accreditors building systems with a wireless networking capability. This document provides guidance rather than mandatory policy. However, for a solution to conform to this Architectural Pattern, all ‘must’ statements need to be followed. The approach is to address the security requirements for a number of commonly used business scenarios. The threat model used to inform the wireless architectures described in this Architectural Pattern can be found at the end of each Scenario. Accreditors and risk decision-makers are advised to take note of the residual risks and threats that are described.


Contents:

Chapter 1 - Scope ..... 3
  Overview ..... 3
  Assumptions ..... 4
  Policy and Guidance ..... 4
Chapter 2 - Scenarios ..... 5
  Scenario 1 ..... 5
    Business Scenario ..... 5
    Architecture ..... 5
    Endpoints ..... 6
      Function ..... 6
      Security considerations ..... 6
    Managed wireless infrastructure ..... 6
      Function ..... 6
      Security considerations ..... 6
    Access Layer ..... 7
      Function ..... 7
      Security considerations ..... 7
    Audit and Monitoring ..... 8
    Controls and Residual Risks ..... 8
  Scenario 2 ..... 12
    Business Scenario ..... 12
    Architecture ..... 13
    Endpoints ..... 13
      Function ..... 13
      Security considerations ..... 13
    Managed wireless infrastructure ..... 14
      Function ..... 14
      Security considerations ..... 14
    Access Layer ..... 15
      Function ..... 15
      Security Considerations ..... 15
    Audit and Monitoring ..... 16
    Controls and Residual Risks ..... 16
  Scenario 3 ..... 20
    Business Scenario ..... 20
    Architecture ..... 20
    Endpoints ..... 22
      Function ..... 22
      Security considerations ..... 22
    Managed wireless infrastructure ..... 22
      Function ..... 22
      Security Considerations ..... 22
    Access Layer ..... 23
      Function ..... 23
      Security considerations ..... 23
    Audit and Monitoring ..... 24
    Controls and Residual Risks ..... 24
  Scenario 4 ..... 28
    Business Scenario ..... 28
    Architecture ..... 28
    Endpoints ..... 29
      Function ..... 29
      Security considerations ..... 29
    Wireless Infrastructure ..... 29
      Function ..... 29
      Security Considerations ..... 29
    Access Layer ..... 30
      Function ..... 30
      Security considerations ..... 30
    Controls and Residual Risks ..... 30
    Audit and Monitoring ..... 32
Appendix A – Accreditors’ Notes ..... 33
References ..... 34
Glossary ..... 35


Chapter 1 - Scope

Business Scenario

1. This Architectural Pattern presents ways of enabling risk-managed wireless networking using managed and unmanaged components. The architectures described are designed to manage the risks from wireless networking; to that end, architectures for a number of frequently used scenarios are presented.

Overview

2. The fundamental components of a wireless network include wireless Access Points (APs) and wireless endpoints. These components may or may not be managed by an enterprise. Table 1 maps whether a component is managed by an enterprise to a scenario. An architecture for each scenario is then explored in turn.

3. Where a managed endpoint is used, the architecture uses a Virtual Private Network (VPN) solution to encrypt traffic between the managed wireless endpoint and an enterprise VPN gateway. This ensures that the confidentiality and integrity of data in transit over the wireless network is protected.

4. No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through attacks such as radio frequency jamming. Where availability is of concern, wireless should not be used unless there is a fallback solution in place.

Scenario 1 - Describes how a managed endpoint can be used to access services in a managed enterprise network.

Scenario 2 - Complements Scenario 1, additionally addressing the case where there is a requirement to exert control over the endpoints that can associate with the managed wireless infrastructure.

Scenario 3 - Describes how unmanaged endpoints can be used to access network services using a managed wireless infrastructure.

Scenario 4 - Describes how a managed endpoint can be used with an unmanaged wireless infrastructure to access services in an enterprise network.

5. The architectures proposed are not intended to cover all possible scenarios. However, they may be combined using the common components to meet specific business requirements.


                          Wireless Infrastructure
                          Managed              Unmanaged
Endpoint   Managed        Scenarios 1 and 2    Scenario 4
           Unmanaged      Scenario 3

Table 1 - Wireless access scenarios

Assumptions

The enterprise network is accredited in line with HMG policy

Managed endpoints are accredited in line with HMG policy for storing and processing the sensitivity or protective marking of the data and services to which they will have access

All data in transit over the wireless network is UNCLASSIFIED. Data that has a higher protective marking than UNCLASSIFIED should be encrypted whilst in transit to bring the protective marking of the transmitted data down to UNCLASSIFIED

Policy and Guidance

6. This Architectural Pattern replaces CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless Technology in Government Systems (reference [a]) as the HMG guidance on wireless networking.

7. This Architectural Pattern is supported by CESG Good Practice Guide No. 10 (GPG 10), Remote Working (reference [b]).

8. All network components should be configured to reduce the risk of being compromised as per CESG Good Practice Guide No. 35 (GPG 35) - Protecting an Internal ICT Network (reference [c]).

9. Managed mobile remote endpoint devices that store or process RESTRICTED data should be configured in accordance with CESG Architectural Pattern No. 11 (AP11), Mobile Remote Endpoint Devices at RESTRICTED (reference [d]) to reduce the risk of compromise.

10. Access to enterprise resources from a mobile or remote device should be through a walled garden architecture. See CESG Architectural Pattern No. 2 (AP2), Walled Gardens for Remote Access (reference [e]) for further guidance.


Chapter 2 - Scenarios

Scenario 1

11. Scenario 1 describes how a managed wireless endpoint can be used to access services in an enterprise using a managed infrastructure.

Business Scenario

12. Scenario 1 may, for example, be used where an enterprise wishes to enable users to work away from their desk but within range of a managed wireless infrastructure using an enterprise-managed endpoint. The architecture presented in this Scenario may be used with an existing remote access solution where a VPN gateway is used to access an enterprise network.

Architecture

[Figure 1 - Architecture for Scenario 1. Diagram; labelled elements: Endpoint, Access Layer and Enterprise Network zones; Enterprise Wireless; Internet; Remote Worker; Wireless Worker; Trusted Endpoint; VPN Tunnel; VPN Gateway; Existing infrastructure.]

Figure 1 - Architecture for Scenario 1


Endpoints

Function

13. Endpoints are used to access services in the enterprise network. Access to the enterprise network must only be granted to managed endpoints. A remote worker connects to the enterprise network using an internet connection. A wireless worker connects to the enterprise network using the enterprise Wireless Infrastructure. The same VPN gateway may be used for both cases.

Security considerations

14. Managed endpoints must be locked down to reduce the risk of compromise. Countermeasures relevant to wireless endpoints are discussed below. General guidance on client security can be found in CESG Good Practice Guide No. 17 (GPG17), Client System Security (reference [f]).

15. Once the user has associated with the wireless infrastructure, they can connect to the enterprise network by establishing a VPN tunnel to the VPN gateway. All traffic transmitted from the endpoint’s wireless interface must pass through the VPN tunnel. This ensures that all wireless traffic between the endpoint and the VPN gateway is encrypted, reducing the threat from eavesdropping on the wireless traffic.

Managed wireless infrastructure

Function

16. Any user with a wireless endpoint can associate with an AP in the managed wireless infrastructure. In this scenario, credentials are not required to associate with a managed AP. Controls are applied by managing access to services in the enterprise network. The wireless infrastructure is treated as an untrusted bearer, and the only connectivity permitted from this infrastructure is to the VPN gateway. Enterprises wishing to assert control over the endpoints that can associate with the managed wireless infrastructure should refer to Scenario 2.

17. Users wishing to access network services must be in possession of the credentials required to pass through the VPN gateway. Wireless endpoints must authenticate with the VPN gateway after associating with the managed wireless infrastructure. The confidentiality and integrity of data transiting over the wireless network relies on an appropriately configured VPN tunnel between the managed endpoint and the VPN gateway which should be assured to a level appropriate for the traffic being passed.

Security considerations

18. Access points must not be connected directly to the enterprise network as this could provide an unprotected route into the network. The enterprise network should be periodically surveyed to confirm that APs have not been attached directly to the enterprise network. The frequency of these surveys will depend on the risk appetite of the enterprise. Further technical means of detecting unauthorised devices connected to the enterprise network, such as 802.1X, may be used to augment the surveys.

19. Management of the wireless infrastructure should not be carried out over the wireless interface. Where this cannot be prevented, such as when diagnosing and correcting RF problems, the wireless management interface should be disabled when not in use.

20. APs should not be easily physically accessible to unauthorised users. This reduces the likelihood of a threat actor tampering with an AP and compromising its integrity.

21. The Service Set Identifier (SSID) of the AP should be changed from its default. APs will be visible far beyond the physical boundary of the enterprise and enterprises may wish to avoid using SSIDs that identify the enterprise with which an AP is associated.

22. Additional technical countermeasures such as wireless location services, wireless intrusion detection systems, and spectrum analysis may be used if the risk profile of the enterprise is deemed to require such countermeasures.

23. No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through jamming.

Access Layer

Function

24. The role of the access layer is to terminate any encryption used to protect the link from the managed endpoint. It must also authenticate the user and the managed endpoint.

25. The access layer should also provide a control against the risk of network layer attacks against the system. Such defences may include advanced features within the firewall, load balancing systems or other protection devices. Some or all of these features may be a function that is provided as part of the VPN gateway.

Security considerations

The access layer should ensure that traffic from the wireless infrastructure can only reach the VPN gateway

The VPN solution should be independently assured as per the relevant requirements of HMG IA Standard 4 (IS4), Management of Cryptographic Systems (reference [g])

The access layer should also protect the VPN gateway and ensure that only VPN traffic (nominally identified by destination port and protocol number) reaches the VPN gateway


The VPN solution must reduce the protective marking of the data in transit to UNCLASSIFIED

It is recommended that the access layer form part of a Walled Garden Architecture. This will enable the enterprise to assert more control over the services provided to the remote endpoints and reduce the impact of a compromise. See CESG Architectural Pattern No. 2, Walled Gardens for Remote Access (reference [e]) for further guidance

Audit and monitoring feeds could be taken from all the components within the architecture. Particular requirements for audit and monitoring are discussed in the Audit and Monitoring section below
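The access layer rules above (traffic from the wireless infrastructure may reach only the VPN gateway, and only VPN traffic identified by destination port and protocol may reach it) can be written down as a policy and checked against the firewall's own flow records. The following is an added example, not part of the CESG pattern: it encodes that rule as a Python predicate and then audits a constructed firewall flow log for accepted flows that break it, which is the firewall check paragraph 27 asks for. The address ranges, the IPsec service set (IKE on UDP/500, NAT-T on UDP/4500, ESP) and the log format are all assumptions for the example; the pattern does not name a VPN product or a firewall.

```python
"""Access-layer policy model for the wireless bearer.

Added example, not CESG text. Encodes the Access Layer rule that traffic from
the managed wireless infrastructure may reach only the VPN gateway, and only
on the VPN's own protocol and port, then audits a firewall flow log for
accepted flows that break the rule. Addresses, ports and log records are
constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption): wireless clients get 10.200.0.0/16 and
# the VPN gateway's bearer-facing interface is 192.0.2.10.
WIRELESS_NET = ip_network("10.200.0.0/16")
VPN_GATEWAY = ip_address("192.0.2.10")

# Assumed IPsec VPN: IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50).
# The pattern does not name a VPN product, so this service set is an assumption;
# a TLS-based VPN would use ("tcp", 443) or similar instead.
ALLOWED_VPN_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp", "tcp", "esp", "icmp", ...
    dport: Optional[int]  # None for protocols without ports (ESP, ICMP)


def access_layer_permits(flow: Flow) -> bool:
    """True only for wireless -> VPN gateway traffic on an allowed VPN service."""
    if ip_address(flow.src) not in WIRELESS_NET:
        return False  # this policy governs the wireless bearer only
    if ip_address(flow.dst) != VPN_GATEWAY:
        return False  # nothing but the VPN gateway is reachable from wireless
    return (flow.proto, flow.dport) in ALLOWED_VPN_SERVICES


def parse_flow_record(line: str) -> Tuple[Flow, str]:
    """Parse one constructed 'key=value' firewall record into (Flow, verdict)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    dport = int(fields["dport"]) if "dport" in fields else None
    flow = Flow(fields["src"], fields["dst"], fields["proto"].lower(), dport)
    return flow, fields["action"].upper()


def audit_flow_log(lines: List[str]) -> List[str]:
    """Return accepted flows from the wireless bearer that the policy forbids.

    Each finding is a firewall configuration error: the bearer could reach
    something other than the VPN gateway, e.g. the Internet or a management port.
    """
    findings = []
    for line in lines:
        flow, verdict = parse_flow_record(line)
        from_wireless = ip_address(flow.src) in WIRELESS_NET
        if verdict == "ACCEPT" and from_wireless and not access_layer_permits(flow):
            port = "" if flow.dport is None else f"/{flow.dport}"
            findings.append(f"{flow.src} -> {flow.dst} {flow.proto}{port}")
    return findings


# Constructed sample flow records (not real logs).
SAMPLE_FLOW_LOG = [
    "action=ACCEPT src=10.200.4.17 dst=192.0.2.10 proto=udp dport=500",
    "action=ACCEPT src=10.200.4.17 dst=192.0.2.10 proto=udp dport=4500",
    "action=ACCEPT src=10.200.4.17 dst=192.0.2.10 proto=esp",
    "action=DROP src=10.200.4.17 dst=198.51.100.7 proto=tcp dport=443",
    # A wired enterprise host: outside this policy, so never reported here.
    "action=ACCEPT src=172.16.1.5 dst=203.0.113.25 proto=tcp dport=443",
    # A rule-ordering mistake let a wireless client reach an Internet host:
    "action=ACCEPT src=10.200.9.3 dst=203.0.113.25 proto=tcp dport=443",
    # Another let a wireless client reach the gateway's management port:
    "action=ACCEPT src=10.200.9.3 dst=192.0.2.10 proto=tcp dport=22",
]

if __name__ == "__main__":
    for finding in audit_flow_log(SAMPLE_FLOW_LOG):
        print("POLICY VIOLATION:", finding)
```

Running the audit over the sample records reports the two accepted flows that violate the policy and is silent about the correctly permitted VPN flows, the dropped flow, and the wired host that the wireless policy does not cover.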

Audit and Monitoring

26. Audit and monitoring plays an important role in protecting systems and enabling alerting and situational awareness in the event of a compromise. Advice on meeting protective monitoring obligations and determining appropriate levels of protective monitoring for HMG Systems can be found in Good Practice Guide No. 13 (GPG 13), Protective Monitoring for HMG ICT Systems (reference [h]).

27. Audit and monitoring information should be taken from the components within the architecture. Example events that should be recorded include:

Users and endpoints that successfully authenticate with the VPN gateway, with multiple failed attempts to authenticate being investigated

Configuration changes to the infrastructure, including VPN gateway and wireless infrastructure. Unauthorised changes must be investigated

Traffic flows through the firewall, ensuring that any configuration errors that could allow flows from the wireless infrastructure to the internet are caught promptly
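The first of these audit events, recording successful VPN authentications and investigating multiple failed attempts, is also required in Scenario 2 (paragraph 48). The following added example, not part of the CESG pattern, shows one way to turn that requirement into detection logic: it parses a constructed syslog-style VPN gateway log, lists the successful authentications for the audit trail, and flags any user, or any endpoint, with repeated failures inside a sliding time window. The log format, the threshold of three failures and the ten-minute window are assumptions for the example; a real gateway's format and the enterprise's tolerance would be substituted.

```python
"""Failed-authentication alerting over VPN gateway logs.

Added example, not CESG text. Implements the audit events in paragraphs 27
and 48: record successful authentications and flag users or endpoints with
multiple failed attempts for investigation. The log format is a constructed
syslog-style sample; a real gateway's format differs and the regex would be
adapted to it. Threshold and window are assumptions to be tuned locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed format:
#   <ISO timestamp> vpngw auth <SUCCESS|FAILURE> user=<u> endpoint=<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpngw auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) src=(?P<src>\S+)$"
)
FAILURE_THRESHOLD = 3           # failures within WINDOW that trigger investigation
WINDOW = timedelta(minutes=10)


def parse_auth_log(lines: List[str]) -> List[dict]:
    """Parse matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def flag_repeated_failures(events: List[dict], key: str = "user") -> Dict[str, int]:
    """Map subject -> peak failure count where >= FAILURE_THRESHOLD fell within WINDOW.

    A sliding window per subject means three failures spread over a day do not
    alert while three within ten minutes do. Run it once keyed on "user" and
    once on "endpoint": failures against several accounts from one endpoint
    only show up on the endpoint key.
    """
    recent: Dict[str, List[datetime]] = defaultdict(list)
    flagged: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILURE":
            continue
        subject = ev[key]
        # keep only failures no older than WINDOW relative to this one
        window = [t for t in recent[subject] if ev["ts"] - t <= WINDOW]
        window.append(ev["ts"])
        recent[subject] = window
        if len(window) >= FAILURE_THRESHOLD:
            flagged[subject] = max(flagged.get(subject, 0), len(window))
    return flagged


def successful_logins(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(timestamp, user, endpoint) for each success: the audit trail itself."""
    return [(e["ts"].isoformat(), e["user"], e["endpoint"])
            for e in events if e["result"] == "SUCCESS"]


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2015-10-05T08:59:30 vpngw config reloaded by admin",  # unrelated, skipped
    "2015-10-05T09:00:01 vpngw auth SUCCESS user=alice endpoint=LT-0412 src=10.200.4.17",
    "2015-10-05T09:01:10 vpngw auth FAILURE user=bob endpoint=LT-0907 src=10.200.9.3",
    "2015-10-05T09:01:40 vpngw auth FAILURE user=bob endpoint=LT-0907 src=10.200.9.3",
    "2015-10-05T09:02:05 vpngw auth FAILURE user=bob endpoint=LT-0907 src=10.200.9.3",
    "2015-10-05T09:02:30 vpngw auth SUCCESS user=bob endpoint=LT-0907 src=10.200.9.3",
    # carol: three failures hours apart, below the rate that warrants alerting
    "2015-10-05T09:05:00 vpngw auth FAILURE user=carol endpoint=LT-0123 src=10.200.2.8",
    "2015-10-05T12:30:00 vpngw auth FAILURE user=carol endpoint=LT-0123 src=10.200.2.8",
    "2015-10-05T17:45:00 vpngw auth FAILURE user=carol endpoint=LT-0123 src=10.200.2.8",
    # one endpoint, three different accounts, within a minute
    "2015-10-05T18:00:00 vpngw auth FAILURE user=dave endpoint=LT-0555 src=10.200.7.1",
    "2015-10-05T18:00:20 vpngw auth FAILURE user=erin endpoint=LT-0555 src=10.200.7.1",
    "2015-10-05T18:00:40 vpngw auth FAILURE user=frank endpoint=LT-0555 src=10.200.7.1",
]

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("successful:", successful_logins(events))
    print("by user:", flag_repeated_failures(events, "user"))
    print("by endpoint:", flag_repeated_failures(events, "endpoint"))
```

On the sample, keying by user flags only bob; keying by endpoint flags bob's endpoint and LT-0555, which no per-user count would catch. carol's three failures are genuine but spread over the day and stay below the alert rate, which is the reason for using a window rather than a plain count.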

Controls and Residual Risks

28. The table below outlines the identified risks together with the controls to help mitigate them and the residual risks that are still present after implementing the controls.

ID 1
Risk: Network management data such as SSIDs may be used to target a department in order to compromise its network.
Control: The AP’s SSID should be changed from the manufacturer’s default and should not identify the department or network to which the AP is connected.
Residual Risk: A determined threat actor may still be able to associate an AP (e.g. by mapping the RF signal) with a department or network.

ID 2
Risk: A threat actor within range may remotely compromise a wireless driver in an AP so that it can be used as an attack vector to compromise the confidentiality, integrity or availability of data on the enterprise network or data being processed in the AP.
Controls:
- APs should be subject to a patching policy requiring that they are regularly patched.
- All data passing through the AP should be encrypted using an independently assured product as per the relevant requirements of IS4 (reference [g]).
- The wireless infrastructure must be separate from the enterprise network and it must not be possible to access the enterprise network from the wireless infrastructure without presenting the correct access credentials.
Residual Risk: A threat actor may be able to compromise the AP in a targeted attack by attacking its wireless interface. However, the impact would be limited to a detrimental effect on availability.

ID 3
Risk: A threat actor may physically compromise the integrity of an AP to compromise the confidentiality of data being processed in it.
Controls:
- APs should not be easily physically accessible to unauthorised users.
- All data passing through the AP should be encrypted using an independently assured data in transit encryption product as per the relevant requirements of IS4 (reference [g]).
Residual Risk: A threat actor may be able to compromise the AP in a targeted attack; however, the impact would be limited to a detrimental effect on availability.

ID 4
Risk: A threat actor may intercept data in transit to compromise its confidentiality.
Control: All traffic transiting the wireless infrastructure must be UNCLASSIFIED. This may be achieved using an independently assured data in transit encryption product as per the relevant requirements of IS4 (reference [g]).
Residual Risk: Where a local decision has been taken to use an unassured product for remote access, this should be reconsidered in light of the increased ease with which the traffic could be intercepted.

ID 5
Risk: A threat actor may attach an unauthorised AP to the wired enterprise network, enabling egress of data and compromising the confidentiality of data stored in the wired enterprise network.
Controls:
- RF surveys should be carried out to detect rogue APs attached to the enterprise network.
- Devices connected to the enterprise network should be periodically surveyed to confirm that they are authorised to be connected to the network.
Residual Risk: The rogue AP may masquerade as an authorised AP or may not be transmitting when the survey is carried out. The impact of this will vary depending on how frequently surveys are conducted.

ID 6
Risk: A threat actor may compromise the wireless driver in a managed endpoint to gain access to data stored in the endpoint or enterprise network.
Controls:
- Managed endpoints should be locked down and use a supported operating system.
- Managed endpoints should be regularly patched and be physically protected at all times.
- Enterprises may wish to consider introducing procedures requiring that the wireless card be disabled when not in use.
Residual Risk: A determined and capable threat actor within range may still compromise the endpoint.

ID 7
Risk: A compromised managed endpoint may compromise the confidentiality, integrity or availability of any data to which it legitimately has access.
Control: Managed endpoints should be protected appropriately for the protective marking or sensitivity of the information they are required to store and process.
Residual Risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence. However, this risk is not unique to wireless networking.

ID 8
Risk: An attacker-controlled access point may masquerade as a legitimate managed access point, with the aim of launching network-level attacks on endpoints that mistakenly associate with the malicious AP.
Control: Controls deployed on endpoints, including use of a hardened operating system, VPN configuration and mutual wireless network authentication (see Scenario 2); frequent wireless surveys and audits.
Residual Risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence.

Table 2 - Risks, controls, and residual risk for Scenario 1


Scenario 2

29. Scenario 2 complements Scenario 1 and describes controlled access to a managed wireless infrastructure using managed endpoints.

30. This architecture enables an enterprise to exert additional control over the endpoints that associate with its wireless infrastructure. The architecture presented uses a managed endpoint to associate with the wireless infrastructure and then access services in an enterprise network.

Business Scenario

31. A wireless infrastructure will be visible to anyone within range of an AP, and this range is likely to extend beyond an organisation’s physical boundary; without additional controls, any wireless endpoint can associate with the enterprise wireless infrastructure. This scenario addresses the requirement where an enterprise wishes to exert control over the endpoints that associate with its wireless infrastructure. This may be required where there is an identified risk from permitting unmanaged endpoints to associate with the enterprise wireless infrastructure, e.g. negative publicity from allowing unmanaged endpoints to associate with an HMG enterprise wireless infrastructure, or a requirement to better manage the quality of service offered by the solution. This scenario imposes an additional administrative burden over Scenario 1 and requires that additional credentials are provided for users and endpoints. This scenario is also appropriate when there is a requirement to limit which wireless infrastructures an endpoint may connect to (e.g. limiting connectivity to enterprise-managed networks) or where there is a higher risk of a targeted attack on the wireless infrastructure and endpoints.


Architecture

[Figure 2 - Architecture for Scenario 2. Diagram; labelled elements: Endpoint, Access Layer and Enterprise Network zones; Enterprise Wireless; Internet; Wireless Worker; Trusted Endpoint; VPN Tunnel; VPN Gateway; Wireless Authentication Server (e.g. RADIUS); Wireless authentication traffic; Existing infrastructure.]

Figure 2 - Architecture for Scenario 2

32. The architecture proposed for this scenario requires that endpoints authenticate with the wireless infrastructure before they are permitted to associate with it.

Endpoints

Function

33. The endpoints in this scenario are deemed to be standard remote access devices that are enterprise-managed, albeit with wireless enabled.

Security considerations

34. Managed endpoints must be locked down to reduce the risk of compromise. Countermeasures applicable to wireless endpoints are discussed below. General guidance on client security can be found in CESG Good Practice Guide No. 17 (GPG17), Client System Security (reference [f]).

35. Enterprises may wish to configure endpoints so that they can only associate with the managed wireless infrastructure. Where this is a requirement, the solution deployed should ensure that there is mutual authentication between the device and the wireless infrastructure.

Managed wireless infrastructure

Function

36. Endpoints must authenticate themselves to an AP in the managed wireless infrastructure before being permitted to associate with the wireless infrastructure.

37. Once associated, users must then authenticate with the VPN gateway to access services in the enterprise network. Confidentiality and integrity of data transiting over the wireless network relies on an appropriately configured and assured VPN tunnel being used between the endpoint and VPN gateway.

Security considerations

Access points must not be connected directly to the enterprise network as this could provide an unprotected route into the network. The enterprise network should be periodically surveyed to confirm that APs have not been attached directly to the enterprise network. The frequency of these surveys will depend on the risk appetite of the enterprise. Further technical means of detecting unauthorised devices connected to the enterprise network, such as 802.1X, may be used to augment the surveys

Management of the wireless infrastructure should not be carried out over the wireless interface. Where this cannot be prevented, such as when diagnosing and correcting RF problems, the wireless management interface should be disabled when not in use

38. APs should not be easily physically accessible to unauthorised users. This reduces the likelihood of a threat actor tampering with an AP and compromising its integrity.

39. The SSID of the AP should be changed from its default. APs will be visible far beyond the physical boundary of the enterprise and enterprises may wish to avoid using SSIDs that identify the enterprise with which an AP is associated.

40. Additional technical countermeasures such as wireless location services, wireless intrusion detection systems, and spectrum analysis may be used if the risk profile of the enterprise is deemed to require such countermeasures.

41. No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through jamming.

42. The increased complexity of providing authentication services will have the side effect of increasing the wireless infrastructure’s attack surface. The access points and related authentication services should be subject to a robust patching and maintenance regime.


Access Layer

Function

43. The access layer ensures that only authenticated users with managed endpoints associate with the managed wireless infrastructure and enterprise network.

44. The access layer must verify user and endpoint credentials by querying the authentication server before permitting an association with the managed wireless infrastructure. This communication is described as wireless authentication traffic in Figure 2.

45. WPA2 enterprise mode (reference [i]) provides a number of mechanisms for authenticating with a wireless infrastructure and is an example of how endpoints may be authenticated.

46. Once successfully authenticated, the enterprise user can establish a VPN connection with the enterprise VPN gateway. This must be required to access services in the enterprise network. This ensures that all wireless traffic between the endpoint and the VPN gateway is encrypted, reducing the threat from eavesdropping on the wireless traffic.

Security Considerations

Endpoints must authenticate with the wireless authentication server before being permitted to associate with the wireless infrastructure

Endpoint and user certificates are likely to be required to authenticate enterprise users and managed endpoints to the enterprise VPN gateway. Credentials or certificates that are used to authenticate with the enterprise VPN gateway should not be reused to authenticate with wireless infrastructure. This reduces the risk of compromising the enterprise network should the wireless authentication credentials be compromised

Where certificates are used to authenticate with the wireless infrastructure, a certificate revocation process to enable revocation of endpoint and user certificates must be implemented. This may be required in the event of a lost or stolen endpoint, or rogue user. Where possible, endpoint certificates should be stored using a Trusted Platform Module (TPM)

The authentication server should determine the status of certificates before granting permission to associate with the wireless infrastructure. Example methods of determining certificate status may be through the use of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). The exact method is not important provided that a mechanism exists for revoking a particular certificate and the access it provides

The access layer should protect the wireless authentication server from network bound attack from the Internet


Additional technical countermeasures such as wireless location services, wireless intrusion detection systems, and spectrum analysis may be used if the risk profile of the enterprise is deemed to require such countermeasures

The level of assurance required in the wireless infrastructure and its authentication scheme should be determined through the process of a risk assessment. However, given that traffic is independently protected through the use of an assured VPN, it is anticipated that in most cases, no formal assurance of this authentication function would be required

Audit and Monitoring

47. Audit and monitoring plays an important role in protecting systems and enabling alerting and situational awareness in the event of a compromise. Advice on meeting protective monitoring obligations and determining appropriate levels of protective monitoring for HMG Systems can be found in GPG 13 (reference [h]).

48. Audit and monitoring information should be taken from the components within the architecture. Example events that should be recorded include:

Users and endpoints that successfully authenticate with the VPN gateway should be logged. The VPN gateway should log multiple failed attempts to authenticate. Multiple failed attempts to authenticate must be investigated

Changes to the configuration of the VPN Gateway should be logged together with the user initiating the change. Unauthorised changes should be investigated

Users and endpoints that successfully authenticate with the wireless authentication server should be logged. Multiple failed attempts to authenticate with the wireless authentication server should be investigated

Users and endpoints that successfully associate with the wireless infrastructure and authenticate with the wireless authentication server should also be logged. Multiple failed attempts to authenticate must be investigated

Traffic dropped by the access layer firewall that originated from the wireless network should be logged, as this could be an early indicator of problems with the wireless infrastructure or its connected devices
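As an added example (not part of the CESG pattern), the following Python runs the kinds of checks listed above over a few constructed audit lines: repeated authentication failures at the VPN gateway and the wireless authentication server, configuration changes by an admin who is not on the authorised list, and access layer firewall drops whose source is the wireless client subnet. The key=value log format, the component names, the authorised admin list, the wireless client subnet and the failure threshold are all assumptions.

```python
from collections import Counter
import ipaddress
import re

# Constructed sample audit feed in a hypothetical key=value format. Component
# names (vpn_gateway, radius, access_fw), admin names and the 10.20.5.0/24
# wireless client subnet are assumptions for the example, not from the pattern.
SAMPLE_LOG = """\
ts=2015-10-01T08:00:01 comp=vpn_gateway event=auth result=success user=alice endpoint=LAPTOP-01
ts=2015-10-01T08:00:05 comp=radius event=auth result=success user=alice endpoint=LAPTOP-01
ts=2015-10-01T08:01:10 comp=radius event=auth result=failure user=bob endpoint=LAPTOP-07
ts=2015-10-01T08:01:20 comp=radius event=auth result=failure user=bob endpoint=LAPTOP-07
ts=2015-10-01T08:01:31 comp=radius event=auth result=failure user=bob endpoint=LAPTOP-07
ts=2015-10-01T08:02:00 comp=vpn_gateway event=auth result=failure user=carol endpoint=LAPTOP-12
ts=2015-10-01T08:03:00 comp=vpn_gateway event=config_change admin=mallory change="tunnel policy"
ts=2015-10-01T08:03:30 comp=vpn_gateway event=config_change admin=netops1 change="log level"
ts=2015-10-01T08:04:00 comp=access_fw event=drop src_ip=10.20.5.14 dst_ip=192.168.1.10 dport=445
ts=2015-10-01T08:04:02 comp=access_fw event=drop src_ip=10.20.5.14 dst_ip=192.168.1.10 dport=3389
ts=2015-10-01T08:04:05 comp=access_fw event=drop src_ip=203.0.113.9 dst_ip=192.168.1.10 dport=22
"""

WIRELESS_CLIENT_SUBNET = ipaddress.ip_network("10.20.5.0/24")  # assumed
AUTHORISED_ADMINS = {"netops1", "netops2"}                    # assumed
FAILURE_THRESHOLD = 3  # "multiple failed attempts"; the pattern gives no number

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse key=value audit lines into dicts; quoted values lose their quotes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return events


def repeated_auth_failures(events, threshold=FAILURE_THRESHOLD):
    """Failed authentications per (component, user, endpoint) at or above the
    threshold. Covers both the VPN gateway and the wireless auth server."""
    counts = Counter(
        (e["comp"], e["user"], e["endpoint"])
        for e in events
        if e.get("event") == "auth" and e.get("result") == "failure"
    )
    return sorted((comp, user, ep, n) for (comp, user, ep), n in counts.items()
                  if n >= threshold)


def unauthorised_config_changes(events, authorised=AUTHORISED_ADMINS):
    """Configuration changes whose initiating admin is not on the authorised list."""
    return [e for e in events
            if e.get("event") == "config_change" and e.get("admin") not in authorised]


def wireless_origin_drops(events, subnet=WIRELESS_CLIENT_SUBNET):
    """Access layer firewall drops whose source lies in the wireless client subnet."""
    return [e for e in events
            if e.get("event") == "drop" and ipaddress.ip_address(e["src_ip"]) in subnet]


def run_detections(text):
    """Run every check over a raw audit feed and return the findings by name."""
    events = parse_log(text)
    return {
        "repeated_auth_failures": repeated_auth_failures(events),
        "unauthorised_config_changes": unauthorised_config_changes(events),
        "wireless_origin_drops": wireless_origin_drops(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```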

Controls and Residual Risks

49. The table below outlines the identified risks together with the controls to help mitigate them and the residual risks that are still present after implementing the controls.


1. Risk: Network management data such as SSIDs may be used to target a department to compromise their network.
Control: The AP’s SSID should be changed from the manufacturer’s default and should not identify the department or network to which the AP is connected.
Residual risk: A determined threat actor may still be able to associate an AP (e.g. by mapping the RF signal) with a department or network.

2. Risk: A threat actor within range may remotely compromise a wireless driver in an AP in the wireless infrastructure so it can be used as an attack vector to compromise the confidentiality of data on the enterprise network or data being processed in the wireless infrastructure.
Control: Access to the enterprise network must only be granted to authorised users and endpoints.
Control: All data passing through the AP should be encrypted using an appropriate assured product.
Control: APs should be subject to a patching policy requiring that they are regularly patched.
Residual risk: By undertaking a targeted attack against an AP’s wireless interface, a threat actor may be able to compromise the AP. However, the impact would be limited to having a detrimental effect on availability.

3. Risk: A threat actor may physically compromise the integrity of an AP to compromise the confidentiality of data being processed in it.
Control: APs should not be easily physically accessible to unauthorised users.
Control: All data passing through the AP should be encrypted using an independently assured data in transit encryption product as per the relevant requirements of HMG IS4 (reference [g]).
Residual risk: Authorised users may physically compromise the integrity of the AP. However, the impact would be limited to having a detrimental effect on availability.

4. Risk: A threat actor may intercept data in transit to compromise its confidentiality or integrity.
Control: All traffic transiting the wireless infrastructure must be UNCLASSIFIED. This may be achieved using an independently assured data in transit encryption product as per the relevant requirements of IS4 (reference [g]).
Residual risk: Where a local decision has been taken to use an unassured product for remote access, this should be reconsidered in light of the increased ease with which the traffic could be intercepted.

5. Risk: A threat actor may attach a rogue AP to the wired enterprise network enabling egress of data, compromising the confidentiality of data stored in the wired enterprise network.
Control: RF surveys should be carried out to detect rogue APs attached to the enterprise network.
Control: Devices connected to the enterprise network should be periodically surveyed to confirm that they are authorised to be connected to the network.
Residual risk: The rogue AP may masquerade as an authorised AP or may not be transmitting when the survey is carried out. The impact of this will vary depending on how frequently surveys are conducted.

6. Risk: A threat actor may compromise the wireless driver in a managed endpoint to gain access to data stored in the endpoint or enterprise network.
Control: Managed endpoints should be locked down and use a supported operating system.
Control: Managed endpoints should be regularly patched and be physically protected at all times.
Control: Enterprises may wish to consider introducing procedures requiring that the wireless card be disabled when not in use.
Residual risk: A determined and capable threat actor within range may still compromise the endpoint.

7. Risk: A compromised managed endpoint may compromise the confidentiality, integrity or availability of any data to which it legitimately has access.
Control: Managed endpoints should be protected appropriately for the protective marking or sensitivity of the information they are required to store and process.
Residual risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence. However, this risk is not unique to wireless networking.

8. Risk: An attacker controlled access point may masquerade as a legitimate managed access point, with the aim of launching network level attacks on endpoints mistakenly associating with the malicious AP.
Control: Controls deployed on endpoints, including use of a hardened operating system, VPN configuration and mutual wireless network authentication (see Scenario 2); frequent wireless surveys and audits.
Residual risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence.

Table 3 - Risks, controls, and residual risks for Scenario 2


Scenario 3

50. This scenario addresses the requirement where an unmanaged endpoint requires access to network services using an enterprise managed wireless infrastructure. Guest and partner users with unmanaged endpoints [1] are both examples considered in this scenario. The architecture proposed for this scenario is compatible with the architecture proposed for Scenario 1. Enterprises may wish to use this same infrastructure to provide managed endpoints with access to services in the enterprise network by layering the two architectures.

Business Scenario

51. This scenario may be appropriate where a guest or partner requires access to Internet services using an enterprise’s managed wireless infrastructure.

Architecture

Figure 3 - Architecture for Partner access for Scenario 3

[1] In the context of this scenario, unmanaged endpoints are devices that are not managed by the host enterprise. Endpoints that are managed by a different enterprise are still classed as unmanaged endpoints for the purpose of this Architectural Pattern.


52. Partner users, in the context of this Architectural Pattern, are users that require access to a home VPN gateway using their own enterprise-managed endpoint. Such users are typically employees of an organisation with a trust relationship with the enterprise hosting the wireless solution. This, for example, may be employees from a different HMG department or a commercial supplier. The VPN gateway of the partner organisation may be added to a white-list of VPN gateways allowing the partner user to directly access their organisation’s VPN gateway without requiring authentication to the access layer. This avoids using a split tunnel and makes it possible for wireless access to be shared with departments who are using CESG-assured data in transit encryption products. An architecture for partner access to a white-listed VPN gateway is shown in Figure 3.

Figure 4 - Architecture for Guest access for Scenario 3 (diagram labels: Guest, Endpoint, Enterprise Wireless, Access Layer, Captive Portal, Enterprise Network, VPN Gateway, Existing infrastructure, Internet, Guest web traffic)

53. Guests, in the context of this Architectural Pattern, are either users who do not have a trust relationship with the host organisation, or who wish to access non white-listed services. Such users will need to authenticate to a captive portal before being granted access to Internet services. Figure 4 demonstrates such an arrangement.


Endpoints

Function

54. Unmanaged endpoints used in this scenario are considered to be devices that are not managed by the host department. Unmanaged endpoints should not be granted access to the enterprise network.

55. While partner and guest endpoints may be managed by an external enterprise, for the purpose of this Architectural Pattern, such endpoints will both be treated as untrusted. There may be scenarios where partner devices are trusted, but this is out of scope for the purpose of this document.

56. It is assumed that guest users will typically require access to Internet services whereas partner users will typically require access to a home VPN gateway.

Security considerations

57. Guest and partner users should be made aware that data transiting over the wireless infrastructure may be visible to threat actors eavesdropping on wireless communications. Encryption of data in transit is not provided by the hosting enterprise.

Managed wireless infrastructure

Function

58. Any user with a wireless endpoint can associate with the wireless infrastructure. Credentials will not be required to associate with a managed AP. Controls are applied by managing access to network services. Guest users will need to authenticate with a captive portal before being permitted access to Internet services. Partner users may connect directly to their white-listed home VPN gateway or they may wish to access network services by connecting as guest users.

59. Enterprises wishing to assert control over the endpoints that can associate with the managed wireless infrastructure should refer to Scenario 2.

Security Considerations

The architecture described for this scenario does not provide confidentiality for guest traffic transiting the wireless infrastructure. WPA-PSK provides a mechanism to use a pre-shared key to protect the confidentiality of wireless traffic. Departments may wish to consider using WPA-PSK if confidentiality of guest traffic is a concern. The number of guests with which a key is shared should be limited and shared keys should be changed regularly. The frequency of this change should be based on the number of guests with which the key has been shared. Departments should note that any user in possession of the shared key will be able to decrypt all guest traffic using the shared key


No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through jamming

Access Layer

Function

60. The access layer should authenticate guest users using a captive portal to enable access to Internet services. Guest users that are authorised to use the managed wireless infrastructure should obtain the required credentials from a credential provider. The credential provider may be a receptionist or network administrator who should first check that a user is authorised to use the wireless infrastructure before providing them with the access credentials required to authenticate with the captive portal. Guest user sessions should have a timeout period configured – it is recommended that this be tied to the length of time the guest is expected to be visiting the host organisation. Guest credentials should be unique and attributable to each guest user.

61. In some cases, a partner’s enterprise policy may prevent them from using a split tunnel, as may be required when authenticating to a captive portal before connecting to a VPN gateway. The access layer should redirect partner users wishing to connect to their enterprise VPN gateway directly to that gateway. In such cases, the enterprise may wish to add the IP address or domain name of the partner VPN gateway to a white-list of VPN gateways enabling direct access to the VPN gateway without requiring authentication with a captive portal.
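The access layer behaviour described in paragraphs 60 and 61, modelled as an added example (not the pattern’s own code): a credential provider issues one unpredictable credential per named visitor with a timeout tied to the expected visit, the captive portal tracks sessions by client address, and the access layer never admits unmanaged endpoints to the enterprise network, lets white-listed partner VPN gateways be reached without portal authentication, and sends everything else to the portal until a live session exists. The enterprise address range, the white-listed gateway addresses and the session layout are assumptions.

```python
from datetime import datetime, timedelta
import ipaddress
import secrets

# Assumed values for the example: the enterprise network that unmanaged
# endpoints must never reach, and the white-list of partner VPN gateways
# (by IP address and by domain name, as paragraph 61 allows either).
ENTERPRISE_NETWORK = ipaddress.ip_network("192.168.0.0/16")
WHITELISTED_GATEWAY_IPS = {ipaddress.ip_address("198.51.100.20")}
WHITELISTED_GATEWAY_NAMES = {"vpn.partner.example"}


class GuestCredentialProvider:
    """The receptionist/administrator role: one credential per guest,
    attributable to a named visitor and valid only for the expected visit."""

    def __init__(self):
        self.credentials = {}  # username -> (password, visitor_name, visit_end)

    def issue(self, visitor_name, now, visit_length):
        username = "guest-" + secrets.token_hex(3)   # unique per guest
        password = secrets.token_urlsafe(12)          # robust, not predictable
        self.credentials[username] = (password, visitor_name, now + visit_length)
        return username, password


class CaptivePortal:
    """Authenticates guests and keeps a session per client IP whose timeout is
    the visit end recorded when the credential was issued."""

    def __init__(self, provider):
        self.provider = provider
        self.sessions = {}  # client_ip -> (username, expiry)

    def login(self, client_ip, username, password, now):
        record = self.provider.credentials.get(username)
        if record is None:
            return False
        stored_password, _visitor, visit_end = record
        if not secrets.compare_digest(stored_password, password) or now >= visit_end:
            return False
        self.sessions[client_ip] = (username, visit_end)
        return True

    def active_user(self, client_ip, now):
        session = self.sessions.get(client_ip)
        if session is None:
            return None
        username, expiry = session
        if now >= expiry:                 # session timed out with the visit
            del self.sessions[client_ip]
            return None
        return username


class AccessLayer:
    """Decision for traffic from an unmanaged endpoint: ('deny', reason),
    ('allow', attributed_user_or_reason) or ('redirect_portal', None)."""

    def __init__(self, portal):
        self.portal = portal

    def decide(self, client_ip, dst_ip, dst_name, now):
        dst = ipaddress.ip_address(dst_ip)
        if dst in ENTERPRISE_NETWORK:
            return ("deny", "enterprise-network")       # never for unmanaged endpoints
        if dst in WHITELISTED_GATEWAY_IPS or dst_name in WHITELISTED_GATEWAY_NAMES:
            return ("allow", "whitelisted-vpn-gateway")  # partner, no portal needed
        user = self.portal.active_user(client_ip, now)
        if user is None:
            return ("redirect_portal", None)
        return ("allow", user)                           # attributable to the guest


def demo():
    """Walk one guest through issue, login and session timeout."""
    provider = GuestCredentialProvider()
    portal = CaptivePortal(provider)
    access = AccessLayer(portal)
    t0 = datetime(2015, 10, 1, 9, 0)
    user, password = provider.issue("visiting auditor", t0, timedelta(hours=2))
    before = access.decide("10.30.0.6", "93.184.216.34", "example.com", t0)
    portal.login("10.30.0.6", user, password, t0)
    during = access.decide("10.30.0.6", "93.184.216.34", "example.com", t0 + timedelta(minutes=30))
    after = access.decide("10.30.0.6", "93.184.216.34", "example.com", t0 + timedelta(hours=3))
    return before, during[0], after


if __name__ == "__main__":
    print(demo())
```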

Security considerations

62. A guard in the access layer should protect the captive portal from network bound attacks from the Internet.

63. Management of the wireless infrastructure should not be carried out over the wireless interface. Where this cannot be prevented, such as when diagnosing and correcting RF problems, the wireless management interface should be disabled when not in use.

64. APs should not be easily physically accessible to unauthorised users. This reduces the likelihood of a threat actor tampering with an AP and compromising its integrity.

65. The Service Set Identifier (SSID) of the AP should be changed from its default. APs will be visible far beyond the physical boundary of the enterprise and enterprises may wish to avoid using SSIDs that identify the enterprise with which an AP is associated.

66. Additional technical countermeasures such as wireless location services, wireless intrusion detection systems, and spectrum analysis may be used if the risk profile of the enterprise is deemed to require such countermeasures.


67. The captive portal should be configured and tested to ensure compliance with good web application design and implementation. Such checks should include attempts to verify that authorised user sessions cannot be hijacked and that external input (such as usernames and passwords) is suitably sanitised before being checked by the application. Temporary generated passwords should be of a robust form and not predictable.

68. It is important that internet activity can be attributed to authenticated users such that an investigation can be successfully completed should the internet feed be used for malicious purposes. This requirement will have to be fed into the audit and monitoring process and checks made to ensure that user traffic can be attributed to end users as this may involve correlation across differing audit feeds.

Audit and Monitoring

69. Audit and monitoring plays an important role in protecting systems and enabling alerting and situational awareness in the event of a compromise. Advice on meeting protective monitoring obligations and determining appropriate levels of protective monitoring for HMG Systems can be found in GPG 13 (reference [h]).

70. Audit and monitoring information should be taken from the components within the architecture. Example events that should be recorded include:

Guest users that successfully authenticate to the captive portal should be logged. Multiple failed attempts to authenticate to the portal should be investigated

Departments may wish to consider developing an Acceptable Usage Policy (AUP) for guest access that stipulates acceptable use of the wireless network. Departments may also wish to monitor guest activity to ensure compliance with the AUP

Changes to the configuration of the captive portal should be logged together with the user carrying out the change. Unauthorised changes should be investigated

Attempts to access white-listed VPN gateways should be logged. Such logs may be used to investigate an attack on a white-listed gateway from the enterprise wireless infrastructure

Abnormally high bandwidth usage by guests or partners should be logged and investigated further

Tests should be undertaken to ensure that logged traffic flows can be attributed to individual user credentials in case malicious use needs to be investigated
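Added example, not from the pattern: the attribution test described above, carried out by correlating a constructed captive portal session log with a constructed flow log so that each flow is tied to a guest credential, with unattributable flows, accesses to white-listed VPN gateways and abnormally high per-user bandwidth surfaced for investigation. Both log formats, the addresses, the white-listed gateway and the bandwidth threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed captive portal log (login/logout per credential and client IP)
# and constructed flow log from the access layer. Formats are hypothetical.
PORTAL_LOG = """\
2015-10-01T09:00:00 login user=guest-a1 ip=10.30.0.6
2015-10-01T09:05:00 login user=guest-b2 ip=10.30.0.7
2015-10-01T10:00:00 logout user=guest-a1 ip=10.30.0.6
2015-10-01T10:10:00 login user=guest-c3 ip=10.30.0.6
"""
FLOW_LOG = """\
2015-10-01T09:10:00 src=10.30.0.6 dst=93.184.216.34 dport=443 bytes=20000
2015-10-01T09:20:00 src=10.30.0.7 dst=93.184.216.34 dport=443 bytes=900000000
2015-10-01T09:30:00 src=10.30.0.7 dst=198.51.100.20 dport=500 bytes=4000
2015-10-01T10:05:00 src=10.30.0.6 dst=93.184.216.34 dport=80 bytes=1500
2015-10-01T10:20:00 src=10.30.0.6 dst=93.184.216.34 dport=443 bytes=3000
2015-10-01T10:30:00 src=10.30.0.9 dst=198.51.100.20 dport=500 bytes=2500
"""
WHITELISTED_GATEWAYS = {"198.51.100.20"}   # assumed partner VPN gateway
HIGH_BANDWIDTH_BYTES = 500_000_000         # assumed per-user threshold


def _kv(tokens):
    return dict(t.split("=", 1) for t in tokens)


def parse_sessions(text):
    """Turn login/logout lines into (user, ip, start, end) intervals; a session
    that has not logged out is still open and has end None."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *rest = line.split()
        when, fields = datetime.fromisoformat(ts), _kv(rest)
        key = (fields["user"], fields["ip"])
        if action == "login":
            open_sessions[key] = when
        elif action == "logout" and key in open_sessions:
            sessions.append((key[0], key[1], open_sessions.pop(key), when))
    sessions.extend((u, ip, start, None) for (u, ip), start in open_sessions.items())
    return sessions


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split()
        flow = _kv(rest)
        flow["when"], flow["bytes"] = datetime.fromisoformat(ts), int(flow["bytes"])
        flows.append(flow)
    return flows


def attribute(flows, sessions, whitelist=WHITELISTED_GATEWAYS):
    """Attach a 'user' to each flow: the credential whose session covered the
    source IP at that time; 'partner-direct' for an unauthenticated flow to a
    white-listed gateway; None when nothing can be attributed."""
    attributed = []
    for flow in flows:
        user = next((u for u, ip, start, end in sessions
                     if ip == flow["src"] and start <= flow["when"]
                     and (end is None or flow["when"] < end)), None)
        if user is None and flow["dst"] in whitelist:
            user = "partner-direct"
        attributed.append({**flow, "user": user})
    return attributed


def unattributed(attributed):
    """Flows no credential accounts for: a gap the audit process must explain."""
    return [f for f in attributed if f["user"] is None]


def high_bandwidth_users(attributed, threshold=HIGH_BANDWIDTH_BYTES):
    totals = defaultdict(int)
    for f in attributed:
        if f["user"] not in (None, "partner-direct"):
            totals[f["user"]] += f["bytes"]
    return sorted((u, b) for u, b in totals.items() if b >= threshold)


def whitelist_gateway_accesses(attributed, whitelist=WHITELISTED_GATEWAYS):
    """Every flow to a white-listed gateway, kept for investigating an attack on it."""
    return [f for f in attributed if f["dst"] in whitelist]


if __name__ == "__main__":
    flows = attribute(parse_flows(FLOW_LOG), parse_sessions(PORTAL_LOG))
    print([f["user"] for f in flows])
    print("unattributed:", [f["when"].isoformat() for f in unattributed(flows)])
    print("high bandwidth:", high_bandwidth_users(flows))
```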

Controls and Residual Risks

71. The table below outlines the identified risks together with the controls to help mitigate them and the residual risks that are still present after implementing the controls.


1. Risk: Network management data such as SSIDs may be used to target a department to compromise their network.
Control: The AP’s SSID should be changed from the manufacturer’s default and should not identify the department or network to which the AP is connected.
Residual risk: A determined threat actor may still be able to associate an AP (e.g. by mapping the RF signal) with a department or network.

2. Risk: A threat actor within range may remotely compromise a wireless driver in an AP in the wireless infrastructure so it can be used as an attack vector to compromise data being processed in the AP.
Control: APs should be subject to a patching policy requiring that they are regularly patched.
Control: All data passing through the AP should be UNCLASSIFIED.
Control: Access to network services must only be granted to authorised users.
Residual risk: By undertaking a targeted attack against an AP’s wireless interface, a threat actor may be able to compromise the AP. However, the impact would be limited to having a detrimental effect on availability.

3. Risk: A threat actor may physically compromise the integrity of an AP to compromise the confidentiality of data being processed in it.
Control: APs should not be easily physically accessible to unauthorised users.
Control: All data passing through the AP should be UNCLASSIFIED.
Residual risk: Authorised users may physically compromise the integrity of the AP. However, the impact would be limited to having a detrimental effect on availability.

4. Risk: A threat actor may intercept data in transit to compromise its confidentiality or integrity.
Control: All traffic transiting the wireless infrastructure must be UNCLASSIFIED.

5. Risk: A threat actor may attach a rogue AP to the wired enterprise network enabling egress of data, compromising the confidentiality of data stored in the wired enterprise network.
Control: RF surveys should be carried out to detect rogue APs attached to the enterprise network.
Control: Devices connected to the enterprise network should be periodically surveyed to confirm their validity and security.
Residual risk: The rogue AP may masquerade as an authorised AP or may not be transmitting when the RF survey is carried out, and by the time the rogue device is detected the network may already have been compromised.

6. Risk: Guest and partner users may abuse the privileges that they are granted.
Control: Logging and monitoring should be used to detect any abuses of the privileges granted to guests and partner users.
Residual risk: While logging and monitoring is likely to detect abuses of privileges, it is unlikely to prevent such abuses. As a result it is important that sufficient audit information is recorded to ensure that users can be held to account for their actions.

7. Risk: An unmanaged endpoint may introduce malware into the enterprise network.
Control: Unmanaged endpoints must not be granted access to the enterprise network.

8. Risk: An attacker controlled access point may masquerade as a legitimate managed access point, with the aim of launching network level attacks on endpoints mistakenly associating with the malicious AP.
Control: Controls deployed on endpoints, including use of a hardened operating system, VPN configuration and mutual wireless network authentication (see Scenario 2); frequent wireless surveys and audits.
Residual risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence.

9. Risk: A threat actor may intercept guest traffic compromising its confidentiality.
Control: Guest users should be made aware that no level of confidentiality is offered to traffic passing over the wireless infrastructure.
Residual risk: Where a commercial offering such as WPA-PSK is used to offer basic protection, it should be noted that all guests in possession of the shared key will be able to decrypt traffic transiting the network.

Table 4 - Risks, controls, and residual risks for Scenario 3.


Scenario 4

72. This scenario shows how a user with a managed endpoint can access services in the home infrastructure using an unmanaged wireless infrastructure.

Business Scenario

73. This scenario may, for example, be appropriate as part of a remote working solution where a user connects to an enterprise network using their home wireless network infrastructure. For further guidance on remote working, please refer to GPG 10 (reference [b]). Note that the use of captive portals may not be appropriate for this scenario.

Architecture

Figure 5 - Architecture for Scenario 4

74. To access services in the enterprise network, the user must first establish an association with the relevant unmanaged wireless infrastructure. Managed endpoints may need to be configured to use the unmanaged wireless infrastructure, for example, where WPA-PSK needs to be configured. Such users should only be granted sufficient privileges to configure an association with the wireless infrastructure. Full administrator privileges in the endpoint should not be granted as this may allow a user to compromise controls in the endpoint or increase the impact of a successful compromise of the device.

75. Once a valid association has been created, the user should only be able to establish a VPN connection to the enterprise VPN gateway.

76. Once the VPN tunnel has been established, all traffic must go through the VPN tunnel with split tunnels not being allowed.

Endpoints

Function

77. Managed Endpoint devices are used to access services in the enterprise network.

Security considerations

78. Managed endpoints must be locked down to reduce the risk of compromise. Countermeasures applicable to wireless endpoints are discussed below. General guidance on client security can be found in GPG 17 (reference [f]).

79. Once the user has associated with the wireless infrastructure, they can connect to the enterprise network by establishing a VPN tunnel to the VPN gateway. All traffic transmitted from the endpoint’s wireless interface must pass through the VPN tunnel. This ensures that all wireless traffic between the endpoint and the VPN gateway is encrypted, reducing the threat from eavesdropping on the wireless traffic.

Wireless Infrastructure

Function

80. The wireless infrastructure considered in this scenario is unmanaged. That is, it is not managed by the enterprise. Such examples could include home wireless, or a service offered by an internet café or hotel.

Security Considerations

81. Associations with wireless infrastructures that require a split tunnel, as may be the case when authenticating to a captive portal, must not be permitted. Where this is required, alternative solutions for authenticating with the captive portal should be sought.

82. No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through jamming.


Access Layer

Function

83. The role of the access layer is to terminate any encryption used to protect the link from the managed endpoint. It must also authenticate the user and the managed endpoint.

84. The access layer should also provide a control against the risk of network bound attacks on the availability of the system. Such defences may include advanced features within the firewall, load balancing systems or other denial of service protection devices. This may be a function that is provided as part of the VPN gateway.

Security considerations

85. The VPN solution should be independently assured as per the relevant requirements of IS4 (reference [g]).

86. The access layer should also protect the VPN gateway and ensure that only VPN traffic reaches the VPN gateway.

87. The VPN solution must reduce the protective marking of the data in transit to UNCLASSIFIED.

88. It is recommended that the access layer form part of a Walled Garden Architecture. This will enable the enterprise to assert more control over the services provided to the managed endpoint and reduce the impact of a compromise. See CESG Architectural Pattern No. 2 (reference [e]).

Controls and Residual Risks

89. The table below outlines the identified risks together with the controls to help mitigate them and the residual risks that are still present after implementing the controls.


1. Risk: A threat actor may intercept data in transit to compromise its confidentiality or integrity.
Control: All traffic transiting the wireless infrastructure must be UNCLASSIFIED. This may be achieved using an independently assured data in transit encryption product as per the relevant requirements of IS4 (reference [g]).

2. Risk: A threat actor may compromise the wireless driver in a managed endpoint to gain access to data stored in the endpoint or enterprise network.
Control: Managed endpoints should be locked down and use a supported operating system.
Control: Managed endpoints should be regularly patched and be physically protected at all times.
Control: Credentials stored in the managed endpoint should be encrypted using an independently assured product as per the relevant requirements of IS4 (reference [g]).
Residual risk: A determined and capable threat actor within range may still compromise the endpoint.

3. Risk: An unmanaged endpoint may introduce malware into the enterprise network.
Control: Unmanaged endpoints must not be granted access to the enterprise network.

4. Risk: A compromised managed endpoint may compromise the confidentiality, availability or integrity of data that it legitimately has access to.
Control: Managed endpoints should be protected commensurately with the sensitivity or protective marking of the data and services to which they will have access.
Residual risk: The endpoint protection may not prevent a sophisticated attack and there remains a residual risk that attacks could pass through this defence.

5. Risk: An attacker controlled access point may masquerade as a legitimate managed access point, with the aim of launching network level attacks on endpoints mistakenly associating with the malicious AP.
Control: Controls deployed on endpoints, including use of a hardened operating system and VPN configuration.
Residual risk: The endpoint protection may not prevent a sophisticated targeted attack and there remains a residual risk that attacks could pass through this defence.

Table 5 - Risks, controls, and residual risks for Scenario 4

Audit and Monitoring

90. Audit and monitoring plays an important role in protecting systems and enabling alerting and situational awareness in the event of a compromise. Advice on meeting protective monitoring obligations and determining appropriate levels of protective monitoring for HMG Systems can be found in GPG 13 (reference [h]).

91. Audit and monitoring taps could be taken from all the components within the architecture. Particular requirements for audit and monitoring are discussed below.

92. The VPN gateway should log failed attempts to authenticate. Repeated failures should be investigated.


Appendix A – Accreditors’ Notes

93. No configuration of a wireless network can guarantee network availability. Due to the nature of the technology, denial of service is always possible through attacks such as jamming. Where availability is a concern, wireless should not be used unless there is a fallback solution in place.

94. Where a shared key is used to encrypt guest traffic, a rogue guest in possession of the shared key will be able to decrypt and view the wireless traffic of all other guests using the same shared key. Changing the key regularly and limiting the number of guests that share a key can reduce the impact of this threat.
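The reason a rogue guest holding the shared key can read other guests' traffic follows directly from the WPA2-PSK key derivation in IEEE 802.11i (reference [i]): the per-station keys are a function of the PMK, which is derived only from the passphrase and SSID, plus values sent in clear during the 4-way handshake. The following added example (not code from the CESG pattern) implements that derivation and simulates an observer who captured another guest's handshake; the SSID, passphrases, MAC addresses, nonces and the placeholder EAPOL message body are all constructed for the example.

```python
"""WPA2-PSK key derivation: why one shared key exposes every guest's traffic.

Added example (not from the CESG pattern) implementing the PMK and PTK
derivation defined in IEEE 802.11i. The SSID, passphrases, MAC addresses,
nonces and EAPOL bytes used below are constructed for illustration.
"""
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK to PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((512 + 159) // 160 + 1):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes):
    """Pairwise Transient Key for one station's association, split into
    (KCK, KEK, TK) as used with CCMP.

    Every input except the PMK travels in clear (nonces in handshake messages
    1 and 2, MAC addresses in the frame headers), so anyone holding the PMK,
    i.e. the shared passphrase, who captures the handshake reproduces the keys.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128
    bits. A passphrase holder checks a derived KCK against the MIC in a captured
    handshake message before attempting to decrypt any data frames."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def observer_recovers_victim_keys(shared_passphrase: str, ssid: str,
                                  observer_passphrase: str) -> bool:
    """Simulate a guest (the observer) who captured another guest's handshake.

    Returns True when the observer's passphrase reproduces the victim's KCK
    (confirmed via the handshake MIC) and hence the victim's TK.
    """
    ap_mac = bytes.fromhex("00005e00530a")        # constructed addresses
    victim_mac = bytes.fromhex("00005e005301")
    anonce, snonce = os.urandom(32), os.urandom(32)  # sent in clear on air

    # Keys the AP and the victim station both derive.
    kck, _, tk = derive_ptk(pmk_from_passphrase(shared_passphrase, ssid),
                            ap_mac, victim_mac, anonce, snonce)
    # Placeholder bytes standing in for handshake message 2 with its MIC zeroed.
    msg2 = b"\x02\x03\x00\x5f\x02" + snonce + b"\x00" * 40
    mic_on_air = eapol_mic(kck, msg2)

    # What the observer derives from its own passphrase plus the capture.
    o_kck, _, o_tk = derive_ptk(pmk_from_passphrase(observer_passphrase, ssid),
                                ap_mac, victim_mac, anonce, snonce)
    return (hmac.compare_digest(eapol_mic(o_kck, msg2), mic_on_air)
            and hmac.compare_digest(o_tk, tk))


if __name__ == "__main__":
    print("same key  :", observer_recovers_victim_keys("GuestKey-Week41", "HMG-Guest", "GuestKey-Week41"))
    print("rotated key:", observer_recovers_victim_keys("GuestKey-Week41", "HMG-Guest", "GuestKey-Week42"))
```

With the same passphrase the observer reproduces the victim's TK; once the key has been rotated (paragraph 94's mitigation) an observer holding only the old passphrase derives the wrong keys and the MIC check fails. Decrypting captured CCMP data frames with the recovered TK is not shown; the point of the example is that nothing beyond the shared key and a passive capture is needed to get there. Per-user credentials (802.1X/EAP) avoid this because each session's PMK is then unique to the authenticating user.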

95. Where managed endpoints are used to access an enterprise network, there is a residual risk of a compromised managed endpoint compromising the confidentiality, integrity and availability of any data that it legitimately has access to. This is the same as with any remote access solution and is why the device should be protected appropriately for the protective marking or sensitivity of the information it is required to store and process.

96. Unauthorised APs attached to the enterprise network could compromise the enterprise network. Wireless surveys should be used to identify unauthorised APs attached to the enterprise network. However, unauthorised APs will only be detected if they are transmitting at the time when the survey is conducted. There is a residual risk that a maliciously deployed AP may only transmit at certain times and hence elude the monitoring effort. It should be noted that if an unauthorised device is detected, the enterprise network may already be compromised and it is advised that this scenario, and how the enterprise would react, is included in any incident response plan.

97. There are additional risks that accreditors should be aware of, when deploying wireless into sensitive locations. Appendix B of this document covers these risks but carries a higher protective marking than the main body. To ensure the pattern can be distributed to maximum effect, Appendix B has been produced as a separate document. Should this scenario apply to your application of this Architectural Pattern, please consult your source of CESG documentation for a copy of Appendix B.


References

Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents.

[a] CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless Technology in Government Systems (UK RESTRICTED) – latest issue available from the CESG website

[b] CESG Good Practice Guide No. 10, Remote Working (UNCLASSIFIED) – latest issue available from the CESG website

[c] CESG Good Practice Guide No. 35, Protecting an Internal ICT Network (UNCLASSIFIED) – latest issue available from the CESG website

[d] CESG Architectural Pattern No. 11, Mobile Remote Endpoint Devices at RESTRICTED (UNCLASSIFIED) – latest issue available from the CESG website

[e] CESG Architectural Pattern No. 2, Walled Gardens for Remote Access – latest issue available from the CESG website

[f] CESG Good Practice Guide No. 17, Protective Monitoring for HMG ICT Systems (UNCLASSIFIED) – latest issue available from the CESG website

[g] HMG IA Standard 4, Protective Security Controls for the Handling and Management of Cryptographic Items (OFFICIAL SENSITIVE) – latest issue available from the CESG website

[h] CESG Good Practice Guide No. 13 (GPG 13), Protective Monitoring for HMG ICT Systems (UNCLASSIFIED) – latest issue available from the CESG website

[i] IEEE Std 802.11i-2004, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.


Glossary

Access Point (AP) The access point provides an endpoint with wireless access to services on a wired network.

Captive portal A captive portal presents an authentication page to guest users that require access to the Internet. This may be used to control access and provide auditing capability to support governance.

Credential provider The credential provider is responsible for providing temporary credentials for Internet access to guests and partners that are authorised to use the managed wireless infrastructure. The credential provider may be a receptionist or network administrator. The credential provider must check that a user is authorised to use the wireless infrastructure before providing them with access credentials.

Enterprise users Enterprise users are typically employees of the HMG department deploying the wireless solution. They will usually be given use of a managed wireless endpoint.

Guest users Guest users are likely to be users visiting the HMG department requiring Internet access. Guest users will typically be in possession of an unmanaged endpoint.

Managed component A managed component is one that is managed by the enterprise deploying the wireless solution. The enterprise will have increased confidence about the integrity, configuration and maintenance of such components. Managed components should be patched according to an enterprise patching policy and may have additional technical protections designed to protect their confidentiality and integrity.

Partner users Partner users will typically be employees of a department that has a trust relationship with the HMG department deploying the wireless solution; for example, employees from a different HMG department.

Remote Access Solution (RAS) Technology allowing a user to work remotely through a communications link back to their enterprise network to view or process data stored on that network.

Service Set Identifier (SSID) The SSID is a text string used to identify a wireless network. SSIDs are usually broadcast from APs.

Unmanaged component An unmanaged component is one where the enterprise has very little confidence about its integrity, configuration and maintenance because it does not control the component. The lack of confidence in these areas increases the risk of compromise to the networks to which it connects.


CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice. CESG Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015