
WorkSafeBC’s Wireless LAN Implementation

WorkSafeBC’s Wireless LAN Implementation, with a focus on security. UBC, October 2, 2008. Allan Alton, BSc, CISA, CISSP.


Presentation Transcript


  1. WorkSafeBC’s Wireless LAN Implementation …with a focus on security
     UBC, October 2, 2008
     Allan Alton, BSc, CISA, CISSP

  2. Agenda
     • Goals
     • Functional
     • Security
     • Architecture Overview
     • Challenges
     • Futures

  3. Goals - Functional
     From:
     • Head Office and 17 area offices/work centres
     • Meeting rooms
     • Common areas (lobby, atrium, lounge, cafeteria)
     • Parking lot edge (drive-by downloading)

  4. Goals - Functional
     To:
     • Employee access to internal network
     • Guest access to Internet
     • Broader Public Sector (BPS) employee access to Internet

  5. Goals - Functional
     Using:
     • existing built-in client adapters
     • PC Card adapter for exceptions
     • Windows XP client software
     • standardized client for easier support
     • 802.11g and 802.11a only
     • no 802.11b due to performance penalty

  6. 802.11b Exclusion

  7. Goals - Security
     • Tip for success: Work with your security group from the beginning
     Network Services & IS Security

  8. Goals - Security
     • Wi-Fi Protected Access 2 (WPA2) only
     • Firewall separation from internal network
     • SSID not broadcast (except for guest)
     • Integration with Active Directory
     • Wireless intrusion detection
     • Intrusion detection at wired network entry
     • Access Points physically hidden

  9. Goals - Security
     http://support.intel.com/support/wireless/wlan/sb/cs-008413.htm

  10. Architecture Overview
     • Centralized controller model
     • Redundancy measures:
     • Secondary / Tertiary controller assignment for APs
     • Under-load AP/controller ratio for controller failure
     • 802.3ad Link Aggregation for cable failures
     • Switch stacks for switch failure
     • Multiple paths to multiple core switches
     • HSRP for router failure
     • Firewall cluster in active/standby mode

  11. [Diagram callouts]
     • two slots in core
     • 802.3ad link aggregation
     • switch stack for switch failure
     • multiple paths to multiple core switches
     • firewall cluster in active/standby mode

  12. Logical View

  13. Guest Access
     • Separate SSID (broadcast)
     • Ethernet over IP tunnel to Internet DMZ
     • Authentication models wired guest access
     • SecurID token held by Help Desk
     • Web page authentication

  14. Guest Access
     Legal text:
     - be a good person or else
     - transmission not encrypted
     Call Customer Support Centre if you wish to proceed
     Customer Support Centre verifies requirement and provides information to enter

  15. Challenges
     • Sorting out rogues (on vs. off network)
     • Problems in remote offices
     • Interference, rogues, security attacks

  16. Futures
     • Broader Public Sector access
     • Location: Will explore these capabilities
     • 802.11n: No real requirement
     • Non-workstation devices: will consider
     • Voice over WLAN
     • No plans, VoIP experimental on wired side
     • Did site survey for voice coverage

  17. [Figure legend]
     • First phase installation
     • Additional for voice

  18. Antenna Research
     • Greater RF gain needed
     • Users are more mobile
     • Integration with personal protective gear
     • Sophisticated look – coolness factor

  19. Questions?
