Solid Security
Wireless has become a ubiquitous service expectation and a near-universal public policy goal. But cracking methods have become very sophisticated and widespread. Wireless security is now a constant IT challenge -- and an agency imperative, because adverse security publicity can severely damage IT management and organizational standing.
Over the past two years, the Michigan Department of Information Technology (MDIT) has developed an innovative and effective balance of management, operational, technical and enterprise service solutions for wireless communications in a best-practice security environment, providing transferable policy, operational and technical lessons for other jurisdictions.
Michigan is the first state government to have a centrally managed enterprisewide wireless LAN, accelerating a convergence of policies for wired networks and WLANs.
The state has had wireless capability for several years, driven by the following factors:
- Technology maturity, increased manageability and higher-speed standards;
- Changing employee demographics, with a new generation of workers having an expectation of instant connection anytime, anywhere;
- Heavy reliance on e-mail, including wireless Internet; and
- Emphasis on shared services, with associated changes in working relationships with partners.
The first MDIT wireless solution posed numerous challenges. The initial implementation used heterogeneous solutions from several manufacturers, causing many issues with policies, standards, operation, maintenance, compatibility and management.
For example, no enterprisewide policy or standards on WLAN implementations had been developed, and over time, many of our service providers consolidated or discontinued solutions. Wireless LAN was accessible to fiber-connected offices only, prompting users to install their own unsecured, unauthorized wireless LANs within the workplace.
What's more, the recurring monthly charge of $260 per access point (AP) proved cost-prohibitive for most agencies, resulting in limited installation. WLAN services within conference rooms and community areas incurred additional costs, posed hazards because of the cabling required for gear and created security vulnerabilities. Two-factor authentication standards involved additional administration of accounts and monthly charges, and were viewed as too cumbersome by key government executives.
New and Improved
In order to mitigate these security issues and other problems with the original WLAN, MDIT developed, tested and rolled out a new version in 2007. Our improved solution has helped us to achieve the following:
- Improved wireless security that matches or exceeds our wired standards;
- Enterprise standards and service capability;
- WAN/wireless integration that allows us to provide a WLAN for wide area customers;
- Integrated wireline and wireless policies and practices that provide a seamless logon experience; and
- Affordable, cost-effective service.
So far, 16 state offices throughout Michigan have WLAN services -- 13 in the Lansing Metropolitan Area Network, where the largest number of state employees are concentrated. We also have wide area WLAN implementation in three counties, and APs are installed and awaiting a security decision in five other counties.
To overcome some of the initial barriers, staff developed wireless policy and standards in collaboration with the MDIT Office of Enterprise Security. We chose a single product line (Cisco Unified Wireless) with proven performance, reliability, security and scalability. Rather than keep the virtual private network/SecurID logon that executives had found cumbersome, we reused the authentication infrastructure already in place: RADIUS and Active Directory (AD) authenticate both the machine account and the user account/password, and that combination of device identity and user credential is what satisfies our two-factor authentication standard.
To ensure higher levels of security, access to private network resources is now limited to state workstations only. AD machine authentication and user identification/password authentication are required before granting wireless access.
In addition, MDIT implemented these best-practice authentication and encryption protocols: 802.1X port-based access control, with PEAP (Protected Extensible Authentication Protocol) carrying MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol Version 2) as the inner method; Microsoft server certificates, which authenticate the RADIUS server to the client before any credential is sent; and WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) encryption over the air. One caveat applies to any PEAP/MS-CHAPv2 deployment: MS-CHAPv2 is protected only by the PEAP TLS tunnel, so clients must be configured to validate the server certificate against the expected root CA and server name without prompting the user; otherwise a rogue access point presenting its own certificate can capture the MS-CHAPv2 exchange for offline cracking of the user's password.
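The client side of that stack lives in the Windows WLAN profile that Group Policy pushes to domain-joined workstations (the XML that `netsh wlan export profile` writes). The script below is an added example, not code from the MDIT deployment: it audits a profile for WPA2/AES, 802.1X, PEAP with an MS-CHAPv2 inner method, machine-or-user authentication, and server-certificate validation pinned to a trusted root with the user prompt disabled, and it shows the hardened profile beside the loosened one a "just make it connect" fix tends to leave behind. The embedded profile is constructed; the SSID, the RADIUS server name `radius.state.example` and the CA thumbprint are placeholders.

```python
"""Audit a Windows WLAN profile for the 802.1X/PEAP/MS-CHAPv2/WPA2-AES settings
described above, including server-certificate validation.

Added example, not code from the MDIT deployment. The profile is constructed;
the SSID, RADIUS server name and CA thumbprint are placeholders."""
import xml.etree.ElementTree as ET

# Namespaces of the Windows WLAN profile schema, keyed by the prefixes used below.
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
    "be": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "pe": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "pe2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

CA_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"  # placeholder

# Constructed hardened profile: machine-or-user PEAP/MS-CHAPv2, WPA2-AES,
# server certificate pinned to a root CA and a server name, no user prompt.
HARDENED_PROFILE = f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['p']}">
  <name>StateWLAN</name>
  <SSIDConfig><SSID><name>StateWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="{NS['ox']}">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="{NS['eh']}">
          <EapMethod><Type xmlns="{NS['ec']}">25</Type></EapMethod>
          <Config>
            <Eap xmlns="{NS['be']}">
              <Type>25</Type>
              <EapType xmlns="{NS['pe']}">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>radius.state.example</ServerNames>
                  <TrustedRootCA>{CA_THUMBPRINT}</TrustedRootCA>
                </ServerValidation>
                <Eap xmlns="{NS['be']}"><Type>26</Type></Eap>
                <PeapExtensions>
                  <PerformServerValidation xmlns="{NS['pe2']}">true</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# The same profile after the usual loosening: user-only auth (any laptop with a
# stolen password gets on), a click-through certificate prompt, no pinned root
# CA (both enable an evil-twin AP to harvest MS-CHAPv2), and TKIP instead of AES.
WEAK_PROFILE = (
    HARDENED_PROFILE
    .replace("<encryption>AES</encryption>", "<encryption>TKIP</encryption>")
    .replace("<authMode>machineOrUser</authMode>", "<authMode>user</authMode>")
    .replace("<DisableUserPromptForServerValidation>true", "<DisableUserPromptForServerValidation>false")
    .replace(f"<TrustedRootCA>{CA_THUMBPRINT}</TrustedRootCA>", "<TrustedRootCA></TrustedRootCA>")
)

SEC = "p:MSM/p:security"
ONEX = SEC + "/ox:OneX"
PEAP = ONEX + "/ox:EAPConfig/eh:EapHostConfig/eh:Config/be:Eap/pe:EapType"

# (xpath, expected value, finding); an expectation of None means "must be non-empty".
CHECKS = [
    (SEC + "/p:authEncryption/p:authentication", "WPA2", "authentication is not WPA2"),
    (SEC + "/p:authEncryption/p:encryption", "AES", "encryption is not AES (TKIP is deprecated)"),
    (SEC + "/p:authEncryption/p:useOneX", "true", "802.1X is not enabled"),
    (ONEX + "/ox:authMode", "machineOrUser", "authMode is not machineOrUser: no machine authentication"),
    (ONEX + "/ox:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type", "25", "outer EAP method is not PEAP"),
    (PEAP + "/be:Eap/be:Type", "26", "inner EAP method is not MS-CHAPv2"),
    (PEAP + "/pe:PeapExtensions/pe2:PerformServerValidation", "true", "server certificate validation is off"),
    (PEAP + "/pe:ServerValidation/pe:DisableUserPromptForServerValidation", "true",
     "user can accept an unknown server certificate (evil-twin risk)"),
    (PEAP + "/pe:ServerValidation/pe:TrustedRootCA", None, "no trusted root CA pinned"),
    (PEAP + "/pe:ServerValidation/pe:ServerNames", None, "no RADIUS server name restriction"),
]


def audit_profile(xml_text):
    """Return the list of findings for a profile; an empty list means it matches the standard."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, expected, finding in CHECKS:
        value = (root.findtext(path, namespaces=NS) or "").strip()
        if (expected is None and not value) or (expected is not None and value != expected):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```

The profile governs only what the client offers. That a user session actually comes from a workstation that first completed machine authentication is enforced on the RADIUS side, and this audit cannot see that policy; check it there separately.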
Granting Guest Access
Visitors get wireless guest access that reaches only the Internet, never our internal network. A per-user bandwidth limit of 384 kilobits per second keeps guests from consuming too much bandwidth. Web filtering tools (Blue Coat Proxy and Websense) limit and log guest Internet access, firewalls restrict all guest traffic, and the wireless controllers carry it inside an AES-encrypted tunnel.
To provide WLAN service to other offices across the WAN, APs at remote state offices run in Hybrid Remote-Edge AP (H-REAP) mode. H-REAP switches data traffic locally while the APs still communicate with the centralized WLAN controllers for management.
We configure WAN locations to keep wireless traffic local unless users need centrally located resources in Lansing. For example, wireless devices in a remote office can use local servers, printers and other resources without sending that data over the WAN link. Apart from user data bound for Lansing, the only traffic on the WAN link is AP-to-controller management communication. All existing WLAN security practices still apply, and the WLAN user experience is now the same across the enterprise.
In addition, our security servers log all web transactions, providing detailed accounting information. This provides the visibility necessary to determine web usage patterns, audit user history, track security issues and develop comprehensive web protection and control policies.
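The proxy logs behind the guest service and the audit use described above are the natural place to check that the guest segregation actually holds. The script below is an added example, not the state's tooling: it parses access logs in the W3C Extended Log Format that Blue Coat ProxySG writes (a `#Fields:` header names the columns, so the parser follows whatever field set is configured), totals bytes and denied requests per guest client, flags requests aimed at private addresses or internal DNS names, and reports any such request the filter let through as a policy gap. The log lines are constructed; the guest range `10.250.0.0/16` and the internal DNS suffix `.lan.example` are assumptions.

```python
"""Per-guest accounting and internal-destination detection over W3C ELFF proxy logs.

Added example, not the state's tooling. Log lines are constructed; the guest
address range and internal DNS suffix are assumptions."""
import ipaddress
import shlex
from collections import defaultdict

GUEST_NET = ipaddress.ip_network("10.250.0.0/16")   # assumed guest VLAN
INTERNAL_SUFFIX = ".lan.example"                    # assumed internal DNS zone

# Constructed sample: two guest clients and one staff client. The column set is
# a subset of the ProxySG main format; the parser reads it from the header.
SAMPLE_LOG = """#Software: SGOS
#Fields: date time time-taken c-ip cs-username sc-filter-result cs-categories sc-status s-action cs-method cs-host cs-uri-port cs-uri-path sc-bytes cs-bytes
2008-03-04 09:12:01 120 10.250.3.17 - OBSERVED "News" 200 TCP_NC_MISS GET www.example.com 80 / 15320 410
2008-03-04 09:12:09 8 10.250.3.17 - DENIED "Malware" 403 TCP_DENIED GET bad.example.net 80 /payload.exe 512 380
2008-03-04 09:13:44 35 10.250.3.42 - OBSERVED "Business" 200 TCP_HIT GET intranet.lan.example 80 /login 8800 390
2008-03-04 09:14:02 4 10.250.3.42 - DENIED "Internal" 403 TCP_DENIED GET 10.1.20.5 8080 /admin 0 300
2008-03-04 09:15:30 210 10.1.44.9 jdoe OBSERVED "Business" 200 TCP_NC_MISS GET www.example.com 80 /docs 52000 600
"""


def parse_elff(text):
    """Yield one dict per record, keyed by the column names from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue                      # other directives and blank lines
        if fields is None:
            raise ValueError("log record before any #Fields: header")
        values = shlex.split(raw)         # honours the quoted category column
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {raw!r}")
        yield dict(zip(fields, values))


def is_internal_destination(host):
    """True for RFC 1918 literals and names in the internal zone; guests must not reach these."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                    # a hostname, not an IP literal
        return host.lower().endswith(INTERNAL_SUFFIX)


def summarize_guests(text):
    """Per-guest accounting: requests, denied requests, bytes in both directions,
    and every internal destination the client tried to reach (denied or not)."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "bytes": 0, "internal_hits": []})
    for rec in parse_elff(text):
        if ipaddress.ip_address(rec["c-ip"]) not in GUEST_NET:
            continue                      # staff traffic is accounted for elsewhere
        s = stats[rec["c-ip"]]
        s["requests"] += 1
        s["bytes"] += int(rec["sc-bytes"]) + int(rec["cs-bytes"])
        if rec["sc-filter-result"] == "DENIED":
            s["denied"] += 1
        if is_internal_destination(rec["cs-host"]):
            s["internal_hits"].append(rec["cs-host"])
    return dict(stats)


def policy_gaps(text):
    """(client, host) pairs where a guest reached an internal destination and was NOT denied."""
    return [(rec["c-ip"], rec["cs-host"]) for rec in parse_elff(text)
            if ipaddress.ip_address(rec["c-ip"]) in GUEST_NET
            and is_internal_destination(rec["cs-host"])
            and rec["sc-filter-result"] != "DENIED"]


if __name__ == "__main__":
    for client, s in summarize_guests(SAMPLE_LOG).items():
        print(client, s)
    print("policy gaps:", policy_gaps(SAMPLE_LOG))
```

In the constructed sample the denied probe of 10.1.20.5 shows the firewall doing its job; the allowed request to intranet.lan.example is the line that should raise a ticket, because it means a guest reached something the segregation was supposed to hide.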
The MDIT telecommunications service catalog contains a description of Michigan's wireless LAN service, defining scope of services, agency responsibilities, and how to order the service. The MDIT Customer Service Center is trained to help clients triage and resolve any connectivity and authentication problems that may be reported with WLAN.
The solution is an innovative and effective balance of management, operational, technical and service solutions in a best-practice security environment, providing lessons applicable to other state and local government jurisdictions.
Lessons Learned
Other state and local governments can benefit from the insight gained by the Michigan Department of Information Technology during deployment:
Policy and Governance
- Gain executive-level sponsorship with clear definition of service requirements.
- Establish enterprise-level policies and standards first.
- Develop sound procedural requirements up front, especially for security.
Processes
- Collaborate with all stakeholders -- security, desktop support and customer service.
- Demonstrate and document the value of testing.
Technology
- Utilize existing infrastructure as much as possible -- Active Directory, RADIUS, VPN concentrators and LAN infrastructure.
- Select all components based on integration and product compatibility.
- Implement Hybrid REAP for wireless WAN to realize cost savings on local WLAN controllers.
- Avoid proprietary technology in your design.