...
# | Name | Description | Status | Tools
---|---|---|---|---
1 | Physical signage | NRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics) | Should | Evidence: copy of documentation/web page
2 | Published locations | NRO ensures all member venue location data is added to the eduroam database (for use in maps etc.) | Should |
3 | Web presence | NRO publishes a site at (tld)/eduroam documenting eduroam activities and locations in its NREN | Should | Evidence: URL/screenshots
4 | Maps | The website (3) includes graphical maps of accessible locations, noting additional services such as charging points | May |
5 | Contact data | NRO has arranged year-round (365-day) cover for all named contact points (mail and phone redirects for leave etc.) | Should |
6 | CAT enabled | NRO maintains a CAT (eduroam Configuration Assistant Tool) administrator account/configuration for its own staff and recommends CAT usage to all members | Should |
7 | Training | NRO provides eduroam training to member organisations (either directly or through a third party) | Should |
3c. Technical requirements (MOL)
# | Name | Description | Status | Tools
---|---|---|---|---
1 | Firewall | A layer 4 firewall MUST separate the internet-facing RADIUS server from the internal network. Access MUST be controlled and monitored. | MUST |
2 | Firewall ICMP | Firewalls MUST permit the ICMP traffic needed for centralised monitoring of RADIUS servers (e.g. echo request/reply from the monitoring hosts) | MUST |
3 | Admin access | System administration (of RADIUS and associated systems) MUST be performed over a private internal network ONLY. | MUST |
4 | DMZ connectivity | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks) | MUST |
5 | External port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server on 18121, TCP 2083 if RadSec is used). The legacy RADIUS port UDP 1645 MUST NOT be used. | MUST |
6 | Internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH), reachable only from the private internal network required by (3) | MUST |
7 | Traffic interception | NROs MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. no TLS/SSL interception proxies) | MUST NOT |
8 | RadSec | If RadSec is used, X.509 certificates MUST be used to identify RADIUS servers | MUST (if RadSec is used) |
9 | Network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment from local organisation users. | SHOULD |
10 | VLAN spoofing countermeasures | The visitor network design SHOULD prevent devices from maliciously placing themselves into unauthorised VLANs (e.g. via 802.1Q tagging or switch spoofing). | SHOULD |
11 | External penetration testing | NROs SHOULD regularly conduct vulnerability assessments of internet-facing eduroam infrastructure. | SHOULD |
12 | Internal vulnerability testing | NROs SHOULD regularly conduct vulnerability testing of eduroam infrastructure from within the internal network. | SHOULD |
13 | Non-eduroam guests | NRO and its members may offer a public guest Wi-Fi service for those unable to access eduroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures. | SHOULD |
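The deny-all and monitoring rows (1, 2, 5 and 6) are easiest to verify mechanically from the server's own firewall state. The following Python script is an added example, not part of the requirements document or of any NRO's tooling: it parses an `iptables-save` dump of the INPUT chain and reports a default policy other than DROP, the legacy port UDP 1645, administration ports (22, 3389) reachable from outside an assumed management prefix, any other exposed port, and the absence of an ICMP allow rule. The port sets, the management network 10.20.0.0/24 and both sample dumps are assumptions constructed for illustration.

```python
"""Audit the INPUT chain of an iptables-save dump against the firewall rows above.

Added example, not part of the requirements document or any NRO's tooling.
The port sets, management prefix and both sample dumps are assumptions."""
import ipaddress
import shlex

# Assumed: the only ports the internet-facing RADIUS server needs to expose (row 5).
AUTH_PORTS = {("udp", 1812), ("udp", 18121), ("tcp", 2083)}
# Assumed: admin ports that may be open only from the management network (rows 3, 6).
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389)}
FORBIDDEN_PORTS = {("udp", 1645)}  # legacy RADIUS port, MUST NOT be used (row 5)
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed private admin network


def parse_input_rules(dump):
    """Return (default_policy, rules) for the INPUT chain; each rule is a dict of
    option -> value (True for bare flags).  A negated match ("! -s ...") is stored
    under "!-s", so a later lookup of "-s" sees the rule as unrestricted, which is
    the conservative reading for an audit."""
    policy, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            toks = shlex.split(line)[2:]
            rule, i, neg = {}, 0, ""
            while i < len(toks):
                if toks[i] == "!":
                    neg, i = "!", i + 1
                    continue
                key, neg = neg + toks[i], ""
                if i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!":
                    rule[key], i = toks[i + 1], i + 2
                else:
                    rule[key], i = True, i + 1
            rules.append(rule)
    return policy, rules


def from_mgmt_net(src):
    """True if the -s match lies entirely inside the assumed management network."""
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(MGMT_NET)
    except (ValueError, TypeError):  # malformed or wrong address family
        return False


def audit(dump):
    """Return a list of (code, detail) findings; an empty list means compliant."""
    policy, rules = parse_input_rules(dump)
    findings = []
    if policy != "DROP":  # rows 5/6: deny-all default
        findings.append(("default-policy", "INPUT policy is %s, expected DROP" % policy))
    icmp_allowed = False
    for r in rules:
        if r.get("-j") != "ACCEPT":
            continue
        proto, src = r.get("-p"), r.get("-s")
        if proto == "icmp":  # row 2: monitoring must reach the server
            icmp_allowed = True
            continue
        if "--dport" not in r:
            continue  # loopback / conntrack rules carry no port
        if ":" in r["--dport"]:
            findings.append(("port-range", "%s/%s opens a range" % (proto, r["--dport"])))
            continue
        port, where = (proto, int(r["--dport"])), src or "anywhere"
        if port in FORBIDDEN_PORTS:
            findings.append(("forbidden-port", "%s/%d is open" % port))
        elif port in ADMIN_PORTS:
            if src is None or not from_mgmt_net(src):
                findings.append(("admin-exposed", "%s/%d open from %s" % (proto, port[1], where)))
        elif port not in AUTH_PORTS:
            findings.append(("unexpected-port", "%s/%d open from %s" % (proto, port[1], where)))
    if not icmp_allowed:
        findings.append(("icmp-blocked", "no ACCEPT rule for ICMP; centralised monitoring will fail"))
    return findings


# Constructed sample dumps (not taken from a real host).
COMPLIANT = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.5/32 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp --dport 1812 -j ACCEPT
-A INPUT -p udp --dport 18121 -j ACCEPT
-A INPUT -p tcp --dport 2083 -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

NONCOMPLIANT = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp --dport 1645 -j ACCEPT
-A INPUT -p udp --dport 1812 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, audit(dump) or "OK")
```

Against a real host, feed it `iptables-save` output instead of the embedded samples; an nftables ruleset or a cloud security-group export needs a different parser but the same five checks. The script only inspects the INPUT chain, treats negated matches as unrestricted, and flags port ranges rather than evaluating them, so findings should be read as leads for the row 11/12 assessments, not as a pass/fail verdict on their own.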
4. References
eduroam Compliance Statement https://www.eduroam.org/support/eduroam_Compliance_Statement.pdf
...