Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

#NameDescriptionStatusToolsReview Comments
1Deploy a FirewallA layer 4 firewall MUST separate all internet-facing RADIUS servers and the internal network. Access must be controlled and monitored.MUSTNRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
2Allow ICMPFirewalls MUST permit ICMP to allow centralised monitoring of RADIUS serversMUSTNRO shows web site with ICMP monitoring results (OT manually)
3Limit admin accessSystem administration (RADIUS and associated systems) MUST be preformed over a private internal network ONLY.MUSTNRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
4Assess connectivity risksAll protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks)MUSTCarry out assessment (OT manually)
5Regulate external port accessA deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). UDP 1645 MUST NOT be used.MUSTNRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)Why do we care about not running 1645. (Or even random other ports, like the hosted SP may do.)the hosted SP may do.)
6UDP fragmentationMake sure UDP fragmentation worksMUSTTest this once a year with eduroam managed IdP - one account per organisation, verify results (OT automatic) 6Make sure UDP fragmentation works Can be checked by peers.
7Regulate Internal port accessA deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH)MUSTNRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
8Undertake patch managementAll server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria to deciding whether to deploy early patches against zero-day exploits or to follow stable releases)MUSTNRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self)
9Ensure consistent timestampsAll servers MUST be configured against the same time-synched NTP server to minimise issues with log reconciliation.MUST

10Make back-upsAll servers and configuration files MUST be regularly backed up (as a minimum after every configuration change)MUST

11Conduct monitoringServers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times)MUST

12Retain authentication logsAll authentications to eduroam infrastructure systems MUST be logged. Such logs may constitute personal data and MUST be managed in a GDPR-compliant way. All such logs should be timestamped against a synced NTP source and held for a minimum of <central policy specified period?>.MUST

13Enable AlertsServers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected dn responded to in real time. Alert systems should be regularly tested for effectiveness.MUST

14Deploy secure CA serversCA servers MUST be hosted on a dedicated, locked-down server in a secure location,  configured for minimum user access. Such servers SHOULD have a fully qualified domain name, although this MAY not be published through DNS.MUST

15Enable Message-AuthenticatorWhere supported, the Message-Authenticator attribute MUST be enabled to prevent IP spoofed fake message injection. (see reference 8)MUST
EAP requests always carry it
16Adopt AESeduroam wi-fi services MUST implement WPA2 Enterprise with the use of the CCMP (AES) algorithmMUST

17Don't intercept trafficNROs and members MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies)MUST NOT

18Disable PAPPassword Authentication Protocol MUST NOT be used between access points and RADIUS serversMUST NOT

19DIsable SPAPShiva Password Authentication Protocol MUST NOT be used, as their encryption is reversible (see reference 7)MUST NOT

20Disable MS-CHAPv1Challenge Handshake Authentication Protocol is considered weak and MUST NOT be used.MUST NOT

21Disable WPA-TKIPThe WPA specification MUST NOT be supported and the TKIP algorithm MUST NOT be employed in eduroam servicesMUST NOT

22Suppress AccountingRADIUS accounting messages MUST NOT be forwarded to the eduroam international RADIUS Proxies. They may contain potentially sensitive information and therefore GDPR compliance duties. NB: conflicts with existing policy, which states it SHOULD be supported.MUST NOT

23Secure RadSec server identitiesIf RadSec is used, X.509 certificates must be used to identify RADIUS serversMUST (optional)

24Deploy dedicated serversNRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface.SHOULD (MUST?)

25Suppress VLAN attributesDynamic VLAN attributes SHOULD NOT be sent in Access-Accept replies to the NRPS.SHOULD NOT (MUST NOT?)

26Adopt network segmentationNetwork segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users.SHOULD

27Deploy VLAN spoofing countermeasuresthe visitor network design SHOULD prevent devices from mailiciously placing themselves into unauthorised VLANsSHOULD

28Conduct external penetration testingNROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure.SHOULD

29Conduct internal vulnerability testingNROs SHOULD regularly conduct vulnerability testing from within the internal network of eduroam infrastructure.SHOULD

30Separate non-eduroam guestsNRO and its members may offer a public guest Wi-Fi service for those unable to access eudroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures.SHOULD

31Incorporate redundancyNRO-level RADIUS servers SHOULD be deployed in a redundant, diverse configuration to maximise availability and meet SLAsSHOULD

32Deploy hardened serversNRO-level RADIUS servers SHOULD be hardened to recognised best practice standards (includes secondary/backup RADIUS, certificate servers etc.)SHOULD

33Adopt encrypted commsNRO SHOULD recommend to members that they use a VPN to protect communications between Access Points and the RADIUS server.SHOULD

34Set Operator-NameWhere possible, NRO and members SHOULD ensure all Access-Request packets proxied to the NRPS contain the Operator-Name attribute correctly set to the relevant realm.SHOULD

35Set eduroam-SP-CountryAdvised to NROs to set eduroam-SP-Country attribute in particular for RadSecSHOULD
(etlr also does it, but not for RadSec)

...