| Name | Description | Status | Tools |
|---|
| 1 | Firewall | A layer 4 firewall MUST separate the all internet-facing RADIUS server servers and the internal network. Access must be controlled and monitored. | MUST |
|
| 2 | Firewall ICMP | Firewalls MUST permit ICMP to allow centralised monitoring of RADIUS servers | MUST |
|
| 3 | Admin access | System administration (RADIUS and associated systems) MUST be preformed over a private internal network ONLY. | MUST |
|
| 4 | DMZ connectivity | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks) | MUST |
|
| 5 | External port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). UDP 1645 MUST NOT be used. | MUST |
|
| 6 | Internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH) | MUST |
|
| 7 | Patch management | All server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria to deciding whether to deploy early patches against zero-day exploits or to follow stable releases) | MUST |
|
| 8 | Consistent time | All servers MUST be configured against the same time-synched NTP server to minimise issues with log reconciliation. | MUST |
|
| 9 | Backups | All servers and configuration files MUST be regularly backed up (as a minimum after every configuration change) | MUST |
|
| 10 | Monitoring | Servers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times) | MUST |
|
| 11 | Authentication logs | All authentications to eduroam infrastructure systems MUST be logged. Such logs may constitute personal data and MUST be managed in a GDPR-compliant way. All such logs should be timestamped against a synced NTP source and held for a minimum of <central policy specified period?>. | MUST |
|
| 12 | Alerts | Servers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected dn responded to in real time. Alert systems should be regularly tested for effectiveness. | MUST |
|
| 13 | Traffic interception | NROs MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies) | MUST NOT |
|
| 814 | RadSec | If RadSec is used, X.509 certificates must be used to identify RADIUS servers | MUST (optional) |
|
| 915 | Network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users. | SHOULD |
|
| 1016 | VLAN spoofing countermeasures | the visitor network design should prevent devices from mailiciously placing themselves into unauthorised VLANs | SHOULD |
|
| 1117 | External penetration testing | NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. | SHOULD |
|
| 1218 | Internal vulnerability testing | NROs SHOULD regularly conduct vulnerability testing from within the internal network of eduroam infrastructure. | SHOULD |
|
| 1319 | Non-eduroam guests | NRO and its members may offer a public guest Wi-Fi service for thsoe unable to access eudroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures. | SHOULD |
|
| 20 | Redundancy | NRO-level RADIUS servers SHOULD be deployed in a redundant, diverse configuration to maximise availability and meet SLAs | SHOULD |
|
| 21 | Dedicated servers | NRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface. | SHOULD (MUST?) |
|
| 22 | Hardened servers | NRO-level RADIUS servers SHOULD be hardened to recognised best practice standards (includes secondary/backup RADIUS, certificate servers etc.) | SHOULD |
|
| 23 |
|
|
|
|
| 24 |
|
|
|
|
| 25 |
|
|
|
|
| 26 | 14 | 15 |
|
|
|
|
