Versions Compared


Columns: Name / Description / Status / Tools

1. Audit trail. NROs MUST ensure that they and their members retain authentication and DHCP logs for <period defined in central policy?> to enable the cooperative resolution of identity in the event of abuse of eduroam. Status: MUST
2. No sharing. NROs MUST ensure that all their members enforce the policy that credentials SHOULD NOT be shared between users (or devices where device authentication is used). Status: MUST
3. Physical security. NROs must advise their members that WiFi APs and cabling SHOULD be secured as much as possible (e.g. to restrict opportunities to introduce network taps or other tampering). All servers MUST be hosted in a secure environment. Status: MUST
4. Physical signage. NRO advises member organisations to deploy physical signage in areas where eduroam is available (e.g. to assist visitors with medical prosthetics). Status: SHOULD. Tools/evidence: copy of documentation/web page
5. Published locations. NRO ensures all member venue location data is added to the eduroam database (for use in maps etc.). Status: SHOULD
6. Web presence. NRO and members SHOULD publish a site at (tld)/eduroam documenting eduroam activities and locations in their NREN. Status: SHOULD. Tools/evidence: URL/screenshots
7. Contact data. NRO has arranged 365 cover of all named contact points (mail and phone redirects for leave etc.). Status: SHOULD
8. CAT enabled. NRO maintains a CAT administrator/config for its own staff and recommends CAT usage to all members. Status: SHOULD
9. Training. NRO provides eduroam training to member organisations (either directly or through a third party). Status: SHOULD
10. User education. NRO and members SHOULD implement training for end users on the expected legitimate behaviours of eduroam systems. Many attacks rely on incorrect user responses to inappropriate service behaviours such as password requests, certificate mismatch warnings etc. Status: SHOULD
11. Clarity. NRO members SHOULD act to minimise any possibility of confusion between eduroam and other guest services they may offer (e.g. to prevent credentials being inappropriately presented). Status: SHOULD
12. Maps. The Web presence site (above) includes graphical maps of accessible locations, noting additional services such as charging points. Status: MAY
13. (name and description not present on the page). Status: MUST
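The audit-trail requirement (item 1) exists so that an abuse report naming a visitor IP and a time can be traced back to a user. As an added example, not part of the original page or of eduroam's own tooling, the following Python walks that resolution: the DHCP log maps IP and time to a MAC, the RADIUS authentication log maps the MAC to the authenticated identity. The log formats, hostnames, realms and lease length are constructed assumptions; the need for both logs to share a synchronised clock (Consistent time, 3c item 8) is what makes the timestamp comparisons valid.

```python
"""Resolve an abuse report (visitor IP + time) to a user from retained DHCP and
RADIUS authentication logs. Added example with constructed, syslog-style lines;
real log formats differ by vendor and must be adapted."""
import re
from datetime import datetime, timedelta

# Constructed sample logs (UTC). The same IP is leased to two devices in one day.
DHCP_LOG = """\
2024-03-04T10:01:12Z dhcpd: DHCPACK on 10.20.5.17 to aa:bb:cc:dd:ee:01 via eth1
2024-03-04T11:30:45Z dhcpd: DHCPACK on 10.20.5.17 to aa:bb:cc:dd:ee:02 via eth1
"""
AUTH_LOG = """\
2024-03-04T09:59:58Z radiusd: Login OK: [anon@uni-a.example] (from client ap-03 port 0 cli AA-BB-CC-DD-EE-01)
2024-03-04T11:30:40Z radiusd: Login OK: [visitor@uni-b.example] (from client ap-07 port 0 cli AA-BB-CC-DD-EE-02)
"""

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) ")
AUTH_RE = re.compile(r"^(\S+) radiusd: Login OK: \[([^\]]+)\] .*cli (\S+)\)")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _norm_mac(mac):
    # DHCP and RADIUS logs rarely agree on MAC formatting; normalise first.
    return mac.lower().replace("-", ":")

def resolve_identity(ip, when, dhcp_log=DHCP_LOG, auth_log=AUTH_LOG,
                     lease=timedelta(hours=8)):
    """Return (mac, user) for the device holding `ip` at ISO time `when`, or None.
    Step 1: latest DHCPACK for the IP at or before `when`, still inside the lease.
    Step 2: latest successful RADIUS login for that MAC at or before the ACK."""
    when = _ts(when)
    ack = None                      # (time, mac) of the governing DHCPACK
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m and m.group(2) == ip:
            t = _ts(m.group(1))
            if t <= when and when - t <= lease and (ack is None or t > ack[0]):
                ack = (t, _norm_mac(m.group(3)))
    if ack is None:
        return None
    login = None                    # (time, user) of the governing login
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m and _norm_mac(m.group(3)) == ack[1]:
            t = _ts(m.group(1))
            if t <= ack[0] and (login is None or t > login[0]):
                login = (t, m.group(2))
    return (ack[1], login[1] if login else None)
```

A lookup that returns a MAC but no user is itself a finding: the device obtained an address without a matching authentication record, which the retention and logging requirements are meant to rule out.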



3c. Technical requirements (MOL)


Columns: Name / Description / Status / Tools

1. Firewall. A layer 4 firewall MUST separate all internet-facing RADIUS servers and the internal network. Access must be controlled and monitored. Status: MUST
2. Firewall ICMP. Firewalls MUST permit ICMP to allow centralised monitoring of RADIUS servers. Status: MUST
3. Admin access. System administration (RADIUS and associated systems) MUST be performed over a private internal network ONLY. Status: MUST
4. DMZ connectivity. All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks). Status: MUST
5. External port access. A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). UDP 1645 MUST NOT be used. Status: MUST
6. Internal port access. A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH). Status: MUST
7. Patch management. All server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria when deciding whether to deploy early patches against zero-day exploits or to follow stable releases). Status: MUST
8. Consistent time. All servers MUST be configured against the same time-synched NTP server to minimise issues with log reconciliation. Status: MUST
9. Backups. All servers and configuration files MUST be regularly backed up (as a minimum after every configuration change). Status: MUST
10. Monitoring. Servers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times). Status: MUST
11. Authentication logs. All authentications to eduroam infrastructure systems MUST be logged. Such logs may constitute personal data and MUST be managed in a GDPR-compliant way. All such logs should be timestamped against a synced NTP source and held for a minimum of <central policy specified period?>. Status: MUST
12. Alerts. Servers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected and responded to in real time. Alert systems should be regularly tested for effectiveness. Status: MUST
13. Traffic interception. NROs MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies). Status: MUST NOT
14. RadSec. If RadSec is used, X.509 certificates must be used to identify RADIUS servers. Status: MUST (optional)
15. Network segmentation. Network segmentation SHOULD be considered, placing roaming users into a separate segment to local organisation users. Status: SHOULD
16. VLAN spoofing countermeasures. The visitor network design should prevent devices from maliciously placing themselves into unauthorised VLANs. Status: SHOULD
17. External penetration testing. NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. Status: SHOULD
18. Internal vulnerability testing. NROs SHOULD regularly conduct vulnerability testing of eduroam infrastructure from within the internal network. Status: SHOULD
19. Non-eduroam guests. NRO and its members may offer a public guest Wi-Fi service for those unable to access eduroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring, and anti-circumvention measures. Status: SHOULD
20. Redundancy. NRO-level RADIUS servers SHOULD be deployed in a redundant, diverse configuration to maximise availability and meet SLAs. Status: SHOULD
21. Dedicated servers. NRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface. Status: SHOULD (MUST?)
22. Hardened servers. NRO-level RADIUS servers SHOULD be hardened to recognised best practice standards (includes secondary/backup RADIUS, certificate servers etc.). Status: SHOULD
23 to 26. (empty rows, no content on the page)

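The Monitoring requirement (item 10) asks for brute-force detection in the RADIUS authentication log and, where possible, an automated response such as growing back-off times; Alerts (item 12) then wants the result surfaced to SysAdmins. As an added example, not part of the original page or of eduroam's own tooling, the following Python counts failed logins per calling station inside a sliding window and derives a capped exponential back-off. The log line layout, the threshold of ten failures per minute and the 300 s cap are constructed assumptions to be tuned per deployment.

```python
"""Flag password brute forcing in a RADIUS authentication log and derive an
escalating back-off, as the Monitoring requirement suggests. Added example;
the log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ts, result, user, cli):
    # Constructed FreeRADIUS-like line; the field layout is an assumption.
    return (f"{ts:%Y-%m-%dT%H:%M:%SZ} radiusd: Login {result}: [{user}] "
            f"(from client ap-11 port 0 cli {cli})")

_T0 = datetime(2024, 3, 4, 12, 0, 0)
# Twelve failures for one identity from one station in 22 s, plus one
# unrelated successful login that must not be flagged.
SAMPLE_LOG = "\n".join(
    [_line(_T0 + timedelta(seconds=2 * i), "incorrect", "bob@uni-a.example",
           "00-11-22-33-44-55") for i in range(12)]
    + [_line(_T0 + timedelta(seconds=5), "OK", "alice@uni-b.example",
             "66-77-88-99-AA-BB")])

LINE_RE = re.compile(r"^(\S+) radiusd: Login (OK|incorrect)[^\[]*\[([^\]]+)\].*cli (\S+)\)")

def detect_bruteforce(log, threshold=10, window=timedelta(seconds=60)):
    """Return {calling-station-id: peak failures} for every source whose failed
    logins reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "incorrect":
            failures[m.group(4)].append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"))
    offenders = {}
    for cli, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[cli] = max(offenders.get(cli, 0), count)
    return offenders

def backoff_seconds(consecutive_failures, base=1, cap=300):
    """Authentication back-off after N consecutive failures: 1, 2, 4, ... s,
    capped so a legitimate user is never locked out indefinitely."""
    if consecutive_failures <= 0:
        return 0
    return min(cap, base * 2 ** (consecutive_failures - 1))
```

Keying on the calling station rather than the username keeps a single attacker cycling through many identities visible, while the cap limits the denial-of-service a spoofed station identifier could cause a real user.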
4. References