...

| # | Name | Description | Status | Tools | Review Comments |
|---|------|-------------|--------|-------|-----------------|
| 1 | Deploy a firewall | A layer 4 firewall MUST separate all internet-facing RADIUS servers from the internal network. Access must be controlled and monitored. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 2 | Allow ICMP | Firewalls MUST permit ICMP to allow centralised monitoring of RADIUS servers. | MUST | NRO shows web site with ICMP monitoring results (OT manually) | |
| 3 | Limit admin access | System administration (RADIUS and associated systems) MUST be performed over a private internal network ONLY. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 4 | Assess connectivity risks | All protocols permitted access to the servers MUST be risk-assessed (e.g. SMB and RDP may present security risks). | MUST | Carry out assessment (OT manually) | |
| 5 | Regulate external port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for authentication (e.g. UDP 1812, Status-Server 18121, TCP 2083 if RadSec is used). UDP 1645 MUST NOT be used. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | Why do we care about not running 1645. (Or even random other ports, like the hosted SP may do.) |
| 6 | UDP fragmentation | Make sure UDP fragmentation works. | MUST | Test this once a year with eduroam managed IdP - one account per organisation, verify results (OT automatic). Can be checked by peers. | |
| 7 | Regulate internal port access | A deny-all policy MUST be applied, permitting only the minimum ports necessary for administration functions (e.g. TCP 3389 for RDP or TCP 22 for SSH). | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 8 | Undertake patch management | All server operating systems and applications MUST be kept fully patched and up to date (SysAdmins must apply risk assessment criteria when deciding whether to deploy early patches against zero-day exploits or to follow stable releases). | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 9 | Ensure consistent timestamps | All servers MUST be configured against the same time-synched NTP server to minimise issues with log reconciliation. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 10 | Make back-ups | All servers and configuration files MUST be regularly backed up (as a minimum after every configuration change). | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 11 | Conduct monitoring | Servers MUST be configured to detect and log rogue behaviour such as password brute forcing. Where automated defence is possible, it SHOULD be deployed (e.g. increasing authentication back-off times). | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 12 | Retain authentication logs | All authentications to eduroam infrastructure systems MUST be logged. Such logs may constitute personal data and MUST be managed in a GDPR-compliant way. All such logs should be timestamped against a synced NTP source and held for a minimum of <central policy specified period?>. | MUST | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 13 | Enable alerts | Servers MUST be configured to send alerts (with copies of logs) to SysAdmins so that incidents can be detected and responded to in real time. Alert systems should be regularly tested for effectiveness. | MUST | NRO checks that this is the case with the FTLRs (show test results) & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 14 | Deploy secure CA servers | CA servers MUST be hosted on a dedicated, locked-down server in a secure location, configured for minimum user access. Such servers SHOULD have a fully qualified domain name, although this MAY not be published through DNS. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 15 | Enable Message-Authenticator | Where supported, the Message-Authenticator attribute MUST be enabled to prevent injection of fake messages from spoofed IP addresses (see reference 8). | MUST | | EAP requests always carry it |
| 16 | Adopt AES | eduroam Wi-Fi services MUST implement WPA2 Enterprise using the CCMP (AES) algorithm. | MUST | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 17 | Don't intercept traffic | NROs and members MUST NOT deploy interception technology or otherwise monitor the content of visitor or roaming traffic (e.g. do not use TLS or SSL interception proxies). | MUST NOT | NRO checks that this is the case with the FTLRs & NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 18 | Disable PAP | Password Authentication Protocol MUST NOT be used between access points and RADIUS servers. | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 19 | Disable SPAP | Shiva Password Authentication Protocol MUST NOT be used, as its encryption is reversible (see reference 7). | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 20 | Disable MS-CHAPv1 | Challenge Handshake Authentication Protocol is considered weak and MUST NOT be used. | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 21 | Disable WPA-TKIP | The WPA specification MUST NOT be supported and the TKIP algorithm MUST NOT be employed in eduroam services. | MUST NOT | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 22 | Suppress accounting | RADIUS accounting messages MUST NOT be forwarded to the eduroam international RADIUS proxies. They may contain potentially sensitive information and therefore carry GDPR compliance duties. NB: conflicts with existing policy, which states it SHOULD be supported. | MUST NOT | Check accounting messages towards the TLRs (OT automatic) | |
| 23 | Secure RadSec server identities | If RadSec is used, X.509 certificates must be used to identify RADIUS servers. | MUST (optional) | Check FTLR server configuration (NRO self), check TLR configuration (OT automatic) | |
| 24 | Deploy dedicated servers | NRO-level RADIUS servers SHOULD be dedicated to the task, not supporting other local or national services, in order to reduce their attack surface. | SHOULD (MUST?) | NRO verifies that this is the case with the FTLRs (NRO self) | |
| 25 | Suppress VLAN attributes | Dynamic VLAN attributes SHOULD NOT be sent in Access-Accept replies to the NRPS. | SHOULD NOT (MUST NOT?) | | |
| 26 | Adopt network segmentation | Network segmentation SHOULD be considered, placing roaming users into a separate segment from local organisation users. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 27 | Deploy VLAN spoofing countermeasures | The visitor network design SHOULD prevent devices from maliciously placing themselves into unauthorised VLANs. | SHOULD | NRO verifies that this has been communicated to eduroam IdPs/SPs (NRO self) | |
| 28 | Conduct external penetration testing | NROs SHOULD regularly conduct vulnerability assessment of internet-facing eduroam infrastructure. | SHOULD | To be carried out by the NRO in cooperation with the national CERT team (NRO self) | |
| 29 | Conduct internal vulnerability testing | NROs SHOULD regularly conduct vulnerability testing of eduroam infrastructure from within the internal network. | SHOULD | To be carried out by the NRO in cooperation with the national CERT team (NRO self) | |
| 30 | Separate non-eduroam guests | An NRO and its members may offer a public guest Wi-Fi service for those unable to access eduroam; such users SHOULD be provisioned onto a separate network from eduroam visitors, with its own authentication, monitoring and anti-circumvention measures. | SHOULD | | |
| 31 | Incorporate redundancy | NRO-level RADIUS servers SHOULD be deployed in a redundant, diverse configuration to maximise availability and meet SLAs. | SHOULD | | |
| 32 | Deploy hardened servers | NRO-level RADIUS servers SHOULD be hardened to recognised best practice standards (includes secondary/backup RADIUS, certificate servers etc.). | SHOULD | | |
| 33 | Adopt encrypted comms | The NRO SHOULD recommend to members that they use a VPN to protect communications between access points and the RADIUS server. | SHOULD | | |
| 34 | Set Operator-Name | Where possible, the NRO and members SHOULD ensure all Access-Request packets proxied to the NRPS contain the Operator-Name attribute correctly set to the relevant realm. | SHOULD | | |
| 35 | Set eduroam-SP-Country | NROs are advised to set the eduroam-SP-Country attribute, in particular for RadSec. | SHOULD | | (etlr also does it, but not for RadSec) |
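
Requirement 15 relies on the Message-Authenticator attribute so that a RADIUS server can reject Access-Requests that were forged or altered by a party that does not hold the shared secret. The following added example (not part of this requirements page or of any eduroam software) shows the check as RFC 3579 defines it: HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's 16-byte value zeroed; the secret, the User-Name value and the packet itself are constructed for the demonstration.

```python
"""Validate the RADIUS Message-Authenticator attribute (RFC 3579 section 3.2)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MSG_AUTH_TYPE = 80   # Message-Authenticator attribute type; value is 16 bytes
HEADER_LEN = 20      # Code, Identifier, Length, Request Authenticator

def iter_attributes(packet: bytes):
    """Yield (offset, type, value) for each TLV attribute after the header."""
    off = HEADER_LEN
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, packet[off + 2:off + alen]
        off += alen

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that verifies.
    Absence or malformation counts as failure: a server enforcing requirement 15
    rejects Access-Requests without the attribute rather than taking them unsigned."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for off, atype, value in iter_attributes(packet):
            if atype == MSG_AUTH_TYPE and len(value) == 16:
                # HMAC-MD5 keyed with the shared secret over the whole packet with
                # the 16-byte value zeroed; the Request Authenticator stays as received.
                zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False

def build_access_request(secret: bytes, attrs: bytes, ident: int = 1) -> bytes:
    """Constructed test data: an Access-Request signed with Message-Authenticator."""
    body = attrs + bytes([MSG_AUTH_TYPE, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    pkt += os.urandom(16) + body                # random Request Authenticator
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                      # drop the zero placeholder, append MAC

# Demo input (constructed): shared secret and a User-Name=alice attribute (type 1, len 7)
SECRET = b"constructed-shared-secret"
REQUEST = build_access_request(SECRET, bytes([1, 7]) + b"alice")
```

A request built with the right secret verifies; the same bytes with one attribute bit flipped, a wrong secret, a missing attribute or a truncated packet all fail the check.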

...