BRIX Group Limited GOVIS 2007 NZ Parliament: Wired for Wireless

Slides: 31
Provided by: gregs70

1
  • Parliamentary Campus
  • WIRED for Wireless

2
Agenda
  • Parliamentary Service
  • Business Need for Wireless
  • The 2006 Project
  • Security Requirements Standards
  • Operational Management
  • Lessons
  • Summary Risks and Benefits of Wireless

3
Parliamentary Service
  • The Parliamentary Service was set up in 1985 to
    provide administrative and support services to
    the House of Representatives and members of
    Parliament.
  • The services include providing members with
    secretarial and personal assistance, travel,
    research and information services, IT support,
    catering services, buildings and the way they
    run, and all associated administration.

4
Parliamentary Service IT
  • Parliamentary Service IT group is directed by
    John Preval
  • Axon provides the day to day network management
    support under contract
  • The IT group also provides the core Local Area
    Network services across the campus for
    Ministerial Services, DPMC, Parliamentary Counsel
    Office, Office of the Clerk, Cabinet Office and
    Parliamentary Service.
  • Part of the LAN network services is the wireless
    service.

5
Business Need for Wireless
  • The purpose of deploying a secure and seamless
    wireless network across the Parliamentary campus
    is to serve the needs of Parliament, staff
    members, corporate guests and public guests
  • The 2006 WLAN rollout project built on a pilot
    that was designed and installed in late 2005 by
    IBM Integrated Technology Services.
  • Initial coverage included Bowen House, the
    Chamber and Select Committee rooms in Parliament
    House.
  • The purpose of the 2006 WLAN Project was to
    complete the deployment of a wireless network
    across the whole of the Parliamentary Campus
  • At the same time, the technical design was
    upgraded from Cisco WCS to Airwave Management
    Platform, improving the ratio of APs per control
    server from 160 to 1200

6
Specific User Benefits
  • Ease of access to information
  • Able to stay connected to my files when not in
    the office
  • Email from anywhere on the Campus
  • Using the Internet
  • Staying in touch with colleagues, staff members
    when away from the office
  • Being able to research information
  • Being able to accommodate requests for space in
    short notice
  • Removing the need to provide network cabling for
    temporary offices

7
The Project
  • Purpose: Extend corporate LAN by providing
    wireless services across the Parliamentary Campus
  • Start: Mid Jan 2006
  • Finish: August 2006
  • Project delivered in phases
  • Scope extended to cover new Select Committee
    rooms
  • Project delivered to plan and budget

8
Project Phases
  • Activity: Time Spent
  • RFI / RFP: 15
  • Site Survey: 25
  • RF Plan: 10
  • Equipment Purchase: 25
  • Cabling: 50
  • Installation: 25
  • Testing: 10
  • BAU Signover: 0

9
RFI / RFP
  • A RFI was issued in mid Jan 2006
  • A closed RFP was issued in late Jan 2006
  • The final project was awarded to IBM Integrated
    Technology Services in Feb 2006
  • Contractual components were managed under a
    formal Statement of Work and IBM boilerplate
    Terms and Conditions

10
802.1x and Design Consideration
  • There are three standards dominating the WLAN
    marketplace: IEEE 802.11b, IEEE 802.11a and
    IEEE 802.11g.
  • Given the difference in operating frequencies,
    802.11b and 802.11a can coexist within the same
    environment, allowing users to move from one to
    another by switching clients, or using a
    dual-band client (combines both radios into a
    single client).
  • 802.11g delivers the same 54 Mbps maximum data
    rate as 802.11a, yet it offers an additional and
    compelling advantage: backward compatibility with
    802.11b equipment.
  • This means that 802.11b client cards work with
    802.11g APs, and 802.11g client cards work with
    802.11b APs. 802.11g and 802.11b operate in the
    same 2.4 GHz unlicensed band.
  • For high volume or demand networks, an A-B-G mix
    is recommended and will cover older and new
    mobile client cards

11
Site Survey and RF Plan Phase
  • The Site Survey is the MOST important part of
    determining the final wireless architecture
  • Tools: wireless laptop, AP and survey software
  • The survey involves the use of a mobile Access
    Point (AP) with lots of walking into and around
    office spaces and adjacent floors while
    monitoring signal reception
  • Each of the A, B and G radio channels was
    surveyed for Parliament, meaning each office was
    revisited for each channel
  • 5 Buildings and 25 floors were surveyed during
    the exercise
  • Accordingly, TIME must be allowed for a robust
    survey
  • Each survey is 3-dimensional, i.e. radio signals
    can be received on floors above and below,
    depending on the signal strength

12
Site Survey and RF Plan Phase
  • The constraints faced during the campus survey
    included access to Ministers' and members'
    offices, access to the meeting areas, working in
    a Heritage site, working around construction
    sites, sometimes needing a security escort and
    working outside normal hours
  • Strong communications are needed to ensure access
    is provided at the right times for the survey
    team and people know what is happening
  • The Surveys are reported in an RF Plan, normally
    as diagrams of signal density of radio channels,
    the interference patterns and recommended
    settings
  • The RF Plan is critical in determining the
    location of the APs, the accepted data
    throughput and the recommended radio strength

13
Installation Phase
  • Sourcing Cisco network kit carried a 5-7 week
    lead time
  • Cable and patch leads were purchased locally
  • To mitigate the time factor, equipment was bought
    in deliberate instalments; the first lot was
    purchased DURING the site survey
  • This allowed for installation to immediately
    follow the site survey and RF Plan with no loss
    in time
  • The following instalments provided a timed
    delivery of equipment as needed

14
Installation Phase
  • Three cablers were fully utilised for over 3
    months laying cable, patching panels and
    switches, installing radios and tuning them
  • Major constraints: office access, finding
    solutions to heritage building code requirements,
    hiding each radio to minimise visual impact,
    running cable without impacting daily activities

15
Hardware
  • The infrastructure consists of Cisco Catalyst
    switches and Cisco Access Points.
  • 19 x Cisco 3560 Power Over Ethernet Switches
  • 3 x Cisco 3750 Gigabit Switches
  • 63 x Cisco 1231AG Access Points
  • 198 x Cisco 1242AG Access Points
  • 4 x 2100 Blue Socket Gateways
  • 1 x Cisco 2801 Router
  • Over 15 km of cable

16
Cabling
  • Over 15km of cables were laid for the 200 APs
  • The general rule of thumb was to not exceed 90m
    per cable run
  • Parliament House and The Library are Heritage
    Buildings, which provided some challenges where
    existing conduits were either too small or
    non-existent
  • The Executive Wing (Beehive) has special security
    requirements: another challenge

17
Signal Management
  • With the (dual band) Cisco AP 1200, the WLAN can
    yield an aggregate data rate of 108 Mbps (54 Mbps
    plus 54 Mbps) per AP (54 Mbps on 802.11a and 54
    Mbps on 802.11g).
  • Radio strength is deliberately left on low
    strength to minimise spread of the signal of each
    radio.
  • Testing ensured spread was limited to within the
    buildings, thus allowing a better security
    perimeter for monitoring and management
  • Separate monitoring devices are deployed to
    ensure a 24x7 realtime survey of activity through
    each AP

18
Operational Management Software
  • AirMagnet Enterprise has been installed in
    conjunction with the wireless network as a
    security overlay. Monitoring is 24x7.
  • The Airwave Management Platform (AMP) provides
    for managing and controlling the configuration of
    the Access Points throughout the Parliament
    Campus.
  • The BlueSocket Wireless Gateway provides an
    authentication gateway

19
Security Requirements
  • Security for a WLAN is non-negotiable
  • Risks are inherent in any wireless technology.
  • Some of these risks are similar to those of wired
    networks, some are exacerbated by wireless
    connectivity, and some are new.
  • The most significant source of risks in wireless
    networks is that the underlying communications
    medium, the airwave, is open to intruders,
    making it the logical equivalent of an Ethernet
    port in the parking lot.

20
Security Issues
  • It is assumed that any Government agency
    implementing a WLAN will be familiar with NZSITS
    and will work to comply with its requirements
  • Having secured the system and perimeter, there
    are 2 main types of security issues for WLANs:
    Passive and Active attacks
  • A passive attack is where an unauthorised party
    gains access to a WLAN asset and does not modify
    its content, e.g. eavesdropping. Passive attacks
    can be either eavesdropping or traffic analysis.
  • An active attack is where an unauthorised party
    makes modifications to a message, data stream or
    file. It is possible to detect this type of
    attack but it may not be preventable.

21
Securing a WLAN
  • Government Agencies must be aware that
    maintaining a secure wireless network is an
    ongoing process that requires greater effort than
    that required for other networks and systems.
  • It is important that any government Network
    Support team assess risks more frequently and
    test and evaluate security when wireless
    technologies are deployed.
  • Government Agencies must be aware that security
    management practices and controls are especially
    critical to maintaining and operating a secure
    wireless network.
  • It is prudent, while we are in the new phase of
    adding wireless to government networks, to
    consult GCSB at the beginning of a WLAN design
    phase and NOT after installation

22
Going Live Operationally
  • The installation is complete and testing shows a
    robust environment.
  • Now is the time to sign off the project and press
    the button!?
  • WRONG
  • Now is the time to check that all operational
    requirements and processes are in place. This
    includes security, monitoring and fail-over.
23
Operational Requirements
  • Security Policy
  • Client setup procedures roles and passwords
  • SLAs
  • Monitoring and Reporting System
  • Monitoring and Reporting Security
  • Upgrade procedures to Hardware and Software
  • User Management policies
  • Business Continuity practice
  • Architecture management
  • Congratulations, you may have just added 2-3
    people to your IT team

24
Lessons Learned
  • First thing to note is that all parties declared
    the 2006 Parliamentary WLAN project a SUCCESS.
  • The following key points are recommended for any
    Agencies considering a WLAN implementation:
  • Consult all primary key stakeholders early, at
    the outset of the project, and remember,
    especially for Government, the "No Surprises"
    rule.
  • A communications plan is required from the
    beginning of the project. Regular communications
    throughout the project, at multiple
    organisational levels, are essential to
    facilitate smooth delivery and minimise issues.

25
Lessons Learned - 2
  • Longer lead-times from a tender into start date
    and a realistic completion date will allow for:
      • stronger analysis in relation to solution and
        security architecture
      • time for rigorous planning
      • vendors and third parties to secure resources
  • Project management is a critical element:
    communication and escalation paths need to be
    observed to allow the project manager(s) to ensure
    a smooth flow between activity planning, resource
    management and issue mitigation.
  • Project manager(s) need to be familiar with the
    environment and people that the project may
    impact.

26
Lessons Learned - 3
  • Ensure the vendor has walked the full
    environment before tendering to undertake a site
    survey.
  • Know the scope of your WLAN project and its
    hardware and software elements before commencing
    actual work. This facilitates better delivery to
    target.
  • Ensure a WLAN Security Policy is developed and
    accepted BEFORE undertaking a WLAN project.
  • As with any IT project - ensure business goals
    and technical scope and design are properly
    documented and agreed.
  • Regular comms with the local staff are key. In
    this case, while senior and operational managers
    knew of the project, campus-wide communications
    did not necessarily flow downwards to office
    staff.

27
Lessons Learned - 4
  • When providing an integrated environment using
    leading edge technology, ensure the Vendor has
    fully documented operational processes developed
    before handover to Business as Usual.
  • It is recommended that inclusion of GCSB happen
    as part of the initial analysis and design phase
    of any WLAN project in government.
  • From a technical and security perspective, the
    use of IPSec with Microsoft XP is problematic and
    should be avoided.

28
Summary - Risks
  • When implementing WLANs, agencies must be aware
    that security management practices and controls
    are especially critical to maintaining and
    operating a secure wireless network.
  • The very medium that makes wireless so versatile
    is also its greatest weakness: radio waves

29
Summary - Benefits
  • Wireless communications offer organisations and
    users many benefits such as portability and
    flexibility, increased productivity, and lower
    installation costs.
  • Wireless technologies cover a broad range of
    differing capabilities oriented toward different
    uses and needs.
  • The Parliamentary Campus Wireless Local Area
    Network (WLAN) devices allow users to move their
    laptops from place to place within their offices
    and between buildings without the need for wires
    and without losing network connectivity.
  • Less wiring means greater flexibility, increased
    efficiency and reduced wiring costs.

30
Acknowledgements
  • John Preval and Louise Mulligan - Parliamentary
    Service
  • Debbie Clark, John Howell - Axon
  • Lisa Woodley, Trevor Jamieson, Ravi Mistry, Phil
    Gardiner - IBM ITS