WatchGuard Security of the Wi-Fi Cloud

By admin
12/09/2017
Introduction
Across midsize businesses and distributed enterprises, including the public sector, migrating in-house data processing to the cloud has become an accepted strategy for IT departments and service providers. This can raise eyebrows within the security department, because data security controls that were traditionally managed in-house now move into the hands of third parties. Cloud-managed Wi-Fi is no exception to this concern. Hence, WatchGuard has taken proactive steps to build a robust security program for the cloud that strengthens its Wi-Fi access and security solutions. The WatchGuard Wi-Fi Cloud security program comprises multiple pillars, as described throughout this paper.
Local data plane and cloud management plane
In the WatchGuard Wi-Fi Cloud architecture, the wireless data plane (A) is kept local to the network, while the management plane lives in the cloud (B). Wireless data passing through WatchGuard access points (APs) does not flow to the Wi-Fi Cloud; rather, it is routed locally on the network according to the network's routing controls. This also allows local enforcement of data security controls such as content filtering and forensic logging. The authentication and authorisation functions of the data plane are likewise kept local to the network. The management console used to configure and monitor the wireless network is provided from the Wi-Fi Cloud. This console also provides security monitoring of the Wi-Fi environment at the business, to detect and contain undesirable activity in that airspace.
The control plane operates locally in the network among APs (C). This plane implements inter-AP messaging for handoffs, load balancing, RF optimisation, etc., and does not require constant input from the management plane past its initial configuration.
Data collected by cloud management plane
The cloud management plane collects and stores the MAC and IP addresses of devices on the network that are seen by the APs deployed within it. It also collects metadata about those devices, such as their Layer 2 wireless activity (probing, associations), OS, hostname, application usage, location (to the granularity of proximity to APs), and the 802.1X login identities that are transmitted over the air in order to connect to the Wi-Fi network.
It is important to note that passwords used for 802.1X authentication are not collected or stored in the Wi-Fi Cloud, as they are validated by local RADIUS servers. 802.1X user passwords are also not readable by the APs, since the AP only relays the EAP exchange between the client and the authentication server.
For guest Wi-Fi, the cloud management plane also collects and stores the identities that guest users supply during Wi-Fi authentication, to facilitate security audits of guest visitors. Businesses can, if they wish, implement a guest Wi-Fi network with anonymous login instead.
AP-to-Cloud communication
There are three security measures in place to protect AP-to-Cloud communication.
1. Mutual authentication: This occurs every time an AP initiates a connection with the Wi-Fi Cloud. The connection is always opened from inside the customer network outward, and both the AP and the cloud authenticate to one another in the process, so the identity of each party is verified.
2. Per-message authentication: An HMAC-SHA1 authentication code is attached to every message sent from an AP to the Wi-Fi Cloud. This protects the integrity and authenticity of the communication by confirming that the message was sent by the expected entity and was not changed in transit.
3. AES encryption: This is used throughout AP-to-cloud communication, so that messages remain confidential and cannot be read if intercepted.
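The per-message authentication described in point 2, shown as an added example that is not WatchGuard's code and does not reflect the real AP wire format. It assumes a shared key left behind by the mutual authentication step, a JSON message framing, and a per-AP sequence number (the paper does not mention one; it is added here because an authentication tag alone does not stop a captured message from being replayed). The AES confidentiality layer of point 3 is not shown; only the HMAC-SHA1 tag and its verification are.

```python
"""Per-message authentication for AP-to-cloud traffic (added example).

Each message carries the AP identifier, a monotonically increasing sequence
number and the payload. An HMAC-SHA1 tag, keyed with a secret that is assumed
to have been established during mutual authentication, covers all of that.
The receiver recomputes the tag with a constant-time comparison and rejects
replayed or reordered messages. The AES confidentiality layer is not shown.
"""
import hashlib
import hmac
import json
import secrets


class ApSender:
    """The access point side: frames and tags each outbound message."""

    def __init__(self, ap_id, key):
        self.ap_id = ap_id
        self.key = key
        self.seq = 0

    def send(self, payload):
        self.seq += 1
        # Canonical JSON so that sender and receiver tag exactly the same bytes.
        body = json.dumps(
            {"ap": self.ap_id, "seq": self.seq, "payload": payload},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        tag = hmac.new(self.key, body, hashlib.sha1).hexdigest().encode()
        return body + b"." + tag   # assumed wire format: <json>.<hex tag>


class CloudReceiver:
    """The cloud side: verifies the tag, then enforces sequence ordering."""

    def __init__(self, keys):
        self.keys = keys           # ap_id -> shared key
        self.last_seq = {}         # ap_id -> highest sequence number accepted

    def receive(self, wire):
        """Return (payload, "ok") or (None, reason) for a rejected message."""
        body, sep, tag = wire.rpartition(b".")
        if not sep:
            return None, "malformed"
        try:
            msg = json.loads(body)
            ap_id, seq = msg["ap"], int(msg["seq"])
        except (ValueError, KeyError, TypeError):
            return None, "malformed"
        key = self.keys.get(ap_id)
        if key is None:
            return None, "unknown ap"
        expected = hmac.new(key, body, hashlib.sha1).hexdigest().encode()
        # Check the tag first, and in constant time, so that a party without
        # the key learns nothing from the sequence-number check below.
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        if seq <= self.last_seq.get(ap_id, 0):
            return None, "replay"
        self.last_seq[ap_id] = seq
        return msg["payload"], "ok"


def demo():
    """Constructed exchange: accept, replay, tamper, then accept the next one."""
    key = secrets.token_bytes(32)
    ap = ApSender("ap-0001", key)
    cloud = CloudReceiver({"ap-0001": key})

    m1 = ap.send({"event": "client_assoc", "mac": "00:11:22:33:44:55"})
    first = cloud.receive(m1)[1]          # accepted
    replayed = cloud.receive(m1)[1]       # same sequence number delivered twice
    m2 = ap.send({"event": "heartbeat"})
    tampered = cloud.receive(m2.replace(b"heartbeat", b"reboot"))[1]  # body altered
    second = cloud.receive(m2)[1]         # the untouched copy is still accepted
    return first, replayed, tampered, second


if __name__ == "__main__":
    print(demo())
```

HMAC-SHA1 is still a sound MAC (the known collision attacks on SHA-1 do not apply to HMAC), but a new design would normally pick HMAC-SHA256. Note that the tag is verified before the sequence number is consulted: rejecting on sequence first would let an unauthenticated sender probe the receiver's state.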
Wi-Fi Cloud environment in AWS data centre
The WatchGuard Wi-Fi Cloud is deployed as a virtual private cloud (VPC) in the Amazon Web Services (AWS) data centre. In the VPC architecture, the Wi-Fi Cloud environment is logically isolated from the environments of other tenants that co-exist within the AWS data centre. Physical and environmental security for the VPC is provided by AWS (1). Multiple subnets are provisioned inside the WatchGuard VPC to host the WatchGuard application servers. Each subnet has a network ACL (Access Control List) that only allows certain protocols in and out of the subnet (2). The application server virtual machines are deployed as EC2 (Elastic Compute Cloud) instances connected to these subnets. Each EC2 instance that WatchGuard deploys has a host-based firewall configured to allow only the protocols required by the corresponding application in and out of the server (3).
The WatchGuard applications that run on these EC2 virtual machines are themselves port-hardened to ensure that unwarranted services and ports are not accessible (4). The Wi-Fi Cloud is deployed in AWS data centres located around the globe.
Vulnerability scanning
WatchGuard regularly performs three types of vulnerability scans on its cloud-hosted applications as follows.
1. Port scans: As compute instances are launched in different parts of the data centre, it is essential to validate that open ports are restricted to only those that are essential for accessing the application functionality. This reduces the attack surface considerably. WatchGuard performs regular port scans on its cloud environment.
2. WAS (Web Application Security) scans: WAS scans focus on finding vulnerabilities at the web application level. Since the cloud application is accessible over HTTPS (port 443), and therefore from the Internet at large, the objective of a WAS scan is to ensure that there are no exploitable vulnerabilities when an unauthorised user attempts to access the application. Another important objective is to ensure that an authorised (authenticated) user cannot breach application security controls, for example through injection attacks, privilege escalation, or crossing multi-tenancy boundaries. WatchGuard deploys 24×7 automated WAS scanning using WhiteHat Security services and complements it with twice-yearly manual (deep) scans by WhiteHat Security experts.
3. Software component scans: These scans audit the software modules within the application for missing security patches, stale versions, and misconfigurations. WatchGuard performs software component scans on all its cloud applications at least once a quarter using the Nessus Enterprise tool.
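The port-scan validation in point 1, as an added example rather than WatchGuard's own tooling: a TCP connect scan of one host compared against an allowlist of ports that are supposed to be reachable. The allowlist of just 443 follows the paper's statement that the application is exposed over HTTPS only; the host name and the set of "open" ports used in the offline run are constructed.

```python
"""Port-exposure check for a cloud-hosted instance (added example).

Scans a host with plain TCP connect probes and compares what is open with an
allowlist, reporting both unexpected listeners (extra attack surface) and
allowed ports that are not answering (a service that should be up). The probe
is injectable so the comparison logic can be exercised offline.
"""
import socket


def tcp_connect_probe(host, port, timeout=0.5):
    """Return True if a TCP three-way handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host, ports, probe=tcp_connect_probe):
    """Return the set of ports on host that accept a connection."""
    return {port for port in ports if probe(host, port)}


def check_exposure(host, ports, allowed, probe=tcp_connect_probe):
    """Compare the open ports on host with the allowlist for that host."""
    open_ports = scan_ports(host, ports, probe)
    allowed = set(allowed)
    unexpected = sorted(open_ports - allowed)
    return {
        "host": host,
        "open": sorted(open_ports),
        "unexpected": unexpected,                        # listeners the policy does not permit
        "not_listening": sorted(allowed - open_ports),   # permitted but nothing answering
        "compliant": not unexpected,
    }


# Constructed stand-in for a live host: pretend only these ports answer.
FAKE_LISTENERS = {22, 443, 8080}


def fake_probe(host, port, timeout=0.5):
    return port in FAKE_LISTENERS


if __name__ == "__main__":
    # Real scan of the local machine against a web-only policy.
    print(check_exposure("127.0.0.1", range(1, 1025), {443}))
```

A connect scan sees the instance the way an Internet client does, so it exercises the security group, the subnet network ACL and the host firewall together; if an unexpected port shows up, the next step is to work out which of those three layers let it through.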
Data encryption
WatchGuard encrypts data in transit using AES. This covers HTTPS access to the management GUI, communication between WatchGuard APs and the Wi-Fi Cloud, and all interactions between the different WatchGuard servers and applications in the cloud (HTTPS). AES encryption is also applied to data at rest. Database backups of WatchGuard applications in the cloud are stored in AWS S3 and Glacier and are AES-encrypted. The live database of the Wi-Fi Cloud's Manage application, the flagship application that provides the wireless management console, resides in AWS EBS (Elastic Block Store) and is also AES-encrypted.
Access control
WatchGuard personnel need to access the cloud applications for provisioning, maintenance and resolving support issues. WatchGuard implements access control mechanisms that limit WatchGuard personnel's access to customer accounts to the minimum required. Privilege escalation for any task that requires a higher level of access is subject to the customer's permission and is granted only for a temporary period. Employees who may work with such privileges must first pass background screening. Maintenance access to an EC2 server must go through bastion hosts. Login to the bastion hosts is over SSH and is allowed only from specific IP addresses. The bastion hosts implement strong access control and auditing functions to prevent unauthorised maintenance access (5).
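The network controls from the "Wi-Fi Cloud environment in AWS data centre" section (subnet and instance-level filtering, HTTPS as the only Internet-facing service) and the bastion rule just above (SSH only from specific addresses, instances reachable only via the bastion) can be expressed as a policy and checked against what is actually deployed. The following is an added example, not WatchGuard's configuration or tooling: it audits security groups in the shape returned by `aws ec2 describe-security-groups`. The group names and IDs, the policy and the admin address range are constructed.

```python
"""Policy check over AWS security-group ingress rules (added example).

Takes security groups in the shape returned by `aws ec2 describe-security-groups`
and flags any ingress rule that a per-group policy does not explicitly allow.
The sample groups, the policy and the admin CIDR are constructed here; the
group names and IDs are not WatchGuard's.
"""

# Constructed policy: every permitted ingress rule, per group name.
# A source is "cidr:<CIDR>" or "sg:<security-group-id>".
ADMIN_CIDR = "203.0.113.0/24"   # TEST-NET-3 placeholder for the admin address range
POLICY = {
    # Bastion: SSH only from the admin range.
    "bastion": {("tcp", 22, 22, "cidr:" + ADMIN_CIDR)},
    # Application tier: HTTPS from the Internet, SSH only via the bastion group.
    "app": {
        ("tcp", 443, 443, "cidr:0.0.0.0/0"),
        ("tcp", 22, 22, "sg:sg-0bastion"),
    },
}

# Constructed input shaped like describe-security-groups output; the last rule
# on the app group is the kind of drift this check should catch.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def flatten(permission):
    """Expand one IpPermissions entry into (proto, from, to, source) tuples."""
    proto = permission.get("IpProtocol")
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    for r in permission.get("IpRanges", []):
        yield (proto, lo, hi, "cidr:" + r["CidrIp"])
    for r in permission.get("Ipv6Ranges", []):
        yield (proto, lo, hi, "cidr:" + r["CidrIpv6"])
    for p in permission.get("UserIdGroupPairs", []):
        yield (proto, lo, hi, "sg:" + p["GroupId"])


def audit(groups, policy):
    """Return one finding string per ingress rule the policy does not allow."""
    findings = []
    for g in groups:
        allowed = policy.get(g["GroupName"])
        if allowed is None:
            findings.append(f'{g["GroupId"]}: no policy for group "{g["GroupName"]}"')
            continue
        for rule in (r for perm in g.get("IpPermissions", []) for r in flatten(perm)):
            if rule[0] == "-1":   # AWS encodes "all traffic" as protocol -1
                findings.append(f'{g["GroupId"]}: all-protocol ingress from {rule[3]}')
            elif rule not in allowed:
                findings.append(f'{g["GroupId"]}: unexpected ingress {rule}')
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS, POLICY) or ["no findings"]:
        print(line)
```

To run it against a real account, load the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` and pass it as `groups`. Network ACL entries from `describe-network-acls` can be audited the same way with a second policy table; the security group is only one of the layers the paper lists, so a clean result here says nothing about the host firewall or the application's own port hardening.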
Compliance certifications
WatchGuard pursues security compliance certifications that include third party scrutiny (audit) and validation of the WatchGuard Wi-Fi Cloud security controls geared towards confidentiality, integrity, and availability (the CIA triad).
WatchGuard has achieved ISO 27001:2013 certification for its Information Security Management System (ISMS). The scope of WatchGuard’s ISO certification covers all its operations.
WatchGuard is currently in the process of obtaining its own SSAE 16 SOC 2 validation for its production Wi-Fi Cloud. Of course, the AWS data centres where WatchGuard applications are hosted are already SSAE 16 SOC 2 certified. However, data centre SSAE certification by itself isn’t adequate to guarantee comprehensive cloud security for the customers. This is because there are a number of cloud operations that are handled by application providers such as WatchGuard that are beyond the scope of SSAE certification of the data centre itself. WatchGuard’s SSAE control framework covers such operations.
Summary
Shifting from traditional controller-based management to modern cloud-based management offers a myriad of benefits, from dramatically reduced TCO to increased scalability. With the WatchGuard Wi-Fi Cloud, businesses can enjoy all of the valuable features afforded by a cloud-based management solution, without ever compromising on security.