Implementing Security for Wireless Networks

Presenter Name
Job Title
Company
Session Prerequisites
Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®
Basic understanding of wireless LAN technology
Basic understanding of Microsoft® Certificate Services
Basic understanding of RADIUS and remote access protocols
Level 300
Agenda
Overview of Wireless Solutions
Securing a Wireless Network
Implementing a Wireless Network Using Password Authentication
Configuring Wireless Network Infrastructure Components
Configuring Wireless Network Clients
Identifying the Need to Secure a Wireless Network
When designing security for a wireless network, consider:
Network authentication and authorization
Data protection
Wireless access point configuration
Security management
The abuse of wireless networks is growing!
Common Security Threats to Wireless Networks
Security threats include:
Disclosure of confidential information
Unauthorized access to data
Impersonation of an authorized client
Interruption of the wireless service
Unauthorized access to the Internet
Accidental threats
Unsecured home wireless setups
Unauthorized WLAN implementations
Understanding Wireless Network Standards and Technologies
Standard: Description
802.11: A base specification that defines the transmission concepts for wireless LANs
802.11a: Transmission speeds up to 54 megabits per second (Mbps)
802.11b: 11 Mbps; good range but susceptible to radio signal interference
802.11g: 54 Mbps; shorter ranges than 802.11b
802.1X: A standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing the keys used to protect traffic
Wireless Network Implementation Options
Wireless network implementation options include:
Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
Wireless network security using Certificate Services
Choose the Appropriate Wireless Network Solution

Wireless network solution: Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Certificates used for client authentication: No
  Passwords used for client authentication: Yes (uses the WPA encryption key to authenticate to the network)
  Typical data encryption method: WPA
  Additional infrastructure components required: None
  Typical environment: Small Office/Home Office (SOHO)

Wireless network solution: Password-based wireless network security
  Certificates used for client authentication: No (however, a certificate is issued to validate the IAS server)
  Passwords used for client authentication: Yes
  Typical data encryption method: WPA or Dynamic WEP
  Additional infrastructure components required: Internet Authentication Services (IAS); a certificate is required for the IAS server
  Typical environment: Small to medium organization

Wireless network solution: Certificate-based wireless network security
  Certificates used for client authentication: Yes
  Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
  Typical data encryption method: WPA or Dynamic WEP
  Additional infrastructure components required: Internet Authentication Services (IAS); Certificate Services
  Typical environment: Medium to large organization
Understanding Elements of WLAN Security
To effectively secure a wireless network, consider:
Authentication of the person or device connecting to the wireless network
Authorization of the person or device to use the WLAN
Protection of the data transmitted over the WLAN
Auditing of WLAN access
Providing Effective Authentication and Authorization
Standard: Description
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses public key certificates to authenticate clients
Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
Tunneled Transport Layer Security (TTLS): A two-stage authentication method similar to PEAP; Microsoft does not support this method
Protecting WLAN Data Transmissions
Wireless data encryption standards in use today include:
Wired Equivalent Privacy (WEP)
Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
Compatible with most hardware and software devices
(How is this a “wired equivalent”?! Trust me: WEP sucks)
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
Wi-Fi Protected Access (WPA)
Changes the encryption key with each packet
Uses a longer initialization vector
Adds a signed message integrity check value
Incorporates an encrypted frame counter
(Use WPA if you are serious about security)
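The three WPA properties just listed (a key that changes with every packet, a keyed message integrity check, and a frame counter) are what let a receiver refuse tampered and replayed frames. The following is an added example, not code from the deck and not TKIP or CCMP: it models those checks with HMAC-SHA256 and SHA-256 stand-ins so you can see which frames a WPA-style receiver accepts and which it drops. The helper names (protect, Receiver, per_packet_key, xor_stream), the toy keystream, the 8-byte MIC length and the session key are all constructed for the illustration; a real session key comes from the 802.1X key agreement.

```python
import hashlib
import hmac
import struct

# Added illustration of WPA-style per-frame protection (NOT TKIP/CCMP): per-packet key,
# keyed message integrity check (MIC) and a monotonically increasing frame counter.
MIC_LEN = 8          # constructed choice: truncated tag length for the toy MIC
COUNTER_LEN = 8      # frame counter is sent in clear as an 8-byte big-endian header


def per_packet_key(session_key: bytes, counter: int) -> bytes:
    """Derive a fresh key for each frame from the session key and the frame counter."""
    return hmac.new(session_key, b"per-packet" + struct.pack(">Q", counter), hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a keystream expanded from the per-packet key (stand-in for RC4/AES)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(session_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Sender: frame = counter || ciphertext || MIC, where the MIC covers counter and ciphertext."""
    header = struct.pack(">Q", counter)
    body = xor_stream(per_packet_key(session_key, counter), plaintext)
    mic = hmac.new(session_key, header + body, hashlib.sha256).digest()[:MIC_LEN]
    return header + body + mic


class Receiver:
    """Receiver side: verify the MIC, reject replays, then decrypt with the per-packet key."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.last_counter = -1      # highest counter accepted so far
        self.rejected = []          # reasons for every dropped frame, for the audit trail

    def accept(self, frame: bytes):
        """Return the plaintext, or None if the frame is too short, tampered with, or replayed."""
        if len(frame) < COUNTER_LEN + MIC_LEN:
            self.rejected.append("short")
            return None
        header, body, mic = frame[:COUNTER_LEN], frame[COUNTER_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.session_key, header + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            self.rejected.append("bad-mic")     # modified in transit or forged
            return None
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            self.rejected.append("replay")      # old frame played back
            return None
        self.last_counter = counter
        return xor_stream(per_packet_key(self.session_key, counter), body)


def demo():
    """Send two frames, replay the first, tamper with the second, then deliver the second intact."""
    key = bytes(range(32))                      # constructed session key for the demo only
    rx = Receiver(key)
    f1 = protect(key, 1, b"GET /index.html")
    f2 = protect(key, 2, b"POST /login")
    tampered = bytearray(f2)
    tampered[10] ^= 0x01                        # flip one ciphertext bit
    results = [rx.accept(f1), rx.accept(f1), rx.accept(bytes(tampered)), rx.accept(f2)]
    return results, rx.rejected


if __name__ == "__main__":
    print(demo())
```

The MIC is checked before the replay counter so that a forged frame can never move the receiver's replay window; the counter is only advanced for frames that verified. The "bad-mic" and "replay" reasons are the kind of events worth surfacing to monitoring, since WEP's CRC-32 integrity check and 24-bit IV give a receiver neither signal.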
Alternative Approaches to Encrypt WLAN Traffic
Alternatives used to protect WLAN traffic include the use of:
Virtual Private Network (VPN)
Internet Protocol Security (IPSec)
System Requirements for Implementing 802.1X
Component: Requirements
Client devices: Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
Wireless access points: At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption
Guidelines for Securing Wireless Networks
Require data protection for all wireless communications
Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
Use software scanning tools to locate and shut down rogue access points on your corporate network
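The last guideline, locating rogue access points, is in practice a comparison of what a scanner sees against what you know you deployed. The following is an added example, not a tool from the deck or from Microsoft: it triages constructed scan results against an inventory of authorized access points. The scan text format (tab-separated BSSID, SSID, security mode), the BSSIDs, the security labels and the inventory are all constructed; the deck's sample SSID "Northwind" is reused as the corporate SSID. A real scanner has its own output format, and its parsed rows would be fed into classify().

```python
# Added example: rogue access point triage against an inventory (constructed data).
AUTHORIZED_APS = {                       # constructed inventory: BSSID -> SSID it should advertise
    "00:11:22:33:44:01": "Northwind",
    "00:11:22:33:44:02": "Northwind",
}
CORPORATE_SSIDS = {"Northwind"}
ALLOWED_SECURITY = {"WPA-802.1X", "WEP-802.1X"}   # 802.1X-based modes this deployment permits

# Constructed scan output, tab separated: BSSID, SSID, security mode (one duplicate on purpose)
SCAN_RESULTS = """\
00:11:22:33:44:01\tNorthwind\tWPA-802.1X
00:11:22:33:44:02\tNorthwind\tWEP-802.1X
de:ad:be:ef:00:01\tNorthwind\tOPEN
de:ad:be:ef:00:02\tNorthwind\tWPA-PSK
00:11:22:33:44:99\tGuest-Printer\tOPEN
00:11:22:33:44:02\tNorthwind\tWEP-802.1X
"""


def parse_scan(text):
    """Parse the constructed scan format into unique (bssid, ssid, security) tuples."""
    seen = set()
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bssid, ssid, security = line.split("\t")
        row = (bssid.lower(), ssid, security)
        if row not in seen:            # repeated sightings across scans collapse to one row
            seen.add(row)
            rows.append(row)
    return rows


def classify(rows):
    """Return (bssid, ssid, category) for every access point that needs attention."""
    findings = []
    for bssid, ssid, security in rows:
        if bssid in AUTHORIZED_APS:
            if AUTHORIZED_APS[bssid] != ssid:
                findings.append((bssid, ssid, "authorized-ap-wrong-ssid"))
            elif security not in ALLOWED_SECURITY:
                findings.append((bssid, ssid, "authorized-ap-weak-security"))
            # otherwise: known AP, expected SSID, 802.1X in use -> nothing to report
        elif ssid in CORPORATE_SSIDS:
            # Unknown radio advertising the corporate SSID: clients may be lured onto it
            findings.append((bssid, ssid, "impersonating-corporate-ssid"))
        else:
            # Unknown radio in range: verify whether it is plugged into the corporate LAN
            findings.append((bssid, ssid, "unknown-ap"))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_scan(SCAN_RESULTS)):
        print(*finding)
```

Two categories deserve a response before the third: an unknown radio advertising the corporate SSID (clients configured to validate the IAS server certificate will not complete PEAP against it, but clients without that setting might), and an authorized AP whose security mode has drifted away from 802.1X. An unknown AP with a foreign SSID may be a neighbour's; the scan alone cannot tell whether it is attached to your wired network, so that finding is a prompt to check the switch port, not a verdict.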
Components Required to Implement PEAP-MS-CHAP v2
Component: Explanation
Wireless Client: Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption; user and computer accounts are created in the domain
Wireless Access Point: Must support 802.1X and dynamic WEP or WPA encryption; the wireless access point and RADIUS server have a shared secret to enable them to securely identify each other
RADIUS/IAS Server: Uses Active Directory to verify the credentials of WLAN clients; makes authorization decisions based upon an access policy; may also collect accounting and audit information; a certificate is installed to provide server authentication
Design Criteria for PEAP-MS-CHAP v2 Solution
Security Requirements
Scalability
Availability
Platform Support
Extensibility
Standards Conformance
How 802.1X with PEAP and Passwords Works
(Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS) and Internal Network; numbered steps as recovered from the figure)
1. Client connect
2. Client authentication, server authentication and key agreement
3. Authorization
4. WLAN encryption key distribution
5. Internal network access
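The exchange above depends on two things the earlier component table states: the access point relays the client's EAP traffic to the RADIUS (IAS) server, and the access point and RADIUS server share a secret so that they can identify each other. The following is an added example, not code from the deck, from Microsoft, or from any access point firmware: a simplified 802.1X authenticator that keeps a client's controlled port closed until it receives an Access-Accept whose Response Authenticator verifies under the shared secret. The RADIUS packet layout and the Response Authenticator (MD5 over code, identifier, length, the Request Authenticator, the attributes and the secret) follow RFC 2865; the port model, the stub RADIUS server, the client names, the identities and the secret value are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example (not the deck's scripts): an 802.1X authenticator that opens a client's
# controlled port only after a RADIUS Access-Accept verified with the AP/RADIUS shared
# secret. Packet layout and Response Authenticator per RFC 2865; the rest is constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE = 1, 79            # RADIUS attribute types (RFC 2865, RFC 2869)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length (value + 2), value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """RADIUS header (code, identifier, length) + 16-byte authenticator + attributes."""
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def radius_server_respond(request_pkt, secret, decision):
    """Stub RADIUS (IAS) server: answer the request with the given decision, signed with secret."""
    _, ident, _ = struct.unpack(">BBH", request_pkt[:4])
    request_auth = request_pkt[4:20]
    # An Access-Accept carries EAP-Success (code 3, id 1, length 4) in an EAP-Message attribute
    attrs = [(EAP_MESSAGE, b"\x03\x01\x00\x04")] if decision == ACCESS_ACCEPT else []
    auth = response_authenticator(decision, ident, request_auth, attrs, secret)
    return build_packet(decision, ident, auth, attrs)


class Authenticator:
    """Access point side: one controlled port per client, closed until the client is authorized."""

    def __init__(self, shared_secret):
        self.secret = shared_secret
        self.authorized = set()      # clients whose controlled port is open
        self.pending = {}            # RADIUS identifier -> (client, Request Authenticator)
        self.next_id = 0

    def forward_data(self, client, frame):
        """Data frames reach the internal network only through an open controlled port."""
        return frame if client in self.authorized else None

    def access_request(self, client, identity):
        """Relay the client's EAP-Response/Identity to RADIUS inside an Access-Request."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        request_auth = os.urandom(16)                 # fresh Request Authenticator per request
        eap = b"\x02\x01" + struct.pack(">H", 5 + len(identity)) + b"\x01" + identity.encode()
        attrs = [(USER_NAME, identity.encode()), (EAP_MESSAGE, eap)]
        self.pending[ident] = (client, request_auth)
        return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

    def radius_response(self, pkt):
        """Trust the server's decision only if its Response Authenticator checks out under our secret."""
        code, ident, length = struct.unpack(">BBH", pkt[:4])
        if length != len(pkt) or ident not in self.pending:
            return "dropped"
        client, request_auth = self.pending[ident]
        expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, pkt[4:20]):
            return "dropped"         # wrong shared secret: not our RADIUS server, port stays closed
        del self.pending[ident]
        if code == ACCESS_ACCEPT:
            self.authorized.add(client)
            return "authorized"
        return "rejected"


def demo():
    """One client sees a response under the wrong secret, then a genuine one; a second is rejected."""
    secret = b"constructed-shared-secret"            # constructed; use a long random secret in practice
    ap = Authenticator(secret)
    out = {"before": ap.forward_data("client-a", b"data")}
    req = ap.access_request("client-a", "alice@northwind.example")
    out["wrong_secret"] = ap.radius_response(radius_server_respond(req, b"wrong-secret", ACCESS_ACCEPT))
    out["after_wrong_secret"] = ap.forward_data("client-a", b"data")
    out["genuine"] = ap.radius_response(radius_server_respond(req, secret, ACCESS_ACCEPT))
    out["after"] = ap.forward_data("client-a", b"data")
    req_b = ap.access_request("client-b", "bob@northwind.example")
    out["reject"] = ap.radius_response(radius_server_respond(req_b, secret, ACCESS_REJECT))
    out["reject_port"] = ap.forward_data("client-b", b"data")
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

The Response Authenticator is what ties an Access-Accept to the specific Access-Request the access point sent and to the secret only the two of them hold; the model above therefore never opens a port on an unverified reply. RFC 3579 additionally requires a Message-Authenticator attribute (HMAC-MD5 under the same secret) on RADIUS packets that carry EAP, and in a real PEAP deployment the server is also authenticated to the client through TLS with the IAS server certificate, which this model does not show.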
Identifying the Services for the PEAP WLAN Network
(Diagram: Headquarters and Branch Office LANs, each with access points and WLAN clients; servers shown include primary and secondary IAS/DNS/DC, IAS/CA/DC and DHCP)
Services used by the solution:
Domain Controller (DC)
RADIUS (IAS)
Certification Authority (CA)
DHCP Services (DHCP)
DNS Services (DNS)
Preparing the Environment
Install the WLAN scripts using: Microsoft WLAN-PEAP.msi
Install the additional tools on the IAS servers:
Group Policy Management Console
CAPICOM
DSACLs.exe
The .MSI is on the DVD you’ll get today!
Preparing the Environment (demo)
Creating Security Groups
Installing CAPICOM
Configuring the Network Certification Authority
The CA is used to issue computer certificates to the IAS servers
To install Certificate Services, log on with an account that is a member of:
Enterprise Admins
Domain Admins
Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
Auto enrollment of certificates to both computers and users
Version 2 certificate templates
Editable certificate templates
Archival of keys
Reviewing the Certification Authority Installation Parameters
Certificate templates available: Computer (Machine)
Drive and path of CA request files: C:\CAConfig
Length of CA key: 2048 bits
Validity period: 25 years
Validity period of issued certificates: 2 years
CRL publishing interval: 7 days
CRL overlap period: 4 days
Installing the Certification Authority
1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSSetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig
(*You can do all this in the GUI... but why?)
Configuring the Certification Authority (demo)
Configuring Post-Installation Settings
Importing the Automatic Certificate Request GPO
Verifying the Configuration
Configuring Internet Authentication Services (IAS)
IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.
IAS configuration categories include:
IAS Server Settings
IAS Access Policies
RADIUS Logging
Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
IAS Logging to Windows Event Log
IAS RADIUS Logging
Remote Access Policy
Remote Access Policy Profile
Installing the IAS Server
1. Run MSSsetup CheckIASEnvironment
2. Run MSSsetup InstallIAS
3. Register the IAS server into Active Directory
4. Restart the server to automatically enroll the IAS server certificate
5. Configure logging and the remote access policy
6. Export IAS settings to be imported to another server
Configuring the IAS Server (demo)
Validating the IAS Environment
Verifying IAS Server Certificate Deployment
Post-Installation Configuration Tasks
Modifying the WLAN Access Policy Profile Settings
Verifying the Connection Request Policy for WLAN
Exporting the IAS Settings
Configuring Wireless Access Points
1. Run MssTools AddRadiusClient
2. Run MssTools AddSecRadiusClients
3. Configure the Wireless Access Points
Wireless Access Point Configuration Parameters
Configure the basic network settings such as:
IP configuration of the access point
Friendly name of the access point
Wireless network name (SSID)
Typical settings for a wireless access point include:
Authentication parameters
Encryption parameters
RADIUS authentication
RADIUS accounting
Wireless Access Point Configuration (demo)
Adding Access Points to the Initial IAS Server
Configuring Wireless Access Points
Controlling WLAN Access Using Security Groups
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy
Security group: Default members
Wireless LAN Access: Wireless LAN Users; Wireless LAN Computers
Wireless LAN Users: Domain Users
Wireless LAN Computers: Domain Computers
Configuring Windows XP WLAN Clients
1. Install required patches and updates
2. Create the WLAN client GPO using GPMC
3. Deploy the WLAN settings
Reviewing WLAN Client Parameters
Parameter: Setting
Group to allow WLAN access: Wireless LAN Access
Group to allow WLAN access for users: Wireless LAN Users
Group to allow WLAN access for computers: Wireless LAN Computers
WLAN GPO name: WLAN Client Settings
GPO filtering security group: Wireless LAN Computer Settings
Wireless network policy name: Windows XP WLAN Client Settings (PEAP-WEP)
WLAN network name (SSID): Northwind (change this to your SSID)
EAP type: PEAP
PEAP authentication method: Secured Password (EAP-MSCHAP v2)
PEAP fast reconnect: Enabled
Creating the WLAN Client Settings GPO (demo)
Create a WLAN Client GPO Using the GPMC
Session Summary
There are bad people out there who want your WLAN, but you can deploy this securely!
Determine your organization’s wireless requirements
Require 802.1X authentication
Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
Use the scripts provided by the PEAP and Passwords solution
Use security groups and Group Policy to control WLAN client access