Implementing Security for Wireless Networks
Presenter Name, Job Title, Company

Post on 18-Dec-2015


TRANSCRIPT

Page 1: Implementing Security for Wireless Networks

Presenter Name
Job Title
Company

Page 2: Session Prerequisites

• Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®
• Basic understanding of wireless LAN technology
• Basic understanding of Microsoft® Certificate Services
• Basic understanding of RADIUS and remote access protocols

Level 300

Page 3: Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

Page 4: Identifying the Need to Secure a Wireless Network

When designing security for a wireless network consider:
• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management

Page 5: The abuse of wireless networks is growing!

Page 6: Common Security Threats to Wireless Networks

Security threats include:
• Disclosure of confidential information
• Unauthorized access to data
• Impersonation of an authorized client
• Interruption of the wireless service
• Unauthorized access to the Internet
• Accidental threats
• Unsecured home wireless setups
• Unauthorized WLAN implementations

Page 7: Understanding Wireless Network Standards and Technologies

Standard: Description
• 802.11: A base specification that defines the transmission concepts for wireless LANs
• 802.11a: Transmission speeds up to 54 megabits per second (Mbps)
• 802.11b: 11 Mbps; good range but susceptible to radio signal interference
• 802.11g: 54 Mbps; shorter range than 802.11b
• 802.1X: A standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing the keys used to protect traffic

Page 8: Wireless Network Implementation Options

Wireless network implementation options include:
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services

Page 9: Choose the Appropriate Wireless Network Solution

(Table columns: Wireless Network Solution; Typical Environment; Additional Infrastructure Components Required?; Certificates Used for Client Authentication; Passwords Used for Client Authentication; Typical Data Encryption Method)

Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Typical environment: Small Office/Home Office (SOHO)
• Additional infrastructure components required: None
• Certificates used for client authentication: No
• Passwords used for client authentication: Yes (uses the WPA encryption key to authenticate to the network)
• Typical data encryption method: WPA

Password-based wireless network security
• Typical environment: Small to medium organization
• Additional infrastructure components required: Internet Authentication Services (IAS); a certificate is required for the IAS server
• Certificates used for client authentication: No (however, a certificate is issued to validate the IAS server)
• Passwords used for client authentication: Yes
• Typical data encryption method: WPA or dynamic WEP

Certificate-based wireless network security
• Typical environment: Medium to large organization
• Additional infrastructure components required: Internet Authentication Services (IAS); Certificate Services
• Certificates used for client authentication: Yes
• Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
• Typical data encryption method: WPA or dynamic WEP

Page 10: Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

Page 11: Understanding Elements of WLAN Security

To effectively secure a wireless network consider:
• Authentication of the person or device connecting to the wireless network
• Authorization of the person or device to use the WLAN
• Protection of the data transmitted over the WLAN

(Diagram label: Audit WLAN Access)

Page 12: Providing Effective Authentication and Authorization

Standard: Description
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses public key certificates to authenticate clients
• Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
• Tunneled Transport Layer Security (TTLS): A two-stage authentication method similar to PEAP; Microsoft does not support this method

Page 13: Protecting WLAN Data Transmissions

Wireless data encryption standards in use today include:

• Wired Equivalent Privacy (WEP)
  • Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  • Compatible with most hardware and software devices
  • (How is this a “wired equivalent”?! Trust me: WEP sucks) http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

• Wi-Fi Protected Access (WPA)
  • Changes the encryption key with each packet
  • Uses a longer initialization vector
  • Adds a signed message integrity check value
  • Incorporates an encrypted frame counter
  • (Use WPA if you are serious about security)

Page 14: Alternative Approaches to Encrypt WLAN Traffic

Alternatives used to protect WLAN traffic include the use of:
• Virtual Private Network (VPN)
• Internet Protocol Security (IPSec)

Page 15: System Requirements for Implementing 802.1X

Component: Requirements
• Client devices: Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
• RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
• Wireless access points: At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption

Page 16: Guidelines for Securing Wireless Networks

• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
• Use software scanning tools to locate and shut down rogue access points on your corporate network

Page 17: Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

Page 18: Components Required to Implement PEAP-MS-CHAP v2

Component: Explanation
• Wireless Client: Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption; user and computer accounts are created in the domain
• Wireless Access Point: Must support 802.1X and dynamic WEP or WPA encryption; the wireless access point and RADIUS server have a shared secret that enables them to securely identify each other
• RADIUS/IAS Server: Uses Active Directory to verify the credentials of WLAN clients; makes authorization decisions based upon an access policy; may also collect accounting and audit information; has a certificate installed to provide server authentication

Page 19: Design Criteria for PEAP-MS-CHAP v2 Solution

• Security Requirements
• Scalability
• Availability
• Platform Support
• Extensibility
• Standards Conformance

Page 20: How 802.1X with PEAP and Passwords Works

(Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS) and Internal Network, with numbered steps)
1. Client connect
2. Client authentication, server authentication and key agreement
3. Key distribution and authorization
4. WLAN encryption
5. (step label not present in the transcript; arrow to the Internal Network)

Page 21: Identifying the Services for the PEAP WLAN Network

• Domain Controller (DC)
• RADIUS (IAS)
• Certification Authority (CA)
• DHCP Services (DHCP)
• DNS Services (DNS)

(Diagram: Headquarters and Branch Office sites, each with WLAN clients, access points and a LAN; server roles shown are DHCP, IAS/CA/DC and IAS/DNS/DC, as primary and secondary servers)

Page 22: Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

Page 23: Preparing the Environment

Install the WLAN scripts using: Microsoft WLAN-PEAP.msi

Install the additional tools on the IAS servers:
• Group Policy Management Console
• CAPICOM
• DSACLs.exe

The .MSI is on the DVD you’ll get today!

Page 24: Preparing the Environment (demo)

• Creating Security Groups
• Installing CAPICOM

Page 25: Configuring the Network Certification Authority

The CA is used to issue computer certificates to the IAS servers.

To install Certificate Services, log on with an account that is a member of:
• Enterprise Admins
• Domain Admins

Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
• Auto-enrollment of certificates to both computers and users
• Version 2 certificate templates
• Editable certificate templates
• Archival of keys

Page 26: Reviewing the Certification Authority Installation Parameters

• Certificate templates available: Computer (Machine)
• Drive and path of CA request files: C:\CAConfig
• Length of CA key: 2048 bits
• Validity period: 25 years
• Validity period of issued certificates: 2 years
• CRL publishing interval: 7 days
• CRL overlap period: 4 days

Page 27: Installing the Certification Authority

1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSSetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig

(*You can do all this in the GUI… but why?)

Page 28: Configuring the Certification Authority (demo)

• Configuring Post-Installation Settings
• Importing the Automatic Certificate Request GPO
• Verifying the Configuration

Page 29: Configuring Internet Authentication Services (IAS)

IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.

IAS configuration categories include:
• IAS Server Settings
• IAS Access Policies
• RADIUS Logging

Page 30: Reviewing IAS Configuration Parameters

IAS parameters that are to be configured include:
• IAS logging to the Windows Event Log
• IAS RADIUS logging
• Remote Access Policy
• Remote Access Policy Profile

Page 31: Installing the IAS Server

1. Run MSSsetup CheckIASEnvironment
2. Run MSSsetup InstallIAS
3. Register the IAS server in Active Directory
4. Restart the server to automatically enroll the IAS server certificate
5. Configure logging and the remote access policy
6. Export the IAS settings to be imported on another server

Page 32: Configuring the IAS Server (demo)

• Validating the IAS Environment
• Verifying IAS Server Certificate Deployment
• Post-Installation Configuration Tasks
• Modifying the WLAN Access Policy Profile Settings
• Verifying the Connection Request Policy for WLAN
• Exporting the IAS Settings

Page 33: Configuring Wireless Access Points

1. Run MssTools AddRadiusClient
2. Run MssTools AddSecRadiusClients
3. Configure the wireless access points

Page 34: Wireless Access Point Configuration Parameters

Configure the basic network settings such as:
• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)

Typical settings for a wireless access point include:
• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting

Page 35: Wireless Access Point Configuration (demo)

• Adding Access Points to the Initial IAS Server
• Configuring Wireless Access Points

Page 36: Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients

Page 37: Controlling WLAN Access Using Security Groups

Security Group: Default Members
• Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
• Wireless LAN Users: Domain Users
• Wireless LAN Computers: Domain Computers

IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.

Page 38: Configuring Windows XP WLAN Clients

1. Install required patches and updates
2. Create the WLAN client GPO using GPMC
3. Deploy the WLAN settings

Page 39: Reviewing WLAN Client Parameters

Parameter: Setting
• Group to allow WLAN access: Wireless LAN Access
• Group to allow WLAN access for users: Wireless LAN Users
• Group to allow WLAN access for computers: Wireless LAN Computers
• WLAN GPO name: WLAN Client Settings
• GPO filtering security group: Wireless LAN Computer Settings
• Wireless network policy name: Windows XP WLAN Client Settings (PEAP-WEP)
• WLAN network name (SSID): Northwind (change this to your SSID)
• EAP type: PEAP
• PEAP authentication method: Secured Password (EAP-MSCHAP v2)
• PEAP fast reconnect: Enabled
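The following is an added example, not code from the deck or from the Microsoft WLAN-PEAP scripts: a simplified model of how the IAS remote access policy on the "Controlling WLAN Access" slide gates a request, resolving the nested Wireless LAN Access / Wireless LAN Users / Wireless LAN Computers groups and checking the PEAP with EAP-MSCHAP v2 settings from the client parameters above. The group names are the deck's; the policy name, the request fields and the account names are constructed stand-ins for the RADIUS attributes IAS actually evaluates.

```python
from dataclasses import dataclass

# Nested group membership from the "Controlling WLAN Access" slide:
# group -> its direct members (users, computers or other groups).
GROUPS = {
    "Wireless LAN Access": {"Wireless LAN Users", "Wireless LAN Computers"},
    "Wireless LAN Users": {"Domain Users"},
    "Wireless LAN Computers": {"Domain Computers"},
}

# Simplified stand-in for the IAS remote access policy and its profile
# (policy name is constructed; group and EAP settings are the deck's).
WLAN_POLICY = {
    "name": "Allow Wireless LAN Access",
    "nas_port_type": "Wireless - IEEE 802.11",
    "required_group": "Wireless LAN Access",
    "eap_type": "PEAP",
    "inner_method": "EAP-MSCHAP v2",
}


@dataclass
class AccessRequest:
    """Constructed stand-in for the RADIUS Access-Request that IAS sees."""
    account: str          # user or computer account name
    direct_groups: set    # groups the account is a direct member of
    nas_port_type: str    # RADIUS NAS-Port-Type sent by the access point
    eap_type: str         # outer EAP type negotiated with the client
    inner_method: str     # PEAP inner authentication method


def effective_groups(account, direct_groups, nesting):
    """Every group containing the account directly or through nesting.

    Walks upward from the account and its direct groups to each group that
    lists them as a member; the seen-set also protects against nesting cycles.
    """
    parents = {}
    for group, members in nesting.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, stack = set(), [account, *direct_groups]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(parents.get(node, ()))
    seen.discard(account)
    return seen


def evaluate(req, policy=WLAN_POLICY, nesting=GROUPS):
    """Return (decision, reason) for one request.

    NAS-Port-Type and group membership are the policy *conditions* (no match
    means no policy applies, so access is denied); the EAP checks stand for
    the policy *profile*, which can still reject a request that matched.
    """
    if req.nas_port_type != policy["nas_port_type"]:
        return "Reject", "no matching policy: NAS-Port-Type is not wireless"
    groups = effective_groups(req.account, req.direct_groups, nesting)
    if policy["required_group"] not in groups:
        return "Reject", "no matching policy: not in " + policy["required_group"]
    if (req.eap_type, req.inner_method) != (policy["eap_type"], policy["inner_method"]):
        return "Reject", "profile mismatch: expected PEAP with EAP-MSCHAP v2"
    return "Accept", "matched policy " + policy["name"]


def tightened_nesting(allowed_users):
    """Variant where Wireless LAN Users holds named accounts instead of the
    Domain Users default, so only the listed users get WLAN access."""
    nesting = dict(GROUPS)
    nesting["Wireless LAN Users"] = set(allowed_users)
    return nesting


if __name__ == "__main__":
    wifi = "Wireless - IEEE 802.11"
    for req in (AccessRequest("bob", {"Domain Users"}, wifi, "PEAP", "EAP-MSCHAP v2"),
                AccessRequest("LAPTOP01$", {"Domain Computers"}, wifi, "PEAP", "EAP-MSCHAP v2"),
                AccessRequest("guest", {"Domain Guests"}, wifi, "PEAP", "EAP-MSCHAP v2"),
                AccessRequest("bob", {"Domain Users"}, "Ethernet", "PEAP", "EAP-MSCHAP v2")):
        print(req.account, req.nas_port_type, "->", evaluate(req))
```

Because Domain Users is the default member of Wireless LAN Users, every domain user is admitted until that default is replaced, which is what `tightened_nesting` models.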

Page 40: Creating the WLAN Client Settings GPO (demo)

• Create a WLAN Client GPO Using the GPMC

Page 41: Session Summary

There are bad people out there who want your WLAN, but you can deploy this securely!
• Determine your organization’s wireless requirements
• Require 802.1X authentication
• Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
• Use the scripts provided by the PEAP and Passwords solution
• Use security groups and Group Policy to control WLAN client access