Implementing Security for Wireless Networks
Action Items for this session
• Learn something!
• Take notes!
• Fill out that evaluation. I love to see your comments and we want to make these better!
Why should you care about wireless security?
Because "31337 h4x0r" like this:
… are equipping vehicles like this:
… and using tools like these:
… to get info about your WLAN:
… so they crack it and gain access:
… so they can "ØwN jØØ" like this:
Agenda
• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a WLAN Using Password Authentication
• Configuring Wireless Network Infrastructure Components
When designing security for a wireless network consider:
• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management
Identifying the Need to Secure a Wireless Network
Security Threats Include:
1. Disclosure of confidential information
2. Unauthorized access to data
3. Impersonation of an authorized client
4. Interruption of the wireless service
5. Unauthorized access to the Internet
6. Accidental threats
7. Unsecured home wireless setups
8. Unauthorized WLAN implementations
Understanding the Standards and Technologies
Standard         Description
802.11           A base specification that defines the transmission concepts for Wireless LANs
802.11a          Transmission speeds up to 54 megabits per second (Mbps); shorter ranges than 802.11b
802.11b          11 Mbps; good range
802.11g          54 Mbps
802.11i (WPA2)   Establishes a standard authentication and encryption process for wireless networks
802.1X           A standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing keys used to protect traffic
Wireless network implementation options include:
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services
Choose the right solution

Solution: Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Typical environment: Small Office/Home Office (SOHO)
  Additional infrastructure components required: None
  Certificates used for client authentication: NO
  Passwords used for client authentication: YES (uses the WPA encryption key to authenticate to the network)
  Typical data encryption method: WPA

Solution: Password-based wireless network security
  Typical environment: Small to medium organization
  Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
  Certificates used for client authentication: NO (however, a certificate is issued to validate the IAS server)
  Passwords used for client authentication: YES
  Typical data encryption method: WPA or Dynamic WEP

Solution: Certificate-based wireless network security
  Typical environment: Medium to large organization
  Additional infrastructure components required: Internet Authentication Service (IAS), Certificate Services
  Certificates used for client authentication: YES
  Passwords used for client authentication: NO (certificates are used, but the solution may be modified to require passwords)
  Typical data encryption method: WPA or Dynamic WEP
Effective Authentication and Authorization
Standard                                   Description
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
                                           Uses public key certificates to authenticate clients
Protected Extensible Authentication Protocol-Microsoft-Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2)
                                           A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
Tunneled Transport Layer Security (TTLS)
                                           A two-stage authentication method similar to PEAP
Wireless data encryption standards in use today include:
• Wired Equivalent Privacy (WEP)
  • Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  • Compatible with most hardware and software devices
  • How is this a "wired equivalent"?! Trust me: WEP sucks!
• Wi-Fi Protected Access (WPA/WPA2)
  • Changes the encryption key with each packet
  • Uses a longer initialization vector
  • Adds a signed message integrity check value
  • Incorporates an encrypted frame counter
  • WPA uses TKIP, WPA2 uses AES
System Requirements for 802.1X
Components                        Requirements
Client devices                    Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
RADIUS/IAS and certificate servers   Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
Wireless access
• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
• Use tools to locate and shut down rogue access points on your corporate network:
  • "Over the Air" - Disassociation attack on rogue APs
  • "Over the Wire" - Automatic switch port shutdown
Components for PEAP-MS-CHAP v2
Components               Explanation
Wireless Client          Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption
                         User and computer accounts are created in the domain
Wireless Access Point    Must support 802.1X and dynamic WEP or WPA encryption
                         The wireless access point and RADIUS server have a shared secret to enable them to securely identify each other
RADIUS/IAS Server        Uses Active Directory to verify the credentials of WLAN clients
                         Makes authorization decisions based upon an access policy
                         May also collect accounting and audit information
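The shared secret between the access point and the RADIUS/IAS server is what each side uses to check the other's packets. The following is an added example, not code from this deck or from Microsoft's PEAP and Passwords solution: it builds an 802.1X-style Access-Request carrying an EAP-Message and checks its Message-Authenticator (RFC 3579) and the server's Response Authenticator (RFC 2865) with the standard library. The secret, user name and EAP bytes are constructed sample values.

```python
# Added example (not the deck's or Microsoft's code): RFC 2865/3579 shared-secret checks; all values are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(kind, value):  # Type (1 byte), Length including header, Value
    return struct.pack("!BB", kind, len(value) + 2) + value

def find_attr(packet, kind):
    pos = 20  # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        if packet[pos] == kind:
            return pos
        if packet[pos + 1] < 2:  # malformed length, do not loop forever
            return None
        pos += packet[pos + 1]
    return None

def build_access_request(secret, ident, request_auth, user, eap):
    """AP -> IAS. An EAP-Message makes Message-Authenticator mandatory:
    HMAC-MD5 keyed with the secret over the packet, that field zeroed."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_message_authenticator(secret, packet):
    """IAS side: recompute the HMAC with the field zeroed and compare."""
    off = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if off is None or packet[off + 1] != 18:
        return False
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[off + 2:off + 18])

def build_response(secret, code, ident, request_auth, attrs=b""):
    """IAS -> AP. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(secret, response, request_auth):
    """AP side: a reply (e.g. a spoofed Accept) that fails this check is dropped."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A server that does not hold the same secret cannot produce a valid Response Authenticator, and a request from an unknown access point fails the Message-Authenticator check before any credential is looked at.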
Preparing the Environment
Install the WLAN Scripts using:
• Microsoft WLAN-PEAP.msi
Install the additional tools on the IAS servers:
• Group Policy Management Console
• CAPICOM
• DSACLs.exe
Configuring the Certification Authority
• The CA is used to issue Computer Certificates to the IAS Servers
• To install Certificate Services, log on with an account that is a member of:
  • Enterprise Admins
  • Domain Admins
• Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
  • Auto enrollment of certificates to both computers and users
  • Version 2 certificate templates
  • Editable certificate templates
  • Archival of keys
Certificate Templates Available: Computer (Machine)
Drive and path of CA request files: C:\CAConfig
Length of CA Key: 2048 bits
Validity Period: 25 years
Validity Period of Issued Certificates: 2 years
CRL Publishing Interval: 7 days
CRL Overlap Period: 4 days
1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSSetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig
• You can do all this in the GUI… but why?
Configuring the Certification Authority
Install CA
Configuring Post-Installation Settings
Importing the Automatic Certificate Request GPO
Verifying the Configuration
Internet Authentication Service (IAS) uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.
IAS configuration categories include:
• IAS Server Settings
• IAS Access Policies
• RADIUS Logging
IAS parameters that are to be configured include:
• IAS Logging to Windows Event Log
• IAS RADIUS Logging
• Remote Access Policy
• Remote Access Policy Profile
Are we going to script this?! Yes Sir!!!
Configuring the IAS Server
Validating the IAS Environment
Verifying IAS Server Certificate Deployment
Post-Installation Configuration Tasks
Modifying the WLAN Access Policy Profile Settings
Verifying the Connection Request Policy for WLAN
Exporting the IAS Settings
Configure the basic network settings such as:
• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)
Typical settings for a wireless access point include:
• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting
Wireless Access Point Configuration
Adding Access Points to the Initial IAS Server
Configuring Wireless Access Points
Controlling WLAN Access Using Security Groups
Security Group             Default Members
Wireless LAN Access        Wireless LAN Users, Wireless LAN Computers
Wireless LAN Users         Domain Users
Wireless LAN Computers     Domain Computers
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy
Reviewing WLAN Client Parameters
Parameter                                    Setting
Group to allow WLAN access                   Wireless LAN Access
Group to allow WLAN access for users         Wireless LAN Users
Group to allow WLAN access for computers     Wireless LAN Computers
WLAN GPO name                                WLAN Client Settings
GPO filtering security group                 Wireless LAN Computer Settings
Wireless network policy name                 Windows XP WLAN Client Settings (PEAP-WEP)
WLAN network name (SSID)                     CONTOSO (change this to your SSID)
EAP type                                     PEAP
PEAP authentication method                   Secured Password (EAP-MSCHAP v2)
Creating the WLAN Client Settings GPO
Create a WLAN Client GPO Using the GPMC
• There are bad people out there who want your WLAN, but you can deploy it securely!
• Determine your organization's wireless requirements
• Require 802.1X authentication
• Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
• Use the scripts provided by the PEAP and Passwords solution
• Use security groups and Group Policy to control WLAN client access
• (… and stop kidding yourself with WEP)