Wireless Security Without a VPN! Stirling Goetz, Microsoft Consulting Services
Post on 20-Dec-2015
TRANSCRIPT
Session Prerequisites
• Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®
• Basic understanding of wireless LAN technology
• Basic understanding of Microsoft® Certificate Services
• Basic understanding of RADIUS and remote access protocols
Level 300
Overview of Wireless Solutions
Agenda:
• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients
• Troubleshooting Wireless Network Problems
• Best Practices
When designing security for a wireless network, consider:
• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management
Identifying the Need to Secure a Wireless Network
Common Security Threats to Wireless Networks
Security threats include:
• Disclosure of confidential information
• Unauthorized access to data
• Impersonation of an authorized client
• Interruption of the wireless service
• Unauthorized access to the Internet
• Accidental threats
• Unsecured home wireless setups
• Unauthorized WLAN implementations
Understanding Wireless Network Standards and Technologies
• 802.11: the base specification that defines the transmission concepts for wireless LANs
• 802.11a: transmission speeds up to 54 megabits per second (Mbps)
• 802.11b: 11 Mbps; good range but susceptible to radio signal interference
• 802.11g: 54 Mbps; shorter range than 802.11b
• 802.1X: a standard that defines a port-based access control mechanism for authenticating access to a network and, optionally, for managing the keys used to protect traffic
Wireless Network Implementation Options
Wireless network implementation options include:
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services
Choosing the Appropriate Wireless Network Solution
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
– Typical environment: Small Office/Home Office (SOHO)
– Additional infrastructure components required: None
– Certificates used for client authentication: No
– Passwords used for client authentication: Yes (the WPA pre-shared key is what authenticates the client to the network)
– Typical data encryption method: WPA
• Password-based wireless network security (PEAP and passwords)
– Typical environment: Small to medium organization
– Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
– Certificates used for client authentication: No (a certificate is issued only so that clients can validate the IAS server)
– Passwords used for client authentication: Yes
– Typical data encryption method: WPA or dynamic WEP
• Certificate-based wireless network security
– Typical environment: Medium to large organization
– Additional infrastructure components required: Internet Authentication Service (IAS) and Certificate Services
– Certificates used for client authentication: Yes
– Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
– Typical data encryption method: WPA or dynamic WEP
Securing a Wireless Network
Understanding Elements of WLAN Security
To effectively secure a wireless network, consider:
• Authentication of the person or device connecting to the wireless network
• Authorization of the person or device to use the WLAN
• Protection of the data transmitted over the WLAN
• Auditing of WLAN access
Providing Effective Authentication and Authorization
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): uses public key certificates to authenticate clients
• Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): a two-stage authentication method that uses TLS to authenticate the server and build an encrypted tunnel, then runs MS-CHAP v2 password authentication inside that tunnel
• Tunneled Transport Layer Security (TTLS): a two-stage authentication method similar to PEAP; Microsoft does not support this method
Protecting WLAN Data Transmissions
Wireless data encryption standards in use today include:
• Wired Equivalent Privacy (WEP)
– Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
– Compatible with most hardware and software devices
– Caveat: WEP, whether static or dynamic, has since been shown to be breakable from a modest capture of traffic and is deprecated; prefer WPA, or WPA2 where the hardware supports it
• Wi-Fi Protected Access (WPA)
– Changes the encryption key with each packet
– Uses a longer initialization vector
– Adds a signed message integrity check value
– Incorporates an encrypted frame counter
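Each WPA bullet above closes a specific WEP hole; the one that matters most for confidentiality is the 24-bit IV in front of a static key. The script below is an added illustration written for this page, not code from the session or from Microsoft: it implements plain RC4 (the cipher both WEP and WPA/TKIP use), keys it the way WEP does (IV || static key), and shows that two frames sent under the same IV leak the XOR of their plaintexts to anyone listening, and how few frames a randomly chosen IV needs before it repeats. The key, IVs and frame contents are constructed sample data, and the WEP CRC-32 integrity value is left out because it plays no part in the argument.

```python
"""Why WEP's static key plus a 24-bit per-frame IV is not enough.

Added illustration, not code from the presentation. Plain RC4 keyed the way
WEP keys it, IV || static key, so any two frames sent under the same IV share
a keystream. The key, IVs and frame contents are constructed sample data.
"""
import random
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: the 3-byte IV travels in the clear and RC4 is keyed with
    IV || static key. (WEP's CRC-32 ICV is omitted; it plays no part here.)"""
    assert len(iv) == 3
    return iv + xor(rc4_keystream(iv + static_key, len(plaintext)), plaintext)


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What an eavesdropper learns from two frames with the same IV: the
    keystream is identical, so C1 xor C2 == P1 xor P2, without the key."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def recover_plaintext(frame_known: bytes, known_plaintext: bytes,
                      frame_target: bytes) -> Optional[bytes]:
    """One known plaintext (a DHCP or ARP frame, say) unmasks the other frame."""
    mixed = xor_of_plaintexts(frame_known, frame_target)
    return None if mixed is None else xor(mixed, known_plaintext)


def frames_until_iv_repeat(seed: int = 1, iv_bits: int = 24) -> int:
    """Draw random IVs as a WEP card might and count frames until the first
    repeat; with 24 bits that happens after a few thousand frames."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit WEP key
    iv = b"\xaa\xbb\xcc"
    c1 = wep_encrypt(key, iv, b"GET /payroll HTTP/1.0")
    c2 = wep_encrypt(key, iv, b"hello wireless world!")
    print("P1 xor P2 recovered from ciphertext alone:", xor_of_plaintexts(c1, c2).hex())
    print("frames until an IV repeats:", frames_until_iv_repeat())
```

Dynamic WEP improves on this only by rotating the static part of the key under 802.1X; the IV space is unchanged, which is why WPA's per-packet key mixing and 48-bit sequence counter, rather than faster rekeying, are the fix.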
Alternative Approaches to Encrypt WLAN Traffic
Alternatives used to protect WLAN traffic include:
• Virtual Private Network (VPN)
• Internet Protocol Security (IPSec)
System Requirements for Implementing 802.1X
• Client devices: Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
• RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
• Wireless access points: at a minimum, should support 802.1X authentication and 128-bit WEP for data encryption
Guidelines for Securing Wireless Networks
• Use software scanning tools to locate and shut down rogue WLANs on your corporate network
• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, freeloading, and accidental threats to your network
Implementing a Wireless Network Using Password Authentication
The Components Required to Implement PEAP-MS-CHAP v2
• Wireless client
– Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption
– User and computer accounts are created in the domain
• Wireless access point
– Must support 802.1X and dynamic WEP or WPA encryption
– The wireless access point and the RADIUS server share a secret that lets each securely identify the other
• RADIUS/IAS server
– Uses Active Directory to verify the credentials of WLAN clients
– Makes authorization decisions based on an access policy
– May also collect accounting and audit information
– Has a certificate installed to provide server authentication
Design Criteria for the PEAP-MS-CHAP v2 Solution
• Platform support
• Availability
• Security requirements
• Scalability
• Extensibility
• Standards conformance
How 802.1X with PEAP and Passwords Works
The flow diagram shows a wireless client, a wireless access point, a RADIUS (IAS) server, and the internal network, with these numbered steps:
1. Client connect
2. Client authentication, server authentication, and key agreement (between the client and the RADIUS server, relayed by the access point)
3. Key distribution and authorization (from the RADIUS server to the access point)
4. WLAN encryption (between the client and the access point)
5. (Step label not preserved in the transcript; the arrow leads to the internal network)
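The shared secret named in the component list and steps 2 and 3 of the exchange above are easier to reason about with the bytes in hand. This is an added example written for this page, not code from the session or from IAS: it builds the RADIUS Access-Request an 802.1X access point sends for a wireless client (EAP-Message plus Message-Authenticator, which RFC 3579 requires on EAP traffic) and the Access-Accept the server returns, then performs the checks each side must make before trusting the other. The secret, identifier, addresses and EAP bytes are constructed values; attribute numbers and the authenticator formulas are from RFC 2865 and RFC 2869.

```python
"""How the access point and the RADIUS (IAS) server use their shared secret.

Added example, not code from the presentation or from IAS: builds the
Access-Request an 802.1X access point sends for a wireless client (EAP-Message
plus Message-Authenticator, required by RFC 3579 for EAP) and the server's
Access-Accept, then runs the checks each side must make before trusting the
other. Secret, identifier, addresses and EAP bytes are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61   # RFC 2865 attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80            # RFC 2869
NAS_PORT_TYPE_WIRELESS_80211 = 19

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    assert len(value) <= 253
    return struct.pack("!BB", atype, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(pkt: bytes) -> list:
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[i], pkt[i + 1]
        out.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return out

def message_authenticator(secret, code, ident, request_auth, attrs_zero_ma) -> bytes:
    """RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the whole packet
    with the Message-Authenticator value zeroed; replies, too, put the *Request*
    Authenticator in the authenticator field for this computation."""
    return hmac.new(secret, packet(code, ident, request_auth, attrs_zero_ma), hashlib.md5).digest()

def build_access_request(secret, ident, request_auth, user, nas_ip, eap) -> bytes:
    """What the AP sends to IAS: identity, origin, EAP payload, and proof it holds the secret."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, nas_ip)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(EAP_MESSAGE, eap))
    mac = message_authenticator(secret, ACCESS_REQUEST, ident, request_auth,
                                attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))

def build_access_accept(secret, ident, request_auth, attrs) -> bytes:
    """Server reply: Message-Authenticator first, then the Response Authenticator
    = MD5(Code | ID | Length | Request Authenticator | Attributes | Secret) (RFC 2865 3)."""
    mac = message_authenticator(secret, ACCESS_ACCEPT, ident, request_auth,
                                attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    attrs = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def check_message_authenticator(secret, pkt, request_auth) -> bool:
    """Either side: zero the MA in a copy, recompute, compare in constant time."""
    attrs = parse_attrs(pkt)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = message_authenticator(secret, pkt[0], pkt[1], request_auth, zeroed)
    return hmac.compare_digest(expected, found[0])

def check_response_authenticator(secret, reply, request_auth, ident) -> bool:
    """AP side: the reply must match the outstanding identifier and carry an
    authenticator only a holder of the secret could have computed."""
    head, auth, attrs = reply[:4], reply[4:20], reply[20:]
    if reply[1] != ident:
        return False
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)

def demo() -> dict:
    secret = b"constructed-shared-secret-use-a-long-random-one"
    request_auth = os.urandom(16)                       # fresh and unpredictable per request
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"   # EAP Response/Identity (constructed)
    req = build_access_request(secret, 7, request_auth, "alice", bytes([10, 0, 0, 5]), eap_identity)
    tampered = req[:22] + b"m" + req[23:]               # first byte of User-Name altered in flight
    eap_success = bytes([3, 1, 0, 4])
    accept = build_access_accept(secret, 7, request_auth, attr(EAP_MESSAGE, eap_success))
    forged = build_access_accept(b"guessed-secret", 7, request_auth, attr(EAP_MESSAGE, eap_success))
    return {
        "request_ok": check_message_authenticator(secret, req, request_auth),
        "request_wrong_secret": check_message_authenticator(b"other", req, request_auth),
        "request_tampered": check_message_authenticator(secret, tampered, request_auth),
        "accept_ok": check_response_authenticator(secret, accept, request_auth, 7)
        and check_message_authenticator(secret, accept, request_auth),
        "forged_accept": check_response_authenticator(secret, forged, request_auth, 7),
    }
```

RFC 2869 requires a server to silently discard a request whose Message-Authenticator fails, so an access point entered with a mistyped secret gets no reply at all, before any user credential is examined; that is the "IAS authentication issues" bucket in the troubleshooting section, and the shared secret is the first thing to compare when an access point's clients cannot authenticate.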
Identifying the Services for the PEAP WLAN Network
The services diagram shows two sites, Headquarters and a Branch Office, each with WLAN clients, access points, and a LAN. The legend covers Domain Controller (DC), RADIUS (IAS), Certification Authority (CA), DHCP Services (DHCP) and DNS Services (DNS). The server roles shown are combined on a small number of machines: an IAS/CA/DC server, IAS/DNS/DC servers, and DHCP. The access points at each site are configured with a primary and a secondary IAS server.
Configuring Wireless Network Infrastructure Components
Configuring the Network Certification Authority
• The CA is used to issue computer certificates to the IAS servers
• To install Certificate Services, log on with an account that is a member of:
– Enterprise Admins
– Domain Admins
• Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
– Auto-enrollment of certificates to both computers and users
– Version 2 certificate templates
– Editable certificate templates
– Archival of keys
Reviewing the Certification Authority Installation Parameters
• Validity period of issued certificates: 2 years
• Validity period of the CA certificate: 25 years
• Drive and path of CA request files: C:\CAConfig
• Length of CA key: 2048 bits
• CRL publishing interval: 7 days
• CRL overlap period: 4 days
• Certificate templates available: Computer (Machine)
Configuring Internet Authentication Services (IAS)
IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based on configured policies.
IAS configuration categories include:
• IAS server settings
• IAS access policies
• RADIUS logging
Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
• Remote access policy
• Remote access policy profile
• IAS RADIUS logging
• IAS logging to the Windows event log
Configuring Wireless Access Points
1. Run MssTools AddRadiusClient
2. Run MssTools AddSecRadiusClients
3. Configure the wireless access points
Wireless Access Point Configuration Parameters
Configure the basic network settings, such as:
• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)
Typical settings for a wireless access point include:
• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting
Configuring Wireless Network Clients
Controlling WLAN Access Using Security Groups
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.
Security group: default members
• Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
• Wireless LAN Users: Domain Users
• Wireless LAN Computers: Domain Computers
Configuring Windows XP WLAN Clients
1. Install required patches and updates
2. Create the WLAN client GPO using GPMC
3. Deploy the WLAN settings
Troubleshooting Wireless Network Problems
Troubleshooting Procedures
Classify the type of problem that you are experiencing into one of the following categories:
• Client connection problems
• Performance problems
• Computer authentication failure
• User authentication failure
Diagnosing Client Connection Problems
• Check the IAS servers
• Check Active Directory and network services
• Check the client computer
• Check the access point configuration settings
• Check WAN connectivity
• Check the certification authority
• Check the user/computer account
Diagnosing Performance Problems
Performance problems can be diagnosed by performing the following tasks:
• Use Performance Monitor to identify heavily loaded IAS servers
• Verify that access points are configured to use the closest primary IAS server
• Revisit the WLAN network design for incorrect access point placement
• Keep in mind that client re-authentication may take up to 60 seconds
User or Computer Account Authentication Problems
Authentication problems may be the result of:
• The RAS dial-in permission is set to Deny
• The account is not a member of the WLAN access group
• IAS authentication issues
• The account is incorrect, disabled, or locked out
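The causes listed above are checked in a fixed order, and the groups in the security-groups table are nested, which is why a user can be rejected even though the remote access policy names a group they belong to. The model below is an added illustration written for this page, not IAS code: it reproduces the decision order IAS applies once the PEAP-MS-CHAP v2 credential exchange has produced a result (account state, then credential check, then the first remote access policy whose conditions all match, then the account's dial-in permission), using the group nesting from the security-groups table. The accounts, the policy, the password check and the directory contents are constructed sample data; only the group names and the meaning of the dial-in setting come from the session.

```python
"""A model of the authorization decision IAS makes for a WLAN client.

Added illustration, not IAS code. It reproduces the order of checks IAS
applies after the PEAP-MS-CHAP v2 credential exchange, using the security
groups this solution creates (Wireless LAN Access contains Wireless LAN Users
and Wireless LAN Computers, which contain Domain Users and Domain Computers).
Accounts, policy and directory contents are constructed sample data.
"""
from dataclasses import dataclass

NAS_PORT_TYPE_WIRELESS_80211 = 19   # RADIUS NAS-Port-Type "Wireless - IEEE 802.11"
NAS_PORT_TYPE_ETHERNET = 15

# Group -> direct members (groups or accounts). Constructed, mirroring the defaults.
GROUPS = {
    "Wireless LAN Access": {"Wireless LAN Users", "Wireless LAN Computers"},
    "Wireless LAN Users": {"Domain Users"},
    "Wireless LAN Computers": {"Domain Computers"},
}


@dataclass
class Account:
    name: str
    direct_groups: frozenset
    password: str                  # stand-in for the Active Directory credential check
    enabled: bool = True
    locked_out: bool = False
    dial_in: str = "policy"        # "allow", "deny", or "policy" (control access through remote access policy)


@dataclass
class Policy:
    name: str
    nas_port_types: frozenset
    required_group: str
    eap_types: frozenset
    grant: bool = True


POLICIES = [
    Policy("Allow Wireless Access", frozenset({NAS_PORT_TYPE_WIRELESS_80211}),
           "Wireless LAN Access", frozenset({"PEAP"})),
]


def effective_groups(direct) -> set:
    """Expand nested membership: Domain Users -> Wireless LAN Users -> Wireless LAN Access."""
    result, stack = set(), list(direct)
    while stack:
        g = stack.pop()
        if g in result:
            continue
        result.add(g)
        stack.extend(parent for parent, members in GROUPS.items() if g in members)
    return result


def evaluate(account: Account, password: str, nas_port_type: int,
             eap_type: str, policies=POLICIES) -> tuple:
    """Return (decision, reason). Authentication first; then the first policy
    whose conditions all match is used; then the account's dial-in permission
    either overrides the policy (Allow/Deny) or defers to it (policy-controlled)."""
    if account.locked_out:
        return "reject", "account locked out"
    if not account.enabled:
        return "reject", "account disabled"
    if password != account.password:
        return "reject", "bad credentials"
    groups = effective_groups(account.direct_groups)
    for p in policies:
        if (nas_port_type in p.nas_port_types and p.required_group in groups
                and eap_type in p.eap_types):
            if account.dial_in == "deny":
                return "reject", "dial-in permission is Deny"
            if account.dial_in == "allow" or p.grant:
                return "accept", f"policy '{p.name}'"
            return "reject", f"policy '{p.name}' denies access"
    if not any(p.required_group in groups for p in policies):
        return "reject", "account is not a member of the WLAN access group"
    return "reject", "no remote access policy matched"


if __name__ == "__main__":
    alice = Account("alice", frozenset({"Domain Users"}), "pw")
    print(evaluate(alice, "pw", NAS_PORT_TYPE_WIRELESS_80211, "PEAP"))
    print(evaluate(alice, "pw", NAS_PORT_TYPE_ETHERNET, "PEAP"))
    print(evaluate(Account("bob", frozenset({"Contractors"}), "pw"), "pw",
                   NAS_PORT_TYPE_WIRELESS_80211, "PEAP"))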
Troubleshooting Tools and Techniques
Tool Description
Network Connections Folder
Provides information about the state of authentication, signal strength, and the IP Address configuration
Tracing on the client computer
Provides detailed information about the EAP authentication process
IAS event logging and Event Viewer
Allows you to view IAS authentication attempts in the system event log
IAS tracing Allows you to troubleshoot complex problems for specific IAS components
System Monitor counters
Allows you to determine how efficiently your server uses IAS and to identify potential performance problems
Best Practices• Overview of Wireless Solutions• Securing a Wireless Network• Implementing a Wireless Network Using
Password Authentication• Configuring Wireless Network Infrastructure
Components• Configuring Wireless Network Clients• Troubleshooting Wireless Network Problems• Best Practices
Best Practices for Implementing Secure Wireless Networks
Understand WLAN prerequisitesUnderstand WLAN prerequisites
Choose a client configuration strategyChoose a client configuration strategy
Determine traffic encryption requirementsDetermine traffic encryption requirements
Determine software settings for 802.1X WLANsDetermine software settings for 802.1X WLANs
Determine availability requirementsDetermine availability requirements
Session Summary
Use the scripts provided by the PEAP and Passwords solutionUse the scripts provided by the PEAP and Passwords solution
Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructureImplement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
Determine your organization’s wireless requirementsDetermine your organization’s wireless requirements
Require 802.1X authenticationRequire 802.1X authentication
Use security groups and Group Policy to control WLAN client accessUse security groups and Group Policy to control WLAN client access
Use troubleshooting tools such as client and IAS tracingUse troubleshooting tools such as client and IAS tracing
Next Steps
• Where to find this guidance:– Securing Wireless LANs with Certificate Services
http://go.microsoft.com/fwlink/?LinkId=14843– Security Wireless LANs with PEAP and Passwords
http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx• Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
• Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
• Get additional security tools and content:http://www.microsoft.com/security/guidance
http://www.microsoft.com/wifi