Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services

Post on 20-Dec-2015



Session Prerequisites

• Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®

• Basic understanding of wireless LAN technology

• Basic understanding of Microsoft® Certificate Services

• Basic understanding of RADIUS and remote access protocols

Level 300

Agenda

• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients
• Troubleshooting Wireless Network Problems
• Best Practices

Overview of Wireless Solutions

When designing security for a wireless network consider:

• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management

Identifying the Need to Secure a Wireless Network

Common Security Threats to Wireless Networks

Security threats include:

• Disclosure of confidential information
• Unauthorized access to data
• Impersonation of an authorized client
• Interruption of the wireless service
• Unauthorized access to the Internet
• Accidental threats
• Unsecured home wireless setups
• Unauthorized WLAN implementations

Understanding Wireless Network Standards and Technologies

Standard / Description

802.11
• The base specification that defines the transmission concepts for wireless LANs

802.11a
• Transmission speeds up to 54 Mbps

802.11b
• 11 Mbps
• Good range but susceptible to radio signal interference

802.11g
• 54 Mbps
• Shorter range than 802.11b at its higher data rates

802.1X
• A standard that defines a port-based network access control mechanism for authenticating access to a network and, optionally, for managing the keys used to protect traffic

Wireless Network Implementation Options

Wireless network implementation options include:

• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services

Choosing the Appropriate Wireless Network Solution

Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Typical environment: Small Office/Home Office (SOHO)
• Additional infrastructure components required: None
• Certificates used for client authentication: No
• Passwords used for client authentication: Yes (the WPA pre-shared key itself authenticates the client to the network)
• Typical data encryption method: WPA

Password-based wireless network security (PEAP-MS-CHAP v2)
• Typical environment: Small to medium organization
• Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
• Certificates used for client authentication: No (a certificate is still issued to the IAS server so that clients can validate the server)
• Passwords used for client authentication: Yes
• Typical data encryption method: WPA or dynamic WEP

Certificate-based wireless network security (EAP-TLS)
• Typical environment: Medium to large organization
• Additional infrastructure components required: Internet Authentication Service (IAS) and Certificate Services
• Certificates used for client authentication: Yes
• Passwords used for client authentication: No (certificates are used, but the solution can be modified to require passwords as well)
• Typical data encryption method: WPA or dynamic WEP

Securing a Wireless Network

Understanding Elements of WLAN Security

To effectively secure a wireless network consider:

• Authentication of the person or device connecting to the wireless network
• Authorization of the person or device to use the WLAN
• Protection of the data transmitted over the WLAN
• Audit of WLAN access

Providing Effective Authentication and Authorization

Standard / Description

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Uses public key certificates to authenticate clients (and the server)

Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2)
• A two-stage authentication method: a TLS tunnel authenticates the server by certificate, and MS-CHAP v2 authenticates the client by password inside that tunnel

Tunneled Transport Layer Security (TTLS)
• A two-stage authentication method similar to PEAP
• Microsoft does not support this method

Protecting WLAN Data Transmissions

Wireless data encryption standards in use today include:

Wired Equivalent Privacy (WEP)
• Dynamic WEP (per-session keys delivered through 802.1X and rotated by the access point), combined with 802.1X authentication, was considered at the time of this session to provide adequate data encryption and integrity
• Compatible with most hardware and software devices
• Caveat: WEP's RC4 keystream reuse and CRC-32 integrity check are now known to be breakable even when keys are rotated, so treat dynamic WEP as a compatibility fallback only and require WPA wherever the hardware supports it

Wi-Fi Protected Access (WPA)
• Changes the encryption key with each packet (TKIP per-packet key mixing)
• Uses a longer (48-bit) initialization vector
• Adds a keyed message integrity check value (Michael MIC)
• Incorporates an encrypted frame counter, which provides replay protection

Alternative Approaches to Encrypt WLAN Traffic

Alternatives used to protect WLAN traffic include the use of:

• Virtual Private Network (VPN)
• Internet Protocol Security (IPsec)

System Requirements for Implementing 802.1X

Components / Requirements

Client devices
• Windows XP and Pocket PC 2003 provide built-in 802.1X support
• Microsoft provides an 802.1X client for Windows 2000

RADIUS/IAS and certificate servers
• Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported

Wireless access points
• At a minimum, must support 802.1X authentication and 128-bit WEP for data encryption

Guidelines for Securing Wireless Networks

• Use software scanning tools to locate and shut down rogue WLANs on your corporate network
• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, freeloading, and accidental threats to your network

Implementing a Wireless Network Using Password Authentication

The Components Required to Implement PEAP-MS-CHAP v2

Components / Explanation

Wireless client
• Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption
• User and computer accounts are created in the domain

Wireless access point
• Must support 802.1X and dynamic WEP or WPA encryption
• The access point and the RADIUS server share a secret that lets each verify the other's RADIUS messages

RADIUS/IAS server
• Uses Active Directory to verify the credentials of WLAN clients
• Makes authorization decisions based upon an access policy
• May also collect accounting and audit information
• Has a certificate installed to provide server authentication to clients

Design Criteria for the PEAP-MS-CHAP v2 Solution

• Platform support
• Availability
• Security requirements
• Scalability
• Extensibility
• Standards conformance

How 802.1X with PEAP and Passwords Works

Participants: Wireless Client, Wireless Access Point, RADIUS (IAS), Internal Network

1. Client connect: the client associates with the access point, which passes only 802.1X traffic until authentication completes
2. Client authentication and server authentication (key agreement): the client validates the IAS server's certificate and authenticates with its password inside the PEAP TLS tunnel
3. Authorization and key distribution: IAS authorizes the client against the remote access policy and delivers the session key material to the access point
4. WLAN encryption: client and access point protect traffic with the negotiated dynamic WEP or WPA keys
5. Internal network: the client is given access to the internal network
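The access point and IAS identify each other through the RADIUS shared secret (components table above), which is what makes steps 2 and 3 of this flow trustworthy on the wired side. The following is an added example, not code from the deck or from Microsoft's solution guides: it builds the Access-Request an access point sends after the client's EAP-Response/Identity, lets the server check its Message-Authenticator (RFC 2869/3579), and lets the access point check the Response Authenticator (RFC 2865) on the reply. The shared secret, identity, MAC address, NAS address and request authenticator are constructed sample values.

```python
"""RADIUS Access-Request from an access point to IAS, and IAS's reply.

Packet layout follows RFC 2865 (header, attributes, Response Authenticator),
RFC 2869 (Message-Authenticator) and RFC 3579 (EAP over RADIUS). All sample
values are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type numbers (RFC 2865, RFC 2869)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19          # RFC 3580 value for IEEE 802.11
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, identity, client_mac, nas_ip, request_authenticator):
    """What the access point sends after the client answers EAP-Request/Identity.

    request_authenticator must be 16 fresh random bytes per request (passed in
    here so the example is deterministic). The Message-Authenticator is an
    HMAC-MD5 over the whole packet, keyed with the AP/IAS shared secret and
    computed with its own value zeroed.
    """
    eap = (bytes([EAP_RESPONSE, identifier])
           + struct.pack("!H", 5 + len(identity))
           + bytes([EAP_TYPE_IDENTITY]) + identity)
    attrs = (avp(USER_NAME, identity)
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + avp(CALLING_STATION_ID, client_mac.encode())
             + avp(EAP_MESSAGE, eap)
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))   # zeros while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(secret, packet):
    """IAS side: accept only requests whose HMAC matches the configured shared secret."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False                       # RFC 3579: requests carrying EAP-Message must have it


def build_response(secret, code, request, attrs=b""):
    """IAS side: Access-Accept/Reject whose Response Authenticator binds it to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret, request, response):
    """AP side: honour a reply only if it matches our request and the shared secret."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret = b"example-shared-secret"       # constructed; use a long random secret per access point
    req = build_access_request(secret, 7, b"CONTOSO\\alice", "00-11-22-33-44-55",
                               "10.0.0.5", bytes(range(16)))
    print("request accepted by IAS:", verify_message_authenticator(secret, req))
    print("with wrong secret:      ", verify_message_authenticator(b"typo", req))
    reply = build_response(secret, ACCESS_ACCEPT, req)
    print("reply accepted by AP:   ", verify_response(secret, req, reply))
```

A real PEAP exchange has several Access-Challenge/Access-Request rounds (tied together with a State attribute) before the final Access-Accept carries the session keys; the shared-secret checks shown here apply to every one of those packets, which is why a wrong secret on either side shows up as requests that IAS silently drops rather than as a logged rejection.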

Identifying the Services for the PEAP WLAN Network

Diagram: services by site. Legend: Domain Controller (DC), RADIUS (IAS), Certification Authority (CA), DHCP Services (DHCP), DNS Services (DNS).

Headquarters LAN
• IAS/CA/DC server
• IAS/DNS/DC server
• DHCP server
• Access points and WLAN clients

Branch office LAN
• IAS/DNS/DC server
• Access points and WLAN clients

Each site's access points are configured with a primary and a secondary IAS server.

Configuring Wireless Network Infrastructure Components

Configuring the Network Certification Authority

• The CA is used to issue computer certificates to the IAS servers
• To install Certificate Services, log on with an account that is a member of:
  – Enterprise Admins
  – Domain Admins
• Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
  – Autoenrollment of certificates to both computers and users
  – Version 2 certificate templates
  – Editable certificate templates
  – Archival of keys

Reviewing the Certification Authority Installation Parameters

• Validity period of issued certificates: 2 years
• Validity period of the CA certificate: 25 years
• Drive and path of CA request files: C:\CAConfig
• Length of CA key: 2048 bits
• CRL publishing interval: 7 days
• CRL overlap period: 4 days
• Certificate templates available: Computer (Machine)

Configuring Internet Authentication Services (IAS)

IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.

IAS configuration categories include:

• IAS server settings
• IAS access policies
• RADIUS logging

Reviewing IAS Configuration Parameters

IAS parameters that are to be configured include:

• Remote access policy
• Remote access policy profile
• IAS RADIUS logging
• IAS logging to the Windows event log

Configuring Wireless Access Points

1. Run MssTools AddRadiusClient
2. Run MssTools AddSecRadiusClients
3. Configure the wireless access points

Wireless Access Point Configuration Parameters

Configure the basic network settings such as:

• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)

Typical settings for a wireless access point include:

• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting

Configuring Wireless Network Clients

Controlling WLAN Access Using Security Groups

IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.

Security group / Default members

• Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
• Wireless LAN Users: Domain Users
• Wireless LAN Computers: Domain Computers
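The link between the security groups and the remote access policy is easiest to see as the decision IAS makes for each request. The following is an added example, not code from the deck or from the IAS product: it models the rules the deck relies on (the first remote access policy whose conditions all match is applied, the account's dial-in permission can override the policy's grant/deny, and the policy profile restricts the EAP type) against constructed accounts. Group membership is given already flattened, that is, with the nesting of Wireless LAN Users and Wireless LAN Computers inside Wireless LAN Access expanded; the policy name, account names and thresholds are assumptions for the example.

```python
"""Remote access policy evaluation as IAS applies it to a wireless request.

Constructed accounts and a single policy shaped like the deck's group layout.
"""
from dataclasses import dataclass

# NAS-Port-Type values (RFC 2865 / RFC 3580)
WIRELESS_OTHER, WIRELESS_80211, ETHERNET = 18, 19, 15
# Dial-in permission on the account (Active Directory "Dial-in" tab)
ALLOW, DENY, CONTROL_THROUGH_POLICY = "allow", "deny", "control-through-policy"


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset              # effective membership, nested groups already expanded
    dialin: str = CONTROL_THROUGH_POLICY
    disabled: bool = False
    locked_out: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_types: frozenset      # condition: NAS-Port-Type is one of these
    windows_groups: frozenset      # condition: account is in any of these groups
    grant: bool                    # "Grant remote access permission" vs "Deny"
    eap_types: frozenset           # profile: EAP types allowed for 802.1X

    def matches(self, account, nas_port_type):
        return (nas_port_type in self.nas_port_types
                and bool(account.groups & self.windows_groups))


def evaluate(policies, account, nas_port_type, eap_type):
    """Return (accepted, reason); reasons mirror the deck's troubleshooting list."""
    if account.disabled:
        return False, "account disabled"
    if account.locked_out:
        return False, "account locked out"
    policy = next((p for p in policies if p.matches(account, nas_port_type)), None)
    if policy is None:
        return False, "no matching remote access policy (check WLAN group membership)"
    if account.dialin == DENY:
        return False, "dial-in permission set to deny on the account"
    if account.dialin == CONTROL_THROUGH_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    if eap_type not in policy.eap_types:
        return False, f"EAP type {eap_type} not allowed by the profile of '{policy.name}'"
    return True, f"granted by '{policy.name}'"


# Assumed policy: wireless requests from members of Wireless LAN Access, PEAP only.
WLAN_POLICY = Policy(
    name="Allow Wireless Access",
    nas_port_types=frozenset({WIRELESS_OTHER, WIRELESS_80211}),
    windows_groups=frozenset({"Wireless LAN Access"}),
    grant=True,
    eap_types=frozenset({"PEAP"}),
)


def demo():
    """Constructed accounts exercising each outcome; returns name -> (accepted, reason)."""
    user_groups = frozenset({"Domain Users", "Wireless LAN Users", "Wireless LAN Access"})
    computer_groups = frozenset({"Domain Computers", "Wireless LAN Computers", "Wireless LAN Access"})
    alice = Account("alice", user_groups)
    bob = Account("bob", frozenset({"Domain Users"}))       # removed from the WLAN groups
    carol = Account("carol", user_groups, dialin=DENY)       # explicit deny beats the policy
    laptop = Account("LAPTOP01$", computer_groups)           # computer authentication
    return {
        "alice": evaluate([WLAN_POLICY], alice, WIRELESS_80211, "PEAP"),
        "bob": evaluate([WLAN_POLICY], bob, WIRELESS_80211, "PEAP"),
        "carol": evaluate([WLAN_POLICY], carol, WIRELESS_80211, "PEAP"),
        "alice-eap-tls": evaluate([WLAN_POLICY], alice, WIRELESS_80211, "EAP-TLS"),
        "alice-wired": evaluate([WLAN_POLICY], alice, ETHERNET, "PEAP"),
        "laptop": evaluate([WLAN_POLICY], laptop, WIRELESS_80211, "PEAP"),
    }


if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(f"{who:14} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Because the first matching policy wins, keep the wireless policy above any broader "allow if dial-in permission is enabled" policy, and leave accounts on "Control access through Remote Access Policy" so that group membership, not a per-account flag, decides who reaches the WLAN.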

Configuring Windows XP WLAN Clients

1. Install required patches and updates
2. Create the WLAN client GPO using GPMC
3. Deploy the WLAN settings

Troubleshooting Wireless Network Problems

Troubleshooting Procedures

Classify the type of problem that you are experiencing into one of the following categories:

• Client connection problems
• Performance problems
• Computer authentication failure
• User authentication failure

Diagnosing Client Connection Problems

• Check the IAS servers
• Check Active Directory and network services
• Check the client computer
• Check the access point configuration settings
• Check WAN connectivity
• Check the Certification Authority
• Check the user/computer account

Diagnosing Performance Problems

Performance problems can be diagnosed by performing the following tasks:

• Use Performance Monitor to identify heavily loaded IAS servers
• Verify that access points are configured to use the closest primary IAS server
• Revisit the WLAN network design for incorrect access point placement

Note: client re-authentication may take up to 60 seconds, so allow for this before treating a slow reconnect as a fault.

User or Computer Account Authentication Problems

Authentication problems may be the result of:

• The remote access (dial-in) permission on the account is set to deny
• The account is not a member of the WLAN access group
• IAS authentication issues
• The account is incorrect, disabled, or locked out

Troubleshooting Tools and Techniques

Tool / Description

Network Connections folder
• Provides information about the state of authentication, signal strength, and the IP address configuration

Tracing on the client computer
• Provides detailed information about the EAP authentication process

IAS event logging and Event Viewer
• Allows you to view IAS authentication attempts in the system event log

IAS tracing
• Allows you to troubleshoot complex problems for specific IAS components

System Monitor counters
• Allows you to determine how efficiently your server uses IAS and to identify potential performance problems
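IAS RADIUS logging is the quickest way to tell the account problems listed above apart from a client that keeps retrying a stale password. The following is an added example, not code from the deck or from Microsoft: it reads Access-Reject records and separates repeated credential mismatches from one client (typically a cached or mistyped password on that machine) from mismatches for one account arriving from several clients (worth treating as password guessing), and reports any other reason code for lookup. The sample records are constructed. The column positions are the order this example assumes for the IAS database-compatible log format (ComputerName, ServiceName, Record-Date, Record-Time, Packet-Type, User-Name, ..., Policy-Name, Reason-Code); confirm them against the field list in your IAS documentation before running this on real logs. Packet-Type 3 is Access-Reject and Reason-Code 16 is a user name or password mismatch; the thresholds are assumptions.

```python
"""Triage of IAS RADIUS log records for the authentication failures the deck lists."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# 0-based column positions assumed for the IAS database-compatible log format
PACKET_TYPE, USER_NAME, CALLED_STATION, CALLING_STATION = 4, 5, 7, 8
NAS_IDENTIFIER, POLICY_NAME, REASON_CODE = 11, 24, 25
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3           # RADIUS packet codes
REASON_CREDENTIAL_MISMATCH = 16               # IAS: user name or password wrong

# Constructed sample records (26 columns each), not taken from a real server.
SAMPLE_LOG = r'''
"IAS01","IAS","03/15/2004","09:14:02",3,"CONTOSO\alice","contoso.com/Users/alice","00-1A-2B-3C-4D-5E:CORPWLAN","00-11-22-33-44-55",,,"AP-HQ-01","10.0.0.5",1,311,"10.0.0.5","AP-HQ-01",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:14:31",3,"CONTOSO\alice","contoso.com/Users/alice","00-1A-2B-3C-4D-5E:CORPWLAN","00-11-22-33-44-55",,,"AP-HQ-01","10.0.0.5",1,311,"10.0.0.5","AP-HQ-01",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:15:04",3,"CONTOSO\alice","contoso.com/Users/alice","00-1A-2B-3C-4D-5E:CORPWLAN","00-11-22-33-44-55",,,"AP-HQ-01","10.0.0.5",1,311,"10.0.0.5","AP-HQ-01",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:16:10",3,"CONTOSO\bob","contoso.com/Users/bob","00-1A-2B-3C-4D-5F:CORPWLAN","00-AA-BB-CC-DD-01",,,"AP-HQ-02","10.0.0.6",1,311,"10.0.0.6","AP-HQ-02",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:16:12",3,"CONTOSO\bob","contoso.com/Users/bob","00-1A-2B-3C-4D-5F:CORPWLAN","00-AA-BB-CC-DD-02",,,"AP-HQ-02","10.0.0.6",1,311,"10.0.0.6","AP-HQ-02",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:16:15",3,"CONTOSO\bob","contoso.com/Users/bob","00-1A-2B-3C-4D-5F:CORPWLAN","00-AA-BB-CC-DD-03",,,"AP-HQ-02","10.0.0.6",1,311,"10.0.0.6","AP-HQ-02",,,19,,,,,"Allow Wireless Access",16
"IAS01","IAS","03/15/2004","09:17:40",2,"CONTOSO\carol","contoso.com/Users/carol","00-1A-2B-3C-4D-5E:CORPWLAN","00-11-22-33-44-66",,,"AP-HQ-01","10.0.0.5",1,311,"10.0.0.5","AP-HQ-01",,,19,,,,,"Allow Wireless Access",0
"IAS01","IAS","03/15/2004","09:18:03",3,"CONTOSO\LAPTOP01$","contoso.com/Computers/LAPTOP01","00-1A-2B-3C-4D-5E:CORPWLAN","00-11-22-33-44-77",,,"AP-HQ-01","10.0.0.5",1,311,"10.0.0.5","AP-HQ-01",,,19,,,,,"",36
'''


def parse_records(text):
    """Yield one dict per RADIUS record; blank or truncated rows are skipped."""
    for row in csv.reader(StringIO(text.strip())):
        if len(row) <= REASON_CODE or not row[PACKET_TYPE].isdigit():
            continue
        yield {
            "packet_type": int(row[PACKET_TYPE]),
            "user": row[USER_NAME],
            "calling": row[CALLING_STATION],
            "nas": row[NAS_IDENTIFIER],
            "policy": row[POLICY_NAME],
            "reason": int(row[REASON_CODE] or 0),
        }


def triage(records, repeat_threshold=3, spread_threshold=3):
    """Return (user, finding) pairs for the Access-Reject records."""
    mismatches = defaultdict(Counter)           # user -> Counter of Calling-Station-IDs
    other = []
    for r in records:
        if r["packet_type"] != ACCESS_REJECT:
            continue
        if r["reason"] == REASON_CREDENTIAL_MISMATCH:
            mismatches[r["user"]][r["calling"]] += 1
        else:
            other.append(r)
    findings = []
    for user, by_mac in sorted(mismatches.items()):
        if len(by_mac) >= spread_threshold:
            findings.append((user, f"credential mismatch from {len(by_mac)} different clients: "
                                   "possible password guessing against this account"))
        elif max(by_mac.values()) >= repeat_threshold:
            mac, n = by_mac.most_common(1)[0]
            findings.append((user, f"{n} repeated mismatches from {mac}: stale or mistyped "
                                   "password cached on that client"))
    for r in other:
        findings.append((r["user"], f"Access-Reject with reason code {r['reason']} via {r['nas']} "
                                    "(look it up in the IAS reason-code table)"))
    return findings


def run_sample():
    return triage(list(parse_records(SAMPLE_LOG)))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:20} {finding}")
```

Successful Access-Accept records (Packet-Type 2) are ignored on purpose; a wrong RADIUS shared secret on an access point never reaches this log at all, because IAS drops such requests, so an access point whose clients all fail without producing any records points at the secret rather than at the accounts.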

Best Practices

Best Practices for Implementing Secure Wireless Networks

• Understand WLAN prerequisites
• Choose a client configuration strategy
• Determine traffic encryption requirements
• Determine software settings for 802.1X WLANs
• Determine availability requirements

Session Summary

• Determine your organization's wireless requirements
• Require 802.1X authentication
• Implement the PEAP and Passwords solution for organizations that do not have a PKI
• Use the scripts provided by the PEAP and Passwords solution
• Use security groups and Group Policy to control WLAN client access
• Use troubleshooting tools such as client and IAS tracing

Next Steps

• Where to find this guidance:
  – Securing Wireless LANs with Certificate Services: http://go.microsoft.com/fwlink/?LinkId=14843
  – Securing Wireless LANs with PEAP and Passwords: http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx
• Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
• Get additional security tools and content: http://www.microsoft.com/security/guidance
• Wireless resources: http://www.microsoft.com/wifi

Questions and Answers