Implementing Security for Wireless Networks Presenter Name Job Title Company
Session Prerequisites • Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory® • Basic understanding of wireless LAN technology • Basic understanding of Microsoft® Certificate Services • Basic understanding of RADIUS and remote access protocols • Level 300
Agenda • Overview of Wireless Solutions • Securing a Wireless Network • Implementing a Wireless Network Using Password Authentication • Configuring Wireless Network Infrastructure Components • Configuring Wireless Network Clients
Identifying the Need to Secure a Wireless Network • When designing security for a wireless network consider: • Network authentication and authorization • Data protection • Wireless access point configuration • Security management
Common Security Threats to Wireless Networks • Security Threats Include: • Disclosure of confidential information • Unauthorized access to data • Impersonation of an authorized client • Interruption of the wireless service • Unauthorized access to the Internet • Accidental threats • Unsecured home wireless setups • Unauthorized WLAN implementations
Understanding Wireless Network Standards and Technologies • 802.1X: a standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing the keys used to protect traffic
Wireless Network Implementation Options • Wireless network implementation options include: • Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK) • Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords • Wireless network security using Certificate Services
Understanding Elements of WLAN Security • To effectively secure a wireless network consider: • Authentication of the person or device connecting to the wireless network • Authorization of the person or device to use the WLAN • Protection of the data transmitted over the WLAN • Audit WLAN access
Protecting WLAN Data Transmissions • Wireless data encryption standards in use today include: • Wired Equivalent Privacy (WEP) • Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity • Compatible with most hardware and software devices • (How is this a “wired equivalent”?! Trust me: WEP sucks) • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html • Wi-Fi Protected Access (WPA) • Changes the encryption key with each packet • Uses a longer initialization vector • Adds a signed message integrity check value • Incorporates an encrypted frame counter • (WPA is only if you are serious about security)
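Why the per-packet key change and longer initialization vector listed for WPA matter, shown on the WEP side only. This is an added example, not part of the original slides: it builds WEP-style per-frame RC4 keys (24-bit IV prepended to a static secret) and checks what happens when an IV repeats. The secret and payloads are constructed, and WEP's CRC-32 integrity value is omitted.

```python
# Added illustration, not from the original deck. WEP-style framing only:
# per-frame RC4 key = 24-bit IV || static secret. CRC-32 ICV is omitted.

def rc4_keystream(key: bytes, n: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

SECRET = bytes.fromhex("0123456789")           # constructed 40-bit static key
P1 = b"GET /payroll.xls"                       # constructed 16-byte payloads
P2 = b"user=alice&pw=x1"

def wep_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + SECRET, len(plaintext)))

def keystream_cancels(iv_a: bytes, iv_b: bytes) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the plaintexts,
    i.e. both frames were protected by the identical keystream."""
    c1, c2 = wep_encrypt(iv_a, P1), wep_encrypt(iv_b, P2)
    return xor(c1, c2) == xor(P1, P2)

IV_SPACE = 2 ** 24                             # only 16,777,216 distinct IVs

if __name__ == "__main__":
    print("same IV, keystream cancels:     ", keystream_cancels(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("different IV, keystream cancels:", keystream_cancels(b"\x00\x00\x01", b"\x00\x00\x02"))
    print("distinct IVs before forced reuse:", IV_SPACE)
```

With a static secret, the 24-bit IV is the only per-frame variation, so a busy access point must eventually repeat keystreams; changing the key for every packet removes that condition.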
Alternative Approaches to Encrypt WLAN Traffic • Alternatives used to protect WLAN traffic include the use of: • Virtual Private Network (VPN) • Internet Protocol Security (IPSec)
Guidelines for Securing Wireless Networks • Require data protection for all wireless communications • Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network • Use software scanning tools to locate and shut down rogue access points on your corporate network
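One way to turn these three guidelines into a repeatable check over the output of a wireless survey tool. This is an added example, not part of the original slides or the Microsoft scripts; the SSID, the access point inventory, the survey records and the field names (including `on_wired_lan`) are all constructed for illustration.

```python
# Added example. Inventory, SSID and survey records are constructed sample data.
CORPORATE_SSID = "CORP-WLAN"                              # assumed corporate SSID
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # managed AP inventory

# One record per AP seen by the survey tool. "on_wired_lan" is a hypothetical
# field: True when the AP's MAC also appears in the switch MAC address tables.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WLAN", "auth": "802.1X",
     "cipher": "TKIP", "on_wired_lan": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "CORP-WLAN", "auth": "open",
     "cipher": "none", "on_wired_lan": True},
    {"bssid": "02:aa:bb:cc:dd:01", "ssid": "CORP-WLAN", "auth": "open",
     "cipher": "none", "on_wired_lan": False},
    {"bssid": "02:aa:bb:cc:dd:02", "ssid": "default", "auth": "open",
     "cipher": "none", "on_wired_lan": True},
    {"bssid": "02:aa:bb:cc:dd:03", "ssid": "NeighbourCafe", "auth": "PSK",
     "cipher": "TKIP", "on_wired_lan": False},
]

def classify(ap):
    """Return the list of guideline violations for one observed AP."""
    managed = ap["bssid"].lower() in AUTHORIZED
    findings = []
    if managed:
        if ap["auth"] != "802.1X":
            findings.append("managed AP without 802.1X")
        if ap["cipher"] == "none":
            findings.append("managed AP without data protection")
    else:
        if ap["on_wired_lan"]:
            findings.append("unauthorized AP on corporate LAN")
        if ap["ssid"] == CORPORATE_SSID:
            findings.append("corporate SSID on unknown AP")
    return findings

def audit(scan):
    """Map BSSID -> findings, skipping APs with nothing to report."""
    return {ap["bssid"]: f for ap in scan if (f := classify(ap))}

if __name__ == "__main__":
    for bssid, findings in audit(SCAN).items():
        print(bssid, "; ".join(findings))
```

Unknown access points that are neither on the wired LAN nor advertising the corporate SSID (the last record) are treated as neighbours and not reported.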
Design Criteria for PEAP-MS-CHAP v2 Solution • Security Requirements • Scalability • Availability • Platform Support • Extensibility • Standards Conformance
How 802.1X with PEAP and Passwords Works • [Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS) and Internal Network, with five numbered steps: 1 Client Connect; 2 Client Authentication, Server Authentication and Key Agreement; steps 3 to 5 carry the labels WLAN Encryption, Key Distribution and Authorization]
Identifying the Services for the PEAP WLAN Network • Domain Controller (DC) • RADIUS (IAS) • Certification Authority (CA) • DHCP Services (DHCP) • DNS Services (DNS) • [Diagram: Headquarters and Branch Office sites, each with a LAN, access points and WLAN clients; servers labelled IAS/CA/DC, IAS/DNS/DC (two) and DHCP; connections labelled Primary and Secondary]
Preparing the Environment • Install the WLAN Scripts using: • Microsoft WLAN-PEAP.msi • Install the additional tools on the IAS servers: • Group Policy Management Console • CAPICOM • DSACLs.exe • The .MSI is on the DVD you’ll get today!
Demo: Preparing the Environment • Creating Security Groups • Installing CAPICOM
Configuring the Network Certification Authority • The CA is used to issue Computer Certificates to the IAS Servers • To install Certificate Services, log on with an account that is a member of: • Enterprise Admins • Domain Admins • Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide: • Auto enrollment of certificates to both computers and users • Version 2 certificate templates • Editable certificate templates • Archival of keys
Reviewing the Certification Authority Installation Parameters • Certificate Templates Available: Computer (Machine) • Drive and path of CA request files: C:\CAConfig • Length of CA Key: 2048 bits • Validity Period: 25 years • Validity Period of Issued Certificates: 2 years • CRL Publishing Interval: 7 days • CRL Overlap Period: 4 days
Installing the Certification Authority • Run MSSsetup CheckCAenvironment • Run MSSsetup InstallCA • Run MSSsetup VerifyCAInstall • Run MSSsetup ConfigureCA • Run MSSSetup ImportAutoenrollGPO • Run MSSsetup VerifyCAConfig (*You can do all this in the GUI….but why?)
Demo: Configuring the Certification Authority • Configuring Post-Installation Settings • Importing the Automatic Certificate Request GPO • Verifying the Configuration
Configuring Internet Authentication Services (IAS) • IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies. • IAS configuration categories include: • IAS Server Settings • IAS Access Policies • RADIUS Logging
Reviewing IAS Configuration Parameters • IAS parameters that are to be configured include: • IAS Logging to Windows Event Log • IAS RADIUS Logging • Remote Access Policy • Remote Access Policy Profile
Installing the IAS Server • Run MSSsetup CheckIASEnvironment • Run MSSsetup InstallIAS • Register the IAS server into Active Directory • Restart server to automatically enroll the IAS server certificate • Configure logging and the remote access policy • Export IAS settings to be imported to another server
Demo: Configuring the IAS Server • Validating the IAS Environment • Verifying IAS Server Certificate Deployment • Post-Installation Configuration Tasks • Modifying the WLAN Access Policy Profile Settings • Verifying the Connection Request Policy for WLAN • Exporting the IAS Settings
Configuring Wireless Access Points • Run MssTools AddRadiusClient • Run MssTools AddSecRadiusClients • Configure the Wireless Access Points
Wireless Access Point Configuration Parameters • Configure the basic network settings such as: • IP configuration of the access point • Friendly name of the access point • Wireless network name (SSID) • Typical settings for a wireless access point include: • Authentication parameters • Encryption parameters • RADIUS authentication • RADIUS accounting
Demo: Wireless Access Point Configuration • Adding Access Points to the Initial IAS Server • Configuring Wireless Access Points
Controlling WLAN Access Using Security Groups • IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy
Configuring Windows XP WLAN Clients • Install required patches and updates • Create the WLAN client GPO using GPMC • Deploy the WLAN settings
Demo: Creating the WLAN Client Settings GPO • Create a WLAN Client GPO Using the GPMC
Session Summary • There are bad people out there who want your WLAN, but you can deploy this securely! • Determine your organization’s wireless requirements • Require 802.1X authentication • Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure • Use the scripts provided by the PEAP and Passwords solution • Use security groups and Group Policy to control WLAN client access