Other Challenges
Access Points are dim!
Key Management (!!!!)
  – Manual update = never changed!
Access Control with MAC address filtering
  – = NO SECURITY!
Neither is scalable
Authentication Authorization Data Protection Audit
WLAN Security Challenges
Weak Security in Static WEP
Man-in-the-middle attacks are difficult to detect & prevent
[Diagram: Rogue Network]
Alternatives to WEP
VPNs
Pros
  – Familiarity
  – Hardware Independent
  – Proven Security
Cons
  – Lacks user transparency
  – Only user logon (not computer)
  – Roaming profiles, logon scripts, GPOs broken, shares, management agents, Remote desktop
  – No reconnect on resume from standby
  – Complex network structure
VPNs
More Cons
  – No protection for WLAN
  – Bottleneck at VPN devices
  – Higher management & hardware cost
  – Prone to disconnection
Yet more cons! (non-MS VPNs)
  – 3rd party licensing costs
  – Client compatibility
  – Many VPN auth schemes (IPsec Xauth) are as bad as WEP!
PEAP encapsulation
Server authenticates to client
Establishes protected tunnel (TLS)
Client authenticates inside tunnel to server
No cryptographic binding between PEAP tunnel and tunneled authN method
Fix: constrain client (in GPO) to trust only a specific corporate root CA
  – Foils potential MitM attacks
802.1X over
Parties: Supplicant, Authenticator, Authentication Server
Supplicant <-> Authenticator | Authenticator <-> Authentication Server
association |
EAPOL-start |
EAP-request/identity |
EAP-response/identity | RADIUS-access-request
EAP-request | RADIUS-access-challenge
EAP-response (credentials) | RADIUS-access-request
EAP-success | RADIUS-access-accept
Access allowed
EAPOW-key (WEP) |
[Diagram callouts: "Gotta get on!"; "Calculating this guy's key…"; "Access blocked"; "Calculating my key…"; "(Wow I just don't understand this new maths!)"]
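The exchange on the slide above, as an added example that is not part of the original deck: a toy Python model in which the authenticator only relays EAP to the RADIUS server and opens its controlled port only after an access-accept. The names `Authenticator`, `radius_server` and `USERS`, the sample credentials, and the reject path (`RADIUS-access-reject`, `EAP-failure`) are assumptions; a plain password comparison stands in for the real EAP method.

```python
# Toy model of the 802.1X exchange; no real EAP or RADIUS packets are built.
from dataclasses import dataclass, field

USERS = {"alice": "correct-horse"}  # constructed credential store on the server


def radius_server(request):
    """Authentication server: challenge on identity, accept/reject on credentials."""
    if "password" not in request:
        return "RADIUS-access-challenge"
    ok = USERS.get(request["identity"]) == request["password"]
    return "RADIUS-access-accept" if ok else "RADIUS-access-reject"


@dataclass
class Authenticator:
    """Access point: relays EAP to RADIUS; controlled port stays shut until accept."""
    port_open: bool = False
    trace: list = field(default_factory=list)

    def log(self, src, dst, msg):
        self.trace.append(f"{src}->{dst} {msg}")

    def relay(self, eap_msg, request):
        """Wrap one EAP response in a RADIUS request and return the server's verdict."""
        self.log("supplicant", "authenticator", eap_msg)
        self.log("authenticator", "server", "RADIUS-access-request")
        verdict = radius_server(request)
        self.log("server", "authenticator", verdict)
        return verdict

    def authenticate(self, identity, password):
        self.log("supplicant", "authenticator", "EAPOL-start")
        self.log("authenticator", "supplicant", "EAP-request/identity")
        self.relay("EAP-response/identity", {"identity": identity})
        self.log("authenticator", "supplicant", "EAP-request")
        verdict = self.relay("EAP-response (credentials)",
                             {"identity": identity, "password": password})
        self.port_open = verdict == "RADIUS-access-accept"
        self.log("authenticator", "supplicant",
                 "EAP-success" if self.port_open else "EAP-failure")
        if self.port_open:  # the key message is sent only after success
            self.log("authenticator", "supplicant", "EAPOW-key (WEP)")
        return self.port_open


if __name__ == "__main__":
    ap = Authenticator()
    print(ap.authenticate("alice", "correct-horse"), *ap.trace, sep="\n")
```

The decision to open the port is made by the authentication server, not the access point, which is what lets credentials be managed centrally.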
Session Summary
Windows XP has great wireless security features
There's extensive prescriptive guidance available from our website
Don't be scared of wireless!
Next Steps
Find additional security training events:
Sign up for security communications: default.mspx
Check out Security360
Get additional security tools and content:
Resources
Microsoft Wi-Fi Page:
The Unofficial Security Web Page
Intercepting Mobile Communications: The Insecurity of
Fluhrer, Mantin, Shamir WEP Paper:
WiFi Planet:
Microsoft Solution for Securing Wireless LANs with PEAP and Passwords (< 1 week)
Microsoft Solution for Securing Wireless LANs with Certificates
Wifi for SOHO Environments
Credits
Thanks to Ian Hellen (MCS) & Steve Riley (Corp) as I borrowed several of their slides!