Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Your Wireless Network

Similar presentations

Presentation on theme: "Securing Your Wireless Network"— Presentation transcript:

1 Securing Your Wireless Network
Ian Hellen Stirling Goetz Microsoft

2 Agenda Wireless LAN security explained
Secure wireless deployment components, Microsoft offerings and benefits Selecting the right WLAN options Microsoft wireless security solutions Microsoft IT case study WLAN scalability and management

3 Wireless LAN Security Many (most?) WLANs have no security or inadequate security 1 in 3 WLANs in major cities unsecured (RSA) But number of WLANs growing by 66% each year (RSA) Small businesses making most use of WLANs Static WEP (Wired Equivalent Privacy) is easily broken: Tools to generate required traffic Statistical cryptanalysis breaks keys quickly The world is not a nice place: Viruses, worms, trojans, spyware, botnets Hackers, spammers, criminals

4 WEP’s Fatal Flaw(s) N Har-Har! Take that static WEP-man!
Thank goodness we use encryption! X7!g%k0j37**54bf(jv&8gF… Har-Har! Take that static WEP-man! X7!g%k0j 37**54bf(jv &8gB)£F.. IH N

5 Client Authentication Server Authentication
How an 802.1X WLAN Works Wireless Client Wireless Access Point Radius (IAS) 1 Client Connect 2 Client Authentication Server Authentication Key Agreement WLAN Encryption 4 5 3 Key Distribution Authorization Internal Network

6 Anatomy of 802.1X solution Authentication Authorization
SG Data Protection Audit

7 Encryption & Integrity
802.1X & EAP 802.1X Authentication Authentication & Key Management Authorization EAP EAP Method Data Protection Key Management WPA Encryption & Integrity SG Dynamic WEP Protection Data RADIUS Accounting Audit Audit

8 Secure Wireless Deployment Components
Wireless Clients Wireless Access Points Radio Types: a/b/g Network Authentication: 802.1X, WPA, WPA2/802.11i* Encryption: WEP, TKIP, AES RADIUS Server RADIUS EAP/TLS PEAP-MSCHAPv2 Remote Access Policies User account database Remote Access permissions Credentials = Passwords Certificate Authority (optional) Credentials = Certificates

9 Secure Wireless Deployment Technologies
Windows XP Windows Wireless Zero Config Native 802.1X, WPA, and soon WPA2* Certificates, Passwords, Smartcards, RSAToken** Wireless group policy Any Access Point supporting and 802.1X standards Server 2003 IAS EAP/TLS (certificates/smartcard) PEAP (password) Remote access policies Radius proxy functions Improved scaling Server 2003 Active Directory User and computer authentication Server 2003 Certificate Authority User and computer auto-enrollment

10 Secure Wireless Deployment Benefits
Windows XP Integrated Windows Client Standards based security Evolving with the industry Seamless sign-on experience Interoperability Server 2003 IAS Security Manageability Policy-based access management Scalability Deep and wide Server 2003 Active Directory Centralized Administration Client configuration Access management Server 2003 Certificate Authority Automated client updating

11 Security Best Practices What NOT to do
Hidden SSID Does not provide any real security Easily discoverable in well-used environments Windows client experience is impacted MAC Filtering Does not scale NIC management issue MAC is spoofable “Shared” mode Sounds like more security but is actually worse Not to be confused with Pre-Shared Key (PSK) which is more secure Open networks and VPN’s Grants everyone access to the wireless segment Great for hotspots, not for your business

12 Security Best Practices What to do
Chose an authentication type (EAP Type) EAP-TLS and both user and computer certificates PEAP-MS-CHAP v2 and enforce strong user passwords Pre-Shared Key (only with WPA) Chose a WLAN Data Protection Method WPA using TKIP or AES encryption Dynamic WEP using 802.1X, forcing periodic re-authentication (10 mins) to renew keys

13 Wireless Decision Tree
Start SOHO Network ? WPA Pre-Shared Key yes Certificate Authentication ? PEAP no IH EAP-TLS yes WPA or 802.1X Dynamic WEP for legacy devices

14 Configuring WPA-PSK Demonstration

15 Client Authentication
WPA Pre-Shared Key Wireless Client Wireless Access Point 1 Client Connect 2 Client Authentication Key Agreement WLAN Encryption 3 4

16 Factors Influencing Your Choice
EAP-TLS PEAP + MSCHAPv2 More secure Need to deploy certificates Better interop Simpler Uses passwords (!) Less interoperable WPA Dynamic WEP Default choice Better security May not be supported on older devices and systems (3rd party WLAN client) Option for legacy systems (incl. Windows 9x, Windows 2000) Can coexist with WPA

17 Microsoft Wireless Solutions Technology + Prescriptive Guidance
Start SOHO Network ? WPA PSK yes Certificate Authentication ? no IH yes Securing Wireless LANs with Certificate Services Securing Wireless LANs with PEAP & Passwords

18 WPA & Works Wireless Client Wireless Access Point Radius (IAS)
Certification Authority Directory WLAN Encryption RADIUS Internal Network

19 Solution Design Head Office

20 Solution Design Large Branch Office

21 Solution Design Small Office

22 Scaling – Scale Up IH

23 Scaling – Scale Down IH

24 Extending – Wired Security

25 Extending – VPN IH

26 Setting up IAS Policies

27 Microsoft’s Internal Wireless Deployment
Wireless Clients Wireless Access Points 23-30K per day Network Authentication: 802.1X 300K authentications per day Encryption: dynamic WEP ~ b Cisco APs 90 countries, 300+sites Single SSID RADIUS Server Puget Sound 2 Proxy, 4 RADIUS servers Worldwide 5 Proxy/RADIUS servers EAP/TLS Remote Access Policies enforced User account database Remote Access permissions Group Policies for configuration Certificate Authority User and Machine Certificates Autoenrolled

28 Microsoft’s Future Wireless Deployment
Wireless Clients Wireless Access Points Migration to i (WPA2) Thin AP/Wireless Switch Architecture Single Hardware Platform Multiple SSIDs, Independent services Voice, Guest and Corporate Network RADIUS Servers Independent RADIUS servers for each service Different Auth methods for each service Proxies to distribute load User account database Multiple ADs to support Guests and Corporate users. Certificate Authority User and Machine Certificates for corporate services Autoenrolled

29 Best Practices: Scalability Microsoft RADIUS – Internet Authentication Service (IAS)
Install at least two IAS RADIUS servers For best performance, install IAS on domain controllers Use strong RADIUS shared secrets Use as many different RADIUS shared secrets as possible Use IAS RADIUS proxies to scale authentication traffic Use IAS RADIUS proxies for separate account databases

30 RADIUS Architecture Is this redundant? Scale up or out

31 Using IAS RADIUS proxies Load balancing of RADIUS traffic
IAS servers IAS RADIUS proxies Wireless APs

32 Using IAS RADIUS proxies Cross-forest authentication
IAS servers IAS servers IAS RADIUS proxies Wireless APs

33 Security Best Practices
Preventing Rogue WLANs User education and policy Ongoing Monitoring Don’t use Hidden SSIDs Do use Wireless Group Policy

34 Best Practices: Management
Use the Wireless Network (IEEE ) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group. Use certificate auto-enrollment for computer certificates Use certificate auto-enrollment for user certificates "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on

35 Wireless Group Policy Demonstration

36 Wireless Provisioning Service (WPS)
Automatically provision wireless accounts and configure client network settings for WiFi access Wireless ISP hotspots and roaming contracts Enterprise guest access for visitors Secure, auditable and user friendly guest access Components built into Windows XP SP2 and Windows Server 2003 SP1 and configurable via a downloadable tool Guidance available online

37 Aligning with other security initiatives
Network Health Compliance Lays down both the network infrastructure and ID Management elements needed for NAP (Network Access Protection) Preserves investment in infrastructure RADIUS is the center of policy making, enforcement and access control for Secure Wireless and NAP Single sign-on Secure Network Segmentation IPSec and 802.1X work together by providing a defense in depth strategy 802.1X – hard outside – offers isolation IPSec – hard inside – offers resource protection Can we talk about this?

38 Summary You cannot afford to leave your WLANs unprotected
Protecting WLANs is simple Chose the right options for you: SOHO – WPA PSK SMORG-Enterprise – WPA + PEAP (Passwords) LORG-Enterprise – WPA + EAP-TLS (Certs)

39 Resources Securing Wireless LANs with Certificates
Security Wireless LANs with PEAP and Passwords Microsoft Wireless Portal Microsoft Security Solutions IH

40 Microsoft Technical Roadshow 2005
2-days of in-depth technology information Birmingham – May Harrogate – 1-2 June London – 7-8 June Register now at:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "Securing Your Wireless Network"

Similar presentations

Ads by Google