Securing Your Wireless Network. Ian Hellen, Stirling Goetz, Microsoft.

2 Securing Your Wireless Network. Ian Hellen, Stirling Goetz (Microsoft)

3 Agenda
- Wireless LAN security explained
- Secure wireless deployment: components, Microsoft offerings and benefits
- Selecting the right WLAN options
- Microsoft wireless security solutions
- Microsoft IT case study
- WLAN scalability and management

4 Wireless LAN Security
- Many (most?) WLANs have no security or inadequate security
  - 1 in 3 WLANs in major cities unsecured (RSA)
  - But the number of WLANs is growing by 66% each year (RSA)
  - Small businesses making most use of WLANs
- Static WEP (Wired Equivalent Privacy) is easily broken:
  - Tools to generate the required traffic
  - Statistical cryptanalysis breaks keys quickly
- The world is not a nice place:
  - Viruses, worms, trojans, spyware, botnets
  - Hackers, spammers, criminals

5 WEP's Fatal Flaw(s)
Cartoon: two frames encrypted under the same static WEP key come out with an identical ciphertext prefix, "X7!g%k0j37**54bf(jv&8gF…" and "X7!g%k0j37**54bf(jv&8gB)£F..". Captions: "Thank goodness we use encryption!" and "Har-Har! Take that static WEP-man!"
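An added toy example (not from the presentation) of what the cartoon depicts: WEP keys RC4 with the 24-bit IV prepended to the shared key, the IV repeats quickly, and with a key that never changes a repeated IV reuses the whole keystream. The frames, IV and keys below are constructed; headers and ICV are omitted.

```python
# Added example, not from the presentation: a toy of why a static WEP key is
# fatal. WEP keys RC4 with (24-bit IV || shared key); the IV is sent in clear
# and repeats quickly, so with an unchanging key the same keystream is reused,
# which is what the slide's two ciphertexts with an identical prefix depict.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling, then PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, key: bytes, frame: bytes) -> bytes:
    """WEP-style per-frame cipher: frame XOR RC4(IV || key). Headers/ICV omitted."""
    return xor(frame, rc4_keystream(iv + key, len(frame)))

def shared_prefix(c1: bytes, c2: bytes) -> int:
    """Number of leading bytes two ciphertexts have in common."""
    n = 0
    while n < min(len(c1), len(c2)) and c1[n] == c2[n]:
        n += 1
    return n

FRAME_A = b"GET /payroll/index.html HTTP/1.0"   # constructed plaintext frames
FRAME_B = b"GET /payroll/index.html HTTP/1.1"
IV = bytes([0x00, 0x00, 0x01])                  # a 24-bit IV that has repeated

def static_key_leak(key: bytes):
    """Same key, same IV: 31-byte shared prefix, and c1^c2 == p1^p2 (keystream cancels)."""
    c1 = wep_style_encrypt(IV, key, FRAME_A)
    c2 = wep_style_encrypt(IV, key, FRAME_B)
    return shared_prefix(c1, c2), xor(c1, c2) == xor(FRAME_A, FRAME_B)

def dynamic_key_prefix(session_key_1: bytes, session_key_2: bytes) -> int:
    """Dynamic WEP (802.1X re-keying): a fresh per-session key means a fresh keystream."""
    c1 = wep_style_encrypt(IV, session_key_1, FRAME_A)
    c2 = wep_style_encrypt(IV, session_key_2, FRAME_B)
    return shared_prefix(c1, c2)
```

The second function is the reason slide 13 pairs WEP only with 802.1X and periodic re-authentication: re-keying, not a longer static key, is what stops keystream reuse.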

6 How an 802.1X WLAN Works
Diagram: Wireless Client -- Wireless Access Point -- RADIUS (IAS) -- Internal Network
1. Client Connect
2. Client Authentication, Server Authentication, Key Agreement
3. Key Distribution, Authorization
Then: WLAN Encryption on the air link

7 Anatomy of an 802.1X solution
- Authentication
- Authorization
- Data Protection
- Audit

8 802.1X & EAP
The four parts of the anatomy mapped onto the standards:
- Authentication: EAP method (EAP authentication & key management)
- Authorization: 802.1X
- Data Protection (key management, encryption & integrity): Dynamic WEP or WPA
- Audit: RADIUS Accounting

9 Secure Wireless Deployment Components
- Wireless Clients
- Wireless Access Points
  - Radio types: 802.11a/b/g
  - Network authentication: 802.1X, WPA, WPA2/802.11i*
  - Encryption: WEP, TKIP, AES
- RADIUS Server
  - RADIUS
  - EAP/TLS, PEAP-MSCHAPv2
  - Remote Access Policies
- User account database
  - Remote Access permissions
  - Credentials = Passwords
- Certificate Authority (optional)
  - Credentials = Certificates

10 Secure Wireless Deployment Technologies
- Windows XP
  - Windows Wireless Zero Config
  - Native 802.1X, WPA, and soon WPA2*
  - Certificates, Passwords, Smartcards, RSA Token**
  - Wireless group policy
- Any Access Point supporting the 802.11 and 802.1X standards
- Server 2003 IAS
  - EAP/TLS (certificates/smartcard)
  - PEAP (password)
  - Remote access policies
  - RADIUS proxy functions
  - Improved scaling
- Server 2003 Active Directory
  - Wireless group policy
  - User and computer authentication
- Server 2003 Certificate Authority
  - User and computer auto-enrollment

11 Secure Wireless Deployment Benefits
- Windows XP
  - Integrated Windows client
  - Standards-based security, evolving with the industry
  - Seamless sign-on experience
  - Interoperability
- Server 2003 IAS
  - Security
  - Manageability: policy-based access management
  - Scalability: deep and wide
- Server 2003 Active Directory
  - Centralized administration
  - Client configuration
  - Access management
- Server 2003 Certificate Authority
  - Automated client updating

12 Security Best Practices: What NOT to do
- Hidden SSID
  - Does not provide any real security
  - Easily discoverable in well-used environments
  - Windows client experience is impacted
- MAC Filtering
  - Does not scale (NIC management issue)
  - MAC is spoofable
- Shared mode
  - Sounds like more security but is actually worse
  - Not to be confused with Pre-Shared Key (PSK), which is more secure
- Open networks and VPNs
  - Grants everyone access to the wireless segment
  - Great for hotspots, not for your business

13 Security Best Practices: What to do
- Choose an authentication type (EAP type):
  - EAP-TLS with both user and computer certificates
  - PEAP-MS-CHAP v2, and enforce strong user passwords
  - Pre-Shared Key (only with WPA)
- Choose a WLAN data protection method:
  - WPA using TKIP or AES encryption
  - Dynamic WEP using 802.1X, forcing periodic re-authentication (10 mins) to renew keys

14 Wireless Decision Tree
Start -> SOHO network?
- yes -> WPA Pre-Shared Key
- no -> Certificate authentication?
  - yes -> EAP-TLS
  - no -> PEAP
Either way: WPA, or 802.1X Dynamic WEP for legacy devices

15 Configuring WPA-PSK Demonstration

16 WPA Pre-Shared Key
Diagram: Wireless Client -- Wireless Access Point (no RADIUS server)
1. Client Connect
2. Client Authentication, Key Agreement
Then: WLAN Encryption on the air link
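An added example (not from the presentation) of the key behind slides 13 and 16: WPA-PSK derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations (IEEE 802.11i). Every station that knows the passphrase derives the same PMK, which is why the deck restricts PSK to SOHO and insists on a strong passphrase; the policy thresholds in `passphrase_meets_policy` are an assumption, not from the slides.

```python
# Added example, not from the presentation: how WPA Pre-Shared Key turns a
# passphrase into the 256-bit Pairwise Master Key (PMK), per IEEE 802.11i:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# The only salt is the (public) SSID, and every station sharing the passphrase
# derives the same PMK, so passphrase quality is the whole of the security.
import hashlib


def check_passphrase(passphrase: str) -> None:
    """802.11i passphrase rules: 8 to 63 characters, printable ASCII (0x20-0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK (the 256-bit PSK) from passphrase and SSID."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def matches_ieee_test_vector() -> bool:
    """IEEE 802.11i Annex H test case: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_psk_pmk("password", "IEEE").hex() == expected


def passphrase_meets_policy(passphrase: str, min_len: int = 20,
                            min_classes: int = 3) -> bool:
    """Assumed SOHO policy (not from the slides): because the salt is the public
    SSID, a guessable passphrase is cheap to test, so require length and mixed
    character classes on top of the 802.11i rules."""
    try:
        check_passphrase(passphrase)
    except ValueError:
        return False
    classes = sum(any(f(c) for c in passphrase)
                  for f in (str.islower, str.isupper, str.isdigit,
                            lambda c: not c.isalnum()))
    return len(passphrase) >= min_len and classes >= min_classes
```

Changing the SSID changes every station's PMK, so an SSID rename on a PSK network is a full re-provisioning exercise, unlike the per-user keys 802.1X hands out.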

17 Factors Influencing Your Choice
EAP-TLS vs PEAP + MSCHAPv2:
- EAP-TLS: more secure; need to deploy certificates; better interop
- PEAP + MSCHAPv2: simpler; uses passwords (!); less interoperable
WPA vs Dynamic WEP:
- WPA: default choice; better security; may not be supported on older devices and systems (3rd-party WLAN client)
- Dynamic WEP: option for legacy systems (incl. Windows 9x, Windows 2000); can coexist with WPA

18 Microsoft Wireless Solutions: Technology + Prescriptive Guidance
Start -> SOHO network?
- yes -> WPA PSK
- no -> Certificate authentication?
  - yes -> "Securing Wireless LANs with Certificate Services"
  - no -> "Securing Wireless LANs with PEAP & Passwords"

19 WPA & Works
Diagram: Wireless Client -- Wireless Access Point -- RADIUS (IAS) -- Internal Network; the RADIUS server is backed by a Certification Authority and a Directory; WLAN Encryption on the air link

20 Solution Design Head Office

21 Solution Design Large Branch Office

22 Solution Design Small Office

23 Scaling – Scale Up

24 Scaling – Scale Down

25 Extending – Wired Security

26 Extending – VPN

27 Setting up IAS Policies Demonstration

28 Microsoft's Internal Wireless Deployment
- Wireless Clients: 23-30K per day
- Wireless Access Points
  - Network authentication: 802.1X; 300K authentications per day
  - Encryption: dynamic WEP
  - ~ 802.11b Cisco APs; 90 countries, 300+ sites
  - Single SSID
- RADIUS Server
  - Puget Sound: 2 proxy, 4 RADIUS servers
  - Worldwide: 5 proxy/RADIUS servers
  - EAP/TLS
  - Remote Access Policies enforced
- User account database
  - Remote Access permissions
  - Group Policies for configuration
- Certificate Authority
  - User and machine certificates, autoenrolled

29 Microsoft's Future Wireless Deployment
- Wireless Clients: migration to 802.11i (WPA2)
- Wireless Access Points
  - Thin AP / wireless switch architecture
  - Single hardware platform
  - Multiple SSIDs, independent services: voice, guest and corporate network
- RADIUS Servers
  - Independent RADIUS servers for each service
  - Different auth methods for each service
  - Proxies to distribute load
- User account database: multiple ADs to support guests and corporate users
- Certificate Authority: user and machine certificates for corporate services, autoenrolled

30 Best Practices: Scalability (Microsoft RADIUS: Internet Authentication Service, IAS)
- Install at least two IAS RADIUS servers
- For best performance, install IAS on domain controllers
- Use strong RADIUS shared secrets
- Use as many different RADIUS shared secrets as possible
- Use IAS RADIUS proxies to scale authentication traffic
- Use IAS RADIUS proxies for separate account databases

31 RADIUS Architecture Scale up or out

32 Using IAS RADIUS proxies: load balancing of RADIUS traffic
Diagram: Wireless APs -> IAS RADIUS proxies -> IAS servers

33 Using IAS RADIUS proxies: cross-forest authentication
Diagram: Wireless APs -> IAS RADIUS proxies -> IAS servers in Forest 1 and in Forest 2

34 Security Best Practices: Preventing Rogue WLANs
- User education and policy
- Ongoing monitoring
- Don't use hidden SSIDs
- Do use Wireless Group Policy
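An added example (not from the presentation) of the "ongoing monitoring" bullet: a constructed scan of what the radios around a site see is checked against the authorized-AP inventory, flagging unknown radios that advertise the corporate SSID, unknown radios with a strong on-site signal, and authorized APs that have drifted from the WPA policy. The SSID, BSSIDs, RSSI values and thresholds are all constructed or assumed.

```python
# Added example, not from the presentation: audit an AP scan against the
# authorized inventory to spot rogue WLANs. The deployment on slide 28 runs a
# single corporate SSID over 802.1X; anything else using that SSID is suspect.
# SSID, BSSIDs, security labels and RSSI values below are constructed.

CORP_SSID = "CORPNET"                  # constructed corporate SSID
APPROVED_SECURITY = {"WPA", "WPA2"}    # deck's guidance: WPA/WPA2, not open or static WEP
RSSI_INSIDE_DBM = -70                  # assumed: stronger than this means "on site"

# Authorized inventory: BSSID -> SSID it is supposed to advertise (constructed)
INVENTORY = {
    "00:11:22:aa:bb:01": CORP_SSID,
    "00:11:22:aa:bb:02": CORP_SSID,
}

# Constructed scan results: (bssid, ssid, security, rssi_dbm)
SCAN = [
    ("00:11:22:aa:bb:01", "CORPNET", "WPA", -48),   # authorized, compliant
    ("00:11:22:aa:bb:02", "CORPNET", "WEP", -55),   # authorized, but fell back to static WEP
    ("de:ad:be:ef:00:01", "CORPNET", "OPEN", -51),  # unknown radio using our SSID
    ("de:ad:be:ef:00:02", "linksys", "OPEN", -62),  # unknown radio, strong signal
    ("de:ad:be:ef:00:03", "CafeWiFi", "WPA", -88),  # neighbour, weak signal: ignore
]


def audit_scan(scan, inventory, corp_ssid=CORP_SSID,
               approved=APPROVED_SECURITY, inside_dbm=RSSI_INSIDE_DBM):
    """Return (bssid, finding) pairs worth a ticket. An unknown BSSID
    advertising the corporate SSID is the highest priority: it is either an
    unregistered AP plugged into the LAN or an impersonation of the WLAN."""
    findings = []
    for bssid, ssid, security, rssi in scan:
        if bssid in inventory:
            if ssid != inventory[bssid]:
                findings.append((bssid, "authorized AP advertising unexpected SSID"))
            if security not in approved:
                findings.append((bssid, f"authorized AP using {security}, policy requires WPA"))
        elif ssid == corp_ssid:
            findings.append((bssid, "unknown AP advertising corporate SSID"))
        elif rssi > inside_dbm:
            findings.append((bssid, "unknown AP with strong signal on site"))
    return findings
```

Because the deck recommends against hidden SSIDs, the corporate SSID is expected in every beacon, which is exactly what lets this check tell an impostor from an authorized AP by BSSID alone.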

35 Best Practices: Management
- Use the Wireless Network (IEEE 802.11) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID
- If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group
- Use certificate auto-enrollment for computer certificates
- Use certificate auto-enrollment for user certificates
- See "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure"

36 Wireless Group Policy Demonstration

37 Wireless Provisioning Service (WPS)
- Automatically provisions wireless accounts and configures client network settings for WiFi access
  - Wireless ISP hotspots and roaming contracts
  - Enterprise guest access for visitors: secure, auditable and user-friendly guest access
- Components built into Windows XP SP2 and Windows Server 2003 SP1, configurable via a downloadable tool
- Guidance available online

38 Aligning with other security initiatives
- Network Health Compliance
  - Lays down both the network infrastructure and ID management elements needed for NAP (Network Access Protection)
  - Preserves investment in infrastructure
  - RADIUS is the center of policy making, enforcement and access control for Secure Wireless and NAP
- Single sign-on
- Secure Network Segmentation
  - IPSec and 802.1X work together to provide a defense-in-depth strategy
  - 802.1X: hard outside, offers isolation
  - IPSec: hard inside, offers resource protection

39 Summary
- You cannot afford to leave your WLANs unprotected
- Protecting WLANs is simple
- Choose the right options for you:
  - SOHO: WPA PSK
  - SMORG-Enterprise: WPA + PEAP (passwords)
  - LORG-Enterprise: WPA + EAP-TLS (certs)

40 Resources
- Securing Wireless LANs with Certificates
- Securing Wireless LANs with PEAP and Passwords
- Microsoft Wireless Portal
- Microsoft Security Solutions

41 Microsoft Technical Roadshow: days of in-depth technology information
- Birmingham: May
- Harrogate: 1-2 June
- London: 7-8 June
Register now at:

42 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
