Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services."— Presentation transcript:

1 Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services

2 Session Prerequisites Hands-on experience with Microsoft ® Windows ® server and client operating systems and Active Directory ® Basic understanding of wireless LAN technology Basic understanding of Microsoft ® Certificate Services Basic understanding of RADIUS and remote access protocols Level 300

3 Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

4 When designing security for a wireless network consider: Network authentication and authorization Data protection Wireless access point configuration Security management Network authentication and authorization Data protection Wireless access point configuration Security management Identifying the Need to Secure a Wireless Network

5 Common Security Threats to Wireless Networks Security Threats Include: Disclosure of confidential information Unauthorized access to data Impersonation of an authorized client Interruption of the wireless service Unauthorized access to the Internet Accidental threats Unsecured home wireless setups Unauthorized WLAN implementations Disclosure of confidential information Unauthorized access to data Impersonation of an authorized client Interruption of the wireless service Unauthorized access to the Internet Accidental threats Unsecured home wireless setups Unauthorized WLAN implementations

6 Understanding Wireless Network Standards and Technologies StandardDescription 802.11 A base specification that defines the transmission concepts for Wireless LANs 802.11a Transmission speeds up to 54 megabits (Mbps) per second 802.11b 11 Mbps Good range but susceptible to radio signal interference 802.11g 54 Mbps Shorter ranges than 802.11b 802.1X - a standard that defines a port-based access control mechanism of authenticating access to a network and, as an option, for managing keys used to protect traffic

7 Wireless Network Implementation Options Wireless network implementation options include: Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK) Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords Wireless network security using Certificate Services Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK) Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords Wireless network security using Certificate Services

8 Choosing the Appropriate Wireless Network Solution Wireless Network Solution Typical Environment Additional Infrastructure Components Required? Certificates Used for Client Authentication Passwords Used for Client Authentication Typical Data Encryption Method Wi-Fi Protected Access with Pre- Shared Keys (WPA-PSK) Small Office/Home Office (SOHO) NoneNO YES Uses WPA encryption key to authenticate to network WPA Password-based wireless network security Small to medium organization Internet Authentication Services (IAS) Certificate required for the IAS server NO However, a certificate is issued to validate the IAS server YES WPA or Dynamic WEP Certificate-based wireless network security Medium to large organization Internet Authentication Services (IAS) Certificate Services YES NO Certificates used but may be modified to require passwords WPA or Dynamic WEP

9 Securing a Wireless Network Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

10 Understanding Elements of WLAN Security To effectively secure a wireless network consider: Authentication of the person or device connecting to the wireless network Authorization of the person or device to use the WLAN Protection of the data transmitted over the WLAN Authentication of the person or device connecting to the wireless network Authorization of the person or device to use the WLAN Protection of the data transmitted over the WLAN Audit WLAN Access

11 Providing Effective Authentication and Authorization StandardDescription Extensible Authentication Protocol- Transport Layer Security (EAP-TLS) Uses public key certificates to authenticate clients Protected Extensible Authentication Protocol-Microsoft-Challenge Handshake Authentication Protocol v2 (PEAP-MS- CHAP v2) A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication Tunneled Transport Layer Security (TTLS) A two-stage authentication method similar to PEAP Microsoft does not support this method

12 Protecting WLAN Data Transmissions Wireless data encryption standards in use today include: Wired Equivalent Privacy (WEP) Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity Compatible with most hardware and software devices Wi-Fi Protected Access (WPA) Changes the encryption key with each packet Uses a longer initialization vector Adds a signed message integrity check value Incorporates an encrypted frame counter Wired Equivalent Privacy (WEP) Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity Compatible with most hardware and software devices Wi-Fi Protected Access (WPA) Changes the encryption key with each packet Uses a longer initialization vector Adds a signed message integrity check value Incorporates an encrypted frame counter

13 Alternative Approaches to Encrypt WLAN Traffic Alternatives used to protect WLAN traffic include the use of: Virtual Private Network (VPN) Internet Protocol Security (IPSec) Virtual Private Network (VPN) Internet Protocol Security (IPSec)

14 System Requirements for Implementing 802.1X ComponentsRequirements Client devices Windows XP and Pocket PC 2003 provide built-in support Microsoft provides an 802.1X client for Windows 2000 operating systems RADIUS/IAS and certificate servers Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported Wireless access points At a minimum, should support 802.1X authentication and 128- bit WEP for data encryption

15 Guidelines for Securing Wireless Networks Use software scanning tools to locate and shut down rogue WLANs on your corporate network Require data protection for all wireless communications Require 802.1X authentication to help prevent spoofing, freeloading, and accidental threats to your network

16 Implementing a Wireless Network Using Password Authentication Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

17 The Components Required to Implement PEAP-MS-CHAP v2 ComponentsExplanation Wireless Client Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption User and computers accounts are created in the domain Wireless Access Point Must support 802.1X and dynamic WEP or WPA encryption The wireless access point and RADIUS server have a shared secret to enable them to securely identify each other RADIUS/IAS Server Uses Active Directory to verify the credentials of WLAN clients Makes authorization decisions based upon an access policy May also collect accounting and audit information Certificate installed to provide server authentication

18 Platform Support Availability Security Requirements Scalability Extensibility Standards Conformance Design Criteria for the PEAP-MS- CHAP v2 Solution

19 How 802.1X with PEAP and Passwords Works Wireless Access Point Wireless ClientRadius (IAS) Internal Network WLAN Encryption 4 4 5 5 1 1 Client Connect 3 3 Key Distribution Authorization 2 2 Client Authentication Server Authentication Key Agreement

20 Identifying the Services for the PEAP WLAN Network Branch Office Headquarters WLAN Clients Domain Controller (DC) RADIUS (IAS) Certification Authority (CA) DHCP Services (DHCP) DNS Services (DNS) DHCP IAS/DNS/DC LAN Access Points IAS/CA/DC IAS/DNS/DC Primary Secondary Primary Secondary WLAN Clients

21 Configuring Wireless Network Infrastructure Components Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

22 Configuring the Network Certification Authority The CA is used to issue Computer Certificates to the IAS Servers To install Certificate Services, log on with an account that is a member of: –Enterprise Admins –Domain Admins Consider that Certificate Services in Window Server 2003 Standard Edition does not provide: –Auto enrollment of certificates to both computers and users –Version 2 certificate templates –Editable certificate templates –Archival of keys

23 Reviewing the Certification Authority Installation Parameters Validity Period of Issued Certificates: 2 years Validity Period: 25 years Drive and path of CA request files: C:\CAConfig Length of CA Key: 2048 bits CRL Publishing Interval: 7 days CRL Overlap Period: 4 days Certificate Templates Available: Computer (Machine)

24 Configuring Internet Authentication Services (IAS) IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies. IAS configuration categories include: IAS Server Settings IAS Access Policies RADIUS Logging IAS Server Settings IAS Access Policies RADIUS Logging

25 Reviewing IAS Configuration Parameters IAS parameters that are to be configured include: Remote Access Policy Profile IAS RADIUS Logging Remote Access Policy IAS Logging to Windows Event Log

26 Configuring Wireless Access Points Run MssTools AddRadiusClient 1 1 Configure the Wireless Access Points 3 3 Run MssTools AddSecRadiusClients 2 2

27 Wireless Access Point Configuration Parameters Configure the basic network settings such as : IP configuration of the access point Friendly name of the access point Wireless network name (SSID) IP configuration of the access point Friendly name of the access point Wireless network name (SSID) Typical Settings for a Wireless Access Point include: Authentication parameters Encryption parameters RADIUS authentication RADIUS accounting Authentication parameters Encryption parameters RADIUS authentication RADIUS accounting

28 Configuring Wireless Network Clients Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

29 Controlling WLAN Access Using Security Groups Security GroupDefault Members Wireless LAN Access Wireless LAN Users Wireless LAN Computers Wireless LAN UsersDomain Users Wireless LAN Computers Domain Computers IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy

30 Install required patches and updates 1 1 Deploy the WLAN settings 3 3 Create the WLAN client GPO using GPMC 2 2 Configuring Windows XP WLAN Clients

31 Troubleshooting Wireless Network Problems Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

32 Troubleshooting Procedures Classify the type of problem that you are experiencing into one of the following categories: Client connection problems Performance problems Computer authentication failure User authentication failure Client connection problems Performance problems Computer authentication failure User authentication failure

33 Diagnosing Client Connection Problems Check the IAS servers Check Active Directory and network services Check client computer Check the access point configuration settings Check WAN connectivity Check the Certificate Authority Check the user/computer account

34 Diagnosing Performance Problems Performance problems can be diagnosed by performing the following tasks : Use Performance Monitor to identify heavily loaded IAS servers Verify that access points are configured to use the closest primary IAS server Revisit the WLAN network design for incorrect access point placement Client re-authentication may take up to 60 seconds Use Performance Monitor to identify heavily loaded IAS servers Verify that access points are configured to use the closest primary IAS server Revisit the WLAN network design for incorrect access point placement Client re-authentication may take up to 60 seconds

35 User or Computer Account Authentication Problems Authentication problems may be the result of: The RAS dial-in permission is set to deny The account is not a member of the WLAN access group IAS authentication issues The account is incorrect, disabled, or locked out

36 Troubleshooting Tools and Techniques ToolDescription Network Connections Folder Provides information about the state of authentication, signal strength, and the IP Address configuration Tracing on the client computer Provides detailed information about the EAP authentication process IAS event logging and Event Viewer Allows you to view IAS authentication attempts in the system event log IAS tracingAllows you to troubleshoot complex problems for specific IAS components System Monitor counters Allows you to determine how efficiently your server uses IAS and to identify potential performance problems

37 Best Practices Overview of Wireless Solutions Securing a Wireless Network Implementing a Wireless Network Using Password Authentication Configuring Wireless Network Infrastructure Components Configuring Wireless Network Clients Troubleshooting Wireless Network Problems Best Practices

38 Best Practices for Implementing Secure Wireless Networks Understand WLAN prerequisites Choose a client configuration strategy Determine traffic encryption requirements Determine software settings for 802.1X WLANs Determine availability requirements

39 Session Summary Use the scripts provided by the PEAP and Passwords solution Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure Determine your organization’s wireless requirements Require 802.1X authentication Use security groups and Group Policy to control WLAN client access Use troubleshooting tools such as client and IAS tracing

40 Next Steps Where to find this guidance: –Securing Wireless LANs with Certificate Services http://go.microsoft.com/fwlink/?LinkId=14843 –Security Wireless LANs with PEAP and Passwords http://www.microsoft.com/technet/security/topics/cryptographyetc/ peap_0.mspx Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx Sign up for security communications: http://www.microsoft.com/technet/security/signup/ default.mspx Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/ default.mspx Get additional security tools and content: http://www.microsoft.com/security/guidance http://www.microsoft.com/wifi

41 Questions and Answers

42

Download ppt "Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services."

Similar presentations

1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Implementing Security for Wireless Networks Presenter Name Job Title Company.

Implementing Security for Wireless Networks Presenter Name Job Title Company.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.

Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.

Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.
Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.

Hands-On Microsoft Windows Server 2003 Networking Chapter 1 Windows Server 2003 Networking Overview.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Similar presentations

Ads by Google