Implementing Security for Wireless Networks




Action Items for this session
- Learn something!
- Take notes!
- Fill out that evaluation. I love to see your comments and we want to make these better!
- Most important: Have fun today!

Why should you care about wireless security?
Because 31337 h4x0r like this: are equipping vehicles like this: and using tools like these: to get info about your WLAN: so they crack it and gain access: so they can ØwN jøØ like this:

They have their own convention!

Agenda
- Overview of Wireless Solutions
- Securing a Wireless Network
- Implementing a WLAN Using Password Authentication
- Configuring Wireless Network Infrastructure Components
- Configuring Wireless Network Clients

Identifying the Need to Secure a Wireless Network
When designing security for a wireless network, consider:
- Network authentication and authorization
- Data protection
- Wireless access point configuration
- Security management

The abuse is growing!

Common Threats to Wireless Networks
Security threats include:
1. Disclosure of confidential information
2. Unauthorized access to data
3. Impersonation of an authorized client
4. Interruption of the wireless service
5. Unauthorized access to the Internet
6. Accidental threats
7. Unsecured home wireless setups
8. Unauthorized WLAN implementations

Understanding the Standards and Technologies
Standard: Description
- 802.11: A base specification that defines the transmission concepts for Wireless LANs
- 802.11a: Transmission speeds up to 54 megabits per second (Mbps)
- 802.11b: 11 Mbps; good range
- 802.11g: 54 Mbps; shorter ranges than 802.11b
- 802.11i (WPA2): Establishes a standard authentication and encryption process for wireless networks
- 802.1X: A standard that defines a port-based access control mechanism of authenticating access to a network and, as an option, for managing keys used to protect traffic

Implementation Options
Wireless network implementation options include:
- Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
- Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
- Wireless network security using Certificate Services

Choose the right solution
Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Typical environment: Small Office/Home Office (SOHO)
  Additional infrastructure components required? None
  Certificates used for client authentication: NO
  Passwords used for client authentication: YES. Uses WPA encryption key to authenticate to network
  Typical data encryption method: WPA
Password-based wireless network security
  Typical environment: Small to medium organization
  Additional infrastructure components required? Internet Authentication Services (IAS); certificate required for the IAS server
  Certificates used for client authentication: NO. However, a certificate is issued to validate the IAS server
  Passwords used for client authentication: YES
  Typical data encryption method: WPA or Dynamic WEP
Certificate-based wireless network security
  Typical environment: Medium to large organization
  Additional infrastructure components required? Internet Authentication Services (IAS); Certificate Services
  Certificates used for client authentication: YES
  Passwords used for client authentication: NO. Certificates used but may be modified to require passwords
  Typical data encryption method: WPA or Dynamic WEP


Effective Authentication and Authorization
Standard: Description
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses public key certificates to authenticate clients
- Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
- Tunneled Transport Layer Security (TTLS): A two-stage authentication method similar to PEAP. Microsoft does not support this method

Protecting WLAN Data Transmissions
Wireless data encryption standards in use today include:
- Wired Equivalent Privacy (WEP)
  - Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  - Compatible with most hardware and software devices
  - How is this a wired equivalent?! Trust me: WEP sucks!
- Wi-Fi Protected Access (WPA/WPA2)
  - Changes the encryption key with each packet
  - Uses a longer initialization vector
  - Adds a signed message integrity check value
  - Incorporates an encrypted frame counter
  - WPA uses TKIP, WPA2 uses AES

System Requirements for 802.1X
Components: Requirements
- Client devices: Windows XP and Pocket PC 2003 provide built-in support. Microsoft provides an 802.1X client for Windows 2000 operating systems
- RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
- Wireless access points: At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption

Guidelines for Securing Wireless Networks
- Require data protection for all wireless communications
- Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
- Use tools to locate and shut down rogue access points on your corporate network:
  - Over the Air: Disassociation attack on rogue APs
  - Over the Wire: Automatic switch port shutdown
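
Added example, not part of the original slides: a Python check of client WLAN profiles against the guidelines above (data protection required, 802.1X required, no static WEP or pre-shared keys on the corporate WLAN). It assumes profiles in the XML form written by "netsh wlan export profile" on later Windows versions; the sample profiles and the names audit_profile, sample_profile and audit_all are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile schema used by exported Windows profiles.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def audit_profile(xml_text):
    """Return a list of findings for one exported WLAN profile (empty = compliant)."""
    root = ET.fromstring(xml_text)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    if ae is None:
        return ["no authEncryption element: cannot assess profile"]
    auth = ae.findtext("w:authentication", "", NS).strip()
    enc = ae.findtext("w:encryption", "", NS).strip()
    onex = ae.findtext("w:useOneX", "false", NS).strip().lower() == "true"
    findings = []
    if enc == "none":
        findings.append("no data protection (encryption is none)")
    if not onex:
        findings.append("802.1X not required (useOneX is false)")
    if enc == "WEP":
        # The slides accept dynamic WEP with 802.1X; it is still reported as legacy.
        findings.append("dynamic WEP (legacy)" if onex else "static WEP key")
    if auth.endswith("PSK"):
        findings.append("pre-shared key instead of per-user credentials")
    return findings

def sample_profile(ssid, auth, enc, onex):
    # Constructed sample input, reduced to the elements the audit reads.
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

SAMPLES = {  # constructed profiles; CONTOSO is the placeholder SSID from the slides
    "CONTOSO": sample_profile("CONTOSO", "WPA", "TKIP", "true"),
    "CONTOSO-WEP": sample_profile("CONTOSO-WEP", "open", "WEP", "true"),
    "LAB": sample_profile("LAB", "open", "WEP", "false"),
    "GUEST": sample_profile("GUEST", "WPAPSK", "TKIP", "false"),
}

def audit_all(profiles):
    return {name: audit_profile(xml) for name, xml in profiles.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```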


Components for PEAP-MS-CHAP v2
Components: Explanation
- Wireless Client
  - Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption
  - User and computer accounts are created in the domain
- Wireless Access Point
  - Must support 802.1X and dynamic WEP or WPA encryption
  - The wireless access point and RADIUS server have a shared secret to enable them to securely identify each other
- RADIUS/IAS Server
  - Uses Active Directory to verify the credentials of WLAN clients
  - Makes authorization decisions based upon an access policy
  - May also collect accounting and audit information
  - Certificate installed to provide server authentication


Preparing the Environment
- Install the WLAN Scripts using: Microsoft WLAN-PEAP.msi
- Install the additional tools on the IAS servers:
  - Group Policy Management Console
  - CAPICOM
  - DSACLs.exe

Configuring the Certification Authority
- The CA is used to issue Computer Certificates to the IAS Servers
- To install Certificate Services, log on with an account that is a member of:
  - Enterprise Admins
  - Domain Admins
- Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
  - Auto enrollment of certificates to both computers and users
  - Version 2 certificate templates
  - Editable certificate templates
  - Archival of keys

Reviewing the CA Installation Parameters
- Certificate Templates Available: Computer (Machine)
- Drive and path of CA request files: C:\CAConfig
- Length of CA Key: 2048 bits
- Validity Period: 25 years
- Validity Period of Issued Certificates: 2 years
- CRL Publishing Interval: 7 days
- CRL Overlap Period: 4 days

Installing the Certification Authority
1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSSetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig
You can do all this in the GUI... but why?

Configuring the Certification Authority (demo)
- Install CA
- Configuring Post-Installation Settings
- Importing the Automatic Certificate Request GPO
- Verifying the Configuration

Configuring IAS
Internet Authentication Service (IAS) uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.
IAS configuration categories include:
- IAS Server Settings
- IAS Access Policies
- RADIUS Logging

Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
- IAS Logging to Windows Event Log
- IAS RADIUS Logging
- Remote Access Policy
- Remote Access Policy Profile
Are we going to script this?! Yes Sir!!!

Configuring the IAS Server (demo)
- Validating the IAS Environment
- Verifying IAS Server Certificate Deployment
- Post-Installation Configuration Tasks
- Modifying the WLAN Access Policy Profile Settings
- Verifying the Connection Request Policy for WLAN
- Exporting the IAS Settings

WAP Configuration Parameters
Configure the basic network settings such as:
- IP configuration of the access point
- Friendly name of the access point
- Wireless network name (SSID)
Typical settings for a wireless access point include:
- Authentication parameters
- Encryption parameters
- RADIUS authentication
- RADIUS accounting

Wireless Access Point Configuration (demo)
- Adding Access Points to the Initial IAS Server
- Configuring Wireless Access Points


Controlling WLAN Access Using Security Groups
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.
Security Group: Default Members
- Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
- Wireless LAN Users: Domain Users
- Wireless LAN Computers: Domain Computers

Reviewing WLAN Client Parameters
Parameter: Setting
- Group to allow WLAN access: Wireless LAN Access
- Group to allow WLAN access for users: Wireless LAN Users
- Group to allow WLAN access for computers: Wireless LAN Computers
- WLAN GPO Name: WLAN Client Settings
- GPO filtering security group: Wireless LAN Computer Settings
- Wireless network policy name: Windows XP WLAN Client Settings (PEAP-WEP)
- WLAN network name (SSID): CONTOSO (change this to your SSID)
- EAP type: PEAP
- PEAP authentication method: Secured Password (EAP-MSCHAP v2)
- PEAP fast reconnect: Enabled

Creating the WLAN Client Settings GPO (demo)
- Create a WLAN Client GPO Using the GPMC

Session Summary
There are bad people out there who want your WLAN, but you can deploy it securely!
- Determine your organization's wireless requirements
- Require 802.1X authentication
- Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
- Use the scripts provided by the PEAP and Passwords solution
- Use security groups and Group Policy to control WLAN client access
(...and stop kidding yourself with WEP)

Questions and Answers

Go away for 15 minutes