Implementing Security for Wireless Networks
Posted 18-Dec-2015 (Category: Documents)

Transcript of Implementing Security for Wireless Networks

Implementing Security for Wireless Networks
Presenter Name
Job Title
Company
Session Prerequisites
• Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®
• Basic understanding of wireless LAN technology
• Basic understanding of Microsoft® Certificate Services
• Basic understanding of RADIUS and remote access protocols
Level 300
Agenda
• Overview of Wireless Solutions
• Securing a Wireless Network
• Implementing a Wireless Network Using Password Authentication
• Configuring Wireless Network Infrastructure Components
• Configuring Wireless Network Clients
Identifying the Need to Secure a Wireless Network
When designing security for a wireless network, consider:
• Network authentication and authorization
• Data protection
• Wireless access point configuration
• Security management
Common Security Threats to Wireless Networks
The abuse of wireless networks is growing!
Security threats include:
• Disclosure of confidential information
• Unauthorized access to data
• Impersonation of an authorized client
• Interruption of the wireless service
• Unauthorized access to the Internet
• Accidental threats
  • Unsecured home wireless setups
  • Unauthorized WLAN implementations
Understanding Wireless Network Standards and Technologies
Standard: Description
802.11: A base specification that defines the transmission concepts for wireless LANs
802.11a: Transmission speeds up to 54 megabits per second (Mbps)
802.11b: 11 Mbps; good range, but susceptible to radio signal interference
802.11g: 54 Mbps; shorter range than 802.11b
802.1X: A standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing the keys used to protect traffic
Wireless Network Implementation Options
Wireless network implementation options include:
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
• Wireless network security using Certificate Services
Choose the Appropriate Wireless Network Solution

Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Typical environment: Small Office/Home Office (SOHO)
  Additional infrastructure components required: None
  Certificates used for client authentication: No
  Passwords used for client authentication: Yes (uses the WPA encryption key to authenticate to the network)
  Typical data encryption method: WPA

Password-based wireless network security
  Typical environment: Small to medium organization
  Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
  Certificates used for client authentication: No (however, a certificate is issued to validate the IAS server)
  Passwords used for client authentication: Yes
  Typical data encryption method: WPA or dynamic WEP

Certificate-based wireless network security
  Typical environment: Medium to large organization
  Additional infrastructure components required: Internet Authentication Service (IAS); Certificate Services
  Certificates used for client authentication: Yes
  Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
  Typical data encryption method: WPA or dynamic WEP
Agenda: Securing a Wireless Network
Understanding Elements of WLAN Security
To effectively secure a wireless network, consider:
• Authentication of the person or device connecting to the wireless network
• Authorization of the person or device to use the WLAN
• Protection of the data transmitted over the WLAN
• Audit of WLAN access
Providing Effective Authentication and Authorization
Standard: Description
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses public key certificates to authenticate clients
Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
Tunneled Transport Layer Security (TTLS): A two-stage authentication method similar to PEAP; Microsoft does not support this method
Protecting WLAN Data Transmissions
Wireless data encryption standards in use today include:
• Wired Equivalent Privacy (WEP)
  • Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  • Compatible with most hardware and software devices
  • (How is this a “wired equivalent”?! Trust me: WEP sucks) http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• Wi-Fi Protected Access (WPA)
  • Changes the encryption key with each packet
  • Uses a longer initialization vector
  • Adds a signed message integrity check value
  • Incorporates an encrypted frame counter
  • (Use WPA if you are serious about security)
Alternative Approaches to Encrypt WLAN Traffic
Alternatives used to protect WLAN traffic include the use of:
• Virtual Private Network (VPN)
• Internet Protocol Security (IPSec)
System Requirements for Implementing 802.1X
Component: Requirements
Client devices: Windows XP and Pocket PC 2003 provide built-in support; Microsoft provides an 802.1X client for Windows 2000 operating systems
RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
Wireless access points: At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption
Guidelines for Securing Wireless Networks
• Require data protection for all wireless communications
• Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
• Use software scanning tools to locate and shut down rogue access points on your corporate network
Agenda: Implementing a Wireless Network Using Password Authentication
Components Required to Implement PEAP-MS-CHAP v2
Component: Explanation
Wireless client:
• Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption
• User and computer accounts are created in the domain
Wireless access point:
• Must support 802.1X and dynamic WEP or WPA encryption
• The wireless access point and RADIUS server have a shared secret to enable them to securely identify each other
RADIUS/IAS server:
• Uses Active Directory to verify the credentials of WLAN clients
• Makes authorization decisions based upon an access policy
• May also collect accounting and audit information
• Certificate installed to provide server authentication
Design Criteria for PEAP-MS-CHAP v2 Solution
• Security requirements
• Scalability
• Availability
• Platform support
• Extensibility
• Standards conformance
How 802.1X with PEAP and Passwords Works
[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS), Internal Network]
1. Client connect
2. Client authentication, server authentication, key agreement
3. Key distribution
4. WLAN encryption
5. Authorization
Identifying the Services for the PEAP WLAN Network
[Diagram: Headquarters and Branch Office]
Services: Domain Controller (DC), RADIUS (IAS), Certification Authority (CA), DHCP Services (DHCP), DNS Services (DNS)
Headquarters: WLAN clients, access points, LAN, primary server (IAS/CA/DC), secondary server (IAS/DNS/DC)
Branch Office: WLAN clients, access points, LAN, DHCP, IAS/DNS/DC server
Agenda: Configuring Wireless Network Infrastructure Components
Preparing the Environment
• Install the WLAN scripts using Microsoft WLAN-PEAP.msi
• Install the additional tools on the IAS servers:
  • Group Policy Management Console
  • CAPICOM
  • DSACLs.exe
The .MSI is on the DVD you’ll get today!

Demo: Preparing the Environment
• Creating Security Groups
• Installing CAPICOM
Configuring the Network Certification Authority
The CA is used to issue computer certificates to the IAS servers. To install Certificate Services, log on with an account that is a member of:
• Enterprise Admins
• Domain Admins
Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
• Auto-enrollment of certificates to both computers and users
• Version 2 certificate templates
• Editable certificate templates
• Archival of keys
Reviewing the Certification Authority Installation Parameters
Certificate templates available: Computer (Machine)
Drive and path of CA request files: C:\CAConfig
Length of CA key: 2048 bits
Validity period: 25 years
Validity period of issued certificates: 2 years
CRL publishing interval: 7 days
CRL overlap period: 4 days
Installing the Certification Authority
1. Run MSSsetup CheckCAenvironment
2. Run MSSsetup InstallCA
3. Run MSSsetup VerifyCAInstall
4. Run MSSsetup ConfigureCA
5. Run MSSSetup ImportAutoenrollGPO
6. Run MSSsetup VerifyCAConfig
(*You can do all this in the GUI… but why?)

Demo: Installing the Certification Authority
• Configuring the Certification Authority
• Configuring Post-Installation Settings
• Importing the Automatic Certificate Request GPO
• Verifying the Configuration
Configuring Internet Authentication Service (IAS)
IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.
IAS configuration categories include:
• IAS server settings
• IAS access policies
• RADIUS logging
Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
• IAS logging to Windows Event Log
• IAS RADIUS logging
• Remote access policy
• Remote access policy profile
Installing the IAS Server
1. Run MSSsetup CheckIASEnvironment
2. Run MSSsetup InstallIAS
3. Register the IAS server in Active Directory
4. Restart the server to automatically enroll the IAS server certificate
5. Configure logging and the remote access policy
6. Export the IAS settings to be imported on another server

Demo: Installing the IAS Server
• Configuring the IAS Server
• Validating the IAS Environment
• Verifying IAS Server Certificate Deployment
• Post-Installation Configuration Tasks
• Modifying the WLAN Access Policy Profile Settings
• Verifying the Connection Request Policy for WLAN
• Exporting the IAS Settings
Configuring Wireless Access Points
1. Run MssTools AddRadiusClient
2. Run MssTools AddSecRadiusClients
3. Configure the wireless access points
Wireless Access Point Configuration Parameters
Configure the basic network settings such as:
• IP configuration of the access point
• Friendly name of the access point
• Wireless network name (SSID)
Typical settings for a wireless access point include:
• Authentication parameters
• Encryption parameters
• RADIUS authentication
• RADIUS accounting

Demo: Configuring Wireless Access Points
• Wireless Access Point Configuration
• Adding Access Points to the Initial IAS Server
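The RADIUS shared secret that AddRadiusClient registers for each access point is what lets the access point and the IAS server identify each other on the access point-to-RADIUS leg of the exchange (the "Components Required" slide) and what the RADIUS authentication settings on the access point carry. The added example below is not from the deck or from Microsoft's scripts; it is a minimal RADIUS packet builder showing the two checks that depend on that secret, as RFC 2865 and RFC 2869 define them: the Message-Authenticator that IAS verifies on an EAP Access-Request, and the Response Authenticator that the access point verifies on the Access-Accept or Access-Reject. The secret, identity and identifier values are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ZERO_MAC = bytes(16)


def encode_attr(attr_type, value):
    """Attribute = Type(1) Length(1, includes this 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(secret, identifier, request_auth, attrs):
    """Access-Request as the access point sends it. The Request Authenticator is
    random; the Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 keyed with the
    shared secret over the packet with this attribute's own value zeroed. EAP over
    RADIUS requires it, so every 802.1X request carries proof the AP knows the secret."""
    attrs = list(attrs) + [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO_MAC)]
    pkt = build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(secret, pkt):
    """Server-side (IAS) check: recompute the HMAC with the attribute value zeroed."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > len(pkt):
            return False                              # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:pos + 2] + ZERO_MAC + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return False                                      # absent: reject EAP requests


def build_response(secret, code, identifier, request_auth, attrs):
    """Access-Accept/Reject. Response Authenticator (RFC 2865 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(secret, response, request_auth):
    """Access point side: only trust a reply whose authenticator binds it to our
    request and to the shared secret."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo(ap_secret=b"constructed-shared-secret", ias_secret=b"constructed-shared-secret"):
    """One AP -> IAS -> AP round trip; a mismatched pair of secrets (a typo when
    adding the RADIUS client) makes both checks fail. All values are constructed."""
    request_auth = os.urandom(16)
    identity = b"NORTHWIND\\alice"
    # EAP-Response/Identity: Code 2, Id 1, Length, Type 1 (Identity), identity string
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    req = build_access_request(ap_secret, 7, request_auth, [
        encode_attr(ATTR_USER_NAME, identity),
        encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        encode_attr(ATTR_EAP_MESSAGE, eap),
    ])
    request_ok = verify_message_authenticator(ias_secret, req)
    code = ACCESS_ACCEPT if request_ok else ACCESS_REJECT
    resp = build_response(ias_secret, code, 7, request_auth, [])
    return {
        "ias_accepts_request": request_ok,
        "ap_trusts_response": verify_response(ap_secret, resp, request_auth),
        "response_code": code,
    }


if __name__ == "__main__":
    print("matching secrets :", demo())
    print("mismatched secret:", demo(ias_secret=b"mistyped-secret"))
```

In production IAS logs a request from an unknown client or with a bad Message-Authenticator rather than answering it, so the symptom of a mistyped secret is a client that never gets past the 802.1X exchange; checking the IAS event log is faster than re-entering the secret on the access point.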
Agenda: Configuring Wireless Network Clients
Controlling WLAN Access Using Security Groups
Security group: Default members
Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
Wireless LAN Users: Domain Users
Wireless LAN Computers: Domain Computers
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.
Configuring Windows XP WLAN Clients
1. Install required patches and updates
2. Create the WLAN client GPO using GPMC
3. Deploy the WLAN settings
Reviewing WLAN Client Parameters
Parameter: Setting
Group to allow WLAN access: Wireless LAN Access
Group to allow WLAN access for users: Wireless LAN Users
Group to allow WLAN access for computers: Wireless LAN Computers
WLAN GPO name: WLAN Client Settings
GPO filtering security group: Wireless LAN Computer Settings
Wireless network policy name: Windows XP WLAN Client Settings (PEAP-WEP)
WLAN network name (SSID): Northwind (change this to your SSID)
EAP type: PEAP
PEAP authentication method: Secured Password (EAP-MSCHAP v2)
PEAP fast reconnect: Enabled
Demo: Creating the WLAN Client Settings GPO
• Create a WLAN Client GPO Using the GPMC
Session Summary
There are bad people out there who want your WLAN, but you can deploy this securely!
• Determine your organization’s wireless requirements
• Require 802.1X authentication
• Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
• Use the scripts provided by the PEAP and Passwords solution
• Use security groups and Group Policy to control WLAN client access