Securing Your Wireless Network
Ian Hellen, Stirling Goetz (Microsoft)

Agenda
- Wireless LAN security explained
- Secure wireless deployment: components, Microsoft offerings and benefits
- Selecting the right WLAN options
- Microsoft wireless security solutions
- Microsoft IT case study
- WLAN scalability and management
Wireless LAN Security
- Many (most?) WLANs have no security or inadequate security
  - 1 in 3 WLANs in major cities unsecured (RSA)
  - But the number of WLANs is growing by 66% each year (RSA)
  - Small businesses making most use of WLANs
- Static WEP (Wired Equivalent Privacy) is easily broken:
  - Tools to generate the required traffic
  - Statistical cryptanalysis breaks keys quickly
- The world is not a nice place:
  - Viruses, worms, trojans, spyware, botnets
  - Hackers, spammers, criminals

WEP's Fatal Flaw(s)
[Cartoon: the user says "Thank goodness we use encryption!" while the eavesdropper, reading the captured encrypted frames, says "Har-Har! Take that static WEP-man!"]
How an 802.1X WLAN Works
[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS), Internal Network]
1. Client connect
2. Client authentication and server authentication
3. Authorization
4. Key distribution (RADIUS server to access point) and key agreement (access point and client)
5. WLAN encryption

Anatomy of an 802.1X solution
- Authentication and key management: 802.1X, EAP, EAP method
- Authorization
- Data protection (encryption and integrity): WPA, or dynamic WEP
- Audit: RADIUS accounting
Secure Wireless Deployment: Components
- Wireless clients and wireless access points
  - Radio types: 802.11 a/b/g
  - Network authentication: 802.1X, WPA, WPA2/802.11i*
  - Encryption: WEP, TKIP, AES
- RADIUS server
  - RADIUS
  - EAP/TLS, PEAP-MSCHAPv2
  - Remote access policies
- User account database
  - Remote access permissions
  - Credentials = passwords
- Certificate authority (optional)
  - Credentials = certificates

Secure Wireless Deployment: Technologies
- Windows XP
  - Windows Wireless Zero Config
  - Native 802.1X, WPA, and soon WPA2*
  - Certificates, passwords, smartcards, RSA token**
  - Wireless group policy
- Any access point supporting the 802.11 and 802.1X standards
- Server 2003 IAS
  - EAP/TLS (certificates/smartcard)
  - PEAP (password)
  - Remote access policies
  - RADIUS proxy functions
  - Improved scaling
- Server 2003 Active Directory
  - User and computer authentication
- Server 2003 Certificate Authority
  - User and computer auto-enrollment

Secure Wireless Deployment: Benefits
- Windows XP
  - Integrated Windows client
  - Standards-based security, evolving with the industry
  - Seamless sign-on experience
  - Interoperability
- Server 2003 IAS
  - Security
  - Manageability: policy-based access management
  - Scalability: deep and wide
- Server 2003 Active Directory
  - Centralized administration: client configuration, access management
- Server 2003 Certificate Authority
  - Automated client updating
Security Best Practices: What NOT to do
- Hidden SSID
  - Does not provide any real security
  - Easily discoverable in well-used environments
  - Windows client experience is impacted
- MAC filtering
  - Does not scale (NIC management issue)
  - MAC addresses are spoofable
- "Shared" mode
  - Sounds like more security but is actually worse
  - Not to be confused with Pre-Shared Key (PSK), which is more secure
- Open networks and VPNs
  - Grants everyone access to the wireless segment
  - Great for hotspots, not for your business

Security Best Practices: What to do
- Choose an authentication type (EAP type)
  - EAP-TLS with both user and computer certificates
  - PEAP-MS-CHAP v2, and enforce strong user passwords
  - Pre-Shared Key (only with WPA)
- Choose a WLAN data protection method
  - WPA using TKIP or AES encryption
  - Dynamic WEP using 802.1X, forcing periodic re-authentication (10 mins) to renew keys
Wireless Decision Tree
- Start: SOHO network?
  - Yes: WPA Pre-Shared Key
  - No: certificate authentication?
    - Yes: EAP-TLS
    - No: PEAP
- Then: WPA, or 802.1X dynamic WEP for legacy devices

Configuring WPA-PSK (demonstration)

Client Authentication: WPA Pre-Shared Key
[Diagram: Wireless Client, Wireless Access Point]
1. Client connect
2. Client authentication
3. Key agreement
4. WLAN encryption

Factors Influencing Your Choice
- EAP-TLS: more secure; need to deploy certificates; better interoperability
- PEAP + MSCHAPv2: simpler; uses passwords (!); less interoperable
- WPA: default choice; better security; may not be supported on older devices and systems (third-party WLAN client)
- Dynamic WEP: option for legacy systems (incl. Windows 9x, Windows 2000); can coexist with WPA
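The WPA-PSK option above authenticates the client with a key derived from the passphrase and the SSID. The following is an added example, not code from the presentation, showing that derivation as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) together with a simple strength gate an administrator could apply before committing a PSK; the "password"/"IEEE" vector is the published 802.11i test vector, and the 80-bit threshold is an assumed policy value.

```python
import hashlib
import math


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (pairwise master key) from a
    passphrase and SSID exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_strength_bits(passphrase: str) -> float:
    """Optimistic upper bound on guessing work, log2(alphabet ** length),
    from the character classes present. The SSID salt is public, so only
    the passphrase's length and randomness protect the PSK from guessing."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def psk_is_acceptable(passphrase: str, minimum_bits: float = 80.0) -> bool:
    """Policy gate (assumed threshold) a SOHO admin applies before setting a PSK."""
    return 8 <= len(passphrase) <= 63 and passphrase_strength_bits(passphrase) >= minimum_bits
```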
Microsoft Wireless Solutions: Technology + Prescriptive Guidance
- Start: SOHO network?
  - Yes: WPA PSK
  - No: certificate authentication?
    - Yes: Securing Wireless LANs with Certificate Services
    - No: Securing Wireless LANs with PEAP & Passwords

WPA & Works
[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS), Certification Authority, Directory, Internal Network; WLAN encryption between client and access point, RADIUS between access point and IAS]
Solution Design: Head Office (diagram)

Solution Design: Large Branch Office (diagram)

Solution Design: Small Office (diagram)

Scaling: Scale Up (diagram)

Scaling: Scale Down (diagram)

Extending: Wired Security (diagram)

Extending: VPN (diagram)

Setting up IAS Policies (demonstration)
Microsoft's Internal Wireless Deployment
- Wireless clients: 23-30K per day; 300K authentications per day
- Wireless access points: ~5000 802.11b Cisco APs; 90 countries, 300+ sites; single SSID
- Network authentication: 802.1X; encryption: dynamic WEP
- RADIUS server: Puget Sound 2 proxy and 4 RADIUS servers; worldwide 5 proxy/RADIUS servers; EAP/TLS; remote access policies enforced
- User account database: remote access permissions; group policies for configuration
- Certificate authority: user and machine certificates, auto-enrolled

Microsoft's Future Wireless Deployment
- Wireless clients and access points: migration to 802.11i (WPA2)
- Thin AP / wireless switch architecture: single hardware platform; multiple SSIDs with independent services (voice, guest and corporate network)
- RADIUS servers: independent RADIUS servers for each service; different authentication methods for each service; proxies to distribute load
- User account database: multiple ADs to support guest and corporate users
- Certificate authority: user and machine certificates for corporate services, auto-enrolled
Best Practices: Scalability
Microsoft RADIUS: Internet Authentication Service (IAS)
- Install at least two IAS RADIUS servers
- For best performance, install IAS on domain controllers
- Use strong RADIUS shared secrets
- Use as many different RADIUS shared secrets as possible
- Use IAS RADIUS proxies to scale authentication traffic
- Use IAS RADIUS proxies for separate account databases

RADIUS Architecture
- Is this redundant?
- Scale up or out

Using IAS RADIUS proxies: load balancing of RADIUS traffic
[Diagram: wireless APs, IAS RADIUS proxies, IAS servers]

Using IAS RADIUS proxies: cross-forest authentication
[Diagram: wireless APs, IAS RADIUS proxies, IAS servers in each forest]
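The "use strong RADIUS shared secrets" advice above matters because, between the access point and IAS, the shared secret is the only thing authenticating an Access-Accept. This added example (not code from the presentation or from IAS) builds and verifies a RADIUS response the way RFC 2865 section 3 (Response Authenticator) and RFC 2869 section 5.14 (Message-Authenticator, mandatory when EAP is carried per RFC 3579) define it; the packet bytes, identifier and secret used in the test are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type (1 byte), length (1 byte, header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response as a server such as IAS does (RFC 2865 s3, RFC 2869 s5.14):
    Message-Authenticator = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attrs) with its own value zeroed,
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    placeholder = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(placeholder))
    mac = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
    body = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the AP must check before trusting an Access-Accept: both authenticators verify
    under the shared secret, and Message-Authenticator is present (mandatory with EAP, RFC 3579)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos, found = 0, None
    while pos + 2 <= len(body):  # walk the attribute list
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            found = pos
        pos += attr_len
    if found is None or pos != len(body):
        return False
    mac = body[found + 2:found + 18]
    zeroed = body[:found + 2] + bytes(16) + body[found + 18:]
    expected_mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, mac)
```

A guessable secret lets anyone on the path between AP and RADIUS server forge a valid Access-Accept, which is why the deck recommends strong and, where possible, per-client secrets.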
Security Best Practices: Preventing Rogue WLANs
- User education and policy
- Ongoing monitoring
- Don't use hidden SSIDs
- Do use Wireless Group Policy

Best Practices: Management
- Use the Wireless Network (IEEE 802.11) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID
- If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group
- Use certificate auto-enrollment for computer certificates
- Use certificate auto-enrollment for user certificates
- See "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on http://www.microsoft.com/pki

Wireless Group Policy (demonstration)

Wireless Provisioning Service (WPS)
- Automatically provision wireless accounts and configure client network settings for WiFi access
  - Wireless ISP hotspots and roaming contracts
  - Enterprise guest access for visitors
- Secure, auditable and user-friendly guest access
- Components built into Windows XP SP2 and Windows Server 2003 SP1, configurable via a downloadable tool
- Guidance available online

Aligning with other security initiatives
- Network health compliance
  - Lays down both the network infrastructure and ID management elements needed for NAP (Network Access Protection)
  - Preserves investment in infrastructure
  - RADIUS is the center of policy making, enforcement and access control for secure wireless and NAP
  - Single sign-on
- Secure network segmentation
  - IPSec and 802.1X work together, providing a defense-in-depth strategy
  - 802.1X (hard outside) offers isolation
  - IPSec (hard inside) offers resource protection
Summary
- You cannot afford to leave your WLANs unprotected
- Protecting WLANs is simple
- Choose the right options for you:
  - SOHO: WPA PSK
  - SMORG (small/medium organisation) to enterprise: WPA + PEAP (passwords)
  - LORG (large organisation) to enterprise: WPA + EAP-TLS (certificates)

Resources
- Securing Wireless LANs with Certificates: http://go.microsoft.com/fwlink/?LinkId=14843
- Securing Wireless LANs with PEAP and Passwords: http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx
- Microsoft Wireless Portal: http://www.microsoft.com/wifi
- Microsoft Security Solutions: http://www.microsoft.com/technet/security

Microsoft Technical Roadshow 2005
2 days of in-depth technology information
- Birmingham: 24-25 May
- Harrogate: 1-2 June
- London: 7-8 June
Register now at: www.microsoft.com/uk/techroadshow

www.microsoft.com/uk/security
www.microsoft.com/uk/technet/learning
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.