Implementing Security for Wireless Networks Presenter Name Job Title Company.

Presentation transcript:


Session Prerequisites
- Hands-on experience with Microsoft® Windows® server and client operating systems and Active Directory®
- Basic understanding of wireless LAN technology
- Basic understanding of Microsoft® Certificate Services
- Basic understanding of RADIUS and remote access protocols
Level 300

Agenda
- Overview of Wireless Solutions
- Securing a Wireless Network
- Implementing a Wireless Network Using Password Authentication
- Configuring Wireless Network Infrastructure Components
- Configuring Wireless Network Clients

Identifying the Need to Secure a Wireless Network
When designing security for a wireless network consider:
- Network authentication and authorization
- Data protection
- Wireless access point configuration
- Security management

The abuse of Wireless Networks is growing!

Common Security Threats to Wireless Networks
Security threats include:
- Disclosure of confidential information
- Unauthorized access to data
- Impersonation of an authorized client
- Interruption of the wireless service
- Unauthorized access to the Internet
- Accidental threats
- Unsecured home wireless setups
- Unauthorized WLAN implementations

Understanding Wireless Network Standards and Technologies
Standard: Description
- 802.11: A base specification that defines the transmission concepts for Wireless LANs
- 802.11a: Transmission speeds up to 54 megabits per second (Mbps)
- 802.11b: 11 Mbps. Good range but susceptible to radio signal interference
- 802.11g: 54 Mbps. Shorter ranges than 802.11b
802.1X: a standard that defines a port-based access control mechanism for authenticating access to a network and, as an option, for managing keys used to protect traffic

Wireless Network Implementation Options
Wireless network implementation options include:
- Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
- Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords
- Wireless network security using Certificate Services

Choose the Appropriate Wireless Network Solution
Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
- Typical environment: Small Office/Home Office (SOHO)
- Additional infrastructure components required? None
- Certificates used for client authentication: NO
- Passwords used for client authentication: YES. Uses WPA encryption key to authenticate to network
- Typical data encryption method: WPA
Password-based wireless network security
- Typical environment: Small to medium organization
- Additional infrastructure components required? Internet Authentication Services (IAS). Certificate required for the IAS server
- Certificates used for client authentication: NO. However, a certificate is issued to validate the IAS server
- Passwords used for client authentication: YES
- Typical data encryption method: WPA or Dynamic WEP
Certificate-based wireless network security
- Typical environment: Medium to large organization
- Additional infrastructure components required? Internet Authentication Services (IAS). Certificate Services
- Certificates used for client authentication: YES
- Passwords used for client authentication: NO. Certificates used but may be modified to require passwords
- Typical data encryption method: WPA or Dynamic WEP


Understanding Elements of WLAN Security
To effectively secure a wireless network consider:
- Authentication of the person or device connecting to the wireless network
- Authorization of the person or device to use the WLAN
- Protection of the data transmitted over the WLAN
- Audit WLAN Access

Providing Effective Authentication and Authorization
Standard: Description
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): Uses public key certificates to authenticate clients
- Protected Extensible Authentication Protocol-Microsoft-Challenge Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2): A two-stage authentication method using a combination of TLS and MS-CHAP v2 for password authentication
- Tunneled Transport Layer Security (TTLS): A two-stage authentication method similar to PEAP. Microsoft does not support this method

Protecting WLAN Data Transmissions
Wireless data encryption standards in use today include:
- Wired Equivalent Privacy (WEP)
  - Dynamic WEP, combined with 802.1X authentication, provides adequate data encryption and integrity
  - Compatible with most hardware and software devices
  (How is this a “wired equivalent”?! Trust me: WEP sucks)
- Wi-Fi Protected Access (WPA)
  - Changes the encryption key with each packet
  - Uses a longer initialization vector
  - Adds a signed message integrity check value
  - Incorporates an encrypted frame counter
  (WPA is only if you are serious about security)

Alternative Approaches to Encrypt WLAN Traffic
Alternatives used to protect WLAN traffic include the use of:
- Virtual Private Network (VPN)
- Internet Protocol Security (IPSec)

System Requirements for Implementing 802.1X
Components: Requirements
- Client devices: Windows XP and Pocket PC 2003 provide built-in support. Microsoft provides an 802.1X client for Windows 2000 operating systems
- RADIUS/IAS and certificate servers: Windows Server 2003 Certificate Services and Windows Server 2003 Internet Authentication Service (IAS) are supported
- Wireless access points: At a minimum, should support 802.1X authentication and 128-bit WEP for data encryption

Guidelines for Securing Wireless Networks
- Require data protection for all wireless communications
- Require 802.1X authentication to help prevent spoofing, wardrivers, and accidental threats to your network
- Use software scanning tools to locate and shut down rogue access points on your corporate network


Components Required to Implement PEAP-MS-CHAP v2
Components: Explanation
- Wireless Client: Requires a WLAN adapter that supports 802.1X and dynamic WEP or WPA encryption. User and computer accounts are created in the domain
- Wireless Access Point: Must support 802.1X and dynamic WEP or WPA encryption. The wireless access point and RADIUS server have a shared secret to enable them to securely identify each other
- RADIUS/IAS Server: Uses Active Directory to verify the credentials of WLAN clients. Makes authorization decisions based upon an access policy. May also collect accounting and audit information. Certificate installed to provide server authentication
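How the shared secret between the access point and the RADIUS/IAS server is used on the wire, as an added example that is not part of the presentation or of the Microsoft scripts it references. It assumes the standard RADIUS checks (Response Authenticator from RFC 2865, Message-Authenticator from RFC 3579); the secret, user name and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value


def sign_request(ident, request_auth, attrs, secret):
    """Access point side: append Message-Authenticator (HMAC-MD5, value zeroed while hashing)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac


def verify_request(packet, secret):
    """IAS side: locate Message-Authenticator and recompute it with the shared secret."""
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return False  # malformed attribute, stop parsing
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += a_len
    return False  # RFC 3579: EAP requests without the attribute are discarded


def build_response(code, ident, request_auth, attrs, secret):
    """IAS side: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Access point side: trust a reply only if it matches the outstanding request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Constructed exchange; attribute type 1 is User-Name, all values are samples."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    request = sign_request(7, req_auth, attr(1, b"NORTHWIND\\alice"), secret)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    rogue = build_response(ACCESS_ACCEPT, 7, req_auth, b"", b"some-other-secret")
    return {
        "request_accepted_by_ias": verify_request(request, secret),
        "accept_trusted_by_ap": verify_response(accept, req_auth, secret),
        "rogue_server_trusted": verify_response(rogue, req_auth, secret),
        "stale_accept_trusted": verify_response(accept, bytes(16), secret),
    }
```

Both checks are keyed only by the shared secret, so a long random secret per access point is what gives them value.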

Design Criteria for PEAP-MS-CHAP v2 Solution
- Security Requirements
- Scalability
- Availability
- Platform Support
- Extensibility
- Standards Conformance

How 802.1X with PEAP and Passwords Works
[Diagram. Components: Wireless Client, Wireless Access Point, RADIUS (IAS), Internal Network. Labeled steps: Client Connect; Client Authentication, Server Authentication, Key Agreement; Key Distribution; Authorization; WLAN Encryption.]

Identifying the Services for the PEAP WLAN Network
[Diagram. Sites: Headquarters and Branch Office, each with WLAN Clients and Access Points on the LAN. Services shown: Domain Controller (DC), RADIUS (IAS), Certification Authority (CA), DHCP Services (DHCP), DNS Services (DNS). Servers shown: IAS/CA/DC, IAS/DNS/DC (primary and secondary), DHCP.]


Preparing the Environment
Install the WLAN Scripts using:
- Microsoft WLAN-PEAP.msi
Install the additional tools on the IAS servers:
- Group Policy Management Console
- CAPICOM
- DSACLs.exe
The .MSI is on the DVD you’ll get today!

Demo: Preparing the Environment
- Creating Security Groups
- Installing CAPICOM

Configuring the Network Certification Authority
The CA is used to issue Computer Certificates to the IAS Servers.
To install Certificate Services, log on with an account that is a member of:
- Enterprise Admins
- Domain Admins
Consider that Certificate Services in Windows Server 2003 Standard Edition does not provide:
- Auto enrollment of certificates to both computers and users
- Version 2 certificate templates
- Editable certificate templates
- Archival of keys

Reviewing the Certification Authority Installation Parameters
- Certificate Templates Available: Computer (Machine)
- Drive and path of CA request files: C:\CAConfig
- Length of CA Key: 2048 bits
- Validity Period: 25 years
- Validity Period of Issued Certificates: 2 years
- CRL Publishing Interval: 7 days
- CRL Overlap Period: 4 days

Installing the Certification Authority
- Run MSSsetup CheckCAenvironment
- Run MSSsetup InstallCA
- Run MSSsetup VerifyCAInstall
- Run MSSsetup ConfigureCA
- Run MSSSetup ImportAutoenrollGPO
- Run MSSsetup VerifyCAConfig
(*You can do all this in the GUI... but why?)

Demo: Configuring the Certification Authority
- Configuring Post-Installation Settings
- Importing the Automatic Certificate Request GPO
- Verifying the Configuration

Configuring Internet Authentication Services (IAS)
IAS uses Active Directory to verify and authenticate client credentials and makes authorization decisions based upon configured policies.
IAS configuration categories include:
- IAS Server Settings
- IAS Access Policies
- RADIUS Logging

Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
- IAS Logging to Windows Event Log
- IAS RADIUS Logging
- Remote Access Policy
- Remote Access Policy Profile

Installing the IAS Server
- Run MSSsetup CheckIASEnvironment
- Run MSSsetup InstallIAS
- Register the IAS server into Active Directory
- Restart server to automatically enroll the IAS server certificate
- Configure logging and the remote access policy
- Export IAS settings to be imported to another server

Demo: Configuring the IAS Server
- Validating the IAS Environment
- Verifying IAS Server Certificate Deployment
- Post-Installation Configuration Tasks
- Modifying the WLAN Access Policy Profile Settings
- Verifying the Connection Request Policy for WLAN
- Exporting the IAS Settings

Configuring Wireless Access Points
- Run MssTools AddRadiusClient
- Run MssTools AddSecRadiusClients
- Configure the Wireless Access Points

Wireless Access Point Configuration Parameters
Configure the basic network settings such as:
- IP configuration of the access point
- Friendly name of the access point
- Wireless network name (SSID)
Typical settings for a wireless access point include:
- Authentication parameters
- Encryption parameters
- RADIUS authentication
- RADIUS accounting

Demo: Wireless Access Point Configuration
- Adding Access Points to the Initial IAS Server
- Configuring Wireless Access Points


Controlling WLAN Access Using Security Groups
Security Group: Default Members
- Wireless LAN Access: Wireless LAN Users, Wireless LAN Computers
- Wireless LAN Users: Domain Users
- Wireless LAN Computers: Domain Computers
IAS enables you to control access to the wireless network using Active Directory security groups that are linked to a specific remote access policy.

Configuring Windows XP WLAN Clients
- Install required patches and updates
- Create the WLAN client GPO using GPMC
- Deploy the WLAN settings

Reviewing WLAN Client Parameters
Parameter: Setting
- Group to allow WLAN access: Wireless LAN Access
- Group to allow WLAN access for users: Wireless LAN Users
- Group to allow WLAN access for computers: Wireless LAN Computers
- WLAN GPO Name: WLAN Client Settings
- GPO filtering security group: Wireless LAN Computer Settings
- Wireless network policy name: Windows XP WLAN Client Settings (PEAP-WEP)
- WLAN network name (SSID): Northwind (change this to your SSID)
- EAP type: PEAP
- PEAP authentication method: Secured Password (EAP-MSCHAP v2)
- PEAP fast reconnect: Enabled

Demo: Creating the WLAN Client Settings GPO
- Create a WLAN Client GPO Using the GPMC

Session Summary
There are bad people out there who want your WLAN, but you can deploy this securely!
- Determine your organization’s wireless requirements
- Require 802.1X authentication
- Implement the PEAP and Passwords solution for organizations that do not utilize a PKI infrastructure
- Use the scripts provided by the PEAP and Passwords solution
- Use security groups and Group Policy to control WLAN client access