securing your wireless network ian hellen stirling goetz microsoft
TRANSCRIPT
Securing Your Wireless Network
Ian Hellen
Stirling Goetz
Microsoft

Agenda
Wireless LAN security explained
Secure wireless deployment components, Microsoft offerings and benefits
Selecting the right WLAN options
Microsoft wireless security solutions
Microsoft IT case study
WLAN scalability and management

Wireless LAN Security
Many (most?) WLANs have no security or inadequate security:
1 in 3 WLANs in major cities unsecured (RSA)
But number of WLANs growing by 66% each year (RSA)
Small businesses making most use of WLANs
Static WEP (Wired Equivalent Privacy) is easily broken:
Tools to generate required traffic
Statistical cryptanalysis breaks keys quickly
The world is not a nice place:
Viruses, worms, trojans, spyware, botnets
Hackers, spammers, criminals

WEP’s Fatal Flaw(s)
Cartoon: a stream of WEP-encrypted traffic (X7!g%k0j37**54bf(jv&8gF…) passes between a client and an access point and is captured by an onlooker. Captions: "Thank goodness we use encryption!" and "Har-Har! Take that static WEP-man!"

How an 802.1X WLAN Works
Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS) and Internal Network.
1 Client connect
2 Client authentication and server authentication
3 Authorization and key distribution
4 Key agreement
5 WLAN encryption

Anatomy of an 802.1X solution
Diagram: Wireless Client, Wireless Access Point and RADIUS Server, mapped against the functions Authentication, Authorization, Data Protection and Audit.
Authentication: 802.1X and EAP between the wireless client and the access point; the EAP method carries authentication and key management through to the RADIUS server.
Authorization: performed by the RADIUS server.
Data Protection: Dynamic WEP or WPA between the wireless client and the access point (key management, encryption and integrity).
Audit: RADIUS Accounting.

Secure Wireless Deployment Components
Wireless Clients
Wireless Access Points: Radio types 802.11 a/b/g; Network authentication: 802.1X, WPA, WPA2/802.11i*; Encryption: WEP, TKIP, AES
RADIUS Server: RADIUS, EAP/TLS, PEAP-MSCHAPv2, Remote Access Policies
User account database: Remote Access permissions; Credentials = Passwords
Certificate Authority (optional): Credentials = Certificates

Secure Wireless Deployment Technologies
Windows XP: Windows Wireless Zero Config; native 802.1X, WPA, and soon WPA2*; Certificates, Passwords, Smartcards, RSA Token**; Wireless group policy
Any Access Point supporting 802.11 and 802.1X standards
Server 2003 IAS: EAP/TLS (certificates/smartcard); PEAP (password); Remote access policies; RADIUS proxy functions; Improved scaling
Server 2003 Active Directory: Wireless group policy; User and computer authentication
Server 2003 Certificate Authority: User and computer auto-enrollment

Secure Wireless Deployment Benefits
Windows XP: Integrated Windows client; Standards-based security; Evolving with the industry; Seamless sign-on experience; Interoperability
Server 2003 IAS: Security; Manageability; Policy-based access management; Scalability, deep and wide
Server 2003 Active Directory: Centralized administration; Client configuration; Access management
Server 2003 Certificate Authority: Automated client updating

Security Best Practices: What NOT to do
Hidden SSID: Does not provide any real security; Easily discoverable in well-used environments; Windows client experience is impacted
MAC Filtering: Does not scale; NIC management issue; MAC is spoofable
"Shared" mode: Sounds like more security but is actually worse; Not to be confused with Pre-Shared Key (PSK), which is more secure
Open networks and VPNs: Grants everyone access to the wireless segment; Great for hotspots, not for your business

Security Best Practices: What to do
Choose an authentication type (EAP type):
EAP-TLS and both user and computer certificates
PEAP-MS-CHAP v2 and enforce strong user passwords
Pre-Shared Key (only with WPA)
Choose a WLAN data protection method:
WPA using TKIP or AES encryption
Dynamic WEP using 802.1X, forcing periodic re-authentication (10 mins) to renew keys
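
An added worked example, not part of the presentation, of why static WEP falls to the "statistical cryptanalysis" mentioned earlier and what the 10-minute re-authentication above does and does not buy: WEP prepends a 24-bit IV to the static key, so any two frames that repeat an IV are encrypted under the same RC4 keystream. The functions below compute, from the birthday bound, how many frames it takes before an IV repeat becomes likely, and how many frames one dynamic WEP key covers at a given frame rate. The function names and the 500 frames/second rate are my own constructed assumptions.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the static key
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs


def frames_until_iv_repeat(probability: float = 0.5, iv_space: int = IV_SPACE) -> int:
    """Exact birthday computation: the smallest number of frames with randomly
    chosen IVs after which the chance that some pair shares an IV (and hence
    the same RC4 keystream under a static key) reaches `probability`."""
    p_all_distinct = 1.0
    n = 0
    while 1.0 - p_all_distinct < probability:
        n += 1
        # frame n avoids the n-1 IVs already used with probability (N-(n-1))/N
        p_all_distinct *= (iv_space - (n - 1)) / iv_space
    return n


def iv_repeat_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Closed-form birthday approximation: 1 - exp(-n(n-1) / 2N)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * iv_space))


def frames_per_key(frames_per_second: float, rekey_seconds: int) -> int:
    """Frames encrypted under one dynamic WEP key when 802.1X re-authentication
    renews the key every `rekey_seconds` (the slides use 10 minutes)."""
    return int(frames_per_second * rekey_seconds)


if __name__ == "__main__":
    n50 = frames_until_iv_repeat()
    print(f"50% chance of an IV repeat after {n50} frames (static key)")
    # Constructed example rate: a moderately busy AP at 500 frames/second.
    per_key = frames_per_key(500, 10 * 60)
    print(f"10-minute rekey: {per_key} frames per key, "
          f"IV repeat probability {iv_repeat_probability(per_key):.6f}")
```

With random IVs a repeat is likely after only about 4,800 frames, and a busy access point sends far more than that in ten minutes, so rekeying alone does not prevent keystream reuse; it only bounds how much ciphertext accumulates under each key, which is why the slide lists WPA with TKIP or AES first and dynamic WEP as the legacy option.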

Wireless Decision Tree
Start: SOHO network?
yes: WPA Pre-Shared Key
no: Certificate authentication?
yes: EAP-TLS
no: PEAP
In either case: WPA, or 802.1X Dynamic WEP for legacy devices

Configuring WPA-PSK: Demonstration

WPA Pre-Shared Key
Diagram: Wireless Client and Wireless Access Point.
1 Client connect
2 Client authentication
3 Key agreement
4 WLAN encryption
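
The key agreement step in WPA-PSK starts from a Pairwise Master Key that the client and the access point both derive from the pre-shared passphrase. The following is an added example, not code from the presentation, that performs that derivation as IEEE 802.11i defines it: PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations and a 256-bit result. The sample passphrase "password" and SSID "IEEE" are the 802.11i test vector; the function names are mine.

```python
import hashlib
import string

PMK_BYTES = 32            # 256-bit Pairwise Master Key
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a WPA/WPA2 personal network.

    A 64-character hex string is taken as the raw 256-bit PSK and used as-is.
    Anything else must be a printable-ASCII passphrase of 8 to 63 characters,
    which is stretched with PBKDF2-HMAC-SHA1 using the SSID as the salt, so the
    same passphrase on two differently named networks yields different PMKs.
    """
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase + ssid):
        raise ValueError("passphrase and SSID must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"),
        PBKDF2_ITERATIONS, PMK_BYTES,
    )


def rejects_passphrase(passphrase: str, ssid: str) -> bool:
    """True if wpa_pmk refuses the input (used to check the validation path)."""
    try:
        wpa_pmk(passphrase, ssid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different PMK because the SSID is the salt
    print(wpa_pmk("password", "OtherNet").hex())
```

The 4096 iterations make each passphrase guess cost 8192 SHA-1 operations, and the SSID salt ties the result to the network name; together these are what make a long, non-dictionary passphrase on a non-default SSID a reasonable SOHO choice, as the decision tree recommends.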

Factors Influencing Your Choice
EAP-TLS: More secure; Need to deploy certificates; Better interop
PEAP + MSCHAPv2: Simpler; Uses passwords (!); Less interoperable
WPA: Default choice; Better security; May not be supported on older devices and systems (3rd party WLAN client)
Dynamic WEP: Option for legacy systems (incl. Windows 9x, Windows 2000); Can coexist with WPA

Microsoft Wireless Solutions: Technology + Prescriptive Guidance
Start: SOHO network?
yes: WPA PSK
no: Certificate authentication?
yes: "Securing Wireless LANs with Certificate Services"
no: "Securing Wireless LANs with PEAP & Passwords"
Diagram (WPA): Wireless Client, Wireless Access Point, RADIUS (IAS), Certification Authority, Directory and Internal Network; WLAN encryption on the wireless link, RADIUS between the access point and IAS.

Solution Design: Head Office
Head Office: Root CA; Issuing CA; APs with WLAN clients; two IAS servers; DNS; two DCs; DHCP; MOM; WAN router. Services: WLAN, RADIUS, PKI, infrastructure services.

Solution Design: Large Branch Office
Large Branch/Regional Office: APs with WLAN clients; IAS; DC; WAN router to the Head Office above. Services: WLAN, RADIUS, infrastructure services.

Solution Design: Small Office
Small Branch Office: APs with WLAN clients; no local IAS or DC; WAN router to the Head Office above. Services: WLAN, infrastructure services.

Scaling – Scale Up
Diagram: additional IAS servers are added to the Head Office and to the Large Branch/Regional Office alongside the existing APs, WLAN clients, DCs, DNS, DHCP, MOM and WAN routers.

Scaling – Scale Down
Diagram: the IAS servers are taken out of the Head Office and Large Branch/Regional Office designs; APs, WLAN clients, DCs, DNS, DHCP, MOM and WAN routers remain, with WLAN and RADIUS services still shown.

Extending – Wired Security
Diagram: Head Office (Root CA, Issuing CA, two IAS servers, two DCs, RADIUS and infrastructure services, WAN router) extended with a Secure Wired LAN: 802.1X switches connecting servers and PCs.

Extending – VPN
Diagram: Head Office (Root CA, Issuing CA, two IAS servers, two DCs, RADIUS and infrastructure services, WAN router) extended with VPN access: Remote Client over the Internet to an Edge Router/Firewall, RRAS VPN servers with IAS RADIUS proxies in the DMZ, and a DMZ-Intranet Edge Router into the internal network.

Setting up IAS Policies: Demonstration

Microsoft’s Internal Wireless Deployment
Wireless Clients and Wireless Access Points: 23-30K clients per day; Network authentication: 802.1X; 300K authentications per day; Encryption: dynamic WEP; ~5000 802.11b Cisco APs; 90 countries, 300+ sites; Single SSID
RADIUS Server: Puget Sound: 2 proxy, 4 RADIUS servers; Worldwide: 5 proxy/RADIUS servers; EAP/TLS; Remote Access Policies enforced
User account database: Remote Access permissions; Group Policies for configuration
Certificate Authority: User and machine certificates; Autoenrolled

Microsoft’s Future Wireless Deployment
Wireless Clients and Wireless Access Points: Migration to 802.11i (WPA2); Thin AP/wireless switch architecture; Single hardware platform; Multiple SSIDs, independent services; Voice, Guest and Corporate networks
RADIUS Servers: Independent RADIUS servers for each service; Different auth methods for each service; Proxies to distribute load
User account database: Multiple ADs to support Guest and Corporate users
Certificate Authority: User and machine certificates for corporate services; Autoenrolled

Best Practices: Scalability
Microsoft RADIUS – Internet Authentication Service (IAS)
Install at least two IAS RADIUS servers
For best performance, install IAS on domain controllers
Use strong RADIUS shared secrets
Use as many different RADIUS shared secrets as possible
Use IAS RADIUS proxies to scale authentication traffic
Use IAS RADIUS proxies for separate account databases
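
The shared secret is the only thing that lets an access point and an IAS server distinguish each other's RADIUS packets from forged ones, which is why the slide asks for strong and distinct secrets. The block below is an added example, not code from the presentation or from IAS, that builds and checks the two integrity values RFC 2865 and RFC 2869 define over the shared secret: the Message-Authenticator attribute (HMAC-MD5 over the whole packet, which RFC 3579 requires whenever an EAP-Message is carried, as in 802.1X) and the Response Authenticator on Access-Accept/Reject. The secret, user name and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _encode_attrs(attrs):
    """RADIUS attributes are TLVs: type(1), length(1, including this header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _packet(code, ident, authenticator, attrs):
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(ident, request_authenticator, attrs, secret):
    """NAS side: Access-Request carrying an RFC 2869 Message-Authenticator.
    The HMAC-MD5 (keyed with the shared secret) is computed over the packet
    with the attribute value zeroed, then written into that attribute."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    zeroed = _packet(ACCESS_REQUEST, ident, request_authenticator, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    return _packet(ACCESS_REQUEST, ident, request_authenticator, attrs)


def verify_message_authenticator(packet, secret):
    """Server side: find attribute 80, zero it, recompute the HMAC and compare.
    The Request Authenticator itself is just a random nonce, so a request with
    no Message-Authenticator is not authenticated at all and is rejected here."""
    off = HEADER_LEN
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return False  # malformed attribute
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[off + 2:off + 18])
        off += length
    return False


def build_response(code, ident, request_authenticator, attrs, secret):
    """Server side: Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    shell = _packet(code, ident, bytes(16), attrs)
    auth = hashlib.md5(shell[:4] + request_authenticator + shell[HEADER_LEN:] + secret).digest()
    return shell[:4] + auth + shell[HEADER_LEN:]


def verify_response(response, request_authenticator, secret):
    """NAS side: the reply is only accepted if it was computed with the shared
    secret over the authenticator of the request it answers."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"constructed-shared-secret-not-for-production"  # constructed value
    req_auth = os.urandom(16)  # Request Authenticator: random nonce, no secret involved
    req = build_access_request(9, req_auth, [(ATTR_USER_NAME, b"alice@example.test")], secret)
    print("request accepted with right secret:", verify_message_authenticator(req, secret))
    print("request accepted with wrong secret:", verify_message_authenticator(req, b"other"))
    resp = build_response(ACCESS_ACCEPT, 9, req_auth, [], secret)
    print("response accepted by NAS:", verify_response(resp, req_auth, secret))
```

Both checks are HMAC-MD5 or MD5-with-secret, so their strength is the secret's: a short or shared secret lets a forged Access-Accept pass `verify_response`, which is the failure the two "shared secret" bullets above guard against.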

Using IAS RADIUS proxies: Load balancing of RADIUS traffic
Diagram: Wireless APs send RADIUS traffic to IAS RADIUS proxies, which spread it across the IAS servers.

Using IAS RADIUS proxies: Cross-forest authentication
Diagram: Wireless APs send RADIUS traffic to IAS RADIUS proxies, which forward each request to the IAS servers in Forest 1 or Forest 2.

Security Best Practices
Preventing Rogue WLANs
User education and policy
Ongoing monitoring
Don’t use Hidden SSIDs
Do use Wireless Group Policy

Best Practices: Management
Use the Wireless Network (IEEE 802.11) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID.
If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group.
Use certificate auto-enrollment for computer certificates.
Use certificate auto-enrollment for user certificates.
"Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on http://www.microsoft.com/pki.

Wireless Group Policy: Demonstration

Summary
You cannot afford to leave your WLANs unprotected
Protecting WLANs is simple
Choose the right options for you:
SOHO – WPA PSK
SMORG-Enterprise – WPA + PEAP (Passwords)
LORG-Enterprise – WPA + EAP-TLS (Certs)

Resources
Securing Wireless LANs with Certificates: http://go.microsoft.com/fwlink/?LinkId=14843
Securing Wireless LANs with PEAP and Passwords: http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx
Microsoft Wireless Portal: http://www.microsoft.com/wifi
Microsoft Security Solutions: http://www.microsoft.com/technet/security

Microsoft Technical Roadshow 2005
2 days of in-depth technology information
Birmingham – 24-25 May
Harrogate – 1-2 June
London – 7-8 June
Register now at: www.microsoft.com/uk/techroadshow

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
www.microsoft.com/uk/security
www.microsoft.com/uk/technet/learning