Securing Your Wireless Network. Ian Hellen, Stirling Goetz, Microsoft.

Mar 26, 2015

Page 1: Securing Your Wireless Network

Ian Hellen
Stirling Goetz
Microsoft

Page 2: Agenda

Wireless LAN security explained
Secure wireless deployment components, Microsoft offerings and benefits
Selecting the right WLAN options
Microsoft wireless security solutions
Microsoft IT case study
WLAN scalability and management

Page 3: Wireless LAN Security

Many (most?) WLANs have no security or inadequate security
  1 in 3 WLANs in major cities unsecured (RSA)
  But number of WLANs growing by 66% each year (RSA)
  Small businesses making most use of WLANs
Static WEP (Wired Equivalent Privacy) is easily broken:
  Tools to generate required traffic
  Statistical cryptanalysis breaks keys quickly
The world is not a nice place:
  Viruses, worms, trojans, spyware, botnets
  Hackers, spammers, criminals

Page 4: WEP’s Fatal Flaw(s)

[Cartoon: fragments of WEP ciphertext (X7!g%k0j37**54bf(jv&8gF…) with the captions “Thank goodness we use encryption!” and “Har-Har! Take that static WEP-man!”]

Page 5: How an 802.1X WLAN Works

[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS) and Internal Network. Numbered steps: 1 Client Connect; 2 Client Authentication and Server Authentication (Key Agreement); 3 Key Distribution (Authorization); 4 WLAN Encryption; 5 traffic onto the Internal Network.]

Page 6: Anatomy of 802.1X solution

[Diagram: the four functions Authentication, Authorization, Data Protection and Audit laid across the three components Wireless Client, Wireless Access Point and RADIUS Server.]

Page 7: 802.1X & EAP

[Diagram: the functions of an 802.1X solution mapped to its components, for both Dynamic WEP and WPA. EAP Method: Authentication. 802.1X / EAP: Authentication & Key Management. RADIUS: Authorization. RADIUS Accounting: Audit. Data Protection (Dynamic WEP or WPA): Key Management, Encryption & Integrity.]

Page 8: Secure Wireless Deployment Components

Wireless Clients
Wireless Access Points
  Radio Types: 802.11 a/b/g
  Network Authentication: 802.1X, WPA, WPA2/802.11i*
  Encryption: WEP, TKIP, AES
RADIUS Server
  RADIUS
  EAP/TLS, PEAP-MSCHAPv2
  Remote Access Policies
User account database
  Remote Access permissions
  Credentials = Passwords
Certificate Authority (optional)
  Credentials = Certificates

Page 9: Secure Wireless Deployment Technologies

Windows XP
  Windows Wireless Zero Config
  Native 802.1X, WPA, and soon WPA2*
  Certificates, Passwords, Smartcards, RSA Token**
  Wireless group policy
Any Access Point supporting 802.11 and 802.1X standards
Server 2003 IAS
  EAP/TLS (certificates/smartcard)
  PEAP (password)
  Remote access policies
  RADIUS proxy functions
  Improved scaling
Server 2003 Active Directory
  Wireless group policy
  User and computer authentication
Server 2003 Certificate Authority
  User and computer auto-enrollment

Page 10: Secure Wireless Deployment Benefits

Windows XP
  Integrated Windows Client
  Standards based security
  Evolving with the industry
  Seamless sign-on experience
  Interoperability
Server 2003 IAS
  Security
  Manageability
  Policy-based access management
  Scalability: deep and wide
Server 2003 Active Directory
  Centralized Administration
  Client configuration
  Access management
Server 2003 Certificate Authority
  Automated client updating

Page 11: Security Best Practices: What NOT to do

Hidden SSID
  Does not provide any real security
  Easily discoverable in well-used environments
  Windows client experience is impacted
MAC Filtering
  Does not scale
  NIC management issue
  MAC is spoofable
“Shared” mode
  Sounds like more security but is actually worse
  Not to be confused with Pre-Shared Key (PSK), which is more secure
Open networks and VPNs
  Grants everyone access to the wireless segment
  Great for hotspots, not for your business

Page 12: Security Best Practices: What to do

Choose an authentication type (EAP Type)
  EAP-TLS and both user and computer certificates
  PEAP-MS-CHAP v2 and enforce strong user passwords
  Pre-Shared Key (only with WPA)
Choose a WLAN Data Protection Method
  WPA using TKIP or AES encryption
  Dynamic WEP using 802.1X, forcing periodic re-authentication (10 mins) to renew keys

Page 13: Wireless Decision Tree

[Flowchart: Start -> SOHO Network? yes -> WPA Pre-Shared Key. no -> Certificate Authentication? yes -> EAP-TLS; no -> PEAP. Either 802.1X branch runs over WPA, or over 802.1X Dynamic WEP for legacy devices.]

Page 14: Configuring WPA-PSK

Demonstration

Page 15: WPA Pre-Shared Key

[Diagram: Wireless Client and Wireless Access Point only, no RADIUS server. Numbered steps: 1 Client Connect; 2 Client Authentication (Key Agreement); 3 WLAN Encryption; 4 (unlabelled).]

Page 16: Factors Influencing Your Choice

EAP-TLS
  More secure
  Need to deploy certificates
  Better interop
PEAP + MSCHAPv2
  Simpler
  Uses passwords (!)
  Less interoperable
WPA
  Default choice
  Better security
  May not be supported on older devices and systems (3rd party WLAN client)
Dynamic WEP
  Option for legacy systems (incl. Windows 9x, Windows 2000)
  Can coexist with WPA

Page 17: Microsoft Wireless Solutions: Technology + Prescriptive Guidance

[Flowchart, the same decision tree with the matching guidance: Start -> SOHO Network? yes -> WPA PSK. no -> Certificate Authentication? yes -> “Securing Wireless LANs with Certificate Services”; no -> “Securing Wireless LANs with PEAP & Passwords”.]

Page 18: WPA & Works

[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS), Certification Authority, Directory and Internal Network; WLAN Encryption between client and access point, RADIUS between access point and IAS.]

Page 19: Solution Design: Head Office

[Diagram: Head Office. WLAN: APs and WLAN Clients. RADIUS: two IAS servers. PKI: Root CA and Issuing CA. Infrastructure Services: DNS, two DCs, MOM, DHCP. WAN Router.]

Page 20: Solution Design: Large Branch Office

[Diagram: Large Branch/Regional Office linked by WAN Router to the Head Office of the previous slide. WLAN: APs and WLAN Clients. RADIUS: IAS. Infrastructure Services: DC. WAN Router.]

Page 21: Solution Design: Small Office

[Diagram: Small Branch Office linked by WAN Router to the Head Office of the previous slides. WLAN: APs and WLAN Clients. Infrastructure Services. WAN Router. No local IAS server or DC is shown.]

Page 22: Scaling: Scale Up

[Diagram: Head Office and Large Branch/Regional Office as before, with additional IAS servers added at both the head office and the branch.]

Page 23: Scaling: Scale Down

[Diagram: Head Office and Large Branch/Regional Office as before, with fewer IAS servers; the remaining IAS servers are shown grouped together.]

Page 24: Extending: Wired Security

[Diagram: the Head Office IAS servers (RADIUS), DCs, Root CA, Issuing CA and Infrastructure Services also serve a Secure Wired LAN of 802.1X switches, servers and PCs.]

Page 25: Extending: VPN

[Diagram: Remote Client -> Internet -> Edge Router/Firewall -> VPN Servers (RRAS) and RADIUS Proxies (IAS) in the DMZ -> DMZ-Intranet Edge Router -> Head Office IAS servers, DCs, CAs and Infrastructure Services.]

Page 26: Setting up IAS Policies

Demonstration

Page 27: Microsoft’s Internal Wireless Deployment

Wireless Clients
  23-30K per day
  300K authentications per day
Wireless Access Points
  Network Authentication: 802.1X
  Encryption: dynamic WEP
  ~5000 802.11b Cisco APs
  90 countries, 300+ sites
  Single SSID
RADIUS Server
  Puget Sound: 2 Proxy, 4 RADIUS servers
  Worldwide: 5 Proxy/RADIUS servers
  EAP/TLS
  Remote Access Policies enforced
User account database
  Remote Access permissions
  Group Policies for configuration
Certificate Authority
  User and Machine Certificates
  Autoenrolled

Page 28: Microsoft’s Future Wireless Deployment

Wireless Clients
  Migration to 802.11i (WPA2)
Wireless Access Points
  Thin AP/Wireless Switch Architecture
  Single Hardware Platform
  Multiple SSIDs, Independent services
  Voice, Guest and Corporate Network
RADIUS Servers
  Independent RADIUS servers for each service
  Different Auth methods for each service
  Proxies to distribute load
User account database
  Multiple ADs to support Guests and Corporate users
Certificate Authority
  User and Machine Certificates for corporate services
  Autoenrolled

Page 29: Best Practices: Scalability. Microsoft RADIUS: Internet Authentication Service (IAS)

Install at least two IAS RADIUS servers
For best performance, install IAS on domain controllers
Use strong RADIUS shared secrets
Use as many different RADIUS shared secrets as possible
Use IAS RADIUS proxies to scale authentication traffic
Use IAS RADIUS proxies for separate account databases
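The shared-secret advice on this slide, and the 10-minute re-authentication from the "What to do" slide, shown at the packet level. This is an added example and not code from the presentation or from IAS: it builds a constructed Access-Accept the way a RADIUS server would, carrying a Session-Timeout attribute of 600 seconds, and checks it the way the access point would, using the RFC 2865 Response Authenticator (MD5 over the packet plus the shared secret) and the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the secret, which RADIUS requires on packets that carry EAP). The user name, the per-AP secrets and the request authenticator are constructed sample values.

```python
"""Check RADIUS replies with the shared secret (added example; not code from
the presentation or from IAS). Implements the RFC 2865 Response Authenticator
and the RFC 3579 Message-Authenticator over a constructed
Access-Request / Access-Accept pair. All names and secrets are sample values."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_SESSION_TIMEOUT, ATTR_MESSAGE_AUTHENTICATOR = 1, 27, 80
HEADER_LEN = 20                    # code(1) id(1) length(2) authenticator(16)


def new_shared_secret(nbytes: int = 32) -> str:
    """A random secret for one access point; the slide asks for one per NAS."""
    return secrets.token_urlsafe(nbytes)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, 2 + len(value)]) + value


def session_timeout_attr(seconds: int) -> bytes:
    """Session-Timeout (27): the client must re-authenticate, which renews keys."""
    return attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", seconds))


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for each attribute; reject malformed lengths."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("bad attribute length")
        yield off, atype, packet[off + 2:off + alen]
        off += alen


def build_access_accept(ident: int, request_authenticator: bytes,
                        secret: bytes, attrs: list) -> bytes:
    """Server side: add Message-Authenticator, then fill the Response Authenticator.

    The HMAC is computed with the Request Authenticator in the header and the
    Message-Authenticator value zeroed; the MD5 then covers the finished packet.
    """
    attrs = list(attrs) + [attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    unsigned = build_packet(ACCESS_ACCEPT, ident, request_authenticator, attrs)
    attrs[-1] = attr(ATTR_MESSAGE_AUTHENTICATOR,
                     hmac.new(secret, unsigned, hashlib.md5).digest())
    signed = build_packet(ACCESS_ACCEPT, ident, request_authenticator, attrs)
    response_auth = hashlib.md5(
        signed[:4] + request_authenticator + signed[HEADER_LEN:] + secret).digest()
    return signed[:4] + response_auth + signed[HEADER_LEN:]


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: both authenticators must check out under this NAS's own secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        return False
    try:
        found = [(o, v) for o, t, v in iter_attrs(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, value = found[0]
    zeroed = bytearray(header + request_authenticator + body)
    zeroed[off + 2:off + 18] = bytes(16)
    return hmac.compare_digest(value, hmac.new(secret, bytes(zeroed), hashlib.md5).digest())


def session_timeout(packet: bytes):
    """Session-Timeout value in seconds, or None if the reply has none."""
    for _, atype, value in iter_attrs(packet):
        if atype == ATTR_SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


# Constructed exchange: a different secret for each access point.
AP_SECRETS = {"ap-lobby": b"constructed-secret-for-ap-lobby-only",
              "ap-floor2": b"constructed-secret-for-ap-floor2-only"}
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS picks this at random


def sample_exchange(ap: str = "ap-lobby") -> dict:
    """The server answers one AP; only that AP's secret verifies the reply."""
    accept = build_access_accept(
        7, REQUEST_AUTHENTICATOR, AP_SECRETS[ap],
        [attr(ATTR_USER_NAME, b"alice@example.test"), session_timeout_attr(600)])
    verified = {name: verify_response(accept, REQUEST_AUTHENTICATOR, s)
                for name, s in AP_SECRETS.items()}
    return {"verified_by": verified, "session_timeout": session_timeout(accept)}


if __name__ == "__main__":
    print(sample_exchange())
```

The point of the per-AP secrets is visible in `sample_exchange`: a reply built for one access point fails verification under any other access point's secret, so a secret lifted from one device does not let its holder forge accepts for the rest of the estate. The Session-Timeout of 600 seconds is how the 10-minute re-authentication from the "What to do" slide is actually delivered to the access point.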

Page 30: Using IAS RADIUS proxies: Load balancing of RADIUS traffic

[Diagram: Wireless APs -> IAS RADIUS proxies -> IAS servers.]

Page 31: Using IAS RADIUS proxies: Cross-forest authentication

[Diagram: Wireless APs -> IAS RADIUS proxies -> IAS servers in Forest 1 and in Forest 2.]

Page 32: Security Best Practices

Preventing Rogue WLANs
  User education and policy
  Ongoing Monitoring
Don’t use Hidden SSIDs
Do use Wireless Group Policy

Page 33: Best Practices: Management

Use the Wireless Network (IEEE 802.11) Policies Group Policy settings to automatically configure wireless clients running Windows XP and Windows Server 2003 with your SSID
If you have a native-mode domain, use universal groups and global groups to organize your wireless computer and user accounts into a single group.
Use certificate auto-enrollment for computer certificates
Use certificate auto-enrollment for user certificates
"Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" on http://www.microsoft.com/pki

Page 34: Wireless Group Policy

Demonstration

Page 35: Summary

You cannot afford to leave your WLANs unprotected
Protecting WLANs is simple
Choose the right options for you:
  SOHO – WPA PSK
  SMORG-Enterprise – WPA + PEAP (Passwords)
  LORG-Enterprise – WPA + EAP-TLS (Certs)

Page 36: Resources

Securing Wireless LANs with Certificates: http://go.microsoft.com/fwlink/?LinkId=14843
Securing Wireless LANs with PEAP and Passwords: http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx
Microsoft Wireless Portal: http://www.microsoft.com/wifi
Microsoft Security Solutions: http://www.microsoft.com/technet/security

Page 37: Microsoft Technical Roadshow 2005

2 days of in-depth technology information
Birmingham – 24-25 May
Harrogate – 1-2 June
London – 7-8 June
Register now at: www.microsoft.com/uk/techroadshow

Page 38

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

www.microsoft.com/uk/security
www.microsoft.com/uk/technet/learning