MCSA/MCSE Exam 70-296 Study Guide, part 8 (doc)

Click Next to dismiss the initial screen. This will bring you to the Wireless Network Policy Name window (see Figure 9.10). The name that you specify for the Wireless Network Policy in this screen will appear in the right pane of the window shown previously, in Figure 9.8. Because you can only specify one Wireless Network Policy for each Active Directory object, a fairly specific name would be helpful for distinguishing a particular policy among multiple policies that have been assigned to other objects. In addition, adding a description is also a good practice so that you can record details about the policy for reference at a future date. Once you click Next, you have essentially completed the process. The completion screen for the wizard, shown in Figure 9.11, will appear. At this point, you have the option of clicking the Back button to change the name you specified for the newly created Wireless Network Policy.

www.syngress.com Planning Security for a Wireless Network • Chapter 9 557
272_70-296_09.qxd 9/26/03 2:17 PM Page 557

Figure 9.10 Choosing a Name for the Wireless Network Policy

Figure 9.11 Completing the Wizard and Preparing to Edit the New Wireless Network Policy

In order to configure the properties of your new Wireless Network Policy, be sure that you have selected the option Edit properties prior to clicking the Finish button. Once you click the Finish button, the Properties window for your newly created Wireless Network (IEEE 802.11) Policy will open, as shown in Figure 9.12.
In this window, you can:

■ Add the default SSID for your organization
■ Enable or disable WEP or Shared mode authentication
■ Specify if the WEP key is provided automatically or if the client will have to provide one
■ Disable Infrastructure mode

There is a very high probability that your organization will only have one wireless network for each site and, therefore, will have only one default SSID to define for each location. The process for adding more network SSIDs to Group Policy is described in the "Defining Preferred Networks" section. You can also add a description for the default wireless network in the text box. Open (WEP-enabled) and shared-key authentication were previously described in the "Authenticating with WEP" section. If possible, you should avoid shared-key authentication in favor of WEP-enabled authentication, because if your wireless network is attacked, shared-key authentication can expose your organization's WEP key and other networked resources. Finally, you can configure the wireless network mode to Infrastructure or Ad Hoc by leaving the box unchecked or checking it, respectively. Infrastructure mode is the default.
The other tab in the Wireless Network Policy Properties window is for configuring IEEE 802.1X settings; it is shown in Figure 9.13. The 802.1X authentication process and the meaning of the settings for 802.1X are described in detail in a later section, "802.1X Authentication." The Authenticate as guest when user or computer information is unavailable check box, when checked, is useful for providing a wireless client with "guest level" access to the corporate network, without providing access to network resources. The Authenticate as computer when computer information is available option provides for automatic 802.1X authentication when all the credentials and other associated data required for 802.1X authentication have been preconfigured on the wireless client.

Figure 9.12 Defining the Default SSID, WEP Settings, and Network Mode

If you click on the Settings button under EAP Type, the window in Figure 9.14 opens. For networks that use certificate-based authentication, you can configure the most appropriate settings here. The "When connecting" section of the tab specifies where the client's certificate is stored, either on a smart card in a card reader attached to the wireless client or on a local or removable hard drive. If Use a certificate on this computer is selected, the option to Validate server certificate is enabled. At this point you can specify the names or IP addresses of the certificate servers that will provide proof of a positive identity and the type of server that acts as the Trusted Root Certification Authority. Clicking the View Certificate button displays the actual certificate and associated information in a separate window. If necessary, you can configure the system to use a different username for the connection, in case the name on the certificate is different from the one being used for the connection.
If this is required, put a check mark in the Use a different user name for the connection check box.

Figure 9.13 Configuring IEEE 802.1X Parameters

Defining Preferred Networks

The ability to define Preferred Networks makes life easier for wireless clients that connect to more than one wireless network. For example, an IT professional may have a laptop that is used to connect to a wireless network in the office and at home. Preferred Network settings make it possible to store a profile for the networks to which you commonly connect. There are two ways to define Preferred Networks: through the properties of the local wireless network adapter and through Group Policy.

To bring up the wireless network adapter properties, you can right-click the network connection in the system tray, left-click Status, and click the Properties button. The Preferred Networks settings are on the Wireless Networks tab. Available Networks and Preferred Networks are enabled by default because the Use Windows to configure my wireless settings check box is checked by default. As shown in Figure 9.15, the history of the wireless networks to which the system has connected can be configured in the Preferred Networks ordered list. Icons to the left of the network name (SSID) indicate whether the system is in range or out of range of the listed network. Networks that you connect with more frequently can be moved to the top of the list with the Move Up button, and you can edit the contents of the list with the Add and Remove buttons.

Figure 9.14 Establishing EAP Authentication Settings

The Advanced button configures the preferred wireless network mode for the adapter.
As shown in Figure 9.16, the adapter can be set to connect to APs that are in either Infrastructure or Ad Hoc mode using the first radio button. The other two radio buttons restrict the mode to either Infrastructure or Ad Hoc exclusively. By checking the Automatically connect to non-preferred networks check box, your system will automatically attempt to connect to and configure a connection for networks that are not in the list of Preferred Networks. The box is unchecked by default, which means that you will need to manually configure the networks to which you want to connect. This gives you a greater degree of control over what you connect to, and how, among the wireless networks that are in range.

The second method of defining Preferred Networks is to configure the Wireless Network (IEEE 802.11) Policy that you created with the Wireless Network Policy wizard, as shown in Figure 9.17.

Figure 9.15 Defining a Preferred Network in Network Properties

Figure 9.16 Configuring Available Network Settings
Using Group Policy facilitates centralized management of wireless network client settings. The cumulative impact of overlapping Group Policies can be assessed using the Resultant Set of Policy snap-in; this is described later in this chapter in the section "Using RSoP." Navigate to [Group Policy Target (Domain, Domain Controllers, Organizational Unit)] | Computer Configuration | Windows Settings | Security Settings | Wireless Network (IEEE 802.11) Policies in the left pane of the MMC window, and double-click the name of the wireless network policy for which you want to define a Preferred Network. The New Wireless Network Policy Properties window will open on the General tab; switch to the Preferred Networks tab (see Figure 9.18). The buttons for managing Preferred Networks settings are identical in appearance and function to those on the Wireless Networks tab of the local Wireless Connection Properties.

Figure 9.17 Defining a Preferred Network in Group Policy

Figure 9.18 Defining a Preferred Network in Group Policy

Preferred Networks that are defined in Group Policy override any configuration on all local systems that authenticate to Active Directory. If you choose to disable the Use Windows to configure my wireless settings check box on local systems through Group Policy, you can use Group Policy to define Preferred Network settings, and users who log into affected systems will not be able to define their own settings.

802.1X Authentication

The current IEEE 802.11b standard is severely limited because it is available only for open and shared-key authentication schemes that are non-extensible. To address the weaknesses in the authentication mechanisms we have discussed, several vendors (including Cisco and Microsoft) adopted the IEEE 802.1X authentication mechanism for wireless networks.
The IEEE 802.1X standard was created for the purpose of providing a security framework for port-based access control that resides in the upper layers of the protocol stack. The most common method for port-based access control is to enable new authentication and key management methods without changing current network devices. The benefits that are the end result of this work include the following:

■ There is a significant decrease in hardware cost and complexity.
■ There are more options, allowing administrators to pick and choose their security solutions.
■ The latest and greatest security technology can be installed, and it should still work with the existing infrastructure.
■ You can respond quickly to security issues as they arise.

EXAM WARNING
The 802.1X standard typically is relevant to wireless networks due to the fact that it is quickly becoming the standard method of securely authenticating on a wireless network. However, do not confuse 802.1X with 802.11X.

When a client device connects to a port on an 802.1X capable AP, the AP port can determine the authenticity of the device. Before discussing the workings of the 802.1X standard, we must define some terminology. In the context of 802.1X, the following terms have these meanings:

■ Port A port is a single point of connection to the network.
■ Port access entity (PAE) The PAE controls the algorithms and protocols that are associated with the authentication mechanisms for a port.
■ Authenticator PAE The authenticator PAE enforces authentication before it will allow access to resources located off that port.
■ Supplicant PAE The supplicant PAE tries to access the services that are allowed by the authenticator.
■ Authentication server The authentication server is used to verify the supplicant PAE. It decides whether or not the supplicant is authorized to access the authenticator.
■ Extensible Authentication Protocol Over LAN (EAPOL) The 802.1X standard defines a standard for encapsulating Extensible Authentication Protocol (EAP) messages so that they can be handled directly by a LAN MAC service. 802.1X tries to make authentication more encompassing rather than enforcing specific mechanisms on the devices. For this reason, 802.1X uses EAP to receive authentication information.
■ Extensible Authentication Protocol over Wireless (EAPOW) When EAPOL messages are encapsulated over 802.11 wireless frames, they are known as EAPOW.

802.1X works in a similar fashion for both EAPOL and EAPOW. As shown in Figure 9.19, the EAP supplicant (in this case, the wireless client) communicates with the AP over an uncontrolled port. The AP sends an EAP request/identity to the supplicant as well as a RADIUS access-request to the RADIUS access server. The supplicant responds with an identity packet, and the RADIUS server sends a challenge based on the identity packets sent from the supplicant. The supplicant provides its credentials in the EAP response that the AP forwards to the RADIUS server. If the response is valid and the credentials are validated, the RADIUS server sends a RADIUS access-accept to the AP, which then allows the supplicant to communicate over a controlled port. This is communicated by the AP to the supplicant in the EAP-success packet.
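The exchange described above, as an added example that is not code from the book: a toy Python model in which the AP relays EAP over the uncontrolled port, keeps the controlled port blocked until the RADIUS server returns Access-Accept, and then delivers the broadcast (global) key wrapped under the per-session unicast key, as the "Dynamic Key Derivation" section below describes. The user store, the HMAC challenge-response and the key derivation are my own assumptions standing in for a real EAP method and the RADIUS wire format.

```python
"""Toy model of the 802.1X/EAPOL exchange (constructed example, not the book's code).
Dicts stand in for EAP/RADIUS frames; HMAC challenge-response and KDF are assumptions."""
import hashlib
import hmac
import os

RADIUS_USERS = {"alice": b"correct horse battery staple"}  # constructed user store

def derive_session_key(secret, nonce):  # per-session unicast key (toy KDF)
    return hashlib.sha256(b"session" + secret + nonce).digest()

class RadiusServer:  # authentication server: issues a challenge, verifies the answer
    def __init__(self, users):
        self.users, self.pending = users, {}

    def access_request(self, identity, response=None):
        secret = self.users.get(identity)
        if secret is None:
            return {"type": "Access-Reject"}
        if response is None:  # first Access-Request carries only the identity
            self.pending[identity] = os.urandom(16)
            return {"type": "Access-Challenge", "challenge": self.pending[identity]}
        nonce = self.pending.pop(identity, b"")
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if nonce and hmac.compare_digest(expected, response):
            return {"type": "Access-Accept", "session_key": derive_session_key(secret, nonce)}
        return {"type": "Access-Reject"}

class Supplicant:  # wireless client: answers the EAP requests relayed by the AP
    def __init__(self, identity, secret):
        self.identity, self.secret, self.nonce, self.global_key = identity, secret, None, None

    def handle(self, msg):
        if msg["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "identity": self.identity}
        if msg["type"] == "EAP-Request":  # server's challenge, relayed by the AP
            self.nonce = msg["challenge"]
            proof = hmac.new(self.secret, self.nonce, hashlib.sha256).digest()
            return {"type": "EAP-Response", "identity": self.identity, "credentials": proof}
        if msg["type"] == "EAP-Success":  # derive the session key and unwrap the global key
            key = derive_session_key(self.secret, self.nonce)
            self.global_key = bytes(a ^ b for a, b in zip(msg["wrapped"], key))

class AccessPoint:  # authenticator: relays EAP on the uncontrolled port, gates the controlled one
    def __init__(self, radius):
        self.radius, self.controlled_port_open = radius, False
        self.global_key = os.urandom(16)  # broadcast (global) key shared by all clients

    def authenticate(self, supplicant):
        transcript = ["EAPoL-Start", "EAP-Request/Identity"]
        ident = supplicant.handle({"type": "EAP-Request/Identity"})
        chal = self.radius.access_request(ident["identity"])
        transcript += [ident["type"], "RADIUS-Access-Request", chal["type"]]
        if chal["type"] != "Access-Challenge":
            return False, transcript + ["EAP-Failure"]
        resp = supplicant.handle({"type": "EAP-Request", "challenge": chal["challenge"]})
        result = self.radius.access_request(resp["identity"], resp["credentials"])
        transcript += ["EAP-Request", resp["type"], "RADIUS-Access-Request", result["type"]]
        if result["type"] != "Access-Accept":
            return False, transcript + ["EAP-Failure"]
        self.controlled_port_open = True  # only now may the client pass traffic
        # Global key sent wrapped under the fresh unicast session key (one-time pad here).
        wrapped = bytes(a ^ b for a, b in zip(self.global_key, result["session_key"]))
        supplicant.handle({"type": "EAP-Success", "wrapped": wrapped})
        return True, transcript + ["EAP-Success"]

def run_exchange(identity, secret):  # -> (port opened, transcript, client holds global key)
    ap, client = AccessPoint(RadiusServer(RADIUS_USERS)), Supplicant(identity, secret)
    opened, transcript = ap.authenticate(client)
    return opened and ap.controlled_port_open, transcript, client.global_key == ap.global_key
```

A wrong password or an unknown identity ends in Access-Reject and EAP-Failure, and the controlled port stays blocked, so no global key ever reaches that client.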
Figure 9.19 EAPOL Traffic Flow (supplicant, access point and RADIUS server; access blocked before and allowed after: EAPoL Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS-Access-Request, RADIUS-Access-Challenge, EAP-Request, EAP-Response (credentials), RADIUS-Access-Request, RADIUS-Access-Accept, EAP-Success)

User Identification and Strong Authentication

With the addition of the 802.1X standard, clients are identified by usernames, not by the MAC addresses of the devices. This design not only enhances security, it also streamlines the process for authentication, authorization, and accountability for the network. The 802.1X standard was designed so that it could support extended forms of authentication, using password methods (such as one-time passwords, or GSS_API mechanisms such as Kerberos) and nonpassword methods (such as biometrics, Internet Key Exchange [IKE], and smart cards).

Dynamic Key Derivation

The 802.1X standard allows for the creation of per-user session keys. With 802.1X, WEP keys do not need to be kept at the client device or AP. These WEP keys will be dynamically created at the client for every session, thus making it more secure. The Global key, like a broadcast WEP key, can be encrypted using a Unicast session key and then sent from the AP to the client in a much more secure manner.

Mutual Authentication

The 802.1X standard and EAP provide for a mutual authentication capability. This capability makes the clients and the authentication servers mutually authenticating end points and assists in the mitigation of attacks from man-in-the-middle types of devices. Any of the following EAP methods provides for mutual authentication:

■ TLS This requires that the server supply a certificate and establish that it has possession of the private key.
■ IKE This requires that the server show possession of a preshared key or private key. (This can be considered certificate authentication.)
■ GSS_API (Kerberos) This requires that the server can demonstrate knowledge of the session key.

Head of the Class… So What Are 802.1X and 802.11X, Exactly?
Wireless technology provides convenience and mobility, but it also poses massive security challenges for network administrators, engineers, and security administrators. Security for 802.11 networks can be broken into three distinct components:
■ The authentication mechanism
■ The authentication algorithm
■ Data frame encryption
Current authentication in the 802.11 IEEE standard is focused more on wireless LAN connectivity than on verifying user or station identity. Since wireless can potentially scale so high in terms of the number of possible users, you might want to consider a way to centralize user authentication. This is where the IEEE 802.1X standard comes into play.

Per-Packet Authentication

EAP can support per-packet authentication and integrity protection, but this authentication and integrity protection are not extended to all types of EAP messages. For example, negative acknowledgment (NAK) and notification messages are not able to use per-packet authentication and integrity. Per-packet authentication and integrity protection work for the following (packet is encrypted unless otherwise noted):
■ TLS and IKE derived session key
■ TLS ciphersuite negotiations (not encrypted)
■ IKE ciphersuite negotiations
■ Kerberos tickets
■ Success and failure messages that use a derived session key (through WEP)

TEST DAY TIP
You might find it helpful to write out a table showing the various authentication methods used in 802.11 networks (such as open authentication, shared-key authentication, and 802.1X authentication) with the various properties that each of these authentication methods requires.
This table will help keep them straight in your mind when you take the test.

Using RSoP

Resultant Set of Policy (RSoP) is an addition to Group Policy that you can use to view wireless network policy assignments for a computer or for members of a Group Policy container. This information can help you troubleshoot policy precedence issues and plan your deployment. To view wireless network policy assignments in RSoP, you must first open the RSoP MMC console and then run a query. RSoP provides two types of queries: Logging mode queries (for viewing wireless network policy assignments for a computer) and Planning mode queries (for viewing wireless network policy assignments for members of a Group Policy container).

[...]

[Figure: a wireless access point (static IP 192.168.1.129, mask 255.255.255.128) joining an IEEE 802.3 network (DHCP server; clients with dynamic IPs 192.168.1.20, 192.168.1.21 and 192.168.1.22, mask 255.255.255.128) and an IEEE 802.11 network (clients with static IPs 192.168.1.130 and 192.168.1.131, mask 255.255.255.128)]

... employ the 802.11 standard, specifically 802.11a, 802.11b, and 802.11g. The most common type of WLAN in use today is based on the IEEE 802.11b standard; however, with its increased transmission speed and backward compatibility to 802.11b, 802.11g may emerge as the most popular. It also does not hurt that 802.11g devices are being introduced to the market at a lower price point than 802.11a and 802.11b levels ...

... wireless clients to produce valid monitoring data ...

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you ...

... A The new member of the management team has an 802.11a wireless network adapter and Company B's wireless network is using 802.11g equipment
B The new member of the management team has an 802.11b wireless network adapter and Company B's wireless network is using 802.11g equipment ...
... management team has an 802.11g wireless network adapter and Company B's wireless network is using 802.11b equipment
D The new member of the management team has an 802.11g wireless network adapter and Company B's wireless network is using 802.11a equipment

3 What are the two WEP key sizes available in 802.11 networks?
A 64-bit and 104-bit keys
B 24-bit and 64-bit keys
C 64-bit and 128-bit keys
D 24-bit ...

... which the event was generated
■ Description Provides a brief summary of the logged event (partially obscured in Figure 9.32) ...

Summary of Exam Objectives

WLANs are attractive to many companies and home users due to the increased productivity that results from the convenience and flexibility ...

... address range of 89.0.0.1 to 89.255.255.254 and a stub network with an address range of 89.1.0.1 to 89.1.255.254. For this reason, it is also called a stub subnetwork. In the context of wireless networking and especially wireless network security, a stub network is a good way to centralize your wireless clients and isolate them from the rest of the network, as depicted in Figure 9.28. The gateway between ...

... Integrity Code (MIC) ...

Windows Server 2003 improved on the embedded wireless capability that was introduced with Windows XP. One notable new feature in Windows Server 2003 is the integration of wireless network functionality with Group Policy. Wireless Network (802.11) Policy is available for ...

... would be running NAT and will be in bridging mode. As a bridge, the gateway will simply pass traffic between the two networks ...

Figure 9.28 Setting Up a Stub Network (Internet; gateway to stub network; internal network; wireless network with laptops and PDAs)

Monitoring Wireless Activity

Windows ... connectivity in the past. This appears to be changing with Windows Server 2003.

Exam Objectives Fast Track

Wireless Concepts
There are two types of 802.11 network modes: ad hoc and infrastructure. Ad hoc 802.11 networks are peer to peer in design and can be implemented by two clients with wireless network cards. The Infrastructure mode of 802.11 uses APs to provide wireless connectivity to a wired network beyond ...

EXAM 70-296 OBJECTIVE 4.2
■ At a minimum, wireless APs and adapters should support firmware updates, 128-bit WEP, MAC filtering, ...

Posted: 13/08/2014, 15:20