Designing for Wireless Security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In designing security for your wireless LAN, choose the appropriate level of basic security available under IEEE 802.11 and 802.1X. Then, to close inherent security risks associated with wireless networking, require authorization and authentication of wireless clients before they exchange data with the network attached to the wireless APs, and encrypt the data sent between wireless clients and APs.

Choosing the Right Basic Security for Your WLAN

IEEE 802.11 open system or shared key authentication does not scale to a large, infrastructure-mode wireless network (corporate offices and public places such as airports and malls). In a large enterprise environment, you should not deploy 802.11 without also deploying 802.1X and RADIUS support.

To ensure the highest level of security for a WLAN in a corporate enterprise environment, use 802.1X with EAP-TLS authentication, a PKI, and RADIUS. The wireless clients must support 802.1X in a WLAN deployment using EAP-TLS.

Microsoft 802.1X Authentication Client provides 802.1X support for computers running any of the following Windows operating systems: Microsoft® Windows® 2000, Windows® 98, and Windows NT® version 4.0 Workstation.

Note

  • The Microsoft 802.1X Authentication Client for Windows® 98 and Windows NT® version 4.0 Workstation is available only to customers who have Microsoft Premier Support.

Windows XP provides 802.1X support and additional wireless support, including automatic wireless configuration.

Closing Inherent Security Risks for WLANs

While providing convenience, wireless networking technologies and wireless APs present security risks. In wireless networks, the signals can be intercepted because the data is broadcast using an antenna. Furthermore, if the signals are not encrypted, an eavesdropper outside the premises can view the packets sent on a wireless network.

Wireless networking technologies and wireless APs present two security risks:

  • Any person with a compatible wireless network adapter can associate with your wireless APs and attach to your network.

  • Because wireless networking signals use radio waves to send and receive information, anyone within a certain distance of a wireless AP can detect and receive all data sent to and from the wireless AP.

Enforcing authorization and authentication

To counter the first security risk, wireless APs must require authentication and authorization of the wireless client before data can be sent to, and received from, the network attached to the wireless AP.

The solution is to use the combination of an 802.1X-enabled wireless client, such as Windows XP; an IEEE 802.1X-enabled and RADIUS-capable wireless AP; and EAP-capable RADIUS servers such as Windows Server 2003 IAS.

With this combination, wireless APs can send connection requests and accounting messages to central RADIUS servers. The RADIUS servers have access to a user accounts database, such as Active Directory, and a set of rules for granting authorization, such as IAS remote access policies. The RADIUS server processes the wireless AP connection request, and either accepts or rejects it.
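The following Python script is an added example and not code from the original article or from IAS; it models the decision described above, with the AP forwarding an Access-Request on the client's behalf, the RADIUS server first authenticating the account against a user database and then authorizing it against an ordered list of remote access policies (first matching policy decides, no match means reject), and returning Access-Accept or Access-Reject. The accounts, group names and policy are constructed for the example; the multi-round EAP exchange (Access-Challenge messages) is collapsed into one `credentials_verified` flag, and accounting messages are omitted.

```python
from dataclasses import dataclass

# RADIUS NAS-Port-Type values (RFC 2865 / RFC 3580).
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19

# Constructed stand-in for the Active Directory accounts database.
ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"Domain Users", "Wireless Users"}},
    "bob": {"enabled": True, "groups": {"Domain Users"}},
    "carol": {"enabled": False, "groups": {"Domain Users", "Wireless Users"}},
}


@dataclass(frozen=True)
class AccessRequest:
    """What the wireless AP forwards to the RADIUS server for one client."""
    user_name: str
    nas_port_type: int
    eap_method: str             # e.g. "EAP-TLS", "PEAP-MS-CHAP v2", "EAP-MD5"
    credentials_verified: bool  # outcome of the EAP exchange the server ran with the client


@dataclass(frozen=True)
class RemoteAccessPolicy:
    """Simplified IAS-style remote access policy: every condition must match,
    and the first matching policy in the list decides grant or deny."""
    name: str
    nas_port_type: int
    required_group: str
    allowed_eap_methods: frozenset
    grant_access: bool

    def matches(self, request, account):
        return (request.nas_port_type == self.nas_port_type
                and self.required_group in account["groups"]
                and request.eap_method in self.allowed_eap_methods)


# Constructed policy: only members of "Wireless Users" connecting through a
# wireless port with a strong EAP method are granted access.
POLICIES = [
    RemoteAccessPolicy("Wireless access for Wireless Users", NAS_PORT_TYPE_WIRELESS_80211,
                       "Wireless Users", frozenset({"EAP-TLS", "PEAP-MS-CHAP v2"}), True),
]


def authenticate(request, accounts):
    """Authentication: a real, enabled account that proved its credentials."""
    account = accounts.get(request.user_name)
    if account is None:
        return None, "unknown account"
    if not account["enabled"]:
        return None, "account disabled"
    if not request.credentials_verified:
        return None, "EAP authentication failed"
    return account, "ok"


def authorize(request, account, policies):
    """Authorization: apply the first policy whose conditions match; none matching means deny."""
    for policy in policies:
        if policy.matches(request, account):
            return policy.grant_access, policy.name
    return False, "no matching remote access policy"


def process_access_request(request, accounts=ACCOUNTS, policies=POLICIES):
    """Return ("Access-Accept" or "Access-Reject", reason) for one Access-Request."""
    account, reason = authenticate(request, accounts)
    if account is None:
        return "Access-Reject", reason
    granted, detail = authorize(request, account, policies)
    return ("Access-Accept" if granted else "Access-Reject"), detail


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", NAS_PORT_TYPE_WIRELESS_80211, "EAP-TLS", True),
        AccessRequest("bob", NAS_PORT_TYPE_WIRELESS_80211, "EAP-TLS", True),
        AccessRequest("alice", NAS_PORT_TYPE_WIRELESS_80211, "EAP-MD5", True),
        AccessRequest("carol", NAS_PORT_TYPE_WIRELESS_80211, "PEAP-MS-CHAP v2", True),
    ):
        print(req.user_name, req.eap_method, "->", process_access_request(req))
```

The split into `authenticate` and `authorize` is the point: a valid certificate or password proves identity, but it is the policy conditions (port type, group membership, EAP method) that decide whether that identity may attach to the network behind the AP.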

Encrypting data

To counter the second security risk, encrypt the data sent between the wireless clients and the wireless APs. The method of encryption defined by the IEEE 802.11b standard is Wired Equivalent Privacy (WEP). To provide per-session strong cryptographic keys for WEP encryption, use EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2 as the authentication method. IAS has been enhanced to support both PEAP-MS-CHAP v2 and EAP-TLS.

EAP-TLS, defined in RFC 2716, carries the TLS authentication handshake as an EAP type. TLS is used in certificate-based security environments. EAP-TLS is a secure channel (SChannel) authentication protocol that provides mutual authentication, integrity-protected cipher-suite negotiation, and key exchange between the two endpoints by means of public key cryptography.
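The following Python script is an added example and not code from the original article or from Windows; it shows where the "per-session strong cryptographic keys" come from by implementing the TLS 1.0 pseudorandom function (RFC 2246, section 5) and the RFC 2716 key derivation (label "client EAP encryption", seed client_hello.random + server_hello.random) that turns each EAP-TLS handshake's master secret into a fresh peer key and server key. The master secret and random values are constructed inline, and the 13-byte WEP key length (104-bit WEP) is an assumption about the AP configuration.

```python
import hmac
import os


def _p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: concatenated HMACs over the chain
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), emitting HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 keyed with the first half of the secret, XORed with
    P_SHA1 keyed with the second half (the halves overlap by one byte when odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = _p_hash("md5", s1, label + seed, length)
    sha1_stream = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


EAP_TLS_LABEL = b"client EAP encryption"


def eap_tls_key_material(master_secret, client_random, server_random):
    """RFC 2716 section 3.5: 128 bytes of key material from the master secret, and
    64 bytes of IV material from an empty secret, both seeded with the two randoms.
    The first 32 bytes are the peer encryption key, the next 32 the EAP server key."""
    seed = client_random + server_random
    key_material = tls10_prf(master_secret, EAP_TLS_LABEL, seed, 128)
    iv_material = tls10_prf(b"", EAP_TLS_LABEL, seed, 64)
    return {
        "peer_encryption_key": key_material[:32],      # peer -> EAP server direction
        "server_encryption_key": key_material[32:64],  # EAP server -> peer direction
        "peer_iv": iv_material[:32],
        "server_iv": iv_material[32:64],
    }


def per_session_wep_keys(keys, wep_key_len=13):
    """RFC 2716 has the keys "truncated to the correct length" for the cipher in use;
    with 104-bit WEP (13-byte keys, an assumption here) the AP keeps the leading bytes."""
    return (keys["peer_encryption_key"][:wep_key_len],
            keys["server_encryption_key"][:wep_key_len])


def derive_session(master_secret, client_random=None, server_random=None):
    """One association: fresh handshake randoms produce a new WEP key pair even when
    the same client authenticates again with the same certificate."""
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    return per_session_wep_keys(eap_tls_key_material(master_secret, client_random, server_random))


if __name__ == "__main__":
    # Constructed master secret; a real one is negotiated by the TLS handshake.
    master_secret = bytes(range(48))
    for session in range(2):
        peer_key, server_key = derive_session(master_secret)
        print(f"session {session}: peer {peer_key.hex()} server {server_key.hex()}")
```

Because the seed includes both parties' handshake randoms, neither side can force a repeated key, and a key recovered from one session reveals nothing about earlier or later ones; this is the property static WEP lacks and the reason the article ties dynamic WEP keys to a strong EAP method.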

PEAP-MS-CHAP v2 provides a secure wireless authentication solution for small businesses without requiring a certificate infrastructure (PKI) or the installation of a user or computer certificate on each wireless client. With PEAP, you can use a password-based authentication method to securely authenticate wireless connections. PEAP creates an encrypted channel before the password-based authentication occurs, so password-based exchanges such as those in MS-CHAP v2 are not subject to offline dictionary attacks.

Note

  • PEAP with MS-CHAP v2 is provided with Windows XP Service Pack 1 (SP1) and later, Windows Server 2003, and Microsoft 802.1X Authentication Client.