July 2007

Security Considerations for Windows Wireless Networks


Are you planning on implementing wireless in your environment? Read up on what to be aware of.

Most organizations have implemented some sort of Windows 2000 Server or higher in their network environment. Many of you are now considering, planning or implementing wireless local area networks (WLANs) that require advanced authentication mechanisms, going beyond what was required for wired networks in the past. Security is at the forefront of most network administrators' minds, and the wireless environment is an obvious target for attack: the data is literally transmitted as radio energy through the air. Attackers can use any of many tools known as protocol analyzers to capture this data as it is transmitted from the organization’s clients to the access points (APs). For this reason, modern WLANs implement strong authentication and encryption technologies.

The built-in support that Windows Server provides for a WLAN security infrastructure is often overlooked. In order to implement a secure enterprise-class WLAN, you will need an authentication infrastructure. This infrastructure includes authenticators and authentication servers. The authenticator (AP) acts as the mediator between a WLAN client station (STA) and an authentication server (AS). The AS stores, or has access to, the information that is used to validate the STAs as they authenticate through the AP to the network. So what roles can Windows Server play? Two, actually. The first role is that of the AS and the second is that of the credential store. You can use Active Directory to store user names and passwords, or you can use Certificate Services to issue and store STA certificates for authentication purposes. Both Active Directory and Certificate Services come with Windows Server out of the box. Another service that ships with Windows Server is the Internet Authentication Service (IAS). IAS is Microsoft’s implementation of a RADIUS server and, therefore, can play the role of the AS in a secure WLAN.

The parts and pieces that I’ve talked about so far come together to form what is known as an IEEE 802.1X framework. IEEE 802.1X defines a framework that involves a requester (known as a supplicant), an authenticator and an authentication server. In a WLAN, the STA is the supplicant, the AP is the authenticator, and IAS is the authentication server – should you choose to use it. The reality is that this knowledge can benefit both large enterprises and smaller organizations.

Many small- and medium-sized businesses (SMBs) have Windows Servers installed that are not being fully utilized. For example, it is not uncommon to have a file server that is accessed only ten to fifteen times an hour in these smaller businesses. If this is the case for you, it would probably be more cost effective to use IAS on that server than to buy a network appliance – usually for a few thousand dollars, though I’ve seen a few for less than that – that does the same work of providing a RADIUS service to your network.

In order to implement this WLAN security infrastructure solution, you will need to do the proper planning. This means answering the following questions:

• What type of Extensible Authentication Protocol (EAP) will you implement?
• Will you be using network access control?
• Will all users be required to use the IEEE 802.1X implementation that you build?


The EAP type is very important because some EAP types require certificates for both the AS and the STAs, while others require a certificate only for the AS. If you want to reduce your certificate management overhead, you may want to select a secure EAP type (avoid LEAP, as its weaknesses are well documented) that requires a certificate only on the AS.

IAS supports remote access policies in Windows Server. These policies can be used to allow authentication only if the client STA has a certificate and, if not, to place the STA on a virtual LAN (VLAN) that contains only a certificate server for certificate acquisition. This is just one example; remote access policies also allow you to take actions based on group membership and other factors.

Finally, if you will not be requiring all users to use the IEEE 802.1X infrastructure, you will probably need to implement different APs (or at least APs with multiple virtual SSIDs) for each connection type: one for the secure connection (probably your internal users) and another for the open connections (probably guests). You could further configure your open network so that Internet access is provided, but the STAs associated with it cannot access any internal servers, services or data.
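The policy flow described in the last three paragraphs (certificate holders onto the internal network, password-only users onto a certificate-enrollment VLAN, guests onto an Internet-only VLAN), as an added example that is not part of the original article and not IAS's own code or API: a small Python model of ordered remote access policies that returns the RFC 3580 tunnel attributes an 802.1X-capable AP uses for VLAN placement. The VLAN numbers, the `WLAN-Users` group and the SSID names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN numbering for this example (not from the article).
VLAN_INTERNAL, VLAN_CERT_ENROLL, VLAN_GUEST = "10", "20", "30"

# RFC 3580 tunnel attributes that an 802.1X-capable AP honours to place the
# station in a VLAN: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802.
def vlan_attributes(vlan_id: str) -> dict:
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_id}

@dataclass
class AccessRequest:
    ssid: str                          # which (virtual) SSID the AP reports
    user: str
    eap_type: Optional[str]            # None on the open guest SSID
    client_cert_subject: Optional[str] = None  # set only if EAP-TLS validated a cert
    groups: set = field(default_factory=set)   # assumed AD group membership

def in_wlan_users(r: AccessRequest) -> bool:
    return "WLAN-Users" in r.groups

# Ordered policies: IAS evaluates top-down and the first full match decides.
POLICIES = [
    ("Guest SSID: Internet-only VLAN",
     lambda r: r.ssid == "Guest",
     ("Access-Accept", vlan_attributes(VLAN_GUEST))),
    ("Reject LEAP or non-EAP logon on the secure SSID",
     lambda r: r.eap_type in (None, "LEAP"),
     ("Access-Reject", {})),
    ("EAP-TLS with valid client certificate: internal VLAN",
     lambda r: in_wlan_users(r) and r.eap_type == "EAP-TLS"
               and r.client_cert_subject is not None,
     ("Access-Accept", vlan_attributes(VLAN_INTERNAL))),
    ("PEAP password logon, no certificate yet: enrollment VLAN",
     lambda r: in_wlan_users(r) and r.eap_type == "PEAP-MSCHAPv2",
     ("Access-Accept", vlan_attributes(VLAN_CERT_ENROLL))),
]

def evaluate(req: AccessRequest) -> tuple:
    """Return (matched policy name, RADIUS response code, attributes)."""
    for name, matches, (code, attrs) in POLICIES:
        if matches(req):
            return name, code, dict(attrs)
    return "Implicit deny", "Access-Reject", {}  # no policy matched

if __name__ == "__main__":
    staff = AccessRequest("Corp", "alice", "EAP-TLS", "CN=alice", {"WLAN-Users"})
    print(evaluate(staff))
```

Because evaluation is first-match, the order of the policy list matters as much as the conditions; a request that matches no policy is rejected.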

While this article presents an overview of these concepts, you can learn more about the various EAP types in the LearnKey Wireless Security eLearning program and you can learn more about Windows’ support for IAS, Active Directory and Certificate Services at the Microsoft website. You may also feel free to contact me with any questions you have as you attempt to implement a secure WLAN using Microsoft technologies. My email address is carpenter@sysedco.com and I’ll be glad to help.


 LearnKey, Inc.