Implementing Security in Wireless Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Implementing Security in Wireless Networks
  • Artur Mroczko
  • MCT
  • Computer Service Support S.A.

2
Session Prerequisites
  • Hands-on experience with Microsoft Windows
    Server 2003 or Windows 2000 server and client
    operating systems and Active Directory
  • Basic understanding of wireless LAN technology
  • Basic understanding of Microsoft Certificate
    Services
  • Basic understanding of RADIUS and remote-access
    protocols

Level 300
3
Agenda
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Troubleshooting

4
Securing a Wireless Network
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Troubleshooting

5
Areas to Secure
When designing a wireless network, pay attention
to:
  • Network authentication and authorization
  • Data protection
  • Access point configuration
  • Security management

6
Common Security Threats to Wireless Networks
Security threats include:
  • Disclosure of confidential information
  • Unauthorized access to data
  • Impersonation of an authorized client
  • Interruption of the wireless service
  • Unauthorized access to the Internet
  • Accidental threats
  • Unsecured home wireless setups
  • Unauthorized WLAN implementations

7
Understanding Wireless Network Standards and
Technologies
802.1X: a standard that defines a port-based
access control mechanism for authenticating access
to a network and, optionally, for managing the keys
used to protect traffic
8
Wireless Network Implementation Options
  • Wi-Fi Protected Access with Pre-Shared Keys
    (WPA-PSK)
  • Protected Extensible Authentication Protocol
    (PEAP) and passwords
  • Wireless network security using Certificate
    Services

9
Choosing the Appropriate Wireless Network Solution
10
Securing a Wireless Network
  • Overview of Wireless Solutions
  • Securing a Wireless Network
  • Implementing a Wireless Network using Password
    Authentication
  • Configuring Wireless Network Infrastructure
    Components
  • Configuring Wireless Network Clients
  • Troubleshooting Wireless Network Problems
  • Best Practices

11
Understanding Elements of WLAN Security
To effectively secure a wireless network,
consider:
  • Authentication of the person or device connecting
    to the wireless network
  • Authorization of the person or device to use the
    WLAN
  • Protection of the data transmitted over the WLAN

Audit WLAN Access
12
Effective Authentication and Authorization
13
Protecting Transmitted Data
  • Wired Equivalent Privacy (WEP)
      • Dynamic WEP combined with 802.1X authentication
        provides a sufficient level of encryption
      • Compatible with most hardware
  • Wi-Fi Protected Access (WPA/WPA2)
      • Changes the encryption key with every packet
      • Longer initialization vector
      • Packet counter
      • WPA2 supports encryption with AES. WPA uses
        Temporal Key Integrity Protocol (TKIP)

14
Alternative Approaches to Protect WLAN Traffic
Alternatives used to protect WLAN traffic include
the use of:
  • Virtual Private Network (VPN)
  • Internet Protocol Security (IPSec)

15
System Requirements for Implementing 802.1X
16
Guidelines for Securing Wireless Networks
  • Require data protection for all wireless
    communications
  • Require 802.1X authentication to help prevent
    spoofing, freeloading, and accidental threats to
    your network
  • Use software scanning tools to locate and shut
    down rogue WLANs on your corporate network
17
Implementing a Wireless Network Using Password
Authentication
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Troubleshooting

18
The Components Required to Implement PEAP-MS-CHAP
v2
19
Design Criteria for the PEAP-MS-CHAP v2 Wireless
Solution
  • Security Requirements
  • Scalability
  • Availability
  • Platform Support
  • Extensibility
  • Standards Conformance
20
How 802.1X Works with PEAP and a Password
[Diagram: Wireless Client, Wireless Access Point, RADIUS (IAS)]
  1. Client Connect
  2. Client Authentication, Server Authentication,
     Mutual Key Determination
  3. Key Distribution
  4. WLAN Encryption, Authorization
  5. Internal Network
21
Identifying the Services for the PEAP WLAN Network
  • Domain Controller (DC)
  • RADIUS (IAS)
  • Certification Authority (CA)
  • DHCP Services (DHCP)
  • DNS Services (DNS)
[Diagram: Headquarters and Branch Office sites; labels: IAS/CA/DC, IAS/DNS/DC, DHCP, Access Points, WLAN Clients, Primary, Secondary]
22
Configuring Wireless Network Infrastructure
Components
  • Overview of Wireless Solutions
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Configuring Wireless Network Infrastructure
    Components
  • Configuring Wireless Network Clients
  • Troubleshooting Wireless Network Problems
  • Best Practices

23
Preparing the Environment
  • Install the WLAN Scripts using Microsoft
    WLAN-PEAP.msi
  • Install the additional tools on the IAS servers:
      • Group Policy Management Console
      • CAPICOM
      • DSACLs.exe

24
Demo: Implementing a Wireless Network Using
Password Authentication
25
Configuring the Network Certification Authority
  • The CA is used to issue Computer Certificates to
    the IAS Servers
  • To install Certificate Services, log on with an
    account that is a member of:
      • Enterprise Admins
      • Domain Admins
  • Consider that Certificate Services in Windows
    Server 2003 Standard Edition does not provide:
      • Auto enrollment of certificates to both
        computers and users
      • Version 2 certificate templates
      • Editable certificate templates
      • Archival of keys

26
Reviewing the Certification Authority
Installation Parameters
  • Certificate Templates Available: Computer
    (Machine)
  • Drive and path of CA request files: C:\CAConfig
  • Length of CA Key: 2048 bits
  • Validity Period: 25 years
  • Validity Period of Issued Certificates: 2 years
  • CRL Publishing Interval: 7 days
  • CRL Overlap Period: 4 days
27
Installing the Certification Authority
  1. Run MSSsetup CheckCAenvironment
  2. Run MSSsetup InstallCA
  3. Run MSSsetup VerifyCAInstall
  4. Run MSSsetup ConfigureCA
  5. Run MSSSetup ImportAutoenrollGPO
  6. Run MSSsetup VerifyCAConfig
28
Demonstration 2 Configuring the Certification
Authority
  • Configure the Certification Authority using the
    WLAN-PEAP scripts

29
Configuring Internet Authentication Services (IAS)
IAS uses Active Directory to verify and
authenticate client credentials and locally
configured policies to make authorization
decisions.
IAS configuration categories include:
  • IAS Server Settings
  • IAS Access Policies
  • RADIUS Logging

30
Reviewing IAS Configuration Parameters
IAS parameters that are to be configured include:
  • IAS Logging to Windows Event Log
  • IAS RADIUS Logging
  • Remote Access Policy
  • Remote Access Policy Profile
31
Installing the IAS Server
  1. Run MSSsetup CheckIASEnvironment
  2. Run MSSsetup InstallIAS
  3. Register the IAS server into Active Directory
  4. Restart server to automatically enroll the IAS
     server certificate
  5. Configure logging and the remote access policy
  6. Export IAS settings to be imported to another
     server
32
Demonstration 3 Configuring the IAS Server
  • Configure the IAS Server for use with the
    WLAN-PEAP solution

33
Configuring Wireless Access Points
  1. Run MssTools AddRadiusClient
  2. Run MssTools AddSecRadiusClients
  3. Configure the Wireless Access Points
34
Wireless Access Point Configuration Parameters
Configure the basic network settings such as:
  • IP configuration of the access point
  • Friendly name of the access point
  • Wireless network name (SSID)

Typical settings for a wireless access point
include:
  • Authentication parameters
  • Encryption parameters
  • RADIUS authentication
  • RADIUS accounting

35
Demonstration 4 Wireless Access Point
Configuration
  • Configure the wireless access point as a RADIUS
    client
  • Simulate the configuration of an access point

36
Configuring Wireless Network Clients
  • Overview of Wireless Solutions
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Configuring Wireless Network Infrastructure
    Components
  • Configuring Wireless Network Clients
  • Troubleshooting Wireless Network Problems
  • Best Practices

37
Controlling WLAN Access Using Security Groups
IAS enables you to control access to the wireless
network using Active Directory security groups
that are linked to a specific remote-access
policy.
38
Configuring Windows XP WLAN Clients
  1. Install required updates
  2. Create the WLAN client GPO using GPMC
  3. Deploy the WLAN settings
39
Reviewing WLAN Client Parameters
40
Demonstration 5 Creating the WLAN Client
Settings GPO
  • Configure the WLAN client settings GPO

41
Troubleshooting
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Troubleshooting

42
Troubleshooting Procedure
A problem may fall into one of the following
categories:
  • Client connection problem
  • Performance
  • Computer authentication errors
  • User authentication errors

43
Diagnosing Client Connection Problems
  • Check the user/computer account
  • Check client computer
  • Check the access point configuration settings
  • Check Active Directory and network services
  • Check the IAS servers
  • Check WAN connectivity
  • Check the Certification Authority
44
Diagnosing Performance Problems
Performance problems can be diagnosed by
performing the following tasks:
  • Use Performance Monitor to identify heavily
    loaded IAS servers
  • Verify that access points are configured to use
    the closest primary IAS server
  • Revisit the WLAN network design for incorrect
    access point placement
  • Client re-authentication may take up to 60 seconds

45
User or Computer Account Authentication Problems
Authentication problems may be the result of:
  • IAS authentication issues
  • The account is incorrect, disabled, or locked out
  • The account is not a member of the WLAN access
    group
  • The remote-access permission is set to deny
46
Troubleshooting Tools and Techniques
47
Best Practices
  • Overview of Wireless Solutions
  • Securing a Wireless Network
  • Implementing a Wireless Network Using Password
    Authentication
  • Configuring Wireless Network Infrastructure
    Components
  • Configuring Wireless Network Clients
  • Troubleshooting Wireless Network Problems
  • Best Practices

48
Best Practices for Implementing Secure Wireless
Networks
  • Understand WLAN prerequisites
  • Choose a client configuration strategy
  • Determine traffic encryption requirements
  • Determine software settings for 802.1X WLANs
  • Determine availability requirements
49
Session Summary
  • Determine your organization's wireless
    requirements
  • Require 802.1X authentication
  • Implement the PEAP and Passwords solution for
    organizations that do not utilize a PKI
    infrastructure
  • Use the scripts provided by the PEAP and
    Passwords solution
  • Use security groups and Group Policy to control
    WLAN client access
  • Use troubleshooting tools such as client and IAS
    tracing
50
Next Steps
  • Find additional security training events
      • The Microsoft Security Events and Webcasts
        Web site
  • Sign up for security communications
      • The Microsoft TechNet Web site
  • Order the Security Guidance Kit
      • The Microsoft TechNet Web site
  • Get additional security tools and content
      • The Microsoft Security Web site
      • The Wi-Fi page on the Microsoft Web site

51
Questions
52
Clinic Evaluation