WINDOWS SECURITY

Hardening Communications
By: McGraw-Hill/Osborne
    2004-10-06

    Table of Contents:
  • Hardening Communications
  • Use IPSec Policies
  • Use IPSec for Confidentiality
  • Use IPSec to Manage Connections
  • Protect IPSec-Protected Computers During Startup
  • Protect WAN Communications
  • Harden NT 4.0 Remote Access Server Configuration
  • Harden Client Access
  • Use L2TP/IPSec VPNs
  • Harden Remote Access Clients
  • Secure Wireless Access



    Hardening Communications - Secure Wireless Access


    (Page 11 of 11 )

    Wireless access points (WAPs, or sometimes simply APs) should be considered the equivalent of remote access servers when a policy for their use is designed. While many steps can be taken to make wireless networks more secure without these advanced techniques, these techniques can markedly improve wireless security. A general discussion of hardening the normal wireless network is described in Hardening Network Infrastructure by Wes Noonan (McGraw-Hill/Osborne, 2004), a companion book in this series.


    Figure 11-5.  Insist on the use of the Message Authenticator Attribute.

    The measures described in the sections that follow should be used to secure wireless access using Windows RRAS.

    Require APs to Be Sanctioned by IT

    A wireless security policy should dictate that APs are to be implemented only by IT and should specify enforcement consequences for setting up a rogue AP. Rogue APs should be disabled, and where security policy dictates, the employee who installs them should be terminated.

    Require WPA and/or 802.1x Authentication

    The initial wireless APs did not provide for real authentication. Instead, the network's identifier is typically all that is required. This identifier, the SSID, can easily be discovered and provides no security at all. As an alternative to this “open system” authentication mode, a shared key can be provided to clients and required for connection. To provide real authentication, and to resolve other security protocol issues, the new Wi-Fi Protected Access (WPA) standard, based on the upcoming 802.11i standard, is available. Unfortunately, device and software modifications are required to use WPA. You can implement 802.1x authentication, Protected EAP (PEAP) authentication, Temporal Key Integrity Protocol (TKIP) for key exchange methodologies, and Michael for integrity, all of which are parts of the standard, using IAS. You must add an upgrade to Windows XP Professional in order to use the new protocols. Windows 2000 IAS will also require an upgrade. You can find 802.1x client software for Windows 2000 and, with a support agreement, for Windows 98, Windows ME, and Windows NT 4.0.

    When 802.1x authentication is added, a client requests a connection to the wireless access point, which acts as a RADIUS client. IAS can use Active Directory or its own account database for authentication and remote access policies to allow, deny, and restrict connections. Encryption keys can be automatically issued to authorized clients and changed frequently without client intervention.

    To configure 802.1x authentication on IAS:

    1. Establish the wireless access point as a RADIUS client in the IAS interface.

    2. Configure the wireless AP according to its manufacturer’s instructions.

    3. Create a Remote Access Policy for wireless clients.

    4. Use the Wireless-Other or Wireless 802.11 NAS-Port type Policy condition.

    5. Select the Wireless-Other or Wireless 802.11 media in the Allow Access Only Through These Media portion of the Dial-in Constraints.

    6. Edit the Remote Access profile, and on the Advanced page click Add, select Termination-Action, as shown here, and then click Add.

    7. On the Enumerate Attribute Information dialog, change the Attribute Value to RADIUS-Request as shown in the following illustration. Then click OK. This prevents disconnection when XP clients re-authenticate.

    8. Create a Connection Request Policy. Remote Access Policies restrict and manage connections from clients; Connection Request Policies manage RADIUS clients. Use the policy to restrict the wireless AP by time of day and day of week. Connection Request Policies are created by right-clicking the Connection Request Policies node in IAS. The policy is similar to a Remote Access Policy.
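    The RADIUS side of that policy, as an added Python example that is not from the book or from IAS itself: a minimal Access-Request/Access-Accept exchange that verifies the Message-Authenticator attribute (Figure 11-5), applies the Wireless-Other / Wireless-IEEE 802.11 NAS-Port-Type condition from steps 4 and 5, and returns Termination-Action = RADIUS-Request as in step 7. The shared secret, packet identifier and packet bytes are constructed here; attribute numbers and values are those of RFC 2865 and RFC 2869.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
NAS_PORT_TYPE, TERMINATION_ACTION, MESSAGE_AUTHENTICATOR = 61, 29, 80  # RFC 2865 / 2869
WIRELESS_OTHER, WIRELESS_80211 = 18, 19      # NAS-Port-Type values used in steps 4 and 5
TERMINATION_RADIUS_REQUEST = 1               # Termination-Action value set in step 7

def attrs_of(packet):
    """Yield (type, offset, value) for each TLV attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    i = 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        yield t, i, packet[i + 2:i + l]
        i += l

def message_authenticator_ok(packet, secret):
    """RFC 2869 5.14: HMAC-MD5(secret, packet) computed with the attribute value zeroed."""
    for t, off, val in attrs_of(packet):
        if t == MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = packet[:off + 2] + b"\0" * 16 + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False  # attribute missing: Figure 11-5 says insist on it, so fail closed

def build_request(ident, secret, nas_port_type, req_auth=None):
    """Constructed Access-Request carrying NAS-Port-Type and a valid Message-Authenticator."""
    attrs = struct.pack("!BBI", NAS_PORT_TYPE, 6, nas_port_type)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\0" * 16   # placeholder, filled below
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = head + (req_auth or os.urandom(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # MA is the last attribute

def decide(packet, secret):
    """Policy: valid Message-Authenticator and a wireless NAS-Port-Type, otherwise reject."""
    if not message_authenticator_ok(packet, secret):
        return ACCESS_REJECT
    wireless = [v for t, _, v in attrs_of(packet)
                if t == NAS_PORT_TYPE and len(v) == 4
                and struct.unpack("!I", v)[0] in (WIRELESS_OTHER, WIRELESS_80211)]
    return ACCESS_ACCEPT if wireless else ACCESS_REJECT

def build_response(code, request, secret):
    """Reply signed per RFC 2865 section 3; an Accept adds Termination-Action=RADIUS-Request."""
    attrs = b""
    if code == ACCESS_ACCEPT:
        attrs = struct.pack("!BBI", TERMINATION_ACTION, 6, TERMINATION_RADIUS_REQUEST)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs
```

    A request with NAS-Port-Type Ethernet (15), a tampered Message-Authenticator, or the wrong shared secret is rejected by `decide`; only a wireless request with a valid authenticator is accepted.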

    Configure 802.1x client authentication using Group Policy:

    1. Open the GPO for editing and right-click Computer Configuration. Then choose Windows Settings | Security Settings | Wireless Network (IEEE 802.11) Policies.

    2. Select Create Wireless Network Policy, and then click Next.

    3. On the General tab, in the Networks to Access, select Access Point (Infrastructure) Networks only. This will prevent connections to ad hoc networks, or to client-to-client wireless networks.

    4. Select Use Windows to Configure Wireless Networks Settings for Clients. This sets a preference for Windows configuration over a third-party wireless connection that may be installed on the client computer.

    5. Leave cleared: Automatically Connect to Non-Preferred Networks, as shown in the following illustration. (You do not want clients to connect to unknown and unapproved networks without user knowledge.)

    6. Select the Preferred Networks tab and select Add to define and configure the 802.1x configuration. Restricting accessible networks protects clients from inadvertent connections to rogue networks.

    7. Enter the SSID of the network.

    8. Select the IEEE 802.1x tab.

    9. Select and configure the EAP type. Choices are Smart Card or Other Certificate, or Protected EAP (PEAP).

    10. Click the Settings button.

    11. Select the trusted root certificate for the server in the Trusted Root Certification Authority box.

    12. Select the authentication method in the Select Authentication drop-down box. In this example, as shown in the following illustration, Secured Password (EAP-MSCHAP v2) is selected. This method encrypts the authentication credentials, thus protecting them from a network-based attack. By default, Windows credentials of the logged-on user are used; however, the Configure button can be used to prevent that, and a dialog for entering a different user ID and password is provided.

    13. Click OK to return and review settings as shown here:

    Use VPNs

    A VPN can be established with the remote access server placed on the network between the AP and the network. Clients connect to the AP in the normal manner, but access to the rest of the network must be established through a VPN connection. This provides authentication, authorization, and confidentiality between the wireless client and the rest of the network.

    Protect Web Communications with SSL

    Using SSL to protect web-based communications requires the use of certificates. Certificates are used to provide server authentication, proving the web server’s identity to the client browser or application. They are also used for the secure exchange of the keys that will encrypt communications between client and server. This is the basis for the secure exchange of data for e-commerce and other sensitive web communications.

    Client authentication can also be required and is discussed in Chapter 12.

    Server-side use of SSL is configured in this way:

    1. Use the IIS Administration tools to create a certificate request.

    2. Forward the request to a public or private certification authority (CA).

    3. Install the returned certificate on the web server.

    4. Configure site requirements for SSL authentication.

    This is from Hardening Windows Systems, by Roberta Bragg, (McGraw-Hill/Osborne, ISBN: 0072253541). Check it out at your favorite bookstore today. Buy this book now.

