SECURITY

Windows Server 2003 : Securing Network Communication - Securing a Wireless Network

5/16/2013 7:17:23 PM
Wireless networking has existed for many years, but it is only recently, with the publication of the 802.11 series of standards by the Institute of Electrical and Electronics Engineers (IEEE), that wireless local area networking (WLAN) technologies have become mainstream products. WLANs enable home and business users to set up computer networks between places that were previously inaccessible, and they enable portable computer users to roam freely while connected to the network. However, wireless networking creates unique security challenges that administrators must address.

Understanding Wireless Networking Standards

Until recently, wireless networking was based on standards defining physical layer technologies that, while reasonably effective, were much slower than the average network and not altogether reliable. These technologies were also expensive and difficult to implement. However, in 1999, the IEEE released the first standard in the 802.11 working group, called “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications,” defining a new series of technologies for the WLAN physical layer. For the wireless networking industry, the key document in this series of standards was IEEE 802.11b, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 2: Higher-Speed Physical Layer (PHY) Extension in the 2.4 GHz Band.”

The 802.11b standard defines a physical layer specification that enables WLANs to run at speeds up to 11 megabits per second (Mbps), slightly faster than a standard Ethernet network. When products conforming to this standard arrived on the market, they quickly became a popular solution, both for home and business use. Prices dropped accordingly and, for the first time, wireless networking became a major force in the industry.

Development continues on standards that are designed to provide even higher WLAN transmission speeds. The 802.11a standard, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 1: High-speed Physical Layer in the 5 GHz band” defines a medium with speeds running up to 54 Mbps, while 802.11g, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Amendment 4: Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for higher transmission speeds using the same 2.4 GHz frequencies as 802.11b.

Wireless Networking Topologies

In computer networking, the term topology typically refers to the pattern of the cables used to connect the computers. Wireless networks do not use cables, but they still have a topology, which defines how the wireless devices interact at the physical layer. At the physical layer, IEEE 802.11b WLANs use direct sequence spread spectrum communications at a frequency of 2.4 GHz, and the devices can communicate with each other using two basic topologies: ad hoc and infrastructure.

Off the Record

Cabled networks are sometimes referred to as bounded media because their signals are confined to a given space—that is, the interior of the cable. Wireless networks are therefore called unbounded media because their signals are not physically restricted in this way.


An ad hoc network consists of two or more wireless devices communicating directly with each other. The signals generated by WLAN network interface adapters are omni-directional out to a range that is governed by environmental factors, as well as the nature of the equipment involved. This range is called a basic service area (BSA). When two wireless devices come within range of each other, as shown in Figure 1, they are able to connect and communicate, immediately forming a two-node network. Wireless devices within the same basic service area are called a basic service set (BSS).

Figure 1. An ad hoc network


Other wireless devices coming within the transmission range of the first two wireless devices can also participate in the network. Ad hoc networking is not transitive, however. A wireless device that comes within range of another device, but still lies outside the range of a third, can communicate only with the device in its range.

Note

The ad hoc topology is most often used on home networks or for very small businesses that have no cabled network components at all.


An infrastructure network uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network. An access point is a small unit that connects to an Ethernet network (or other cabled network) by cable, but that also contains an 802.11b-compliant wireless transceiver. Other wireless devices coming within range of the access point are able to communicate with the cabled network, just as though they were connected by a cable themselves. (See Figure 2.) The access point functions as a transparent bridge, effectively extending the cabled local area network (LAN) to include the wireless devices.

Figure 2. An infrastructure network


Note

On an infrastructure network, wireless devices communicate only with the access point; they do not communicate with each other directly. Therefore, even if two wireless computers are within range of each other, they must still use the access point to communicate.


Most business networks use the infrastructure topology because it provides complete connectivity between wireless devices and the cabled network.

Understanding Wireless Network Security

Unlike bounded media, in which every device on the network must be physically connected to a cable for communication to occur, wireless networks transmit signals in all directions, and any compatible device coming within transmission range might be able to connect to the network. Depending on how many access points you have and where they are located, the boundary of your equipment’s effective range can easily fall outside a controllable area. For example, placing an access point near a building’s outer wall can enable an unauthorized user with a wireless-equipped laptop to access your network from a car parked outside the building.

For this reason, security should be a major concern for all wireless network installations. The two primary threats when it comes to wireless networking are as follows:

  • Unauthorized access An unauthorized user with a wireless workstation connects to the network and accesses network resources. This is the functional equivalent of a user connecting to a cabled network by plugging into an available jack or splicing into the cable, but on a wireless network, the process of making the network connection is much easier. On an infrastructure network, this type of attack compromises the entire network because the user might be able to access bounded as well as unbounded resources. To prevent unauthorized users from connecting to a wireless network, you must implement a system that authenticates and authorizes users before they receive significant access.

  • Data interception A user running a protocol analyzer with a wireless network interface adapter might be able to capture all the packets transmitted between the other wireless devices and the access point. In this case, the device can be as simple as a laptop running Microsoft Network Monitor with a network interface adapter that supports promiscuous mode operation. This type of attack endangers only the data transmitted over the air, but it also leaves no traces, so it is virtually undetectable. The only way to protect against this type of attack is to encrypt all packets transmitted over wireless connections. This does not prevent intruders from capturing the packets, but it does prevent them from reading the data inside.

Controlling Wireless Access Using Group Policies

Windows Server 2003 provides security capabilities for wireless networking in the form of group policies you can use to restrict users’ wireless access to the network. In the Group Policy Object Editor console, you can create a policy in the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies subheading that enables you to specify whether wireless-equipped computers can connect to ad hoc networks only, infrastructure networks only, or both. (See Figure 3.)

Figure 3. The New Wireless Network Policy Properties dialog box


In the Preferred Networks tab, you can specify the networks to which users can connect and set properties for the IEEE 802.1X security protocol, such as which authentication protocol to use (see Figure 4). Using these group policy settings, you can configure the wireless networking properties for all the computers on your WLAN.

Figure 4. The New Preferred Setting Properties dialog box


Authenticating Users

You can use several methods to authenticate users attempting to connect to your WLAN and to prevent unauthorized access by outsiders. The IEEE 802.11 standard itself defines two methods: Open System authentication and Shared Key authentication. Windows Server 2003 supports a third method, based on another standard called IEEE 802.1X.

Open System Authentication

Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all. Open System authentication is simply an exchange of messages in which one system identifies itself to another and the other system replies. There is no exchange of passwords, keys, or any other type of credential, and there is no way for a device configured to use Open System authentication to refuse authentication to another.

Shared Key Authentication

Shared Key authentication is a system by which wireless devices authenticate each other using a secret key that both possess. The key is assumed to have been shared before authentication using a secure channel independent of 802.11 communications to prevent it from being compromised during transmission. Shared Key authentication is not a particularly secure method because all the computers in the same BSS must possess the same key. Compromising the key on one system nullifies the authentication security for the entire BSS.

Important

Shared Key authentication requires the use of the Wired Equivalent Privacy (WEP) algorithm. If WEP is not implemented, Shared Key authentication is not available.


During a Shared Key authentication, messages are exchanged between the requester and the responder as follows:

  1. The system requesting authentication asserts its identity to the other system, using a message that contains a value that identifies the shared key (not the shared key itself) the system is using.

  2. The system receiving the authentication request responds with a message containing the authentication result. If the authentication is successful, the response message includes a 128-byte block of challenge text generated by the WEP pseudorandom number generator.

  3. The requester copies the challenge text from the response message to a new message and encrypts it with WEP, using the shared key as an encryption key.

  4. The responder decrypts the message and compares the decrypted challenge text with the text the system transmitted in step 2. If the values match, the responder grants the authentication.

IEEE 802.1X Authentication

The IEEE 802.1X standard, “Port Based Network Access Control,” defines a method of authenticating and authorizing users connecting to an IEEE 802 LAN, and blocking those users’ access to the LAN should the authentication fail. IEEE 802.1X can authenticate users connecting to any type of LAN, such as Ethernet or Token Ring, but in this case, it is particularly valuable for IEEE 802.11 wireless LANs.

Most IEEE 802.1X implementations function as clients of a server running a Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003. The RADIUS server provides centralized authentication and authorization services for the entire network. For WLAN authentication, RADIUS typically uses one of the following two authentication protocols:

  • Extensible Authentication Protocol-Transport Level Security (EAP-TLS)— EAP is an authentication protocol that is designed to be adaptable so that it can carry a variety of authentication mechanisms within a given packet framework. TLS is an authentication mechanism that transports its messages within EAP packets and provides mutual authentication, integrity-protected negotiation of cryptographic service providers, and secret key exchange between two systems that use public key cryptography. The networks that use EAP-TLS typically have a public key infrastructure (PKI) in place and use certificates for authentication that are stored on the computer or on smart cards.

  • Protected EAP-Microsoft Challenge-Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2)— PEAP is a variation on EAP that is designed for use on wireless networks that do not have a PKI in place. With PEAP, you can use a password-based authentication method, such as MS-CHAP, to securely authenticate wireless connections. PEAP creates an encrypted channel before the password-based authentication occurs. Therefore, password-based authentication exchanges such as those that occur in MS-CHAP v2 are not subject to offline dictionary attacks. (Put simply, an offline dictionary attack uses a brute-force dictionary attack to make repeated attempts to decrypt captured packets that use an encryption key derived from a user’s password. This process is made easier for the intruder when the encryption key is derived from a weak password.)

Important

To use PEAP-MS-CHAP v2 for wireless network authentication, the wireless client must be running either Windows Server 2003 or Windows XP with SP1 installed.


With this system in place, an access point receiving a connection request from a wireless client forwards the request to the RADIUS server, which uses information in a data store, such as the Active Directory database, to determine whether the client should be granted access to the network.

Encrypting Wireless Traffic

To prevent data transmitted over a wireless network from being compromised through unauthorized packet captures, the IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent Privacy (WEP). WEP is an encryption system that uses the RC4 cryptographic algorithm developed by RSA Security Inc. WEP depends on encryption keys that are generated by a mechanism external to WEP itself. In cases where WEP is used with IEEE 802.1X to create a comprehensive wireless security solution for the Windows operating system, WEP uses the keys generated by the EAP-TLS or PEAP-MS-CHAP v2 authentication protocol to encrypt the data in the packets.

Off the Record

Microsoft recommends using the WEP and IEEE 802.1X combination as a suitable security configuration for wireless clients running the Windows operating system.


The degree of protection that WEP provides is governed by configurable parameters that control the length of the keys used to encrypt the data and the frequency with which the systems generate new keys. Longer and more frequently changed keys produce better security.

Exam Tip

When preparing for the exam, be sure you are familiar with the security hazards inherent in wireless networking, and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic.

Other  
 
Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
VIDEO TUTORIAL
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8