Wireless networking has existed for many
years, but it is only recently, with the publication of the 802.11
series of standards by the Institute of Electrical and Electronics
Engineers (IEEE), that wireless local area networking (WLAN)
technologies have become mainstream products. WLANs enable home and
business users to set up computer networks between places that were
previously inaccessible, and they enable portable computer users to roam
freely while connected to the network. However, wireless networking
creates unique security challenges that administrators must address.
Understanding Wireless Networking Standards
Until recently, wireless networking was based on
standards defining physical layer technologies that, while reasonably
effective, were much slower than the average network and not altogether
reliable. These technologies were also expensive and difficult to
implement. However, in 1999, the IEEE released the first standard in the
802.11 working group, called “Wireless LAN Medium Access Control (MAC)
and Physical Layer (PHY) Specifications,” defining a new series of
technologies for the WLAN physical layer. For the wireless networking
industry, the key document in this series of standards was IEEE 802.11b,
“Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
specifications—Amendment 2: Higher-Speed Physical Layer (PHY) Extension
in the 2.4 GHz Band.”
The 802.11b standard defines a physical layer
specification that enables WLANs to run at speeds up to 11 megabits per
second (Mbps), slightly faster than a standard 10 Mbps Ethernet network. When
products conforming to this standard arrived on the market, they quickly
became a popular solution, both for home and business use. Prices
dropped accordingly and, for the first time, wireless networking became a
major force in the industry.
Development
continues on standards that are designed to provide even higher WLAN
transmission speeds. The 802.11a standard, “Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications: Amendment 1:
High-speed Physical Layer in the 5 GHz band” defines a medium with
speeds running up to 54 Mbps, while 802.11g, “Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications—Amendment 4:
Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for
higher transmission speeds using the same 2.4 GHz frequencies as
802.11b.
Wireless Networking Topologies
In computer networking, the term topology
typically refers to the pattern of the cables used to connect the
computers. Wireless networks do not use cables, but they still have a
topology, which defines how the wireless devices interact at the
physical layer. At the physical layer, IEEE 802.11b WLANs use direct
sequence spread spectrum communications at a frequency of 2.4 GHz, and
the devices can communicate with each other using two basic topologies:
ad hoc and infrastructure.
Off the Record
Cabled networks are sometimes referred to as bounded media because their signals are confined to a given space—that is, the interior of the cable. Wireless networks are therefore called unbounded media because their signals are not physically restricted in this way.
An ad hoc network
consists of two or more wireless devices communicating directly with
each other. The signals generated by WLAN network interface adapters are
omni-directional out to a range that is governed by environmental
factors, as well as the nature of the equipment involved. This range is
called a basic service area (BSA). When two wireless devices come within range of each other, as shown in Figure 1,
they are able to connect and communicate, immediately forming a
two-node network. Wireless devices within the same basic service area
are called a basic service set (BSS).
Other
wireless devices coming within the transmission range of the first two
wireless devices can also participate in the network. Ad hoc networking
is not transitive, however. A wireless device that comes within range of
another device, but still lies outside the range of a third, can
communicate only with the device in its range.
Note
The ad hoc topology is most often used on home networks or for very small businesses that have no cabled network components at all.
An infrastructure network uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network. An access point
is a small unit that connects to an Ethernet network (or other cabled
network) by cable, but that also contains an 802.11b-compliant wireless
transceiver. Other wireless devices coming within range of the access
point are able to communicate with the cabled network, just as though
they were connected by a cable themselves. (See Figure 2.)
The access point functions as a transparent bridge, effectively
extending the cabled local area network (LAN) to include the wireless
devices.
Note
On an infrastructure network, wireless devices communicate only with the access point; they do not communicate with each other directly. Therefore, even if two wireless computers are within range of each other, they must still use the access point to communicate.
Most business networks use the infrastructure
topology because it provides complete connectivity between wireless
devices and the cabled network.
Understanding Wireless Network Security
Unlike bounded media, in which every device on
the network must be physically connected to a cable for communication to
occur, wireless networks transmit signals in all directions, and any
compatible device coming within transmission range might be able to
connect to the network. Depending on how many access points you have and
where they are located, the boundary of your equipment’s effective
range can easily fall outside a controllable area. For example, placing
an access point near a building’s outer wall can enable an unauthorized
user with a wireless-equipped laptop to access your network from a car
parked outside the building.
For this reason, security should be a major
concern for all wireless network installations. The two primary threats
when it comes to wireless networking are as follows:
Unauthorized access. An unauthorized user with a wireless workstation connects to the network and accesses network resources. This is the functional equivalent of a user connecting to a cabled network by plugging into an available jack or splicing into the cable, but on a wireless network, the process of making the network connection is much easier. On an infrastructure network, this type of attack compromises the entire network because the user might be able to access bounded as well as unbounded resources. To prevent unauthorized users from connecting to a wireless network, you must implement a system that authenticates and authorizes users before they receive significant access.
Data interception. A user running a protocol analyzer with a wireless network interface adapter might be able to capture all the packets transmitted between the other wireless devices and the access point. The device can be as simple as a laptop running Microsoft Network Monitor with an adapter that can capture frames not addressed to it; on an 802.11 adapter that means a driver supporting monitor mode, not merely the promiscuous mode of a wired adapter. This type of attack exposes only the data transmitted over the air, but it is entirely passive and leaves no traces, so it is virtually undetectable. The only way to protect against it is to encrypt all packets transmitted over wireless connections. This does not prevent intruders from capturing the packets, but it does prevent them from reading the data inside.
Controlling Wireless Access Using Group Policies
Windows Server 2003 provides security
capabilities for wireless networking in the form of group policies you
can use to restrict users’ wireless access to the network. In the Group
Policy Object Editor console, you can create a policy in the Computer
Configuration\Windows Settings\Security Settings\Wireless Network (IEEE
802.11) Policies subheading that enables you to specify whether
wireless-equipped computers can connect to ad hoc networks only,
infrastructure networks only, or both. (See Figure 3.)
In
the Preferred Networks tab, you can specify the networks to which users
can connect and set properties for the IEEE 802.1X security protocol,
such as which authentication protocol to use (see Figure 4). Using these group policy settings, you can configure the wireless networking properties for all the computers on your WLAN.
Authenticating Users
You can use several methods to authenticate
users attempting to connect to your WLAN and to prevent unauthorized
access by outsiders. The IEEE 802.11 standard itself defines two
methods: Open System authentication and Shared Key authentication.
Windows Server 2003 supports a third method, based on another standard
called IEEE 802.1X.
Open System Authentication
Open System authentication is the default authentication method used by IEEE 802.11 devices, and it actually provides no authentication at all; the standard itself describes it as a null authentication algorithm. Open System authentication is simply an exchange of two messages in which one system identifies itself to another and the other system replies. There is no exchange of passwords, keys, or any other type of credential, and a device configured to use Open System authentication has no basis at the 802.11 level for refusing authentication to another. Any real access control must therefore come from a higher layer, such as IEEE 802.1X.
Shared Key Authentication
Shared Key authentication is a system by which wireless devices authenticate each other using a secret key that both possess. The key is assumed to have been shared before authentication using a secure channel independent of 802.11 communications, to prevent it from being compromised during transmission. Shared Key authentication is not a particularly secure method, for two reasons. First, all the computers in the same BSS must possess the same key, so compromising the key on one system nullifies the authentication security for the entire BSS. Second, the exchange itself transmits a plaintext challenge and its WEP-encrypted form over the air; anyone capturing both can XOR them to recover the RC4 keystream for that initialization vector, and can then answer a later challenge correctly without ever learning the key.
Important
Shared Key authentication requires the use of the Wired Equivalent Privacy (WEP) algorithm. If WEP is not implemented, Shared Key authentication is not available.
During a Shared Key authentication, messages are exchanged between the requester and the responder as follows:
1. The system requesting authentication asserts its identity to the other system, using a message that contains a value that identifies the shared key (not the shared key itself) the system is using.
2. The system receiving the authentication request responds with a message containing the authentication result. If the authentication is successful, the response message includes a 128-byte block of challenge text generated by the WEP pseudorandom number generator.
3. The requester copies the challenge text from the response message to a new message and encrypts it with WEP, using the shared key as the encryption key.
4. The responder decrypts the message and compares the decrypted challenge text with the text it transmitted in step 2. If the values match, the responder grants the authentication.
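The exchange above, implemented as an added example that is not code from the training kit. It builds both sides of steps 2 through 4 on top of the WEP framing that the later "Encrypting Wireless Traffic" section describes (a 3-byte IV sent in the clear, RC4 keyed with IV plus shared key, and a CRC-32 integrity check value), and then shows why the exchange is weak: an eavesdropper who saw one challenge and its encrypted response recovers the keystream and answers a fresh challenge without the key. The challenge is drawn from os.urandom rather than the WEP PRNG, the IV is chosen at random, and the 40-bit key is constructed; all three are assumptions made for illustration.

```python
# Added example (not the training kit's code): Shared Key authentication with
# both sides implemented, plus the eavesdropper's keystream recovery. RC4 and
# the WEP framing (IV || RC4(IV||key)(data || CRC32)) follow the 802.11 text;
# os.urandom stands in for the WEP PRNG and the random IV is a simplification.
import os
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key; the IV travels in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not match."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


class Responder:
    """The access point side of Shared Key authentication (steps 2 and 4)."""
    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = os.urandom(128)  # 128 octets of challenge text
        return self.pending

    def verify(self, frame: bytes) -> bool:
        decrypted = wep_decrypt(self.key, frame)
        ok = decrypted is not None and decrypted == self.pending
        self.pending = None
        return ok


def requester_response(key: bytes, challenge: bytes, iv: bytes = None) -> bytes:
    """Step 3: the challenge text WEP-encrypted under the shared key."""
    return wep_encrypt(key, iv or os.urandom(3), challenge)


def authenticate(responder: Responder, key: bytes) -> bool:
    """Run steps 2 to 4 for a requester holding `key`."""
    return responder.verify(requester_response(key, responder.challenge()))


def forge_response(seen_challenge: bytes, seen_frame: bytes, new_challenge: bytes) -> bytes:
    """Eavesdropper: plaintext challenge XOR its ciphertext yields the 132-byte
    RC4 keystream for that IV; reusing the IV answers any later challenge
    without ever learning the shared key."""
    iv, ciphertext = seen_frame[:3], seen_frame[3:]
    keystream = xor(ciphertext, seen_challenge + icv(seen_challenge))
    return iv + xor(new_challenge + icv(new_challenge), keystream)
```

The forgery works because the responder never checks whether an IV has been used before, and RC4 output depends only on IV plus key; this is the same keystream-reuse property that undermines WEP data encryption, so turning on Shared Key authentication hands the attacker a known-plaintext sample for free.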
IEEE 802.1X Authentication
The IEEE 802.1X
standard, “Port Based Network Access Control,” defines a method of
authenticating and authorizing users connecting to an IEEE 802 LAN, and
blocking those users’ access to the LAN should the authentication fail.
IEEE 802.1X can authenticate users connecting to any type of LAN, such
as Ethernet or Token Ring, but in this case, it is particularly valuable
for IEEE 802.11 wireless LANs.
Most IEEE 802.1X implementations function as clients of a server running a Remote Authentication Dial-In User Service (RADIUS), such as the Internet Authentication Service (IAS) included with Windows Server 2003. The RADIUS server provides centralized authentication and authorization services for the entire network. For WLAN authentication, RADIUS typically uses one of the following two authentication protocols:
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)— EAP is an authentication framework that is designed to be adaptable so that it can carry a variety of authentication methods within a given packet format. TLS is an authentication method that transports its messages within EAP packets and provides mutual authentication, integrity-protected negotiation of the cipher suite, and key exchange between two systems using public key cryptography. Networks that use EAP-TLS typically have a public key infrastructure (PKI) in place and use certificates for authentication that are stored on the computer or on smart cards.
Protected EAP-Microsoft Challenge-Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2)— PEAP is a variation on EAP that is designed for use on wireless networks that do not have a PKI in place for client certificates; the RADIUS server still needs a certificate, which the client uses to authenticate the server and to build a TLS-protected channel. With PEAP, you can use a password-based authentication method, such as MS-CHAP v2, to securely authenticate wireless connections. Because PEAP creates this encrypted channel before the password-based authentication occurs, password-based exchanges such as those in MS-CHAP v2 are not exposed to offline dictionary attacks. (In an offline dictionary attack, the intruder captures a challenge and the response derived from the user's password, then tries candidate passwords from a dictionary against the captured pair at leisure, with no further contact with the network. The attack succeeds quickly when the password is weak.)
Important
To use PEAP-MS-CHAP v2 for wireless network authentication, the wireless client must be running either Windows Server 2003 or Windows XP with SP1 installed.
With this system in place, an access point
receiving a connection request from a wireless client forwards the
request to the RADIUS server, which uses information in a data store,
such as the Active Directory database, to determine whether the client
should be granted access to the network.
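The forwarding step just described, as an added example that is not code from the training kit or from IAS: the access point acts as RADIUS client, wraps the client's EAP-Response/Identity in an Access-Request, and opens the port only for a reply whose Response Authenticator and Message-Authenticator prove the replying server holds the shared secret. The packet layout, attribute numbers and authenticator computations are those of RFC 2865 and RFC 2869; the shared secret, the identity names, and the server's decision (a set lookup standing in for the Active Directory query, with no real EAP method run) are constructed assumptions for illustration.

```python
# Added example (not the training kit's code): an access point as RADIUS
# client for 802.1X, and a toy RADIUS server whose "directory" is a constructed
# set of identities. Deciding on EAP-Identity alone is a simplification.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_SUCCESS, EAP_FAILURE = 3, 4
ALLOWED_IDENTITIES = {b"alice@corp.example"}  # constructed stand-in for the directory


def attr(kind: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (includes the 2 header bytes), value."""
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs.append((kind, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, header_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Assemble a packet and fill in Message-Authenticator (RFC 2869): HMAC-MD5
    over the packet with that attribute zeroed and header_auth in the header.
    For a response, header_auth is the Request Authenticator it answers."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + header_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def message_authenticator_ok(pkt: bytes, secret: bytes, header_auth: bytes) -> bool:
    attrs = parse_attrs(pkt[20:])
    received = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if received is None:
        return False  # EAP over RADIUS requires the attribute (RFC 3579)
    zeroed = b"".join(attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    expected = hmac.new(secret, pkt[:4] + header_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()


def radius_server(secret: bytes, request: bytes):
    """Check the Access-Request and answer with Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    if code != ACCESS_REQUEST or length != len(request):
        return None
    if not message_authenticator_ok(request, secret, request_auth):
        return None  # silently discard, as RFC 2865 requires
    identity = dict(parse_attrs(request[20:])).get(USER_NAME)
    if identity in ALLOWED_IDENTITIES:
        code, eap = ACCESS_ACCEPT, struct.pack("!BBH", EAP_SUCCESS, 1, 4)
    else:
        code, eap = ACCESS_REJECT, struct.pack("!BBH", EAP_FAILURE, 1, 4)
    pkt = build_packet(code, ident, request_auth, [attr(EAP_MESSAGE, eap)], secret)
    return pkt[:4] + response_authenticator(pkt, request_auth, secret) + pkt[20:]


def access_point_decides(secret: bytes, identity: bytes, server) -> bool:
    """Forward the client's EAP-Response/Identity to `server`; open the
    controlled port only for an Accept that proves knowledge of the secret."""
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    request = build_packet(ACCESS_REQUEST, ident, request_auth,
                           [attr(USER_NAME, identity), attr(EAP_MESSAGE, eap_identity)], secret)
    reply = server(request)
    if reply is None or len(reply) < 20 or reply[1] != ident:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    if not hmac.compare_digest(response_authenticator(reply, request_auth, secret), reply[4:20]):
        return False  # reply was not produced by a holder of the shared secret
    if not message_authenticator_ok(reply, secret, request_auth):
        return False
    return reply[0] == ACCESS_ACCEPT


def forged_accept(request: bytes):
    """An attacker on the wired side answers Accept without the shared secret."""
    guess = b"not-the-secret"
    pkt = build_packet(ACCESS_ACCEPT, request[1], request[4:20], [], guess)
    return pkt[:4] + response_authenticator(pkt, request[4:20], guess) + pkt[20:]
```

The two authenticators are what makes the access point safe to trust: the Response Authenticator binds the reply to this request and to the secret, and the Message-Authenticator protects the EAP attributes in both directions. An access point that skipped either check would open its controlled port for any host on the wired LAN that could spoof the RADIUS server's address.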
Encrypting Wireless Traffic
To prevent data transmitted over a wireless
network from being compromised through unauthorized packet captures, the
IEEE 802.11 standard defines an encryption mechanism called Wired Equivalent Privacy (WEP).
WEP is an encryption system that uses the RC4 cryptographic algorithm
developed by RSA Security Inc. WEP depends on encryption keys that are
generated by a mechanism external to WEP itself. In cases where WEP is
used with IEEE 802.1X to create a comprehensive wireless security
solution for the Windows operating system, WEP uses the keys generated
by the EAP-TLS or PEAP-MS-CHAP v2 authentication protocol to encrypt the
data in the packets.
Off the Record
Microsoft recommends using the WEP and IEEE 802.1X combination as a suitable security configuration for wireless clients running the Windows operating system.
The degree of protection that WEP provides is governed by configurable parameters that control the length of the keys used to encrypt the data and the frequency with which the systems generate new keys. Longer and more frequently changed keys produce better security. Neither parameter removes WEP's structural weaknesses, however: the 24-bit initialization vector sent in the clear with each frame guarantees that keystreams repeat on a busy network, and published attacks on the RC4 key schedule recover a static WEP key from captured traffic alone. Dynamic per-session keys delivered through 802.1X, rekeyed frequently, are therefore the minimum a deployment should use.
Exam Tip
When preparing for the exam, be sure you are familiar with the security hazards inherent in wireless networking, and with the mechanisms that Windows operating systems can use to authenticate wireless clients and encrypt their traffic.