Security

When designing for secure wireless connectivity, use the following best practices:

  • Use one of the following combinations of encryption and authentication for secure wireless in an organization network:

    • Wired Equivalent Privacy (WEP) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

    • WEP and Protected EAP (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

    • Wi-Fi Protected Access (WPA)/Temporal Key Integrity Protocol (TKIP) and EAP-TLS

    • WPA/TKIP and PEAP-MS-CHAP v2

  • For the Small Office/Home Office (SOHO) wireless network without a Remote Authentication Dial-In User Service (RADIUS) server, the following combinations of encryption and authentication are recommended:

    • WEP with a static WEP key and open system authentication

    • WPA/TKIP and WPA with pre-shared key

  • For the strongest authentication configuration, wireless clients should have HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode set to 1. This setting enforces the use of a user certificate and user authentication after the user has successfully logged on. Computers running Windows XP (SP1 and later) and Windows Server 2003 have AuthMode set to 1 by default. Computers running Windows XP (prior to SP1) have AuthMode set to 0 by default.

  • To prevent rogue wireless access points (APs) from being attached to your wired network, use Ethernet switches that support 802.1X authentication for network ports that are accessible to users.

  • If you are using EAP-TLS authentication, do not also use PEAP-TLS. Allowing both protected and unprotected authentication traffic for the same type of network connection renders the protected authentication traffic susceptible to spoofing attacks.
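The AuthMode item above can be checked across a set of clients from collected registry output. The following is an added example, not code from the book: it parses text captured with `reg query "HKLM\Software\Microsoft\EAPOL\Parameters\General\Global" /v AuthMode` and flags hosts that are not at the recommended value. The host names, OS labels and sample outputs are constructed, and treating an absent value as the default stated above is an assumption.

```python
# Added example: audit AuthMode from collected `reg query` output.
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global"
RECOMMENDED = 1  # value the text recommends

# Defaults as stated in the text; the OS labels are hypothetical inventory tags.
STATED_DEFAULTS = {"xp-pre-sp1": 0, "xp-sp1-or-later": 1, "server-2003": 1}


def parse_authmode(reg_output):
    """Return AuthMode as an int, or None if the value is not in the output."""
    for line in reg_output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].lower() == "authmode":
            if fields[1] != "REG_DWORD":
                raise ValueError(f"unexpected type {fields[1]} for AuthMode")
            return int(fields[2], 16)  # reg.exe prints DWORDs as 0x...
    return None


def audit(host, os_label, reg_output):
    """Classify one host as OK, REVIEW or UNKNOWN."""
    value, source = parse_authmode(reg_output), "registry"
    if value is None:
        # Assumption: an absent value means the OS default the text states.
        value, source = STATED_DEFAULTS.get(os_label), "stated default"
    if value is None:
        status = "UNKNOWN"
    elif value == RECOMMENDED:
        status = "OK"
    else:
        status = "REVIEW"
    return {"host": host, "authmode": value, "source": source, "status": status}


# Constructed sample data: (host, OS label, captured `reg query` text).
SAMPLES = [
    ("ws-01", "xp-sp1-or-later", f"\n{KEY}\n    AuthMode    REG_DWORD    0x1\n"),
    ("ws-02", "xp-sp1-or-later", f"\n{KEY}\n    AuthMode\tREG_DWORD\t0x0\n"),
    ("ws-03", "xp-pre-sp1", "ERROR: The system was unable to find the specified registry key or value.\n"),
    ("ws-04", "unlabelled", ""),
]

if __name__ == "__main__":
    for host, os_label, text in SAMPLES:
        print(audit(host, os_label, text))
```

Hosts reported as REVIEW have AuthMode at a value other than 1; hosts reported as UNKNOWN returned no value and carry no OS label to infer a default from.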



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
EAN: 2147483647
Year: 2000
Pages: 123
Authors: Joseph Davies
