Designing for a Secure Wireless Network




Wireless network technology is very beneficial in allowing employees to work from a number of different locations. People use cell phones to check their voicemail from their car or use a device like a Blackberry to check their e-mail on the golf course. Wireless technology allows people to connect notebooks and other portable devices to a network without the need to find a physical network port. In fact, we are taking advantage of the wireless technology as we work on this book at various locations to aid in research. But with all of these benefits, wireless technology poses a greater security risk to the data that is transferred because the information is broadcast to anyone within range of the signal.

Wireless networks are everywhere. The mobile phone networks, pager networks, and infrared devices all use wireless networking. But the common wireless network in business nowadays is known as wi-fi, which stands for wireless fidelity. There are three major wireless standards for wireless networking defined as wi-fi by the Institute of Electrical and Electronics Engineers (IEEE):

802.11a 802.11a can transmit data at speeds as fast as 54Mbps but at a shorter range than the other, more popular standards. It also uses a different part of the electromagnetic spectrum and so is not compatible with either 802.11b or 802.11g. Its short range and 12 non-overlapping channels mean that it is a specification more appropriate for densely populated areas.

802.11b 802.11b is currently the most popular specification for wireless networking. It supports speeds up to 11Mbps over a longer range than 802.11a. Devices that support 802.11b tend to be less expensive, hence the popularity.

802.11g 802.11g supports speeds up to 54Mbps and is compatible with 802.11b because they both use the same part of the radio spectrum. It does have a shorter range than 802.11b when running at the full 54Mbps speed.

The 802.11 standards support two methods or modes of communication: ad hoc mode and infrastructure mode. Ad hoc mode is a peer-to-peer communication mode in which clients communicate directly with each other. Clients can be configured to allow incoming connections and support ad hoc mode. With infrastructure mode, the clients connect to an access point, a wireless device that acts as a bridge between the wireless and wired networks. Securing a wireless network is simple in principle, but managing the configuration can be a problem.

Security Options in the 802.11 Standard

People search for unsecured wireless access points through a process called “war driving,” which consists of using a notebook computer or a PDA with a wireless network card and a utility like NetStumbler or MiniStumbler and driving around looking for unsecured access points. Once an access point is found, they publish this information on the Internet or leave marks that indicate an insecure wireless point. This means that anybody could be using your wireless access point to access the Internet or your network. They can also capture packets that you may be sending over the wireless network to reveal passwords or confidential information. There are three security mechanisms that you can implement to guard against unauthorized use of your access point and eavesdropping on your wireless traffic.

The first security mechanism that the 802.11 standards use is a Service Set Identifier (SSID), which is an identification that uniquely identifies a wireless network. The SSID is used as a means of limiting which clients can connect: only clients that have been configured with the same SSID as the access point (or as each other, in ad hoc mode) can connect. This is not very secure because most access points will broadcast the SSID to all the clients for ease of configuration. You can turn off this feature so that the access point runs in stealth mode, which means that the client would have to be configured with the correct SSID before it can connect.

You can also use MAC address filtering to control which MAC addresses can communicate with the access point. This would require you to set up MAC filtering to specify which clients you want to allow to connect. This can be a management headache if there are a large number of clients. Wireless packets can also be captured, revealing the MAC addresses that are allowed. An attacker can use MAC address spoofing to overcome this restriction.

The third security mechanism you can use in the wireless standard addresses security issues by using the Wireless Equivalent Privacy (WEP). WEP uses the RC4 symmetric-key cipher to authenticate clients and provide for the encryption of transmitted data. WEP uses a symmetric key, which means that the client and the access point require the same shared secret key. There is no standard for providing the shared secret key to the client, and it usually must be done manually, as shown in Figure 3.10. The administrator will also have to rotate the keys on a regular basis to guard against unauthorized use, and as you can imagine, this will be a tedious process.

Figure 3.10: Configuring WEP keys in Windows Server 2003

Beyond the SSID, MAC filtering, and WEP keys, there is no additional form of authentication. Therefore, as you can see, the mechanisms provided by the 802.11 standards are insecure because you could figure out the SSID by capturing the broadcast wireless signal or by social engineering. The packets also travel through the air and are susceptible to being read, spoofed, or altered.

Designing for a Secure Wireless Network Using 802.1x

The 802.1x standard was developed to help administrators provide greater security to wireless networks (although it will work with wired networks as well). 802.1x uses EAP-TLS to authenticate the user and encrypt the connection between the client and the server. This authentication mechanism uses certificates on the client and server to provide for mutual authentication. This requires a PKI to be put in place to manage the creation, distribution, and revocation of certificates (see Chapter 6 for more information). It will also provide for encryption of each connection using TLS, which means that the keys for encryption can be negotiated per session. 802.1x also allows for many means of authenticating the client on the network, such as smart cards, SecurID, or passwords.

You can configure 802.1x through Group Policy Security Settings. You can use Group Policy Security Settings to manage many clients at once with Active Directory, which will solve some of the management problems with 802.11. You can get to the Group Policy Security Settings for 802.1x by following these steps:

  1. Open the Security Settings section of Group Policy by navigating to the Domain Security Policy MMC. To do so, choose Start > All Programs > Administrative Tools > Domain Security Policy, to reveal the screen shown in Figure 3.11.

    Figure 3.11: The wireless network policy settings container

    You can use the Wireless Network (IEEE 802.11) Policies node to configure 802.11 and 802.1x configuration settings.

  2. Right-click on the Wireless Network (IEEE 802.11) Policies node and choose Create Wireless Network Policy from the context menu to configure a wireless policy.

  3. This will launch a Wireless Network Policy Wizard that will ask you to enter the name of the wireless policy and then ask if you would like to edit the wireless policy. Give the policy a useful name and then click Next.

  4. Click the Finish button to end the Wireless Network Policy Wizard and reveal the Wireless Network Policy Properties dialog box.

You can enable the client computer to use 802.1x without using Group Policy by following these steps:

  1. Select Start > Settings > Control Panel > Network Connections.

  2. Right-click your wireless network connection and choose Properties from the context menu.

  3. In the wireless connection’s Properties dialog box, click the Wireless Networks tab to reveal the property page for configuring wireless networks for the client, as shown in Figure 3.12.

    Figure 3.12: The Wireless Networks tab on the wireless network’s Properties dialog box

  4. Choose the wireless network configuration in the Preferred Networks list box and click the Properties button.

  5. In the preferred network’s Properties dialog box, click the Authentication tab.

  6. Click the Enable IEEE 802.1x Authentication For This Network check box, as shown in Figure 3.13, to enable 802.1x for this client.

Figure 3.13: Enabling 802.1x on a client

Using Protected Extensible Authentication Protocol to Secure

For those who don’t have an extensive public key infrastructure, you can use a protocol called Protected Extensible Authentication Protocol (PEAP). This protocol is not as strong as the client certificates (on smart cards or in some other form) that EAP-TLS requires. PEAP allows the client to use a password to authenticate the user on the wireless network. This makes it easier to set up 802.1x, but at the cost of degrading security. Remember, however, that you are always weighing the cost of a solution against the loss that would be incurred if security were breached. PEAP would need to be enabled on the client and the server to support this form of authentication for the network. You would use the EAP Type drop-down box on the Authentication tab in the preferred wireless network Properties dialog box to enable PEAP on the client side, as shown in Figure 3.14.

Figure 3.14: Enabling PEAP for 802.1x authentication

On the server you would need to navigate to the Wireless Network (IEEE 802.11) Policies node, open the Properties dialog box for the policy on which you would like to enable PEAP, and then click the IEEE 802.1x tab to find the EAP Type drop-down box.

The following steps describe how to get to this property page:

  1. Open the Security Settings section of Group Policy.

  2. Right-click the New Wireless Network Policy node in the right-hand pane and choose Properties from the context menu to configure a wireless policy.

  3. In the New Wireless Network Policy Properties dialog box, click the Preferred Networks tab.

  4. Click the Add button to reveal the New Preferred Setting Properties.

  5. Click the IEEE 802.1x tab to reveal the EAP type setting.

  6. In the IEEE 802.1x Properties dialog box page, select Protected EAP (PEAP) from the EAP type drop-down box, as shown in Figure 3.15.

Figure 3.15: Enabling PEAP on Windows Server 2003

Regardless of whether you choose to use certificates or PEAP to authenticate with the wireless access point, 802.1x uses RADIUS to authenticate the requests to connect to an access point. The access point acts as a RADIUS client that forwards all requests to connect to the RADIUS server, which in Windows Server 2003’s case is called Internet Authentication Service (IAS). The RADIUS server checks whether the client has been allowed access to the wireless access point, which ensures that the client is authenticated before gaining access to the network and can prevent unauthorized access points. RADIUS also provides extensive auditing and accounting that can be used to maintain security. These logs can be reviewed to verify the usage patterns of accounts and to recognize whether there has been a security violation.
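The exchange described above, as an added example that is not part of the study guide and is not IAS’s own code: a Python sketch of the RADIUS Access-Request that an access point (the RADIUS client) sends on behalf of an 802.1x client, and the Access-Accept or Access-Reject the RADIUS server returns. Packet framing follows RFC 2865 and the Message-Authenticator attribute follows RFC 2869; the shared secret, user name, NAS address and EAP identity are constructed sample values. A real EAP-TLS or PEAP conversation runs through several Access-Challenge round trips before the final answer; this sketch shows only the first request and the final answer, so that the two integrity checks are visible: the server discards requests whose Message-Authenticator does not verify, and the access point discards responses whose Response Authenticator was not computed with the shared secret.

```python
"""Added example, not from the study guide or from IAS: a minimal RADIUS
Access-Request / Access-Accept exchange between an 802.1x access point
(the RADIUS client) and a RADIUS server.  Packet framing follows RFC 2865;
Message-Authenticator follows RFC 2869.  The shared secret, user name,
NAS address and EAP identity are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte length that includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def build_access_request(secret, ident, username, nas_ip, eap_identity):
    """Access point side.  The client's EAP Response/Identity is carried in an
    EAP-Message attribute, and the packet is keyed with HMAC-MD5 computed over the
    packet with the Message-Authenticator value set to 16 zero bytes (RFC 2869)."""
    request_auth = os.urandom(16)                      # fresh random value per request
    eap = struct.pack("!BBH", 2, ident, 5 + len(eap_identity)) + b"\x01" + eap_identity
    attrs = [
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (EAP_MESSAGE, eap),
        (MESSAGE_AUTHENTICATOR, bytes(16)),
    ]
    unsigned = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (MESSAGE_AUTHENTICATOR, hmac.new(secret, unsigned, hashlib.md5).digest())
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def verify_message_authenticator(secret, pkt):
    """Server side.  Recompute the HMAC with the attribute value zeroed again."""
    code, ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        return False
    received, zeroed = None, []
    for t, v in decode_attrs(pkt[20:length]):
        if t == MESSAGE_AUTHENTICATOR:
            received = v
            v = bytes(16)
        zeroed.append((t, v))
    if received is None:                               # mandatory whenever EAP-Message is present
        return False
    expected = hmac.new(secret, build_packet(code, ident, pkt[4:20], zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(secret, code, request_pkt, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    header = HEADER.pack(code, request_pkt[1], 20 + len(body))
    return header + hashlib.md5(header + request_pkt[4:20] + body + secret).digest() + body


def server_handle(secret, request_pkt, allowed_users):
    """Silently discard requests that do not verify (RFC 2869); answer the rest."""
    if not verify_message_authenticator(secret, request_pkt):
        return None
    user = dict(decode_attrs(request_pkt[20:])).get(USER_NAME, b"").decode(errors="replace")
    code = ACCESS_ACCEPT if user in allowed_users else ACCESS_REJECT
    return build_response(secret, code, request_pkt)


def verify_response(secret, response_pkt, request_auth):
    """Access point side: a response built without the shared secret fails this check."""
    header, resp_auth, body = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def demo():
    """Returns (genuine Accept verified?, Accept forged with the wrong secret verified?)."""
    secret = b"constructed-shared-secret"
    req, req_auth = build_access_request(secret, 7, "alice", "192.0.2.10", b"alice")
    resp = server_handle(secret, req, {"alice"})
    genuine_ok = verify_response(secret, resp, req_auth) and resp[0] == ACCESS_ACCEPT
    forged = build_response(b"wrong-secret", ACCESS_ACCEPT, req)   # no access to the real secret
    return genuine_ok, verify_response(secret, forged, req_auth)


if __name__ == "__main__":
    print("genuine accept verified, forged accept verified:", demo())
```

Both checks hang entirely on the shared secret configured on the access point and in IAS, so that secret deserves the same care as a WEP key: long and random, unique per access point, and changed when someone who knew it leaves. The Message-Authenticator also protects the EAP payload in transit between the access point and the server, which matters because that leg is ordinarily plain UDP on the wired network.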

Designing for an Open Access Point

Using the 802.1x standard, you can create a secure private wireless network that provides for data encryption and integrity, but there are many times when you would want to provide open access to the Internet for clients, consultants, or the general public. This should be on a network that is shielded from your internal network by a firewall. You should also control the types of traffic that can be passed to the Internet on the open wireless access point by using a router, firewall, or an intrusion detection system to prevent abuse of the public system. In addition, you will need to make it clear to those using the open access point that their traffic is not secure and they use it at their own risk. Figure 3.16 shows how you would lay out a wireless network with an open access point.

Figure 3.16: Network layout with an open access point

Identifying Wireless Network Vulnerabilities

Wireless networks by their very nature are vulnerable, so you should pay close attention to designing a secure network. The following list includes some of the vulnerabilities you need to consider:

  • WEP keys must be manually configured in many devices and there is no standard to manage them. You usually have to set them up on the client manually.

  • Packet checksums, which are the result of a mathematical calculation on the packet that is added to a packet to verify the integrity of the packet, are not encrypted, so an attacker could manipulate the packets in transit.

  • The destination or source of a packet can be changed.

  • Shared key authentication is all that is available without 802.1x.

  • There is no user or machine authentication option with 802.11 protocols, so you only need to know the SSID to connect (if WEP is not enabled).

  • Many access points have a well-known default setting. For example, a LinkSys wireless access point’s default SSID is LINKSYS. An attacker will guess the defaults on popular devices first to determine if they can gain access.

The following list includes the main threats to a wireless infrastructure:

  • Attackers can eavesdrop on wireless packets because they are broadcast. You are broadcasting more or less to the world if you don’t use encryption.

  • Employees or attackers can add unauthorized access points to a network to provide access to it. These access points normally will not be secure, opening up a vulnerability on your network.

  • DoS attacks can be launched by broadcasting a stronger signal, jamming the air with noise, redirecting packets, or disconnecting clients.

  • Attackers can figure out your SSID or valid MAC addresses by intercepting wireless packets even if you disable SSID broadcasting or enable MAC filtering.

Guarding Against Wireless Vulnerabilities on Windows Server 2003

You can secure wireless communications on a Windows Server 2003 network by implementing the following:

  • Use the strongest security you possibly can. Try using 802.1x if your hardware is compatible. If it is not compatible with your company’s existing equipment and your company cannot afford to upgrade, use IPSec to maximize your protection against eavesdropping and manipulation of packets. At a minimum, use WEP for some protection.

  • Don’t use the default SSID of an access point and disable SSID broadcasting on the access point. This will prevent attackers from discovering the SSID by simply coming within range of the access point or guessing the SSID from a known list of default SSIDs for the access point. They can still read it from the packets, but you are increasing the difficulty of accessing the network.

  • You should adjust the range of the access point if possible. The access point should cover only the area necessary; otherwise, running at full power, it might cover the street below, additional floors in the building, or even the next building. You usually have to adjust the range through SNMP commands sent to the access point. You will need to use site surveys to verify the coverage of your access points. A site survey is similar to what we described as war driving earlier, only it’s obviously done for security purposes. A site survey can be accomplished by using a program like NetStumbler, available at www.netstumbler.org.

  • You should also use site surveys from time to time to locate unauthorized access points on your network. Employees or even an attacker might sneak an access point onto the network. This access point will usually not be secure and will pose a threat to the network.

  • Use infrastructure mode to centralize the management of security on the access point. You can take advantage of 802.1x, centralized WEP keys, and SSID settings by disabling broadcasting of SSIDs.
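The site-survey and rogue-access-point checks in the list above, together with the default-SSID and SSID-interception points from the vulnerability lists, as an added example that is not from the study guide and does not parse real NetStumbler output: a Python audit that compares survey observations against an inventory of authorized access points. It flags radios that are not in the inventory, factory-default SSIDs, SSID broadcasting on authorized radios, unknown radios advertising your SSID, and authorized radios that are still strong at off-premises survey spots. Every survey record, MAC address and SSID below is constructed sample data, and the default-SSID list is an illustrative starter that you would extend with your own vendors’ defaults.

```python
"""Added example, not from the study guide and not NetStumbler output: audit a
site survey against an inventory of authorized access points.  All survey
records, MAC addresses and SSIDs are constructed sample data."""
from dataclasses import dataclass

# Illustrative starter list of factory-default SSIDs (the study guide names LINKSYS);
# extend it with the defaults of the access point vendors used at your site.
DEFAULT_SSIDS = {"linksys", "default", "tsunami"}


@dataclass(frozen=True)
class Observation:
    ssid: str          # "" when the access point does not broadcast its SSID
    bssid: str         # radio MAC address as the survey tool reports it
    channel: int
    signal_dbm: int    # stronger signal = value closer to 0
    location: str      # where the surveyor stood; "outside:" marks off-premises spots


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def audit(observations, authorized, default_ssids=DEFAULT_SSIDS, leak_threshold_dbm=-75):
    """Return sorted (bssid, category, message) findings, one per radio and category.

    authorized maps BSSID -> the SSID configured on that radio."""
    auth = {normalize_mac(b): ssid for b, ssid in authorized.items()}
    our_ssids = set(auth.values())
    findings = {}

    def flag(bssid, category, message):
        findings.setdefault((bssid, category), message)   # keep the first sighting only

    for o in observations:
        bssid = normalize_mac(o.bssid)
        if bssid not in auth:
            flag(bssid, "rogue", "unknown radio ssid=%r channel=%d %ddBm at %s; locate it "
                 "or add it to the inventory" % (o.ssid, o.channel, o.signal_dbm, o.location))
            if o.ssid.lower() in default_ssids:
                flag(bssid, "default-ssid",
                     "factory default SSID %r: probably an unconfigured access point" % o.ssid)
            if o.ssid in our_ssids:
                flag(bssid, "impersonation",
                     "unknown radio advertises our SSID %r; clients may associate with it" % o.ssid)
            continue
        expected_ssid = auth[bssid]
        if o.ssid:
            flag(bssid, "ssid-broadcast",
                 "authorized radio broadcasts SSID %r; disable SSID broadcast" % o.ssid)
            if o.ssid != expected_ssid:
                flag(bssid, "ssid-mismatch", "radio inventoried as %r is advertising %r; "
                     "verify its configuration" % (expected_ssid, o.ssid))
        if o.location.startswith("outside:") and o.signal_dbm > leak_threshold_dbm:
            flag(bssid, "coverage-leak", "%ddBm at %s is above the %ddBm limit; reduce transmit "
                 "power or move the antenna" % (o.signal_dbm, o.location, leak_threshold_dbm))
    return sorted((b, c, m) for (b, c), m in findings.items())


# Constructed survey records and inventory (not real devices).
SURVEY = [
    Observation("", "00:11:22:AA:BB:01", 1, -45, "boardroom A"),              # hidden, in place
    Observation("corp-boardroom", "00:11:22:aa:bb:02", 6, -50, "boardroom B"),  # still broadcasting
    Observation("", "00:11:22:aa:bb:02", 6, -62, "outside: parking lot"),     # heard off premises
    Observation("LINKSYS", "00:0c:41:de:ad:01", 11, -55, "4th floor, east wing"),
    Observation("corp-boardroom", "00:aa:bb:cc:dd:ee", 1, -70, "lobby"),
]
AUTHORIZED = {
    "00:11:22:aa:bb:01": "corp-boardroom",
    "00:11:22:aa:bb:02": "corp-boardroom",
}

if __name__ == "__main__":
    for bssid, category, message in audit(SURVEY, AUTHORIZED):
        print("%-17s %-15s %s" % (bssid, category, message))
```

A “rogue” finding is only a lead: it may be a neighbour’s access point, so the follow-up is to walk the signal down with the survey tool and, if the radio is on your wired network, pull it. The “impersonation” category is the one to treat as urgent, because an unknown radio advertising your SSID is exactly what 802.1x mutual authentication is meant to stop clients from trusting, and it should be checked against the IAS logs for association attempts from that area.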

In the next Design Scenario, you will design a wireless security strategy.

Design Scenario: Designing Wireless Security


You need to set up a wireless network for boardrooms in your company. There will be many types of presentations and other data transferred across this network. You have determined that it must be secure because some of the information passing over the network would be sensitive in nature.

  1. Question: What would you do to secure these access points? Answer: First, you need to purchase access points that support 802.1x. You should install Internet Authentication Service (IAS) (Windows RADIUS server) and configure the wireless access point to act as a RADIUS client to the IAS server. Next, set up a public key infrastructure to enable certificates on the client and server, and then enable EAP-TLS for authentication and encryption of packets on the network. Disable SSID broadcasting and change the default SSID on the access points, and configure the clients with these SSIDs through Active Directory Group Policy. Finally, enable access to the wireless network through Active Directory Group Policy.







MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
