Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications." Click for the complete book excerpt series or purchase the book.
Secure Wireless Access
Wireless access points (WAPs, or sometimes simply APs) should be considered the equivalent of remote access servers when a policy for their use is designed. While many steps can be taken to make wireless networks more secure without these advanced techniques, these techniques can markedly improve wireless security. A general discussion of hardening the normal wireless network is described in Hardening Network Infrastructure by Wes Noonan (McGraw-Hill/Osborne, 2004), a companion book in this series.
Figure 11-5. Insist on the use of the Message Authenticator Attribute.
The measures described in the sections that follow should be used to secure wireless access using Windows RRAS.
Require APs to Be Sanctioned by IT
A wireless security policy should dictate that APs are to be implemented only by IT and should specify enforcement consequences for setting up a rogue AP. Rogue APs should be disabled, and where security policy dictates, the employee who installs them should be terminated.
Require WPA and/or 802.1x Authentication
The initial wireless APs did not provide for real authentication. Instead, the network identification of the network is typically all that is required. The identification, or SSID, can easily be discovered and provides no security at all. An alternative to this "open system" authentication mode, a shared key can be provided to clients and required for connection. To provide real authentication, and to resolve other security protocol issues, the new Wi-Fi Protected Access (WPA) standard, based on the upcoming 802.11i standard, is available. Unfortunately, device and software modifications are required to use WPA. You can implement 802.1x authentication, Protected EAP (PEAP) authentication, Temporal Key Integrity (TKIP) for key exchange methodologies, and Michael for integrity, all of which are parts of the standard, using IAS. You must add an upgrade to Windows XP Professional in order to use the new protocols. Windows 2000 IAS will also require an upgrade. You can find 802.1x client software for Windows 2000 and, with a support agreement, for Windows 98, Windows ME, and Windows NT 4.0.
When 802.1x authentication is added, a client requests a connection to the wireless access point, which acts as a RADIUS client. IAS can use Active Directory or its own account database for authentication and remote access policies to allow, deny, and restrict connections. Encryption keys can be automatically issued to authorized clients and changed frequently without client intervention.
To configure 802.1x authentication on IAS:
1. Establish the wireless access point as a RADIUS client in the IAS interface.
2. Configure the wireless AP according to its manufacturer's instructions.
3. Create a Remote Access Policy for wireless clients.
4. Use the Wireless-Other or Wireless 802.11 NAS-Port type Policy condition.
5. Select the Wireless-Other or Wireless 802.11 media in the Allow Access Only Through These Media portion of the Dial-in Constraints.
6. Edit the Remote Access profile, and on the Advanced page click Add, select Termination-Action, as shown here, and then click Add.
7. On the Enumerate Attribute Information dialog, change the Attribute Value to RADIUS-Request as shown in the following illustration. Then click OK. This prevents disconnection when XP clients re-authenticate.
8. Create a Connection Request Policy. Remote Access Policies restrict and manage connections from clients. Connection Request Policies manage RADIUS client. Use the policy to restrict wireless AP to time of day, days of week. Connection Request Policies are created by right-clicking the Connection Request Policies node in IAS. The policy is similar to a Remote Access Policy.
Configure 802.1x client authentication using Group Policy:
1. Open the GPO for editing and right-click Computer Configuration. Then choose Windows Settings | Security Settings | Wireless Network (IEEE 802.11) Policies.
2. Select Create Wireless Network Policy, and then click Next.
3. On the General tab, in the Networks to Access, select Access Point (Infrastructure) Networks only. This will prevent connections to ad hoc networks, or to client-toclient wireless networks.
4. Select Use Windows to Configure Wireless Networks Settings for Clients. This sets a preference for Windows configuration over a third-party wireless connection that may be installed on the client computer.
5. Leave cleared: Automatically Connect to Non-Preferred Networks, as shown in the following illustration. (You do not want clients to connect to unknown and unapproved networks without user knowledge.)
6. Select the Preferred Networks tab and select Add to define and configure 802.1xconfiguration. Restricting accessible networks protects clients from inadvertent connections to rogue networks.
7. Enter the SSID of the network.
8. Select the IEEE 802.1x tab.
9. Select and configure the EAP type. Choices are Smart Card or Other Certificate, or Protected EAP (PEAP).
10. Click the Settings button.
11. Select the trusted root certificate for the server in the Trusted Root Certification Authority box.
12. Select the authentication method in the Select Authentication drop-down box. In this example, as shown in the following illustration, Secured Password (EAP-MSCHAP v2) is selected. This method encrypts the authentication credentials, thus protecting them from a network-based attack. By default, Windows credentials of the logged-on user are used; however, the Configure button can be used to prevent that, and a dialog for entering a different user ID and password is provided.
13. Click OK to return and review settings as shown here:
A VPN can be established with the remote access server placed on the network between the AP and the network. Clients connect to the AP in the normal manner, but access to the rest of the network must be established through a VPN connection. This provides authentication, authorization, and confidentiality between the wireless client and the rest of the network.
Click for the next excerpt in this series: Protect Web Communications with SSL.