
Windows 2003 and 802.1x Secure Wireless Deployments


merrill

Presentation Transcript


  1. Windows 2003 and 802.1x Secure Wireless Deployments

  2. Challenge of Wireless
     • Impressions that wireless is insecure
     • Early implementations lacked security
     • WEP shared secret, MAC address filtering
     • Difficult to administer and manage
     • Need to protect network integrity
     • Need to secure data
     • Prevent unauthorized network access
     • Must be able to trust an access point
     • Prevent credential theft
     • Security without excess complexity

  3. Secure Wireless with Windows 2003
     All connections are authenticated and secured:
     • Directory Enabled Networking
     • Secure 802.1x Wireless Support
     • Effortless PKI Services
     • Password or certificate-based access
     [Diagram labels: Wireless; Active Directory; IAS RADIUS; Checks for valid X.509 Certificate; Via RADIUS to AD; PKI; PEAP; EAP/TLS]
     • PKI Deployment Optional
     • Passwords can be used w/ Trusted 3rd party Cert.
     • Integrated 802.1x Support
     • PKI integrated with Active Directory
     • Auto enrollment of certificates
     • Integrated 802.1x Support
     • Integrated EAP Security

  4. Why use 802.1X?
     • Eases manageability by centralizing
         • Authentication decisions
         • Authorization decisions
     • Distributes keys for data encryption and integrity to the wireless client computer
     • Minimizes Access Point cost by moving expensive authentication to AD
     • Supports both WPA and WEP

  5. Why PEAP vs. EAP/TLS?
     • Organizations may not be ready for PKI
     • Managing user certificates stored on computer hard drives has challenges
     • Some personnel might roam among computers
     • Smartcards solve this
     • Technical and sociological issues can delay or prevent deployment
     • PEAP enables secure wireless now
     • Leverages existing domain credentials
     • Allows easy migration to certificates and smartcards later

  6. PEAP Security and Ease of Deployment Advantages
     • PEAP is an open standard.
     • PEAP offers end-to-end negotiation protection.
     • PEAP uses mutual authentication.
     • PEAP offers highly secure keys for data encryption.
     • PEAP does not require the deployment of a full PKI or client certificates.
     • PEAP can be used efficiently with roaming wireless devices.
     • User's credentials are not exposed to brute force password attacks.

  7. Windows 2003 Wireless
     • Security
     • Native support for IEEE 802.1X
     • Complete with all required infrastructure
     • IAS: RADIUS Server and Proxy
     • Windows Certificate Server: PKI
     • AD: User and Computer account and Certificate repository
     • Same infrastructure used w/ RAS dial-up and VPN authentication
     • Native interop. w/ Windows XP Client: (WinXP SP-1)
     • Down-level client support (PPC2002, W2K, NT4, 9x)

  8. Windows 2003 Improvements
     • Windows 2003 Active Directory
     • Auto Certificate enrollment and renewal for machines and users
     • Performance enhancements when using certificate deployment
     • Group Policy support of Wireless settings
     • Internet Authentication Service
     • Enhanced logging
     • Allows easier deployment of multiple authentication types
     • Scaling up
     • Load Balancing
     • RADIUS Proxy
     • Configuration export and restore
     • Registering APs with RADIUS servers
     • Large number of APs in wireless deployment
     • Requires Server 2003 Enterprise Edition

  9. System Requirements
     • Client: Windows XP service pack 1
     • Server: Windows Server 2003 IAS
     • Internet Authentication Service, our RADIUS server
     • Certificate on IAS computer
     • Backporting to Windows 2000
     • Client and IAS must have SP3
     • No zero-config support in the client
     • See KB article 313664
     • Supports only TLS and MS-CHAPv2
     • Future EAP methods in XP and 2003 might not be backported

  10. 802.1x Setup
     • Build Windows Server 2003 IAS server
     • Join to domain
     • Enroll computer certificate
     • Register IAS in Active Directory
     • Configure RADIUS logging
     • Add AP as RADIUS client
     • Configure AP for RADIUS and 802.1x
     • Create wireless client access policy
     • Configure clients
     • Don't forget to import CA root
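
The "Add AP as RADIUS client" step pairs the access point and the RADIUS server with a shared secret, and RFC 3579 requires every EAP-carrying Access-Request to include a Message-Authenticator attribute (HMAC-MD5 over the packet, keyed with that secret). The following is an added example, not part of the original slides and not IAS code, sketching that server-side check; the function names and all sample values are constructed for illustration, and the sketch requires the RADIUS length field to match the packet exactly.

```python
import hashlib
import hmac
import struct

# Added illustration of the RFC 2865/3579 wire format; names and values are constructed.
ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, request_auth, user, eap):
    """Build an Access-Request the way an AP (the RADIUS client) would."""
    body = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    packet = bytearray(header + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_access_request(secret, packet):
    """Server-side check: True only if the packet was signed with `secret`."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or received is not None:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if pos != length or received is None:
        return False  # EAP requests must carry the attribute
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def demo():
    """Constructed sample: the registered AP's packet verifies, another secret does not."""
    secret = b"constructed-shared-secret"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP-Response/Identity
    pkt = build_access_request(secret, 7, bytes(range(16)), b"alice", eap_identity)
    return verify_access_request(secret, pkt), verify_access_request(b"other-secret", pkt)
```

A request from a device that was never registered, or one altered in transit, fails this check because it cannot produce the HMAC without the secret configured for that RADIUS client.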
