Title: Lecture 6: Implementing Security for Wireless Networks with 2003
1. Lecture 6: Implementing Security for Wireless Networks with 2003
2. Objectives
- Overview of Active Directory
- Overview of Certificate Services
- How 802.1X with PEAP and Passwords Works
- How 802.1X-EAP-TLS Authentication Works
- Remote Access policies
3. What Is Active Directory?
Directory service functionality: centralized management
- Single point of administration
- Full user access to directory resources by a single logon
[Diagram: the directory service providing centralized management of network resources]
4. Active Directory Objects
- Objects represent network resources
- Attributes store information about an object
5. Active Directory Logical Structure
- Domains
- Organizational Units
- Trees and Forests
- Global Catalog
6. Domains
- A domain is a security boundary
  - A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
- A domain is a unit of replication
  - Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Diagram: a Windows 2000 domain with replication between its domain controllers, containing users User1 and User2]
7. Organizational Units
[Diagram: an organizational structure (Vancouver, Sales, Repair) mapped onto a network administrative model of OUs (Sales, Users, Computers)]
- Use OUs to group objects into a logical hierarchy that best suits the needs of your organization
- Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups
8. Trees and Forests
9. Global Catalog
- Resolves queries
- Resolves group membership when a user logs on
10. Domain Controllers
- Domain controllers
  - Participate in Active Directory replication
  - Perform single-master operations roles in a domain
[Diagram: each domain controller holds a writeable copy of the Active Directory database]
11. Delegating Administrative Control
- Assign permissions
  - For specific OUs to other administrators
  - To modify specific attributes of an object in a single OU
  - To perform the same task in all OUs
- Customize administrative tools to
  - Map to delegated administrative tasks
  - Simplify interface design
12. What Is a PKI?
The combination of software and encryption technologies that helps to secure communication and business transactions.

Requirement      PKI solution
Confidentiality  Data encryption
Integrity        Digital signatures
Authenticity     Hash algorithms, message digests, digital signatures
Nonrepudiation   Digital signatures, audit logs
Availability     Redundancy
13. Components of a PKI
14. What Is a Certification Authority?
15. Roles in a Certification Authority Hierarchy
- A root CA is generally configured as a stand-alone CA and kept offline
16. Certification Authority Hierarchies
Type of hierarchy: Root
- Enhances security and scalability
- Provides flexible administration
- Supports commercial CAs
- Supports most applications
Type of hierarchy: Cross certification
- Provides interoperability between businesses and between products
- Joins disparate PKI organizations
- Assumes complete trust of a foreign CA hierarchy
17. Offline Root CA Installation Settings
18. Wireless Network Authentication Options for WPA
Wireless network authentication options include:
- Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords (802.1X with PEAP)
- Wireless network security using Certificate Services (802.1X with EAP-TLS)
- Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
19. Guidelines for Choosing the Appropriate Wireless Network Solution

Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
  Typical environment: Small Office/Home Office (SOHO)
  Additional infrastructure components required: None
  Certificates used for client authentication: No
  Passwords used for client authentication: Yes (uses the WPA pre-shared key to authenticate to the network)
  Typical data-encryption method: WPA

Password-based wireless network security
  Typical environment: Small to medium organization
  Additional infrastructure components required: Internet Authentication Service (IAS); a certificate is required for the IAS server
  Certificates used for client authentication: No (however, a certificate is issued to validate the IAS server)
  Passwords used for client authentication: Yes
  Typical data-encryption method: WPA or dynamic WEP

Certificate-based wireless network security
  Typical environment: Medium to large organization
  Additional infrastructure components required: Internet Authentication Service (IAS), Certificate Services
  Certificates used for client authentication: Yes
  Passwords used for client authentication: No (certificates are used, but the solution may be modified to require passwords)
  Typical data-encryption method: WPA or dynamic WEP
20. How 802.1X with PEAP and Passwords Works
[Diagram: wireless client, wireless access point, RADIUS (IAS) server and internal network, with these labelled steps:]
1. Client connect
2. Client authentication, server authentication, mutual key determination
3. Key distribution
4. WLAN encryption
5. Authorization (access to the internal network)
21. How 802.1X-EAP-TLS Authentication Works
[Diagram: wireless client, certification authority, wireless access point, RADIUS (IAS) server and internal network, with these labelled steps (order as recovered from the slide):]
1. Certificate enrollment (client with the certification authority)
2. Client authentication, server authentication
3. Mutual key determination
4. Key distribution
5. WLAN encryption
6. Authorization (access to the internal network)
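The two diagrams above show the 802.1X exchange at the level of participants and steps. The following is an added example, not part of the lecture or of Microsoft's 802.1X client or IAS: it decodes the EAPOL/EAP frames that carry steps 1 and 2 between the wireless client and the access point and reports which EAP method (PEAP or EAP-TLS) the client accepted and whether the exchange ended in EAP Success. The frame layouts are the standard EAPOL (IEEE 802.1X) and EAP (RFC 3748) headers; the sample exchanges, identities and TLS fragments are constructed for the example.

```python
"""Added example: decode an 802.1X (EAPOL/EAP) exchange and report the
negotiated EAP method. Illustrative code, not Microsoft's 802.1X client
or IAS; the frames below are constructed samples."""
import struct
from typing import Dict, List, Optional

# EAPOL packet types (IEEE 802.1X header: version, type, body length).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP codes (RFC 3748 header: code, identifier, length).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types used in the lecture; 3 is Nak (client refuses the offered method).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encode an EAP packet; Success/Failure carry no type byte."""
    body = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(ptype: int, body: bytes = b"") -> bytes:
    """Wrap a body in an EAPOL header (protocol version 1)."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def parse_eap(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet size")
    rec: Dict[str, object] = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident}
    if code in (1, 2):  # Request/Response carry a method type byte
        if length < 5:
            raise ValueError("EAP Request/Response without type byte")
        rec["type"] = EAP_TYPES.get(pkt[4], f"type {pkt[4]}")
        rec["data"] = pkt[5:length]
    return rec


def parse_eapol(frame: bytes) -> Dict[str, object]:
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    rec: Dict[str, object] = {"version": version, "eapol": EAPOL_TYPES.get(ptype, f"type {ptype}")}
    if ptype == 0:
        rec.update(parse_eap(frame[4:4 + length]))
    return rec


def negotiated_method(frames: List[bytes]) -> Optional[str]:
    """The method the client accepted: the type of the first non-Identity Request
    answered with the same type (a Nak rejects the offer; the server may offer another)."""
    decoded = [parse_eapol(f) for f in frames]
    for i, rec in enumerate(decoded):
        if rec.get("code") != "Request" or rec.get("type") == "Identity":
            continue
        if i + 1 < len(decoded) and decoded[i + 1].get("code") == "Response":
            if decoded[i + 1].get("type") == rec["type"]:
                return str(rec["type"])
    return None


def outcome(frames: List[bytes]) -> str:
    """Success, Failure, or Incomplete, from the last EAP result code seen."""
    for rec in reversed([parse_eapol(f) for f in frames]):
        if rec.get("code") in ("Success", "Failure"):
            return str(rec["code"])
    return "Incomplete"


# Constructed exchange for 802.1X with PEAP (flags byte 0x20 marks the PEAP start).
PEAP_EXCHANGE = [
    build_eapol(1),                                            # client: EAPOL-Start
    build_eapol(0, build_eap(1, 1, 1)),                        # AP/IAS: Request/Identity
    build_eapol(0, build_eap(2, 1, 1, b"alice@example.com")),  # client: Response/Identity
    build_eapol(0, build_eap(1, 2, 25, b"\x20")),              # IAS: Request/PEAP start
    build_eapol(0, build_eap(2, 2, 25, b"\x80\x16\x03\x01")),  # client: Response/PEAP (TLS begins)
    build_eapol(0, build_eap(3, 3)),                           # IAS: Success after tunnelled password auth
    build_eapol(3, b"\x01\x00\x00\x00"),                       # AP: EAPOL-Key distributes the WLAN key
]

# Constructed exchange for 802.1X with EAP-TLS; the client Naks PEAP and asks for type 13.
EAPTLS_EXCHANGE = [
    build_eapol(0, build_eap(1, 1, 1)),
    build_eapol(0, build_eap(2, 1, 1, b"bob@example.com")),
    build_eapol(0, build_eap(1, 2, 25, b"\x20")),              # IAS offers PEAP
    build_eapol(0, build_eap(2, 2, 3, b"\x0d")),               # client: Nak, wants EAP-TLS
    build_eapol(0, build_eap(1, 3, 13, b"\x20")),              # IAS: Request/EAP-TLS start
    build_eapol(0, build_eap(2, 3, 13, b"\x80\x16\x03\x01")),  # client: Response/EAP-TLS
    build_eapol(0, build_eap(3, 4)),
]

if __name__ == "__main__":
    for name, frames in (("PEAP", PEAP_EXCHANGE), ("EAP-TLS", EAPTLS_EXCHANGE)):
        print(name, negotiated_method(frames), outcome(frames))
```

The parser refuses frames whose length fields disagree with the bytes present, which is the check a monitoring tool needs before trusting any field; the method detection keys off the Request/Response type pairing rather than the identity string, so a client that Naks the offered method is reported with the method it actually completed.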
22. Client, Server, and Hardware Requirements for Implementing 802.1X
Client computers
- Microsoft provides 802.1X clients for the Windows 95, Windows 98, Windows NT 4.0, and Windows 2000 operating systems
- 802.1X is supported by default for the Windows XP and Windows Server 2003 operating systems
RADIUS/IAS and certificate servers
- Dependent upon Windows Server 2003 Certificate Services and Windows Server 2003 IAS
- An IEEE-compliant 802.1X server can be used for RADIUS or Certificate Services
Wireless access points
- At a minimum, should support 802.1X and 128-bit WEP for encryption
23. PKI Requirements for Wireless Network Security
To prepare the PKI for wireless security:
- Define certificate requirements
- Design the certification authority hierarchy
- Configure certificates
- Create a certificate management plan
24. Considerations for Creating Certificate Templates
To create the certificates required for wireless security:
- Define certificate parameters
- Define certificate and key lifetimes
- Define certificate clients and the assurance level for each certificate holder
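Slides 23 and 24 ask for a CA hierarchy design, certificate and key lifetimes, and a management plan, but do not show how those choices constrain one another. The following is an added example, not part of the lecture or of Windows Server 2003 Certificate Services: a checker for a lifetime plan across a two-tier hierarchy (offline root, enterprise issuing CA, IAS server certificate, wireless user certificate). The hierarchy, dates, key sizes and renewal offsets are constructed sample values; the three rules it applies are that an issued certificate's validity must lie inside its issuer's, that a CA should be renewed while its remaining lifetime still covers the longest certificate it issues (otherwise later issuances are cut short at the CA's own expiry), and that key sizes should not grow as you go down the chain.

```python
"""Added example for slides 23-24: consistency check for a certificate and
key lifetime plan across a CA hierarchy. Illustrative code, not part of
Certificate Services; the plan below is a constructed sample."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class CertPlan:
    name: str
    issuer: Optional[str]      # None marks the self-signed root CA
    not_before: date
    lifetime_days: int
    key_bits: int
    renew_after_days: int      # days after not_before at which renewal is scheduled

    @property
    def not_after(self) -> date:
        return self.not_before + timedelta(days=self.lifetime_days)

    @property
    def renewal_date(self) -> date:
        return self.not_before + timedelta(days=self.renew_after_days)


def check_plan(plans: List[CertPlan]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    by_name: Dict[str, CertPlan] = {p.name: p for p in plans}
    issued: Dict[str, List[CertPlan]] = {}
    problems: List[str] = []
    for p in plans:
        if p.renew_after_days >= p.lifetime_days:
            problems.append(f"{p.name}: renewal scheduled at or after expiry")
        if p.issuer is None:
            continue
        issuer = by_name.get(p.issuer)
        if issuer is None:
            problems.append(f"{p.name}: issuer {p.issuer!r} is not in the plan")
            continue
        issued.setdefault(issuer.name, []).append(p)
        # Rule 1: validity must fall inside the issuer's validity; a CA cannot
        # vouch for a certificate beyond its own expiry.
        if p.not_before < issuer.not_before or p.not_after > issuer.not_after:
            problems.append(f"{p.name}: validity ends {p.not_after}, after issuer "
                            f"{issuer.name} expires on {issuer.not_after}")
        # Rule 3: the chain is only as strong as the key that signs it.
        if p.key_bits > issuer.key_bits:
            problems.append(f"{p.name}: {p.key_bits}-bit key exceeds issuer's {issuer.key_bits} bits")
    # Rule 2: renew each CA while its remaining lifetime still covers the
    # longest certificate it issues, or later issuances are truncated.
    for ca_name, children in issued.items():
        ca = by_name[ca_name]
        longest = max(c.lifetime_days for c in children)
        deadline = ca.not_after - timedelta(days=longest)
        if ca.renewal_date > deadline:
            problems.append(f"{ca_name}: renew by {deadline}, not {ca.renewal_date}, "
                            f"to keep issuing {longest}-day certificates")
    return problems


def sample_plan(issuing_ca_renew_after_days: int = 1095, user_key_bits: int = 1024) -> List[CertPlan]:
    """Constructed two-tier hierarchy; the two parameters let callers inject a flaw."""
    return [
        CertPlan("Offline Root CA", None, date(2004, 1, 1), 7300, 4096, 3650),
        CertPlan("Issuing CA", "Offline Root CA", date(2004, 2, 1), 1825, 2048, issuing_ca_renew_after_days),
        CertPlan("IAS server cert", "Issuing CA", date(2004, 3, 1), 730, 2048, 365),
        CertPlan("Wireless user cert", "Issuing CA", date(2004, 3, 1), 365, user_key_bits, 300),
    ]


if __name__ == "__main__":
    for label, plan in (("consistent", sample_plan()), ("late CA renewal", sample_plan(1460))):
        print(label, check_plan(plan) or ["no problems"])
```

With the default sample the plan passes; scheduling the issuing CA's renewal at four years instead of three trips rule 2, because the two-year IAS server certificate would then be issued against a CA with less than two years left.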
25. Remote Access Connection Policies
Specify connection criteria:
- Remote access permission
- Group membership
- Type of connection
- Time of day
Specify connection restrictions:
- Authentication methods
- Idle timeout time
- Maximum session time
- Encryption strength
- IP packet filters
26. IAS Remote Access Policies
- Conditions
- Permissions
- Profile
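Slides 25 and 26 list the parts of a remote access policy without showing how a list of them is applied to a connection request. The following is an added example, not part of the lecture or of IAS itself: a small evaluator that walks an ordered policy list the way the slides describe, checking each policy's conditions (group membership, type of connection, time of day), then its remote access permission, then the profile restriction on authentication methods. The policy names, group names, the "Wireless-IEEE 802.11" port type string, the time window and the IP filter text are constructed sample values.

```python
"""Added example for slides 25-26: evaluating an ordered list of remote access
policies (conditions, then permission, then profile). Illustrative code, not
IAS itself; policies and requests are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    user: str
    groups: Set[str]
    nas_port_type: str        # type of connection reported by the access point
    when: datetime
    auth_method: str


@dataclass
class Policy:
    name: str
    conditions: Dict[str, object]
    grant: bool                                              # remote access permission
    profile: Dict[str, object] = field(default_factory=dict)  # connection restrictions


def conditions_match(policy: Policy, req: Request) -> bool:
    """Every condition must match; a policy that does not match is skipped."""
    for cond, wanted in policy.conditions.items():
        if cond == "windows_groups":
            if not req.groups & set(wanted):
                return False
        elif cond == "nas_port_type":
            if req.nas_port_type not in wanted:
                return False
        elif cond == "day_and_time":
            days, start_hour, end_hour = wanted
            if req.when.strftime("%a") not in days or not start_hour <= req.when.hour < end_hour:
                return False
        else:
            raise ValueError(f"unsupported condition {cond!r}")
    return True


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, Optional[str], str]:
    """The first policy whose conditions match decides; no match means reject."""
    for policy in policies:
        if not conditions_match(policy, req):
            continue
        if not policy.grant:
            return ("reject", policy.name, "remote access permission: deny")
        allowed = policy.profile.get("auth_methods")
        if allowed is not None and req.auth_method not in allowed:
            return ("reject", policy.name, f"profile does not permit {req.auth_method}")
        return ("accept", policy.name, "profile restrictions apply")
    return ("reject", None, "no policy matched")


WIRELESS = "Wireless-IEEE 802.11"
POLICIES = [
    # Ordered on purpose: the deny rule comes first, so a contractor who is
    # also a member of Wireless-Users is still refused.
    Policy("Deny contractors on wireless",
           {"windows_groups": ["Contractors"], "nas_port_type": [WIRELESS]}, grant=False),
    Policy("Wireless staff",
           {"windows_groups": ["Wireless-Users"], "nas_port_type": [WIRELESS],
            "day_and_time": (("Mon", "Tue", "Wed", "Thu", "Fri"), 6, 22)},
           grant=True,
           profile={"auth_methods": {"PEAP-MSCHAPv2", "EAP-TLS"},
                    "idle_timeout_min": 10, "session_timeout_min": 480,
                    "encryption": "strongest",
                    "ip_filters": ["permit tcp any 10.0.0.5/32 eq 443"]}),
]


def decide(user: str, groups: Set[str], nas_port_type: str,
           auth_method: str, when_iso: str) -> Tuple[str, Optional[str], str]:
    req = Request(user, groups, nas_port_type, datetime.fromisoformat(when_iso), auth_method)
    return evaluate(POLICIES, req)


if __name__ == "__main__":
    print(decide("alice", {"Wireless-Users"}, WIRELESS, "PEAP-MSCHAPv2", "2004-03-01T09:00"))
    print(decide("alice", {"Wireless-Users"}, WIRELESS, "PAP", "2004-03-01T09:00"))
    print(decide("bob", {"Contractors", "Wireless-Users"}, WIRELESS, "EAP-TLS", "2004-03-01T09:00"))
```

Two points the evaluator makes concrete: policy order matters, because evaluation stops at the first match, and a matched policy can still reject a request through its profile, which is why a weak authentication method such as PAP is refused even for a user the conditions accept.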
27. Lab D: Planning and Implementing Security for Wireless Networks
- Exercise 1: Configuring Active Directory for Wireless Networks
- Exercise 2: Configuring Certificate Templates and Certificate Autoenrollment
- Exercise 3: Configuring Remote Access Policies for Wireless Devices
- Exercise 4: Configuring Group Policy for Wireless Networks