Chapter 2. Implementing Secured Wireless Technologies

The security issues that face companies that implement wireless networks are many. It’s like trying to secure a public network jack placed on the outside of your building. It just invites people to try and break into the network.

Extending the physical security that you’ve provided for your servers and backbone networking equipment to the wireless medium isn’t possible. This chapter discusses the alternatives in a wireless environment so you can at least tell who’s accessing your network and from where.

You’re going to look at how Windows Server 2003, along with the features included with your wireless networking equipment, can make it more difficult for attackers to take advantage of your public network jack.

Working Through Walls

Radio Frequency (RF) waves travel well through most solid objects. This creates a complicated scenario when dealing with physical security on your network. The placement of access points and their antennas requires some careful planning and site surveys.

Moving Target

The industry standard for wireless security is a moving target at this time. The target standard is IEEE (Institute of Electrical and Electronics Engineers) 802.11i. As of the writing of this book this standard is still in draft. It outlines wireless security guidelines for hardware manufacturers and software developers.

Common Mistakes When Planning Access Point Placement

When considering coverage and number of access points, physical placement is very important in a wireless network. Taking into account the surrounding building architecture, distances, and possible sources of interference becomes critical. RF propagation patterns can be affected in many ways. You’re going to look at some of the points to take into consideration while creating your WLAN layout.

Considering Signal Attenuation

RF attenuation refers to the reduction of signal strength between the wireless AP and the client station. Attenuation is represented in decibels (dB). Decibels are 10 times the logarithm of the signal power at a particular input divided by the signal power at an output of a specified medium. An application of this formula is listed in Table 2.1.

Table 2.1. Sample Attenuation Results

RF Signal   Medium          Loss     Attenuation
200mW       Office wall     100mW    3dB
200mW       Office window   100mW    3dB
200mW       Metal door      150mW    6dB

Inside a building structure attenuation is caused by common construction materials such as wood, metal, and concrete. Additional items that come into play when considering loss are metal storage shelves, partitions, and people.

Examples of some common objects that cause signal attenuation are listed in Table 2.2.

Table 2.2. Common Attenuation Causes and the Resulting Loss

Medium                      Attenuation
Plasterboard office wall    3dB
Office window               3dB
Cinder block wall           4dB
Glass wall (metal frame)    6dB
Metal door                  6dB
Metal door (brick wall)     12.4dB

Outside the building structure, attenuation is based on free space loss formulas. These formulas take into account the power of the transmitting station, the distance, and the receiving station’s sensitivity. Other factors include objects that obstruct a portion of the RF propagation pattern.

Administrators need to take into account that RF signals between the client and the AP can be attenuated by various metal objects. These objects act like antennas and drown out the usable signal. When designing a WLAN layout make sure to be aware of building materials such as the following:

  • Metal studded walls

  • Steel I-beams

  • Rebar reinforced concrete

  • Heating and air-conditioning ducts

  • Wire mesh reinforcements in walls

  • Elevator shafts

  • Window coatings that contain metal

WLAN administrators can reduce the ease of “man in the middle” attacks by placing access points near the middle of the building structure. Window coverings that contain metal coatings can reduce the signal emitted into the parking lot or surrounding areas. Grounding metal studded walls can also help create a barrier to signal propagation into unwanted areas.
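The decibel definition above and the losses in Tables 2.1 and 2.2 can be turned into a small link-budget calculator. This is an added example, not code from the book: it checks the Table 2.1 rows against the 10·log10 definition, walks an AP’s transmit power through the obstacles of Table 2.2 with the standard Friis free-space loss, and solves the same formula for range, which is what lowering the transmit power changes. The 2412 MHz channel and the 100 mW AP power are assumptions, and the receiver sensitivity of −76 dBm is a constructed figure, not one from the chapter.

```python
"""Attenuation and link-budget arithmetic for the chapter's tables (added example)."""
import math

# Per-obstacle losses in dB, as listed in Table 2.2.
OBSTACLE_LOSS_DB = {
    "plasterboard office wall": 3.0,
    "office window": 3.0,
    "cinder block wall": 4.0,
    "glass wall (metal frame)": 6.0,
    "metal door": 6.0,
    "metal door (brick wall)": 12.4,
}


def attenuation_db(p_in_mw, p_out_mw):
    """Decibels: 10 times the log10 of input power divided by output power."""
    return 10.0 * math.log10(p_in_mw / p_out_mw)


def table_row_db(signal_mw, loss_mw):
    """Attenuation for a Table 2.1 row: the 'Loss' column is power lost, so
    the output power is signal minus loss."""
    return attenuation_db(signal_mw, signal_mw - loss_mw)


def mw_to_dbm(p_mw):
    return 10.0 * math.log10(p_mw)


def free_space_loss_db(distance_m, freq_mhz):
    """Friis free-space path loss: 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    d_km = distance_m / 1000.0
    return 20.0 * math.log10(d_km) + 20.0 * math.log10(freq_mhz) + 32.44


def received_power_dbm(tx_mw, distance_m, freq_mhz, obstacles=()):
    """Signal at the client after free-space loss and each obstacle in the path."""
    loss = free_space_loss_db(distance_m, freq_mhz)
    loss += sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    return mw_to_dbm(tx_mw) - loss


def link_ok(rx_dbm, sensitivity_dbm):
    """True when the received signal is at or above the client's sensitivity."""
    return rx_dbm >= sensitivity_dbm


def max_range_m(tx_mw, freq_mhz, sensitivity_dbm, obstacles=()):
    """Solve the Friis formula for distance: how far the signal stays usable.
    Because loss grows with 20log10(d), range scales with the square root of
    transmit power, so cutting power to a third shrinks range by about 42%."""
    margin_db = mw_to_dbm(tx_mw) - sensitivity_dbm
    margin_db -= sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    d_km = 10.0 ** ((margin_db - 20.0 * math.log10(freq_mhz) - 32.44) / 20.0)
    return d_km * 1000.0


if __name__ == "__main__":
    # 300 feet (the chapter's average indoor maximum) at channel 1, 100 mW AP.
    feet_300 = 300 * 0.3048
    for path in ([], ["cinder block wall", "metal door"],
                 ["metal door (brick wall)", "glass wall (metal frame)"]):
        rx = received_power_dbm(100, feet_300, 2412, path)
        print(f"{path or 'clear path'}: {rx:.1f} dBm, usable={link_ok(rx, -76.0)}")
    print(f"range at 100 mW: {max_range_m(100, 2412, -76.0):.0f} m")
    print(f"range at  30 mW: {max_range_m(30, 2412, -76.0):.0f} m")
```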

Planning Signal Coverage

Omni-directional antennas transmit the RF signals in all directions at basically the same level. Think of the shape of a doughnut surrounding the center of the antenna.

802.11b access points generally have greater transmission range than 802.11a. This is because of the wavelength of the RF signal. The 2.4GHz of 802.11b has a longer wavelength and loses less power over distance.

Access points available from enterprise class vendors enable users to set the radio transmission power level. The maximum transmit power level allowed by the Federal Communications Commission in the United States for an 802.11b transmitter is 1 watt (1,000 milliwatts).

Directional antennas transmit the RF signals in a single direction. This type of antenna is best used for narrow coverage requirements such as hallways. Another application of this type of device is for long distance point-to-point transmission.

Coverage of the desired areas can be increased by deploying multiple overlapping access points. By knowing the requirements of the network you can either give the end users constant signal levels, such as 11MB/sec or allow throughput down to 1MB/sec.

The SSIDs, power output, and overlapping channels are important. By mapping out your network application requirements you can place the appropriate antennas and number of access points in the correct areas.

Reducing Interference

Your wireless network signals are susceptible to multiple sources of interference. By keeping your access points higher in your room layout, such as above false ceilings and mounted to beams in warehouse structures, you should avoid most common sources of interference.

Rogue access points can create havoc on your wireless LAN design. You can prevent a rogue access point from hijacking your clients by removing it from the preferred connections configured in your clients’ wireless network interface card (NIC) settings.

Avoiding WLAN Conflicts

Knowing the frequencies of the WLAN can help avoid conflicts. IEEE 802.11 is the standard for WLANs. The frequency, or band, that 802.11b uses runs from 2.4 to 2.5GHz. 802.11a operates in the range of 5.725 through 5.875 GHz.

Appliances such as microwaves and portable phones operate at the same frequencies as 802.11b and 802.11g networks. By avoiding placing your access points too near these appliances you can reduce your likelihood of interference with such devices.

Considering Distance

Indoor distances can be affected by physical obstructions and RF-producing appliances. The average maximum distances are about 300 feet, but can differ greatly depending on access point power and antenna placement. As mentioned previously, signal strength, and therefore distance, can be decreased due to interference and attenuation.

Outdoor distances can be much greater due to the lack of interference. The use of directional antennas and amplifiers can extend the distance to kilometers in range.

Turning Down the Volume

Although using the highest possible signal level gives the longest range, this might not always be desirable. After testing signal levels and checking for overlapping channels, it might be necessary to lower the transmit power to reduce overlapping coverage.

Using the wireless AP configuration utilities, it might be prudent to lower the radio output. This approach would be best applied where access points are near the exterior of buildings or on the edge of desired WLAN RF coverage.

Connecting to Power

One of the last things people often think about when deciding where to place their access points is power. An important item to consider is how to get the proper power to any access points up above false ceilings or mounted to beams high above the warehouse floors.

The saving grace in scenarios where power isn’t readily accessible via an AC receptacle is called power over Ethernet (POE). POE is supported by most enterprise level access point vendors. Some are as simple as an in-line power injector. Other vendors have special network switches that support POE.

Bridging Versus Broadcasting

Wireless bridging devices can be used for temporary network links or where wiring is impractical. Bridging between two wireless devices lowers attackers’ ability to associate with your wireless network. Using wireless bridges also allows for point-to-point or point-to-multipoint connections.

A popular use of wireless bridges is from building to building using directional antennas. This can either be a temporary or permanent installation. Using RF signal amplifiers and high gain antennas can transmit the signal for several miles.

Managing Spectrums to Avoid Denial of Service

Should you choose 802.11a, 802.11b, or 802.11g? Depending on your current investment and infrastructure you might be able to avoid brute force denial of service attacks just by “changing the channel.” This can be accomplished by using a lesser used frequency or compression scheme.

Keep in mind that approved IEEE standards will have an effect on which implementations wireless technology manufacturers roll out. These decisions are also going to be affected by market conditions and adoption rates. You should choose the most compatible wireless equipment that meets your company’s application needs.

Choosing Your Channel

802.11a uses 12 non-overlapping channels from 5.725 through 5.875 GHz. This might be a good alternative for reducing interference by devices such as cordless phones, Bluetooth devices, and microwaves. This would be recommended for smaller businesses that don’t require strong security.

IEEE 802.11a Not Yet Finalized

The IEEE 802.11a standard has not been finalized as of the writing of this book. Therefore, manufacturers have been slow to implement security or other add-ons to 802.11a-based equipment.

802.11b and 802.11g non-overlapping channels:

  • Channel 1 (2.412 GHz)

  • Channel 6 (2.437 GHz)

  • Channel 11 (2.462 GHz)
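The three channels listed above are the only mutually non-overlapping ones because 802.11b DSSS channels are about 22 MHz wide while their centers are spaced 5 MHz apart. This added example (not from the book) derives that set from the standard 2.4 GHz channel plan (2407 MHz + 5 MHz per channel number, channel 14 at 2484 MHz) and flags overlapping assignments among access points whose coverage areas meet; which channels your regulator permits is passed in as a parameter, since that varies by country.

```python
"""2.4 GHz channel overlap checking for access point placement (added example)."""

# Occupied width of an 802.11b DSSS channel in MHz.
DSSS_WIDTH_MHZ = 22.0


def center_mhz(channel):
    """Center frequency of a 2.4 GHz 802.11b/g channel."""
    if channel == 14:
        return 2484.0
    if 1 <= channel <= 13:
        return 2407.0 + 5.0 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a, b, width_mhz=DSSS_WIDTH_MHZ):
    """True when the occupied bands of two channels share any spectrum.
    Two channels are clear of each other only when their centers are at
    least one channel width apart."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping_plan(allowed=range(1, 12), width_mhz=DSSS_WIDTH_MHZ):
    """Greedy plan over the channels a regulator allows: keep each channel
    that does not overlap any channel already kept. For channels 1-11
    (United States) this yields 1, 6 and 11."""
    plan = []
    for ch in allowed:
        if all(not overlaps(ch, kept, width_mhz) for kept in plan):
            plan.append(ch)
    return plan


def conflicts(assignments, width_mhz=DSSS_WIDTH_MHZ):
    """Given {ap_name: channel} for access points whose coverage overlaps,
    return the pairs whose channels also overlap and so interfere."""
    names = sorted(assignments)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(assignments[a], assignments[b], width_mhz):
                found.append((a, b))
    return found


if __name__ == "__main__":
    print("US plan:", non_overlapping_plan(range(1, 12)))
    print("with channel 14 allowed:", non_overlapping_plan(range(1, 15)))
    # Constructed layout: three APs in one open-plan floor, all within range of each other.
    layout = {"AP-lobby": 1, "AP-east": 3, "AP-west": 11}
    print("conflicting pairs:", conflicts(layout))
```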

Protecting Yourself from Internal Interference

In larger wireless network deployments many of the interference and RF signal problems that arise come from internal sources. By knowing the physical layout of your buildings as well as the existing RF interference you can work around or reduce these problems down the road.

Conducting an RF site survey of your environment is critical to protecting your WLAN from interference and obstructions. After you map out the signal levels take note of both internal and external access points.

Keep an accurate inventory of authorized access points. Using the reports from your site survey software, you should document the location and MAC address of each of your access points. Performing ongoing site surveys will make you aware of new rogue access points.

Creating a company or organization operations policy concerning authorized wireless access points will greatly reduce your administrative nightmares. By creating a method in which to incorporate wireless access points where rogues are popping up you can keep your end users happy.

Protecting the Wireless Network

Keeping people from snooping around your network probably isn’t going to happen. What you can do is reduce the ability for them to successfully gain access to your network resources. This will need to take place on several fronts. You’ll need to lock down your systems as well as your wireless access points.

There are many vendors of wireless access points, bridges, and network cards. The security features that they implement vary. Depending on your company’s budget and the age of the equipment in place you might want to start with the basics:

  • Ensure AP and NIC firmware is up to date

  • Mount AP out of reach to avoid “hard reset”

  • Change your AP’s default administrator password

  • Don’t allow remote management

  • Change your SSID name

  • Don’t broadcast your SSID

  • Use MAC layer filtering

  • Activate WEP (some older/entry level APs don’t support 802.1x)

  • Use 802.1x for dynamic key exchange (best security)

By taking these measures you will be able to keep the honest people honest. Those who have the time and tools might still be able to access the wireless network. That’s where the next layer of defense comes into play. To protect the company’s data, the internal networking equipment and operating systems need to have the same if not more security in place.

Implementing Support for Secure 802.1x Technologies

Windows Server 2003 has the capability to implement 802.1x port-level security. This security capability is comprised of several components and each of them needs to be configured to pass the appropriate information to the others. All of the components in this process need to be 802.1x-compliant.

802.1x is the IEEE standard that defines port-based network access control. It also defines the method for passing the Extensible Authentication Protocol (EAP) messages. There are three parts of a Windows Server 2003–based 802.1x-compliant system:

  • Supplicant. User or client that wants to be authenticated (Windows XP SP1 or later)

  • Authenticator. Access point that is 802.1x-compliant (be sure to check with the manufacturer’s documentation prior to choosing your equipment)

  • Authentication Server. Microsoft IAS Server (RADIUS) registered with Active Directory

RFC 2716

Microsoft introduced a Request for Comment (RFC) in 1999 called RFC 2716. This document describes EAP-TLS. Transport Layer Security (TLS) provides for mutual authentication, encrypted negotiation, and key exchange between two end points. Combined, the two technologies are referred to as EAP-TLS.

Taking Advantage of Windows Server 2003 Security Features

Windows Server 2003 gives you a great deal of security and flexibility when it comes to the management of wireless networks and the clients accessing them. By using Active Directory, DHCP, DNS, and Internet Authentication Services you can secure and audit remote computers as well as wireless users.

Group Policies are probably the primary tools for wireless network administrators. The ability to control most, if not all, of the wireless client’s settings is a great way to ensure security compliance.

Configuring the Wireless Network (IEEE 802.11) Policy

Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension. This extension enables you to configure the wireless network settings that are part of the Computer Configuration Group Policy.

Wireless network settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension include the global wireless settings, list of preferred networks, WEP settings, and IEEE 802.1x settings. All the settings that are available in the Association and Authentication tabs in the Properties dialog box for a wireless network on a Windows XP (SP1 and later) or Windows Server 2003 wireless client are included in this configuration tool.

Wireless Network (IEEE 802.11) Policies

The Wireless Network (IEEE 802.11) Policies do not apply to Windows XP clients prior to Service Pack 1. They also will not apply to the Microsoft 802.1x Authentication Client wireless clients.

Wireless Network (802.11) Policies Node

The Wireless Network (802.11) Policies node is not available from the Windows Server 2003 Administrators Pack. You must configure this directly on the server or via Terminal Services.

Single Wireless Network Policy

Only a single wireless network policy can be created for each Group Policy object.

You can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy MMC snap-in. Figure 2.1 shows the location of the Wireless Network (IEEE 802.11) Policies node.


Figure 2.1. Wireless network (802.11) policies node.

There are no Wireless Network (802.11) policies by default. To create a new policy you must right-click on Wireless Network (IEEE 802.11) Policies in the console tree of the Group Policy Object Editor and then click Create Wireless Network Policy. The Create Wireless Network Policy Wizard will start. The wizard enables you to configure the name and description for the new wireless network policy.

After creating the new wireless policy you need to double-click on the name of the new policy in the Details pane to make the modifications needed to implement your desired settings.

Choosing the Proper Wireless Network Policy Properties

Now that the new wireless network policy has been created you need to go through each of the options on the General and Preferred Networks tabs and choose the appropriate settings for the wireless network. Figure 2.2 shows the options available on the General tab.


Figure 2.2. Wireless network policy General Properties tab.

Within the General tab you can configure the following properties:

  • Name. Enables you to specify a friendly name for the wireless network policy.

  • Description. Gives a description for the wireless network policy.

  • Check for Policy Changes Every. This setting specifies the interval, in minutes, after which clients check for changes to the wireless network policy.

  • Networks to Access. Enables you to choose which of the following network types the wireless client is allowed to connect to:

    Any Available Network (Access Point Preferred)

    Access Point (Infrastructure) Networks Only

    Computer-to-Computer (Ad Hoc) Networks Only

  • Use Windows to Configure Wireless Network Settings for Clients. This check box enables the WZC service.

  • Automatically Connect to Non-preferred Networks. This check box enables the client to connect to wireless networks that are not configured in the Preferred Networks tab.

Within the Preferred Networks tab, shown in Figure 2.3, you can configure the following properties:


Figure 2.3. Wireless network policy Preferred Networks properties tab.

  • Networks. This box displays the list of preferred wireless networks.

  • Add/Edit/Remove. These buttons enable you to create, delete, or modify the settings of a new or selected preferred wireless network.

  • Move Up/Move Down. These buttons enable you to move the selected preferred wireless network up or down in the Networks list.

By double-clicking on any of the preferred wireless networks listed in the Networks list you can edit the properties of that network. Figure 2.4 shows the options that are available for modification.

Figure 2.4. Wireless Network Policy preferred networks options.

WPA

As of the writing of this book configuration for Wi-Fi Protected Access (WPA) was not available. Inclusion of WPA authentication and encryption settings is being considered by Microsoft in future Service Packs for Windows Server 2003 and Windows XP clients.

The first tab at the top of the dialog box is Network Properties. This tab has the following options:

  • Network name (SSID). This field specifies the wireless LAN network name, also known as the Service Set Identifier (SSID).

  • Description. This box enables you to give a short description of this wireless network.

  • Data Encryption (WEP Enabled). This check box specifies whether WEP is enabled for this wireless network.

  • Network Authentication (Shared Mode). This check box specifies whether 802.11 shared key authentication is used to authenticate the wireless client. If disabled, open system authentication is used.

  • The Key Is Provided Automatically. This check box specifies whether a WEP key is provided via some means other than manual configuration. When checked, keys are provided either on the wireless network card or through 802.1x authentication provided by an IAS server.

  • This Is a Computer-to-Computer (Ad Hoc) Network. This check box specifies whether the client’s wireless LAN network is operating in ad hoc mode.

The other tab that is available for settings of the preferred wireless networks is the IEEE 802.1x tab. Figure 2.5 shows the available configuration options.


Figure 2.5. IEEE 802.1X properties options.

On the IEEE 802.1x tab you can configure the following settings:

  • Enable Network Access Control Using IEEE 802.1x. This check box specifies whether you want to use IEEE 802.1x to perform authentication for this wireless network. This box also enables all the other settings on this tab.

  • EAPOL-Start Message. This pulldown box enables you to select the transmission behavior of the EAPOL-Start message when authenticating. The following options are available:

    Do Not Transmit. This option specifies that EAPOL-Start messages are not sent.

    Transmit. This option sends, if needed, an EAPOL-Start message.

    Transmit per 802.1x. This option sends an EAPOL-Start message, upon association, to initiate the 802.1x authentication process.

  • Max Start. This box specifies the number of successive EAPOL-Start messages that are transmitted when no response is received from the initial EAPOL-Start message.

  • Start Period. This box specifies, in seconds, the interval between the retransmission of EAPOL-Start messages when no response to the previously sent message is received.

  • Held Period. This box specifies, in seconds, the period that the authenticating client will not perform any 802.1x authentication activity after it has received an authentication failure indication from the authenticator.

  • Authentication Period. This box specifies, in seconds, the interval for which the authenticating client will wait before retransmitting any 802.1x messages after authentication has been initiated.

  • EAP Type. This pull-down box lists the EAP types that correspond to EAP DLLs installed on the client computer that are suitable for wireless access. The two main choices are Smart Card or Other Certificate or Protected EAP (PEAP).

  • Settings. This button enables you to configure the properties of the selected EAP type.

  • Authenticate as Guest When User or Computer Information Is Unavailable. This check box specifies whether the computer will attempt to authenticate as a guest when either user or computer credentials are unavailable.

  • Computer Authentication. This pull-down box enables you to specify the way in which computer authentication works with user authentication.

Under Computer authentication, the three possible settings are as follows:

  • With User Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the client computer authentication is maintained with the computer credentials. When the wireless client travels to a new wireless access point authentication is performed using the user’s credentials.

  • With User Re-authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the client computer, authentication is performed using the user credentials. When a user logs off the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer’s current security context (computer credentials when no user is logged on and user credentials when a user is logged on).

  • Computer Only. Authentication is always performed by using the computer credentials. User authentication is never performed.

Incorporating Certificates into Wireless Security

One of the best ways to protect not only the WLAN, but also the whole network, is called Public Key Infrastructure (PKI). On Windows Server 2003 this solution is also known as Certificate Services. Certificate Services can either be managed internally or outsourced to a trusted third party.

The computer and user certificates can be issued through Group Policies. This is best performed at an Organizational Unit (OU) level. It is recommended that an OU be created for the WLAN users.

Automatic computer certificate allocation can be performed. This might be desirable when a large number of users are going to be using your PKI infrastructure.

Automatic Computer and User Certificate Allocation

Windows Server 2003 Enterprise or Data Center Edition acting as the enterprise CA server is required for the automatic computer and user certificate allocation.

Configuring Certificate Services

Administrators of medium to large Windows 2000 or Windows Server 2003 environments will probably have already deployed a PKI infrastructure. There are several roles involved in a well-managed PKI architecture; they include the Enterprise root Certificate Authority (CA), Issuing CA, and Subordinate CA.

If this is the first instance of PKI in the Windows Server 2003 environment perform the following steps:

  1. In the Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.

  2. In the Windows Components Wizard page, select Certificate Services, and then click Next.

  3. On the next Windows Components Wizard page, select Enterprise root CA.

  4. Click Next and then type the desired name in the Common Name for This CA field, and then click Next.

  5. Accept the default Certificate Database Settings, and then click Next and finally Finish.

This creates the base of the PKI architecture. In a truly secure environment the Enterprise root CA server is removed from the network and physically protected. This is to protect the integrity of the private key.

Configuring Internet Authentication Services (IAS)

The network’s remote and wireless clients need to be authenticated to access the domain. This service is provided by the Remote Authentication Dial-In User Service (RADIUS) or IAS role in your network. The IAS server is registered with the Active Directory. By having the two services aware of each other, a single sign-on environment can be maintained.

The Microsoft IAS-based RADIUS Server provides centralized authentication, authorization, and accounting (AAA). IAS is also a RADIUS Proxy because it can forward RADIUS requests to other RADIUS Servers for AAA. IAS can also be used to authenticate VPN clients, wireless access points, and Ethernet switches that support 802.1x.

Configuring EAP-TLS Authentication

EAP-TLS is the method by which the wireless client and the IAS server exchange certificates to authenticate each other.

On your IAS server perform the following steps:

  1. Open the Internet Authentication Service snap-in.

  2. In the console tree, click Remote Access Policies.

  3. In the details pane, double-click Wireless Access to Intranet. The Wireless Access to Intranet Properties dialog box is displayed.

  4. Click Edit Profile, and then click the Authentication tab.

  5. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box will be displayed.

  6. Click Add. The Add EAP dialog box will be displayed.

  7. Click Smart Card or Other Certificate, and then click OK. The smartcard or other certificate type will be added to the list of EAP providers.

  8. Click Edit. The Smart Card or Other Certificate Properties dialog box will be displayed.

  9. The properties of the computer certificate issued to the IAS computer will be displayed. Click OK.

  10. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

  11. Click OK to save changes to the remote access policy.

Acceptable Computer Certificate

This dialog box verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication.

Configuring the Wireless Client

Windows XP (with SP1, or later) is the preferred client in a WLAN environment. 802.1x and automatic wireless configuration, also known as Wireless Zero Configuration (WZC), are included in Windows XP. WZC is enabled when you choose the Use Windows to Configure My Wireless Network Settings check box in your Wireless Network Connection Properties dialog box. WZC really comes into play when you have group policies configured on your Windows Server 2003 domain controllers.

Customers Who Participate in Microsoft’s Premier Support

Microsoft provides the 802.1x Authentication Client for Windows 98 and Windows NT 4.0 Workstation to customers who participate in Microsoft’s Premier Support.

You’ve seen WZC in action when you see the “One or more wireless networks are available” message in the notification area of the desktop. If you don’t have group policies configured, the following defaults will apply:

  • The SSID is acquired from the wireless AP beacon

  • Network authentication is open

  • Data encryption is disabled

  • Shared key authentication is disabled

  • IEEE 802.1x authentication for this network is disabled

If the default settings don’t conform to your wireless network the user must manually configure each option to match the wireless AP and your Windows Server 2003 security settings.

Configuring Wi-Fi Protected Access (WPA)

Windows XP (Post SP1) clients can take advantage of a stronger encryption standard known as WPA. WPA is an interoperable interim standard that has been developed by the Wi-Fi Alliance. WPA is a replacement for WEP, which has many known and published vulnerabilities. To take advantage of this new standard you will need to make sure that all your WLAN components are compatible.

Required Updates

To implement WPA to protect your data you’ll need to verify or update the software/firmware at the following:

  • Wireless Access Point parameters include WPA information element, WPA two-phase authentication, TKIP, Michael, and AES (optional).

  • Wireless Network Adapter options include WPA information element, WPA two-phase authentication, TKIP, Michael, and AES (optional).

  • Wireless Client Programs options include WPA client program (Windows XP SP1) and WPA-compliant configuration tool for wireless network adapter (Windows 2000).

Authentication

WPA requires that 802.1x authentication be in place. This can be accomplished through the RADIUS (EAP-TLS) method. This is configured through the Windows Server 2003 Internet Authentication Server. In smaller organizations a preshared key can be used.

Key Management

WPA requires the rekeying of both unicast and global encryption keys. Temporal Key Integrity Protocol (TKIP) is used to change the unicast encryption key for every frame and also synchronizes the changes between the AP and the wireless client.

Temporal Key Integrity Protocol (TKIP)

TKIP is a replacement for WEP. It provides a new encryption algorithm that is stronger than WEP. TKIP uses the calculation facilities that are already present on existing wireless devices to perform the encryption operations. To be in compliance with the WPA standard, TKIP is required.

Michael

WPA uses a new data integrity method called Michael. WEP relies upon a 32-bit integrity check value (ICV) to provide data integrity assurance. This method can be captured and manipulated with cryptanalysis tools to update the ICV without the client knowing about it.

Michael specifies an algorithm that calculates an 8-byte message integrity code (MIC) using facilities available on existing wireless devices. This MIC is located between the data portion of the 802.11 frame and the ICV. Both the MIC and the ICV are encrypted along with the data frame. Michael also implements a new frame counter to provide replay protection.
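The difference between the WEP ICV and a keyed MIC with a frame counter is easiest to see on a receiver that checks both. This added example (not from the book) builds frames with the layout just described (data, then an 8-byte MIC, then a 4-byte CRC-32 ICV) and shows that a changed body with a recomputed ICV still passes an ICV-only check, because a CRC needs no key, while the keyed MIC rejects it and the counter rejects a replayed frame. It does not implement Michael itself: a truncated HMAC-SHA256 stands in for the 8-byte keyed MIC, frames are left in plaintext (no RC4) to keep the comparison about integrity, and the key and frame contents are constructed.

```python
"""CRC-32 ICV versus keyed MIC plus replay counter (added example, HMAC stands in for Michael)."""
import hashlib
import hmac
import struct
import zlib

MIC_KEY = b"\x01" * 8   # constructed 64-bit integrity key (a Michael key is also 64 bits)


def icv(data: bytes) -> bytes:
    """WEP-style integrity check value: a 32-bit CRC, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def mic(key: bytes, counter: int, body: bytes) -> bytes:
    """8-byte keyed MIC over the frame counter and body (HMAC stand-in for Michael)."""
    return hmac.new(key, struct.pack("<Q", counter) + body, hashlib.sha256).digest()[:8]


def build_frame(counter: int, body: bytes, key: bytes = MIC_KEY) -> bytes:
    """Layout: counter(8) | body | MIC(8) | ICV(4); the MIC sits between data and ICV."""
    m = mic(key, counter, body)
    return struct.pack("<Q", counter) + body + m + icv(body + m)


def parse_frame(frame: bytes):
    counter = struct.unpack("<Q", frame[:8])[0]
    return counter, frame[8:-12], frame[-12:-4], frame[-4:]


def icv_only_check(frame: bytes) -> bool:
    """What a WEP receiver can verify: only that the CRC matches the bytes."""
    _, body, m, v = parse_frame(frame)
    return v == icv(body + m)


class Receiver:
    """WPA-style receiver: ICV, then keyed MIC, then a strictly increasing counter."""

    def __init__(self, key: bytes = MIC_KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> str:
        counter, body, m, v = parse_frame(frame)
        if v != icv(body + m):
            return "rejected: bad ICV"
        if not hmac.compare_digest(m, mic(self.key, counter, body)):
            return "rejected: bad MIC"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return "accepted"


def altered_copy(frame: bytes, new_body: bytes) -> bytes:
    """A frame whose body was swapped and whose unkeyed ICV was recomputed to match;
    the MIC is carried over unchanged because it cannot be recomputed without the key."""
    counter, _, m, _ = parse_frame(frame)
    return struct.pack("<Q", counter) + new_body + m + icv(new_body + m)


if __name__ == "__main__":
    rx = Receiver()
    original = build_frame(1, b"transfer: 10")          # constructed frame body
    print("original:", rx.accept(original))
    altered = altered_copy(original, b"transfer: 99")
    print("altered, ICV-only check:", icv_only_check(altered))
    print("altered, MIC receiver:", rx.accept(altered))
    print("replayed original:", rx.accept(original))
```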

Advanced Encryption Standard (AES)

WPA calls for AES to encrypt the traffic between the AP and wireless clients. AES is optional as a replacement to your current WEP encryption. This is because manufacturers need to update their firmware and drivers. This might not be feasible in all cases.

Mixing WEP and WPA Wireless Clients

During the transition to a fully WPA-compliant environment it might be necessary to support pre-existing WEP clients. This is supported by the wireless AP after it has been upgraded; the AP determines which encryption method each client requests. The WEP clients can't take advantage of the dynamic global encryption keys because they don't support them, and because every client in the cell must share the same group key, broadcast and multicast traffic in a mixed cell is protected only by WEP. Treat mixed mode as a short-lived stage of the migration, not a destination.

Maximizing Wireless Security Through Tunneling

In some cases it might not be feasible to have all the components compliant with your security planning, such as older pre-existing equipment that doesn’t support 802.1x, RADIUS, or WPA. You also might not have control over portions of the WLAN to which your clients are connecting.

In these cases the best method for securing your network traffic is a Virtual Private Network (VPN): treat the WLAN as untrusted in the same way as the Internet, and require each wireless client to build a tunnel (for example L2TP/IPsec or PPTP to a Windows Server 2003 Routing and Remote Access server) before it can reach internal resources.

While You’re Away

Public Access Points are popping up everywhere. It might be in your local coffee shop or bookstore. This convenience allows remote users and administrators access to their networks from almost anywhere. This convenience also creates challenges for the IT administrators.

Most public access points run with no encryption at all, so anyone in range can read your wireless traffic. This makes the use of a VPN that much more important, and the user should bring the tunnel up before doing anything else on the hotspot.

VPN Pass-through is Important

Not all firewalls allow VPN pass-through. Make sure that the firewall at that location passes what your tunnel needs: PPTP uses TCP port 1723 plus GRE (IP protocol 47), and L2TP/IPsec uses UDP port 500 for IKE, UDP port 4500 for NAT traversal, and ESP (IP protocol 50).

If the wireless client is in a public access point, have the user check with the FAQ section of that provider’s Web site or call their technical support phone number.

Maintaining Knowledge of Your Wireless Networks

By constantly reviewing the updates to IEEE standards and the application of new patches to wireless networks you can stay on top of your security.

Monitoring sites such as wardriving.com can tell you whether your access points have already been discovered and listed by wardrivers.

Keeping Track of People, Places, and Things

Make sure you are keeping track of security events such as failed login attempts. Although these might just be indications of users forgetting their passwords, it also could be signs of a break-in attempt. By being alert to such indicators you can keep your users happy and attackers frustrated.
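The following added example, not code from the book, shows the distinction the paragraph above draws in working detection logic. It reads a constructed tab-separated export of a Windows Server 2003 security log (timestamp, event ID, user name, source address; event IDs 528/540 are successful logons, 529 is a bad user name or password, 675 is a failed Kerberos pre-authentication) and classifies each source address: a couple of failures followed by a success from one account is a forgotten password, a burst of failures against one account is a brute-force attempt, and a burst spread over many accounts is password spraying. The log lines, thresholds, and window are assumptions for the demonstration; the column layout is not the exact Event Viewer export format.

```python
"""Triage of failed-logon events from a Windows Server 2003 security log
(added example, not from the book). Input is a constructed tab-separated export."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_IDS = {529, 675}    # bad password / Kerberos pre-auth failure
SUCCESS_IDS = {528, 540}    # successful logon / successful network logon

# Constructed sample export (not real log data): timestamp, event ID, user, source.
SAMPLE_LOG = """\
2004-03-02 08:14:03\t529\tjsmith\t10.1.5.23
2004-03-02 08:14:21\t529\tjsmith\t10.1.5.23
2004-03-02 08:14:40\t528\tjsmith\t10.1.5.23
2004-03-02 23:02:01\t529\tAdministrator\t10.1.9.77
2004-03-02 23:02:02\t529\tAdministrator\t10.1.9.77
2004-03-02 23:02:03\t529\tAdministrator\t10.1.9.77
2004-03-02 23:02:04\t529\tAdministrator\t10.1.9.77
2004-03-02 23:02:05\t529\tAdministrator\t10.1.9.77
2004-03-02 23:02:06\t529\tAdministrator\t10.1.9.77
2004-03-02 23:05:10\t529\tjdoe\t10.1.9.80
2004-03-02 23:05:11\t529\tmlee\t10.1.9.80
2004-03-02 23:05:12\t529\tpwong\t10.1.9.80
2004-03-02 23:05:13\t529\tsvc-backup\t10.1.9.80
2004-03-02 23:05:14\t529\tadministrator\t10.1.9.80
"""


def parse(log_text):
    """Return events as (timestamp, event_id, user, source), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), user.lower(), source))
    events.sort()
    return events


def triage(log_text, window=timedelta(minutes=10), burst_threshold=5, spray_accounts=4):
    """Return {source: verdict}. A burst is the largest number of failures from one
    source inside any interval of length `window`."""
    by_source = defaultdict(list)
    for ev in parse(log_text):
        by_source[ev[3]].append(ev)
    verdicts = {}
    for source, evs in by_source.items():
        failures = [(ts, user) for ts, eid, user, _ in evs if eid in FAILURE_IDS]
        if not failures:
            continue
        burst, start = 0, 0
        for i, (ts, _) in enumerate(failures):       # sliding window over failures
            while ts - failures[start][0] > window:
                start += 1
            burst = max(burst, i - start + 1)
        users = sorted({u for _, u in failures})
        recovered = any(eid in SUCCESS_IDS and ts > failures[0][0]
                        for ts, eid, _, _ in evs)
        if burst >= burst_threshold and len(users) >= spray_accounts:
            verdicts[source] = "password spraying across %d accounts" % len(users)
        elif burst >= burst_threshold:
            verdicts[source] = "brute force against %s" % ", ".join(users)
        elif recovered:
            verdicts[source] = "probable forgotten password (%s)" % ", ".join(users)
        else:
            verdicts[source] = "below threshold (%d failures)" % len(failures)
    return verdicts


if __name__ == "__main__":
    for source, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(source, "->", verdict)
```

The per-source grouping is what separates the two cases: the same five failures mean something different when they hit five accounts from one address than when five users each mistype once. On a wireless network the source address of interest is often the client's IP on the WLAN segment, so correlate it with the IAS log to recover the station MAC and the access point it associated through.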

Ensure that firewall logging is also being monitored. You can learn quite a bit from unsuccessful as well as successful traffic. Usage patterns and attacks can be traced just through periodic review of your logs.

Occasional access point discovery can make your job easier. By using tools such as Network Stumbler and the utilities that come with the wireless card you can discover rogue access points. You can also find out whether your desired signal levels are being maintained in each region of WLAN coverage.

Wireless Networking–Related IEEE Standards

By knowing which standards are still in draft and which ones are approved you can make educated buying decisions. Make sure that you check with the IEEE Web site (http://standards.ieee.org/wireless/) regularly. Here are some of the standards that might have an effect on your future WLAN architecture:

  • 802.11e—Quality of Service. The purpose of this standard is to enhance the current 802.11 Medium Access Control (MAC) to improve and manage Quality of Service and provide classes of service. The applications that could benefit from this standard include transport of voice, audio, and video over 802.11 wireless networks, video conferencing, and media stream distribution.

  • 802.11f—Access Point Interoperability. This standard calls for recommended practices for Inter-Access Point Protocol (IAPP), which provides the necessary capabilities to achieve multivendor AP interoperability across a distributed system.

  • 802.11h—Interference. This standard relates to the 802.11a (5GHz) range. It calls for network management and control extensions to allow for spectrum and transmit power management. This would enable regulatory acceptance of 802.11 5GHz products.

  • 802.11i—Security. This standard proposes enhancing the Medium Access Control layer to improve security and authentication mechanisms. It builds on IEEE 802.1X for port-based authentication and key delivery; WPA is the Wi-Fi Alliance's interim subset of it.

Other Resources

Using the wealth of information that’s available from the many vendors of wireless products, as well as software vendors such as Microsoft, is invaluable. There are many newsgroups focused on wireless security as well.

Communicating with other administrators who have implemented a similar wireless environment such as your company’s can be very helpful. User groups such as the Bay Area Wireless User Group provide great suggestions as to product configurations and modifications.

Some useful Web sites include the following:

Summary

The key to a successful implementation of secured wireless technologies is to begin with the end in mind. Never use a wireless LAN without some type of encryption, and be mindful of the type of encryption you plan to use. The standard WEP encryption should be the minimum level considered, with WPA (TKIP, or AES where the hardware supports it) combined with 802.1X authentication as the recommended norm.

When planning a wireless LAN implementation, an RF site survey can validate the number of access points needed to achieve the appropriate coverage in the facilities being used. Look at end user requirements such as the ability to roam throughout the office while maintaining a signal versus the expectation of a static position of users working wireless from just an office or conference room. These are important factors when determining access point positioning and overlap coverage.

Windows Server 2003's built-in support for 802.1X-authenticated wireless access (IAS and the wireless network Group Policy settings) assumes client systems running Windows XP Service Pack 1 or later, so the existing system configurations become important in the implementation of a secured wireless environment. An organization has the choice of lowering security to the lowest common denominator, and thus increasing security risk, or of requiring all client systems to meet a minimum system configuration standard to raise the level of supported wireless security on the network.

Lastly, creating wireless access policies and enforcing the policies becomes extremely important. Keep your network secure by keeping everyone informed of the security risks of setting up their own rogue access points. Perform periodic network audits by walking around with your laptop or pocket PC scanning for networks. Double-check each of the access points to ensure that they are configured and working correctly.

By designing a secure network, and then monitoring and managing the secured infrastructure, an organization can improve its level of security support throughout the organization.
