Security information for wireless networks

 

Wireless networking technologies provide convenience and flexibility, but they also expose your network to security risks. For example, unless authentication and authorization mechanisms are applied, anyone with a compatible wireless network adapter can access the network. Without encryption, wireless data is sent as plain text, so anyone within sufficient distance of a wireless access point can detect and receive all data sent to and from that access point.

The following security mechanisms enhance security over wireless networks:

    * Windows Firewall
    * 802.11 identity verification and authentication
    * 802.11 Wired Equivalent Privacy (WEP) encryption
    * Wi-Fi Protected Access (WPA)
    * 802.1X authentication
    * IAS support for 802.1X authentication

Windows Firewall

Windows Firewall runs on each client and server. It provides protection against network attacks, such as Trojan horse attacks, port scanning attacks and worms, that pass through your organization's perimeter network or originate inside it. Like many firewall technologies, Windows Firewall is a stateful firewall: it drops all incoming traffic that is neither a response to a request sent from the computer nor specified as allowed. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic.

Windows Firewall is not included in the original release of the Windows Server 2003 operating system.

On Windows Server 2003 with Service Pack 1 (SP1) installed, Windows Firewall is disabled by default on all connections, including LAN (wired or wireless), dial-up and virtual private network (VPN) connections. Windows Firewall is also disabled by default on all new connections.

If no firewall is installed and running on your wireless computer, it is recommended that you enable Windows Firewall. Right-click the wireless icon in the notification area, click Change Windows Firewall settings, and then select On.

For information about Windows Firewall, see Help: Turn Windows Firewall on or off for a specific connection; Help: Add a program to the Windows Firewall exception list; Help: Add a port to the Windows Firewall exception list; and Windows Firewall and Message Queuing.

802.11 identity verification and authentication

For identity verification and authentication, IEEE 802.11 defines the open system and shared key authentication subtypes:

    * Open system authentication does not actually provide authentication. It provides only identification, through an exchange of messages between the initiator (the wireless client) and the receiver (the wireless access point).
    * Shared key authentication provides authentication by verifying that the initiator knows a shared secret. The 802.11 standard assumes that the shared secret is sent to the wireless access point through a secure channel that is independent of 802.11.

For information about how to use these authentication subtypes, see Define preferred wireless networks in Group Policy or Define a wireless network connection on the client computer.

Important

    * To increase security and connectivity, do not use shared key authentication. Shared key authentication is less secure than open system authentication because it requires the exchange of a secret key that is shared by all wireless access points and clients, which makes it more vulnerable to known-text attacks. In addition, if you use shared key authentication on a wireless network that has multiple wireless access points, you may lose your network connection when you move from one wireless access point to another. In this case, you lose the connection because your network key does not match the shared key used by all wireless access points. To determine whether you are connecting to a wireless network with multiple wireless access points, use the Wireless Connection Monitor tool. For information about displaying wireless access points in this tool, see View details about wireless network access points.

802.11 WEP encryption

802.11 defines the WEP encryption algorithm. WEP keeps data confidential by encrypting the data sent between wireless access points and wireless clients.

To encrypt the data sent over the wireless network, WEP uses the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. A stream cipher is an encryption method in which the encryption key and algorithm are applied to each binary digit in the data stream (one bit at a time) to produce ciphertext. RC4, the stream cipher from RSA Data Security, Inc., accepts keys of arbitrary length. Data integrity is provided by an integrity check value (ICV) carried in the encrypted part of the wireless frame.
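
The WEP encapsulation described above, as an added example that is not part of the original page: RC4 keyed with a per-frame value followed by the 40-bit or 104-bit key, and an ICV appended to the payload before encryption. The 3-byte initialization vector (IV), the CRC-32 form of the ICV and the function names are details supplied here rather than stated on the page; the key ID octet and 802.11 header are omitted, and the key, IV and payload are constructed sample values.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor_bytes(data: bytes, stream: bytes) -> bytes:
    """XOR data with the keystream, byte by byte."""
    return bytes(a ^ b for a, b in zip(data, stream))

def wep_encapsulate(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || (RC4(IV || key) XOR (payload || ICV))."""
    if len(key) not in (5, 13):                # 40-bit or 104-bit key
        raise ValueError("WEP key must be 5 or 13 bytes")
    if len(iv) != 3:
        raise ValueError("IV must be 3 bytes")
    icv = zlib.crc32(payload).to_bytes(4, "little")   # unkeyed CRC-32
    body = payload + icv
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))

def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame and verify its ICV; raise ValueError on mismatch."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")               # constructed per-frame IV
    frame = wep_encapsulate(key, iv, b"constructed sample payload")
    print(frame.hex())
    print(wep_decapsulate(key, frame))
```

The ICV computed here takes no key as input, so it is a checksum over the payload rather than a keyed integrity check.
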
WPA

WPA is a new wireless security technology developed by the Wi-Fi Alliance. It strengthens the existing weaknesses of WEP encryption and provides a method for automatically generating and distributing encryption keys. It also checks the integrity of received data against changes made to packets by an attacker. To strengthen enterprise-level user authentication, WPA authenticates every user on the network and prevents users from joining rogue networks. WPA is based on existing technologies and, by offering forward compatibility with 802.11i and backward compatibility with existing 802.11 solutions, provides a practical solution to the vulnerabilities of WEP.

802.1X authentication

802.1X is an IEEE standard for providing authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management and accounting. The 802.1X standard improves security by allowing the computer and the network to authenticate each other, and by creating dynamically changing per-user or per-session keys for encrypting data sent over the wireless connection.

Important

    * For enhanced security in Windows XP Service Pack 1 and the Windows Server 2003 family, 802.1X authentication can be used only on access point (infrastructure) networks that require the use of a network key (WEP).
    * It is recommended that you use 802.1X authentication when you connect to 802.11 wireless networks. If you connect to an 802.11 wireless network without 802.1X enabled, the data you send is more open to attacks such as traffic analysis, bit flipping and malicious packet injection.

EAP authentication methods

802.1X uses the Extensible Authentication Protocol (EAP) for message exchange during authentication. With EAP, an arbitrary authentication method, such as passwords, smart cards or certificates, is used to authenticate the wireless connection. The 802.1X support for EAP types allows you to use any one of the following authentication methods:

    * EAP-Transport Layer Security (EAP-TLS), which uses a certificate for server authentication and a smart card or certificate for user and client computer authentication.
    * Protected EAP (PEAP) with EAP-Microsoft Challenge-Handshake Authentication Protocol version 2 (PEAP with EAP-MS-CHAP v2), which uses a certificate for server authentication and credentials (user name and password) for user authentication.
    * PEAP with EAP-TLS, which uses a certificate for server authentication and smart cards or certificates for user and client computer authentication.

For more information, see EAP, MS-CHAP version 2, Understanding 802.1X authentication for wireless networks, and PEAP.

Security and ease of deployment

When choosing an authentication method, strike a balance between the level of security you need and the effort you are willing to put into deployment. For the highest level of security, choose PEAP with certificates (EAP-TLS). PEAP uses TLS to improve the security of other EAP authentication protocols. With PEAP, TLS is used to create an end-to-end encrypted channel between an EAP client (for example, a wireless computer) and an EAP server (for example, an Internet Authentication Service (IAS) server). Both PEAP with EAP-TLS and stand-alone EAP-TLS provide strong security by using certificates for server authentication and a certificate or smart card for client computer and user authentication, but when PEAP with EAP-TLS is used, the client certificate information is encrypted.

For the easiest deployment, choose PEAP with passwords (EAP-MS-CHAP v2). PEAP with EAP-MS-CHAP v2 requires the least deployment effort because client authentication is based on passwords, so certificates or smart cards do not have to be installed on clients. Because PEAP creates an end-to-end encrypted channel before EAP-MS-CHAP v2 authentication is performed, the risk of an offline dictionary attack on the authentication exchange is reduced.

The session keys generated during the PEAP authentication process provide keying material for the WEP encryption keys that encrypt the data sent between wireless clients and wireless access points. PEAP also supports fast reconnect. Fast reconnect allows mobile users to keep a continuous wireless network connection while moving between different wireless access points on the same network, as long as each wireless access point is configured as a client of the same IAS (RADIUS) server.

For more information about certificate requirements for 802.1X authentication methods, see Network access authentication and certificates. For information about deploying smart cards, see Checklist: Deploying smart cards for logging on to Windows.

Important

    * If you deploy both PEAP and EAP that is not protected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying the same type of authentication method both with and without the protection of PEAP creates a security vulnerability.

IAS support for 802.1X authentication

To improve the security and deployment of wireless networks, you can use 802.1X with IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy server. When RADIUS is implemented, wireless access points, configured as RADIUS clients, use the RADIUS protocol to send connection requests and accounting messages to a central RADIUS server. The RADIUS server, which has access to a user account database and a set of rules for authorizing access, processes the wireless access point's connection request and then accepts or rejects it.

For more information about 802.1X authentication, see Understanding 802.1X authentication for wireless networks. For more information about configuring wireless network clients, see Configuring wireless network settings on client computers. For information about configuring IAS to authenticate wireless access, see Checklist: Configuring the IAS server and wireless access points for wireless access, and Wireless access.

 
Copyright 2010 | www.wirelessdatasecurity.net