Wireless Networks

Wireless Networking Concepts

Wireless networks have changed the way people use their computers.

Organizations can instantly network an entire building—including meeting rooms, common areas, and courtyards.

This can increase productivity and provide more flexible work spaces. For some buildings, including historical landmarks, this might be the only legal way to network a facility.

Business travellers can use their mobile computers to connect to the Internet from any place with a public wireless network (including hotels, airports, and coffee shops).

They can use this Internet connection to establish a VPN connection to their organization’s internal network. People can network their homes in just a few minutes. Users with mobile computers can establish an ad hoc network while traveling and share resources without a network infrastructure.

Unfortunately, wireless networks have also introduced some problems:
■ Because a physical connection isn’t required, attackers can connect to wireless networks from outside your facility (such as from your car park, other offices in the same building, or even buildings hundreds of feet away).
■ By default, most wireless access points use neither authentication nor encryption. This allows any attacker who can send and receive a wireless signal to connect to your network. Additionally, attackers can capture data as it crosses the network.

Technologies such as Wired Equivalent Protection (WEP) and Wi-Fi Protected Access (WPA) provide both authentication and encryption for wireless networks.
However, they’re vulnerable to cracking attacks by attackers who can receive a wireless signal. Attackers with the right skill and equipment within a few hundred feet of a wireless access point can often identify the key used to connect to a WEP-protected wireless network.

Wireless Standards

802.11b – The original and still most common wireless network type.
802.11b advertises a theoretical network throughput of 11 Mbps, but 3–4 Mbps is more realistic.
Because 802.11g and 802.11n are backward-compatible with 802.11b, an 802.11b client can connect to almost any network (albeit at the slower 802.11b speed).

802.11g – An update to 802.11b that advertises a theoretical network throughput of 54 Mbps (with 10–15 Mbps realistic bandwidth under good circumstances).
You can use 802.11g network access points in one of two modes: mixed (which supports 802.11b clients but reduces bandwidth for all clients) or 802.11g-only (which does not support 802.11b clients but offers optimal bandwidth).

802.11n – An update to 802.11g and 802.11b that provides improved range and claims throughput of 250 Mbps (with a much smaller realistic bandwidth).
In addition to providing backward compatibility with 802.11b and 802.11g, this standard is backward compatible with 802.11a.

Wireless Security Standards

No security
To grant guests easy access, you can choose to allow clients to connect to a wireless access point without authentication (or encryption).
To provide some level of protection, some wireless access points detect new clients and require the user to open a Web browser and acknowledge a usage agreement before the router grants the user access to the Internet.
Unfortunately, any communications sent across an unprotected wireless network can be intercepted by attackers who can receive the wireless signal (which typically broadcasts several hundred feet).

Because almost all public wireless networks are unprotected, ensure that your mobile users understand the risks.
If you allow users to connect to unprotected wireless networks, provide encryption at other layers whenever possible.
For example, use Secure Sockets Layer (SSL) to protect communications with your e-mail server, require users to connect using an encrypted VPN, or require IPsec communications with encryption.

Wired Equivalent Protection (WEP)
WEP, available using either 64-bit or 128-bit encryption, was the original wireless security standard.
Unfortunately, WEP has significant vulnerabilities because of weaknesses in the cryptography design.
Potential attackers can download freely available tools on the Internet and use the tools to crack the key required to connect to the WEP network—often within a few minutes.
Therefore, neither 64-bit nor 128-bit WEP can protect you against even unsophisticated attackers.
However, WEP is sufficient to deter casual users who might connect to an otherwise unprotected wireless network.
WEP is almost universally supported by wireless clients (including non-Windows operating systems and network devices, such as printers) and requires no additional infrastructure beyond the wireless access point.
When connecting to a WEP network, users must enter a key or passphrase (though this process can be automated).

Wi-Fi Protected Access (WPA)
Like WEP, WPA provides wireless authentication and encryption. WPA can offer significantly stronger cryptography than WEP, depending on how it is configured.
WPA is not as universally supported as WEP, however, so if you have non-Windows wireless clients or wireless devices that do not support WPA, you might need to upgrade them before you can use it. Computers running Windows support WPA-PSK and WPA-EAP.

WPA-PSK (for preshared key), also known as WPA-Personal, uses a static key, similar to WEP. Unfortunately, this static key means it can be cracked using brute-force techniques.
Additionally, static keys are extremely difficult to manage in enterprise environments.

WPA-EAP (Extensible Authentication Protocol), also known as WPA-Enterprise, passes authentication requests to a back-end server, such as a Windows Server 2008 computer running RADIUS.
Network Policy Server (NPS) provides RADIUS authentication on Windows servers. NPS can pass authentication requests to a domain controller, allowing WPA-EAP protected wireless networks to authenticate domain computers without requiring users to type a key.
WPA-EAP enables very flexible authentication, and Windows Vista and Windows Server 2008 enable users to use a smart card to connect to a WPA-Enterprise protected network.
Because WPA-EAP does not use a static key, it is easier to manage: there is no shared key to change if an attacker discovers it, and multiple wireless access points can use a single, central server for authentication. Additionally, it is much harder to crack than WEP or WPA-PSK.

WPA2 (also known as IEEE 802.11i) is an updated version of WPA, offering improved security and better protection from attacks. Like WPA, WPA2 is available as both WPA2-PSK and WPA2-EAP.
Windows Vista, Windows Server 2003, and Windows Server 2008 include built-in support for WEP, WPA, and WPA2. Windows XP can support both WPA and WPA2 by installing updates available from Microsoft.com.
Recent versions of Linux and the Mac OS are capable of supporting WEP, WPA, and WPA2.
Network devices, such as printers that connect to your wireless network, might not support WPA or WPA2.

When selecting a wireless security standard, choose the first standard on this list that all clients can support:
■ 128-bit WEP
■ 64-bit WEP
If not all clients can support WPA-EAP or WPA2-EAP, consider upgrading those clients before deploying a wireless network.
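Before deciding which standard your clients can support, it helps to know what they are already using. The following PowerShell audit is an added example, not part of the lesson: it exports the wireless profiles saved on a Windows client with netsh, classifies each one against the standards described above, and flags profiles that fall below a chosen floor. It assumes netsh.exe with the WLAN AutoConfig service (Windows Vista and later) and rights to export profiles; the ordering (EAP above PSK, WPA2 above WPA, then WEP, then open) and the default floor of WPA-EAP follow the lesson's guidance, and the authentication and encryption values it matches are those used in the netsh profile XML.

```powershell
# Added example, not from the lesson: audit saved Wi-Fi profiles on a Windows client and
# rank each profile's security against the standards the lesson describes.
# Assumes netsh.exe (WLAN AutoConfig, Windows Vista or later) and rights to export profiles.

# Strongest first, in the lesson's order (EAP above PSK, WPA2 above WPA, WEP, open).
$rank = @{ 'WPA2-EAP' = 6; 'WPA-EAP' = 5; 'WPA2-PSK' = 4; 'WPA-PSK' = 3; 'WEP' = 2; 'Open' = 1 }

function ConvertTo-WlanStandard {
    param([string]$Authentication, [string]$Encryption)
    # Values come from the <authentication> and <encryption> elements of the exported profile XML.
    switch ($Authentication) {
        'WPA2'    { return 'WPA2-EAP' }
        'WPA'     { return 'WPA-EAP' }
        'WPA2PSK' { return 'WPA2-PSK' }
        'WPAPSK'  { return 'WPA-PSK' }
        default {
            if ($Encryption -eq 'WEP')       { return 'WEP' }
            elseif ($Encryption -eq 'none')  { return 'Open' }
            else                             { return 'Unrecognised' }   # e.g. newer standards not in the lesson
        }
    }
}

function Get-WlanProfileAudit {
    param([string]$MinimumStandard = 'WPA-EAP')   # the lesson's floor for enterprise use

    $folder = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $folder | Out-Null
    try {
        # Without key=clear the exported XML carries no plaintext key material.
        netsh wlan export profile folder="$folder" | Out-Null

        foreach ($file in Get-ChildItem -Path $folder -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName
            $auth = $doc.WLANProfile.MSM.security.authEncryption.authentication
            $enc  = $doc.WLANProfile.MSM.security.authEncryption.encryption
            $std  = ConvertTo-WlanStandard -Authentication $auth -Encryption $enc
            [pscustomobject]@{
                Profile        = $doc.WLANProfile.name
                Authentication = $auth
                Encryption     = $enc
                Standard       = $std
                MeetsPolicy    = ($rank.ContainsKey($std) -and $rank[$std] -ge $rank[$MinimumStandard])
            }
        }
    }
    finally {
        # Remove the exported profiles so they do not linger on disk.
        Remove-Item -Path $folder -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage: list every saved profile below the floor, weakest first.
Get-WlanProfileAudit | Where-Object { -not $_.MeetsPolicy } |
    Sort-Object { $rank[$_.Standard] } | Format-Table -AutoSize
```

Run it on a sample of client machines (or push it through a logon script) before the wireless rollout; a profile that reports WEP or Open is exactly the kind of connection the lesson warns about, and a machine with no profile above WPA-PSK is one to upgrade first.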

Public Key Infrastructure

WEP and WPA-PSK rely on static keys for wireless authentication, and, as a result, they are both insecure and unmanageable in enterprise environments.
For better security and manageability, you will need to use WPA-EAP.
The most straightforward approach to deploying WPA-EAP is to use a PKI (Public Key Infrastructure) to deploy certificates to both your RADIUS server and all wireless client computers.

Install the Certification Authority role as follows:
■ Select Active Directory Certificate Services and click Next, then click Next again.
■ Select Certification Authority and click Next.
■ Select Enterprise and click Next.
■ Select Root CA and click Next.
■ Select Create a new private key and click Next.
■ Click Next to accept the default cryptography settings.
■ Click Next to accept the default CA name.
■ Accept the default validity period of 5 years and click Next.
■ Click Next to accept the default certificate database and log file locations.
■ Confirm the installation selections and click Install. When the Certificate Authority is installed, click Close.
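The same installation, scripted, as an added example that is not part of the lesson: it uses the ADCSDeployment cmdlets that ship with Windows Server 2012 and later (the Windows Server 2008 wizard in the lesson has no cmdlet equivalent) and reproduces the wizard choices above: Enterprise, Root CA, a new private key, the default CA name, a 5-year validity period and the default database and log locations. It assumes an elevated session as an Enterprise Admin on a domain-joined server; the SHA256 hash is my choice rather than the wizard's default.

```powershell
# Added example, not from the lesson: the Enterprise Root CA installation the lesson performs
# in the Add Roles wizard, using the ADCSDeployment cmdlets of Windows Server 2012 and later.
# Run elevated as an Enterprise Admin on a domain-joined server.

Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

$caParams = @{
    CAType              = 'EnterpriseRootCA'   # wizard: "Enterprise", then "Root CA"
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # wizard: "Create a new private key"
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'             # assumption: chosen here; the lesson accepts the wizard default
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                    # the wizard's default 5-year validity period
    Force               = $true                # proceed without the confirmation prompt ("Install")
}
# CACommonName, DatabaseDirectory and LogDirectory are left out so the cmdlet uses the same
# defaults the wizard offers (generated CA name, %SystemRoot%\system32\CertLog).
Install-AdcsCertificationAuthority @caParams

# Checks worth running before moving on to auto-enrollment:
Get-Service -Name CertSvc            # Status should be Running
certutil -cainfo name                # prints the CA name as registered

# The root CA certificate is self-signed and holds its private key in the machine store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
    Select-Object Subject, NotAfter, Thumbprint
```

Keeping the parameters in a hashtable makes the CA build repeatable and reviewable, which matters for a root CA because the choices made here (key length, hash, validity) are fixed for the lifetime of the certificate hierarchy.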

Auto Enrollment

With the Certificate Authority in place, you can now use a Group Policy object to enable auto-enrollment, ensuring that client computers have the certificates needed for WPA-EAP wireless authentication.
Click Group Policy Management. Select Default Domain Policy and click Settings. Right-click Security Settings and select Edit.

Expand Computer Configuration > Policies. Expand Security Settings. Click Public Key Policies, right-click Certificate Services Client – Auto-Enrollment, and select Properties. Select Enabled, then click OK.
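The same policy change, applied and verified from PowerShell, as an added example that is not part of the lesson: it sets the AEPolicy registry value under the Default Domain Policy (the value the Group Policy editor writes for the Auto-Enrollment setting), then forces a client to refresh policy and enroll. It assumes the GroupPolicy module (RSAT on Windows Server 2008 R2 or later), a client running Windows 7 or later for certutil -pulse, and that a certificate template granting Domain Computers the Autoenroll permission has been published on the CA, which the lesson does not cover.

```powershell
# Added example, not from the lesson: enable Certificate Services Client - Auto-Enrollment in the
# Default Domain Policy with the GroupPolicy module, then verify enrollment on a client.
# Assumes a Domain Admin session with the GroupPolicy module (RSAT, Windows Server 2008 R2+).

Import-Module GroupPolicy

$gpoName = 'Default Domain Policy'
# Computer Configuration > Policies > ... > Public Key Policies > Certificate Services Client -
# Auto-Enrollment is stored under this policy key in the GPO's registry.pol.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# AEPolicy 7 = Enabled with "Renew expired certificates..." and "Update certificates that use
# certificate templates" both selected; 0x8000 would mean Disabled.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Read back what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy'

# On a domain-joined client: pull the new policy and trigger auto-enrollment immediately
# instead of waiting for the next refresh (certutil -pulse needs Windows 7 / 2008 R2 or later).
gpupdate /target:computer /force
certutil -pulse

# Confirm a machine certificate from the enterprise CA landed in the computer's personal store.
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter
```

If the last command shows no certificate issued by your CA, the usual cause is not the GPO but the template: auto-enrollment only issues certificates from templates that are published on the CA and grant Domain Computers the Autoenroll permission, so check that before troubleshooting the wireless side.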