Wireless networking has existed for many years, but
it is only recently, with the publication of the 802.11 series of
standards by the Institute of Electrical and Electronics Engineers
(IEEE), that wireless local area networking (WLAN)
technologies have become mainstream products. WLANs enable home and
business users to set up computer networks between places that were
previously inaccessible, and enable portable computer users to roam
freely while connected to the network. However, wireless networking
creates unique security challenges that administrators must address.
Understanding Wireless Networking Standards
Until recently,
wireless networking was based on standards defining physical layer
technologies that, while reasonably effective, were much slower than the
average cabled network and not altogether reliable. These technologies were
also expensive and difficult to implement. In 1997, however, the IEEE
released the first standard from its 802.11 working group, called
“Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
Specifications,” defining a new series of technologies for the WLAN
physical layer. For the wireless networking industry, the key document
in this series of standards was IEEE 802.11b, ratified in 1999,
“Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
specifications—Amendment 2: higher-speed Physical Layer (PHY) extension
in the 2.4 GHz band.”
The 802.11b standard defines a
physical layer specification that enables WLANs to run at nominal speeds of up to
11 megabits per second (Mbps), slightly faster on paper than a standard 10 Mbps Ethernet
network, although the shared, half-duplex radio medium and protocol overhead
leave actual throughput well below that figure. When products conforming to this standard arrived on the
market, they quickly became a popular solution, both for home and
business use. Prices dropped accordingly and, for the first time,
wireless networking became a major force in the industry.
Development
continues on standards that are designed to provide even higher WLAN
transmission speeds. The 802.11a standard, “Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications: Amendment 1:
High-speed Physical Layer in the 5 GHz band” defines a medium with
speeds running up to 54 Mbps, while 802.11g, “Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications—Amendment 4:
Further Higher Data Rate Extension in the 2.4 GHz Band,” calls for
the same 54 Mbps maximum using the 2.4 GHz frequencies of
802.11b, so that 802.11g equipment remains compatible with 802.11b devices.
See Also
For more information on IEEE standards, and to obtain the standards themselves, see the IEEE Web site at http://www.ieee.org.
Wireless Networking Topologies
In computer networking, the term topology
typically refers to the pattern of the cables used to connect the
computers. Wireless networks do not use cables, but they still have a
topology, which defines how the wireless devices interact at the
physical layer. At the physical layer, IEEE 802.11b WLANs use direct
sequence spread spectrum communications at a frequency of 2.4 GHz, and
the devices can communicate with each other using two basic topologies:
ad hoc and infrastructure.
Off the Record
Cabled networks are sometimes referred to as bounded
media, because their signals are confined to a given space, that is,
the interior of the cable. Wireless networks are therefore called unbounded media, because their signals are not physically restricted in this way.
An ad hoc network
consists of two or more wireless devices communicating directly with
each other. The signals generated by WLAN network interface adapters are
omnidirectional out to a range that is governed by environmental
factors, as well as the nature of the equipment involved. The area covered by this range is
called a basic service area (BSA). When two wireless devices come within range of each other, as shown in Figure 1,
they are able to connect and communicate, immediately forming a
two-node network. The wireless devices within the same basic service area
are collectively called a basic service set (BSS); the 802.11 standard refers to an
ad hoc BSS, which has no access point, as an independent BSS (IBSS).
Other
wireless devices coming within the transmission range of the first two
can also participate in the network. Ad hoc networking is not
transitive, however. A wireless device that comes within range of
another device, but still lies outside the range of a third, can
communicate only with the device in its range; the device in the middle
does not relay traffic on its behalf.
Note
The
ad hoc topology is most often used on home networks, or for very small
businesses that have no cabled network components at all.
An infrastructure network uses a wireless device called an access point as a bridge between wireless devices and a standard cabled network. An access point
is a small unit that connects to an Ethernet network (or other cabled
network) by cable, but that also contains an 802.11b-compliant wireless
transceiver. Other wireless devices coming within range of the access
point are able to communicate with the cabled network, just as though
they were connected by a cable themselves (see Figure 2).
The access point functions as a transparent bridge, effectively
extending the cabled local area network (LAN) to include the wireless
devices.
Note
On
an infrastructure network, wireless devices communicate only with the
access point; they do not communicate with each other directly.
Therefore, even if two wireless computers are within range of each
other, they must still send their traffic through the access point, which relays it between them.
Most business
networks use the infrastructure topology because it provides complete
connectivity between wireless devices and the cabled network.
Understanding Wireless Network Security
Unlike
bounded media, in which every device on the network must be physically
connected to a cable for communication to occur, wireless networks
transmit signals in all directions, and any compatible device coming
within transmission range may be able to connect to the network.
Depending on how many access points you have and where they are located,
the boundary of your equipment’s effective range can easily fall
outside a controllable area. For example, placing an access point near a
building’s outer wall can enable an unauthorized user with a
wireless-equipped laptop to access your network from a car parked
outside the building.
For this reason, security
should be a major concern for all wireless network installations. The
two primary threats when it comes to wireless networking are as follows:
Unauthorized access
An unauthorized user with a wireless workstation connects to the
network and accesses network resources. This is the functional
equivalent of a user connecting to a cabled network by plugging into an
available jack or splicing into the cable, but on a wireless network,
the process of making the network connection is much easier. On an
infrastructure network, this type of attack compromises the entire
network because the user may be able to access bounded as well as
unbounded resources. To prevent unauthorized users from connecting to a
wireless network, you must implement a system that authenticates and
authorizes users before they receive significant access.
Data interception
A user running a protocol analyzer with a wireless network interface
adapter may be able to capture all the packets transmitted between the
other wireless devices and the access point. The device
can be as simple as a laptop running Microsoft Network Monitor with a
network interface adapter and driver that can capture frames not addressed
to it (for 802.11 adapters this is monitor mode; ordinary promiscuous mode
typically exposes only the traffic of a network the adapter has already joined). This
type of attack endangers only the data transmitted over the air, but it
is entirely passive and leaves no traces, so it is virtually undetectable. The only way to
protect against this type of attack is to encrypt all packets
transmitted over wireless connections. Encryption does not prevent intruders
from capturing the packets, but it does prevent them from reading the
data inside, provided the encryption itself is sound.
Controlling Wireless Access Using Group Policies
Windows Server
2003 provides security capabilities for wireless networking in the form
of group policies that you can use to restrict users’ wireless access to
the network. In the Group Policy Object Editor console, you can create a
policy in the Computer Configuration\Windows Settings\Security
Settings\Wireless Network (IEEE 802.11) Policies subheading that enables
you to specify whether wireless-equipped computers can connect to ad
hoc networks only, infrastructure networks only, or both (see Figure 3).
In
the Preferred Networks tab, you can specify the networks to which users
can connect and set properties for the IEEE 802.1X security protocol,
such as which authentication protocol to use (see Figure 4). Using these group policy settings, you can configure the wireless networking properties for all the computers on your WLAN.
Authenticating Users
You
can use several methods to authenticate users attempting to connect to
your WLAN and to prevent unauthorized access by outsiders. The IEEE
802.11 standard itself defines two methods: Open System authentication
and Shared Key authentication, and Windows Server 2003 supports a third
method, based on another standard called IEEE 802.1X.
Open System Authentication
Open System authentication
is the default authentication method used by IEEE 802.11 devices, and
it actually provides no authentication at all. Open System
authentication is simply an exchange of messages in which one system
identifies itself to another and the other system replies. There is no
exchange of passwords, keys, or any other type of credential, and the
exchange gives a device configured to use Open System authentication no basis on which to
refuse authentication to another; any access control must come from a
separate mechanism applied afterwards, such as IEEE 802.1X.
Shared Key Authentication
Shared Key authentication
is a system by which wireless devices authenticate each other using a
secret key that both possess. The key is assumed to have been shared
before authentication using a secure channel independent of 802.11
communications to prevent it from being compromised during transmission.
Shared Key authentication is not a particularly secure method. All the
computers in the same BSS must possess the same key, so compromising the
key on one system nullifies the authentication security for the entire BSS.
Worse, the exchange transmits a challenge in the clear followed by the same
challenge encrypted with WEP, which gives any eavesdropper a matched
plaintext and ciphertext pair, and therefore the RC4 keystream for that
initialization vector; with it, the eavesdropper can answer a later
challenge correctly without ever learning the key. For this reason Shared
Key authentication is generally considered weaker than Open System
authentication combined with encryption of the data frames.
Important
Shared
Key authentication requires the use of the Wired Equivalent Privacy
(WEP) algorithm. If WEP is not implemented, Shared Key authentication is
not available.
During a Shared Key authentication, messages are exchanged between the requester and the responder as follows:
1. The
system requesting authentication asserts its identity to the other
system, using a message that contains a value that identifies the shared
key (not the shared key itself) that the system is using.
2. The
system receiving the authentication request responds with a message
containing the authentication result. If the request is accepted for
processing, the response message includes a 128-byte block of challenge
text generated by the WEP pseudo-random number generator.
3. The
requester copies the challenge text from the response message into a new
message and encrypts it with WEP, using the shared key as the encryption
key.
4. The
responder decrypts the message and compares the decrypted challenge
text with the text it transmitted in step 2. If the values
match, the responder grants the authentication.
IEEE 802.1X Authentication
The IEEE 802.1X
standard, “Port Based Network Access Control,” defines a method of
authenticating and authorizing users connecting to an IEEE 802 LAN, and
blocking those users’ access to the LAN should the authentication fail.
IEEE 802.1X can authenticate users connecting to any type of IEEE 802 LAN, such
as Ethernet or Token Ring, but it is particularly valuable for IEEE 802.11
wireless LANs, where there is no physical jack to guard: the access point
keeps the client’s logical port closed to everything except authentication
traffic until the authentication succeeds.
Most IEEE 802.1X implementations function as clients of a server running a Remote Authentication Dial-In User Service (RADIUS),
such as the Internet Authentication Service (IAS) included with Windows
Server 2003. The RADIUS server provides centralized authentication and
authorization services for the entire network; for WLAN authentication,
RADIUS typically uses one of the following two authentication protocols:
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)— EAP is an authentication framework that is designed to be adaptable, so that it can carry a variety of authentication methods
within a single packet format. EAP-TLS carries the TLS handshake inside EAP
packets; the handshake provides mutual authentication of client and server
by certificate, integrity-protected negotiation of cipher suites, and a
key exchange based on public key cryptography, from which the keys that
protect the wireless link are derived. Networks that use EAP-TLS therefore have a public
key infrastructure (PKI) in place and issue certificates, stored on the
computer or on smart cards, to every wireless client.
Protected EAP-Microsoft Challenge Handshake Authentication Protocol, version 2 (PEAP-MS-CHAP v2)—
PEAP is a variation on EAP that is designed for networks that do not
issue certificates to their wireless clients. With PEAP, you can use a
password-based authentication method, such as MS-CHAP v2, to
authenticate wireless connections. PEAP first establishes a TLS-encrypted channel,
authenticated by a certificate on the RADIUS server only, and then runs the
password-based exchange inside it. Therefore,
password-based authentication exchanges such as those that occur in
MS-CHAP v2 are not exposed to offline dictionary attacks. (In an offline
dictionary attack, an intruder captures a challenge-response exchange and
then, at leisure and without further contact with the network, tries
candidate passwords from a word list until one reproduces the captured
response; the attack succeeds quickly when the password is weak.) The
protection depends entirely on the client verifying the server’s
certificate before it sends its credentials: a client configured to skip
that check will hand its MS-CHAP v2 exchange to any access point and
RADIUS server that impersonate yours.
Important
To
use PEAP-MS-CHAP v2 for wireless network authentication, the wireless
client must be running either Windows Server 2003 or Windows XP with SP1
installed.
With
this system in place, an access point receiving a connection request
from a wireless client forwards the client’s authentication messages to the RADIUS server
as RADIUS requests; the server checks them against information in a data store,
such as the Active Directory database, and returns an accept or reject
decision to the access point. Until an accept arrives, the access point
blocks everything from the client except the authentication traffic itself.
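The access point to RADIUS leg described above, as an added example that is not code from the original text or from the Windows Server 2003 Internet Authentication Service. It assumes a hypothetical shared secret and a small constructed dictionary standing in for the Active Directory lookup, and it collapses the real multi-round EAP exchange (Access-Challenge packets carrying EAP-TLS or PEAP) into a single request and reply. What it shows is the RADIUS packet layout from RFC 2865, the two integrity checks (Message-Authenticator and Response Authenticator) that bind the access point and the server together through the shared secret, and why a reply forged by someone who does not hold that secret is discarded.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865 and RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows

# Constructed stand-in for the Active Directory lookup: identity -> allowed to connect?
DIRECTORY = {b"alice": True, b"bob": False}


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    packet, with this attribute zeroed and the Request Authenticator in the header.
    Mandatory in both directions whenever an EAP-Message attribute is present."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def eap_packet(code, ident, payload=b""):
    """EAP header (RFC 3748): code 2 = Response, 3 = Success, 4 = Failure."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def ap_build_access_request(secret, ident, identity):
    """Access point (the RADIUS client) wraps the supplicant's EAP-Response/Identity."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = [(USER_NAME, identity),
             (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
             (EAP_MESSAGE, eap_packet(2, ident, b"\x01" + identity)),  # EAP type 1 = Identity
             (MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    return request_auth, build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server_handle(packet, secret, directory):
    """Server side: check that the request came from a client holding the shared secret,
    consult the directory, and answer. Returns None when the packet must be silently
    discarded. (The Access-Challenge rounds of a real EAP method are collapsed here.)"""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    given = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    expected = message_authenticator(code, ident, request_auth, attrs, secret)
    if code != ACCESS_REQUEST or given is None or not hmac.compare_digest(given, expected):
        return None
    accept = bool(directory.get(dict(attrs).get(USER_NAME)))
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    reply_attrs = [(EAP_MESSAGE, eap_packet(3 if accept else 4, ident)),
                   (MESSAGE_AUTHENTICATOR, bytes(16))]
    reply_attrs[-1] = (MESSAGE_AUTHENTICATOR,
                       message_authenticator(reply_code, ident, request_auth, reply_attrs, secret))
    body = encode_attrs(reply_attrs)
    # Response Authenticator = MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)
    response_auth = hashlib.md5(HEADER.pack(reply_code, ident, 20 + len(body))
                                + request_auth + body + secret).digest()
    return build_packet(reply_code, ident, response_auth, reply_attrs)


def ap_verify_reply(reply, request_auth, ident, secret):
    """Access point checks both authenticators before acting on the decision.
    Returns True (accept), False (reject) or None (reply is not trustworthy)."""
    code, reply_ident, length = HEADER.unpack(reply[:4])
    body = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + body + secret).digest()
    if reply_ident != ident or not hmac.compare_digest(reply[4:20], expected):
        return None
    attrs = decode_attrs(body)
    mac = dict(attrs).get(MESSAGE_AUTHENTICATOR, b"")
    if not hmac.compare_digest(mac, message_authenticator(code, ident, request_auth, attrs, secret)):
        return None
    return code == ACCESS_ACCEPT


def authorize(identity, ap_secret, server_secret, directory=DIRECTORY, ident=1):
    """One access point <-> RADIUS round trip for a wireless client."""
    request_auth, request = ap_build_access_request(ap_secret, ident, identity)
    reply = radius_server_handle(request, server_secret, directory)
    if reply is None:
        return "no reply"
    decision = ap_verify_reply(reply, request_auth, ident, ap_secret)
    return {None: "bad reply", True: "accept", False: "reject"}[decision]


def forged_accept_is_rejected(ap_secret, ident=1):
    """A rogue host that can inject packets but lacks the secret fabricates an
    Access-Accept; the access point's Response Authenticator check must catch it."""
    request_auth, _ = ap_build_access_request(ap_secret, ident, b"intruder")
    attrs = [(EAP_MESSAGE, eap_packet(3, ident))]
    body = encode_attrs(attrs)
    guessed = hashlib.md5(HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(body))
                          + request_auth + body + b"guessed-secret").digest()
    forged = build_packet(ACCESS_ACCEPT, ident, guessed, attrs)
    return ap_verify_reply(forged, request_auth, ident, ap_secret) is None
```

The shared secret is the only thing that authenticates the RADIUS server to the access point, and the MD5-based authenticators are weak by today's standards, so the RADIUS traffic belongs on a management segment that wireless clients cannot reach, and each access point should have its own secret so that compromising one does not let an intruder forge decisions for the rest.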
Encrypting Wireless Traffic
To prevent data transmitted
over a wireless network from being compromised through unauthorized
packet captures, the IEEE 802.11 standard defines an encryption
mechanism called Wired Equivalent Privacy (WEP).
WEP is an encryption system based on the RC4 stream cipher designed by
Ron Rivest of RSA Security Inc. WEP depends on encryption keys supplied by
a mechanism external to WEP itself, traditionally a static key typed into
every device. In cases where WEP is
used with IEEE 802.1X to create a comprehensive wireless security
solution for the Windows operating system, WEP instead uses per-session keys
derived during the EAP-TLS or PEAP-MS-CHAP v2 authentication to encrypt the
data in the packets.
Off the Record
Microsoft
recommends using the WEP and IEEE 802.1X combination as a suitable
security configuration for wireless clients running the Windows
operating system. Bear in mind, however, that WEP’s use of RC4 has known
flaws that let an intruder recover the key from a sufficiently large capture
of traffic, so the combination relies on IEEE 802.1X rotating keys often
enough to stay ahead of that attack and should be regarded as a stopgap
rather than a long-term design.
The degree of
protection that WEP provides is governed by configurable parameters that
control the length of the keys used to encrypt the data and the
frequency with which the systems generate new keys. Longer and more
frequently changed keys produce better security, because an intruder who
captures traffic must gather enough packets encrypted under one key to
recover it before that key is retired.
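The Shared Key exchange listed step by step under “Shared Key Authentication” and the WEP encryption described in this section, combined in one added example that is not code from the original text or from any 802.11 implementation. RC4, the WEP framing (3-byte IV sent in the clear, CRC-32 integrity check value) and the four-message exchange follow the standard; os.urandom stands in for the WEP pseudo-random number generator, and the 104-bit key, the station names and the 3-byte IV chosen at random are assumptions. The last function demonstrates the weakness noted under “Shared Key Authentication”: after watching one legitimate exchange, an eavesdropper holds the keystream for that IV and can authenticate without the key.

```python
import os
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream for `key`; WEP seeds RC4 with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """(plaintext || ICV) XOR RC4(iv || key); the 3-byte IV is sent in the clear."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes):
    """Plaintext, or None when the ICV does not verify."""
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


CHALLENGE_LEN = 128  # the 802.11 Shared Key challenge text is 128 octets


class Responder:
    """Access point side of Shared Key authentication (steps 2 and 4)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # requester -> challenge awaiting an answer

    def step2_challenge(self, requester: str) -> bytes:
        # The standard draws the challenge from the WEP PRNG; os.urandom stands in here.
        challenge = os.urandom(CHALLENGE_LEN)
        self.pending[requester] = challenge
        return challenge

    def step4_verify(self, requester: str, iv: bytes, ciphertext: bytes) -> bool:
        challenge = self.pending.pop(requester, None)
        # Nothing here rejects a reused IV; that gap is what the attack below exploits.
        return challenge is not None and wep_decrypt(self.key, iv, ciphertext) == challenge


def step3_respond(key: bytes, challenge: bytes):
    """Requester encrypts the challenge under its copy of the key with a fresh IV."""
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)


def authenticate(ap_key: bytes, station_key: bytes) -> bool:
    """The four-message exchange; True only when both sides hold the same key."""
    ap = Responder(ap_key)
    challenge = ap.step2_challenge("station")  # step 1, the identity assertion, is implicit
    iv, ciphertext = step3_respond(station_key, challenge)
    return ap.step4_verify("station", iv, ciphertext)


def keystream_replay_attack(ap_key: bytes) -> bool:
    """An eavesdropper who never learns the key authenticates after watching one exchange."""
    ap = Responder(ap_key)
    # Everything below is visible on the air: challenge, IV and ciphertext.
    challenge = ap.step2_challenge("victim")
    iv, ciphertext = step3_respond(ap_key, challenge)
    assert ap.step4_verify("victim", iv, ciphertext)
    # Known plaintext (challenge || ICV) XOR ciphertext = the 132-byte keystream for this IV.
    keystream = xor(ciphertext, challenge + icv(challenge))
    # Every challenge has the same length, so that keystream answers any new one
    # as long as the attacker reuses the same IV.
    new_challenge = ap.step2_challenge("attacker")
    forged = xor(new_challenge + icv(new_challenge), keystream)
    return ap.step4_verify("attacker", iv, forged)


if __name__ == "__main__":
    key = bytes(range(13))  # assumed 104-bit key, the setting marketed as "128-bit WEP"
    print("legitimate station:", authenticate(key, key))
    print("station with wrong key:", authenticate(key, bytes(13)))
    print("eavesdropper without key:", keystream_replay_attack(key))
```

The same keystream reuse is what undermines WEP data encryption as a whole: the 24-bit IV space is exhausted quickly on a busy network, and any two frames encrypted under the same IV and key leak the XOR of their plaintexts. That is why the key length and rekeying interval discussed above matter, and why a responder that tracked and refused repeated IVs would still only narrow, not close, the problem.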
Tip
Be
sure you are familiar with the security hazards inherent in wireless
networking, and with the mechanisms that Windows operating systems can
use to authenticate wireless clients and encrypt their traffic.