Configure and Troubleshoot Wireless Networking (part 2) - Wireless Security

3/18/2011 5:45:26 PM

Wireless Security

Microsoft Windows Vista offers the full complement of wireless security. Wireless security presents the most troublesome aspect of wireless network configuration because the WCN wizards, along with a host of other wizards in the Network and Sharing Center, allow easy creation of a wireless connection.

Several security features offer a thin layer of security to wireless communication. The following sections look at these before proceeding into the two major aspects of securing wireless communication: authentication and encryption.

To Broadcast or Not Broadcast the SSID: That Is the Question

Many previous works on wireless security describe one way to make it harder to hack a wireless network: disable the broadcast of the SSID. This is a nonissue anymore because a plethora of tools can easily discover access points that are not broadcasting the SSID, as well as prompt the APs to give up the SSID. Although this may seem like a good idea because it hides the AP from the casual bad guy, in reality not broadcasting the SSID is probably more of a nuisance to the network administrator than to the bad guys attempting to crack into your wireless network. In addition, the fact that even Windows Vista now supports the ability to “see” APs that are not broadcasting their SSID makes this security mechanism fairly useless when you are trying to hide the AP’s presence.

MAC Address Filtering

Wireless access points usually contain a feature referred to as MAC ID filtering. This allows you to select which MAC addresses are allowed to associate with the AP for a wireless connection. This is a tedious process because you must acquire the MAC IDs of all wireless adapters within the environment. In addition, you must manually update this list as MAC IDs are added or subtracted in the environment due to new devices being added or older devices being discarded.

One obvious downside to relying on MAC ID filtering is that MAC IDs can be easily faked because the MAC address is unencrypted by wireless encryption schemes. Tools such as SMAC can adjust the MAC ID used by a network device without modifying the burned-in address. SMAC is one of many widely available security or cracking utilities for this purpose. An additional downside to this thin layer of added security is that MAC IDs within the BIOS of many computers can also be adjusted, thus making it harder to manage which MAC IDs are allowed on the network.

With that being said, using this approach is still a decent first start because it does make the casual cracker look elsewhere. On the other hand, you should not consider this feature to be anything more than a casual nuisance to a true bad guy intent on entering your wireless network.

Static IP Addressing

Static IP addressing ups the ante a bit when attempting an illicit entry into a wireless network. Because most APs offer a DHCP service within their configuration, disabling this feature and manually assigning IP addresses would make it one step harder to gain entry into the wireless network beyond an association to the AP. If the subnet size used for the wireless portion of the network is sized according to only the desired need of that subnet, a would-be hacker would have a more difficult time picking up the use of an additional IP address and going unnoticed. Using this approach definitely stops the casual hacker and requires a bit more sophistication. But once again, there are tools available that aid a bad guy in working around this issue.

Another downside of this approach to wireless security is, once again, the tedious nature of managing the wireless network. Manual IP addressing in IPv4 is bad enough; it is inconceivable when discussing IPv6 networks. Also, using this method may not stop a wireless cracker because there are Man-in-the-Middle attacks and many others around this approach to wireless security.

Authentication and Encryption Methods for Wireless Security

The preceding methods may offer an initial starting point to securing your wireless network, but they also have trade-offs when you’re attempting to manage the networks employing those methods. Windows Vista supports several wireless standards when it comes to authentication and encryption. Table 2 offers a snapshot of the protocols that are available to use within Windows Vista itself.

Table 2. Wireless Authentication and Encryption Protocols

Security Feature                             | Authentication Offered | Encryption Type
---------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------
Wired Equivalency Privacy (WEP)              | Open (none)            | WEP
Wired Equivalency Privacy (WEP)              | Shared Key             | WEP
Wi-Fi Protected Access (WPA)-Preshared Key (PSK) | None               | WPA-PSK with either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES)
WPA-Enterprise                               | IEEE 802.1x            | WPA with TKIP or AES
WPA2-Personal (PSK)                          | None                   | WPA (PSK) with TKIP or AES
WPA2-Enterprise                              | IEEE 802.1x            | WPA2 with TKIP or AES
Open                                         | None                   | None
802.1x                                       | 802.1x                 | None

The following sections disregard the last two security feature types from Table 2, focusing the discussion on the more useful settings. Using these two security features by themselves presents a flawed approach to wireless security:

  • Using Open as the only security feature is using no security feature at all. This is fine for publicly accessible APs but not for corporate use.

  • The 802.1x authentication protocol is highly secure, but it does not provide any encryption. Therefore, using 802.1x alone provides no security for the actual data that is communicated after authentication.

WEP

WEP was the original encryption scheme when the 802.11 wireless standards were first created. It was soon discovered to have severe flaws in the way it employed the RC4 algorithm for its encryption services. It is considered to be better than nothing and may be the only choice if you are using legacy devices or software. WEP, as defined by the IEEE, comes in 64-bit and 128-bit sizes as well as a newer 256-bit flavor. Using Shared for the authentication means that the pre-shared key used for the encryption process by WEP is also used to authenticate the connection. This is actually considered to be less secure than the Open setting for authentication. Figure 9 shows how to reconfigure a wireless connection for WEP with Shared Key authentication.

Figure 9. Configuring WEP security.
Using the dialog box in Figure 9 as a guide, you can change the security type to any of the listed security types in Table 4.7.

WPA-Personal

Wi-Fi Protected Access (WPA) was a standardized update to the encryption scheme used by WEP. Essentially, WPA was the first step toward IEEE’s 802.11i specification. WPA-Personal is also known as WPA-Preshared Key (PSK). In addition to using a PSK, WPA is required to use Temporal Key Integrity Protocol (TKIP). TKIP still uses RC4 but adds a message integrity check and provides for per-packet keying, among other items. It was designed to be backward-compatible with most WEP-enabled products at the time so that only a software update was necessary. WPA-PSK may also provide for the use of the Advanced Encryption Standard (AES), which uses the newer Rijndael algorithm. AES is a much stronger block cipher that allows the use of up to 256-bit keys. WPA-Personal is built for small office/home office (SOHO) use.

WPA-Enterprise

WPA-Enterprise adds the use of a centralized authentication server (called an authenticator) such as a Remote Authentication Dial-in User Service (RADIUS) server and employs the use of the IEEE 802.1x authentication protocol. The client (known as the supplicant) is required to authenticate prior to unrestricted access through the wireless AP to the wireless network. WPA-Enterprise uses the same encryption services as described for WPA-PSK. This protocol is built, as its name suggests, for an enterprise network. This security model requires a Public Key Infrastructure (PKI) to hand out certificates because the certificate takes the place of the PSK used in WPA-PSK. The certificate also provides for additional authentication encryption services for the wireless clients.

WPA2-Personal

WPA2-Personal provides the same security services as WPA except that the WPA2-Personal protocol is required to support AES as the default protocol of choice. This essentially ensures that legacy wireless adapters need to be replaced or upgraded. A PSK is also used instead of a certificate.

WPA2-Enterprise

WPA2-Enterprise is the true implementation of 802.11i, where the IEEE 802.1x authentication protocol is used along with a centralized authenticator service running RADIUS. Windows Vista inherently supports WPA2-Enterprise, whereas Windows XP required an update. This security model also requires a Public Key Infrastructure to hand out certificates for the same reasons described for WPA-Enterprise.

Exam Alert

When determining which security feature to employ for a given scenario, consider the following ideals:

  • If a centralized authentication server is available and all clients are Windows Vista, use WPA2-Enterprise.

  • If a centralized authentication server is unavailable for use, and a Public Key Infrastructure is not available, the highest level of security that you can use is WPA-Personal or possibly WPA2-Personal if available.
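To make Table 2 and the Exam Alert ideals checkable on real machines, here is an added audit script (not from the original article) that reads wireless profile XML in the format `netsh wlan export profile` writes, maps each profile’s authentication/encryption pair to its Table 2 row, and flags the Open, WEP, and 802.1x-only profiles the text calls flawed or legacy. The profile namespace and element names are the standard WLAN profile schema; the sample profiles and their names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Namespace of the profile XML written by "netsh wlan export profile".
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# (authentication, encryption) values in the profile XML -> the row of Table 2 they correspond to.
TABLE_2 = {
    ("open", "none"): "Open",
    ("open", "WEP"): "WEP (Open authentication)",
    ("shared", "WEP"): "WEP (Shared Key authentication)",
    ("WPAPSK", "TKIP"): "WPA-Personal (PSK)",
    ("WPAPSK", "AES"): "WPA-Personal (PSK)",
    ("WPA", "TKIP"): "WPA-Enterprise",
    ("WPA", "AES"): "WPA-Enterprise",
    ("WPA2PSK", "TKIP"): "WPA2-Personal (PSK)",
    ("WPA2PSK", "AES"): "WPA2-Personal (PSK)",
    ("WPA2", "TKIP"): "WPA2-Enterprise",
    ("WPA2", "AES"): "WPA2-Enterprise",
}
# Rows the text calls flawed (Open, 802.1x alone) or legacy "better than nothing" (WEP).
FLAGGED = {"Open", "802.1x only (no encryption)", "WEP (Open authentication)", "WEP (Shared Key authentication)"}

def sample_profile(name, auth, enc, one_x="false"):
    """Build a constructed profile XML in the export format (only the elements the audit reads)."""
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{name}</name>'
            f'<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>'
            f'<MSM><security><authEncryption><authentication>{auth}</authentication>'
            f'<encryption>{enc}</encryption><useOneX>{one_x}</useOneX>'
            f'</authEncryption></security></MSM></WLANProfile>')

def classify_profile(xml_text):
    """Return (profile name, Table 2 security feature) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    sec = "w:MSM/w:security/w:authEncryption/"
    auth = root.findtext(sec + "w:authentication", namespaces=NS)
    enc = root.findtext(sec + "w:encryption", namespaces=NS)
    one_x = root.findtext(sec + "w:useOneX", default="false", namespaces=NS)
    if one_x == "true" and enc == "none":
        return name, "802.1x only (no encryption)"  # last row of Table 2: authentication, no data protection
    return name, TABLE_2.get((auth, enc), f"unknown ({auth}/{enc})")

def audit(profiles):
    """Return (name, feature) for every profile whose feature the text considers flawed or legacy."""
    return [(n, f) for n, f in map(classify_profile, profiles) if f in FLAGGED]

if __name__ == "__main__":
    demo = [sample_profile("LegacyPrinterNet", "shared", "WEP"), sample_profile("CorpWLAN", "WPA2", "AES", "true")]
    print(audit(demo))  # only the WEP profile is reported
```

On a Vista client the profiles to feed in come from `netsh wlan export profile folder=<dir>`; each file is one profile.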
