Trying again. Didn't seem to go through the first time... Here is some info I've gleaned off this list. I can't credit all the authors as this info is from about 10 different people. I've also included the solution we are going to implement.

There are two general areas of wireless security: Authentication and Encryption.

AUTHENTICATION:

Authentication is what will keep evil humans from logging into your network. By far, the best way to do this is via 802.1x, which is an authentication standard that works with wireless networks. Basically a client computer runs a client program to connect to the network with a username and password (the client comes built in on Windows XP or Mac OS X; other operating systems will have limited support, but Cisco probably makes a client app). Once a user is authenticated they are assigned a WEP (wired equivalency protocol) key. This is where authentication bleeds into encryption. What the WEP key does is encrypt the user's wireless transmissions on layer 2. The problem with WEP is that there is a flaw in the algorithm that allows an attacker to crack the key with a certain amount of data. This is overcome by rotating WEP keys.

ENCRYPTION:

The next step up is a quantum one. Use 802.1x for users to auth on the network; access points will forward auth requests to a RADIUS server (I think FreeRADIUS will do the job. I think I saw somewhere that they had LEAP (Cisco's EAP) extensions in CVS). Link your RADIUS server to the LDAP server you use for your regular day-to-day network authentication (hopefully someday these access points will support authing against LDAP, anyway). Once auth'd, your users will receive a unique WEP key for that session only. Allow users to roam with their authentication using IAPP (inter-access point protocol) for the access points to talk to each other. Well, from what I know, setting up a RADIUS authentication server using 802.1x with a rotating encryption key is the only secure way to use wireless at all.

WPA:

MS has released WPA drivers for XP. For Win2K, I believe that one needs to obtain WPA drivers from the vendor. To support WPA, the AP, NIC and client all have to support WPA, and all clients must run WPA. For more info on WPA, check out http://www.wi-fi.org and google for "Wireless WPA" (without quotes).

DESIGN:

I would suggest that you have all your APs on the outside, or at least in the DMZ, of your firewall, and then the clients should use VPN to get into your network. Group access points on different VLANs according to the rights users need. Require some kind of login to access out of the VLAN. This is clumsy and awkward and horrible; be aware that a few "wireless switch" products just use the user login to group clients into VLANs, and expect your core inter-VLAN routing access lists to do all policy enforcement...

MISC NOTES:

Specifying specific MAC addresses for access isn't really secure either, as an attacker can spoof a MAC address specified in the access point. If you're going to do PEAP, you can't use Funk Steel Belted RADIUS. We recently deployed Funk's RADIUS server and, for wireless, they work best with their Odyssey client and EAP-TTLS.

A) Establish policy and standards.
1) Implement WEP, which is broken but better than nothing.
2) Do not broadcast the SSID.
3) Do MAC or layer 2 filtering.
4) Enforce authentication.
5) And if you are really paranoid, use a VPN.
And oh yes, monitor your network!

1) OS specific. This thread has already shown the MS-centric option, using PEAP or EAP-TLS type solutions to overcome the scalability/compromise issues with static WEP. This is great if you have the ability to dictate OS and AP choices so the environment is totally supported.
2) Hardware specific. I've had good success personally with Cisco-specific solutions, using LEAP+TKIP+Broadcast Key rotation. This gives you the authentication piece via a RADIUS back-end, dynamic keying and re-keying (and on an 802.11b network, setting your key lifetime below about 5 hours will significantly reduce the risk of compromise, since it takes ~5.5 hours for the AP to transmit the 1M packets at which a WEP flaw becomes statistically likely) and more. It does, however, require Cisco or other LEAP-compliant (including some Intel) wireless NICs and Cisco APs, plus a RADIUS server capable of passing the correct AV pairs.
3) VPN. Firewall off your wireless network, and require a VPN to access the internal network. This leaves you with a single point of entry that you can control. The flip side of this is that it IS a single point of entry, with all the issues therein, and the fact that users likely now have an additional login step to access the wireless LAN. There are also options such as Reefedge (http://www.reefedge.com) that will provide a distributed firewall/VPN/authentication solution that provides a very effective 'shim'.
4) Built-in functionality, such as MAC filtering, static WEP, no broadcast SSID and so on. This is the least effective of the solutions, but should be built into any AP you choose to purchase and supported on any NIC.

Some Links:
http://www.iss.net/wireless/WLAN_FAQ.php
http://www.drizzle.com/~aboba/IEEE/
http://www.internet.com/sections/wireless.html
http://www.wirelessweek.com/
http://www.80211-planet.com/
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml
http://searchnetworking.techtarget.com/infoCenter/tip/0,294276,sid7_gci905077_tax293386,00.html?Offer=wlancross6.30

OUR SOLUTION:

We are going to go with Cisco Aironet 1100 and maybe 1200 Access Points. We are going to implement 802.11b for now, but will upgrade to 802.11g when it becomes available. Due to issues we've heard about dual b/g environments, we will most likely cut off b in the future and be strictly 802.11g. In our pilot we will be testing various wireless NICs for range and performance. We are going to place our access points on a DMZ hanging off our PIX firewall. On our inside network, we will have our RADIUS server, which is going to be Windows 2003 Enterprise with their IAS (RADIUS) server.
We chose Enterprise because Standard will only support up to 50 users. We are also going to implement PEAP. Microsoft offers built-in support for this. Cisco also supports this standard. We'll be rotating our encryption keys, but are not sure of the frequency at this point. We will also disable SSID broadcasting and will implement MAC address filtering. Our computers will need to be approved for wireless access, and at that time we will add the NIC's MAC address to the allowed list. We will also be disallowing Ad-hoc mode. We chose not to use a VPN solution because a client would have to be installed on each wireless computer. This would defeat the purpose of allowing visitors quick access to the Internet.

Anyway, I hope this info is useful. I've learned a lot about Wireless Networking in the past few months - but still feel like I have a ways to go!

Tim Potter, CCNP, CCDP
WAN Administrator
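The exchange the post keeps coming back to (the access point forwarding a login to a RADIUS server and the server answering Accept or Reject) as an added example, not part of the original message or of any vendor's code. It builds RFC 2865 Access-Request and Access-Accept/Reject packets in Python with a hypothetical shared secret and user table, hides the password the way RFC 2865 section 5.2 specifies, adds the Message-Authenticator attribute (RFC 2869) that requests carrying EAP must include, and checks the Response Authenticator on the AP side so the AP cannot be fed a forged Access-Accept. For illustration it carries a plain User-Password attribute; with PEAP or LEAP the credentials travel inside EAP-Message attributes instead, but the packet framing and both authenticators work the same way. The `SECRET` and `USERS` values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 61, 80
NAS_PORT_TYPE_WIRELESS = 19  # "Wireless - IEEE 802.11"

# Constructed sample data: a hypothetical AP<->RADIUS shared secret and user table.
SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse"}


def attr(typ, value):
    """Serialise one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", typ, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the keystream for each block comes from the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """AP side: Access-Request with a fresh random 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS)))
    # Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 over the whole packet with its own value zeroed.
    with_zero_mac = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(with_zero_mac)) + request_auth
    mac = hmac.new(secret, header + with_zero_mac, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    received, body = None, b""
    for typ, value in parse_attrs(packet[20:]):
        if typ == MESSAGE_AUTHENTICATOR:
            received, value = value, b"\x00" * 16
        body += attr(typ, value)
    if received is None:
        return False
    expected = hmac.new(secret, packet[:20] + body, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(code, request, secret):
    """Response Authenticator (RFC 2865 s3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20)  # no reply attributes in this example
    resp_auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + resp_auth


def server_handle(request, secret, users):
    """RADIUS side: reject anything whose Message-Authenticator or credentials fail."""
    if request[0] != ACCESS_REQUEST or not verify_message_authenticator(request, secret):
        return build_response(ACCESS_REJECT, request, secret)
    got = dict(parse_attrs(request[20:]))
    password = reveal_password(got.get(USER_PASSWORD, b""), secret, request[4:20])
    user = got.get(USER_NAME)
    if user in users and hmac.compare_digest(users[user], password):
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)


def client_verify_response(request, response, secret):
    """AP side: trust the verdict only if the Response Authenticator proves it came from the server."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"correct horse", SECRET)
    print("verdict:", client_verify_response(req, server_handle(req, SECRET, USERS), SECRET))
```

Two things worth noticing when wiring up IAS or FreeRADIUS against Cisco APs: the shared secret is the only thing binding the AP to the server (a server configured with a different secret produces responses the AP silently discards, and a request with a bit flipped fails the Message-Authenticator check), and the User-Password hiding is MD5-keystream XOR rather than real encryption, which is one reason the credentials in the post's PEAP design ride inside a TLS tunnel instead.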
