Securing Wireless LANs
A Windows Server 2003 Certificate Services Solution
Ian Hellen – Principal Consultant
Stirling Goetz – Principal Consultant


Page 1: Securing Wireless LANs A Windows Server 2003 Certificate Services Solution Ian Hellen – Principal Consultant Stirling Goetz – Principal Consultant

Securing Wireless LANs
A Windows Server 2003 Certificate Services Solution

Ian Hellen – Principal Consultant
Stirling Goetz – Principal Consultant

Page 2

Agenda
- Introduction to Solutions for Security
- Wireless LAN Security – selecting the right option
- Solution Architecture
- RADIUS Design
- PKI Design
- Solution Guidance

Page 3

Trustworthy Computing
- Microsoft is committed to Trustworthy Computing: Security, Privacy, Reliability, Business Integrity
- Trustworthy computing can only be achieved through partnership & teamwork
- Trustworthy Computing is a journey with a long term vision and highlights and obstacles along the road

Page 4

Trustworthy Computing
- Security: resilient to attack; protects confidentiality, integrity, availability and data
- Privacy: individuals control personal data; products and online services adhere to fair information principles
- Reliability: dependable; available when needed; performs at expected levels
- Business Integrity: vendors provide quality products; product support is appropriate

Page 5

Microsoft Solutions for Security (MSS)
- Aimed at complex or difficult problem areas
- Prescriptive guidance – "one good way"
- Based on experience in field and from MS internal deployments
- Built and tested in MS labs
- Modular (PKI and RADIUS)

Page 6

Wireless LANs
- Benefits of WLANs
  - Increased staff productivity
  - Mobility and flexible working
  - Information access with lower cost
- Problems
  - Early security standards had issues
  - Some people don't even take basic precautions
  - Proliferation of solutions causes confusion

Page 7

Solution Options
- 802.1X with WLAN protection – the native route
- VPN or IPsec
- Don't deploy WLANs – but prepare for rogue WLANs
- Use basic 802.11 security … and hope for the best

Page 8

802.1X with WLAN protection
- 802.1X
  - Ratified by the IEEE
  - Embraced by the WLAN vendor community
- EAP-TLS
  - Strong credentials
  - Mutual authentication
  - WLAN encryption key generation
- WLAN security
  - WEP (128 bit) and WPA (TKIP)
  - Pending: TGi work on RSN (802.11i)

Page 9

Solution Architecture (diagram)
- WLAN Component: Wireless Client and Wireless Access Point; the client authenticates to the access point
- RADIUS Component: IAS – RADIUS (network authentication and authorization); the access point authenticates and authorizes the client via RADIUS
- Infrastructure Services: Active Directory (domain), DNS (name resolution), DHCP (IP address management), IIS (web server), VLAN-capable switch, IP subnet, management and monitoring
- PKI Component: Certificate Services – Certification Authority; certificate enrollment and certificate publishing

Page 10

Solution Design (diagram)
- Head Office
  - Infrastructure Services: DC, DNS, DHCP, IIS, Systems Management Server, Microsoft Operations Manager
  - PKI Component: Root CA, Issuing CA
  - RADIUS Component: two IAS servers
  - WLAN Component: WAPs and wireless LAN clients
  - WAN router
- Branch Office
  - Infrastructure Services: DC
  - RADIUS Component: IAS
  - WLAN Component: WAPs and wireless LAN clients
  - WAN router

Page 11

Scaling & Extension (diagram)
- Scale Up: Headquarters with Root CA, Issuing CA, DC, IAS servers and IAS proxies; Large Remote Office with DC, IAS and IAS proxy; WAPs and wireless LAN clients at each site, connected through WAN routers
- Scale Down: Headquarters and Large Remote Office run the IAS service on the domain controllers (DC & IAS); Issuing CA at headquarters; WAPs and wireless LAN clients at each site, connected through WAN routers
- VPN: Headquarters with Infrastructure Services (DC, other services), PKI Component (Root CA, Issuing CA) and RADIUS Component (IAS); a DMZ network with VPN servers (RRAS), IAS and RADIUS proxies between two PIX firewalls facing the Internet; remote client with smartcard; WAN router
- Wired 802.1X

Page 12

RADIUS Architecture (diagram) – scale up or out
- Basic: Wireless Client → Wireless Access Points on the 802.11 wireless network → two RADIUS servers
- With proxies: Wireless Access Points → RADIUS Proxies → RADIUS Servers
- With server groups: Wireless Access Points → RADIUS Proxies → RADIUS Server Groups

Page 13

RADIUS Placement (diagram; sites connected over the WAN)
- New York: 5,000 users, 200 WAPs; secondary sites: 1,330 users (19 sites @ 70 users each), 57 WAPs. Two IAS servers (W2K3 Enterprise Edition) support 6,330 total users and 257 RADIUS clients.
- London: 5,200 users, 208 WAPs; secondary sites: 1,330 users (19 sites @ 70 users each), 57 WAPs; Johannesburg site: 212 users, 9 WAPs, one IAS server (W2K3 Standard Edition). Two IAS servers (W2K3 Enterprise Edition) support 6,742 total users and 274 RADIUS clients with the Johannesburg IAS down.
- Tokyo: 500 users, 20 WAPs; secondary sites: 1,330 users (19 sites @ 70 users each), 57 WAPs; Sydney site: 212 users, 9 WAPs, one IAS server (W2K3 Standard Edition). Two IAS servers (W2K3 Enterprise Edition) support 2,042 total users and 86 RADIUS clients with the Sydney IAS down.
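The capacity figures on the placement slide follow from one rule: each hub's IAS servers must carry the local site, the secondary sites that have no IAS of their own, and, when the branch it backs up loses its IAS server, that branch's users and access points as well. The model below is an added example, not part of the presentation; the site figures are the slide's, the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    name: str
    users: int  # WLAN users at the site
    waps: int   # access points, each a RADIUS client of the IAS servers


@dataclass(frozen=True)
class Hub:
    """Hub whose IAS servers serve the local site, the aggregated secondary
    sites behind it and, on failover, one branch whose IAS they back up."""
    local: Site
    secondary: Site                       # secondary sites, aggregated
    backed_up_branch: Optional[Site] = None


def ias_load(hub: Hub, branch_ias_down: bool) -> tuple[int, int]:
    """(total users, RADIUS clients) the hub's IAS servers must support."""
    users = hub.local.users + hub.secondary.users
    clients = hub.local.waps + hub.secondary.waps
    if branch_ias_down and hub.backed_up_branch is not None:
        # Failover: the branch's WAPs now send their RADIUS requests here.
        users += hub.backed_up_branch.users
        clients += hub.backed_up_branch.waps
    return users, clients


# Slide figures: 19 secondary sites at 70 users each, 57 WAPs in total, per hub.
SECONDARY = Site("secondary sites", 19 * 70, 57)
NEW_YORK = Hub(Site("New York", 5000, 200), SECONDARY)
LONDON = Hub(Site("London", 5200, 208), SECONDARY, Site("Johannesburg", 212, 9))
TOKYO = Hub(Site("Tokyo", 500, 20), SECONDARY, Site("Sydney", 212, 9))


def placement_report() -> dict[str, tuple[int, int]]:
    """Worst-case sizing per hub: the backed-up branch's IAS server is down."""
    return {h.local.name: ias_load(h, branch_ias_down=True)
            for h in (NEW_YORK, LONDON, TOKYO)}


if __name__ == "__main__":
    for name, (users, clients) in placement_report().items():
        print(f"{name}: {users} users, {clients} RADIUS clients")
```

Sizing the hub for the failover case rather than the steady state is what keeps branch users authenticating while their local IAS server is unavailable.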

Page 14

PKI Architecture (diagram)
- CA hierarchy labels: Offline (internal) Root CA; Intermediate CA 1; Extranet Intermediate CA 1; Issuing CAs (Computer); Issuing CAs (User); Issuing CAs (Email); Customer CA 1; Partner CA 1; Commercial CSP (cross cert); Enterprise Root CA; Internet
- Implemented cert types (computer certs plus low value user certs), with consuming application: VPN/IPSec (VPN client, VPN server); 802.1x Server Authn (SSL) (WLAN client and server, IAS server); Domain Controller (domain controller); Client Authn (web client); Enrollment Agent (non-domain VPN clients)
- Possible cert types (low to medium value): user certs for employees and external users; EFS; Email S/MIME; Smartcard Logon; $10k Purchase Approval; Code Sign
- Unsupported cert types (high value): High Value Cert; High Assurance Cert
- Out of scope functions: future CAs and certificate types

Page 15

Securing Wireless LANs Guidance
- Planning guide
- Build guide
- Operations guide
- Test guide
- Delivery guide
- Tools and Templates

Page 16

More Information…
- Download Securing Wireless LANs from: http://go.microsoft.com/fwlink/?LinkId=14843
- Microsoft Solutions: http://www.microsoft.com/business/solutions/
- For a copy of this presentation visit: http://www.microsoft.com/uk/security
- For regular information subscribe at: http://register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155
- For the MS security resource toolkit visit: http://www.microsoft.com/uk/security

Page 17

Additional URLs
- www.microsoft.com/management/
- www.microsoft.com/windows2000/windowsupdate/sus
- www.microsoft.com/solutions/msm
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/swdist/pmsmsog.asp

Page 18

Microsoft - Stand 670
- Firewall and VPN
- Identity Management
- Securing Windows
- Windows Server 2003 Security
- Wireless LAN Security

Page 19

Microsoft Security Seminars

| TIME  | APRIL 29 | APRIL 30 | MAY 1 |
|-------|----------|----------|-------|
| 10:15 | Trustworthy Computing – One Year Later | Microsoft's Security Roadmap | Identity Management – Strategy & Solution |
| 11:00 | Securing Wireless Networks with Windows Server 2003 | Securing Wireless Networks with Windows Server 2003 | Securing Wireless Networks with Windows Server 2003 |
| 11:45 | Application-layer Firewalling | Application-layer Firewalling | Application-layer Firewalling |
| 12:30 | Web Services Security | Web Services Security | Web Services Security |
| 13:15 | Best Practices for Security and Patch Management | Best Practices for Security and Patch Management | Best Practices for Security and Patch Management |
| 14:00 | Microsoft Security Products and Features | Identity Management – Strategy & Solution | Microsoft Security Products and Features |
| 14:45 | Microsoft Security Solutions for Small Business | Microsoft ISA Server – 'Chalk and Talk' Session | Microsoft Security Solutions for Small Business |
| 15:30 | Unisys | Fujitsu | Lynx |
| 16:15 | Aspelle | DNS | |

Page 20

Call to action
1. For a copy of this presentation visit: www.microsoft.com/uk/security
2. For regular information subscribe at: register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155
3. For the Microsoft security resource toolkit visit: www.microsoft.com/uk/security

Page 21

Questions?

Visit the Microsoft stand. We'll be there for 1 hour after this session.

Thank You!

Page 22

Trustworthy Computing

Stirling Goetz – Principal Consultant
Ian Hellen – Principal Consultant