Level 2: Small Business Wireless LAN Security
Small businesses must move beyond Level 1 by incorporating authentication into their Wireless LAN access controls. The standard method for doing this is 802.1x with PEAP or TTLS authentication. 802.1x restricts access to the data link layer of a network by only admitting a client onto the network once it has proven its identity through the EAP (Extensible Authentication Protocol) mechanism. There are several forms of EAP, but the two most suitable for Level 2 security are PEAP (Protected EAP) and TTLS (Tunneled Transport Layer Security).
To implement PEAP or TTLS, you need to run a RADIUS authentication server. The options include Microsoft Windows 2003 Server with IAS, third-party applications such as Funk Odyssey (required for TTLS mode) that run on Windows, and Open Source solutions such as FreeRADIUS.
The easiest way by far, if you are a Microsoft Windows 2003 Server shop, is to use the built-in RADIUS server of Windows 2003 known as IAS (Internet Authentication Server). For a small business, there is nothing wrong with adding the IAS service to an existing Windows 2003 server, even if it is their only server and also happens to be the Active Directory server. You can also turn that server into a Certificate Authority and issue yourself a digital certificate for the RADIUS server, or simply self-sign a digital certificate. With this in place, the root certificate (the public key of the digital certificate) for the RADIUS server must be installed on all of the client computers; without it, a client has no way to verify that it is handing its password to the legitimate RADIUS server. With Active Directory, this is easily pushed out via Group Policy. Each client also needs its wireless settings configured in the WZC (Wireless Zero Configuration) service built into Windows XP SP1 or SP2. A protected wireless network can be deployed throughout an organization, big or small, in hours. If you do not have IAS, it comes with Windows 2003 Standard Edition, which costs around $500 per copy. IAS in my experience is extremely rich, true, and secure.
For those who want to implement TTLS, they will need to either buy Funk Software's Odyssey server (in the $2000 range) or implement FreeRADIUS on Linux, which is Open Source. Note that Windows does not have a native TTLS client built in; you will need to buy a wireless supplicant (also known as client software) for your end users. MDC has an Open Source edition for Linux, but you will have to buy one for Windows, which is what most people are using. You will either have to install the root certificate on the clients manually or buy a third-party digital certificate whose root certificate is already preinstalled.
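The server side of the setup described above, as an added configuration example that is not part of the original article: a FreeRADIUS 3.x fragment (the `raddb/clients.conf` and `raddb/mods-available/eap` files) that registers an access point as a RADIUS client and enables both PEAP and TTLS behind one server certificate. The AP address, client name, and certificate paths are constructed placeholders; `${certdir}` and `${cadir}` are variables FreeRADIUS defines in its own configuration.

```conf
# raddb/clients.conf
# The access point is the RADIUS client. The shared secret authenticates the AP
# to the server, so it should be long and random, not a dictionary word.
client ap-office {
    ipaddr = 192.0.2.10                     # constructed example AP address
    secret = REPLACE-WITH-LONG-RANDOM-SECRET
}

# raddb/mods-available/eap
eap {
    # Windows XP supplicants speak PEAP natively, so make it the default.
    default_eap_type = peap

    # One TLS configuration shared by PEAP and TTLS. Clients must hold the CA
    # certificate that signed server.pem so they can verify the server before
    # sending any password inside the tunnel.
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    # TTLS: the inner (password) exchange is handled by the inner-tunnel
    # virtual server, which looks the user up in the configured user store.
    ttls {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }

    # PEAP with EAP-MSCHAPv2 inside the tunnel, the combination Windows expects.
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }

    # The inner EAP method must also be enabled here.
    mschapv2 {
    }
}
```

The important check is on the certificate side: `ca.pem` is the root certificate the article says must be distributed to every client, and a supplicant that is not configured to validate against it gets no protection from the tunnel at all.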
Although 802.1x with PEAP or TTLS addresses the authentication half of the security equation, encryption must also be addressed. Until recent months, it was thought that "Dynamic WEP", where WEP keys are rotated frequently (usually every 10 minutes), was "good enough" encryption. With the latest generation of WEP cracking tools, this is no longer the case and TKIP is the new bare minimum. The WPA standard implements TKIP, which is a rewrite of the WEP protocol that will hold against current cryptanalysis techniques for now, but early methods of attacking TKIP are on the horizon. The true long-term solution from the IEEE standards body is the 802.11i standard, which mandates AES. The recommendation for Levels 2 through 3 is that you should be using WPA with TKIP at a minimum and upgrade to AES as soon as possible.
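The client side of the two points above (the root certificate every client must carry, and TKIP as the floor with AES as the target), as an added example that is not from the original article or from any of the vendors it names: two `wpa_supplicant.conf` network profiles for the same PEAP network. wpa_supplicant is a Linux supplicant used here for illustration, the SSID, username, certificate path and server domain are constructed placeholders, and the two profiles are placed side by side only for comparison; only the second belongs in a real configuration.

```conf
# Weak profile: ca_cert is missing, so the supplicant accepts whatever
# certificate the RADIUS server presents. The MSCHAPv2 password exchange is
# then protected only by a tunnel to an unverified peer, and the profile is
# pinned to TKIP with no path to AES.
network={
    ssid="SmallBiz-WLAN"                  # constructed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                      # constructed username
    password="REPLACE-WITH-USER-PASSWORD"
    phase2="auth=MSCHAPV2"
    pairwise=TKIP
}

# Corrected profile: the organisation's root certificate (the one the article
# says to push to every client) is pinned, the server name is checked against
# it, and AES (CCMP) is preferred with TKIP kept only as a fallback.
network={
    ssid="SmallBiz-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="REPLACE-WITH-USER-PASSWORD"
    ca_cert="/etc/ssl/certs/smallbiz-radius-root.pem"   # root cert from the CA step
    domain_suffix_match="smallbiz.example"              # assumed server cert domain
    phase2="auth=MSCHAPV2"
    pairwise=CCMP TKIP                                  # AES first, TKIP fallback
    proto=WPA2 WPA
}
```

The `pairwise=CCMP TKIP` line is how the "TKIP at a minimum, AES as soon as possible" recommendation is expressed on a client: the supplicant negotiates AES wherever the access point offers it and drops to TKIP only on hardware that has not been upgraded yet.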
From a vulnerability point of view, the only way to break this security level is to steal a client's credentials, by either looking over someone's shoulder to see what password they are typing, sweet-talking them into telling you the password (this is easier than you think), or installing a key logger on a user's computer to record their keystrokes when they type in the password. Short of password theft, it would be far easier to break into your premises and plug into the wired LAN than to attempt to crack Level 2 wireless LAN security. Level 2 is a good option for most small businesses, but organizations where security is a high priority should seriously consider the next two levels, because a single lost password could compromise the whole system.