70-299 : 10 Planning and Implementing Security for Wireless Networks

Lesson 2: Configuring Wireless Security

Although almost anyone can set up a wireless network in a few minutes, configuring a wireless network with security features is significantly more complex. Fortunately, Windows Server 2003 provides all of the software you need to deploy a wireless infrastructure with authentication, encryption, message integrity, and dynamically changing WEP shared secrets. At a high level, you will follow these steps to configure a wireless network infrastructure:

1. Plan wireless access policies.
2. Create a structure for authorizing users and computers to access the wireless network.
3. Plan the certificate infrastructure, and optionally deploy a PKI.
4. Configure IAS servers, including assigning a certificate and creating remote access policies (RAPs).
5. Update and configure wireless clients with the SSID and security settings.
6. Configure WAPs with security settings and the IP addresses of the IAS servers.

Planning Wireless Access Policies
There are several aspects to planning wireless access policies. First, it is important to plan wireless access policies to help prevent WAPs from being installed in your organization with insufficient security. You should draft a policy that, at a minimum, defines the following requirements for new WAPs:
- Authentication requirements. Generally, you should require that all wireless users are authenticated and specify whether PEAP or EAP-TLS will be used. If you plan to allow guests to access your wireless network, you should make provisions for creating WAPs providing limited access to your internal network that will be used only by guests.
- Encryption. Some level of encryption should always be required. Unless you have wireless devices that do not support it, your policy should mandate the highest level of encryption available.
- Physical security. Just like any other piece of network equipment, WAPs should be protected by lock and key to prevent attackers from tampering with the hardware.
- SSID broadcast and naming conventions. Your policy should specify whether WAPs are configured to broadcast the SSID, and it should detail naming conventions for SSIDs.
- Actively maintained list of WAPs. You must maintain a list of all WAPs on your network that at a minimum includes the SSID, the security settings, the administrator’s name, and patching requirements.
- Auditing requirements. You should specify how usage information is gathered and how logs are archived.
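
A maintained WAP list is most useful when it can be checked against the policy automatically. The following is an added example, not part of the original guide: it audits a constructed CSV inventory against the requirements listed above. The column names, the CORP-xx-nn naming convention, the no-broadcast choice, and the authentication exception for guest-only WAPs are all assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory. Column names and values are assumptions for this example.
SAMPLE_INVENTORY = """\
ssid,auth,encryption,broadcast_ssid,administrator,patching,guest_only
CORP-HQ-01,EAP-TLS,WEP-128,no,jsmith,quarterly firmware review,no
CORP-HQ-02,PEAP,WEP-128,no,,quarterly firmware review,no
linksys,open,none,yes,bdoe,,no
CORP-GUEST-01,open,WEP-128,no,jsmith,quarterly firmware review,yes
"""

ALLOWED_AUTH = {"PEAP", "EAP-TLS"}                 # the two methods the policy chooses between
SSID_PATTERN = re.compile(r"^CORP-[A-Z]+-\d{2}$")  # hypothetical naming convention
BROADCAST_ALLOWED = False                          # hypothetical policy decision


def audit_wap(row):
    """Return the list of policy violations for one inventory row."""
    findings = []
    guest = row["guest_only"].strip().lower() == "yes"
    # Assumption: guest-only WAPs are the one exception to user authentication.
    if not guest and row["auth"].strip().upper() not in ALLOWED_AUTH:
        findings.append("authentication is not PEAP or EAP-TLS")
    if row["encryption"].strip().lower() in ("", "none"):
        findings.append("no encryption configured")
    if row["broadcast_ssid"].strip().lower() == "yes" and not BROADCAST_ALLOWED:
        findings.append("SSID broadcast enabled against policy")
    if not SSID_PATTERN.match(row["ssid"].strip()):
        findings.append("SSID does not follow naming convention")
    if not row["administrator"].strip():
        findings.append("no administrator recorded")
    if not row["patching"].strip():
        findings.append("no patching requirements recorded")
    return findings


def audit_inventory(csv_text):
    """Map each SSID in the inventory to its list of violations."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ssid"]: audit_wap(row) for row in reader}


if __name__ == "__main__":
    for ssid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
```

An entry such as the constructed "linksys" row, which fails nearly every check, is the kind of insufficiently secured WAP the policy is meant to prevent.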
