MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
Lesson 1: Setting Up a Wireless Network
Wireless local area networks (WLANs) allow client computers to connect to networks without physical connections. They are simple to set up and easy to use so their popularity has explodedat the cost of security. WLANs have often been deployed without any serious consideration for the security risks that are inherent to them. Because they can allow intruders who are physically near your network to connect to your network, WLANs now represent the second greatest threat to network security after the Internet.
In this lesson, you will connect a wireless access point to your network and configure a Windows XP client to connect to it using a wireless network adapter.
To complete this lesson, you will need
-
A wireless access point
-
A laptop computer running Windows XP with a wireless network adapter
After this lesson, you will be able to
-
Understand wireless technology and its security implications
-
Connect a wireless access point to your network and connect to it
Estimated lesson time: 20 minutes
Understanding Wireless Technology
Wireless network technology has been around for a long time. The University of Hawaii originally developed the prototype on which Ethernet is based in the early 1970s as a wireless broadcast protocol. Until the early 1990s, the radio equipment required for wireless networking was prohibitively expensive for general purpose use and kept wireless networking from being used for anything but bridging networks over spans where cable could not be used. These early wireless networks did not include any form of security as a rulesecurity was not necessary because the equipment to participate in the network was too expensive.
The Institute of Electrical and Electronics Engineers (IEEE) developed the 802.11 protocol in the early 1990s to standardize a few independent efforts at creating true WLANs. The original 802.11 protocol operated at 2 Mbps in its client/server (infrastructure) mode, and 1 Mbps in its peer-to-peer (ad hoc) mode.
In infrastructure mode, client network adapters talk only to special radio bridges called wireless access points (WAPs) that are connected directly to the wired network. Creating the association between the client and WAP requires that the client use the same Service Set Identifier (SSID) that's programmed into the WAP. SSIDs are not technically secure because they can be sniffed. Also, clients can specify the special "ANY" SSID that will allow them to connect to any WAP that isn't secured.
Building an Infrastructure WLAN
To build an infrastructure WLAN, administrators need only place WAPs throughout their enterprise. WLAN users can then connect from their laptops to the nearest WAP to connect to the network. In the much less commonly used ad hoc mode, clients with network adapters simply communicate among themselves. To reach the Internet or another network, one of the peers must act as a router and be wired to the network.
The 802.11 protocol includes a data link layer private key encryption protocol called Wired Equivalent Privacy (WEP) that uses a 40-bit key and RC4 stream encryption. The idea behind WEP is that, while not perfectly secure, it is at least as secure as a wired network. The original 802.11 protocol was moderately successful in enterprises, but it was prohibitively expensive so it was never widely deployed in the mass market.
WEP encryption is discussed in detail in Lesson 2.
That situation suddenly changed in 1999 with the release of the 802.11b protocol that operated at 11 Mbps. The much higher speed of 802.11b for basically the same price resonated with users, and 802.11b equipment sold very well even early in its product life cycle. Manufacturers were surprised at the adoption rate of 802.11bso much so that many manufacturers and OEMs began producing equipment. Competition drove down prices, and with lower prices the adoption rate increased dramatically. Within two years, wireless networking went from relative obscurity to very widespread adoption. It is used in the majority of large businesses today, and in a significant percentage of homes and small businesses.
Early in the life cycle of 802.11b, researchers discovered that the 40-bit WEP encryption was deeply flawed. The key exchange protocol could be easily spoofed, allowing anyone with the right hacking software to connect to a WLAN. But because attaching to the network required physical proximity to the network, threats from wireless intrusion did not concern users nearly as much as threats from Internet attack, and the security flaws of wireless networks did not slow the rate of adoption. This means that a large number of non-secure wireless networks are currently deployed.
Another fundamental security problem is caused by wireless networking technology: anyone who has physical access to your network can connect a hidden WAP to it and broadcast access outside your facilities. Even if you don't implement wireless networking in your network (especially if you don't), an intruder who has access to a wired port on your network can place a low-cost 802.11b WAP on your network, and then connect to it from outside your facilities at any time. This is a potential security problem whether you use wireless networking or not, and it's an extraordinarily difficult problem to solve.
Solutions to these problems are now becoming available along with the newer 802.11a protocol, which increases speeds to 54 Mbps and introduces support for the 802.1x port authentication protocol. Many 802.11b devices as well have been retrofitted with 802.1x compatibility through firmware upgrades. The 802.1x protocol is the topic of Lesson 3.
Common Attacks on Wireless Networks
Due to the popularity of wireless networks, even ethical computer users have begun the practice of "wardriving"searching for unsecured wireless networks that can be used for surfing the Web. In most downtown areas, users can find an unsecured wireless network within a few minutes, just by watching the signal strength meter in the Wireless Network Connections window.
The typical solution to wireless security has been to treat WAPs as if they were the Internetunsecured. By placing them outside network firewalls, you force valid users to authenticate with the firewall or use VPN connections to reach the interior of the network. This doesn't prevent unauthorized users from exploiting the WAP for Internet access, but it does prevent the internal network from being exploited. Treating WAPs as if they were the Internet is a baseline security requirement for using WAPs and should be used along with all other security measures you might implement.
Prevent hackers from stealing your Internet access through WAPs by placing the WAPs in their own perimeter network that does not have Internet access. Valid users who can authenticate with the VPN can then go through the private network to reach the Internet if necessary. When hackers can't reach the Internet and can't get to the internal network, they won't bother staying attached to your wireless networks.
Other clever tactics administrators use to secure wireless networks include
-
Closed networks. Some WAPs support a "closed network" mode in which the WAP does not broadcast its SSID. Users have to know the SSID or they won't know that the wireless network exists. Closed networks can go a long way towards defeating wardrivers.
-
SSID spoofing. Special software that generates numerous WAP packets advertising bogus SSIDs causes hackers to receive so many SSIDs when they scan for a wireless network that they can't separate the one valid SSID from the many bogus ones.
-
MAC address filtering. Most WAPs support MAC address restrictions that limit the clients that the WAP will communicate with by their media access control address. This works well in smaller environments, but creates excessive administrative overhead in larger environments.
In this practice, you connect a WAP to your test network and connect a client to it. These exercises set the stage for Lessons 2 and 3.
Exercise 1: Configuring a Wireless Access Point
For purposes of illustration, this exercise configures an Intel PRO/Wireless 5000 LAN Access Point. Follow the manufacturer's instructions for configuring your specific wireless access point. Begin this exercise after you have connected the WAP to the network and powered it on.
To configure a workstation to manage a new WAP
Perform this procedure on a workstation connected to the network. You need to change your workstation's IP address so it's in the same IP network range as the WAP's default IP address so that you can connect to it to change it. If you are using a different brand of WAP, make sure you use an IP address that is close to that WAP's default IP address. If your WAP has already been configured with an IP address, you can skip this procedure.
After you've changed the WAP IP address in the next procedure, repeat this exercise to restore the workstation's original TCP/IP address.
-
Log on to the workstation using any local or domain computer account.
-
Right-click My Network Places, and click Properties. The Network And Dial-up Connections window appears, as shown in Figure 10.1.
Figure 10-1. The Network And Dial-up Connections window
-
Right-click Local Area Connection, and click Properties. The Local Area Connection Properties dialog box appears, as shown in Figure 10.2.
Figure 10-2. The Local Area Connection Properties dialog box
-
Double-click Internet Protocol (TCP/IP). The Internet Protocol (TCP/IP) Properties dialog box appears, as shown in Figure 10.3.
Figure 10-3. The Internet Protocol (TCP/IP) Properties dialog box
-
Record the computer's current IP address settings so that you can restore them after you've configured the WAP.
-
Type 192.0.2.2 in the IP Address box. Leave the Subnet Mask as 255.255.255.0.
-
Clear the Default Gateway address box.
-
Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
-
Click OK to close the Local Area Connection Properties dialog box.
-
Close the Network And Dial-Up Connections window.
To configure a WAP device
-
Open Internet Explorer, and browse to http://192.0.2.1, the address of the Intel PRO/Wireless 5000 management Web site, as shown in Figure 10.4.
Figure 10-4. The management Web site for a typical WAP
-
Click Express Setup. The Enter Network Password dialog box appears.
-
Type Intel in both the User Name and the Password boxes, and click OK. The Express Setup page appears.
"Intel" is the preconfigured user name and password that you must enter before you can choose a new user name and password. Always ensure that you use secure passwords in your work environment.
-
Type 192.168.241.254 as the Default IP Address, or any other free valid IP address in your network range.
-
Type 255.255.255.0 as the Default Subnet Mask.
-
Type 192.168.241.1 as the Default Gateway or enter the default gateway for your network.
-
Type TestWLAN in the SSID 11A box. The Express Setup page now looks like Figure 10.5.
Figure 10-5. The Intel WAP Express Setup page
-
Click Apply.
-
In the approval message box, click OK.
-
Click Restart AP to re-initialize the access point using the new settings. The access point is now configured for non-secure wireless networking.
Exercise 2: Configuring a Client Computer to Connect to the Wireless Network
In this exercise, you configure a laptop computer and attach it to the network.
To configure a client computer to connect to the wireless network
-
Log on to the Windows XP Professional laptop as an administrator.
-
Insert your WLAN adapter into the laptop. The Found New Hardware Wizard appears.
-
Follow the steps of the wizard, as directed by the hardware's documentation, to install the driver for the adapter.
-
When the Completing The Found New Hardware Wizard page appears, click Finish. A Wireless Network Connection balloon appears, as shown in Figure 10.6.
Figure 10-6. The Wireless Network Connection
-
Click the network icon in the system tray indicated by the balloon. The Wireless Network Connection dialog box appears.
-
Select Allow Me To Connect To The Selected Wireless Network Even Though It Is Not Secure, and click Connect. A Wireless Network Connection balloon appears indicating that a wireless signal has been found, as shown in Figure 10.7.
If you cannot connect to a wireless access point, move closer to the active device until a connection balloon appears.
Figure 10-7. A balloon appears indicating that a wireless link is active
-
Your network adapter should now receive an IP address if your network has a DHCP server. Otherwise, manually assign an IP address in your network range and configure the default gateway and Domain Name System (DNS) server according to the values set on the other computers in your network.
The laptop computer is now attached to the network and can operate as if it were physically wired.
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
-
What is the most common variant of the 802.11 protocol?
-
How does adding wireless capability to your network affect security?
-
What is WEP?
-
What is the most common method used to prevent WLANs from allowing access to a private network?
-
What is wardriving?
Lesson Summary
-
The 802.11 protocol is the IEEE standard for wireless networks. The 11 Mbps 802.11b variant is the most commonly used, and the new 802.11a protocol offers higher speed and improved security.
-
Security in 802.11 is implemented through the Wired Equivalent Privacy protocol, and through 802.1x port authentication.
-
It is common for administrators to place WAPs outside firewalls and treat them as Internet clients. This prevents access to the interior of the network, but allows hackers to exploit the WLAN to gain access to the Internet or to attempt to exploit the firewall.
-
Closed networks do not advertise the WAP's SSID, so clients must know what it is to authenticate with the WAP. This eliminates the ability of casual hackers to find the network and it can dramatically improve security.