WindowsNetworking.com Monthly Newsletter of March 2008 Sponsored by: GFI
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
Without a doubt, wireless networking has to be the number one computer technology advance in the last decade. No longer are we chained to our desks to connect to the network. Now we can lug our laptops around to virtually anywhere to connect to the Internet or even connect to our home or office networks over the wireless connection to the Internet. Our information is always with us with the help of wireless networking.
But with all the goodness that comes with wireless networking, there are some potential downsides too. The biggest downside is that malicious users can break into your wireless networks a lot more easily than they can break into your wired networks. While hackers and other malcontents would have to breach the physical security of your home or business to get into your wired network, the same person can sit outside, comfortably in his car, and work on breaking into your personal or business wireless network.
There are a lot of methods shared on the Internet, in magazines, on TV shows and on the radio on how to secure your wireless network. Some of them are useful, but there are a lot of misconceptions out there that are considered to be best practices when they are not.
First, let's look at several things that you should not do to secure your wireless network:
The SSID is your wireless network name. Some people recommend turning this off so that casual users will not be able to determine the name of your wireless network. The problem is that SSID suppression does not prevent anyone other than a newbie from connecting to your network, because management frames that include this information are still broadcast. It also causes problems with the Windows Wireless AutoConfiguration and can negatively impact performance.
MAC address filtering allows you to control which MAC addresses can connect to the WAP. The problem with MAC address filtering is that it adds a significant amount of administrative overhead to keep the MAC addresses current, and it does not stop a hacker from spoofing an allowed MAC address, which is relatively easy to do.
WEP is an outdated method of securing wireless networks and should be banned from all wireless network deployments. If you are still using WEP, you need to change to WPA2, and if your WAP does not support it, then you need to upgrade all of your WAPs.
VPN connections to a VPN gateway through a wireless connection can secure the communications within the wireless network. While this is a secure configuration, VPN connections are not really needed to secure wireless frames and they add unneeded complexity and often cause problems with roving wireless users.
Now, what should you do to secure your wireless networks? Consider the following:
EAP/TLS is the most secure method you can use to protect your wireless networks. However, it does require that you put together a Public Key Infrastructure (PKI). If you do not want to put together a PKI, you can use Protected EAP-Microsoft Challenge Handshake Authentication Protocol Version 2 (PEAP-MS-CHAPv2). WPA2 is currently the standard wireless encryption protocol and should be the only version deployed on your networks at this time.
If you have older WAPs, you can use WPA instead of WPA2. While not as secure as WPA2, if you combine WPA with EAP/TLS or PEAP-MS-CHAPv2 and strong passwords, it can result in a reasonably secure solution that will protect you until you have the chance to upgrade your WAPs.
It takes some effort to create a secure solution, but the benefits of securing your wireless networks using these best practices will go a long way toward protecting your home or business network from being compromised by a hacker across the street. For more information and details on implementing a secure wireless network using Windows servers and clients, check out the Microsoft Wireless Networking page.
See you next month. Thanks!
Quote of the Month - "We are an impossibility in an impossible universe"
I was setting up a new network last month and part of the project was to upgrade several machines to Windows Server 2008 and introduce completely new Windows Server 2008 machines. One of the reasons for introducing Windows Server 2008 into this new network was to take advantage of the new Network Access Protection (NAP). If you do not know about NAP, it is a new technology included with Windows Server 2008, Windows Vista and Windows XP SP3 that allows you to quarantine machines that do not meet your security configuration requirements.
When you set up NAP, you need to configure the policy enforcement client software. The enforcement client is responsible for implementing the method of enforcement you want to use for NAP. Examples of enforcement clients are the DHCP and IPsec enforcement clients. While you can enable the enforcement clients on each machine manually, this is not really a realistic scenario. What you want to do is create an OU for those machines, then create a GPO that configures the NAP client settings, and then use Group Policy security group filtering to apply those Group Policy settings. This makes it very easy to deploy your NAP client-side settings.
The problem is that when you apply the Group Policy settings for the NAP enforcement client by clicking Apply in the context menu, those settings do not seem to stick. If you open the GPMC.msc console again, you will see that the GPO setting still reads "disabled", even though it said enabled when you closed the console. The solution is to repeat the enable procedure. I found this to be a consistent finding and it is something you might want to consider when your NAP clients cannot log on to the network.
QUESTION: I have a small network in my home and home office where I have Cat 6 cable wired into every room in the house and have a central punch panel in my server room (I dedicate a room in my house to the server room). Sometimes I notice the lights on the central switch all blink at the same time, like the switch is having a seizure or something. This seems to happen most often when my Internet firewall goes offline. I'm just curious why this happens. Thanks! --Johnson.
When all the lights on the switch seem to blink in unison, it is often an indication of an Ethernet broadcast storm. What is happening is that one or more machines connected to that switch are looking for the MAC address of a machine that is not on the network. It makes sense that this happens when your Internet gateway machine is offline, since all of the machines on your network are configured to use your Internet gateway to find a path to the Internet. These machines are all sending out an Ethernet broadcast message trying to find the MAC address of the default gateway's IP address. Since the gateway machine is offline, it cannot respond to your machines' requests for the MAC address, and they continue to make requests until they find that MAC address.
You will also see this kind of behavior when you have worms on your network and they scan your network for ranges of IP addresses to infect. When they are scanning, they are quickly broadcasting for MAC addresses of IP addresses that they are trying to connect to, and will cause your switch to light up in the same way as the missing default gateway example above.
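The two broadcast patterns described in this answer can be told apart from an ARP capture summary. The following is an added example (not from the newsletter) run over a constructed sample: many senders repeatedly asking for one address that never answers points at a missing host such as an offline default gateway, while one sender asking for many different addresses points at a host sweeping the subnet. The thresholds and the line format are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

# Constructed ARP capture summary (not a real trace), one frame per line:
# "<sender_ip> <request|reply> <target_ip>". Requests are Ethernet
# broadcasts (who-has); replies are unicast (is-at).
SAMPLE_ARP = "\n".join(
    # every client keeps asking for the gateway 192.168.1.1, which is offline
    [f"192.168.1.{c} request 192.168.1.1" for c in (10, 11, 12, 13) for _ in range(3)]
    # one host sweeps a range of addresses, none of which answer
    + [f"192.168.1.50 request 192.168.1.{t}" for t in range(100, 112)]
    # normal traffic: a request that gets a reply
    + ["192.168.1.40 request 192.168.1.60", "192.168.1.60 reply 192.168.1.40"]
)

def parse_arp(text):
    """Return (sender_ip, opcode, target_ip) tuples, skipping malformed lines."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("request", "reply"):
            frames.append((parts[0], parts[1], parts[2]))
    return frames

def analyze_arp(frames, min_requests=5, min_fanout=8):
    """Classify the broadcast patterns in a list of ARP frames.

    missing_hosts: targets asked for by at least two senders, at least
    min_requests times in total, that never send a reply (offline gateway).
    scanners: senders that ask for at least min_fanout distinct targets (sweep).
    """
    requests = defaultdict(Counter)  # target -> Counter of senders asking for it
    fanout = defaultdict(set)        # sender -> set of targets it asked for
    responders = set()               # hosts that answered at least once
    for sender, op, target in frames:
        if op == "request":
            requests[target][sender] += 1
            fanout[sender].add(target)
        else:
            responders.add(sender)
    missing = sorted(
        t for t, senders in requests.items()
        if t not in responders and sum(senders.values()) >= min_requests and len(senders) >= 2
    )
    scanners = sorted(s for s, targets in fanout.items() if len(targets) >= min_fanout)
    return {"missing_hosts": missing, "scanners": scanners}

if __name__ == "__main__":
    print(analyze_arp(parse_arp(SAMPLE_ARP)))
```

Replies to the sweep never appear in the sample, so each swept address is asked for only once and is not reported as missing; only the gateway, asked for by every client, is.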
QUESTION: I am looking for a better way to secure my network's wireless access point. Right now our company is using WPA2 with a pre-shared key. While I am sure that the sessions are protected using WPA2, the pre-shared key method is not very scalable, and when I discover that the key has been compromised, everyone has to go out and manually change their pre-shared keys. Is there a way to make my solution more secure without having to do too much? Thanks! -Richard J.
There are a number of options available to you. If you want to increase the security of your WiFi connection, then replace the shared key method by using EAP-TLS authentication. EAP-TLS is the most secure 802.1X method of securing your connection. You will need to put up a Public Key Infrastructure and deploy certificates to your machines. Machines without certificates will not be able to connect. If you do not want to put together a PKI, you can still use PEAP-MS-CHAPv2 with strong user passwords.
Another option that you can use that will help secure all the computers on your network and prevent rogue machines from compromising your assets is to use domain and server isolation using IPsec. You can control the IPsec settings by using Group Policy, so you do not have to worry about configuring each machine. When rogue machines connect to your network, they will not be able to connect to your clients and servers because they will not be able to set up the IPsec security associations. Only domain member machines will be able to connect to other domain members. This allows you to provide network access to machines that are not members so that they can connect to the Internet, but they will not be able to connect to any of your machines.
Got a question for Dr. Tom? Send it to firstname.lastname@example.org.