
Use Win2K IPSec policies to protect your WLAN

Wireless LANs (WLANs) offer amazing flexibility and ease of use. WLANs let users move from office to conference room while keeping their laptops connected to the corporate IP-based network. These benefits come with a price, however. Current WLAN security standards are flawed, so many administrators must find alternative ways to secure their WLANs. Many security organizations and consultants recommend the use of VPNs to secure WLAN installations, but VPNs can be costly to deploy correctly and can create bottlenecks in your infrastructure. An easier and less expensive alternative exists—IP Security (IPSec) policies. If you administer or are planning to deploy a Windows 2000 WLAN, you can use IPSec and Win2K Group Policy to provide security without the added cost and potential bottlenecks of a VPN. (See the Web-exclusive sidebar "Alternative Means of Securing WLAN Traffic," http://secadministrator.com, InstantDoc ID 23443, to determine whether IPSec is right for your WLAN environment.)

The Flaws in WLAN Standards
The most cited concerns about WLANs are unauthorized wireless stations' (i.e., wireless-enabled systems) ability to eavesdrop on traffic between legitimate stations and Access Points (APs) and those stations' ability to connect to the WLAN and send and receive data. The WLAN technologies that most corporate environments currently use conform to the IEEE 802.11 and 802.11b standards (which define how wireless NICs communicate with APs to establish and maintain a network) and to the Wired Equivalent Privacy (WEP) protocol. WEP uses the RC4 algorithm to encrypt and secure packets between stations and APs and to prevent unauthorized stations from joining the WLAN. To provide additional security, many WLAN equipment vendors let you maintain a list of the legitimate station hardware media access control (MAC) addresses that can join your WLAN. However, researchers have investigated WEP's ability to secure WLAN communications and have found it lacking. (For information about WEP's flaws, see "Security of the WEP algorithm" at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html, and Mark Joseph Edwards' Security UPDATE article "802.11 Wireless Networks: Is Yours Really Safe?" http://www.secadministrator.com, InstantDoc ID 22147.) Therefore, you might need an additional way to secure your WLAN—and implementing IPSec is a quick and effective method.

Preparing Your WLAN for IPSec
To ease the process of configuring IPSec and administering WLAN security, follow a few guidelines for the physical and logical organization of your Win2K WLAN. The purpose is to separate your systems so that you can use Group Policy to distribute and maintain IPSec policies instead of configuring each system manually.

  1. Dedicate IP subnets for your wireless stations.
  2. Dedicate a separate subnet or subnets for the servers in your network.
  3. For each domain that contains wireless stations, create an organizational unit (OU) in Active Directory (AD), then place the stations' Computer accounts into the OU.
  4. For each domain that contains servers with which the stations will connect, create an OU, then place the servers' Computer accounts into the OU. You might want to create an OU hierarchy (e.g., create second-level OUs to separate file and print servers, application and database servers, and domain controllers—DCs) to further categorize each domain's servers.

After you complete these steps, you need to create IPSec policies for your wireless stations and the servers with which those stations need to communicate. You must craft these policies to guarantee encrypted communications between the stations and servers. The simplest way to do so is to create a station policy that responds to requests for secure communications and a server policy that identifies the wireless stations' subnet.

Creating a Station Policy
Create the station policy first, especially if you plan to apply the server policy to your DCs. Otherwise, the server policy will prevent the DCs from communicating with the stations, and you won't be able to use Group Policy to distribute the station policy.
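To make the two-policy design concrete (a respond-only station policy plus a server policy keyed on the wireless subnet) and to show why the rollout order above matters, here is an added Python model that is not part of the article. The wireless subnet 192.168.50.0/24, the station address and the outcome labels are constructed for the illustration; the filter-action semantics follow Win2K's Permit, Request Security (falls back to clear) and Require Security (no fallback).

```python
from ipaddress import ip_address, ip_network

# Filter actions, named as the Win2K IPSec policy UI presents them.
PERMIT, REQUEST, REQUIRE = "Permit", "Request Security", "Require Security"
WIRELESS_STATION = "192.168.50.23"               # constructed station address
SERVER_RULES = [("192.168.50.0/24", REQUIRE)]    # constructed wireless subnet

def server_action(src, rules):
    """Filter action of the first server rule whose subnet contains src."""
    for subnet, action in rules:
        if ip_address(src) in ip_network(subnet):
            return action
    return PERMIT  # unmatched traffic (e.g. wired hosts) passes unsecured

def deliver(src, rules, station_responds):
    """Fate of one station->server packet. station_responds models whether
    the station's respond-only IPSec policy has already reached it."""
    action = server_action(src, rules)
    if action == PERMIT:
        return "clear"
    if station_responds:
        return "esp"        # IKE negotiation succeeds: traffic is protected
    if action == REQUEST:
        return "clear"      # soft fallback: silently unprotected
    return "dropped"        # Require Security with no responder

def rollout(order):
    """Apply 'station' and 'server' policies in the given order; after each
    step record what a wireless station's traffic to a DC looks like."""
    rules, station_responds, log = [], False, []
    for step in order:
        if step == "server":
            rules = SERVER_RULES
        elif deliver(WIRELESS_STATION, rules, station_responds) == "dropped":
            log.append("station policy never arrives")  # GPO needs the DC
            continue
        else:
            station_responds = True
        log.append(deliver(WIRELESS_STATION, rules, station_responds))
    return log

if __name__ == "__main__":
    print(rollout(["station", "server"]))  # ['clear', 'esp']
    print(rollout(["server", "station"]))  # ['dropped', 'station policy never arrives']
    print(deliver("10.0.0.5", SERVER_RULES, False))  # clear (wired host, no rule)
```

The second rollout reproduces the trap described above: once the DCs require security from the wireless subnet, a station that has not yet received its respond-only policy can no longer reach a DC to pick it up.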

To create the station policy, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select the OU that contains the stations' Computer accounts. Right-click the OU, select Properties from the context menu, then go to the Properties dialog box's Group Policy tab. You can modify an existing Group Policy Object (GPO), but I recommend you create a new one. After you do so, the Group Policy window, which Figure 1 shows, opens automatically.

Expand Computer Configuration, Windows Settings, Security Settings, and select the IP Security Policies on Active Directory object. This object contains three default IPSec policies. Microsoft recommends that you create a policy rather than modify one of these default policies. To create your station IPSec policy, right-click the IP Security Policies on Active Directory object (or right-click anywhere in the console's right-hand pane), then select Create IP Security Policy from the context menu. This action launches the IP Security Policy Wizard; click Next. The wizard's first step prompts you to name the new policy and provide a description for it. Figure 2 shows a sample name and description. Click Next.
