Security information for wireless networks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Security information for wireless networks

Wireless networking technologies provide convenience and mobility, but they also introduce security risks on your network. For example, unless authentication and authorization mechanisms are implemented, anyone who has a compatible wireless network adapter can access the network. Without encryption, wireless data is sent in plaintext, so anyone within sufficient distance of a wireless access point can detect and receive all data sent to and from a wireless access point.

The following security mechanisms enhance security over wireless networks:

  • Windows Firewall

  • 802.11 identity verification and authentication

  • 802.11 Wired Equivalent Privacy (WEP) encryption

  • Wi-Fi Protected Access (WPA)

  • 802.1X authentication

  • IAS support for 802.1X authentication

Windows Firewall

Windows Firewall runs on each of your clients and servers. It provides protection from network attacks that pass through your perimeter network or originate inside your organization, such as Trojan horse attacks, port-scanning attacks, and worms. Like many firewall technologies, Windows Firewall is a stateful firewall. It drops all incoming traffic unless it has been sent in response to a request from the computer or has been specified as allowed. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic.

Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

In Windows Server 2003 with Service Pack 1 (SP1), Windows Firewall is disabled by default for all connections, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. Windows Firewall is also disabled by default for new connections.

If your wireless computers do not already have a firewall installed and running, it is recommended that you turn on Windows Firewall. Right-click the wireless icon in the notification area, click Change Windows Firewall settings, and then select On.

For information about Windows Firewall, see Help: Turn Windows Firewall on or off for a specific connection, Help: Add a program to the Windows Firewall exceptions list, Help: Add a port to the Windows Firewall exceptions list, and Windows Firewall and Message Queuing.

802.11 identity verification and authentication

For identity verification and authentication, IEEE 802.11 defines the open system and shared key authentication subtypes:

  • Open system authentication does not actually provide authentication; it performs only identity verification through the exchange of messages between the initiator (wireless client) and the receiver (wireless access point).

  • Shared key authentication does provide authentication by verifying that the initiator has knowledge of a shared secret. Under the 802.11 standard, it is assumed that the shared secret is sent to the wireless access point over a secure channel that is independent of 802.11.

For information about how to specify the authentication subtype that you want to use, see Define preferred wireless networks in Group Policy or Define a wireless network connection on a client computer.

Important

  • To enhance security and connectivity, do not use shared key authentication. Shared key authentication is less secure than open system authentication because it requires the exchange of a secret key that is shared by all wireless access points and clients and therefore is more vulnerable to known-text attacks. In addition, if you use shared key authentication for a wireless network that has multiple wireless access points, you will lose network connectivity when you travel from one wireless access point to a new wireless access point. In this case, you will lose connectivity because your network key will no longer match the shared key used by all wireless access points. To determine whether a wireless network you are connecting to has multiple wireless access points, use Wireless Monitor. For information about how to use Wireless Monitor to view details about wireless access points, see View details about wireless network access points.

802.11 WEP encryption

For encryption, 802.11 defines the WEP algorithm. WEP provides data confidentiality by encrypting the data that is sent between wireless clients and wireless access points.

To encrypt the data that is sent over wireless networks, WEP uses the RC4 stream cipher with either a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. A stream cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. The RC4 stream cipher, designed by RSA Data Security, Inc can accept keys of arbitrary length. Data integrity is provided through an integrity check value (ICV) in the encrypted portion of the wireless frame.

WPA

WPA is a new wireless network security technology developed by the Wi-Fi Alliance. Wi-Fi Protected Access strengthens existing cryptographic weaknesses of WEP, and introduces a method to generate and distribute encryption keys automatically. The solution also introduces an integrity check on the data so an attacker cannot modify packets of information being communicated. To improve enterprise-level user authentication, Wi-Fi Protected Access authenticates every user on the network while keeping those users from joining rogue networks. WPA presents a practical answer to dealing with the weaknesses of WEP, based on available technologies and offering forward compatibility with 802.11i and backward compatibility with existing 802.11 solutions.

802.1X authentication

802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X provides support for centralized user identification, authentication, dynamic key management, and accounting. The 802.1X standard enhances security by allowing a computer and a network to authenticate each other, generating a per-user/per-session key to encrypt data over wireless connections and providing the ability to dynamically change keys.

Important

  • For enhanced security in Windows XP Service Pack 1 and the Windows Server 2003 family, 802.1X authentication is available only for access point (infrastructure) networks that require the use of a network key (WEP).

  • It is highly recommended that you use 802.1X authentication whenever you connect to an 802.11 wireless network. If you connect to an 802.11 wireless network, and you do not enable 802.1X, the data that you send is more vulnerable to attacks, such as offline traffic analysis, bit flipping, and malicious packet injection.

EAP authentication methods

802.1X uses Extensible Authentication Protocol (EAP) for message exchange during the authentication process. With EAP, an arbitrary authentication method, such as passwords, smart cards, or certificates, is used to authenticate the wireless connection. The support that 802.1X provides for EAP types allows you to use any of the following authentication methods:

  • EAP-Transport Level Security (EAP-TLS), which uses certificates for server authentication and either smart cards or certificates for user and client computer authentication.

  • Protected EAP with EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP with EAP-MS-CHAPv2), which uses certificates for server authentication and credentials (user name and password) for user authentication.

  • PEAP with EAP-TLS, which uses certificates for server authentication and either smart cards or certificates for user and client computer authentication.

For more information, see EAP, MS-CHAP version 2, Understanding 802.1X authentication for wireless networks, and PEAP.

Security and ease of deployment

When choosing an authentication method, balance the level of security that you require with the effort that you want to devote to deployment. For the highest level of security, choose PEAP with certificates (EAP-TLS). PEAP uses TLS to enhance the security of other EAP authentication protocols. With PEAP, TLS is used to create an end-to-end encrypted channel between an EAP client (such as a wireless computing device) and an EAP server (such as an Internet Authentication Service (IAS) server). Although both PEAP with EAP-TLS and EAP-TLS alone provide strong security through the use of certificates for server authentication and either certificates or smart cards for client computer and user authentication, when PEAP with EAP-TLS is used, client certificate information is encrypted.

For the greatest ease of deployment, choose PEAP with passwords (EAP-MS-CHAP v2). PEAP with EAP-MS-CHAP v2 requires the least effort to deploy, because client authentication is password-based, so certificates or smart cards do not need to be installed on clients. Because PEAP creates an end-to-end encrypted channel before EAP-MS-CHAP v2 authentication occurs, the authentication exchange reduces the risk of offline dictionary attacks.

The session keys that are generated during the PEAP authentication process provide keying material for the WEP encryption keys that encrypt the data that is sent between wireless clients and wireless access points. In addition, PEAP supports fast reconnect. PEAP fast reconnect allows roaming users to maintain continuous wireless network connectivity when traveling between different wireless access points on the same network, as long as each wireless access point is configured as a client of the same IAS (RADIUS) server.

For information about certificate requirements for 802.1X authentication methods, see Network access authentication and certificates. For information about deploying smart cards, see Checklist: Deploying smart cards for logging on to Windows.

Important

  • When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type--one with and the other without the protection of PEAP--creates a security vulnerability.

IAS support for 802.1X authentication

To enhance the security and deployment of wireless networks, you can use 802.1X with IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy server. When RADIUS is implemented, wireless access points that are configured as RADIUS clients use the RADIUS protocol to send connection requests and accounting messages to a central RADIUS server. The RADIUS server accesses a user account database and set of rules for granting authorization, processes the wireless access point's connection request, and then either accepts or rejects the connection request.

For more information about 802.1X authentication, see Understanding 802.1X authentication for wireless networks. For information about wireless network client configuration, see Configuring wireless network settings on client computers. For information about configuring IAS for wireless access authentication, see Checklist: Configuring the IAS server and wireless access points for wireless access and Wireless access.