Data Privacy through Encryption
VPN gateways use cryptographic encryption algorithms and protocols to provide data security. The most commonly used protocol is known as Internet Protocol Security (IPSec), and the most commonly used encryption algorithm is known as Triple-Digital Encryption Standard (Triple-DES or 3-DES).
Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT) Services
VPN gateways act as a Dynamic Host Configuration Protocol (DHCP) server and assign each VPN peer (a client or another gateway) a unique IP address that does not belong to the protected LAN. When data is received from the VPN peer for the protected LAN or from the protected LAN for the VPN peer, the VPN gateway performs the translation of the addresses and transmits the data to the intended party. For example, let's assume that, upon successful authentication, a VPN gateway assigns an IP address 192.168.0.10 to a VPN peer, and the LAN that the VPN gateway was protecting uses 100 IP addresses from 193.168.1.100 to 193.168.1.200. In this case, the VPN gateway may create an entry in a table, called a network address table, that consists of two IP addresses, one that was assigned to the VPN peer and the other an unused IP address from the protected LAN. This entry could look like the one shown in Table 10.1.
Table 10.1: A Sample Network Address Table with One Entry
PEER IP ADDRESS LAN IP ADDRESS
192.168.0.10 193.168.1.201
When the VPN gateway receives data from the VPN peer, it performs a network address table lookup and an address translation (substitutes the address in the data packet from 192.168.0.10 to 193.168.1.201) so that the data packet can be recognized and properly delivered in the protected LAN. The VPN gateway performs a reverse translation when data originate from the protected LAN intended for the VPN peer. This translation of the IP address is known as Network Address Translation (NAT).
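The table lookup and reverse translation described above, as an added example that is not part of the book: a peer that authenticates is lent one unused LAN address, packets are rewritten in both directions, and a packet from a peer with no table entry is dropped. The class, the packet dict shape and the lending pool (193.168.1.100 to .254 with .100 to .200 occupied) are assumptions.

```python
import ipaddress

# Added example, not code from the book: a model of the VPN gateway's network
# address table (Table 10.1). Peers hold virtual addresses outside the protected
# LAN; the gateway lends each one an unused LAN address and rewrites packets
# ({"src": ..., "dst": ...}) in both directions.

class NetworkAddressTable:
    def __init__(self, pool_first, pool_last, in_use):
        # LAN addresses the gateway may lend, skipping those used by real hosts.
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        candidates = (str(ipaddress.IPv4Address(n)) for n in range(first, last + 1))
        self._free = [ip for ip in candidates if ip not in in_use]
        self.peer_to_lan = {}  # PEER IP ADDRESS -> LAN IP ADDRESS
        self.lan_to_peer = {}  # reverse index for the return path

    def assign(self, peer_ip):
        """Bind an authenticated peer to one unused LAN address."""
        if peer_ip in self.peer_to_lan:  # re-authentication keeps its entry
            return self.peer_to_lan[peer_ip]
        if not self._free:
            raise RuntimeError("no unused LAN address left for VPN peers")
        lan_ip = self._free.pop(0)
        self.peer_to_lan[peer_ip] = lan_ip
        self.lan_to_peer[lan_ip] = peer_ip
        return lan_ip

    def to_lan(self, packet):
        """Peer -> LAN: swap the virtual source address; unknown peer -> drop."""
        lan_ip = self.peer_to_lan.get(packet["src"])
        if lan_ip is None:
            return None
        return {"src": lan_ip, "dst": packet["dst"]}

    def to_peer(self, packet):
        """LAN -> peer: reverse translation of the destination address."""
        peer_ip = self.lan_to_peer.get(packet["dst"])
        if peer_ip is None:
            return None
        return {"src": packet["src"], "dst": peer_ip}


def book_scenario():
    """Table 10.1: LAN hosts occupy 193.168.1.100-.200, the peer gets 192.168.0.10."""
    lan_hosts = {f"193.168.1.{h}" for h in range(100, 201)}  # constructed sample
    table = NetworkAddressTable("193.168.1.100", "193.168.1.254", lan_hosts)
    table.assign("192.168.0.10")  # lands on 193.168.1.201, as in Table 10.1
    return table
```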
VPN gateways authenticate users, provide data privacy, and act as routing agents by assigning virtual IP addresses (IP addresses that are not part of the LAN) to the VPN clients and translating them to real addresses.
VPN Clients
A VPN user's computer is normally equipped with a VPN client. The VPN client software facilitates VPN connectivity between a VPN gateway and the user's computer by providing the authentication information to the VPN gateway, obtaining and assuming the IP address from the VPN gateway, and performing encryption and decryption operations on all TCP/IP data transmission between the client computer and the VPN gateway. For a VPN client to successfully establish and maintain a connection, it must use encryption algorithms, authentication, and VPN protocols that are compatible with the VPN gateway.
Depending on the deployment nature, security, and performance requirements, a VPN implementation may consist of all software, all hardware, or a mixed solution.
VPN Gateway Software
Similar to the VPN client software, most server operating systems, for example Microsoft Windows XP and Windows 2000 servers, come with VPN gateway software preinstalled and only require proper configuration. The VPN gateway authenticates the remote VPN client and provides data privacy by transmitting all data in encrypted form.
Basic VPN Operation
The basic operation of VPN can be summarized as follows:
• VPN client and gateway are properly installed and configured to use the same encryption and authentication algorithms.
• A user account is created and allowed VPN connectivity. The user is provided with proper authentication information, for example the user-name and password, and the gateway IP address information.
Now that we are familiar with the two advanced security technologies, the 802.1X and the VPN technologies, let's use them to build a secure wireless LAN.
Building a Secure Wireless LAN with 802.1X and VPN Technology
In this example, we build a wireless LAN that consists of a wireless LAN user and an AP and that communicates with a wired LAN using a software-based VPN solution. The following are the network components that are necessary to build this LAN:
A laptop computer equipped with ORiNOCO 802.11 Silver PC Card and Windows XP
Figure 10.1: A wireless LAN with 802.11 authentication support
Let's walk through the steps to build our secure wireless LAN that uses the robust 802.1X and VPN connectivity. We will first set up the LAN to use 802.1X, and then we will add the VPN support to the LAN.
Setting Up the 802.1X for Wireless LAN
The 802.1X solution we are presenting here consists of a wireless LAN adapter with an 802.1X software driver, an 802.11 AP with 802.1X support, and a wired LAN that is directly connected to the AP and consists of a RADIUS server and a desktop computer. In this example, we use Microsoft Windows 2000's Internet Authentication Service as our RADIUS server, a Cisco 350 Series AP as the AP, and a client laptop computer equipped with an ORiNOCO 802.11 Silver PC Card.
Configuring the RADIUS Server for the Wireless Users
Configuring the Windows 2000 Server's RADIUS service for use with our example server requires the following steps to be performed:
• Click Start, point to Administrative Tools, and then point to Internet Authentication Service. Figure 10.2 shows the Internet Authentication Service screen.
Figure 10.2: The Internet Authentication Service in Windows 2000
• Click on Edit Profile and select the Authentication tab. Figure 10.3 shows the Authentication tab. Make sure Extensible Authentication Protocol (EAP) is selected. Deselect other authentication methods listed. Click OK.
Figure 10.3: Windows 2000 Internet Authentication Service Authentication tab
• Windows asks you if you wish to view the Help topic for EAP; select No if you just want to get on with the installation. Click Finish.
Enabling Remote Access Login for Wireless LAN Users
• Click Start, point to Administrative Tools, and select Active Directory Users and Computers.
• Double-click on the user for which you want to enable authentication to bring up its account properties.
• Select the Dial-in tab, and select Allow Access. Click OK.
Configuring the Wireless LAN AP for 802.1X Authentication Protocol
You must configure the AP to use the RADIUS server. We assume that you have already performed the AP configuration using Bob's desktop computer, which is connected to the AP via the wired Ethernet LAN.
We assume that you have set the proper SSID and channel on which the access point will operate and that you have taken the proper steps to secure the access point itself. These instructions use the Web management interface, although the identical configuration options are available from the terminal connection. It's important that you're running at least 11.08T firmware; as of this writing, the latest, 11.10T, is best. The following are the steps necessary to ensure proper setup of 802.1X:
CONFIGURING THE RADIUS SETUP
Log in to the AP Configuration setup using a Web browser.
5. Under Server Name/IP, enter the IP address of the authentication server you've already set up with the Internet Authentication Service.
6. Server Type should be RADIUS, port 1812, and enter the shared secret that you set in step 5 of the server setup. Timeout can probably remain at the default 20 seconds, and ensure EAP Authentication is selected. Figure 10.4 shows the configuration screen of the Cisco 350 Series AP 802.1X setup.
Figure 10.4: Cisco 350 Series AP 802.1X setup screen
7. Select OK.
Enabling the 802.1X EAP Authentication
1. Go back to the Security screen. Select Radio Data Encryption (WEP). Figure 10.5 shows the WEP setup screen for the Cisco 350 Series AP where you enable EAP.
Figure 10.5: Cisco 350 Series AP WEP setup screen for EAP
2. Deselect all authentication types except for the Open options of Accept Authentication Type and Require EAP.
3. Select OK.
ENABLING ENCRYPTION
The only way to ensure strong mutual authentication between Windows XP and the access point is to enable dynamic WEP. Without it, your machines are vulnerable to a man-in-the-middle attack. 802.1X port access authentication isn't enough by itself.
Go back to the Radio Data Encryption (WEP) page.
Configuring the Wireless LAN Adapter Software for 802.1X Protocol
For this task you should already be familiar with the steps required to install a wireless LAN adapter and the necessary software drivers; thus, we will examine only the configuration steps that are required for the 802.1X authentication support.
Enabling 802.1X Authentication for Wireless Card:
1. Open up the properties for your wireless connection, either by right-clicking on My Network Places on the desktop and selecting Properties, or open up the Control Panel and select Network Connections (located under Network and Internet Connections if in Category View).
2. Right-click on the Wireless Network Connection, and select Properties. Figure 10.7 shows the wireless network connection properties.
Figure 10.7: Wireless network connection properties under Windows XP.
3. Select the Authentication tab, and ensure that Enable Network Access Control Using IEEE 802.1X is selected, and username/password-based EAP-MD5 is selected from the EAP type. Figure 10.8 shows the wireless network authentication screen in Windows XP.
Figure 10.8: Wireless network authentication screen in Windows XP
Adding VPN Connectivity to Provide Higher Security
The preceding steps described how to improve WEP support, as defined in the basic 802.11 wireless LAN, by using the 802.1X authentication protocol. Adding VPN connectivity provides an additional layer of security that complements the security provided by the 802.1X protocol. In this section, we present an example of setting up VPN connectivity between a wireless LAN client computer installed with Microsoft Windows 2000 OS and a computer on the wired LAN installed with Microsoft Windows 2000 Server.
Setting Up Windows 2000 VPN Gateway/Server
Configuring a Windows 2000 server for use as a VPN server includes the following steps:
1. Install and enable VPN. Most of the VPN server components are preinstalled on the Windows 2000 server; still, you need to install some components and enable the VPN server.
2. Configure the VPN server. You also have to configure the security parameters for Point-to-Point Tunneling Protocol (PPTP), which provides data encryption using Microsoft Point-to-Point Encryption, and for the Layer Two Tunneling Protocol (L2TP), which provides data encryption, authentication, and integrity using the IPSec protocol.
Installing and Enabling VPN
To install and enable a VPN server, follow these steps:
On the Microsoft Windows 2000 VPN Server, confirm that the connection to your local area network (LAN) is correctly configured.
a. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
Click the server name in the tree, and then click Configure and Enable Routing and Remote Access on the Action menu. Figure 10.10 shows the Routing and Remote Access screen in Windows 2000. Click Next.
Figure 10.10: Routing and remote access screen in Windows 2000
Figure 10.11: Remote Client Protocols dialog box showing the client protocols
3.
4. In the IP Address Assignment dialog box, select Automatically in order to use the DHCP server on your subnet to assign IP addresses to dial-up clients and to the server.
10. In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now check box is selected. Click Next, and then click Finish.
Configuring the VPN Server
To configure the VPN server, follow the steps in the following paragraphs.
Configuring the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols so that all the locations in the virtual LAN are reachable from the remote access server. Follow these steps to configure the server as a router:
Click Start, point to Administrative Tools, and then click Routing and Remote Access.
Right-click the server name, and then click Properties.
Setting Up Addresses and Name Servers
The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client.
For Windows 2000-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to assign to the VPN client during IPCP negotiation.
Setting Up Users for VPN Access
By default, users are denied access to dial-up. Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.
VPN Access by User Account
If you are managing remote access on a user basis, click Allow Access on the Dial-In tab of the user's Properties dialog box for those user accounts that are allowed to create VPN connections. Delete the default remote access policy called "Allow Access If Dial-In Permission Is Enabled." Then create a new remote access policy with a descriptive name, such as "VPN Access If Allowed By User Account." For more information, see Windows 2000 Help. If the VPN server is also allowing dial-up remote access services, do not delete the default policy, but move it so that it is the last policy to be evaluated.
VPN Access by Group Membership
If you are managing remote access on a group basis, click the Control Access through Remote Access Policy radio button on all user accounts. Create a Windows 2000 group with members who are allowed to create VPN connections. Delete the default remote access policy called Allow Access If Dial-In Permission Is Enabled. Next, create a new remote access policy with a descriptive name such as "VPN Access If Member of VPN-Allowed group," and then assign the Windows 2000 group to the policy. If the VPN server also allows dial-up networking remote access services, do not delete the default policy; instead move it so that it is the last policy to be evaluated.
Configuring the VPN Client
Follow these steps to set up a connection to a VPN:
Log in as the administrator on the client computer. This option is available only if you are logged on as a member of the Administrators group.
7.
Figure 10.13: VPN server identification settings screen.
8. Click to select For All Users if you want the connection to be available to anyone who logs on to the computer, or click to select Only for Myself to make it available only when you log onto the computer. Click Next.
9. In the Completing the Network Connection Wizard screen, type a descriptive name for the connection, and then click Finish. The Completing the Network Connection Wizard screen is shown in Figure 10.14.
Figure 10.14: Completing the Network Connection Wizard screen
Testing the VPN Connectivity
To test the VPN connectivity, follow these steps:
3. Click Start, point to Settings, and then click Network And Dial-Up Connections.