Showcase: Secure Wireless LAN at Microsoft Technical Presentation

Showcase
Wireless LAN Deployment at Microsoft
Supporting the Mobile Knowledge Worker
Published January 2002
Agenda
• Wireless Local Area Network (WLAN) Description
• Information Technology Group (ITG) WLAN Deployment Project
  • Drivers
  • Schedule and tasks
  • Requirements
  • Piloting
  • Results
• Engineering Considerations
• Security Considerations
• Installation Approach – Concealed System
• Lessons Learned
• Reference Information
What is Wireless LAN (WLAN)?
• Global & Universal Area: Satellite Data Networks
• Wide Area & Metro Area: Cellular-based mobile data (CDPD/GPRS); Fixed Microwave Wireless (LMDS/MMDS); Wireless Local Loop (WLL)
• Local Area: Wireless LAN (WLAN)
• Personal Area: Bluetooth; Infrared Data Association (IrDA)
ITG WLAN Deployment Project Drivers
• Executive Call to Action
• Microsoft is Developing Software for Wireless Environments
• Multiple User Requests for WLAN Technology Deployment to Increase User Mobility
• Standardization and Interoperability
• Pilot
  • Puget Sound area buildings
  • Deploy to worldwide subsidiary offices as budget and local regulations permit
ITG WLAN Deployment Project Schedule and Tasks
• 150 user proof of concept (3 months)
• Submitted RFI for 802.11b products (1 month)
  • Two RFI finalists selected and lab tested both
• Pilot: four buildings, more than 600 users (2 months)
• Completed Engineering & Operations Standard design documentation (1 month)
• 63 building campus wireless deployment (8 months)
  • 1300+ Access Points (APs)
• Worldwide wireless deployments (on-going)
  • 1200+ APs
• 802.1x enhanced wireless security deployment (1 month)
  • Covered 70 buildings in Puget Sound area and 23 remote locations
ITG WLAN RFI Infrastructure Requirements
• Network Administration of APs
  • Full support for
    • Simple Network Management Protocol (SNMP)-II Management Information Base (MIB)
    • 802.11 extended MIBs
    • HP OpenView integration
  • Scalable, scripted AP firmware and configuration updates
  • Little to no user account administration, but secured
• Enterprise Installation Considerations
  • Low cost for all hardware
  • Power supply configuration options
  • Inexpensive plenum installation
  • Variety of antenna solutions to increase or direct Radio Frequency (RF) coverage
• Security
  • Encryption and authentication of the wireless link
  • Secured administrative access to wireless APs
  • No removable cards from APs
ITG WLAN RFI Infrastructure Requirements
• 802.11b Installation with an Infrastructure Migration Path to 802.11a
• Troubleshooting Tools for End User and Infrastructure
• Windows® Hardware Quality Labs (WHQL)-certified Driver Support
  • Windows XP and Windows .NET Server
  • Windows CE 2.11 and Pocket PC
  • Windows NT® 4 and Windows 2000
  • Windows 98 and Windows 98 SE
• Adapter Types
  • PC Card (primary choice)
  • PCI and USB
  • Mini-PCI or other integration in laptops
ITG WLAN RFI Infrastructure Requirements
• Health and Safety Issues
  • FCC approved
  • Support to address health and safety issues
    • Documentation, Web sites, Q&A sessions, contact information
• Wireless Home LAN Hardware Solution
  • Under $250
  • Easy to use and support
  • Must promote security – Wired Equivalent Privacy (WEP)
  • Provides Network Address Translation (NAT)/Dynamic Host Configuration Protocol (DHCP) function
  • Variety of products and accessories – hubs, routers, external antennas, and wireless repeating
  • Robust support for home users provided by vendor
ITG WLAN RFI Infrastructure Requirements
• Installation Considerations
  • Power supply configuration options
  • Inexpensive plenum installation support
  • Flexible antenna solutions to increase coverage area
• Worldwide Deployment
  • Worldwide certification and support
  • Manage differing RF and security requirements across different countries
ITG Aironet/Cisco Pilot
• Pilot WLAN in Three Buildings and One Cafeteria
  • More than 600 users participated
  • PC Card adapters only
  • 112 Aironet 4800B 802.11b APs
  • 11 megabits per second (Mbps) shared connection
  • 128-bit shared WEP key
  • Installed APs using existing wall power and network connections
• Surveyed Users at the End of the Pilot
  • Greater than 50% response rate
WLAN Pilot Survey Results
• 50% saved 0.5 - 1.5 hours per day due to their WLAN connection
• 10% used Windows CE devices
• 18% wanted PCI desktop support for testing, demos, home networking
• 24% used WLAN for more than six hours per day
• 93% used their computer in new locations
  • In conference rooms, hallways, or in other employee offices
• 72% could work without a wired connection
• 88% were interested in purchasing WLAN equipment for use at home
• 66% felt they could run any application or installation over the WLAN connection
WLAN Pilot Operational Recommendations
• Require concealed installations
  • Reduces user RF health and safety concerns
• Require multicast application support
• Require client and infrastructure troubleshooting tools
WLAN Engineering Recommendations
• AP Placement (to minimize user/AP ratio)
  • Decrease cell size (to 10 meter radius)
  • Increase cell density
  • Overlapping cells via channel configuration
  • Force 5.5-11 Mbps connections only
  • Mitigate possible Bluetooth interference
  • Create a migration path to 802.11a
• Single Broadcast Service Set Identifier (SSID)
  • Enhanced usability with Windows XP Zero Configuration wireless client
• Client and Helpdesk Troubleshooting Tools
  • AP Monitor in Windows XP
WLAN Engineering Recommendations
• Each Separate Building Has a Dedicated DHCP Subnet for WLAN
  • Enables seamless roaming within building
  • Reduces collision domain
  • Restricts NetBIOS access to that building segment
  • Utilize Windows 2000, Windows XP automatic DHCP when changing subnets
  • Enhances security
• Low Voltage Wiring or Inline Power
  • To enable cold booting of APs from a centralized or remote location
• Easy Client Setup – Plug and Play
• AP Load Balancing
802.11b Security Concerns
• WEP
  • Unique key required across enterprise
  • 802.11b standard is only 40-bit
  • 128-bit is proprietary
  • WEP keys are not dynamically changed and therefore vulnerable to attack
    • Using a PC-based tool and 802.11b antenna, a 128-bit WEP key can be hacked within two hours, and a 40-bit key within 40 minutes
  • Difficult to change or administer
• Media Access Control (MAC) Address Filtering
  • Not scalable
    • Exception list must be administered and propagated to all APs
    • The list may have a size limit
  • MAC address must be associated to a user name
    • User could neglect to report a lost or stolen card
    • User could change the MAC address
The 802.1x Solution
• Client network access (link layer) is controlled by the AP based on domain user and/or machine account authentication
• Authentication process is secured via standard Public Key Infrastructure (PKI) protocols available in Windows XP
  • Extensible Authentication Protocol over LAN (EAPoL)
  • Transport Layer Security (TLS)
  • Public / private keys, X.509 Certificates
  • Uses two factor authentication
• Client user and computers negotiate authentication against Internet Authentication Server (IAS)
  • IAS proxies authentication requests to Active Directory and Certificate Authority
  • IAS is the Microsoft implementation of the IETF Remote Authentication Dial-In User Service (RADIUS) standard
• WEP keys are dynamic
  • They are changed with each new connection session, when roaming, or within a preset time interval
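The flow this slide describes, as an added example that is not part of the presentation and not Microsoft's code: a Python model of supplicant, access point (authenticator) and IAS (RADIUS) in which the AP's controlled port opens only on Access-Accept, IAS checks the certificate against the CA (including its revocation list) and the account against Active Directory, and the session key changes on each new session, on roaming, and when the preset interval elapses. The host names, the HMAC tag standing in for the CA's X.509 signature, the dict standing in for Active Directory and the way the key reaches the supplicant are all assumptions made for the example.

```python
"""Model of the 802.1x / EAP-TLS / RADIUS (IAS) flow on the slide. Added
illustration, not Microsoft ITG code. Labelled simplifications: an HMAC tag
over the certificate fields stands in for the CA's X.509 signature, Active
Directory is a dict of enabled accounts, and the session key is generated by
IAS and handed to the supplicant as if through the TLS tunnel (real EAP-TLS
derives it from the TLS master secret on both ends)."""
import hashlib
import hmac
import secrets

CA_KEY = secrets.token_bytes(32)  # constructed: the enterprise CA's signing key


def _sign(subject, not_after):
    return hmac.new(CA_KEY, f"{subject}|{not_after}".encode(), hashlib.sha256).hexdigest()


def issue_certificate(subject, not_after):
    """CA issues a machine or user certificate valid until time `not_after`."""
    return {"subject": subject, "not_after": not_after, "sig": _sign(subject, not_after)}


class CertificateAuthority:
    def __init__(self):
        self.crl = set()  # revoked subjects: the CRL the deck says must be managed

    def verify(self, cert, now):
        return (hmac.compare_digest(_sign(cert["subject"], cert["not_after"]), cert["sig"])
                and now < cert["not_after"] and cert["subject"] not in self.crl)


class IAS:
    """RADIUS server: proxies each request to the CA and to Active Directory."""
    def __init__(self, ca, ad_accounts, session_timeout=600):
        self.ca, self.ad, self.timeout = ca, ad_accounts, session_timeout

    def access_request(self, cert, now):
        if not self.ca.verify(cert, now):
            return "Access-Reject", "certificate invalid, expired or revoked"
        if not self.ad.get(cert["subject"], False):
            return "Access-Reject", "account unknown or disabled"
        return "Access-Accept", {"key": secrets.token_bytes(16),  # fresh per-session WEP key
                                 "timeout": self.timeout}


class Supplicant:
    def __init__(self, name, cert):
        self.name, self.cert, self.session_key = name, cert, None


class AccessPoint:
    """Authenticator: the controlled port stays closed until IAS returns Accept."""
    def __init__(self, ias):
        self.ias, self.ports = ias, {}  # ports: supplicant name -> {"key", "expires"}

    def authenticate(self, supplicant, now):
        # The AP only relays EAP to IAS; it never checks the credential itself.
        outcome, detail = self.ias.access_request(supplicant.cert, now)
        if outcome != "Access-Accept":
            self.ports.pop(supplicant.name, None)  # leave or return the port unauthorized
            return False, detail
        self.ports[supplicant.name] = {"key": detail["key"], "expires": now + detail["timeout"]}
        supplicant.session_key = detail["key"]  # delivered to the client inside TLS
        return True, "port authorized"

    def forward(self, supplicant, now):
        """Data frames pass only while the port is authorized and the key is fresh."""
        state = self.ports.get(supplicant.name)
        if state is None:
            return False
        if now >= state["expires"]:  # preset interval elapsed: reauthenticate and rekey
            return self.authenticate(supplicant, now)[0]
        return True


def demo():
    """First connection, roaming, timed rekey and revocation; every value is True
    when the modelled system behaves as the slide describes."""
    ca = CertificateAuthority()
    ad = {"host/laptop01.corp.example": True, "host/laptop02.corp.example": False}
    ias = IAS(ca, ad, session_timeout=600)
    ap_a, ap_b = AccessPoint(ias), AccessPoint(ias)
    good = Supplicant("laptop01", issue_certificate("host/laptop01.corp.example", 10_000))
    disabled = Supplicant("laptop02", issue_certificate("host/laptop02.corp.example", 10_000))
    r = {"good_accepted": ap_a.authenticate(good, now=0)[0],
         "disabled_rejected": not ap_a.authenticate(disabled, now=0)[0]}
    key1 = good.session_key
    r["roam_accepted"] = ap_b.authenticate(good, now=100)[0]  # roaming: new session
    r["roam_new_key"] = good.session_key != key1
    key2 = good.session_key
    r["timer_rekey"] = ap_b.forward(good, now=800) and good.session_key != key2
    ca.crl.add("host/laptop01.corp.example")  # card reported lost: revoke the cert
    r["revoked_rejected"] = not ap_b.authenticate(good, now=900)[0]
    r["revoked_blocked"] = not ap_b.forward(good, now=901)
    return r


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one laptop through the cases; every value in the returned dict is True when the modelled behaviour matches the slide. The structural point is that the AP holds no credential material and makes no policy decision of its own: revoke the certificate or disable the account and the next reauthentication, whether triggered by roaming or by the timer, closes the port, which is what a static shared WEP key cannot give you.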
802.1x Security
[Diagram: The 802.1x solution. A laptop holding a domain user certificate makes an EAP/TLS connection to an 802.11/802.1x access point; behind the access point sit RADIUS (IAS), the Certificate Authority and the Domain Controller, with DHCP, Exchange, file servers and peers on the wired network. Note on the diagram: the Domain Controller is used to log onto the domain after obtaining an IP address from DHCP.]
802.1x Deployment Challenges
• Operational Support
  • Requires improved troubleshooting tools for both client and infrastructure
  • Integration of disparate support organizations for end-to-end support
    • Certificate Server, RADIUS server, Active Directory™, AP, and client
802.1x Technical Challenges
• Certificate Issues
  • Required to build a secure, Web-based tool to validate and / or obtain computer / user certificates
  • Certificate Revocation List (CRL) expiration issues must be managed
• Active Directory
  • If Active Directory becomes overloaded, 802.1x authentication is affected
• Client DHCP Response Timeouts
  • Inconsistent across domains and platforms
• Poor RADIUS Server Failover Support in APs
  • Can cause clients to fail authentication and lose connectivity
• Authentication Mechanism Stresses Infrastructure
  • Reauthentication required when roaming and at timeout
  • Cross-forest and multi-domain authentication required
Concealed System Installation Best Practices
• Pre-installation
  • Develop AP location plan based on design guidelines
  • Field verify proposed AP locations to check for physical interferences
  • Present final locations for approval prior to starting construction
• Installation
  • Enclose AP units and antennas within “plenum-rated” enclosures to meet building fire code requirements
  • Central, low voltage power supply on uninterruptible power supply (UPS)
• Delivery
  • Spot check AP installation for conformance with commissioning checklist
  • Check RF coverage and network connectivity of each AP
  • Deliver “as-built” documents
Sample Installation Architecture
[Diagram of a concealed AP installation. Labelled components: low voltage power supply (120 V line voltage input, 24 V output); low voltage power line, plenum rated and routed in existing cable trays; step down transformer; step up transformer; two CAT5E data cables (one for future use), plenum rated wiring; dual biscuit jack assembly; network and out of band connector cable; 110 VAC handy box; AP power supply; AP unit; 12" x 12" x 6" NEMA #1 rated enclosure.]
Lessons Learned
• Costs are Concentrated in Labor and Materials for Building Infrastructure Installation and Construction
  • AP installations should be concealed within the plenum
• Using Standardized Equipment Does Not Ensure Interoperability
• Involve IT Operations and Help Desk Early
  • Offer educational seminars and engineering reviews
• Develop and Communicate Security Policies Around “Rogue” Wireless Implementations
• User Health and Safety Concerns Must Be Addressed Appropriately
  • Involve vendor and internal Risk Management and Human Resource organizations
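A check a wireless operations team could run to act on the rogue-wireless policy point above, as an added example that is not from the presentation and not Microsoft's code: it parses a scan listing, compares each beaconing BSSID with the inventory of managed APs, and flags unknown APs that broadcast the corporate SSID as well as managed APs that have fallen back to static WEP. The inventory, the SSID name (the deck only says a single broadcast SSID is used), the scan line format and the sample lines are all constructed for the example.

```python
"""Rogue-AP check over a constructed wireless scan listing. Added illustration
of the "rogue wireless" policy point; not Microsoft ITG code. Assumptions: an
inventory of authorized AP BSSIDs (constructed), a single corporate SSID
(constructed name) and scan lines of the form '<bssid> <channel> <ssid> <security>'."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity bssid ssid reason")

CORPORATE_SSID = "CORPWLAN"     # constructed
REQUIRED_SECURITY = "802.1x"    # what every managed AP must enforce after the rollout

# constructed inventory: BSSIDs of the managed APs in one building
AUTHORIZED_BSSIDS = {"00:40:96:a1:00:01", "00:40:96:a1:00:02", "00:40:96:a1:00:03"}

SCAN_LINE = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<channel>\d+)\s+"
    r"(?P<ssid>\S+)\s+(?P<security>\S+)$", re.IGNORECASE)

# constructed sample scan, one line per beaconing AP
SAMPLE_SCAN = """\
# bssid             ch  ssid      security
00:40:96:a1:00:01    1  CORPWLAN  802.1x
00:40:96:a1:00:02    6  CORPWLAN  802.1x
00:40:96:a1:00:03   11  CORPWLAN  WEP
00:02:2d:7f:12:34    6  CORPWLAN  WEP
00:90:4b:aa:bb:cc    3  linksys   open
"""


def parse_scan(text):
    """Yield one dict per well-formed scan line; comments and junk are skipped."""
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bssid"], rec["channel"] = rec["bssid"].lower(), int(rec["channel"])
            yield rec


def classify(records, authorized=AUTHORIZED_BSSIDS):
    """Rank each beaconing AP against the inventory and the security policy."""
    findings = []
    for r in records:
        managed = r["bssid"] in authorized
        if managed and r["security"] != REQUIRED_SECURITY:
            findings.append(Finding("high", r["bssid"], r["ssid"],
                                    "managed AP not enforcing 802.1x (static WEP or open)"))
        elif managed and r["ssid"] != CORPORATE_SSID:
            findings.append(Finding("medium", r["bssid"], r["ssid"],
                                    "managed AP broadcasting a non-standard SSID"))
        elif not managed and r["ssid"] == CORPORATE_SSID:
            findings.append(Finding("high", r["bssid"], r["ssid"],
                                    "unknown AP broadcasting the corporate SSID"))
        elif not managed:
            findings.append(Finding("low", r["bssid"], r["ssid"],
                                    "unmanaged AP in range; check against the rogue-wireless policy"))
    return findings


if __name__ == "__main__":
    for f in classify(parse_scan(SAMPLE_SCAN)):
        print(f"{f.severity:6} {f.bssid}  {f.ssid:10} {f.reason}")
```

On the sample listing the third managed AP is flagged because it still advertises static WEP, the unknown AP using the corporate SSID is flagged as the classic rogue case, and the stray home router is reported at low severity for follow-up under the policy. An inventory keyed on BSSID is only as good as its upkeep, so the same job that pushes AP firmware and configuration (the scripted updates the RFI asked for) is the natural place to regenerate it.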
Reference Information
• Microsoft Corporation
  • Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
  • 802.1x (TechNet): http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
  • 802.1x Authentication: http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
  • Wireless Network Security within 802.1x: http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
  • Set up 802.1x Authentication on Windows XP Client: http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
  • Securing Wireless Networks Security Bulletin: http://www.microsoft.com/windows2000/datacenter/evaluation/news/bulletins/secwireless.asp
• Wireless LAN Association: http://www.wlana.org
• IEEE 802.11 & 802.1x: http://www.ieee.org
• OSHA Health and Safety: http://www.osha-slc.gov/sltc/radiofrequencyradiation
• Cisco Systems: http://www.cisco.com/warp/public/44/jump/wireless.shtml
For More Information
• Additional IT Showcase white papers, case studies, and presentations on ITG deployments and best practices can be found on http://www.microsoft.com.
• Microsoft TechNet: http://www.microsoft.com/technet/itshowcase.
The Future of WLAN Technology
• 802.11a
  • New physical layer using 5 GHz band utilizing Orthogonal Frequency-Division Multiplexing (OFDM) to provide speeds up to 54 Mbps
  • Lower range and higher power requirements
• 802.11b
  • Existing implementation using 2.4 GHz band to provide speeds up to 11 Mbps
  • High range and low power requirements
• 802.11d
  • AP specifies a client profile which includes channel set and power
  • Allows for single AP and client product which would self-configure to meet local RF regulations
  • International roaming – “World Mode”
• 802.11e
  • Quality of Service (QoS) support
  • Coupled with 802.1p (Class of Service) and 802.1q
  • Support for real-time applications like voice and streaming media
  • Dynamically-plumbed WEP keys
The Future of WLAN Technology
• 802.11g
  • New physical layer using 2.4 GHz band utilizing OFDM
  • Max speed 22 Mbps, but cannot coexist with 802.11b
• 802.11h
  • Enhancement to MAC to support EU power and RF requirements
  • Recommended feature for any future implementations
• 802.11i
  • Enhanced Security
  • Advanced Encryption Standard (AES) strong contender for replacing WEP
  • May be used with 802.1x
• 802.1q
  • Virtual LAN (VLAN) tagging
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Where do you want to go today?, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.