<<< Authoring in progress >>>


Introduction

Many organizations have tested the use of wireless LANs (WLANs) but have shied away from large deployments or banned their use altogether. Despite the many productivity and technology benefits of wireless technology, its poor security record has prevented many organizations from deploying WLANs.
Securing Wireless LANs with Certificate Services is aimed at those organizations that want to deploy wireless networks in a secure manner.

As detailed in later sections, the solution shown in this article is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard and requires a RADIUS (Remote Authentication Dial-In User Service) infrastructure and a public key infrastructure (PKI). It uses a flexible design and is suited for organizations of several hundred to many thousands of wireless network users. The RADIUS and PKI components were intentionally designed to be reusable in other network applications (for example, remote access VPN) and other security applications.


Overview of Securing Wireless LANs with Certificate Services

Design Decisions

This article focuses on the building and deployment of the wireless network infrastructure. Several design assumptions have been made to illustrate a secure solution more rapidly. Those decisions emphasize the following:

Security. The solution design includes robust authentication, authorization, and access control. Strong (128-bit) encryption is a function of the network hardware and is supported on most currently available devices. Secure management of the encryption keys is provided by a combination of the Microsoft 802.1X client, the 802.1X-enabled wireless AP and wireless network cards, and the RADIUS server. Resiliency in the face of DoS attacks remains an area where there is still work to do — current industry standards (until the advent of 802.11i) are still vulnerable to a variety of DoS attacks.

Scalability. The basic design accommodates a wide range of organizations in a cost-effective manner, from a few hundred to many thousands of users. The design is also flexible with regard to geographic and network layout. Small offices without a local domain controller are dependent on WAN reliability or a lower-grade security solution.

Component reuse (use of existing infrastructure). The design uses Active Directory and many existing network services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).

Component reuse by future applications. The RADIUS design, implemented using IAS, can be used by or easily extended to support other network access applications (such as VPN, 802.1X wired network access, and remote access dial-up). The PKI is also capable of supporting simple public key applications, such as EFS, and provides the environment to work with more complex applications that can perform such things as smart card logon. This item also meets the design criterion — Extensibility.

Availability. The solution design is resilient to a single component or network link failure at the head office, and for all outlying offices where a RADIUS server can be deployed. Small offices without a local RADIUS server are vulnerable to a WAN failure.

Manageability. The ability to manage the solution is not apparent from the design, but this requirement is accounted for in the design of the operational framework.

IT organization structure. Some level of specialization with WLANs in the organization's IT department is essential for deploying and managing a solution of this type.

Standards compliance. The solution adheres to current official and industry standards. This is most relevant in the area of WLAN security, where the solution is based on the 802.1X protocol, EAP-TLS, and 128-bit dynamic WEP or WPA. Microsoft recently announced product support for WPA for Windows XP, providing the highest available standards of native WLAN security. The design will support either WPA or dynamic WEP.
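The 802.1X design above stands or falls on the access point trusting only genuine responses from the RADIUS (IAS) server it shares a secret with. The following Python sketch is an added example, not code from the guide or from IAS: it builds and verifies the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that responses carrying EAP (as every EAP-TLS exchange does) must include, using a constructed shared secret and constructed packets.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_response(code, ident, request_auth, attrs, secret):
    """Build a response as the server does. EAP-carrying packets get a Message-Authenticator
    (HMAC-MD5 keyed with the shared secret, value zeroed while computing, Request Authenticator
    in the header); the Response Authenticator is MD5(header + req auth + attrs + secret)."""
    needs_mac = any(t == EAP_MESSAGE for t, _ in attrs)
    if needs_mac:
        attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if needs_mac:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """Client-side (access point) check that a response is genuine and untampered."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, body = packet[:4], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False
    pos = 0  # walk the TLVs; if a Message-Authenticator is present, re-check it too
    while pos + 2 <= len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return l == 18 and hmac.compare_digest(body[pos + 2:pos + 18], mac)
        pos += l
    return True
```

A forged Access-Accept (a captured Access-Reject with its code byte changed, or any packet built without the shared secret) fails both checks, which is why the secret's strength and the IP-level client list on the RADIUS server matter as much as the EAP-TLS certificates.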