{"id":886,"date":"2012-10-10T17:24:18","date_gmt":"2012-10-10T17:24:18","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=886"},"modified":"2012-10-10T17:24:18","modified_gmt":"2012-10-10T17:24:18","slug":"securing-wireless-network-traffic-part-6","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=886","title":{"rendered":"Securing Wireless Network Traffic (Part 6)"},"content":{"rendered":"<h2>Introduction<\/h2>\n<p>In my previous article, I explained that one of  the best things that you can do to secure your wireless network is to  avoid attaching wireless access points directly to segments of your  private network that carry sensitive information. Instead, it is better  to treat the wireless network as an untrusted medium and to require  clients to prove themselves to be trustworthy prior to providing them  with access to network resources.<\/p>\n<p>This is very similar to the approach used by VPN servers. VPN clients  attach to a network through the Internet. Like a wireless network, the  Internet is not a trustworthy medium, so VPN clients must be  authenticated before they are allowed to access network resources. Given  that both VPNs and wireless networks require users to establish a  connection from an untrusted medium, it is no wonder that the techniques  for securing these connections are so similar.<\/p>\n<h2>Your Options For Securing Wireless Networks<\/h2>\n<p>Microsoft  provides two main options for securing wireless networks (and there are  also third party solutions available). One option is to authenticate  wireless connections using PEAP-MS_CHAP v2 (which I will refer to as  PEAP for simplicity) and the other option is to use EAP-TLS.<\/p>\n<p>The primary difference between the two authentication methods is that  the PEAP method provides authentication through the use of passwords.  EAP-TLS uses digital certificates instead. These digital certificates  can exist on a smart card, or they can be issued directly to a Windows  client by an Enterprise Certificate Authority.<\/p>\n<p>Generally speaking, PEAP is better suited to small and medium sized  businesses because it is a little bit easier (and less costly) to  deploy. EAP-TLS authentication is generally used in enterprise  environments, but can be used in smaller organizations too. Both methods  do a good job of controlling access to the wireless network and both  allow you to centrally manage wireless client security.<\/p>\n<h2>Deploying an Enterprise Certificate Authority<\/h2>\n<p>Regardless of  whether you end up using PEAP or EAP-TLS to authenticate wireless  traffic, the authentication process is going to depend on the use of  digital certificates. In the case of PEAP authentication, you can either  deploy an Enterprise Certificate Authority, or you can purchase a  certificate from a commercial certificate authority such as VeriSign or  Go Daddy. If you choose to use EAP-TLS then you will need to have an  enterprise certificate authority because client authentication is based  on the use of certificates rather than passwords, and you have to be  able to issue the necessary certificates to network clients.<\/p>\n<p>Because both designs can make use of an enterprise certificate  authority (and an enterprise certificate authority is required for one  of the designs), I want to start out by showing you how to deploy and  configure your own Enterprise Certificate Authority.<\/p>\n<h2>A Few Words of Caution<\/h2>\n<p>Before I get started, I need to give  you a few words of caution. First, both of the designs that I am going  to be showing you require you to have an Active Directory in place.  These designs will not work if you have a workgroup network.<\/p>\n<p>Another thing that you need to know is that we will be installing the  Enterprise Certificate Authority onto a domain controller running  Windows Server 2008 R2. Once the Enterprise Certificate Authority is in  place, you will not be able to rename the domain controller.<\/p>\n<p>You must also make every effort to harden the server that is acting  as an enterprise certificate authority. Remember that if someone  compromises your certificate authority, then they essentially own your  network. Server hardening is beyond the scope of this article series,  but a good place to start is to run Microsoft\u2019s Security Configuration  Wizard.<\/p>\n<p>Most importantly, you must make sure that you back up the certificate  authority on a regular basis. If this server were to fail, then the  entire wireless authentication process will break down. If you have the  resources then you can provide some redundancy by deploying some  subordinate certificate authorities.<\/p>\n<h2>The Deployment Process<\/h2>\n<p>Begin the process by opening the Server Manager and selecting the Roles container. Click the <em>Add Roles<\/em> link and Windows will launch the <em>Add Roles Wizard<\/em>. Click <em>Next<\/em> to bypass the wizard\u2019s Welcome screen and you will see a screen asking you which roles you want to install. Select the <em>Active Directory Certificate Services<\/em> role, as shown in Figure A, and click <em>Next<\/em> to continue.<\/p>\n<p><em><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0021302206418918.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<\/em><strong>Figure A: <\/strong>Select the Active Directory Certificate Services role.<\/p>\n<p>You should now see an introductory screen to the Active Directory Certificate Services. Click <em>Next<\/em> and Windows will ask you which components you want to install. For right now select the <em>Certification Authority<\/em> and the <em>Certification Authority Web Enrollment<\/em> options. Depending on how your server is configured you may see a  message telling you that you need to install some additional role  services. If you receive this message then click the <em>Add Required Role Services<\/em> button.<\/p>\n<p>Click <em>Next<\/em>, and Windows will ask you if you want to create a  Standalone Certificate Authority or an Enterprise Certificate Authority.  Choose the Enterprise option, and click Next.<\/p>\n<p>You should now see a message asking you if you want to create a Root  CA or a Subordinate CA. Since this is our first (and possibly only)  certificate authority, you must choose the <em>Root CA<\/em> option, as shown in Figure B.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0041302206418949.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure B: <\/strong>Choose the Root CA option and click Next.<\/p>\n<p>The following screen asks you if you want to create a new private key  or if you want to use an existing private key. Since this is a brand  new deployment, go ahead and tell Windows to create a new private key.<\/p>\n<p>When you click <em>Next<\/em>, Windows will ask you to configure the cryptographic settings for the Certificate Authority. Go ahead and click <em>Next <\/em>to accept the defaults.<\/p>\n<p>You will now be promoted to provide a common name for the Certificate  Authority. Although you can go with the defaults, I recommend changing  the common name to something easy to remember. For example, you can see  in Figure C that I have named my Certificate Authority Lab2-CA.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0061302206446153.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure C: <\/strong>You should pick a common name that is easy to remember.<\/p>\n<p>Click <em>Next<\/em>, and you will be prompted to choose a validity  period for the certificates issued by the Certificate Authority. The  default is five years, which is fine, but you can adjust this value if  you like.<\/p>\n<p>Click <em>Next<\/em>, and Windows will ask you to choose a location for  the certificate database. Keep in mind what I said earlier on about how  important it is to protect the certificate store. You should choose a  location that exists on a fault tolerant array if possible<strong>, <\/strong>and you should make note of the location so that you can back it up.<\/p>\n<p>Depending on whether or not you were required to add the IIS role  service to your server, the next screen that you see may be an  introduction to IIS. Click Next to move on to the next screen.<\/p>\n<p>You should now see a screen asking you if you want to install any  additional role services. Windows automatically picks all of the  required role services, so there is no need to add anything extra. Just  click Next to continue.<\/p>\n<p>You should now see a summary of the configuration options that you  have chosen, as shown in Figure D. Take a moment to verify that  everything appears to be correct, and then click Install. When the  installation process completes, click Close.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0081302206446168.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure D:<\/strong> Read over the configuration summary to make sure that it is correct.<\/p>\n<h2>Conclusion<\/h2>\n<p>Now that I have shown you how to deploy an enterprise certificate  authority, it is time to begin building the rest of the infrastructure  required to secure our wireless network. In the next part of this  article series, I will begin showing you how to implement PEAP based  wireless security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In my previous article, I explained that one of the best things that you can do to secure your wireless network is to avoid attaching wireless access points directly to segments of your private network that carry sensitive information. Instead, it is better to treat the wireless network as an untrusted medium and to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[],"class_list":["post-886","post","type-post","status-publish","format-standard","hentry","category-wireless-security"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=886"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/886\/revisions"}],"predecessor-version":[{"id":887,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/886\/revisions\/887"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}