Secure Wireless LAN Presentation


Comments

By: saajanpreet (125 month(s) ago)

Hey man, can you please send me this ppt to preet_saajan05@yahoo.com? I really require this for my project. It will help me a lot. Please, thank you.

Presentation Transcript

Wireless LAN Deployment at Microsoft: 

Supporting the Mobile Knowledge Worker
Published January 2002

Agenda: 

- Wireless Local Area Network (WLAN) Description
- Information Technology Group (ITG) WLAN Deployment Project
  - Drivers
  - Schedule and tasks
  - Requirements
- Piloting Results
- Engineering Considerations
- Security Considerations
- Installation Approach – Concealed System
- Lessons Learned
- Reference Information

What is Wireless LAN (WLAN)?: 


ITG WLAN Deployment Project Drivers: 

- Executive Call to Action
- Microsoft is Developing Software for Wireless Environments
- Multiple User Requests for WLAN Technology
- Deployment to Increase User Mobility
- Standardization and Interoperability
- Pilot Puget Sound area buildings
- Deploy to worldwide subsidiary offices as budget and local regulations permit

ITG WLAN Deployment Project Schedule and Tasks: 

- 150-user proof of concept (3 months)
- Submitted RFI for 802.11b products (1 month)
  - Two RFI finalists selected; both lab tested
- Pilot: four buildings, more than 600 users (2 months)
- Completed Engineering & Operations standard design documentation (1 month)
- 63-building campus wireless deployment (8 months): 1300+ Access Points (APs)
- Worldwide wireless deployments (ongoing): 1200+ APs
- 802.1x enhanced wireless security deployment (1 month): covered 70 buildings in the Puget Sound area and 23 remote locations

ITG WLAN RFI Infrastructure Requirements: 

Network Administration of APs
- Full support for Simple Network Management Protocol (SNMP)-II Management Information Base (MIB)
- 802.11 extended MIBs
- HP OpenView integration
- Scalable, scripted AP firmware and configuration updates
- Little to no user account administration, but secured

Enterprise Installation Considerations
- Low cost for all hardware
- Power supply configuration options
- Inexpensive plenum installation
- Variety of antenna solutions to increase or direct Radio Frequency (RF) coverage

Security
- Encryption and authentication of the wireless link
- Secured administrative access to wireless APs
- No removable cards from APs

ITG WLAN RFI Infrastructure Requirements: 

- 802.11b Installation with an Infrastructure Migration Path to 802.11a
- Troubleshooting Tools for End User and Infrastructure
- Windows® Hardware Quality Labs (WHQL)-certified Driver Support
  - Windows XP and Windows .NET Server
  - Windows CE 2.11 and Pocket PC
  - Windows NT® 4 and Windows 2000
  - Windows 98 and Windows 98 SE
- Adapter Types
  - PC Card (primary choice)
  - PCI and USB
  - Mini-PCI or other integration in laptops

ITG WLAN RFI Infrastructure Requirements: 

Health and Safety Issues
- FCC approved
- Support to address health and safety issues: documentation, Web sites, Q&A sessions, contact information

Wireless Home LAN Hardware Solution
- Under $250
- Easy to use and support
- Must promote security – Wired Equivalent Privacy (WEP)
- Provides Network Address Translation (NAT)/Dynamic Host Configuration Protocol (DHCP) function
- Variety of products and accessories – hubs, routers, external antennas, and wireless repeating
- Robust support for home users provided by vendor

ITG WLAN RFI Infrastructure Requirements: 

Installation Considerations
- Power supply configuration options
- Inexpensive plenum installation support
- Flexible antenna solutions to increase coverage area

Worldwide Deployment
- Worldwide certification and support
- Manage differing RF and security requirements across different countries

ITG Aironet/Cisco Pilot: 

Pilot WLAN in Three Buildings and One Cafeteria
- More than 600 users participated
- PC Card adapters only
- 112 Aironet 4800B 802.11b APs
- 11 megabits per second (Mbps) shared connection
- 128-bit shared WEP key
- Installed APs using existing wall power and network connections

Surveyed Users at the End of the Pilot
- Greater than 50% response rate

WLAN Pilot Survey Results: 

- 50% saved 0.5 to 1.5 hours per day due to their WLAN connection
- 10% used Windows CE devices
- 18% wanted PCI desktop support for testing, demos, home networking
- 24% used WLAN for more than six hours per day
- 93% used their computer in new locations: in conference rooms, hallways, or in other employees' offices
- 72% could work without a wired connection
- 88% were interested in purchasing WLAN equipment for use at home
- 66% felt they could run any application or installation over the WLAN connection

WLAN Pilot Operational Recommendations: 

- Require concealed installations: reduces user RF health and safety concerns
- Require multicast application support
- Require client and infrastructure troubleshooting tools

WLAN Engineering Recommendations: 

AP Placement (to minimize user/AP ratio)
- Decrease cell size (to 10 meter radius)
- Increase cell density
- Overlapping cells via channel configuration
- Force 5.5–11 Mbps connections only
- Mitigate possible Bluetooth interference
- Create a migration path to 802.11a

Single Broadcast Service Set Identifier (SSID)
- Enhanced usability with Windows XP Zero Configuration wireless client

Client and Helpdesk Troubleshooting Tools
- AP Monitor in Windows XP

WLAN Engineering Recommendations: 

Each Separate Building Has a Dedicated DHCP Subnet for WLAN
- Enables seamless roaming within building
- Reduces collision domain
- Restricts NetBIOS access to that building segment
- Utilize Windows 2000 and Windows XP automatic DHCP when changing subnets
- Enhances security

Low Voltage Wiring or Inline Power
- To enable cold booting of APs from a centralized or remote location

Easy Client Setup – Plug and Play

AP Load Balancing

802.11b Security Concerns: 

WEP
- One shared key required across the entire enterprise
- The 802.11b standard specifies only 40-bit keys; "128-bit" WEP (a 104-bit secret plus the 24-bit IV) is a vendor extension
- WEP keys are not dynamically changed and are therefore vulnerable to attack
- Using a PC-based tool and an 802.11b antenna, a 128-bit WEP key can be recovered within two hours, and a 40-bit key within 40 minutes
- Difficult to change or administer

Media Access Control (MAC) Address Filtering
- Not scalable
  - Exception list must be administered and propagated to all APs
  - The list may have a size limit
- MAC address must be associated to a user name
- User could neglect to report a lost or stolen card
- User could change the MAC address
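The two WEP points on this slide, one static key shared by every client and a 24-bit IV that is sent in the clear, combine into a failure that is easy to show in code. The Go program below is an added example, not part of the original presentation and not a Microsoft or Cisco tool; the 40-bit key, the reused IV and the two frame payloads are constructed, and the CRC-32 ICV of a real WEP frame is omitted because it plays no part in the point. It shows that two frames encrypted under the same key and IV share an RC4 keystream, so XORing the ciphertexts cancels the keystream and, given one predictable plaintext, reveals the other frame without the key. It also computes, from the birthday bound on the 24-bit IV space, roughly how many frames the enterprise key survives before an IV repeat is more likely than not.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"fmt"
	"math"
)

// WEPEncrypt builds a WEP frame body the way the original 802.11 standard does:
// a 3-byte IV sent in the clear, followed by the payload XORed with
// RC4(IV || secret). The CRC-32 ICV is omitted; it plays no part in the
// keystream-reuse problem shown here. secret is 5 bytes (40-bit WEP) or
// 13 bytes (the 104-bit key sold as "128-bit WEP").
func WEPEncrypt(secret []byte, iv [3]byte, payload []byte) []byte {
	seed := append(append([]byte{}, iv[:]...), secret...)
	c, err := rc4.NewCipher(seed)
	if err != nil {
		panic(err) // only for out-of-range key lengths
	}
	body := make([]byte, len(payload))
	c.XORKeyStream(body, payload)
	return append(iv[:], body...)
}

// XORPayloads takes two captured frames. If they carry the same IV, they were
// encrypted with the same RC4 keystream (the key is static), so XORing the
// ciphertexts cancels the keystream and leaves plaintextA XOR plaintextB.
// No key material is needed.
func XORPayloads(frameA, frameB []byte) ([]byte, bool) {
	if len(frameA) < 3 || len(frameB) < 3 || !bytes.Equal(frameA[:3], frameB[:3]) {
		return nil, false // different IVs: different keystreams, nothing cancels
	}
	n := len(frameA) - 3
	if m := len(frameB) - 3; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = frameA[3+i] ^ frameB[3+i]
	}
	return out, true
}

// RecoverWithKnownPlaintext: once the attacker knows the plaintext of frame A
// (802.11 data frames start with a fixed LLC/SNAP header, and ARP and DHCP
// bodies are largely predictable), the plaintext of frame B falls out.
func RecoverWithKnownPlaintext(frameA, frameB, knownA []byte) ([]byte, bool) {
	x, ok := XORPayloads(frameA, frameB)
	if !ok || len(knownA) < len(x) {
		return nil, false
	}
	out := make([]byte, len(x))
	for i := range x {
		out[i] = x[i] ^ knownA[i]
	}
	return out, true
}

// FramesUntilIVCollision is the birthday bound on the 24-bit IV space: the
// number of frames after which some pair has a roughly even chance of sharing
// an IV. Every client sharing the enterprise key draws from the same space.
func FramesUntilIVCollision() float64 {
	return math.Sqrt(math.Pi / 2 * float64(1<<24))
}

func main() {
	secret := []byte{0x0b, 0xad, 0xf0, 0x0d, 0x42}              // constructed 40-bit shared key
	iv := [3]byte{0x01, 0x02, 0x03}                              // reused IV, e.g. a card that restarts its counter
	known := []byte("ARP who-has 10.0.0.1 tell 10.0.0.2")       // constructed, predictable frame
	victim := []byte("GET /payroll.xls HTTP/1.0 Host: hr")      // constructed frame to recover
	a := WEPEncrypt(secret, iv, known)
	b := WEPEncrypt(secret, iv, victim)
	if got, ok := RecoverWithKnownPlaintext(a, b, known); ok {
		fmt.Printf("recovered without the key: %q\n", got)
	}
	fmt.Printf("expected frames until an IV repeats: ~%.0f\n", FramesUntilIVCollision())
}
```

Key length never enters the recovery: the 40-minute and two-hour figures on the slide concern recovering the key itself, while keystream reuse is independent of key size and is what per-session, periodically rotated keys (the 802.1x solution on the following slides) are meant to limit.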

The 802.1x Solution: 

- Client network access (link layer) is controlled by the AP based on domain user and/or machine account authentication
- Authentication process is secured via standard Public Key Infrastructure (PKI) protocols available in Windows XP
  - Extensible Authentication Protocol over LAN (EAPoL)
  - Transport Layer Security (TLS)
  - Public/private keys, X.509 certificates
  - Authenticates both the user and the computer (described as two-factor authentication)
- Client users and computers negotiate authentication against Internet Authentication Service (IAS)
  - IAS proxies authentication requests to Active Directory and the Certificate Authority
  - IAS is the Microsoft implementation of the IETF Remote Authentication Dial-In User Service (RADIUS) standard
- WEP keys are dynamic: they are changed with each new connection session, when roaming, or within a preset time interval

802.1x Security (The 802.1x Solution): 

[Diagram: components of the 802.1x solution]
- 802.11/802.1x Access Point with a controlled port (opened only after successful authentication) and an uncontrolled port (carries only the EAP authentication traffic)
- RADIUS server (IAS)
- Domain Controller
- Certificate Authority
- DHCP server
- Exchange, file servers, and peers
- EAP/TLS connection from the client, through the AP's uncontrolled port, to IAS
- Domain Controller used to log onto the domain after obtaining an IP address from DHCP

802.1x Deployment Challenges: 

Operational Support
- Requires improved troubleshooting tools for both client and infrastructure
- Integration of disparate support organizations for end-to-end support: Certificate Server, RADIUS server, Active Directory™, AP, and client

802.1x Technical Challenges: 

Certificate Issues
- Required to build a secure, Web-based tool to validate and/or obtain computer/user certificates
- Certificate Revocation List (CRL) expiration issues must be managed

Active Directory
- If Active Directory becomes overloaded, 802.1x authentication is affected

Client DHCP Response Timeouts
- Inconsistent across domains and platforms

Poor RADIUS Server Failover Support in APs
- Can cause clients to fail authentication and lose connectivity

Authentication Mechanisms Stress Infrastructure
- Reauthentication required when roaming and at timeout
- Cross-forest and multi-domain authentication required
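The CRL expiration item above describes a common self-inflicted outage: a RADIUS server that checks client certificates against a CRL whose NextUpdate has passed will refuse every EAP-TLS authentication, even though no certificate is actually bad. The Go program below is an added example, not code from the presentation or from IAS; it builds a throwaway CA, one client certificate and three CRLs in memory (all constructed, with a hypothetical machine name and serial) and applies the checks a RADIUS server makes on the certificate an EAP-TLS supplicant presents: chain to the enterprise CA, client-authentication EKU, CRL signature, CRL validity window, and revocation status. The stale-CRL case fails closed by design, which is exactly why the CRL publication schedule has to be managed alongside the 802.1x rollout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrStaleCRL = errors.New("CRL not valid now: NextUpdate has passed or ThisUpdate is in the future")
var ErrRevoked = errors.New("client certificate is revoked")

// AuthorizeEAPTLS applies the checks a RADIUS server (IAS in the slides) makes on the
// certificate an EAP-TLS supplicant presents: chain to the enterprise CA, client-auth
// EKU, CRL signed by the issuer, CRL valid at "now", and serial not listed. A CRL past
// its NextUpdate is rejected (fail closed): the outage behind "CRL expiration issues".
func AuthorizeEAPTLS(client, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || !now.Before(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// must keeps the constructed test PKI short; the real checks live in AuthorizeEAPTLS.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert stands in for the enterprise Certificate Authority (constructed, in memory).
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// Scenarios authorizes one constructed client certificate against three CRLs:
// fresh, stale (NextUpdate in the past), and one that lists the client's serial.
func Scenarios() map[string]error {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Enterprise CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	client := issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), // hypothetical machine certificate
		Subject:      pkix.Name{CommonName: "laptop01.corp.example"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &clientKey.PublicKey, caKey)
	newCRL := func(num int64, this, next time.Time, revoked []pkix.RevokedCertificate) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(num), ThisUpdate: this, NextUpdate: next, RevokedCertificates: revoked,
		}, ca, caKey))
	}
	fresh := newCRL(1, now.Add(-time.Hour), now.Add(24*time.Hour), nil)
	// Published two days ago with one day of validity and never re-published.
	stale := newCRL(2, now.Add(-48*time.Hour), now.Add(-24*time.Hour), nil)
	listed := newCRL(3, now.Add(-time.Hour), now.Add(24*time.Hour),
		[]pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now.Add(-time.Hour)}})
	return map[string]error{
		"fresh CRL":    AuthorizeEAPTLS(client, ca, fresh, now),
		"stale CRL":    AuthorizeEAPTLS(client, ca, stale, now),
		"revoked cert": AuthorizeEAPTLS(client, ca, listed, now),
	}
}

func main() {
	for name, res := range Scenarios() {
		fmt.Printf("%-12s -> %v\n", name, res)
	}
}
```

The stale case is the one to plan for operationally: the certificate is fine and the CA is fine, but if the CRL is published with a short validity and the publication job or its distribution point fails, every supplicant loses network access at the next reauthentication (which, per the slide, happens on roaming and on timeout). Publishing CRLs with overlapping validity and monitoring NextUpdate on the RADIUS servers addresses it; silently skipping the check does not.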

Concealed System Installation Best Practices : 

Pre-installation
- Develop AP location plan based on design guidelines
- Field verify proposed AP locations to check for physical interferences
- Present final locations for approval prior to starting construction

Installation
- Enclose AP units and antennas within “plenum-rated” enclosures to meet building fire code requirements
- Central, low voltage power supply on uninterruptible power supply (UPS)

Delivery
- Spot check AP installation for conformance with commissioning checklist
- Check RF coverage and network connectivity of each AP
- Deliver “as-built” documents

Sample Installation Architecture: 


Lessons Learned: 

- Costs are Concentrated in Labor and Materials for Building Infrastructure Installation and Construction
  - AP installations should be concealed within the plenum
- Using Standardized Equipment Does Not Ensure Interoperability
- Involve IT Operations and Help Desk Early
  - Offer educational seminars and engineering reviews
- Develop and Communicate Security Policies Around “Rogue” Wireless Implementations
- User Health and Safety Concerns Must Be Addressed Appropriately
  - Involve vendor and internal Risk Management and Human Resource organizations

Reference Information: 

Microsoft Corporation
- Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service: http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp
- 802.1x (TechNet): http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prdc_mcc_corc.asp
- 802.1x Authentication: http://msdn.microsoft.com/library/en-us/wceddk40/htm/cmcon8021xauthentication.asp
- Wireless Network Security within 802.1x: http://www.microsoft.com/WINDOWSXP/pro/evaluation/overviews/8021x.asp
- Set up 802.1x Authentication on Windows XP Client: http://www.microsoft.com/windowsxp/home/using/productdoc/en/8021x_client_configure.asp
- Securing Wireless Networks Security Bulletin: http://www.microsoft.com/windows2000/datacenter/evaluation/news/bulletins/secwireless.asp

Wireless LAN Association: http://www.wlana.org
IEEE 802.11 & 802.1x: http://www.ieee.org
OSHA Health and Safety: http://www.osha-slc.gov/sltc/radiofrequencyradiation
Cisco Systems: http://www.cisco.com/warp/public/44/jump/wireless.shtml

For More Information: 

Additional IT Showcase white papers, case studies, and presentations on ITG deployments and best practices can be found at http://www.microsoft.com and on Microsoft TechNet at http://www.microsoft.com/technet/itshowcase.

The Future of WLAN Technology: 

802.11a
- New physical layer using the 5 GHz band, utilizing Orthogonal Frequency-Division Multiplexing (OFDM) to provide speeds up to 54 Mbps
- Lower range and higher power requirements

802.11b
- Existing implementation using the 2.4 GHz band to provide speeds up to 11 Mbps
- High range and low power requirements

802.11d
- AP specifies a client profile which includes channel set and power
- Allows for a single AP and client product which would self-configure to meet local RF regulations
- International roaming – “World Mode”

802.11e
- Quality of Service (QoS) support, coupled with 802.1p (Class of Service) and 802.1Q
- Support for real-time applications like voice and streaming media
- Dynamically-plumbed WEP keys

The Future of WLAN Technology: 

802.11g
- New physical layer using the 2.4 GHz band, utilizing OFDM
- Max speed 22 Mbps, but cannot coexist with 802.11b (the draft as understood in early 2002; the standard ratified in 2003 reaches 54 Mbps and is backward compatible with 802.11b)

802.11h
- Enhancement to the MAC to support EU power and RF requirements
- Recommended feature for any future implementations

802.11i
- Enhanced Security
- Advanced Encryption Standard (AES) strong contender for replacing WEP (ratified in 2004 as AES-CCMP, with TKIP as the interim WEP replacement)
- May be used with 802.1x

802.1Q
- Virtual LAN (VLAN) tagging

Slide28: 

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2002 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Where do you want to go today?, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
