Security information for wireless networks
Wireless network technology provides convenience and mobility, but it also introduces security risks to your network. For example, unless authentication and authorization mechanisms are in place, any user with a compatible wireless network adapter can access the network. If no encryption is performed, wireless data is sent in clear text, so anyone within range of a wireless access point can detect and receive all data that the access point transmits.
The following security mechanisms enhance wireless network security:
802.11 identity verification and authentication
802.11 Wired Equivalent Privacy (WEP) encryption
802.1X authentication
IAS support for 802.1X authentication
802.11 identity verification and authentication
For identity verification and authentication, IEEE 802.11 defines the Open System and Shared Key authentication subtypes:
Open System authentication does not actually provide authentication; it performs only identity verification through a message exchange between the sender (the wireless client) and the receiver (the wireless access point). Shared Key authentication provides authentication by verifying that the sender knows a shared secret. The 802.11 standard assumes that the shared secret is delivered to the wireless access point through a secure channel that is independent of 802.11.
For information about how to specify the authentication subtype to use, see Define a preferred wireless network in Group Policy or Define a wireless network connection on a client computer.
Important
For better security and connectivity, do not use Shared Key authentication. Shared Key authentication is actually less secure than Open System authentication, because it requires the exchange of a secret that is shared by all wireless access points and clients, and that exchange makes it more vulnerable to known-plaintext attacks. In addition, if Shared Key authentication is used on a wireless network that has multiple wireless access points, you lose the network connection when you move from one wireless access point to another, because your network key no longer matches the shared key that all of the access points use. To determine whether the wireless network you are connected to has multiple wireless access points, use Wireless Monitor. For more information about using Wireless Monitor to view details about wireless access points, see View details about a wireless access point.
802.11 WEP encryption
For encryption, 802.11 defines the WEP algorithm. WEP provides data confidentiality by encrypting the data transmitted between wireless clients and wireless access points.
To encrypt data transmitted over the wireless network, WEP uses the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. A stream cipher is a method of encrypting text (producing ciphertext) in which the encryption key and algorithm are applied to the data stream one bit at a time. The RC4 stream cipher, designed by RSA Data Security, accepts keys of any length. Data integrity is provided by an integrity check value (ICV) in the encrypted portion of the wireless frame.
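The following is an added example and is not code from this documentation or from Windows. It implements the WEP construction just described in Python: an RC4 keystream derived from the 24-bit IV prepended to the 40- or 104-bit key, a CRC-32 integrity check value appended to the plaintext inside the encrypted portion, and the IV and key-id byte sent in the clear ahead of the ciphertext. The key, IV and payload values are constructed for illustration.

```python
import os
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, plaintext: bytes, iv: bytes = None, key_id: int = 0) -> bytes:
    """Build the WEP-protected body of an 802.11 data frame:
    IV (3 bytes) || key-id byte || RC4(IV || key, plaintext || ICV)."""
    if len(wep_key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    if iv is None:
        iv = os.urandom(3)   # only 24 bits of IV, so values repeat quickly on a busy network
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 bytes and key id must be 0..3")
    body = plaintext + icv(plaintext)
    return iv + bytes([key_id << 6]) + rc4_xor(iv + wep_key, body)


def wep_decrypt(wep_key: bytes, frame_body: bytes):
    """Decrypt a WEP frame body and verify its ICV.
    Returns the plaintext, or None if the ICV does not match."""
    if len(frame_body) < 8:                    # 3 IV + 1 key-id + at least the 4 ICV bytes
        return None
    iv, encrypted = frame_body[:3], frame_body[4:]
    clear = rc4_xor(iv + wep_key, encrypted)
    plaintext, received_icv = clear[:-4], clear[-4:]
    # CRC-32 detects accidental corruption; it is not a keyed MAC and does not authenticate the sender.
    if icv(plaintext) != received_icv:
        return None
    return plaintext


if __name__ == "__main__":
    key = b"\x0a\x1b\x2c\x3d\x4e"              # constructed 40-bit key
    frame = wep_encrypt(key, b"constructed frame payload", iv=b"\x00\x00\x01")
    print("WEP frame body:", frame.hex())
    print("decrypted:", wep_decrypt(key, frame))
```

The ICV check in wep_decrypt shows what the CRC does and does not give you: a corrupted frame is rejected, but because the ICV is an unkeyed checksum rather than a keyed MAC and the IV space is only 24 bits, WEP alone provides neither sender authentication nor long-term key freshness, which is why the sections below recommend 802.1X with dynamically generated keys.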
802.1X authentication
802.1X is an IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. IEEE 802.1X supports centralized user identification, authentication, dynamic key management and accounting. The 802.1X standard improves security by allowing computers and networks to verify identity, by generating per-user, per-session keys to encrypt the data sent over the wireless connection, and by providing the ability to change keys dynamically.
Important
To enhance security in Windows XP Service Pack 1 and the Windows Server 2003 family, 802.1X authentication is available only for access point (infrastructure) networks that require the use of a network key (WEP). It is highly recommended that you use 802.1X authentication when you connect to an 802.11 wireless network. If you connect to an 802.11 wireless network without enabling 802.1X, the data you send is vulnerable to attacks such as offline traffic analysis, bit flipping and malicious packet injection.
EAP authentication methods
802.1X uses the Extensible Authentication Protocol (EAP) for message exchange during authentication. With EAP, any authentication method (for example, a password, a smart card or a certificate) can be used to authenticate the wireless connection. 802.1X supports EAP types, which allow any of the following authentication methods:
EAP-Transport Layer Security (EAP-TLS), which uses certificates for server authentication and certificates or smart cards for user and client computer authentication.
Protected EAP with EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP with EAP-MS-CHAP v2), which uses certificates for server authentication and credentials (user name and password) for user authentication.
PEAP with EAP-TLS, which uses certificates for server authentication and certificates or smart cards for user and client computer authentication.
For more information, see EAP, MS-CHAP version 2, PEAP, and Understanding 802.1X authentication for wireless networks.
Security and ease of deployment
When you choose an authentication method, you must balance the level of security you require against the ease of deployment. For the highest level of security, select PEAP with certificates (EAP-TLS). PEAP uses TLS to enhance the security of other EAP authentication protocols. With PEAP, TLS is used to create an end-to-end encrypted channel between an EAP client (such as a wireless computing device) and an EAP server (such as an Internet Authentication Service (IAS) server). Although both PEAP with EAP-TLS and EAP-TLS alone provide enhanced security through the use of server certificates and client computer and user certificates or smart cards, when PEAP with EAP-TLS is used the client certificate information is encrypted.
For the easiest deployment, select PEAP with passwords (EAP-MS-CHAP v2). PEAP with EAP-MS-CHAP v2 is the easiest to deploy because client authentication is password based, so no certificate or smart card needs to be installed on the client. Because PEAP creates an end-to-end encrypted channel before EAP-MS-CHAP v2 authentication takes place, the authentication exchange is not vulnerable to offline dictionary attacks.
The session keys generated during PEAP authentication provide keying material for the keys used to encrypt the data transmitted between the wireless client and the wireless access point. In addition, PEAP supports fast reconnect. As long as each wireless access point is configured as a client of the same IAS (RADIUS) server, PEAP fast reconnect lets roaming users maintain a continuous wireless network connection when they move between different wireless access points on the same network.
For more information about certificate requirements for 802.1X authentication methods, see Network access authentication and certificates. For information about deploying smart cards, see Checklist: Deploying smart cards for logging on to Windows.
Important
When deploying PEAP and EAP types protected by PEAP, do not deploy the same EAP authentication type both with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying two authentication methods of the same type, one protected by PEAP and the other not, creates a security vulnerability.
IAS support for 802.1X authentication
To enhance wireless network security, you can use 802.1X with IAS. IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. When RADIUS is used, wireless access points configured as RADIUS clients send connection requests and accounting messages to a central RADIUS server by using the RADIUS protocol. The RADIUS server has access to a user account database and a set of authorization rules, processes the connection requests from the wireless access points, and accepts or rejects each request. For more information about 802.1X authentication, see 802.1X authentication for wireless networks. For information about wireless network configuration, see Configure wireless network settings on a client computer. For information about configuring IAS for wireless access authentication, see Checklist: Configuring IAS servers and wireless access points for wireless access.
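The following is an added example, not code from this documentation, IAS or Windows. It shows the RADIUS exchange between a wireless access point (the RADIUS client) and a RADIUS server described above, and also the EAP carriage used by 802.1X from the earlier section: the access point builds an Access-Request carrying the client's EAP-Response/Identity in an EAP-Message attribute and protects the packet with a Message-Authenticator (HMAC-MD5 under the RADIUS shared secret, as RFC 3579 requires for requests that carry EAP); the server side verifies it before processing the request. The shared secret, user name, NAS address and identifiers are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # Code (1) + Identifier (1) + Length (2) + Request Authenticator (16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1) || Length (1) || Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity packet: Code=2, Identifier, Length, Type=1, identity string."""
    data = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(data)) + data


def build_access_request(secret: bytes, identifier: int, user_name: bytes, nas_ip: bytes,
                         eap_message: bytes, request_authenticator: bytes = None) -> bytes:
    """Access-Request as an access point would send it. The Message-Authenticator is
    HMAC-MD5 over the whole packet, computed with its own value set to 16 zero bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user_name)
             + attribute(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attribute(ATTR_EAP_MESSAGE, eap_message))
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs) + len(placeholder)) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(payload: bytes):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server-side check: accept only if exactly one Message-Authenticator is present and
    it validates under `secret`. A request that fails this check must be discarded."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attributes(packet[HEADER_LEN:])
    except ValueError:
        return False
    mac_values = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mac_values) != 1 or len(mac_values[0]) != 16:
        return False
    # Re-serialise with the Message-Authenticator zeroed, exactly as the sender hashed it.
    zeroed = packet[:HEADER_LEN] + b"".join(
        attribute(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac_values[0])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; shared by one AP and the server
    identity = b"alice@example.com"                # constructed user name
    packet = build_access_request(secret, 7, identity, bytes([192, 0, 2, 10]),
                                  eap_response_identity(1, identity))
    print("Access-Request:", packet.hex())
    print("verified by server:", verify_access_request(secret, packet))
```

The shared secret is what ties a particular access point to the IAS server: a request from a device that does not hold the secret, or a request modified in transit, fails verify_access_request and is dropped before any user credentials are consulted, so each access point must be registered as a RADIUS client with its own secret.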