Deploying a Wireless LAN
Real Security Made Possible with Windows Server 2003 (and
lots of planning)!
We all want to be mobile, and wireless connectivity offers users a
high degree of mobility and provides another networking option when
traditional wired networks are impractical. With Microsoft® Windows®
Server 2003 operating system, the networking services needed to deploy a
secure and manageable wireless local area network (WLAN) infrastructure
within an enterprise environment now exist.
You Are Connected
In today’s enterprise, all you need to do is enable your Wi-Fi NIC and
you can usually find at least a couple of hot spots in your building,
and even more at home! More than likely, you will see that the wireless
connection is insecure, not using authentication, and with very few
exceptions you will be able to connect. That presents a couple of
problems, and they are both security related. You are more than likely
connecting to secure servers at your office when you are mobile, and that
data is being passed over an insecure network. Likewise, if you are
connected with a laptop to an insecure network, it is a safe bet that
you will need to have a firewall running locally on your machine. It is,
after all, not very likely that the people who did not think enough of
security to have any on their WAP (Wireless Access Point) will have a
firewall at all. So you have the wireless world when you travel or
telecommute, but not when you are at the office, where you want it. Your
IT people are concerned about security. What can you do? You can use the
tools and security provided by Windows Server 2003.
Overview of Deploying a Wireless LAN
To create and deploy a secure wireless LAN, you need to provide
authorization and authentication, automatic IP address assignment, and
name resolution for wireless users. To do this, your networking
infrastructure should include the following services:
• Active Directory service
• Remote Authentication Dial-In User Service (RADIUS) servers and
proxies
• A certificate infrastructure, also known as a public key
infrastructure (PKI)
• Dynamic Host Configuration Protocol (DHCP) services
• Domain Name System (DNS) services
With these services running, you will be able to provide the security,
availability, and scalability needed for an enterprise WLAN solution.
All of the components required for the deployment of an enterprise WLAN
solution are included with Windows Server 2003 (at the server side) and
Windows XP (for the workstations). Windows Server 2003 provides (and
includes) DHCP, DNS, and Certificate Services, and support for RADIUS
(through the Internet Authentication Service [IAS]), the IEEE 802.1X
standard, and certificate authentication. Windows XP with an available
wireless network adapter provides support for wireless devices such as
laptops and personal digital assistants (PDAs), the IEEE 802.1X
standard, and certificate authentication.
Process for Deploying a Wireless LAN
When you are ready to deploy a wireless LAN, adapt your existing
network infrastructure for a WLAN before designing the wireless
solution. Then decide where to locate wireless access points (APs) and
how to deploy them; design wireless security and unauthenticated
access; optionally design a public space WLAN for visitors; and
design for better manageability.
The WLAN solution provided by Windows XP and Windows Server 2003 is
based on IEEE standards 802.11 and 802.1X. Those specifications are:
• IEEE 802.11: IEEE 802.11, the standard for WLANs,
specifies a technology that operates in the 2.4 through 2.5 GHz
Industrial, Scientific, and Medical (ISM) band and has a maximum bit
rate of 2 megabits per second (Mbps). IEEE 802.11b supports two
additional speeds, 5.5 Mbps and 11 Mbps, in the ISM band.
• IEEE 802.1X: The 802.1X standard defines port-based
network access control to provide authenticated network access for
Ethernet networks. This port-based network access control uses the
physical characteristics of the switched LAN infrastructure to
authenticate devices attached to a LAN port. Access to the port can
be denied if the authentication process fails. Although this
standard is designed for wired Ethernet networks, it applies to
802.11 WLANs as well.
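The port-based control described above, as an added illustration that is not code from the article or from Windows Server 2003: a simplified model of an 802.1X authenticator (the access point) in which EAP traffic always reaches the RADIUS server, but ordinary client traffic is dropped until the server returns Access-Accept. The credential store and identities are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS server checking the client's
# certificate against Active Directory (identity -> expected thumbprint;
# both values are made up for this example).
RADIUS_AUTHORISED = {"laptop01.corp.example": "thumbprint-A1B2"}

def radius_decide(identity, credential):
    """Return the RADIUS decision for one EAP authentication attempt."""
    if RADIUS_AUTHORISED.get(identity) == credential:
        return "Access-Accept"
    return "Access-Reject"

@dataclass
class AuthenticatorPort:
    """One client's logical port on the access point (the authenticator)."""
    authorized: bool = False
    log: list = field(default_factory=list)

    def receive(self, frame):
        """Handle one frame (dict with 'type'; EAPOL also carries identity/credential)."""
        if frame["type"] == "EAPOL":
            # Uncontrolled port: EAP is always relayed to RADIUS, and the
            # controlled port then follows the server's decision.
            decision = radius_decide(frame["identity"], frame["credential"])
            self.authorized = decision == "Access-Accept"
            self.log.append(f"EAP {frame['identity']}: {decision}")
            return decision
        if not self.authorized:
            # Controlled port closed: DHCP, DNS and all other traffic dropped.
            self.log.append(f"dropped {frame['type']} (port unauthorized)")
            return "DROP"
        self.log.append(f"forwarded {frame['type']}")
        return "FORWARD"

def demo():
    """Walk one client through a failed and then a successful EAP exchange."""
    port = AuthenticatorPort()
    frames = [
        {"type": "DHCP-DISCOVER"},
        {"type": "EAPOL", "identity": "unknown.laptop", "credential": "bad"},
        {"type": "DHCP-DISCOVER"},
        {"type": "EAPOL", "identity": "laptop01.corp.example",
         "credential": "thumbprint-A1B2"},
        {"type": "DHCP-DISCOVER"},
    ]
    return [port.receive(f) for f in frames]
```

The client's first DHCP request is dropped, the rejected EAP attempt leaves the port closed, and only after Access-Accept does the same request get forwarded.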
Adapting the Network Infrastructure for a WLAN
When you adapt your network infrastructure for a WLAN, verify you have
the required components; eliminate any potential single points of
failure; and define IP addressing and subnets needed to support your
wireless clients. Active Directory contains the user and computer
accounts that are used for authentication and authorization of wireless
users. It also contains the Group Policy settings that govern wireless
connections — for example, information regarding auto enrollment for the
user and computer certificates that are installed on wireless clients,
and the Wireless Network (IEEE 802.11) Policies settings that specify
preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE
802.1X settings for wireless connections.
To plan for the configuration of Active Directory for your wireless
clients, identify the user and computer accounts for wireless users, and
add them to a group that will be used in conjunction with a remote
access policy to manage wireless access. Then you need to determine how
to set the remote access permission on the user and computer accounts.
Eliminating Single Points of Failure
To ensure that wireless clients can continue to be authenticated on the
network and can access resources and applications, eliminate single
points of failure in your network infrastructure by including:
• Redundant services (such as Active Directory domain controllers) on
separate subnets.
• Clustered DHCP services, in the event that one of the cluster nodes
fails.
• DNS on all domain controllers, in the event that a DNS server fails.
• Redundant RADIUS servers and proxies, to provide fault tolerance for
RADIUS-based authentication.
• Redundant switches and routers, in the event that a switch or router
fails.
• Redundant network paths between switches and routers.
You also need to determine how many additional IP addresses your
wireless clients will require, and whether or not to define additional
subnets. This can be accomplished by calculating the number of
additional IP addresses that wireless users will require by determining
the average number of wireless clients currently using your corporate
network at any given time. You should also build for the future and have
the capacity for the estimated number of additional concurrent wireless
clients your network will need to support in the future. After you
design and verify that the services needed for your network
infrastructure to support an enterprise WLAN are in place, begin the
design process for the location of the wireless APs. Placing them in the
plenum area is often best; once they are deployed, you eliminate
the ‘human’ factor when it comes to disconnects. You do need to make
sure, from a manageability standpoint, that they are accessible in case
there are issues with power, etc.
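The address-planning step above, worked through as an added example (not from the article): size a wireless client subnet from the measured average concurrent client count plus the estimated future clients, and derive the DHCP scope. The 25% headroom factor and the ten reserved low addresses are assumptions.

```python
import ipaddress
import math

def plan_wireless_subnet(base_block, avg_concurrent, future_concurrent,
                         headroom=0.25, reserved=10):
    """Size a wireless client subnet and its DHCP scope.

    base_block:        block the subnet is carved from, e.g. '10.10.0.0/16'
    avg_concurrent:    wireless clients measured on the network at any given time
    future_concurrent: additional concurrent clients expected later
    headroom:          spare fraction kept free above the estimate (assumed 25%)
    reserved:          low addresses held back for the gateway, APs and static hosts
    Returns (subnet, first_dhcp_address, last_dhcp_address).
    """
    estimate = math.ceil((avg_concurrent + future_concurrent) * (1 + headroom))
    needed_hosts = estimate + reserved
    # A /p IPv4 subnet has 2**(32-p) - 2 usable hosts (network and broadcast excluded).
    host_bits = max(2, math.ceil(math.log2(needed_hosts + 2)))
    prefix = 32 - host_bits
    base = ipaddress.ip_network(base_block)
    if prefix < base.prefixlen:
        raise ValueError(f"{base_block} cannot hold a /{prefix} wireless subnet")
    subnet = next(base.subnets(new_prefix=prefix))
    hosts = list(subnet.hosts())
    # DHCP scope starts just past the reserved addresses and runs to the last host.
    return subnet, hosts[reserved], hosts[-1]

def usable_hosts(subnet):
    """Usable host addresses in the subnet, for reporting spare capacity."""
    return subnet.num_addresses - 2
```

With 180 clients measured today and 120 more expected, the function chooses a /23 (510 usable addresses) rather than a /24, which the growth estimate alone would already exceed once headroom is applied.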
Other Considerations
You should identify the areas of coverage for wireless users and take
into consideration possible sources of interference. Wi-Fi
operates in an unlicensed frequency spectrum. That means that there are
devices that may cause interference or even loss of connectivity. These
existing devices include but are not limited to:
• Existing Bluetooth-enabled devices
• Microwave ovens
• Some models of cordless telephones
• Wireless video cameras
• Medical equipment
You should also be aware of building layouts and construction
materials that can block signal propagation. These include:
• Support girders
• Elevator shafts
• Rebar reinforcement in concrete
• Heating and air-conditioning ventilation ducts
• Wire mesh that reinforces plaster or stucco in walls
How can I get more information about a Secure WLAN?
You can get more information about this subject. Microsoft has an
in-depth web article (complete with pictures and diagrams) on the way
this all works with Windows Server 2003. You can view that information
at the following URL:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbm_wir_overview.asp
If you have questions or comments about this article, contact me (JohnBoline@hagerman.com).
All product names / logos, company names / logos are copyrights of their
respective holders. John Boline is an MCSE, CNE and a member of the
Network Professional Association. The content herein is often based on
late-breaking events. Much of the material is based on information from
sources that are believed to be reliable. Hagerman & Company, Inc.
disclaims all warranties as to the ultimate accuracy or completeness of
the information. Hagerman & Company, Inc. and its employees shall have
no liability for errors, omissions or inadequacies in the information
contained within this article or for any interpretations thereof. The
recommendations, positions and best practice policies outlined herein
represent Hagerman & Company, Inc.’s initial analysis and therefore are
subject to change as further information which may have bearing on these
positions is made available. The reader assumes sole responsibility for
the selection of these materials to achieve its intended results. The
opinions expressed herein are subject to change without notice. Entire
contents © 2005 Hagerman & Company, Inc. All rights reserved.
Reproduction of this publication in any form without prior written
permission is forbidden.
by John Boline
Service Manager, MCSE, CNE, USE