
Deploying a Wireless LAN
Real Security Made Possible with Windows Server 2003 (and lots of planning)!
 

We all want to be mobile, and wireless connectivity offers users a high degree of mobility and provides another networking option when traditional wired networks are impractical. With the Microsoft® Windows® Server 2003 operating system, the networking services needed to deploy a secure and manageable wireless local area network (WLAN) infrastructure within an enterprise environment now exist.

You Are Connected
In today’s enterprise, all you need to do is enable your Wi-Fi NIC and you can usually find at least a couple of hot spots in your building, and even more at home! More than likely, you will see that the wireless connection is insecure and does not use authentication, and with very few exceptions you will be able to connect. That presents a couple of problems, and they are both security related. When you are mobile, you are more than likely connecting to secure servers at your office, and that data is being passed over an insecure network. Likewise, if you are connected with a laptop to an insecure network, it is a safe bet that you will need to have a firewall running locally on your machine. It is, after all, not very likely that the people who did not think enough of security to have any on their WAP (Wireless Access Point) will have a firewall at all. So you have the wireless world when you travel or telecommute but not when you are at the office, and you want it there too. Your IT people are concerned about security. What can you do? You can use the tools and security provided by Windows Server 2003.

Overview of Deploying a Wireless LAN
To create and deploy a secure wireless LAN, you need to provide authorization and authentication, automatic IP address assignment, and name resolution for wireless users. To do this, your networking infrastructure should include the following services:

• Active Directory service
• Remote Authentication Dial-In User Service (RADIUS) servers and proxies
• A certificate infrastructure, also known as a public key infrastructure (PKI)
• Dynamic Host Configuration Protocol (DHCP) services
• Domain Name System (DNS) services

With these services running, you will be able to provide the security, availability, and scalability needed for an enterprise WLAN solution. All of the components required for the deployment of an enterprise WLAN solution are included with Windows Server 2003 (at the server side) and Windows XP (for the workstations). Windows Server 2003 provides (and includes) DHCP, DNS, and Certificate Services, and support for RADIUS (through the Internet Authentication Service [IAS]), the IEEE 802.1X standard, and certificate authentication. Windows XP with an available wireless network adapter provides support for wireless devices such as laptops and personal digital assistants (PDAs), the IEEE 802.1X standard, and certificate authentication.

Process for Deploying a Wireless LAN
When you are ready to deploy a wireless LAN, you adapt your existing network infrastructure for a WLAN before designing the wireless solution. You then decide where to locate wireless access points (APs) and how to deploy them, design wireless security and unauthenticated access, optionally design a public space WLAN for visitors, and design for better manageability.

The WLAN solution provided by Windows XP and Windows Server 2003 is based on IEEE standards 802.11 and 802.1X. Those specifications are:

IEEE 802.11: IEEE 802.11, the standard for WLANs, specifies a technology that operates in the 2.4 through 2.5 GHz Industrial, Scientific, and Medical (ISM) band and has a maximum bit rate of 2 megabits per second (Mbps). IEEE 802.11b supports two additional speeds, 5.5 Mbps and 11 Mbps, in the ISM band.

IEEE 802.1X: The 802.1X standard defines port-based network access control to provide authenticated network access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard is designed for wired Ethernet networks, it applies to 802.11 WLANs as well.

Adapting the Network Infrastructure for a WLAN
When you adapt your network infrastructure for a WLAN, verify you have the required components; eliminate any potential single points of failure; and define IP addressing and subnets needed to support your wireless clients. Active Directory contains the user and computer accounts that are used for authentication and authorization of wireless users. It also contains the Group Policy settings that govern wireless connections — for example, information regarding auto enrollment for the user and computer certificates that are installed on wireless clients, and the Wireless Network (IEEE 802.11) Policies settings that specify preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings for wireless connections.

To plan for the configuration of Active Directory for your wireless clients, identify the user and computer accounts for wireless users, and add them to a group that will be used in conjunction with a remote access policy to manage wireless access. Then you need to determine how to set the remote access permission on the user and computer accounts.

Eliminating Single Points of Failure
To ensure that wireless clients can continue to be authenticated on the network and can access resources and applications, eliminate single points of failure in your network infrastructure by including:
• Redundant services (such as Active Directory domain controllers) on separate subnets.
• Clustered DHCP services, in the event that one of the cluster nodes fails.
• DNS on all domain controllers, in the event that a DNS server fails.
• Redundant RADIUS servers and proxies, to provide fault tolerance for RADIUS-based authentication.
• Redundant switches and routers, in the event that a switch or router fails.
• Redundant network paths between switches and routers.
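The redundancy checklist above can be run as a check against a server inventory. The following is an added example, not part of the original article; the role names, the choice of which roles must span subnets, and the sample inventory are assumptions made for illustration.

```python
# Added example. Role names and the sample inventory are constructed.
from collections import defaultdict

# Services the article lists as required for a secure WLAN.
REQUIRED_ROLES = ("domain_controller", "radius", "ca", "dhcp", "dns")
# Roles the article says need more than one instance (DHCP as cluster nodes).
REDUNDANT_ROLES = ("domain_controller", "radius", "dhcp")
# Assumption: only these roles are required to span separate subnets.
SEPARATE_SUBNET_ROLES = ("domain_controller", "radius")

def find_single_points_of_failure(inventory):
    """inventory: iterable of (host, role, subnet). Returns sorted findings."""
    hosts = defaultdict(set)
    subnets = defaultdict(set)
    for host, role, subnet in inventory:
        hosts[role].add(host)
        subnets[role].add(subnet)

    findings = []
    for role in REQUIRED_ROLES:
        if not hosts[role]:
            findings.append(f"{role}: no server provides this service")
    for role in REDUNDANT_ROLES:
        if len(hosts[role]) == 1:
            findings.append(f"{role}: only one instance")
    for role in SEPARATE_SUBNET_ROLES:
        if len(hosts[role]) > 1 and len(subnets[role]) == 1:
            findings.append(f"{role}: all instances on one subnet")
    # The article calls for DNS on every domain controller.
    for dc in sorted(hosts["domain_controller"] - hosts["dns"]):
        findings.append(f"dns: not running on domain controller {dc}")
    return sorted(findings)

# Constructed sample inventory: (host, role, subnet).
SAMPLE_INVENTORY = [
    ("dc01", "domain_controller", "10.0.1.0/24"),
    ("dc01", "dns", "10.0.1.0/24"),
    ("dc02", "domain_controller", "10.0.1.0/24"),
    ("ias01", "radius", "10.0.1.0/24"),
    ("dhcp01", "dhcp", "10.0.1.0/24"),
    ("dhcp02", "dhcp", "10.0.2.0/24"),
]

if __name__ == "__main__":
    for finding in find_single_points_of_failure(SAMPLE_INVENTORY):
        print(finding)
```

Switch, router and network-path redundancy from the same list needs topology data and is not covered by this inventory check.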

You also need to determine how many additional IP addresses your wireless clients will require, and whether or not to define additional subnets. To calculate the number of additional IP addresses, determine the average number of wireless clients using your corporate network at any given time. You should also build for the future and have capacity for the estimated number of additional concurrent wireless clients your network will need to support.

After you design and verify that the services needed for your network infrastructure to support an enterprise WLAN are in place, begin the design process for the location of the wireless APs. Placing them in the plenum area is often best because, once they are deployed there, you eliminate the ‘human’ factor when it comes to disconnects. From a manageability standpoint, you do need to make sure that they remain accessible in case there are issues with power, etc.
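The address calculation described above can be carried through to a concrete subnet choice. This is an added example, not part of the original article; the client counts, the one reserved gateway address, and the 10.20.0.0/16 address plan are assumptions.

```python
# Added example. All addresses and client counts are constructed.
import ipaddress

def wireless_prefix(avg_concurrent, future_additional, reserved=1):
    """Longest IPv4 prefix that still holds current plus future wireless clients.

    reserved covers non-client addresses on the subnet (assumed: one gateway).
    """
    hosts = avg_concurrent + future_additional + reserved
    total = hosts + 2                       # network and broadcast addresses
    host_bits = (total - 1).bit_length()    # smallest power of two >= total
    return 32 - host_bits

def allocate_wireless_subnet(supernet, in_use, prefixlen):
    """First subnet of the given size in supernet that overlaps nothing in use.

    Returns None when the supernet has no free block of that size.
    """
    supernet = ipaddress.ip_network(supernet)
    used = [ipaddress.ip_network(net) for net in in_use]
    for candidate in supernet.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used):
            return candidate
    return None

if __name__ == "__main__":
    # 180 clients on average today, 90 more expected later.
    prefix = wireless_prefix(180, 90)
    wired = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/23"]
    subnet = allocate_wireless_subnet("10.20.0.0/16", wired, prefix)
    print(f"/{prefix} needed, allocate {subnet}")
```

A result of `None` is the signal that the existing address plan cannot absorb the wireless clients and additional address space has to be defined.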

Other Considerations
You should identify the areas of coverage for wireless users and take into consideration possible sources of interference. Wi-Fi operates in an unlicensed frequency spectrum, which means that other devices may cause interference or even loss of connectivity. These devices include but are not limited to:
• Existing Bluetooth-enabled devices
• Microwave ovens
• Some models of cordless telephones
• Wireless video cameras
• Medical equipment

You should also be aware of building layouts and construction materials that can block signal propagation. These include:
• Support girders
• Elevator shafts
• Rebar reinforcement in concrete
• Heating and air-conditioning ventilation ducts
• Wire mesh that reinforces plaster or stucco in walls

How can I get more information about a Secure WLAN?
You can get more information about this subject from Microsoft, which has an in-depth web article (complete with pictures and diagrams) on the way this all works with Windows Server 2003. You can view that information at the following URL: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbm_wir_overview.asp
If you have questions or comments about this article, contact me (JohnBoline@hagerman.com).
 

All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, CNE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Entire contents © 2005 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.

 

 

by John Boline
Service Manager, MCSE, CNE, USE



Copyright © 2006 Hagerman & Company, Inc.