8.1. Network Location Profile A network location profile is a classification assigned to a network connection that identifies the connection type. Security settings, firewall settings, and enabled services can then be automatically configured on the connection based on the profile (or location) type. Both Windows Vista/7/10 and Windows Server 2008/2012/2016 support network profiles. The following table lists the network profile types. Location Description The Domain network location is used automatically when the Domain computer is connected to an Active Directory domain. Security settings are controlled through Group Policy. A Public network is an untrusted network (such as when you are in an airport or library). Default settings keep your computer from being visible (Network Discovery is turned off) or sharing files. When connecting to a public network, consider the following: To avoid viruses, malicious hackers, and unwanted software, you should have up‐to‐date firewall and antivirus software installed Public and running on your computer. When you connect to an unsecured wireless network, all that you do on the Internet can be monitored by someone with the correct equipment, including: o Web sites you visit. o Online documents you work on. o Usernames and passwords you use. A Private network is a trusted local area network, such as a home or office network. Network Discovery is enabled by default. Even in a Private private network situation you should have up‐to‐date firewall and antivirus software enabled on your computer. Windows automatically assigns the profile type for a connection, and you can manually specify the profile or control it through the local security policy or Group Policy. Configure profile settings manually for a connection through the Network and Sharing Center. Enforce settings in the local security policy or Group Policy through settings in the Network List Manager Policies. o Use the Identifying Networks setting to identify which profile is assigned to a connection while the operating system is still trying to classify the connection type. For example, you can apply Private or Public network settings to these networks until a classification has been assigned by Windows. o Use the Unidentified Networks setting to configure the location type to use when a network cannot be automatically classified. o Use the All Networks setting to configure whether users can manually change the network name, location designation, or network icon. o In addition to these global settings, each known network (such as a domain) will have an entry. You can control the name, and whether users can modify the name or the icon. © Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E‐mail: [email protected] Mob: (+972) 526848757 8.2. Wireless LAN Configuration When implementing a wireless LAN, you have two choices for designing the network topology: Configuration Description An infrastructure wireless network employs an access point (AP), also referred to as a wireless access point (WAP), that functions like a hub on an Ethernet network. With an infrastructure network: The network uses a physical star topology. You can easily add hosts without increasing administrative Infrastructure efforts (scalable). The AP can be easily connected to a wired network, allowing clients to access both wired and wireless hosts. The placement and configuration of APs require planning to implement effectively. You should implement an infrastructure network for all but the smallest of wireless networks. An ad hoc network works in peer‐to‐peer mode without an AP. Instead, the wireless NICs in each host communicate directly with one another. An ad hoc network: Uses a physical mesh topology. Ad Hoc Is cheap and easy to set up. Cannot handle more than four hosts. Requires special modifications to reach wired networks. You will typically only use an ad hoc network to create a direct, temporary connection between two hosts. You should be aware of the following identifiers used with wireless networks: Identifier Description The Service Set Identifier (SSID), also called the network name, groups wireless devices together into the same logical network. Service Set All devices on the same network must have the same SSID. Identifier Configure both the access point and each client computer (SSID) with the same SSID. The SSID is a 32‐bit value that is inserted into each frame. The Basic Service Set Identifier (BSSID) is a 48‐bit value that identifies an access point (AP) in an infrastructure network or a Basic Service host in an ad hoc network. The BSSID allows devices to find a Set Identifier specific AP on a network with multiple access points, and is used (BSSID) by computers to keep track of APs when roaming on a network with multiple access points. Most wireless networks can transmit on one of multiple channels. When configuring the channel: On the AP, accept the default channel or change it to one of your choice. Choose a channel that is not used by any other wireless transmitting devices (such as phones or other APs). When configuring multiple APs on a network, configure each AP to use a different channel but with the same SSID (Service Set Identifier). On the NIC, the channel is typically detected automatically and is configured to match the channel used by the AP. On some NICs you can also set the channel to a specific channel. When doing so, use the same channel on which the AP transmits. © Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E‐mail: [email protected] Mob: (+972) 526848757 8.3. Wireless Security Authentication on a wireless network is provided by one of the following methods. Method Description Open authentication requires that clients provide a MAC address to connect to the wireless network. Access can be controlled on a limited Open basis by performing MAC address filtering where devices whose addresses are listed can connect. Because MAC addresses are easily spoofed, this provides little practical security. Shared secret authentication, also called pre‐shared key Shared authentication, configures clients and access points with a shared key secret (or password). Only devices with the correct shared key can connect to the wireless network. 802.1x is an authentication standard for wired Ethernet networks that allows for user authentication. The 802.1x standards have been adapted for use in wireless networks to provide secure authentication. 802.1x authentication requires the following components: A RADIUS server to centralize user account and authentication information. A centralized database for user authentication is required to allow wireless clients to roam between cells but authenticate using the same account information. A PKI for issuing certificates. At a minimum, the RADIUS server 802.1x must have a server certificate. To support mutual authentication, each client must also have a certificate. 802.1x supports Extensible Authentication Protocols (EAP) that allow for a wide range of authentication options including: MD5 TLS (uses certificates for client authentication) MS‐CHAP v2 (uses passwords for client authentication) PEAP (Protected EAP) LEAP TTLS Note: When using PEAP, choose PEAP‐EAP‐TLS to use certificates, and PEAP‐EAP‐MSCHAP to use usernames and passwords for authentication. Security for wireless networking is provided from the following implementations: Method Description WEP is an optional component of the 802.11 specifications. WEP was designed to provide wireless connections with the same security as cable connections. WEP: Uses Rivest Cipher 4 (RC4) with a 40‐bit key and 24‐bit initialization vector (IV) for encryption. (Most implementations now use a 104‐bit key.) Uses CRC‐32 for data integrity applied to the data only (not the header). Supports open, shared key, and (recently) 802.1x authentication. Note: When configured for shared key authentication, WEP uses the WEP key as the shared secret. Wired Requires that keys be manually configured on each device. Equivalent Privacy (WEP) WEP has the following weaknesses: CRC‐32 is susceptible to bit‐flipping attacks, where modifications in the frame result in the same hash value. It uses a weak implementation of RC4 encryption. The short initialization vector results in quick reuse of the initialization vector. This allows hackers to easily crack the key. It is vulnerable to replay attacks. Using the WEP key for shared secret authentication exposes the shared key to attack, effectively decreasing the security of WEP. (Ironically, open authentication with WEP is more secure than shared key authentication.) WPA is the implementation name for wireless security based on initial 802.11i drafts. It was intended as an intermediate measure to take the place of WEP while a fully secured system named 802.11i (WPA2) was prepared. WPA: Uses the Temporal Key Integrity Protocol (TKIP) protocol. Uses RC4 with a 128‐bit key and a 48‐bit initialization vector (IV) for encryption. Uses the Message Integrity Check (MIC) algorithm (also called Michael) for data integrity applied to both the data and the header. Supports both Pre‐Shared Key (referred to as WPA‐PSK or WPA Personal) and 802.1x (referred to as WPA Enterprise) Wi‐Fi authentication. (Use WPA‐Personal for home or small Protected office networks that do not have a domain controller, Access (WPA) RADIUS server, or PKI required by 802.1x authentication. Use WPA when you have a domain controller and a RADIUS server that is a domain member.) Was designed such that it could be implemented on most existing wireless hardware through a firmware update. WPA attempts to address the weaknesses of WEP in the following ways: Encryption key and initialization vectors were increased. TKIP provides for dynamic key rotation which also helps protect against IV reuse. IVs are sequenced to prevent against replay attacks. WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications.