While there are various ways to accomplish enterprise wireless security, here I am going to outline my chosen process, one I've used repeatedly and about which I haven't had any complaints so far.
In many industries the ability to secure your data traffic is a key factor in the business's IT decision-making process. That is all well and good, but security is always the thing that gets compromised for the sake of functionality, and the current push for BYOD (Bring Your Own Device) and mobile computing in general brings the requirement for a wireless segment of your network to the forefront.
Enterprise Wireless Security – Network Policy Server (NPS)
Wireless infrastructure overview
The way I typically like to set up wireless in the enterprise is to have at a minimum two SSIDs, or wireless networks. The first dumps guests, who are given a preshared key upon request, into a VLAN that is segmented off from the rest of the network via VACLs or, better yet, a port on your corporate firewall, allowing access only to the Internet and maybe a printer. This network is WPA2 using TKIP encryption and broadcasts its SSID so that virtually any device made in the past decade can connect.
The second wireless network, or SSID, is used to connect employees' domain computers into the corporate VLAN. Access to any company resource is available here. This network's SSID will not be broadcast, so anyone who hasn't been given it would need specialized tools to find out that it exists. Further, it will link back to our Network Policy Server (NPS) to authenticate users or computers against Active Directory.
Finally, the NPS server will use a certificate to authenticate the server to the client. Interestingly enough, what I've found is that you can use any SSL certificate, including wildcard certificates, for most mobile devices, but to do this setup with laptops running various versions of Windows you pretty much have to use Active Directory Certificate Services.
Network Policy Server
The Network Policy Server role in Windows Server 2008 R2 has the capability to function as a RADIUS server for your wireless or other 802.1X network devices, using Active Directory as its authentication base. With NPS you configure policies that define who can access it, what authentication methods are supported, the type of device that can use it, and the certificate services that will be used.
Network Policy Server also has the ability to actively maintain the health of your network by running clients that attempt to connect through something called the Windows Security Health Validator. This is a definable policy, also within NPS, that can check for things like up-to-date antivirus and antimalware applications, whether the firewall is enabled, or the patch status of the client computer. This only works for Windows hosts, but is very nice all the same. It even gives you the ability to provide remediation servers to supply the updates, antivirus or antimalware software your clients may need in order to connect.
While nothing related to wireless, or to any other network for that matter, is perfect, it is possible to build a wireless network with reasonable security.
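The RADIUS exchange NPS handles for the wireless controller, as an added Python example that is not part of the original post and not Microsoft's code: it builds the Access-Request a controller sends, the Access-Accept NPS returns, and the checks each side makes under the shared secret. The secret, user name and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2               # RADIUS codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80  # attribute types

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident: int, secret: bytes, user: str, nas_ip: bytes) -> bytes:
    """NAS -> NPS. Message-Authenticator (RFC 3579) is HMAC-MD5 over the whole packet, keyed with the shared secret, with its own value zeroed."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, nas_ip)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_message_authenticator(request: bytes, secret: bytes) -> bool:
    """NPS-side check: a request not keyed with this RADIUS client's shared secret is rejected."""
    pos = 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = request[:pos + 2] + bytes(16) + request[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), request[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """NPS -> NAS. The reply is bound to the request by its identifier and Request Authenticator."""
    ident, req_auth = request[1], request[4:20]
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply forged without the secret, or replayed against another request, fails here."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or length < 20:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

The same per-client shared secret that makes these checks work is what NPS stores for each RADIUS client entry, so a controller whose secret leaks or is reused across sites loses this protection.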