A couple weeks ago I wrote and told you about how 802.1x based Network Access Protection (NAP) works. This week I wanted to follow-up and tell you about Secure Wireless based on the same technologies that make NAP work.
What does secure wireless mean? There is really no one answer to this question but you can certainly start with the basics. For example, using a combination of IEEE 802.1X and WPA, dynamic WEP or WPA2 you can get the following security properties:
· Authentication: Before being allowed to exchange data traffic with the wireless network, the wireless machine and user should both be authenticated.
· Authorization: Before being allowed to exchange data traffic with the wireless network, authenticated peer must be checked to ensure it is entitled to access the network (using, time, location, group membership, etc.).
· Encryption/Data Integrity: All data exchanged over the wireless network should be protected from eavesdropping and tampering.
All of the above can be accomplished with Windows 2003 and XP today using certificates, smartcards or passwords. If you already have a Windows 2003 infrastructure, you can easily use it to deploy a secure wireless network. The following white paper explains how (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx).
There are some great benefits to deploying a wireless solution based on Windows infrastructure. For starters, the wireless client is cheap to deploy since it is already present on all Windows clients. The Network Policy Server is also a standard Windows Server role. These clients and servers work with just about any network infrastructure.
Here at Microsoft, we have a global deployment of secure wireless based on Windows 2003. Last December, we upgraded the servers that the Windows division uses for wireless authentication to be running Longhorn Server pre-beta code. These servers are processing hundreds of thousands of transactions a day. So far so good.
Once you have a secure wireless deployment, you will be able to add NAP functionality to it when Vista, Longhorn Server and our XP NAP client are released.
· Health Policy Validation: All hosts that come onto your network should conform to your minimum criteria for health (patched, running antivirus, not sharing their network connection, etc.)
For more information on how 802.1x based Network Access Protection (NAP) works in VISTA take a look at my post from May 31st (http://blogs.msdn.com/nap/archive/2006/05/31/612518.aspx).
Ryan M. HurstLead Program ManagerLayer 2 Authentication and AuthorizationWindows Enterprise Networking