Networking UPDATE, January 22, 2003
Ed Roth discusses security and the wireless LAN (WLAN).
January 21, 2003
********************
Networking UPDATE--brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
http://www.winnetmag.com
*********************
~~~~ THIS ISSUE SPONSORED BY ~~~~
FREE VoIP eBook
http://list.winnetmag.com/cgi-bin3/flo?y=eA0DRxWW0CXb07Qk0AC
~~~~~~~~~~~~~~~~~~~~
~~~~ SPONSOR: FREE VOIP EBOOK ~~~~
Register now to get on the path to VoIP success with NetIQ's free eBook, "The Essential Guide to VoIP Implementation and Management." You'll learn how to plan, implement and manage your VoIP network from industry experts, who provide valuable information on avoiding common mistakes and assessing your ROI. Let experts John Q. Walker II and Jeffrey T. Hicks take you beyond the basics, teach you how to build a business case for VoIP and separate the hype from reality. This free eBook provides in-depth chapters on planning and outsourcing, Quality of Service and ongoing VoIP management. Register now.
http://list.winnetmag.com/cgi-bin3/flo?y=eA0DRxWW0CXb07Qk0AC
********************
January 22, 2003--In this issue:
1. COMMENTARY
- WLAN Whack-a-Mole
2. ANNOUNCEMENT
- Windows Scripting Solutions for the Systems Administrator
3. RESOURCES
- Tip: Using Netshell to Administer Windows Systems
- Hot Thread: SPNEGO, Event 40960 40961
4. NEW AND IMPROVED
- Control Access to Network Resources - Network Protocol Map
5. CONTACT US
- See this section for a list of ways to contact us.
********************
1.
COMMENTARY
(contributed by Ed Roth, [email protected])
* WLAN WHACK-A-MOLE
Security concerns have plagued the wireless LAN (WLAN) since its inception. For many network administrators, trying to control the proliferation of wireless networks on the corporate network is like playing the Whack-a-Mole arcade game: As soon as you quash one, another springs up. Some administrators have found that the easiest way to deal with this headache is to implement a strong policy against WLANs in the name of security. But defending a no-WLAN policy is becoming increasingly difficult for several reasons. Stronger WLAN security standards present a good-news, bad-news proposition. The good news is that WLANs are becoming more secure; the bad news is that as users and managers become aware of these security improvements, they're more likely to challenge no-WLAN policies. Further challenges are likely as new devices such as Tablet PCs, wireless Palm handhelds, and Pocket PCs present fairly strong business reasons for maintaining a wireless network infrastructure.
Wireless security deficiencies stem from the authentication and encryption of traffic. The lack of physical connectivity to the network and the control such connectivity allows brings these problems to the forefront: Unauthorized clients within transmission distance have an opening to the LAN from which they can either attempt to gain access to network resources or eavesdrop on the wireless data transmissions. Another threat is the potential for authorized clients to connect to unauthorized Access Points (APs), thus creating a new hole through which the corporate network is vulnerable. You must implement a mutual authentication mechanism to ensure that only your clients authenticate to resources on your corporate network.
The key improvements to WLAN security result from stronger authentication protocols. Strengthening access control lets you more easily implement Wired Equivalent Privacy (WEP) for encrypting legitimate traffic, thus keeping the traffic safe from prying eyes. The IEEE 802.1x standard, which is based on the Extensible Authentication Protocol (EAP), defines a standard for WLAN authentication. The framework that the 802.1x standard establishes supports multiple authentication methods. However, to truly satisfy strong encryption and authentication requirements, you must use a method based on the Internet Engineering Task Force (IETF) Transport Layer Security (TLS) standard. Your choices, given these requirements, are EAP-Transport Layer Security (EAP-TLS), Tunneled Transport Layer Security (TTLS), and Protected Extensible Authentication Protocol (PEAP).
EAP-TLS is a workable and proven solution, but its requirement that you maintain digital certificates for each client makes EAP-TLS cumbersome to implement unless you have a public key infrastructure (PKI) in place. TTLS and PEAP emerged in part to help you get around EAP-TLS's certificate-management overhead. Both PEAP and TTLS use a two-stage process that first establishes a secure channel, then uses that channel to execute mutual authentication. (The nuts and bolts of how this process occurs is different within each standard.) Whether or not you have any desire to understand the inner workings of either standard, you should be aware of both while keeping a watchful eye on who's backing which standard.
PEAP and TTLS are similar enough that many people contend that you need to use only one of them. TTLS has been around longer than PEAP, and it enjoys support from more vendors, works on a variety of clients, and provides a modicum of interoperability between WLAN vendors. PEAP is a relatively new kid on the block, but it has backing from industry heavyweights Microsoft, Cisco Systems, and RSA Security. TTLS has flexibility that PEAP doesn't yet have for supporting future encryption mechanisms such as Wired Equivalent Privacy (WEP) 2 and Temporal Key Integrity Protocol (TKIP). Still, you can't discount the advantage PEAP enjoys from the presence of Microsoft's client and Cisco's infrastructure, and you can count on those companies to leverage that advantage and push their version of wireless security. It might take a while to shake out, but either PEAP or TTLS will emerge as "the standard" while the other fades into obscurity. I don't know which one will emerge on top, but wa! iting for a clear winner will give those of us playing WLAN Whack-a-Mole a new excuse to hold off a little longer.
~~~~~~~~~~~~~~~~~~~~
2.
ANNOUNCEMENT
(brought to you by Windows & .NET Magazine and its partners)
* WINDOWS SCRIPTING SOLUTIONS FOR THE SYSTEMS ADMINISTRATOR You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at http://list.winnetmag.com/cgi-bin3/flo?y=eA0DRxWW0CXb06ob0AW
3.
RESOURCES
* TIP: USING NETSHELL TO ADMINISTER WINDOWS SYSTEMS (contributed by Ed Roth, [email protected])
If you're a hardcore networking person, you might not appreciate the unscriptable and sometimes cumbersome network configuration interfaces on Windows servers and workstations. The good news is that command-line lovers and script writers can use the Netshell utility (netsh.exe) to simplify and automate network administration tasks on Windows XP and Windows 2000 systems.
To launch Netshell, go to a command prompt (or click Start, Run) and type
netsh
Netsh commands that let you manage interfaces, routing, and remote access are particularly useful to network administrators. And to save time and ensure consistency, you can use the Windows Task Scheduler to script and schedule repetitive or complex tasks.
Command-line options give you a lot of flexibility. To use an alias for Netsh commands, use Netsh -a from a command line. This option might be useful for those who are very familiar with the Cisco Systems Integrated Office System (IOS)and want to alias IOS syntax to perform Netsh operations. Netsh -c lets you specify a context in which to open and accept commands. For example if you want to alter routing parameters, you might run Netsh -c Routing. Interface, routing, and RAS are examples of contexts. Netsh -f lets you specify a script file for Netsh to process, and Netsh -r lets you specify a remote machine to which Netsh commands apply. You can use a question mark to obtain syntax help and descriptions for different commands.
* HOT THREAD: SPNEGO, EVENT 40960 40961
In this thread, Poomba1 describes attempts to log on to a server from another subnet. The logon process fails with Event IDs 40960 and 40961. Visit the following URL to join the discussion: http://www.winnetmag.com/forums/rd.cfm?cid=36&tid=52299
4.
NEW AND IMPROVED
(contributed by Jason Bovberg, [email protected])
* CONTROL ACCESS TO NETWORK RESOURCES
SmartLine released PortsLock, a security solution that lets you set permissions on TCP/IP connections exactly as you would for files and folders on NTFS partitions. PortsLock, which protects corporate networks against attacks from the inside, is a firewall with user-level access controls for Windows XP, Windows 2000, and Windows NT. You can control which users access which TCP/IP-based protocols (e.g., HTTP, FTP, SMTP, POP3, Telnet) on a local computer, and you can set allowed or denied TCP/UDP ports and IP addresses for incoming and outgoing connections. PortsLock is transparent to users. The software costs $50. For more information or to download a 30-day trial version, contact SmartLine on the Web. http://www.ntutility.com/pl
* NETWORK PROTOCOL MAP
Javvin announced Javvin's Map of Communication Protocols, a comprehensive reference guide for IT and network professionals. Providing an overall picture of data and telecommunications, the chart displays hundreds of active protocols. Printed on a high-quality poster for use in offices, labs, classrooms, and home offices, Javvin's Map of Communication Protocols measures 27" x 39". The map costs $19.95; volume discounts are available. http://www.javvin.com
5.
CONTACT US
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- [email protected]
* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- [email protected]
* QUESTIONS ABOUT YOUR WINDOWS & .NET MAGAZINE UPDATE SUBSCRIPTION? Customer Support -- [email protected]
* WANT TO SPONSOR WINDOWS & .NET MAGAZINE UPDATE? [email protected]
******************** This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today. http://www.winnetmag.com/sub.cfm?code=wswi201x1z
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email |-+-|-+-|-+-|-+-|-+-|
Thank you for reading Networking UPDATE.
You are subscribed as [email protected]
MANAGE YOUR ACCOUNT You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on, and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place. http://www.winnetmag.com/email
Thank you! _________________________________________________________ Copyright 2003, Penton Media, Inc.
About the Author
You May Also Like