Windows on wireless: Windows and wireless are rapidly converging on devices, desktops, and servers.
Windows Zero-Configuration (WZC) is a key software technology that makes the process of connecting to a local wireless Wi-Fi network nearly automatic. For example, Windows can now automatically poll an installed 802.11 network card for available Wi-Fi access points. If it detects an access point, Windows automatically attempts to connect to it. In cases where it detects multiple access points, the user can configure Windows to use a preferred list of connections. This user-defined list can also include settings to control encryption and IEEE 802.1X authentication.
To promote support for WZC, Microsoft partnered with 802.11 network card vendors to further automate the steps a Wi-Fi network card follows when it associates with an access point. With this streamlined association process, the wireless network adapter and companion Network Device Interface Specification (NDIS) driver software only have to supply a few key device parameters to configure how the network device should work. Following this initial configuration phase, the wireless network adapter scans for available networks and passes the list to the higher-level WZC software layer.
Upon receiving this list, the WZC service automatically configures the wireless adapter with the access point the user defined as the preferred connection. Properties such as the IP address, subnet mask, and DNS addresses come into play at this phase in the connection process. If you configured and enabled 802.1X, the WZC service also applies properties for Internet Authentication Service (IAS) and Remote Authentication Dial-In User Service (RADIUS) access.
Although the current implementation of WZC is primarily focused on Wi-Fi, support for 802.11 isn't the only type of wireless technology the latest versions of Windows make available. Windows XP service pack 1 (and later), along with Windows CE .NET, integrates native Bluetooth 1.1 support at the operating system level.
A principal theme in the Bluetooth wireless specification is the concept of profiles. A profile describes the implementation details of the Bluetooth protocol stack to support a particular user application; for example, remote dial-up access, LAN access, or file transfer. Several profiles have been defined in the Bluetooth 1.x specification, including Dial-Up Networking, Fax, Headset, and Synchronization. Both Windows XP and Windows CE .NET support a subset of these profiles, which include the following:
* Dial-Up Networking Profile (DUN)
* LAN Access Profile (LAP)
* Object Push Profile (OPP)
* File Transfer Profile (FTP)
It's important to note that Microsoft's Windows XP LAN Access Profile is based on Internet Protocol version 6 (IPv6), which supports 128-bit addresses. In addition to 128-bit addressing, other benefits of IPv6 include a revised IP mobility layer that makes session management more dependable for wireless users moving between different IP networks.
Windows authorizes a Bluetooth service resource based on whether the device is Bluetooth-enabled, whether the system requires manual authorization, and whether the user has configured a passkey to support secure connections. The passkey is combined with a unique Bluetooth address and pseudo-random number to generate a link key. This key is a special code two Bluetooth devices exchange to connect to each other.
The Bluetooth profiles I mentioned earlier enable the following user applications in a Windows environment:
* File transfer over a Bluetooth wireless link
* Dial-up data functionality over Bluetooth-capable cell phone handsets
* Support for wireless input devices such as mice and keyboards that exist on the "wireless desktop" (this is covered under the Human Interface Device Profile)
* Virtual COM port for serial port emulation required to support serial-based devices over Bluetooth wireless links
* Internet applications such as Web browsers, e-mail clients, chat programs and other software that utilize the WinSock communication model.
Although Microsoft has focused its Bluetooth efforts on Windows XP and Windows CE .NET, several third-party companies have stepped up to help support earlier versions of Windows, such as Windows 2000. For example, 3COM, Compaq, IBM, Motorola, TDK, and Toshiba have all developed software-based Bluetooth protocol stacks, usually to support their own Bluetooth-enabled devices and products.
Connection management on the Windows desktop or server, whether it's Windows XP or Windows 2003, is primarily an extension of network facilities that have evolved over the last several releases of Windows. In the Windows CE operating system, the NDIS model, along with the higher-level UI control panel applets, exists in a different organization and structure. In CE, these facilities have been compartmentalized into a Connection Manager, a set of Connection Services, and Connection Service Providers (CSPs). The Connection Manager and the service and provider participants help automate how a user configures, establishes, and manages both wired and wireless network connections for Windows CE (figure 1).
[FIGURE 1 OMITTED]
The base Windows 2003 Server operating system software includes a Wireless Monitor control panel applet that lets network administrators configure a host of Wi-Fi network properties (figure 2). For example, they can view and log the network activity generated by wireless access points and clients. They can also configure the system to generate alerts when certain events occur; for example, when the network is scanned, when someone associates with an access point, or when a wireless interface is added to or removed from the Windows system.
[FIGURE 2 OMITTED]
The list of wireless access point properties that can be captured includes the network name, network type, MAC address, signal strength level, and the radio channel. Administrators can also track details about wireless clients; for example, a security administrator could use properties such as the MAC address, associated SSID, and timestamp to monitor wireless client activity.
Wi-Fi security for the enterprise
The new wireless security features in the latest round of Windows operating systems are significant. Microsoft has gone to considerable effort to leverage existing Windows server technologies such as Certificate Services, Internet Authentication Server (IAS), and Active Directory, along with newer software components such as the Microsoft 802.1X Authentication Client, to establish a solid wireless security architecture for enterprise networks.
Because deploying the 802.1X Authentication Client requires a substantial Windows Server infrastructure, this software client isn't intended for casual home wireless users; instead, it's for enterprise wireless adopters wanting to deploy Windows systems that access corporate computing resources via a wireless link. Supporting 802.1X requires a RADIUS-based authentication server as well as an internal Certificate Authority (CA). Internet Authentication Service, available for Windows 2000 Server and Windows 2003 Server, satisfies the RADIUS service requirement. For network redundancy, Microsoft recommends deploying a primary and secondary IAS system. The Domain Controller maintains the Active Directory database, which includes user accounts, computer accounts, and dial-in properties that each IAS server requires to properly authenticate credentials and evaluate authorization. The use of digital certificates always involves a Certificate Authority; for this, Microsoft recommends using Certificate Services, available in Windows 2000 and Windows 2003 Server editions.
Although 802.1X has been promoted as a security solution for Wi-Fi wireless networks, this technology was developed for wired Ethernet networks. Several third parties have implemented their own versions of the Extensible Authentication Protocol (EAP), which is at the core of the 802.1X framework. These variations include EAP-MD5 (Message Digest, version 5), EAP Cisco (Cisco's Lightweight EAP implementation), EAP-TLS (Transport Layer Security), and EAP-TTLS (Tunneled Transport Layer Security). Microsoft's attention to EAP has been concentrated on supporting the EAP Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) variations. Microsoft has added these EAP implementations to the Windows 2000, Windows Server 2003, Windows XP, and Windows Mobile 2003 operating systems.
EAP-TLS is a dual-certificate model, with one certificate assigned to the wireless client and the other to the authentication server. This type of mutual authentication gives security-minded enterprise adopters a more secure deployment because both the client and server are authenticated prior to the normal 802.1X key exchange process. However, this added security level requires more administrative effort by IT staff because they have to deploy a digital certificate to each wireless client.
PEAP is a computer-based certificate model that uses Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), for authentication. The primary advantage of PEAP over EAP-TLS is the ease of deployment because it doesn't require you to deploy each wireless client with a certificate. Furthermore, you can configure PEAP to use other EAP security authentication methods, including methods that utilize smart cards. This is particularly important because transmitting credentials, which normally occurs when a network connection is first established, shouldn't be handled via clear text across a Wi-Fi network. Doing so leaves the security information highly susceptible to war-driving exploits.
EAP and wireless network policies
To automate the configuration of wireless network settings for Windows XP (Service Pack 1 and later) and Windows Server 2003 wireless client computers, Windows Server 2003 Active Directory domains now support a new Wireless Network (IEEE 802.11) Group Policy extension. It lets network administrators define wireless network settings under Computer Configuration in a domain-based Group Policy object. This remote access policy lets employees wirelessly access the organization's intranet.
Windows and Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) is complementary to the wireless security model Microsoft introduced in the latest generation of Windows operating systems for desktops, servers, and devices. The WPA technical specification includes provisions for a RADIUS server (such as Internet Authentication Service or any third-party RADIUS-compliant server, such as the Funk Software Steel-Belted Radius product line). In addition, WPA is backward-compatible with WEP, so you can configure it to support clients that work with either WPA or WEP.
You can also implement WPA for home networks. This doesn't normally include a RADIUS server. You can configure wireless network cards and access points with a shared, private key. WPA support is available for Windows XP and Windows Server 2003 in the form of a client program.
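The shared, private key mentioned above is not used on the air directly. As an added example (not part of the article), the following shows the mapping IEEE 802.11i defines for WPA/WPA2 personal mode: the 8 to 63 character passphrase and the SSID are run through PBKDF2-HMAC-SHA1 with 4096 iterations to produce the 256-bit pairwise master key. The two test vectors are the ones published in that standard's annex; the entropy estimate is an assumption-laden heuristic added here for a defender's sanity check, not anything from the page.

```python
"""WPA-PSK: how a shared passphrase becomes the pairwise master key (PMK).

Added example, not from the article. In WPA/WPA2 personal mode the station
and the access point each derive
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
as defined in IEEE 802.11i. The derivation is public and salted only with
the SSID, so the passphrase's strength is the entire secret.
"""
import hashlib
import math


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK for a WPA/WPA2 personal network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on passphrase entropy from length and character classes.

    Heuristic chosen for this example: each character class present widens the
    assumed alphabet; the result is len * log2(alphabet). A short, single-class
    passphrase keeps the PMK guessable however the radio link is configured.
    """
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c.isprintable() and not c.isalnum(), 33),
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


# Test vectors from the IEEE 802.11i annex (passphrase, SSID, expected PMK hex).
VECTORS = [
    ("password", "IEEE",
     "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"),
    ("ThisIsAPassword", "ThisIsASSID",
     "0dc0d6eb90555ed6419756b9a15ec3e3209b63df707dd508d14581f8982721af"),
]


def check_vectors() -> bool:
    """Return True when the derivation reproduces the published vectors."""
    return all(wpa_psk(p, s).hex() == expected for p, s, expected in VECTORS)


if __name__ == "__main__":
    for passphrase, ssid, _ in VECTORS:
        print(f"{ssid!r}/{passphrase!r}: PMK={wpa_psk(passphrase, ssid).hex()} "
              f"(~{passphrase_entropy_bits(passphrase):.0f} bits of passphrase entropy)")
    print("vectors match:", check_vectors())
```

The point for a home deployment is visible in the numbers: the PMK is always 256 bits, but an eight-letter lowercase passphrase carries well under 40 bits of entropy behind it, and nothing in the WPA configuration of the card or access point changes that.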
Short Message Service (SMS)
SMS appeared commercially in the Windows Mobile OS environment starting with the Pocket PC 2002 Phone Edition and Smartphone 2002 devices. Support for SMS was carried forward with the introduction of the Windows Mobile 2003 and Smartphone 2003 mobile operating systems. In the Windows CE environment, managing SMS messages is nearly the same as managing standard e-mail messages. The SMS Messaging component is integrated with the standard Windows CE Inbox application; the interface and feature set for managing SMS is the same as for e-mail. This includes functions such as forward and reply. Also, if the device is turned off, offline, or outside a coverage area, the SMS message is stored at the wireless operator and forwarded when the user reconnects. Microsoft also includes a set of API calls for SMS messaging that third-party applications can use.
Wide area cellular connections now and on the horizon
Microsoft's first serious foray into the world of wireless focuses on local and personal area networks via Wi-Fi and Bluetooth support. The exception to this is Windows CE .NET, which has a Cellcore component that offers basic support for CDMA and GPRS. Longhorn, the follow-up to Windows XP, will bring wireless networking for cellular Wireless Wide Area Networks (WWANs) to the desktop and server platforms.
The best example of this new support is WZC, which in Longhorn will include a GPRS Auto-Configuration Service. As I explained earlier, WZC dynamically connects to a wireless network, based either on a user's preferences or default settings. In the same way WZC automatically selects and configures a wireless connection based on a list of available Wi-Fi access points, the GPRS Auto-Configuration Service will help users configure a GPRS handset or data modem that has been detected by Windows. In addition, other support scenarios exist which may include the capability to detect and utilize the Bluetooth capability of a GSM/GPRS handset for wireless Internet connectivity.
This expansion of wireless network integration will help users more easily manage connections in areas where they're dealing with wireless coverage tiers; for example, where both Wi-Fi and GPRS network service is available to the wireless Windows user.
Table 1: Making sense of your mobile options--Wireless features available in Pocket PC 2002 Phone Edition, Windows CE .NET, and Windows Mobile 2003.

| Wireless feature | Windows CE .NET 4.2 | Pocket PC 2002 Phone Edition | Windows Mobile 2003 |
|---|---|---|---|
| Cell phone integration (i.e., call forward) | No | Yes | Yes |
| SMS | No | Yes | Yes |
| GSM/GPRS | No | Yes | Yes |
| CDMA | No | Yes | Yes |
| Cellcore API layer | No | Yes | Yes |
| SIM card contact manager | No | Yes | Yes |
| 802.11b Wi-Fi | Yes | Yes | Yes |
| 802.1X authentication | Yes | No | Yes |
| Windows Zero Configuration (via download) | Yes | Yes | Yes |
| IrDA | Yes | Yes | Yes |
| Bluetooth (OEM option) | Yes | No | Yes |
MOBILE BUSINESS BENEFITS
Although Wi-Fi has caught on like wildfire with consumers, enterprise adoption has been slower due to issues of security and a lack of administration tools. Microsoft hopes to remedy this with enhancements to its device, desktop, and server operating systems.
IEEE 802.1X addresses authentication, authorization, and auditing of computers and users in a Wi-Fi enterprise network environment. The 802.1X security framework was developed by the Institute of Electrical and Electronics Engineers (IEEE) to address many Wi-Fi security issues, including protection of user authentication credentials, particularly in the early stages of the network authentication process. Aspects of the IEEE 802.1X security specification include user identification, authentication, dynamic key management, and accounting facilities. One important benefit of the 802.1X security framework is that it lets organizations reuse much of their existing network server and VPN infrastructure.
Windows Zero-Configuration in a nutshell
Here are a few of the key features of WZC:
* Systems can automatically retrieve several network connection properties such as the IP address, gateway, and DNS servers. If you're using the 802.1X authentication client, WZC automatically configures the RADIUS and IAS addresses.
* WZC is integrated into the Windows XP network configuration and management control panels.
* WZC supports key management for IEEE 802.1X, WEP, and WPA.
* If several access points are available, the user can pre-define an ordered list of preferred wireless LANs WZC will select for association. This capability lets administrators or users determine which access points a Windows client can roam to.
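The preferred list above decides which network a client will join unattended, and the PEAP discussion under "Wi-Fi security for the enterprise" shows why the client must also validate the authentication server before handing over credentials. One way to turn both points into a check an administrator can run is to audit every saved profile in priority order. The following is an added example, not the article's or Microsoft's code. It assumes the per-profile XML that `netsh wlan export profile folder=<dir>` writes on later Windows versions (the WLANProfile/v1 schema with an embedded EapHostConfig block for 802.1X) rather than the XP-era WZC registry layout, and the two profiles are constructed samples, not real exports.

```python
"""Audit a Windows wireless preferred list for weak profiles.

Added example, not from the article. Assumes the per-profile XML written by
`netsh wlan export profile folder=<dir>` on later Windows versions; pass the
files in the order `netsh wlan show profiles` lists them, which is the
preference order the client uses. Both profiles below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample: a legacy open/WEP network still set to auto-connect.
WEP_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>LegacyLab</name>
  <SSIDConfig><SSID><name>LegacyLab</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication><encryption>WEP</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample: WPA2 with PEAP (EAP type 25) but server validation left to the user.
PEAP_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <SSIDConfig><SSID><name>CorpWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
          </EapType>
        </Eap></Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the namespace so PEAP and EAP-TLS settings can be read the same way."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return (profile name, list of findings) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("p:name", namespaces=NS)
    mode = root.findtext("p:connectionMode", namespaces=NS)
    ae = root.find("p:MSM/p:security/p:authEncryption", NS)
    auth = ae.findtext("p:authentication", namespaces=NS)
    enc = ae.findtext("p:encryption", namespaces=NS)
    findings = []
    if auth in ("open", "shared") or enc in ("WEP", "none"):
        findings.append("weak link security: %s/%s" % (auth, enc))
    elif enc == "TKIP":
        findings.append("WPA/TKIP in use; prefer AES (CCMP)")
    if ae.findtext("p:useOneX", namespaces=NS) == "true":
        # Both PEAP and EAP-TLS carry a ServerValidation block. Without a pinned
        # server name and with the user prompt enabled, the client cannot tell
        # the organization's RADIUS server from any other one presenting a certificate.
        sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
        if sv is None:
            findings.append("802.1X enabled but no server validation settings")
        else:
            fields = {_local(c.tag): (c.text or "").strip() for c in sv}
            if fields.get("DisableUserPromptForServerValidation") != "true":
                findings.append("user may accept an untrusted authentication server certificate")
            if not fields.get("ServerNames"):
                findings.append("no expected RADIUS server name pinned")
    if mode == "auto" and findings:
        findings.append("profile auto-connects despite the issues above")
    return name, findings


def audit_preferred_list(profiles_in_priority_order):
    """Walk the preferred list top-down, the order the client tries networks."""
    return [
        {"priority": rank, "name": name, "findings": findings}
        for rank, (name, findings)
        in enumerate(map(audit_profile, profiles_in_priority_order), start=1)
    ]


if __name__ == "__main__":
    for entry in audit_preferred_list([PEAP_PROFILE, WEP_PROFILE]):
        print(f"{entry['priority']}. {entry['name']}")
        for finding in entry["findings"]:
            print("   -", finding)
```

Run against real exports, the report reads as the order in which the client will try networks, so a weak profile near the top of the list matters more than the same profile at the bottom; the fix is either to push the profile down, set it to manual connection, or remove it, and for 802.1X profiles to pin the RADIUS server name and disable the user prompt so the PEAP tunnel is only ever built to the expected server.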
OSs for mobile devices redux
Windows CE .NET is a component-based, real-time embedded operating system. Many of its key components originated in the desktop version of Windows, which Microsoft ported to CE over many releases. Windows Mobile 2003 is based on Windows CE .NET version 4.2, whereas Pocket PC 2002 (along with the Phone Edition) was built on Windows CE 3.0 (figure 3). The Smartphone operating system shares code and components with Windows CE, but it's specifically designed for cellular handsets.
[FIGURE 3 OMITTED]
Microsoft has introduced new connection services to support Wi-Fi, 802.1X, and Bluetooth in Windows CE .NET 4.2. Windows Mobile 2003, which is based on Windows CE .NET, expands the array of wireless support to include GPRS and CDMA radio protocol stacks. Table 1 shows a complete list of wireless technologies available in Pocket PC 2002 Phone Edition, Windows CE .NET, and Windows Mobile 2003.
Certificate Services--Microsoft Certificate Services offer a public key infrastructure (PKI) subsystem that has been integrated into the Windows 2000 and Windows 2003 Server editions. This PKI infrastructure enables the secure exchange of information between systems on a network. You can deploy Certificate Services in an enterprise environment to verify and authenticate the validity of each user connecting to a given network resource.
Internet Authentication Server (IAS)--This is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server. IAS, which is a member of the Windows Server family, offers authentication, authorization, and accounting services for various types of clients, including wireless, VPN, and dial-up.
Active Directory--A hierarchical repository of users, servers, printers, and other network objects that serves as a directory service in an enterprise Windows network.
802.1X Authentication Client--The 802.1X client software is available for Windows XP Service Pack 1, Windows 2000 Service Pack 3, and Windows Mobile 2003. Pocket PC 2002 support differs from Windows Mobile 2003 in that it only supports PEAP.
Kevin Wittmer works as a senior software engineer for SmartSignal Corporation, headquartered just outside Chicago. SmartSignal is a leader in early-warning predictive technology utilized in the aviation, electricity, and transportation sectors, http://www.smartsignal.com.
Publication: Mobile Business Advisor (Wireless Networking), May 1, 2004