How to Secure Your Wireless Network

Network Authentication Process

The process of a client associating and authenticating to an access point is standard. Should shared key authentication be selected at the client, additional packets are sent confirming the key's authenticity.

The following describes EAP network authentication.

 1. Client sends probe to all access points

 2. Access point sends information frame with data rate, etc.

 3. Client selects nearest matching access point

 4. Client scans access point in order of 802.11a, 802.11b then 802.11g

 5. Data rate is selected

 6. Client associates to access point with SSID

 7. With EAP network authentication the client authenticates with the RADIUS server

Open Authentication

This type of security assigns a string to an access point or several access points defining a logical segmented wireless network known as a service set identifier (SSID). The client can’t associate with an access point unless it is configured with that SSID. Associating with the network is as easy as determining the SSID from any client on the network. The access point can be configured to not broadcast the SSID improving security somewhat. Most companies will implement static or dynamic keys to supplement security of SSID.

Static WEP keys

Configuring your client adapter with a static Wired Equivalent Privacy (WEP) key improves the security of your wireless transmissions. The access point is configured with the same 40 bit or 128 bit WEP key, and during association those encrypted keys are compared. The issue is that hackers can intercept wireless packets and decode your WEP key.

Dynamic WEP keys (WPA)

The deployment of dynamic encrypted WEP keys per session strengthens security with a hash algorithm that generates new key pairs at specific intervals, making spoofing much more difficult. The protocol standard includes 802.1x authentication methods with TKIP and MIC encryption. Authentication between the wireless client and the RADIUS authentication server allows for dynamic administration of security. It should be mentioned that each authentication type specifies its Windows platform support. An example is PEAP, which requires Windows XP with Service Pack 2, Windows 2000 with SP4 or Windows 2003 at each client.

The 802.1x standard is an authentication standard with per user and per session encryption and these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. User network authentication credentials have nothing to do with the client computer configuration, so any loss of computer equipment doesn't affect security. The encryption process is handled with TKIP, an enhanced encryption standard that improves WEP encryption with per packet key hashing (PPK), message integrity checking (MIC) and broadcast key rotation. The protocol uses 128 bit keys for encrypting data and 64 bit keys for authentication. The transmitter adds some bytes, the MIC, to a packet before encrypting it, and the receiver decrypts the packet and verifies the MIC. Broadcast key rotation rotates unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that allows employees to roam without having to re-authenticate with the RADIUS server should they change floors or rooms; the client username and password are cached with the RADIUS server for a specified period.

EAP-FAST

 • Implements symmetric key algorithm to build secure tunnel

 • Client and RADIUS server side mutual authentication

 • Client sends username and password credential in secure tunnel

EAP-TLS

 • SSL v3 builds an encrypted tunnel

 • Client side and RADIUS server side assigned PKI certificates with mutual authentication

 • Dynamic per client per session keys used to encrypt data

Protected EAP (PEAP)

 • Implemented at Windows clients with any EAP authentication method

 • Server side RADIUS server authentication with root CA digital certificate

 • Client side authentication with RADIUS server from Microsoft MS-CHAP v2 client with username and password encrypted credentials

Wireless Client EAP Network Authentication Process

 1. Client associates with access point

 2. Access point allows 802.1x traffic

 3. Client authenticates RADIUS server certificate

 4. RADIUS server sends username with password encrypted request to client

 5. Client sends username with password encrypted to RADIUS server

 6. RADIUS server and client derive WEP key. RADIUS server sends WEP key to access point

 7. Access point encrypts 128 bit broadcast key with that dynamic session key. Sends to client.

 8. Client and access point use session key to encrypt/decrypt packets

WPA-PSK

WPA pre-shared keys use some features of static WEP keys and dynamic key protocols. Each client and access point is configured with the same static passcode. The passcode generates the keys that TKIP uses to encrypt data per session. The passcode should be at least 27 characters to defend against dictionary attacks.
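To show how the passcode above becomes the key TKIP works from, and why its length matters against dictionary attacks, here is an added example (not code from the original article). It derives the WPA-PSK pre-shared key with PBKDF2-HMAC-SHA1 salted by the SSID, as the WPA standard specifies, and applies a passcode policy check based on this article's 27 character minimum; the weak-passcode list is a constructed sample, not a real wordlist.

```python
import hashlib

# Constructed sample of weak passcodes for the policy check (not a real wordlist).
WEAK_PASSCODES = {"password", "12345678", "letmein1", "qwertyuiop"}
MIN_PASSCODE_LENGTH = 27  # the minimum recommended in this article


def derive_psk(passcode: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from the passcode and SSID.

    WPA-PSK runs PBKDF2-HMAC-SHA1 over the passcode with the SSID as salt
    for 4096 iterations, producing 32 bytes. Every client and access point
    configured with the same passcode and SSID computes the same key, from
    which TKIP (or CCMP) then derives the per-session keys.
    """
    if not 8 <= len(passcode) <= 63:
        raise ValueError("WPA passcode must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passcode.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def passcode_problems(passcode: str) -> list[str]:
    """Return policy violations for a WPA-PSK passcode (empty list means OK).

    Because the SSID salt is public, an attacker who captured the handshake
    can test dictionary words offline at 4096 PBKDF2 rounds each; length and
    unpredictability of the passcode are the only real defence.
    """
    problems = []
    if len(passcode) < MIN_PASSCODE_LENGTH:
        problems.append(f"shorter than {MIN_PASSCODE_LENGTH} characters")
    if passcode.lower() in WEAK_PASSCODES:
        problems.append("appears in the weak-passcode list")
    if len(set(passcode)) < 6:
        problems.append("uses fewer than 6 distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample SSID and passcodes for the demonstration.
    for pw in ("password", "correct horse battery staple ok 42!"):
        print(pw, "->", derive_psk(pw, "IEEE").hex()[:16] + "...", passcode_problems(pw))
```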

WPA2

The WPA2 standard implements the WPA authentication methods with Advanced Encryption Standard (AES). This encryption method is deployed with government implementations etc. where the most stringent security must be implemented.

Application Layer Passcode

SSG uses a passcode at the application layer. Clients can't authenticate unless they know the passcode. SSG is implemented in public places such as hotels, where the client pays for the password that allows access to the network.

VLAN Assignments

As noted, companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID is then mapped to a VLAN on the wired network that segments traffic from specific groups, as would be done with the conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL trunking between the access point and the Ethernet switch.

Miscellaneous Settings

  • Turn Microsoft File Sharing OFF
  • Implement AntiVirus Software and Firewall
  • Install your company VPN client
  • Turn OFF Auto Connect to any wireless network
  • Never use AdHoc Mode – this allows unknown laptops to connect
  • Avoid signal overrun with a good site survey
  • Use minimal transmit power setting

Anti Theft Option

Some access points have an anti theft option available using padlock and cabling to secure equipment while deployed in public places. This is a key feature with public implementations where access points can be stolen or there is some reason why they must be mounted below the ceiling.

Security Attacks

• Wireless packet sniffers capture, decode and analyze packets sent between the client computer and access points. The purpose is to decode security information.

• Dictionary attacks attempt to determine the decryption key configured on the wireless network using a list or dictionary with thousands of typical passcode phrases. The hacker captures information from the authentication process and scans each dictionary word against the password until a match is found. 

• The specific mode assigned each wireless client affects security. Ad Hoc mode is the least secure option with no access point authentication. Each computer on the network can send information to an Ad Hoc neighbor computer. Select infrastructure mode where available.

• IP spoofing is a common network attack involving faking or replacing the source IP address of each packet. The network device thinks it's communicating with an approved computer.

• SNMP is sometimes a source of compromised security. Implement SNMP v3 with complex community strings.

The book Cisco Wireless Network Design Guide is available at amazon.com

Shaun Hummel is an author of various technical books and has a web site focused on information technology job search solutions and certifications.

http://www.networkjobsolutions.com

Shaun Hummel, CCNP, is a Senior Network Engineer with 11 years experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com

Wireless Home Security Systems – Why They are Better

In today's economic climate, more and more people are turning to crime, so it is foolish to neglect your home security. People are getting desperate as they lose their jobs and need to put a meal on the table. Some security is better than no security, so take action now before it's too late. So many people install a home security system only after they are burgled; don't let that happen to you.

What is one of the most beneficial and cheapest methods of home security? Home security wireless systems provide a cost effective, easy to install solution that any DIY’er can install.

Wireless security systems offer considerable advantages over hardwired systems. With a hardwired system you ideally need a professional installation, and this is often expensive. It is more expensive because there are not only the labor costs but additional materials too, e.g. cabling, and you have no control over how much a professional company will charge you for these when they install the security system.

Although hardwired security provides a more permanent solution, this can be a disadvantage as the cameras and alarm systems cannot be easily re-located if you so require. When you move house your expensive hardwired security system will be left behind as it will simply cost too much to de-install it, then re-install it at your new home.

Permanent wired security systems will obviously have cables running to the peripherals, e.g. security cameras. Although a camera may be mounted high up and out of reach, the burglar can easily disable the device by cutting the cable going to the device.

With a wireless home security system these issues are not applicable. A wireless home security system is so straightforward to install, a typical DIY’er will have no problem. This will save you a substantial installation cost and you can install your system exactly where you want it. Any future problems, issues or maintenance with the wireless system can be carried out by the DIY’er too, thus saving costs in the future. You may want to add additional security devices to your system in the future and it’s so easy to do with a wireless system. No call out will be necessary as you simply install the devices and program it to your system.

If you are in rented accommodation, or are moving house, then a wireless system is easily de-installed at zero cost. Of course you also have the peace of mind that wireless security devices have no cables to cut, so they will always carry on working. The only disadvantage of wireless security systems is that you will need to renew the batteries on a regular basis, based on the manufacturer's recommendation.

If you are thinking of installing a monitored security system, there are many wireless monitoring security systems available. The monitoring center is called via a transmitter using regular cell phone technology, so if a burglar does cut the phone wire to your house, your alarm monitoring call will still get through. You also don't need a land phone line for this system to work, so it is great for rented properties.

For more great advice on wireless home security systems and for more help on home security go to Home Security Systems Advice.

Ensuring Security of Wireless Networks

Nowadays, implementation of wireless networks is very common. There is far less clutter in a wireless network, so it is a convenient way of implementing and managing a network. Troubleshooting a wireless network is easier than troubleshooting a wired network, so people prefer having wireless networks at the workplace as well as at home.

However, along with the convenience and ease of implementation, wireless networks are more vulnerable to security flaws. Even a person with little IT knowledge can easily access an unsecured wireless network and use it unethically. Therefore, it is very important to restrict unauthorized access to the wireless networks at your home or workplace. There are some standard security measures for securing your wireless networks from unauthorized access. In order to secure your wireless network, you can adopt the following actions:

Restrict Wireless Network Broadcasting
The default setting of your Wi-Fi router allows automatic network broadcasting so that devices with a wireless access feature can detect the wireless networks available in range. Keeping this default setting makes your wireless network visible to everybody. To restrict automatic wireless network discovery you can disable this feature. Go through your wireless router manual to learn how to disable it.

Enable Data Encryption
Data encryption is a well-accepted method of securing wireless networks. Nowadays, almost every Wi-Fi router or access point comes with WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption schemes. By enabling either of these two encryption schemes, you can restrict access to your Wi-Fi network.

Choosing Strong Network Password
While enabling data encryption, you are required to set a password that allows access to your wireless network. Choosing a strong password is very important to achieve the required level of security. An ideal password is a combination of alphanumeric characters and is several characters long. Avoid using your name, date of birth, or other common things as the password for your wireless network.

Activating Firewall
All wireless access points come with a built-in firewall to stop unauthorized incoming and outgoing connections through your wireless network. Learn how to use and customize this firewall for the maximum level of wireless network security.

By following the above instructions, you can secure the wireless networks at your home or workplace and enjoy the benefits of going wireless without any worries.

Safe Harbour’s IT services are designed to dramatically reduce or eliminate computer problems in your business while maximizing your network’s speed, performance, and stability, without the expense of a full-time IT staff. For More Information Visit: – http://www.safe-harbour.ca/