Although better known for her Silver Screen exploits, Austrian actress Hedy Lamarr (born Hedwig Eva Maria Kiesler) also became a pioneer in the field of wireless communications following her emigration to the United States. The international beauty icon, along with co-inventor George Antheil, developed a "Secret Communications System" to help combat the Nazis in World War II. By manipulating radio frequencies at irregular intervals between transmission and reception, the invention formed an unbreakable code to prevent classified messages from being intercepted by enemy personnel and possibly control torpedoes.
Hedy definitely dispelled the myth that beauty and brains are mutually exclusive. However, there are more myths surrounding the wireless discipline that Wasabi thought should also be dispelled, especially in light of core perceptions about securing these infrastructures.
For those who already have to address wireless as a part of the internal infrastructure, here are some security myths to avoid when trying to secure the air.
Myth No. 1: My wireless LAN (WLAN) is safe because I have a firewall securing my wired corporate LAN from the Internet.
Security solutions such as firewalls and intrusion detection systems operate at layer 3 (i.e., network layer) and above. A WLAN presents a potential entry point into your wired corporate LAN at layers 1 and 2 (i.e., physical and link layers), circumventing all wired security measures. Your authorized users can bypass your firewall policies and content filters using wireless access and connect to potentially dangerous external WLANs. In short, wireless has made the traditional “harden-the-network-perimeter” approach obsolete.
Myth No. 2: Don't broadcast your SSID
Every wireless router (or
wireless access point) has a network name assigned to it. The technical term is
a Service Set Identifier (SSID). By default, a router will broadcast its SSID
in beacons, so all users within its range can see the network on their PC or
other device.
It is a common misconception that turning off SSID broadcast on a wireless AP prevents unauthorized users from discovering the AP. Freely available software tools exist that actively probe and discover APs that respond to these probes. Passive sniffing of wireless traffic can also allow hackers to discover wireless APs in the vicinity. Turning off SSID broadcast is not only ineffective, but in fact leads to another severe vulnerability: authorized clients that usually connect to enterprise APs probe for the hidden SSID. A hacker can sniff this information and use it to launch a honeypot attack. You can prevent your router from including its SSID in its beacon, but you can't stop it from including that information in its data packets, its association/reassociation requests, and its probe requests/responses. A wireless network analyzer like Kismet or CommView for WiFi can snatch an SSID out of the airwaves in no time.
Disabling SSID broadcasting will
hide your network name from the average Joe, but it's no roadblock for anyone
intent on hacking into your network, be they an experienced blackhat or a
neighborhood kid just goofing around.
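What a passive monitor sees when SSID broadcast is disabled, as an added example that is not part of the original article. The frames are constructed byte strings (the addresses and the name ExampleCorp are made up), parsed per the IEEE 802.11 management-frame layout.

```python
# Length of the fixed fields that precede the information elements,
# keyed by 802.11 management-frame subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def ssid_from_frame(frame: bytes):
    """Return (frame_kind, ssid); ssid is None when the SSID element is empty or zeroed."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None, None  # not a management frame that carries an SSID
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + elen]
        if len(data) < elen:
            raise ValueError("truncated information element")
        if eid == 0:  # element ID 0 is the SSID
            hidden = not any(data)  # zero length or all NUL bytes
            return NAMES[subtype], None if hidden else data.decode("utf-8", "replace")
        pos += 2 + elen
    return NAMES[subtype], None

def mgmt(subtype, fixed, ssid, src, dst, bssid):
    """Build a constructed management frame: header, fixed fields, SSID and rates elements."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

# Constructed sample traffic for a network with SSID broadcast turned off.
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
FRAMES = [
    mgmt(8, bytes(12), b"", AP, BCAST, AP),            # beacon with the SSID blanked
    mgmt(4, b"", b"ExampleCorp", STA, BCAST, BCAST),   # authorized client probing
    mgmt(5, bytes(12), b"ExampleCorp", AP, STA, AP),   # AP answering that probe
    mgmt(0, bytes(4), b"ExampleCorp", STA, AP, AP),    # client associating
]

def observed():
    return [ssid_from_frame(f) for f in FRAMES]

if __name__ == "__main__":
    for kind, ssid in observed():
        print(f"{kind:11s} ssid={ssid!r}")
```

Only the beacon comes back without a name; every other frame the AP and its clients exchange carries the SSID in the clear.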
Myth No. 3: MAC address filtering on wireless access points is effective in securing WLANs.
Bypassing MAC filtering is easy.
Freely available software tools can be used to sniff MAC addresses being used by devices in the
vicinity. MAC spoofing is one of the easiest attacks to launch, and filtering MAC addresses does
not provide any security for your wireless LAN. MAC filtering is not only ineffective,
but it is cumbersome to maintain for a reasonable-sized wireless LAN.
Myth No. 4: Limit your router's IP address pool
Every device on your network must also be identified by a unique Internet Protocol (IP) address. A router-assigned IP address will contain a string of digits like this: 192.168.1.10. Unlike a MAC address, which the device sends to the router, your router will use its Dynamic Host Configuration Protocol (DHCP) server to assign and send a unique IP address to each device joining the network. According to one persistent tech myth, you can control the number of devices that can join your network by limiting the pool of IP addresses your router can draw from--a range from 192.168.1.1 to 192.168.1.10, for instance. That's baloney, for the same reason that the next claim is.
Myth No. 5: Disable your router's DHCP server
The flawed logic behind this myth claims that you can secure your network by disabling your router's DHCP server and manually assigning an IP address to each device. Supposedly, any device that doesn't have one of the IP addresses you assigned won't be able to join your network. In this scenario, you would create a table consisting of IP addresses and the devices they're assigned to, as you would with MAC addresses. You'd also need to configure each device manually to use its specified IP address.
The weakness that negates these
procedures is that if a hacker has already penetrated your network, a quick IP
scan can determine the IP addresses your network is using. The hacker can then
manually assign a compatible address to a device in order to gain full access
to your network. As with MAC address filtering, the main effect of limiting IP
addresses (or assigning them manually) is to complicate the process of
connecting new devices that you approve of to your network.
Encryption is the best network security
Now that we've dispensed with five Wi-Fi security myths, let's discuss the best way to secure your wireless network: encryption. Encrypting--essentially scrambling--the data traveling over your network is a powerful way to prevent eavesdroppers from accessing data in a meaningful form. Though they might succeed in intercepting and capturing a copy of the data transmission, they won't be able to read the information, capture your login passwords, or hijack your accounts unless they have the encryption key.
Several types of encryption have
emerged over the years. Wired Equivalent Privacy (WEP) provided the best
security in the early days of Wi-Fi. But today WEP encryption can be cracked in
a matter of minutes. If that's the only security your router provides, or if
some of your networked devices are so old that they can work only with WEP,
it's long past time for you to recycle them and upgrade to a newer standard.
Wi-Fi Protected Access (WPA) came
next, but that security protocol had security problems, too, and has been
superseded by WPA2. WPA2 has been around for nearly 10 years. If your equipment
is old enough to be limited to WPA security, you should consider an upgrade.
Both WPA and WPA2 have two different modes: Personal (aka PSK, an acronym for Pre-Shared Key) and Enterprise (aka RADIUS, an acronym for Remote Authentication Dial-In User Service). WPA Personal is designed for home use and is easy to set up. You simply establish a password on your router and then enter that password on each computer and other device that you want to connect to your Wi-Fi network. As long as you use a strong password--I recommend using 13 or more mixed-case characters and symbols--you should be fine. Don't use words found in the dictionary, proper nouns, personal names, the names of your pets, or anything like that. A strong password might look like this: h&5U2v$(q7F4*.
Your router might include a
push-button security feature called Wi-Fi Protected Setup (WPS). WPS enables
you to join a device to your WPA2-secured wireless network by pushing a button
on the router and a button on the client (if the client also supports WPS). A
flaw in WPS leaves it vulnerable to brute-force attacks, however. If you're
particularly security-conscious, you might consider turning off WPS in your
router.
Enterprise-mode WPA2 is designed
for networks run by businesses and organizations. It provides a higher level of
security than WPA, but it requires a RADIUS server or a hosted RADIUS service.
Now that you understand the best
way to secure your network, spend a few minutes making sure that your router is
configured properly.
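One way to run that check, as an added example that is not part of the original article: it assumes an access point configured through a hostapd-style file (consumer routers expose the same settings in their web interface) and flags the weak settings discussed above. Both sample configurations are constructed.

```python
import re

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def strong_passphrase(p):
    """The article's rule: 13+ characters mixing case and symbols."""
    classes = (r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]")
    return len(p) >= 13 and all(re.search(c, p) for c in classes)

def audit(conf):
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2
    if wpa == 0:
        findings.append("FAIL: open or WEP-only network; enable WPA2")
    elif wpa & 1:
        findings.append("FAIL: original WPA still offered; set wpa=2")
    if conf.get("wps_state", "0") != "0":
        findings.append("FAIL: WPS enabled; set wps_state=0")
    if "wpa_passphrase" in conf and not strong_passphrase(conf["wpa_passphrase"]):
        findings.append("FAIL: passphrase shorter or simpler than recommended")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("NOTE: hidden SSID is not a security control")
    if conf.get("macaddr_acl", "0") != "0":
        findings.append("NOTE: MAC filtering is not a security control")
    return findings

# Constructed sample configurations (not taken from any real device).
WEAK = """
ssid=ExampleCorp
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=3
wpa_passphrase=fluffy2010
wps_state=2
"""
HARDENED = """
ssid=ExampleCorp
wpa=2
wpa_passphrase=Vq7!mL2x%Rt9&cW4
wps_state=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_conf(text)) or "no findings")
```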
Source(s):
- http://www.networkworld.com/news/tech/2010/062110-tech-update.html
- http://www.meritalk.com/uploads_legacy/whitepapers/DispellingMythsWireless.pdf
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 21 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502


