Chapter 8. Hardware and Network Protection
an industry level, and several vendors market 802.11b (also called Wi-Fi) access and compatibility as a value-added feature of their core offerings. Consumers have also embraced the standard for small office/home office (SOHO) networks. The popularity has also extended from LANs to MANs (Metropolitan Area Networks), especially in populated areas where a concentration of wireless access points (WAPs) is available. There are also wireless Internet service providers (WISPs) that cater to frequent travelers who require broadband Internet access to conduct business remotely.
The 802.11b specification allows for direct, peer-to-peer connections between nodes with wireless NICs. This loose grouping of nodes, called an ad hoc network, is ideal for quick connection sharing between two or more nodes, but introduces scalability issues that are not suitable for long-term wireless connectivity.
A more suitable solution for wireless access in fixed structures is to install one or more WAPs that connect to the traditional network and allow wireless nodes to connect through the WAP as if they were on the Ethernet-mediated network. The WAP effectively acts as a bridge router between the nodes connected to it and the rest of the network.
8.1.3.1. 802.11b Security
Although wireless networking is comparable in speed and certainly more convenient than traditional wired networking mediums, there are some limitations to the specification that warrant thorough consideration. The most important of these limitations is in its security implementation.
In the excitement of successfully deploying an 802.11x network, many administrators fail to exercise even the most basic security precautions. Since all 802.11b networking is done using high-band radio-frequency (RF) signals, the data transmitted is easily accessible to any user with an 802.11b NIC, a wireless network scanning tool such as NetStumbler or Wellenreiter, and common sniffing tools such as dsniff and snort. To prevent such aberrant usage of private wireless networks, the 802.11b standard uses the Wired Equivalency Privacy (WEP) protocol, which is an RC4-based 64- to 128-bit encrypted key shared between each node or between the AP and the node. This key will encrypt transmissions and decrypt incoming packets dynamically and transparently. Administrators often fail to employ this shared-key encryption scheme, however; either they forget to do so or choose not to do so because of performance degradation (especially over long distances). Enabling WEP on a wireless network can greatly reduce the possibility of data interception.
Relying on WEP, however, is still not a sound enough means of protection against determined malicious users. There are specialized utilities whose purpose is to crack the RC4 WEP encryption algorithm and expose the shared key. AirSnort and WEP Crack are two such specialized applications. To protect against this, administrators should adhere to strict policies regarding usage of wireless methods to access sensitive information. Administrators may choose to augment the security of wireless by restricting connectivity to SSH or VPN connections, which introduces an additional encryption layer above the WEP encryption. Using this policy, a malicious user outside of the network that cracks the WEP encryption has to additionally crack the VPN or SSH encryption which, depending on the encryption method, can employ up to triple-strength 168- or 192-bit DES algorithm encryption (3DES) or proprietary algorithms of even greater strength. Administrators who apply these policies should certainly restrict plaintext protocols such as TELNET or FTP, as passwords and data can be exposed using any of the aforementioned attacks.
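The two paragraphs above describe WEP's shared key and how easily an unprotected 802.11b segment can be sniffed. As an added example that is not part of this guide, the following Python audits captured 802.11 data frames for the two conditions an administrator of such a network would want flagged: data frames sent in the clear where WEP is policy, and a station repeating a WEP initialization vector (IV), which means the RC4 keystream is being reused. The frames and the station MAC address are constructed inline, and the parser assumes 3-address data frames without QoS, as 802.11b stations send.

```python
import struct
from collections import defaultdict

WEP_FLAG = 0x40   # "Protected Frame" bit in the second Frame Control byte
DATA_TYPE = 2     # Frame Control type field: 0 management, 1 control, 2 data

def parse_frame(frame: bytes) -> dict:
    """Parse the 24-byte 3-address 802.11 MAC header; for WEP data frames also the 4-byte IV header."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 0x3, "protected": bool(fc1 & WEP_FLAG),
            "src": frame[10:16].hex(":")}          # Address 2 is the transmitter
    if info["type"] == DATA_TYPE and info["protected"]:
        if len(frame) < 28:
            raise ValueError("truncated WEP header")
        info["iv"] = frame[24:27].hex()            # 24-bit IV, always sent in the clear
        info["key_id"] = frame[27] >> 6            # key index in the top two bits
    return info

def audit(frames) -> list:
    """Return (frame index, finding, source MAC) for cleartext data frames and per-station IV reuse."""
    findings, seen = [], defaultdict(set)
    for n, raw in enumerate(frames):
        info = parse_frame(raw)
        if info["type"] != DATA_TYPE:
            continue                               # management/control frames carry no WEP
        if not info["protected"]:
            findings.append((n, "cleartext", info["src"]))
        elif info["iv"] in seen[info["src"]]:
            findings.append((n, "iv-reuse", info["src"]))
        else:
            seen[info["src"]].add(info["iv"])
    return findings

def build_data_frame(src: bytes, protected: bool, iv=b"\x00\x00\x00", key_id=0) -> bytes:
    """Build a minimal data frame: constructed sample input, not a real capture."""
    fc = struct.pack("<BBH", DATA_TYPE << 2, WEP_FLAG if protected else 0, 0)
    hdr = fc + b"\xff" * 6 + src + b"\x00" * 6 + b"\x00\x00"   # addr1, addr2, addr3, seq ctrl
    wep = iv + bytes([key_id << 6]) if protected else b""
    return hdr + wep + b"\xde\xad\xbe\xef"                       # placeholder payload

STATION = bytes.fromhex("00a0c9112233")   # made-up station MAC
SAMPLE_FRAMES = [
    build_data_frame(STATION, True, iv=b"\x01\x02\x03"),
    build_data_frame(STATION, False),                      # data sent in the clear
    build_data_frame(STATION, True, iv=b"\x01\x02\x03"),   # same IV as frame 0
    bytes([0x80, 0x00]) + b"\x00" * 22,                    # beacon (management frame), ignored
]
```

Running `audit(SAMPLE_FRAMES)` reports frame 1 as cleartext and frame 2 as an IV reuse by the same station; on a real capture the same two findings indicate WEP is either not enabled or no longer providing the confidentiality the text describes.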
8.1.4. Network Segmentation and DMZs
For administrators who wish to run externally accessible services such as HTTP, email, FTP, and DNS,
it is recommended that these publicly available services be physically and/or logically segmented
from the internal network. Firewalls and hardening of hosts and applications are effective ways to
deter casual intruders. However, determined crackers will find ways into the internal network if the
services they have cracked reside on the same logical route as the rest of the network. The externally
accessible services become what the security regards as a demilitarized zone (DMZ), a logical network