Plug & pray? A layered security system can help keep your wireless system safe.Have you gone wireless? It's not as complex as you may think. It's easy to install--simply plug and play--and cheap. A two-user wireless network can be purchased and installed for as little as $200. Not only will this impress your friends and family, you'll increase your productivity and gain access anywhere and anytime within your home or office. On the flip side Flip side In the context of general equities, opposite side to a proposition or position (buy, if sell is the proposition and vice versa). , what many wireless users don't realize is that going wireless can compromise their network's security. The truth is, hacking into an improperly configured wireless system is a piece of cake ... like shooting fish in a barrel ... like taking candy from a baby. You get the point. Hackers roam the streets with notebook computers, wireless access cards, high-gain antennas and global positioning systems looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. unsecured access points. Known as "war driving," this new breed of hacker looks for free Internet access See how to access the Internet. , access to confidential data and a new network to compromise. A wireless network essentially provides the world a public entrance to the programs and data on your network--unless you have taken appropriate network security steps. We've all heard the saying that it's better to give than receive, but freely exposing your network resources to the outside world is going a bit too far. You can significantly reduce your risk of being hacked by taking a few simple steps. Keep in mind, however, that no access point will ever be 100 percent secure. Rather, the steps you take hopefully will encourage would-be hackers to look for an easier, less secure network to compromise. SEVEN STEPS TO SECURE COMPUTING For the general concept, see . Secure Computing Corporation, or SCC, is a public company (NASDAQ: SCUR) that develops and sells computer security products, such as:
(1) Change the default administrator password for the access point. This should be obvious, but there are hundreds of access points for which no thought has ever been given to changing a password. Passwords should be at least 10 characters, include upper and lower case letters, numbers and special characters, such as exclamation points or the pound symbol. (2) Change the SSID (Service Set IDentifier) The name assigned to a wireless Wi-Fi network. All devices must use this same, case-sensitive name to communicate, which is a text string up to 32 bytes long. . Each access point in a wireless network is programmed with a unique identifier With reference to a given (possibly implicit) set of objects, a unique identifier is any identifier which is guaranteed to be unique among all identifiers used for those objects and for a specific purpose. known as a Service Set Identifier In Wi-Fi Wireless LAN computer networking, a service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network. (SSID). It's also sometimes referred to as an Extended Service Set Identifier (ESSID ESSID Extended Service Set Identifier (IEEE 802.11 wireless networking) ESSID Electronic Spread Spectrum Identification ). Most access points come preconfigured Set up ahead of time. It implies that the device or software application has been modified to suit the customer or situation. See ghosting server. with the manufacturer's name as the SSID. To access the network, client computers must present the correct SSID to the access point. The SSID is a 32-character unique identifier attached to the header of packets sent over a wireless network (WLAN See wireless LAN. WLAN - wireless local area network ) that acts as a password when a mobile device tries to connect to the access point. The SSID differentiates one WLAN from another so all access points and devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the wireless network unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. Changing the SSID does, however, make hacking a bit more inconvenient. (3) Don't let the outside world know you're there. Turn off SSID broadcasting, also known as closed mode. This feature is not available on all access points, so make sure to spend the couple of extra dollars required to purchase an access point with this feature. By default, the SSID is turned on, making it easy for the casual user to join the system. Similar to changing the SSID name, turning off the SSID broadcast does not make your access point secure, but does require the hacker to jump through a couple more hoops to sniff out your network. (4) Enable MAC address filtering. While access points are identified by SSID, client computers can be identified by the unique 12-character MAC (Media Access Control) address associated with its 802.11x network card. Typically the address can be found on the box the card shipped in, on the card itself or obtained by running the IPCONFIG/all command from a command prompt The symbol displayed in a command-driven system that indicates it is ready for user input. For example, in a DOS command line or in the Windows emulation of the DOS command line, c:\budget> would be the command prompt when the current drive is C: and the current directory is BUDGET. line in Windows 2000 or XP. To increase security, an access point can be configured with a list of the MAC addresses associated with the client computers that are allowed access to the network. This is best suited for small networks as the task of managing MAC address lists for a large network can become unruly. Again, enabling MAC addresses alone isn't a guarantee against backing, but it provides another layer of security. Tools are easily obtained from the Internet that allow hackers to easily capture and "spoof" MAC addresses to gain access to a wireless network. (5) Enable Wired Equivalent Privacy Wired Equivalent Privacy or Wireless Encryption Protocol (WEP) is a scheme to secure IEEE 802.11 wireless networks. It is part of the IEEE 802.11 wireless networking standard. (WEP (Wired Equivalent Privacy) An IEEE standard security protocol for wireless 802.11 networks. Introduced in 1997, WEP was found to be very inadequate and was superseded by WPA, WPA2 and 802.11i. ). Wireless transmissions are easy to intercept. To provide an additional layer of security, the current 802.11 standard specifies the WEP security protocol to provide encrypted communication between the client computer and the access point. WEP keys are 64 or 128-bit (eight or 16-character) keys used to encrypt data using a public algorithm. All client computers and access points on the network typically use the same key to encrypt and decrypt To convert secretly coded data (encrypted data) back into its original form. Contrast with encrypt. See plaintext and cryptography. data. WEP is generally first configured at the access point by assigning a key or allowing the access point to randomly generate a WEP key. Once the access point has been configured, the unique WEP encryption must be enabled and a key must be entered for each client computer. WEP encryption on the client's computer is enabled by accessing the properties screen for the wireless network card. In Windows XP The previous client version of Windows. XP was a major upgrade to the client version of Windows 2000 with numerous changes to the user interface. XP improved support for gaming, digital photography, instant messaging, wireless networking and sharing connections to the Internet. , this can be done by going to the Control Panel, then selecting Network Connections, double-clicking the wireless network card, clicking properties and going to the wireless tab. WEP encryption has been proven to be vulnerable and can be cracked using some easily obtained tools and a little patience (64-bit WEP encryption can take several hours to several days to crack). For that reason, however, it is wise to change WEP keys on a regular schedule to minimize your risk. For those willing to invest a few extra dollars, it is worth the investment to plan a wireless infrastructure that uses access points and wireless network cards capable of automatically assigning new WEP keys based on a user-defined schedule. You won't find these access points at your local discount retail stores, such as Fry's, Best Buy or Office Depot Office Depot (NYSE: ODP) is one of the world's leading suppliers of office products and services. The Company's selection of brand name office supplies includes business machines, computers, computer software and office furniture, while its business services encompass copying, . (6) For larger networks, implement Virtual Private Network (VPN (Virtual Private Network) A private network that is configured within a public network (a carrier's network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks. ) wireless security. A full description of the implementation of this technology is beyond this article's scope. However, network administrators well versed in implementing and configuring VPNs and firewalls can implement this security layer on their own. Those without this expertise should seek assistance from a qualified network engineer or security consultant. To deploy this technology, the access point is generally configured with open access, no WEP encryption (access points still should be renamed with SSID broadcast disabled) and isolated from the enterprise network. This is done by either using a "demilitarized zone"--provided by the firewall--to place the access point on its own network or a VPN server running on its own network. In either configuration, all users are required to use a VPN (either outside the network or inside the firewall) to gain access to their network. The VPN server now provides authentication and full encryption over the wireless network. As a final precaution related to implementing a VPN, client computers making a wireless VPN connection to the network should be equipped with personal firewall protection, such as Zone Alarm, Black Ice or Norton Internet Security Norton Internet Security (NIS) is a computer utility suite made by Symantec Corporation, with a focus on providing comprehensive Internet protection. It is available for both Microsoft Windows and Mac OS X. It is one of Symantec's flagship products. . While somewhat complex to implement, the VPN security model is essential for larger networks deploying wireless technology. (7) Unplug the access point when it is not in use. The most secure access point is the one that has no power! All kidding aside, why leave your door open when no one is home? WIRELESS RESPONSIBILITIES Wireless computing has many benefits and will continue to change the way we work. But using the technology carries with it a responsibility to keep our information and that of our clients secure. Security is applied in layers. Eliminating one layer makes it that much easier for an intruder to enter your system. When implementing a wireless system, take the time and spend the money to do it right. Wireless computing without proper security is not a matter of plugging and playing--it's a matter of plugging and praying. Bob Gaby, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , MCP (1) See Microsoft certification. (2) (MultiChip Package) A chip package that contains two or more chips. It is essentially a multichip module (MCM) that uses a laminated, printed-circuit-board-like substrate (MCM-L) rather than ceramic (MCM-C). is a partner at Encino-based Information Technology Group Inc, and a member of CalCPA's Technology Committee. You can reach him at bgaby@itgusa.com. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion