Electronic Systems Technology ESTEEM195EP BASE STATION TRANSMITTER User Manual CHAPTER 2


SECURITY

APPENDIX E SECURITY   Revised: 1 Aug 05  APX E-1  EST P/N AA107G

OVERVIEW

The security for the ESTeem Model 195Eg, like all network security, must be multi-layered. One level of security is never enough to make sure that data does not end up in the wrong hands. Please review the following security levels and decide what is the most appropriate for your network.

128-BIT WEP

128-bit WEP uses an algorithm called RC4 to encode and decode traffic, based on a 104-bit encryption key and a 24-bit Initialization Vector (IV). RC4 starts with a relatively short encryption key (104 bits) that is expanded into a nearly infinite stream of keys to accompany the stream of packets.

The basic concept of RC4 is good, but the way it’s implemented in WEP leaves it open to compromise. The researchers who test the integrity of the system usually focus on one piece of the implementation, the Initialization Vector (IV).

The IV (24 bits) is the algorithm component that’s supposed to keep expanded keys from repeating. From the researcher’s point of view, a high-volume access point is mathematically guaranteed to reuse the same key stream at least once a day. When this happens, it’s called an IV collision, and this becomes a soft spot to enter the system.

The researchers aren’t saying that it’s easy to break into the system, or that it’s being done on a regular basis, only that it is possible and that administrators should consider ways to reduce the possibility.

WPA

Wi-Fi Protected Access with Preshared Key (WPA PSK)

WPA, which uses 802.1x, was introduced in 2003 to improve on the authentication and encryption features of WEP. All authentication is handled within this access point device. WPA has two significant advantages over WEP:

1.  An encryption key differing in every packet. The TKIP (Temporal Key Integrity Protocol) mechanism shares a starting key between devices. Each device then changes its encryption key for every packet. It is extremely difficult for hackers to read messages even if they have intercepted the data.
2.  Certificate Authentication (CA) can be used, blocking a hacker posing as a valid user.

Wi-Fi Protected Access with Enterprise Server (WPA Enterprise)

Like WPA PSK, WPA Enterprise uses 802.1x. However, a backend authentication server handles the authentication decision. The most common type of authentication server is a RADIUS server. The ESTeem Model 195Eg can be configured to operate with an established RADIUS server on the network.

WPA is a server/client relationship from a software driver on a computer’s wireless LAN (WLAN) card to an Access Point. The scope of WPA is limited in use to this configuration only. The ESTeem Model 195Eg can support WPA Enterprise and PSK as an Access Point, but the level of security on the Bridging layer is configured separately.

ACCESS CONTROL LIST (ACL)

The ACL is one of the simplest yet most secure methods of network security. The ACL is a configurable MAC filter in the Model 192E that can be set to allow specific MAC addresses on the wireless network by individual address or address ranges. The same filter can also be set to reject individual MAC addresses or address ranges. The MAC address is a unique, 6 hexadecimal field address assigned at the manufacturer that cannot be changed. The MAC address is traceable through the IEEE governing body to the manufacturer and is the “fingerprint” for all Ethernet devices.
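The allow/reject filtering by individual address or range described above can be modelled as follows. This is an added example, not ESTeem firmware or configuration code. The precedence (reject overrides allow, anything unlisted is refused) is an assumption, and the addresses are constructed from the IANA documentation range 00-00-5E-00-53-xx. The last helper reports the locally administered bit, which marks an address that was not assigned by a manufacturer.

```python
import re

def parse_mac(text):
    """Return a MAC as a 48-bit integer; ':', '-' and '.' separators are accepted."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def to_range(rule):
    """A rule is one address (str) or an inclusive (low, high) pair."""
    if isinstance(rule, tuple):
        low, high = parse_mac(rule[0]), parse_mac(rule[1])
    else:
        low = high = parse_mac(rule)
    if low > high:
        raise ValueError(f"range is reversed: {rule!r}")
    return low, high

class MacAcl:
    def __init__(self, allow=(), reject=()):
        self.allow = [to_range(r) for r in allow]
        self.reject = [to_range(r) for r in reject]

    def permits(self, mac):
        """Assumed precedence: reject wins, then allow, otherwise refuse."""
        addr = parse_mac(mac)
        if any(lo <= addr <= hi for lo, hi in self.reject):
            return False
        return any(lo <= addr <= hi for lo, hi in self.allow)

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not an OUI-based address)."""
    return bool((parse_mac(mac) >> 40) & 0x02)

# Constructed sample policy: one allowed range, one address carved out of it.
ACL = MacAcl(
    allow=[("00:00:5E:00:53:00", "00:00:5E:00:53:FF")],
    reject=["00:00:5E:00:53:7A"],
)

if __name__ == "__main__":
    for mac in ("00:00:5e:00:53:20", "00-00-5E-00-53-7A", "02:00:5E:00:53:10"):
        print(mac, "permit" if ACL.permits(mac) else "refuse",
              "(locally administered)" if is_locally_administered(mac) else "")
```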
Using a combination of both the WPA or 128-Bit WEP encryption and the ACL filter provides the ESTeem with an extremely secure wireless networking layer.

DISABLING BROADCAST PROBES AND HIDING SSID

A simple but very effective way of securing a network is to make the network difficult to find. By disabling broadcast probes and hiding the Service Set Identification (SSID), wireless and network “sniffers” will not be able to find your ESTeem Model 195Eg network. To gain access to the wireless network, you would be required to have the SSID and all security loaded in the WLAN card software prior to entering the network.

PROPRIETARY BRIDGE COMMUNICATION

Although the ESTeem Model 195Eg is compatible with the open communication standards IEEE 802.11g and 802.11b, the repeater communication between the units is a proprietary communication link. No other manufacturer of wireless hardware can access the ESTeem repeater network when bridging between Ethernet networks. This proprietary communication layer, in combination with the other security settings, allows you as the user to reject wireless clients from the network if so desired. When used in conjunction with the Access Control List, the 802.11g and 802.11b client access can be removed.

The security level of the bridge communication link is configurable for 64-Bit WEP, 128-Bit WEP or TKIP and is completely independent of the client access level or any other communication link level. For example, an ESTeem Model 195Eg can be configured for WPA Enterprise for client level access, communicate to another ESTeem Model 195Eg using a TKIP bridge link and also communicate 128-Bit WEP to our older ESTeem Model 192E radio modems, all running simultaneously.

MASQUERADE MODES

When the ESTeem Model 195Eg is configured in either the Access Point Masquerade or the Client Masquerade modes, the wireless modem functions as a network firewall. If access to the wired network is the greatest concern, place the ESTeem in the Masquerade mode and the wireless network will be completely isolated from the wired Ethernet network.

INCREASING NETWORK SECURITY

The following are a few suggestions to help improve the overall security of your wireless network:

1.  Enable the security. If you research all of the articles regarding hackers, they have gotten into the user’s network due to the security not being enabled.
2.  Set the ACL filter to include only the MAC addresses of the wireless Ethernet devices being used on the network.
3.  Set "Hide SSID" to True. As you take your access point out of the box, broadcast SSID is enabled, which means that it will accept any SSID. By hiding the SSID, the SSID configured in the client must match the SSID of the access point.
4.  Make sure the keys are not reused in your company, since reuse increases the statistical likelihood that someone can figure the key out and change the default password on your access point or wireless router.
5.  Change the default SSID of your product. Don't change the SSID to reflect your company's main names, divisions, or products. It just makes you too easy to target.
6.  As a network administrator, you should periodically survey your company using a tool like NetStumbler to see if any "rogue" access points pop up within your company without authorization. All of your hard work to "harden" your wireless network could be wasted if a rogue AP was plugged into your network behind the firewall.
7.  Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there are ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to spoof a MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining the tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms for updating these tables across multiple access points of the same brand.
8.  Consider using an additional level of authentication, such as Remote Access Dial-In User Service (RADIUS), before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication.
9.  If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off Dynamic Host Configuration Protocol (DHCP).
    If you're using a wireless router and have decided to turn off DHCP, also consider changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router.
10.  Don't buy Access Points or NICs that only support 64-bit WEP.
11.  Only purchase Access Points that have flashable firmware. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.
12.  A simple security technique used by the military is to have the administrator periodically change the key for the system, i.e. weekly, monthly, etc.
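The IV reuse described in the 128-BIT WEP section can be worked through numerically. This is an added example, not code from the manual or from ESTeem. It assumes one IV per packet, randomly chosen IVs for the collision estimate, and a constructed key and constructed frames, and it omits WEP's integrity check value.

```python
import math

IV_SPACE = 2 ** 24  # WEP's 24-bit IV: 16,777,216 values

def hours_to_exhaust_iv_space(packets_per_second):
    """Hours until every IV has been used once, at one IV per packet."""
    return IV_SPACE / packets_per_second / 3600

def collision_probability(packets):
    """Birthday approximation: chance that two of `packets` random IVs match."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * IV_SPACE))

def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then `length` bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, secret, plaintext):
    """WEP keys RC4 with IV || secret for each packet (ICV omitted here)."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

# Constructed sample values, not captured traffic.
SECRET = bytes(range(13))  # 104-bit key
FRAME_A = b"constructed frame A"
FRAME_B = b"constructed frame B"

def keystream_cancels(iv_a, iv_b):
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the key has dropped out."""
    c1 = wep_encrypt(iv_a, SECRET, FRAME_A)
    c2 = wep_encrypt(iv_b, SECRET, FRAME_B)
    return xor(c1, c2) == xor(FRAME_A, FRAME_B)

if __name__ == "__main__":
    print(f"IV space used up in {hours_to_exhaust_iv_space(500):.1f} h at 500 packets/s")
    print("same IV cancels keystream:", keystream_cancels(b"\x00\x00\x01", b"\x00\x00\x01"))
```

The same shared key is safe only as long as the IV differs, which is why per-packet keying (TKIP) and periodic key changes reduce the exposure.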
