Electronic Systems Technology ESTEEM195EP BASE STATION TRANSMITTER User Manual CHAPTER 2
Electronic Systems Technology BASE STATION TRANSMITTER CHAPTER 2
Contents
- 1. FCC INFORMATION
- 2. SPECIFICATIONS
- 3. INTERFACE PORTS
- 4. RADIO CONFIGURATION
- 5. SECURITY
- 6. TROUBLESHOOTING
- 7. QUICK START GUIDE 1
- 8. FRONT COVER
- 9. TABLE OF CONTENTS
- 10. INTRODUCTION
- 11. CONFIGURATION DIAGRAMS
- 12. STARTING OUT
- 13. WEB CONFIGURATION MANAGER
- 14. EXAMPLE CONFIGURATIONS 1
- 15. EXAMPLE CONFIGURATIONS 2
- 16. REPEATING FIGURES
- 17. ANTENNA SETUP
- 18. QUICK START GUIDE 2
- 19. QUICK START GUIDE 3
SECURITY
APPENDIX E
SECURITY
Revised: 1 Aug 05 APX E-1 EST P/N AA107G
OVERVIEW
The security for the ESTeem Model 195Eg, like all network security, must be multi-layered. One level of security is never enough
to make sure that data does not end up in the wrong hands. Please review the following security levels and decide what is the most
appropriate for your network.
128-BIT WEP
The 128 WEP uses a particular algorithm called RC4 encryption to encode and decode traffic that is based on a 104-bit encryption
key and a 24-bit Initialization Vector (IV). RC4 starts with a relatively short encryption key (104 bits) that is expanded into a
nearly infinite stream of keys to accompany the stream of packets.
The basic concept of RC4 is good, but the way it’s implemented in WEP leaves it open to compromise. The researchers that test
the integrity of the system usually focus on one piece of the implementation, the Initialization Vector (IV).
The IV (24 bits) is the algorithm component that’s supposed to keep expanded keys from repeating. From the researcher’s point
of view, a high-volume access point is mathematically guaranteed to reuse the same key stream at least once a day. When this
happens, it’s called an IV collision this becomes a soft spot to enter the system.
The researchers aren’t saying that it’s easy to break into the system, or that it’s being done on a regular basis, only that it is
possible and that administrators should consider ways to reduce the possibility.
WPA
Wi-Fi Protected Access with Preshared Key (WPA PSK)
WPA, which uses 802.1x, was introduced in 2003 to improve on the authentication and encryption features of WEP. All
authentication is handled within this access point device. WPA has two significant advantages over WEP:
1. An encryption key differing in every packet. The TKIP (Temporal Key Integrity Protocol) mechanism shares a starting
key between devices. Each device then changes their encryption key for every packet. It is extremely difficult for hackers
to read messages even if they have intercepted the data.
2. Certificate Authentication (CA) can be used, blocking a hacker posing as a valid user.
Wi-Fi Protected Access with Enterprise Server (WPA Enterprise)
Like WPA PSK, WPA Enterprise uses 802.1x. However, a backend authentication server handles the authentication decision. The
most commonly type of authentication server is a RADIUS server. The ESTeem Model 195Eg can be configured to operate with
an established RADIUS server on the network.
WPA is server/client relationship from a software driver on a computer’s wireless LAN (WLAN) card to an Access Point. The
scope of WPA is limited in use to this configuration only. The ESTeem Model 195Eg can support WPA Enterprise and PSK as an
Access Point, but the level of security on the Bridging layer is configured separately.
ACCESS CONTROL LIST (ACL)
The ACL is one of the simplest yet most secure methods of network security. The ACL is a configurable MAC filter in the Model
192E that can be set to allow specific MAC address on the wireless network by individual address or address ranges. The same
filter can also be set to reject individual MAC addresses or address ranges.
The MAC address is a unique, 6 hexadecimal field address assigned at the manufacturer that can not be changed. The MAC
address is traceable through the IEEE governing body to the manufacturer and is the “fingerprint” for all Ethernet devices.
APPENDIX E
SECURITY
Revised: 1 Aug 05 APX E-2 EST P/N AA107G
Using a combination of both the WPA or 128-Bit WEP encryption and the ACL filter provide the ESTeem an extremely secure
wireless networking layer.
DISABLING BROADCAST PROBES AND HIDING SSID
A simple but very effective way of securing a network is to make the network difficult to find. By disabling broadcast probes and
hiding the Service Set Identification (SSID), wireless and network “sniffers” will not be able to find your ESTeem Model 195Eg
network. To gain access to the wireless network, you would be required to have the SSID and all security loaded in the WLAN
card software prior to entering the network.
PROPRIETARY BRIDGE COMMUNICATION
Although the ESTeem Model 195Eg is compatible with the open communication standards IEEE 802.11g and 802.11b, the
repeater communication between the units is a proprietary communication link. No other manufacturer of wireless hardware can
access the ESTeem repeater network when bridging between Ethernet networks. This proprietary communication layer, in
combination with the other security settings, allows you as the user to reject wireless clients into the network if so desired. When
used in conjunction with the Access Control List the 802.11g and 802.11b client access can be removed.
The security level of the bridge communication link is configurable for 64-Bit WEP, 128-Bit WEP or TKIP and is completely
independent of the client access level or any other communication link level. For example, an ESTeem Model 195Eg can be
configured for WPA Enterprise for client level access, communicate to another ESTeem Model 195Eg using a TKIP bridge link
and also communicate 128-Bit WEP to our older ESTeem Model 192E radio modems all running simultaneously.
MASQUERADE MODES
When the ESTeem Model 195Eg is configured in either the Access Point Masquerade or the Client Masquerade modes, the
wireless modem functions as a network firewall. If access to the wired network is the greatest concern, place the ESTeem in the
Masquerade mode and the wireless network will be completely isolated from the wired Ethernet network.
INCREASING NETWORK SECURITY
The following are a few suggestions to help improve the overall security of your wireless network:
1. Enable the security. If you research all of the articles regarding hackers, they have gotten into the user’s network due to the
security not being enabled.
2. Set the ACL filter to include only those MAC address of the wireless Ethernet device being used on the network.
3. Set "Hide SSID" to True. As you take your access point out of the box, broadcast SSID is enabled which means that it will
accept any SSID. By hiding the SSID configured in the client must match the SSID of the access point.
4. Make sure the keys are not reused in your company, since reuse increases the statistical likelihood that someone can figure the
key out and change the default password on your access point or wireless router
5. Change the default SSID of your product. Don't change the SSID to reflect your company's main names, divisions, or
products. It just makes you too easy to target.
6. As a network administrator, you should periodically survey your company using a tool like NetStumbler to see if any "rogue"
access points pop up within your company without authorization. All of your hard work to "harden" your wireless network
could be wasted if a rogue AP was plugged into your network behind the firewall.
APPENDIX E
SECURITY
Revised: 1 Aug 05 APX E-3 EST P/N AA107G
7. Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the
MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there are
ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to spoof a
MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining the
tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms for
updating these tables across multiple access points of the same brand.
8. Consider using an additional level of authentication, such as Remote Access Dailin User Service (RADIUS), before you
permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are
optionally including some provision for RADIUS authentication.
9. If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off Dynamic
Host Configuration Protocol (DHCP). If you're using a wireless router and have decided to turn off DHCP, also consider
changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router.
10. Don't buy Access Points or NICs that only support 64-bit WEP.
11. Only purchase Access Points that have flashable firmware. There are a number of security enhancements that are being
developed, and you want to be sure that you can upgrade your access point.
12. A simple security technique used by the military is to have the administrator periodically change the key for the system i.e.
weekly, monthly, etc.