Note: If you supply a firewall as a standalone appliance, you may want to turn the router's firewall off. More in Chapter 10.
By default, most of today's small routers block packets from well-known ports. If you want to let them through, or want to let through traffic from specific Web applications such as games, then you will need to open the ports manually, as in Figure 6-10. You enter the ports you want to open in the Start and End boxes. (These make it easier to enter a range of ports.) If you have a Web server or FTP server with static IP addresses, you will need to open their ports, for example.
Figure 6-10: Configuring a router to open specific ports
Finally, you can usually configure Internet access policies (Figure 6-11), providing access controls for specific machines on your internal network.
First, you create a list of workstations to be affected by the policy, as in Figure 6-12. Then you indicate when you want to deny or allow access. Notice also at the bottom of the access policy screen that you can block Web sites by URL or keyword. (It may not be as flexible as many stand-alone parental control applications, but it's a start!)
Figure 6-11: Configuring Internet access policies
Note: You may have noticed that this router also has a screen for configuring wireless connections. We'll look at that in Chapter 7.
Figure 6-12: Setting up a list of PCs for an Internet access policy
Integrating Wireless Transmissions
If you read the popular press, you would think that small networks were wireless, and nothing but wireless. The ostensible ease of setting up and using a wireless network seems to be endlessly appealing. And there is no question that a wireless connection is convenient for connecting a computer such as a laptop that needs only occasional access to your network or that changes its location frequently. However, there are major drawbacks to wireless networks, especially in terms of security, that should make even the smallest of small business users think twice.
In this chapter we'll look at why the most common wireless networks aren't truly Ethernet (and why they can't be). We'll also talk about wireless standards and speeds, along with how wireless connections work. Along the way we'll explore the security issues that still plague today's wireless connections.
Wireless MAC Protocol versus Ethernet MAC Protocol
As you will remember, the Ethernet MAC protocol (CSMA/CD) relies on the ability of connected devices to detect the presence of a signal on the network wire. When a device detects a signal, it knows that the wire is in use and that it must wait to transmit. Wireless connections, however, can't use CSMA/CD. Why? Because wireless devices can't detect collisions. And why not? Because wireless transmissions are half duplex.
With CSMA/CD, the transmitting device must send a frame and then immediately listen for a collision. But a wireless device can't send and listen at the same time. Therefore, if it transmits and a collision occurs, it has no way to detect that collision. CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) tries to minimize collisions. It works in the following way:
1. A device waiting to transmit checks to see if there is a carrier signal (access point is busy).
2. If the access point is not busy, it sends a jamming signal to alert other devices that it will be transmitting.
3. If there is a signal, the device waits a random amount of time and then checks the transmission channel again.
4. If the access point is still busy, the device doubles its wait time, and continues to do so until it can gain control of the transmission frequency.
The randomness of the wait intervals and the increasing wait time minimize the collisions. Packets that are mangled by collisions won't generate TCP acknowledgment packets and will therefore be resent.
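The four steps above as a slotted-time simulation, added here as an illustration and not code from the book. It assumes (these are constructed parameters) that a frame occupies four time slots, that the first random wait is drawn from 1 to 2 slots, that the doubling of step 4 stops at 64 slots, and it folds the announcement of step 2 into the transmission itself. Two stations whose waits expire in the same idle slot collide; because neither gets an acknowledgment, both draw a fresh random wait and resend. The `double_wait=False` variant keeps the random wait of step 3 but drops the doubling of step 4, so the two runs show what the doubling buys.

```python
import random

# Constructed parameters (assumptions for this illustration, not values from the book):
FRAME_SLOTS = 4     # slots a single transmission occupies the channel
INITIAL_WAIT = 2    # the first random wait is drawn from 1..INITIAL_WAIT slots
MAX_WAIT = 64       # doubling of the wait range stops here


def simulate(n_stations, frames_each, seed=1, double_wait=True):
    """Slotted-time model of the four CSMA/CA steps.

    A station whose timer has run out checks the channel (step 1). If the
    channel is idle it transmits (step 2). If the channel is busy it draws a
    random wait (step 3) and, with double_wait, doubles the range it draws
    from at each further busy check (step 4). Two stations that transmit in
    the same idle slot collide; neither frame is acknowledged, so both draw
    a new wait and resend. Returns counts of delivered frames, collisions,
    busy checks, and the slot at which the channel finally went idle.
    """
    rng = random.Random(seed)
    pending = [frames_each] * n_stations
    timer = [0] * n_stations               # slots until the station's next channel check
    window = [INITIAL_WAIT] * n_stations   # current upper bound of the random wait
    busy_until = 0                         # first slot in which the channel is idle again
    stats = {"delivered": 0, "collisions": 0, "busy_checks": 0, "slots": 0}
    slot = 0

    def back_off(i):
        if double_wait:
            window[i] = min(window[i] * 2, MAX_WAIT)
        timer[i] = rng.randint(1, window[i])

    while any(pending):
        checking = [i for i in range(n_stations) if pending[i] and timer[i] == 0]
        if slot < busy_until:
            for i in checking:                 # carrier present: wait, then re-check
                stats["busy_checks"] += 1
                back_off(i)
        elif len(checking) == 1:               # channel idle, one sender: success
            i = checking[0]
            busy_until = slot + FRAME_SLOTS
            pending[i] -= 1
            stats["delivered"] += 1
            window[i] = INITIAL_WAIT           # a success resets the backoff range
            timer[i] = FRAME_SLOTS             # next check once its own frame is done
        elif len(checking) > 1:                # channel idle, several senders: collision
            busy_until = slot + FRAME_SLOTS
            stats["collisions"] += 1
            for i in checking:
                back_off(i)
                timer[i] += FRAME_SLOTS        # the garbled frame still occupies the channel
        for i in range(n_stations):
            if pending[i] and timer[i] > 0:
                timer[i] -= 1
        slot += 1
    stats["slots"] = busy_until
    return stats


if __name__ == "__main__":
    for doubling in (True, False):
        r = simulate(n_stations=8, frames_each=20, seed=42, double_wait=doubling)
        print("doubling" if doubling else "fixed range", r)
```

With a single station there is nothing to contend with, so the channel is busy for exactly `FRAME_SLOTS` per frame and no collision or busy check occurs; with two stations that both start at once, the first slot is always a collision, which is why the random and growing waits matter.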
Wireless Speeds and Standards
One reason that wireless networks aren't as widely used in business networks as they are in home networks is speed: Although some current standards are rated to perform as well as wired networks, in practice wireless networks almost never achieve anywhere near their rated throughput. The standards are constantly pushing speeds upward, and we can only hope that eventually wireless technologies actually will be able to achieve rated speeds.
At this point, the standards for wireless transmissions are subsets of the IEEE's 802.11 and 802.16 specifications. (See Table 7-1.) Notice first that with the exception of the as yet unreleased 802.11n, the Wi-Fi standards are all slower than wired networks. In addition, they operate in the same bands as most cordless telephones!
Table 7-1: Wireless Networking Standards
802.11a (Wi-Fi): Maximum 54 Mbps (5 GHz band); security WEP, WPA. Good for multimedia, voice, and large images. Nonetheless, not widely used.
802.11b (Wi-Fi): Greater range than 802.11a. First widely implemented wireless standard.
802.11g (Wi-Fi): Compatible with 802.11b. Widely used.
802.11i: Specifies additional security for 802.11x networks.
802.11n (a): Has a range of up to 250 meters. Interferes with 802.11b and 802.11g networks.
802.16 (WiMax) (b): Intended for wireless MANs.
Bluetooth: Intended for connecting small peripherals, such as keyboards, PDAs, and cell phones, to computers.
a. This standard is not as yet approved. It is scheduled for final approval in July 2007 and release in April 2008. Currently, you can purchase products labeled "pre-n," but there is no guarantee that those products will be compatible with the standard that is ultimately released.
b. WiMax speeds depend heavily on distance. The 75 Mbps speed is achievable for up to four miles, but drops to 50 Mbps between 4 and 6 miles, and to 17 Mbps over 6 miles.
Most wireless access points handle both 802.11b and 802.11g transmissions. Most laptops come equipped with 802.11g wireless adapters. Nonetheless, the compatibility doesn't work in the same way as autosensing ports on an Ethernet switch. The switch can operate with one port at 10 Mbps, several ports at 100 Mbps, and yet even more ports at 1000 Mbps; the speed of the transmissions between each device and the switch is a matter for the switch and device, independent of the speed of other devices connected to the switch. However, if both 802.11b and 802.11g devices are communicating with the same access point, the access point slows down to 802.11b speeds for all of its transmissions, removing the advantage of having the faster devices.
At the time this book was written, it made sense to purchase 802.11g equipment, especially for new installations where no 802.11b devices would be in use. It was somewhat risky to purchase pre-n equipment, given that there was no guarantee that it would be compatible with 802.11n equipment that was produced in response to the final accepted standard.
Wireless Access Points
Wireless network adapters communicate with wireless access points (APs). As you read in Chapter 6, an access point may be built into a small router, along with an Ethernet switch (for example, Figure 7-1). Alternatively, you can purchase stand-alone access points, which don't look much different from the all-in-one router. (The little antennas sticking up are a dead giveaway that you're dealing with a wireless device.)
Note: The irony of the preceding is that a stand-alone access point costs the same as, if not more than, a small router with a switch and access point built in.
Service Set Identifiers
Wireless access points are limited in range. It therefore is not unusual to have more than one access point with overlapping ranges in the same network. To distinguish themselves, APs have names known as Service Set Identifiers (SSIDs). When a remote device wants to connect to an AP, it supplies the SSID of the access point it wants to use. In public hot spots, however, many APs may share an SSID to make it easier for clients to move from one AP to another without signal interruption.
Figure 7-1: A router with a built-in wireless access point (Courtesy of Belkin Corporation)
By default, APs broadcast their SSIDs for any wireless adapter in range to pick up. This is why it is so easy to connect to the wireless service in an airport, for example. The driver for a laptop's wireless adapter searches for SSID broadcasts and identifies the strongest signal it can find. That is the network to which it will attempt to connect first.
APs broadcasting their SSIDs are therefore wide open to any device in range, a major security problem. There are two very simple things you can do to prevent just anyone from connecting to your wireless access points: Turn off the broadcast of the SSID and change the default name of the AP. The default names are usually something like the name of the manufacturer of the AP or the word "wireless" or something else equally insecure. For example, there are probably tens of thousands of unsecured wireless routers in the United States broadcasting the SSID "linksys." For more well-known SSIDs, see Table 7-2.
Table 7-2: Well-Known SSIDs
If your access point is part of a router, you'll use the router's Setup utility to take care of this (for example, Figure 7-2). Otherwise, you'll use the Setup utility that is part of the AP.
Figure 7-2: Configuring SSID broadcast
Note: How big a problem is the SSID broadcast, really? You decide: From the second floor of my house, which is set 150 feet back from the road, a guest in my guest room can pick up the SSID broadcast of my neighbors across the street. The signal is going through two stick-built houses and traveling at least 250 feet. Although brick, stone, and metal can restrict the range of wireless signals, don't count on your walls keeping in your wireless transmissions.
Turning off the broadcast of the SSID and changing the default SSID will go a long way toward deterring war drivers, individuals who use specialized equipment and antennas to find open wireless networks. However, it isn't enough to deter the sophisticated service and data thief. For that you need encryption, which is discussed in the last section of this chapter.
Adding Access Points to a Wired Network
It's relatively simple to add a wireless access point (or two, or three, ...) to a wired network:
• If you purchase a router with a built-in access point, just add the router to your network. The access point automatically becomes part of the network.
• If you purchase a stand-alone access point, be sure that it has an Ethernet port. Then, use a short Cat 5 or better patch cable to connect the AP to a port on an Ethernet switch. Each AP you add to the network will consume one port on a switch.
You do, however, need to pay some attention to where you place your access points. Wi-Fi signals do travel through wood quite well, but not as well through metal and concrete. Floors tend to present more of a barrier than walls. Therefore, you want to place APs fairly high where they are least likely to encounter barriers in the transmission path. (Line-of-sight is optimal but does defeat the purpose of allowing equipment to move from place to place in the office!)
If you have office space that is broken up with cubicle partitions, try to place the APs above the level of the cubicle walls. Although Wi-Fi signals will certainly go through cubicle walls, with too many walls the signal strength will attenuate to such a point that it is unusable.
Wireless Security Issues
We've talked a bit about the problems with a wide-open wireless network: If an AP broadcasts its SSID, then anyone with a wireless-equipped device can piggyback off your network, stealing your Internet service and perhaps intercepting packets traveling on your network. The simplest protection is to turn off the broadcast of the SSID and to change the SSID from the AP's default value. Neither of these actions, however, will prevent a knowledgeable hacker from picking up network packets as they travel through the air. It's unfortunate, but we have to operate our wireless networks under the assumption that someone is intercepting network traffic and looking inside our packets to steal confidential information. The first line of defense against such actions is encryption, changing the payload of the packets so that the payloads are unintelligible to unauthorized users.
Encryption schemes today are key based. Using one or two keys (depending on the type of encryption), an encryption scheme uses secret values to change the data field of a message; the recipient of the message must also have a key to change the data field back to its original, unencrypted form. Some keys can be cracked with an application of high-end desktop computing power. The strength of a key generally depends on how long it is and the complexity of the method used to transform the data based on the key. The longer the key, the better; the more complex the method, the better.
• The RC4 algorithm relies on a secret cryptographic key. However, in many cases all wireless access points and clients use the same key.
• The default cryptographic key used by WEP is only 40 bits long and rarely changes. WEP also uses a 24-bit initialization vector (IV), which changes every transmission. Even if a network changes the IV for each conversation, a moderately busy network will end up recycling and reusing IVs about every five hours. Whenever keys are reused (or not changed, in the case of the encryption key), a system cracker has the opportunity to collect multiple packets using the same key, making extracting the message content from the packet much easier.
• WEP encrypts only data. It doesn't encrypt the initialization of a connection, including client authorization information. The IV is also sent in the clear with every packet. (Many encryption sessions must start with an IV in the clear, but not all send it with every packet!)
• Access points ship with WEP turned off. Network administrators need to turn it on to get any benefit at all. (You can argue whether this is the manufacturer's fault or WEP's fault, but nonetheless, you have to turn it on.)
• WEP can be difficult to configure because the key must be entered identically into every system. Therefore, many users don't bother to turn it on.
Note: As mentioned earlier, WEP uses an encryption key that may be used by multiple clients and that doesn't change frequently. Here is how it works: The key and the IV are used as input to the RC4 algorithm to generate a pseudorandom stream, which is used as the key stream for the stream (Vernam) cipher for the data. The problem is that the same input to the RC4 algorithm produces the same Vernam cipher key stream. Therefore, as the IVs are reused and combined with the unchanging encryption key, all a cracker needs to do is obtain an unencrypted message and its encrypted version. It isn't too hard to deduce the key stream and then use it to decrypt all messages using the same IV. Even without an unencrypted message, a cracker can perform a logical XOR operation on two messages encrypted with the same IV to produce a weakly encrypted message that is easier to crack.
All this being said, WEP is better than nothing! If your access point provides no other security measures, at least turn on WEP, using your router or AP's management facilities. For example, you can see the setup of WEP using a 128-bit key in Figure 7-3. You enter a passphrase (something longer and more difficult to guess than "test") and tell the router/AP to generate the keys. Each device that joins the network will need to supply the passphrase, as well as knowing the SSID of the AP (assuming that you have turned off the broadcast).
Figure 7-3: Setting up WEP
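The key stream reuse that the note above describes, shown on a toy stream cipher as an added example; this is not code from the book or from any WEP implementation. SHA-256 in counter mode stands in for RC4 (an assumption made so the example runs with the standard library only), since the only property that matters here is that the same IV and key always produce the same stream. The 40-bit key, the IVs, the two payloads and the rate of 1000 packets per second for a "moderately busy" network are constructed values. The last function works out how long a 24-bit IV space lasts at that rate, and, for comparison, how long the 48-bit IV that WPA introduces would last, which is the reason per-packet key changes matter.

```python
import hashlib
from itertools import count

IV_LEN = 3  # WEP's 24-bit IV, sent in the clear in front of every packet


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stand-in for RC4 (assumption: SHA-256 in counter mode over IV||key).
    Identical (IV, key) input always yields the identical stream, which is
    the structural property the WEP weakness rests on."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(iv + key + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style packet: clear IV followed by plaintext XOR key stream."""
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def wep_decrypt(key: bytes, packet: bytes) -> bytes:
    iv, body = packet[:IV_LEN], packet[IV_LEN:]
    return xor(body, keystream(key, iv, len(body)))


def recovered_stream(known_plaintext: bytes, packet: bytes) -> bytes:
    """What an eavesdropper learns from one packet whose plaintext it knows:
    the key stream for that packet's IV, without ever learning the key."""
    return xor(known_plaintext, packet[IV_LEN:])


def decrypt_with_stream(stream: bytes, packet: bytes) -> bytes:
    """Apply a recovered stream to another packet; only works if the IV was reused."""
    return xor(stream, packet[IV_LEN:])


def plaintext_xor(packet_a: bytes, packet_b: bytes) -> bytes:
    """Two packets with the same IV: c1 XOR c2 == p1 XOR p2, the key stream cancels."""
    if packet_a[:IV_LEN] != packet_b[:IV_LEN]:
        raise ValueError("different IVs, so the key streams differ and nothing cancels")
    return xor(packet_a[IV_LEN:], packet_b[IV_LEN:])


def hours_until_iv_reuse(packets_per_second: float, iv_bits: int = 24) -> float:
    """How long a network sending at this rate can go before it must repeat an IV."""
    return (2 ** iv_bits) / packets_per_second / 3600


# Constructed sample data: a 40-bit key, one IV, and two payloads of equal length.
KEY = bytes.fromhex("0123456789")
IV = b"\x00\x00\x01"
M1 = b"GET /index.html HTTP/1.0"
M2 = b"user=alice&pass=secret01"

if __name__ == "__main__":
    c1 = wep_encrypt(KEY, IV, M1)
    c2 = wep_encrypt(KEY, IV, M2)                 # IV reused: same stream as c1
    stream = recovered_stream(M1, c1)             # known plaintext gives the stream
    print(decrypt_with_stream(stream, c2))        # M2, recovered without the key
    print(plaintext_xor(c1, c2) == xor(M1, M2))   # True: the key stream cancelled
    c3 = wep_encrypt(KEY, b"\x00\x00\x02", M2)    # fresh IV: the stream from c1 is useless
    print(decrypt_with_stream(stream, c3) == M2)  # False
    print(round(hours_until_iv_reuse(1000), 1), "hours at 1000 packets/s, 24-bit IV")
    print(round(hours_until_iv_reuse(1000, 48) / 24 / 365), "years with a 48-bit IV")
```

At 1000 packets per second the 24-bit IV space is exhausted in about 4.7 hours, which matches the "about every five hours" figure above; a 48-bit IV at the same rate lasts thousands of years, so a per-packet key that never repeats within a session is what removes the reuse problem rather than any change to the cipher itself.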
WiFi Protected Access
The 802.11i standard is not a physical layer standard, such as a, b, and g, but instead was designed to provide security for existing wireless technologies. However, because it took so long to develop 802.11i, an alternative security solution, which is compatible with 802.11i, WiFi Protected Access (WPA), also emerged.
WPA replaces WEP with stronger encryption, including a 48-bit IV. It also can operate in two modes. The first requires preshared keys, such as passwords, between an access point and a client. The second mode allows the use of external authentication services, such as RADIUS.
WPA's encryption uses the Temporal Key Integrity Protocol (TKIP) and is supported by most current APs. (See Figure 7-4.) Its major provisions include a method for changing the encryption key with each packet sent during a communications session, making it much more difficult for a system cracker to decipher a message, even if he or she should intercept all packets from a single session.
Figure 7-4: Setting up WPA
WPA includes secure user authentication, something missing from WEP.
As noted earlier, the WPA provisions allow access points to use an authentication server (for example, RADIUS) and also allow clients to authenticate access points. This can significantly reduce the chances that clients will connect to an unauthorized access point that has been inserted into a wireless network. If a network is too small to support an external authorization server, then WPA operates in its preshared key mode.
802.11i on Top of WPA
802.11i includes the WPA encryption methods, but in addition provides Robust Security Network (RSN), a procedure that allows access points and clients to determine which type of encryption will be used during a communications session. The beauty of this approach is that encryption methods can be updated as new algorithms are developed.
802.11i also mandates the use of Advanced Encryption Standard (AES) to provide even stronger encryption. Unfortunately, AES can't be added to existing access points with simply a software upgrade, as can WPA; it requires changes to the hardware, although most wireless equipment manufactured after 2002 is compatible with 802.11i, as in Figure 7-5.
Figure 7-5: Configuring WPA2 (802.11i) security using AES
Note: The U.S. government has endorsed AES as its primary encryption method, replacing the original Data Encryption Standard (DES).
Note: 802.11i is known familiarly as WPA2.