\"Securing a Home Network\" 1- Depending on where you live or go to school, you
Question
"Securing a Home Network"
1- Depending on where you live or go to school, you could have DSL, broadband, or high-speed fiber. Identify the type of Internet access that you use at home or in school. Discuss the pros and cons of the service available within your area. Justify your response.
2- Compare the best practices mentioned within the document to the way in which your own network is set up. Determine whether or not you will fix / change any aspect(s) of your current setup after reading about the specific best practices. Provide a rationale for your response.
Explanation / Answer
1. I use wi-fi Internet at home.
The popularity of wireless LANs is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. The majority of computers sold to consumers today come equipped with all necessary wireless LAN technology.
Advantages of Wifi
Convenience- The wireless nature of such networks allows users to access network resources from nearly any convenient location within their primary networking environment (a home or office). With the increasing saturation of laptop-style computers, this is particularly relevant.
Mobility- With the emergence of public wireless networks, users can access the internet even outside their normal work environment. Most chain coffee shops, for example, offer their customers a wireless connection to the internet at little or no cost.
Productivity- Users connected to a wireless network can maintain a nearly constant affiliation with their desired network as they move from place to place. For a business, this implies that an employee can potentially be more productive as his or her work can be accomplished from any convenient location.
Deployment- Initial setup of an infrastructure-based wireless network requires little more than a single access point. Wired networks, on the other hand, have the additional cost and complexity of actual physical cables being run to numerous locations (which can even be impossible for hard-to-reach locations within a building).
Expandability- Wireless networks can serve a suddenly-increased number of clients with the existing equipment. In a wired network, additional clients would require additional wiring.
Cost- Wireless networking hardware is at worst a modest increase from wired counterparts. This potentially increased cost is almost always more than outweighed by the savings in cost and labor associated with running physical cables.
Disadvantages of Wifi
Security- To combat this consideration, wireless networks may choose to utilize some of the various encryption technologies available. Some of the more commonly utilized encryption methods, however, are known to have weaknesses that a dedicated adversary can compromise.
Range- The typical range of a common 802.11g network with standard equipment is on the order of tens of meters. While sufficient for a typical home, it will be insufficient in a larger structure. To obtain additional range, repeaters or additional access points will have to be purchased. Costs for these items can add up quickly.
Reliability- Like any radio frequency transmission, wireless networking signals are subject to a wide variety of interference, as well as complex propagation effects that are beyond the control of the network administrator.
Speed- The speed on most wireless networks (typically 1-54 Mbps) is far slower than even the slowest common wired networks (100 Mbps up to several Gbps). However, in specialized environments, the throughput of a wired network might be necessary.
BEST PRACTICES FOR NETWORK LAN TECHNOLOGY
WLANs can be made secure if you're smart about how you integrate wireless with your wired enterprise, leverage your existing security tools and select the right security technologies--from basic 802.11 security to VPNs to solutions based on the new generation of wireless authentication/encryption protocols. As with any technology, the trick then is to monitor your network's health to keep it safe.
Safety First
The perils awaiting unprotected WLANs are many. Wireless traffic is easily recorded. Passive eavesdroppers can gather proprietary information, logins, passwords, intranet server addresses, and valid network and station addresses. Intruders can steal Internet bandwidth, transmit spam, or use your network as a springboard to attack others. They can capture and modify traffic to masquerade as you, with financial or legal consequences. Even a low-tech attacker can disrupt your business by launching wireless packet floods against your APs, nearby servers, next-hop wired network or Internet uplink.
Policy
If you don't know what you're defending and why, your security measures are just shots in the dark. It's critical to identify business assets that must be protected and the impact of damage, theft or loss.
For wireless, as with dial-up and DSL, your policy should define access requirements. Who needs access to what and when? If your company already has a remote access policy for travelers and telecommuters, expand it to incorporate wireless. If you have no such policy, create one. Remember to include scenarios that are unique to wireless, like employees at public hot spots (see "Hot Spots Give Security Managers the Chills") or office visitors.
Consider how wireless changes the rules for office visitors. Few companies offer Ethernet access to visiting customers or business partners. Jacks in public areas are typically disabled or latched to known addresses. But wireless laptops and PDAs can easily associate with nearby APs or other wireless stations. This is both a threat and an opportunity. Security policies should define rules for "walled garden" guest access. For example, you may prohibit peer-to-peer networking while permitting logged guest sessions through specific APs with limited destinations, protocols, duration and bandwidth. If guest access is banned, your policy must state this so that steps can be taken to prevent visitor intrusion.
Once assets have been identified, enumerate threats and quantify risks. Security is always a balancing act, weighing risk against cost. After this foundation has been established, you can begin to consider WLAN implementation alternatives.
Taking Stock
Before you plot out access point deployment, conduct a site survey using a WLAN discovery tool such as NetStumbler. What you learn might surprise you. According to a recent Gartner report, at least one in five companies find APs deployed without IT department permission. Commodity pricing, retail distribution and setup wizards have made it trivial for employees to install rogue APs, which can expose corporate assets to outsiders and interfere with WLAN performance. Find and eliminate rogue APs from the start--or safely incorporate them into your wireless network design.
Site surveys also turn up unauthorized workstations. Create an inventory of laptops and PDAs with wireless adapters, documenting user, MAC address and operating system. This will be used to implement WLAN access controls. And you'll find an up-to-date list is essential when WLAN adapters are lost or stolen.
You may find nearby APs and stations that don't belong to you. Survey public areas (parking lots, hallways, lobbies) just beyond the physical boundaries of your facility, including upstairs and downstairs. Neighboring MAC addresses should be recorded, along with network name (SSID) and channel. This list will be used to avoid cross-channel interference and eliminate false-positive intrusion alerts.
Consider getting APs with high-grade antennas that produce strong yet tight signals. These provide focused connectivity for your users. At the same time, their narrow focus means the signals are less likely to spill out into the street, where a war driver can capture and exploit them.
WLAN Meets LAN
Consider how new WLAN segments will be integrated with and reuse components of your wired infrastructure. Your network topology, device placement and current security measures all have direct impact on wireless LAN security.
Restrict AP placement in your network topology. Wireless applications require protected access to the intranet and/or Internet, affecting routers, firewall rules and VPN policies. Wireless APs are untrusted entities and should always sit outside the firewall or within a DMZ--never inside the firewall.
Think in terms of a three-interface firewall--intranet on the inside, APs (and other public servers) on the DMZ, and Internet on the outside interface. Circumstances dictate whether your APs should sit on the DMZ or outside.
A DMZ can protect the WLAN from Internet threats while protecting the wired intranet from WLAN threats. However, for example, if your firewall doesn't let VPN tunnels originate in the DMZ, you may need to place your AP on the outside interface instead.
AP security capabilities vary greatly. Entry-level APs are essentially "dumb" hubs, bridging wireless and wired segments. Enterprise-grade APs, such as Cisco Systems' Aironet 1200 series and Proxim's ORiNOCO AP-2000, are like managed switches, offering security features like 802.1X port access control (more on this a bit later). A few "smart" APs, such as Colubris' CN1000 and Madge's Smart Wireless Access Point, serve as VPN gateways.
Accordingly, your choice of AP will impact your WLAN topology (see "Alternative WLAN Network Topologies," below):
After entering the wired network, wireless traffic should be segregated so that different policies can be applied. Intranet servers, edge routers and bandwidth managers can be updated to filter on subnet(s) assigned to your WLAN. Even when addresses are hidden behind Network Address Translation (NAT), Virtual LAN (VLAN) tags can be used to avoid broadcasting wireless traffic throughout your Intranet.
Leverage existing security. In addition to firewalls and VPNs, the WLAN will be required to fit within your existing security infrastructure. Consider these points in making it all work together:
Integrate wireless networks and devices with existing management infrastructure. Determine if APs, stations and WLAN software should be inventoried, configured and monitored by solutions already in place and if new wireless management tools feed your existing supervisory systems.
Enterprise-grade APs and wireless gateways can often be remotely provisioned by SNMP network managers. Some AP vendors such as Cisco, Proxim and Symbol supply wireless network managers or network management system plug-ins. Third-party wireless policy management systems are starting to emerge (more on these later).
Wireless APs and gateways may generate SNMP traps or send Syslog messages, feeding log servers and analysis tools that already monitor wired networks. But WLANs have their own reporting needs, too. Enterprises may need to audit user activity; hot spot providers must record sessions to feed billing systems and generate revenue.
RADIUS access requests sent by 802.1X, VPNs and SSL portals can help. Devices sold to the ISP market are more likely to generate RADIUS accounting records.
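The AP inventory and neighbor list built during the site survey under "Taking Stock" can be checked against later scans to separate rogue APs from known neighbors and to spot channel overlap. The Python below is an added example, not part of the original answer; the MAC addresses, SSIDs, verdict names and the rule that 2.4 GHz channels fewer than five apart overlap are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample inventories (locally administered MACs, made-up SSIDs).
AUTHORIZED_APS = {  # BSSID -> (SSID, channel), from the IT inventory
    "02:00:5e:10:00:01": ("CorpNet", 1),
    "02:00:5e:10:00:02": ("CorpNet", 6),
}
KNOWN_NEIGHBORS = {  # recorded in lobbies, parking lots, adjacent floors
    "02:00:5e:20:00:09": ("CoffeeShop", 11),
}

class Observation(NamedTuple):
    bssid: str
    ssid: str
    channel: int

def normalize(mac: str) -> str:
    """Lower-case with ':' separators so inventory lookups are consistent."""
    return mac.strip().lower().replace("-", ":")

def classify(obs: Observation) -> str:
    bssid = normalize(obs.bssid)
    our_ssids = {ssid for ssid, _ in AUTHORIZED_APS.values()}
    if bssid in AUTHORIZED_APS:
        # An inventoried AP whose SSID or channel changed needs a config review.
        same = AUTHORIZED_APS[bssid] == (obs.ssid, obs.channel)
        return "authorized" if same else "authorized-drift"
    if obs.ssid in our_ssids:
        return "rogue-ssid-match"  # our network name on a radio we never deployed
    if bssid in KNOWN_NEIGHBORS:
        return "neighbor"          # known false positive, suppress the alert
    return "unknown"               # unapproved AP or a new neighbor: investigate

def interfering(obs: Observation) -> list[str]:
    """Authorized BSSIDs whose 2.4 GHz channel overlaps a foreign AP's channel."""
    if normalize(obs.bssid) in AUTHORIZED_APS:
        return []
    return sorted(b for b, (_, ch) in AUTHORIZED_APS.items() if abs(ch - obs.channel) < 5)

def survey_report(observations) -> dict[str, str]:
    return {normalize(o.bssid): classify(o) for o in observations}

SURVEY = [  # constructed scan results
    Observation("02-00-5E-10-00-01", "CorpNet", 1),
    Observation("02:00:5e:10:00:02", "CorpNet", 11),
    Observation("02:00:5e:99:00:aa", "CorpNet", 6),
    Observation("02:00:5e:20:00:09", "CoffeeShop", 11),
    Observation("02:00:5e:77:00:01", "linksys", 3),
]
```

Calling `survey_report(SURVEY)` returns one verdict per BSSID; `interfering()` lists which authorized APs share spectrum with a foreign one.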