|
|
Programming Help |
Homework Help |
Counseling Astrology Advice | Tarot Advice | Parenting Dating Advice | Love Advice | Divorce Advice Legal Advice | Debt Advice | Career Advice W IRELESS N ETWORK S ECURITY 3-25 3.5.3.1.1 Access Point Configuration Network administrators need to configure APs in accordance with established security policies and requirements. Properly configuring administrative passwords, encryption settings, reset function, automatic network connection function, Ethernet MAC Access Control Lists (ACL), shared keys, and Simple Network Management Protocol (SNMP) agents will help eliminate many of the vulnerabilities inherent in a vendor's software default configuration. Updating default passwords. Each WLAN device comes with its own default settings, some of which inherently contain security vulnerabilities. The administrator password is a prime example. On some APs, the factory default configuration does not require a password (i.e., the password field is blank). Unauthorized users can easily gain access to the device if there is no password protection. Administrators should change default settings to reflect the agency's security policy, which should include the requirement for strong (i.e., an alphanumeric and special character string at least eight characters in length) administrative passwords. If the security requirement is sufficiently high, an agency should consider using an automated password generator. An alternative to password authentication is two-factor authentication. One form of two-factor authentication uses a symmetric key algorithm to generate a new code every minute. This code is a one-time use code that is paired with the user's personal identification number (PIN) for authentication. Another example of two-factor authentication is pairing the user's smart card with the user's PIN. This type of authentication requires a hardware device reader for the smart card or an authentication server for the PIN. Several commercial products provide this capability. However, use of an automated password generator or two-factor authentication mechanism may not be worth the investment, depending on the agency's security requirements, number of users, and budget constraints. Given the need to ensure good password authentication and policies, it is important to note the critical importance of ensuring that the management interface has the proper cryptographic protection to prevent the unauthorized disclosure of the passwords over the management interface. Numerous mechanisms exist that can be exploited to ensure that encrypted access protects those critical "secrets" in transit. Secure Shell (SSH) and SSL are two such mechanisms. Establishing proper encryption settings. Encryption settings should be set for the strongest encryption available in the product, depending on the security requirements of the agency. Typically, APs have only a few encryption settings available: none, 40-bit shared key, and 104-bit shared key (with 104-bit shared key being the strongest). Encryption as used in WEP, simple stream cipher generation, and exclusive-OR processing does not pose an additional burden on the computer processors performing the function. Consequently, agencies do not need to worry about computer processor power when planning to use encryption with the longer keys. However, it should be noted that some attacks against WEP yield deleterious results regardless of the key size. It is important to note that products using 128-bit keys will not interoperate with products that use 104-bit keys. Controlling the reset function. The reset function poses a particular problem because it allows an individual to negate any security settings that administrators have configured in the AP. It does this by returning the AP to its default factory settings. The default settings generally do not require an administrative password, for example, and may disable encryption. An individual can reset the configuration to the default settings simply by inserting a pointed object such as a pen into the reset hole and pressing. If a malicious user gains physical access to the device, that individual can exploit the reset feature and cancel out any security settings on the device. The reset function, if configured to erase basic operational information such as IP address or keys, can further result in a network DoS, because APs may not operate without these settings. Having physical access controls in place to prevent unauthorized users from resetting APs can mitigate the threats. Agencies can detect threats by performing regular security audits. Additionally, reset can be invoked remotely over the management interface on some products. For |
Find more freelance jobs
|
