
APPENDIX E
SECURITY
Revised: 30 Jun 08
APX E-2
EST P/N AA107D
Using a combination of both the WPA or 128-Bit WEP encryption and the ACL filter provides the ESTeem an extremely secure
wireless networking layer.
DISABLING BROADCAST PROBES AND HIDING SSID
A simple but very effective way of securing a network is to make the network difficult to find. By disabling broadcast probes and
hiding the Service Set Identification (SSID), wireless and network “sniffers” will not be able to find your ESTeem Model 195Ed
network. To gain access to the wireless network, you would be required to have the SSID and all security loaded in the WLAN
card software prior to entering the network.
MASQUERADE MODES
When the ESTeem Model 195Ed is configured in either the Access Point Masquerade or the Client Masquerade modes, the
wireless modem functions as a network firewall. If access to the wired network is the greatest concern, place the ESTeem in the
Masquerade mode and the wireless network will be completely isolated from the wired Ethernet network.
INCREASING NETWORK SECURITY
The following are a few suggestions to help improve the overall security of your wireless network:
1. Enable the security. If you research the articles regarding hackers, you will find that they have gotten into the user’s
   network because the security was not enabled.
2. Set the ACL filter to include only the MAC addresses of the wireless Ethernet devices being used on the network.
3. Set "Hide SSID" to True. As you take your access point out of the box, broadcast SSID is enabled, which means that it will
   accept any SSID. By hiding the SSID, the SSID configured in the client must match the SSID of the access point.
4. Make sure the keys are not reused in your company, since reuse increases the statistical likelihood that someone can figure
   the key out, and change the default password on your access point or wireless router.
5. Change the default SSID of your product. Don't change the SSID to reflect your company's main names, divisions, or products.
   It just makes you too easy to target.
6. As a network administrator, you should periodically survey your company using a tool like NetStumbler to see if any "rogue"
   access points pop up within your company without authorization. All of your hard work to "harden" your wireless network
   could be wasted if a rogue AP was plugged into your network behind the firewall.
7. Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the
   MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there
   are ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to
   spoof a MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining
   the tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms
   for updating these tables across multiple access points of the same brand.
8. If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off Dynamic
   Host Configuration Protocol (DHCP). If you're using a wireless router and have decided to turn off DHCP, also consider
   changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router.
9. A simple security technique used by the military is to have the administrator periodically change the key for the system,
   i.e. weekly, monthly, etc.
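The periodic survey in suggestion 6 can be checked against suggestions 1, 3 and 5 with a short script. The following is an added example, not part of the ESTeem manual: the CSV layout, BSSIDs, SSIDs and word list are constructed for illustration, and a hidden SSID is assumed to appear as an empty SSID field in the survey.

```python
import csv
import io

# Constructed survey export (hypothetical layout, not a real tool's format).
# Assumption: an access point with a hidden SSID shows an empty ssid field.
SURVEY_CSV = """bssid,ssid,encryption
00:11:22:33:44:01,,WPA
00-11-22-33-44-02,ACME-Plant,NONE
66:77:88:99:AA:BB,default,NONE
"""

# Constructed inventory of the access points the administrator installed.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# Constructed words an SSID should not contain: factory default, company name.
DISCOURAGED = ("default", "acme")


def normalize_mac(mac):
    """Lower-case and use ':' separators so list lookups are consistent."""
    return mac.strip().lower().replace("-", ":")


def audit(survey_text, authorized, discouraged):
    """Return (bssid, finding) pairs for every access point in the survey."""
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = normalize_mac(row["bssid"])
        ssid = row["ssid"].strip()
        if bssid not in authorized:
            # Suggestion 6: an AP nobody authorized is a rogue; report and move on.
            findings.append((bssid, "ROGUE_AP"))
            continue
        if row["encryption"].strip().upper() in ("", "NONE", "OPEN"):
            findings.append((bssid, "SECURITY_NOT_ENABLED"))  # suggestion 1
        if ssid:
            findings.append((bssid, "SSID_NOT_HIDDEN"))  # suggestion 3
        if any(word in ssid.lower() for word in discouraged):
            findings.append((bssid, "SSID_DEFAULT_OR_REVEALING"))  # suggestion 5
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SURVEY_CSV, AUTHORIZED, DISCOURAGED):
        print(bssid, finding)
```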