CompTIA wants administrators of small office, home office (SOHO) networks to be able to secure those networks in ways that protect the data stored on them. This objective looks at the security protection that can be added to a wireless SOHO network, while the one that follows examines similar procedures for a wired network.
The wireless network is not and never will be secure. Use wireless only when absolutely necessary. If you must deploy a wireless network, here are some tips for improving its security:
In addition to those created with the installation of the operating system(s), default accounts are also often associated with hardware. Wireless access points, routers, and similar devices often include accounts for interacting with, and administering, those devices. You should always change the passwords associated with those devices and, where possible, change the usernames.
If there are accounts that are not needed, disable them or delete them. Make certain you use strong password policies and protect the passwords with the same security you use for users or administrators (in other words, don’t write the router’s password on an address label and stick it to the bottom of the router).
All radio frequency signals can be easily intercepted. To intercept 802.11a/b/g/n traffic, all you need is a PC with an appropriate 802.11a/b/g/n card installed. Many networks will regularly broadcast their name (known as an SSID broadcast) to announce their presence. Simple software on the PC can capture the link traffic in the wireless AP and then process this data to decrypt account and password information.
You should change the SSID, whether or not you choose to disable its broadcast, to keep it from being a value that many outsiders come to know. If you use the same SSID for years, then the number of individuals who have left the company or otherwise learned of its value will only increase. Changing the value adds one more level of security.
The types of wireless encryption available (WEP, WPA, WPA2, etc.) were discussed in Chapter 6, “Networking Fundamentals.” It’s important to remember that you should always enable encryption for any SOHO network you may administer, and you should choose the strongest level of encryption you can work with.
One method of “protecting” the network that is often recommended is to turn off the SSID broadcast. The access point is still there and can still be accessed by those who know of it, but it prevents those who are looking at a list of available networks from finding it. This should be considered a very weak form of security because there are still ways, albeit a bit more complicated, to discover the presence of the access point besides the SSID broadcast.
Most APs offer the ability to turn on MAC filtering, but it is off by default. In the default state, any wireless client that knows of the existence of the AP can join the network. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with the users’ computers and enters them. When a client attempts to connect, an additional check of the MAC address is performed. If the address appears in the list, the client is allowed to join; otherwise, it is forbidden from doing so. On a number of wireless devices, the term network lock is used in place of MAC filtering, and the two are synonymous.
Antenna placement can be crucial in allowing clients to reach the access point. For security reasons, you do not want to overextend the reach of the network so that people can get onto the network from other locations (the parking lot, the building next door, etc.). Balancing security and access is a tricky thing to do.
There isn’t any one universal solution to this issue, and it depends on the environment in which the access point is placed. As a general rule, the greater the distance the signal must travel, the more it will attenuate, but you can lose a signal quickly in a short space as well if the building materials reflect or absorb it. You should try to avoid placing access points near metal (which includes appliances) or near the ground. They should be placed in the center of the area to be served and high enough to get around most obstacles.
On the chance that the signal is actually traveling too far, some access points include power level controls that allow you to reduce the amount of output provided.
While DHCP can be a godsend, a SOHO network is small enough that you can get by without it issuing IP addresses to each host. The advantage to statically assigning the IP addresses is that you can make certain which host is associated with which IP address and then utilize filtering to limit network access to only those hosts.
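The MAC filter list and the static IP plan described above can be checked against what is actually on the network. The following is an added example, not part of the original text: it audits a neighbor table in the format printed by `ip neigh show` on Linux against an inventory. The inventory, addresses, and sample table are constructed for illustration.

```python
import re

# Constructed inventory: the MAC filter list and its static IP plan (assumed values).
INVENTORY = {
    "00:11:22:33:44:55": "192.168.1.10",   # office desktop
    "00-11-22-33-44-66": "192.168.1.11",   # laptop, entered with dashes
    "00:11:22:33:44:77": "192.168.1.12",   # printer
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev wlan0 lladdr 00:11:22:33:44:66 STALE
192.168.1.50 dev wlan0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.12 dev wlan0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:02 DELAY
192.168.1.99 dev wlan0 FAILED
"""

LINE = re.compile(r"^(\S+) dev \S+ lladdr (\S+)")

def normalize_mac(mac):
    """Lower-case, colon-separated form so 00-11-22.. and 00:11:22.. compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(neigh_text, inventory):
    """Return (ip, mac, finding) tuples for entries that break the static plan."""
    plan = {normalize_mac(m): ip for m, ip in inventory.items()}
    reserved = set(plan.values())
    findings = []
    for line in neigh_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac in plan and plan[mac] != ip:
            findings.append((ip, mac, "known host on unassigned address"))
        elif mac not in plan and ip in reserved:
            findings.append((ip, mac, "reserved address used by unlisted MAC"))
        elif mac not in plan:
            findings.append((ip, mac, "MAC not on the filter list"))
    return findings

if __name__ == "__main__":
    for ip, mac, finding in audit(SAMPLE_NEIGH, INVENTORY):
        print(f"{ip:15} {mac}  {finding}")
```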