CEDIA WHITE PAPER
Network Security Best Practices
2014 CEDIA
TABLE OF CONTENTS
01 Document Scope
02 Introduction
03 Securing the Router from WAN (Internet) Attack
04 Securing the LAN and Individual Devices
05 Securing the Wireless Network
06 Authentication
07 Wireless Security Protocols
08 Conclusion
09 Informative References
   CEDIA Education
   CISCO Certification
10 Appendix A: Wireless Standards
11 Appendix B: Design and Implementation of a Wireless Solution
12 Appendix C: Abbreviations Used in this Document
01 DOCUMENT SCOPE

Network security must be addressed by every electronic systems contractor (ESC) who has responsibility for their clients' networks. It is not enough to simply leave equipment on its default settings and hope for the best, as doing so can expose the clients' networks, and the hardware and data on them, to malicious and potentially highly destructive attacks. This document must not be seen as a complete guide to network security, but rather as guidance for a pragmatic approach.

Attackers will often search for networks that have been poorly secured. By following these guidelines, ESCs can decrease the likelihood that potential attackers will attempt an attack on a client's network, and in some cases can prevent attackers from even knowing the network exists.

This white paper establishes best practices for implementing wireless local area network (WLAN) security in a residential environment based on the IEEE 802.11x and 802.3 standards.

This document assumes that a router is used between the WAN (the Internet) and the LAN (local area network). This can be in the form of a DSL modem/router or a router connected to a cable modem.

This document covers network security in three parts:
1. Securing the router from WAN (Internet) attack
2. Securing any wireless networks
3. Securing the LAN and individual devices

02 INTRODUCTION

One of the primary benefits of wireless networking is the ease and convenience of connecting devices. This is also one of its biggest weaknesses. In most cases, as soon as the integrated router or access point is connected to the modem, the wireless clients within range will immediately request and be granted connectivity, both internally and to the Internet. Unfortunately, that ease of connectivity and the fact that information is transmitted through the air make the network vulnerable to interception and attacks.
With wireless connectivity, the attacker does not need a physical connection to a computer or any of the network devices to access the network. The attacker can access the network from any location within transmission range. Once an attacker gains access to the network, they can piggyback onto Internet services, access computers on the network to damage files, or steal personal and private information.

These vulnerabilities in wireless networking require manual configuration of the built-in security features designed to help protect the WLAN from attacks. Many of these procedures are simple steps that should be performed during initial setup of the wireless device; others are more advanced security configurations.

Before we get into a detailed discussion of the various aspects of network security, here are some basic Do's and Don'ts when configuring an access point (AP):
- Turn off the wireless router when not in use.
- Whenever possible, use WPA or WPA2 security on the wireless router.
- Disable SSID broadcast.
- Always change the default administrator username and password.
- If possible, avoid using MAC ID filtering, as it can be laborious to enter all the addresses and it can still be hacked.
- If possible, do not use WEP security, as it is a weak encryption standard and can be easily hacked.
- Do not share the administrator password with anyone besides the client.

03 SECURING THE ROUTER FROM WAN (INTERNET) ATTACKS

Out of the box, most networking equipment will perform to its specification. It is essential, though, that the following is addressed:

Choose a secure router. While it is not necessary to use expensive enterprise-grade equipment in a residential environment, the following considerations are essential:
- The router should have a built-in firewall.
- The router should be updated to the latest firmware. Consider including this as a regular chargeable maintenance item.
- Consider using limited-distribution product that is not readily available to the consumer market. This equipment will often be more secure.

Always change the default administrator username and password on the router.

Unless you or the client has an overriding and specific need, disable the ability for the router to be configured from its WAN (Internet) port. This feature exists on the majority of routers.

If your router supports this feature, disable "Respond to Ping" from the Internet. This will make it harder for a potential attacker to identify your network from the Internet.

Make sure the DMZ feature is disabled unless there is a specific requirement for using it. (The DMZ feature opens the router's firewall to all traffic and routes this traffic to a specific IP address on the local network.)

When access to devices and services on the LAN is required from the WAN (Internet):
- NAPT (port forwarding) is the least secure method. Any attacker from the Internet will have easy access to the device that is open. Potentially, if this device's security is breached, the attacker could gain access to the entire network. In addition, all traffic on this connection is unencrypted while it crosses the Internet. If used, ensure that very strong passwords are used on all open devices.
- VPN (virtual private network) is a much more secure method. If using a VPN, ensure that very strong passwords are used. It is also recommended that an enterprise-grade hardware device is used as the VPN endpoint. This functionality is built into the majority of enterprise-grade routers.

04 SECURING THE LAN AND INDIVIDUAL DEVICES

The majority of routers come preset to use a Class C address range when issuing DHCP addresses.
While a Class C (192.168.x.x) address is entirely appropriate, consider changing the subnet from the default setting (e.g., from 192.168.1.x to 192.168.75.x).
- Ensure that no LAN network sockets are accessible from outside the property.
- Ensure that virus scanning and Internet security software is kept up to date automatically and is checked periodically for integrity.
- Manage the client. Educate the client and explain the potential risks from the following:
  - Opening e-mails from unknown sources
  - Downloading anything from an unknown source
  - Peer-to-peer networking software (e.g., LimeWire and torrent software)
  - Opening files from untrusted sources (e.g., from a CD or USB flash drive)
  - Phishing messages that ask the user to divulge passwords and personal information

05 SECURING THE WIRELESS NETWORK

SSID

The SSID is used to identify the WLAN. All devices that wish to participate in the WLAN must use the same SSID. To allow easy detection of the WLAN by clients, the SSID is broadcast. It is possible to disable the broadcast feature of the SSID. If the SSID is not broadcast, wireless clients will need to have this value manually configured.

A wireless host (STA) is defined as any device that contains a wireless NIC (a computer hardware component that connects a computer to a computer network) and wireless client software. This client software allows the hardware to participate in the WLAN. Devices that are STAs include PDAs, iPods, laptops, desktop PCs, printers, projectors, Wi-Fi phones, and a plethora of other wireless-capable devices.

In order for an STA to connect to the WLAN, the client configuration must match that of the access point (AP). This includes the SSID, security settings, and channel information if the channel was manually set on the AP. These settings are specified in the client software that manages the client connection.
The wireless client software is usually integrated into the device operating system, but can also be stand-alone, downloadable wireless utility software specifically designed to interact with the wireless NIC.

By default, the AP will broadcast the SSID, so simply changing the name provides no additional security. Once the SSID has been renamed, the broadcast feature should be disabled. This effectively shields the WLAN from public view and makes the task of connecting to the network more difficult. This alone will not fully protect the network, as the SSID is transmitted between network devices in clear text and these signals can be intercepted. There are numerous freeware tools that sniff out wireless networks in an attempt to capture and analyze packet headers, enabling the hacker to gain access to all of the information necessary to access the network. Protecting your WLAN requires a combination of several actions.

802.11 AND 802.11X SECURITY

Key considerations for 802.11 and 802.11x security include:
- Always change the manufacturer's default SSID, username, and password.
- Consider not broadcasting the SSID. Not broadcasting the SSID will keep the casual hacker from seeing the network and attempting to connect to it. One disadvantage is that the SSID will have to be manually entered into any new authorized devices that wish to access the wireless network. Once the SSID has been entered initially, it will not need to be re-entered for future access.
- Some APs allow for a guest account. If a guest account is used, ensure that it is secured to the same level as other networks.
- Make sure that all devices on the network support the chosen security method. All security methods incur bandwidth overheads that reduce throughput.
- WPA2 is the most recent security standard and should be used where possible. The security technology (WEP, WPA, or WPA2) should be the same among all devices.
- Whenever possible, use the latest technology first (WPA2) and work backward until you find a compatible technology that all devices support.

MAC ID FILTERING

Media Access Control (MAC) address filtering is perhaps the oldest security method for an AP. It relies on the fact that almost every networkable device on the planet has a unique address. Devices are identified by their MAC. This address can be added to a table of addresses that the AP will allow. If the address is not in the table, it will be denied by default.

MAC ID filtering will limit access to a pre-defined list of devices. Sometimes it is the only security method that works with certain devices, as the devices themselves do not have any security configuration. One of the shortfalls of MAC ID filtering is that it is laborious to enter all of the MAC addresses into your AP. Additionally, a hacker can sniff out a permitted MAC address and then spoof their own address to match it, thus allowing them to access your network.

If there are many devices wishing to access the network, every one of these devices' MAC addresses will have to be registered with every WAP. This process can be labor-intensive, as each device's MAC must be loaded into the database. However, the majority of integrated routers (with AP) have the facility to poll the network for connected devices, harvest the MAC addresses, and allow the installer to individually permit or deny each device. The persistent hacker may still not be stopped, as a validated MAC address could be cloned onto an external device, defeating this automated authentication.

TRAFFIC FILTERING

Traffic filtering can control traffic entering or leaving the network. It can be used to permit or deny traffic to or from a specific MAC or IP address. Specific applications may be controlled using port numbers.
For example, traffic filtering might be used to deny telnet traffic destined for the authentication server, preventing an unauthorized party from connecting in an attempt to reconfigure its parameters.
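The MAC and traffic filtering described above amount to an ordered rule table that is evaluated with a default deny. The Python below is an added example written for this page, not code from CEDIA or from any router vendor; the rule format, the authentication server address 192.168.75.10, the MAC addresses and the sample packets are all constructed for illustration. It shows the telnet-to-authentication-server deny from the example above next to a MAC allow-list, and why the MAC half is only a convenience control.

```python
# Rule-based traffic filter of the kind described under MAC ID FILTERING and
# TRAFFIC FILTERING: permit or deny by source MAC, destination IP/network and
# destination port; first match wins, anything unmatched is denied.
# Added example, not code from the CEDIA paper; rules, addresses and packets
# are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TELNET_PORT = 23
HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff' and
    return the lower-case colon-separated form, so one device is never listed
    twice just because two tools printed its address differently."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(ch not in HEX for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_mac: Optional[str] = None   # source MAC to match, in any common format
    dst_net: Optional[str] = None   # destination host or network, e.g. "192.168.75.10/32"
    dst_port: Optional[int] = None  # destination TCP/UDP port

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields match anything."""
        if self.src_mac is not None and normalize_mac(self.src_mac) != normalize_mac(pkt.src_mac):
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_net, strict=False):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied, the
    'not in the table, denied by default' behaviour the MAC ID FILTERING section
    describes. The filter only sees the MAC a frame claims, so an allow-list is
    a convenience control, not proof of which device is really transmitting."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample policy: the authentication server (assumed address) must not
# receive telnet from anyone, and only the two listed devices may use the LAN.
AUTH_SERVER = "192.168.75.10"
SAMPLE_RULES = [
    Rule("deny", dst_net=f"{AUTH_SERVER}/32", dst_port=TELNET_PORT),
    Rule("permit", src_mac="00-11-22-33-44-55"),   # laptop, address read from its label
    Rule("permit", src_mac="0011.2233.aabb"),      # printer, address copied from its web UI
]

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "laptop telnet to auth server": Packet("00:11:22:33:44:55", "192.168.75.20", AUTH_SERVER, TELNET_PORT),
    "laptop https to auth server": Packet("00:11:22:33:44:55", "192.168.75.20", AUTH_SERVER, 443),
    "printer to file server": Packet("00:11:22:33:AA:BB", "192.168.75.30", "192.168.75.40", 445),
    "unknown device to file server": Packet("66:77:88:99:aa:bb", "192.168.75.99", "192.168.75.40", 445),
}


def evaluate_samples() -> dict:
    """Run every sample packet through the sample policy; returns name -> decision."""
    return {name: filter_packet(SAMPLE_RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{decision:6s}  {name}")
```

Because every rule field is optional, the same evaluator handles a pure MAC allow-list, a pure port filter, or combined rules, and rule order matters: the telnet deny sits first so that even a permitted laptop cannot reach the authentication server on port 23. The normalizer is there because installers copy MAC addresses from labels, web interfaces and sniffer output that all format them differently.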
06 AUTHENTICATION

Authentication is the process of permitting access using preset credentials, most commonly a username and password. On a wireless network, authentication must occur before the client is allowed to connect to the WLAN. While this process will not stop the interception of packets, it adds a significant level of security against the casual hacker. The two most common types of wireless authentication methods are open authentication and pre-shared keys (PSK).

OPEN AUTHENTICATION

By default, wireless devices do not require authentication; this is open authentication. This should only be used on public networks such as those at schools, coffee shops, airports, etc.

PSK

Using PSK, a device wishing to connect to the network sends a request to the AP, and the AP returns a challenge. The device then uses its PSK (which must match the key on the AP) to encrypt the challenge and returns it to the AP. The AP compares the encrypted reply to the original challenge, and if it matches, the connection process continues. If MAC address filtering is also enabled, authentication must occur first.

07 WIRELESS SECURITY PROTOCOLS

Security protocols are based on the lowest common denominator. Networks with legacy equipment may not be able to manage newer encryption protocols. When in doubt, use the most universal protocol, Wired Equivalent Privacy (WEP), to check the network security process, and then upgrade to the highest possible protocol.

REGULAR WEP

WEP was the first wireless encryption technology developed. Be careful of WEP passphrases, as they can easily be hacked. Because the length is a set standard (64-bit [10 ASCII characters] or 128-bit [26 ASCII characters]), a hacker can easily narrow his attack and break the password more quickly. With enough data, a hacker can use software that analyzes wireless traffic to identify the WEP key (which is used to encrypt the data and does not change).
If a WEP key is used, it should be strong, though there is little difference between the time it takes to crack a strong key and the time it takes to crack a weak one.

WPA VERSION 1 AND 2

Wi-Fi Protected Access (WPA) and the newer Wi-Fi Protected Access 2 (WPA2) are much more secure than WEP, as they use different encryption techniques. Furthermore, they allow a range of password lengths instead of the pre-set lengths of WEP. With WPA and WPA2, a password can be anywhere between 8 and 63 ASCII characters long. Most new devices support the WPA2 standard, and many manufacturers have allowed their devices to be compatible with WPA. So, for example, you can configure your AP for WPA2, but if the client only supports WPA, it will automatically fall back to that standard. As with any encryption, WPA and WPA2 take overhead and bandwidth, more so than WEP, but the benefits of WPA outweigh the overhead concerns.

WPA PSK is much more secure than WEP, as it uses Temporal Key Integrity Protocol (TKIP), which continuously changes the key used to encrypt the data. A PSK is used to initiate the connection. This should be a strong password. In the last few years, however, attackers have devised methods to hack into this.

WPA2 PSK. WPA2 is currently required for any new product to bear the Wi-Fi trademark. If all equipment on a wireless network supports WPA2 PSK, that standard should be used. Unfortunately, some current products and many legacy products do not support either WPA or WPA2. If any devices on the network do not support WPA2, consider placing the non-compliant devices on a separate VLAN which has restricted access to the rest of the network.

MANAGING SIGNAL STRENGTH

The network cannot be attacked if there is no wireless signal. Additionally, as signal strength decreases, so does network throughput. In balancing the need for a strong signal within the property with the need to minimize signal strength outside the property's boundary, consider the following:
- The use of directional wireless antennas can keep a strong signal within the boundary of the property while minimizing the signal outside of the property boundary.
- Many WAPs have the ability to work at a reduced transmission power.

The above solutions are best set up once the client has moved in and the property is fully furnished.

08 CONCLUSIONS

Security is one of the primary factors to be considered when planning a wireless network, alongside manageability, scalability, performance, and interoperability. The convenience and flexibility of wireless networking is becoming ubiquitous in the residential electronic systems industry. It is critical that personnel are aware of security threats and are properly trained to institute the necessary safeguards to protect the client's network, data, and equipment from unauthorized access. Incorrect configurations may expose the network to external access and may also reduce the overall performance of the network.

It is strongly recommended that key personnel gain training and certification. CEDIA University as well as industry manufacturers offer many courses in design, installation, and configuration.

09 INFORMATIVE REFERENCES

CEDIA EDUCATION

CEDIA offers a range of courses to give you the real-world knowledge and skills to be able to securely configure devices in an integrated IP environment in the home:
- EST233 Networking for Technicians
- EST243 IP for Technicians (Hands-On)
- EST333 Advanced Networking (Hands-On)
- EST350 Networking & IP Workshop for Integrators (Hands-On)
- EST253 Wireless Network Technologies
- ESD341 Designing Ethernet Networks

CISCO CERTIFICATION

Cisco education and certification offers the ideal progression from CEDIA courses for anyone interested in the application of enterprise best practices to the design and configuration of larger-scale networks in the home.
With the increasingly conflicting demands of high-bandwidth streaming, conferencing, low-latency control systems, and secure access, Cisco Certifications will quickly become a must-have in the skills armory of any residential electronic systems company.

10 APPENDIX A: WIRELESS STANDARDS

A number of standards have been developed to ensure that wireless devices can communicate. They specify the RF spectrum used, data rates, how the information is transmitted, and more. The main organization responsible for the creation of wireless technical standards is the Institute of Electrical and Electronics Engineers (IEEE). The IEEE 802.11 standard governs the WLAN environment. There are four amendments to the IEEE 802.11 standard that describe different characteristics for 802.11a, 802.11b, 802.11g and 802.11n. These technologies are referred to as Wi-Fi. The Wi-Fi Alliance is responsible for testing WLAN devices from different vendors. The Wi-Fi logo on a device means the equipment should be compatible.

802.11A:
- Uses 5 GHz RF spectrum
- Not compatible with the 2.4 GHz spectrum (802.11b/g/n devices)
- Range is approximately 33% that of 802.11b/g
- Relatively expensive to implement compared to other technologies
- Increasingly difficult to find 802.11a-compliant equipment
802.11B:
- First of the 2.4 GHz technologies
- Maximum data rate of 11 Mbps
- Range of approximately 46 m (150 ft) indoors / 96 m (300 ft) outdoors

802.11G:
- 2.4 GHz technology
- Maximum data rate increased to 54 Mbps
- Same range as 802.11b
- Backwards compatible with 802.11b

802.11N:
- 2.4 and 5 GHz technology
- Extends the range and data throughput
- Backwards compatible with existing 802.11g and 802.11b equipment (draft standard specifies 802.11a support)

11 APPENDIX B: DESIGN AND IMPLEMENTATION OF A WIRELESS SOLUTION

DETERMINE DEVICE LAYOUT, RANGE, AND SCOPE
- Bandwidth: How many simultaneous users are expected? What applications are expected?
- Coverage: Will range expansion be needed?
- Structural limitations: Determine the type of construction (look for potential signal blocking).
- Assess existing installation and equipment.

CONSTRUCT AN INSTALLATION AND SECURITY MODEL
- Determine equipment location.
- Determine the appropriate equipment.
- Determine the wireless standard.
- Document router/AP configuration.
- Establish name, admin password, SSID, wireless security protocols, and authentication.

SIMPLE CONFIGURATION CHECKLIST
- Change the factory default settings, including the admin password.
- Change the SSID and disable broadcast.
- Enable authentication with the highest compatible level of encryption.
- Use MAC address filtering.
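The hardening points from sections 03 to 05 and the configuration checklist above can be turned into a repeatable audit run against an exported configuration before the installer leaves the property. The Python below is an added example, not CEDIA's code; the flat key/value configuration format, the two sample configurations and the list of factory administrator names are assumptions made for illustration, since real routers export vendor-specific formats that would need their own parser.

```python
# Automated review of a router/AP configuration against the hardening points in
# sections 03 to 05 and the SIMPLE CONFIGURATION CHECKLIST.
# Added example, not from the CEDIA paper. The flat key/value configuration
# format, the factory-name list and both sample configurations are constructed.
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Administrator names that commonly ship as factory defaults (assumed list).
FACTORY_ADMIN_NAMES = {"admin", "administrator", "root", "user"}
# DHCP ranges most consumer routers ship with; section 04 recommends moving off them.
FACTORY_SUBNETS = {ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")}
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}

Finding = Tuple[str, str]   # (short code, explanation for the installer's report)


def audit_config(cfg: Dict[str, object]) -> List[Finding]:
    """Return the checklist items the configuration fails; an empty list means it passes."""
    findings: List[Finding] = []

    # Section 03: default administrator account, WAN-side management, ping, DMZ, port forwards
    if str(cfg.get("admin_username", "")).lower() in FACTORY_ADMIN_NAMES:
        findings.append(("DEFAULT_ADMIN_USER", "administrator username is a factory default"))
    if cfg.get("wan_remote_management"):
        findings.append(("WAN_REMOTE_MGMT", "router can be configured from its WAN (Internet) port"))
    if cfg.get("wan_respond_to_ping"):
        findings.append(("WAN_PING", "router answers ping from the Internet, making it easy to locate"))
    if cfg.get("dmz_host"):
        findings.append(("DMZ_ENABLED", f"DMZ routes all inbound traffic to {cfg['dmz_host']}"))
    for fwd in cfg.get("port_forwards", []):
        findings.append(("PORT_FORWARD", f"port {fwd['port']} is forwarded to {fwd['to']}; prefer a VPN"))

    # Section 04: still on the factory DHCP subnet
    subnet = cfg.get("lan_subnet")
    if subnet and ip_network(str(subnet), strict=False) in FACTORY_SUBNETS:
        findings.append(("DEFAULT_SUBNET", f"LAN uses factory subnet {subnet}"))

    # Section 05 and checklist: SSID broadcast, security mode, passphrase format
    if cfg.get("ssid_broadcast", True):      # broadcast is the factory default, so assume it if unset
        findings.append(("SSID_BROADCAST", "SSID broadcast is enabled"))
    mode = str(cfg.get("security_mode", "open")).upper()
    if mode in {"OPEN", "NONE", "WEP"}:
        findings.append(("WEAK_SECURITY_MODE", f"wireless security mode is {mode}"))
    elif mode != "WPA2":
        findings.append(("NOT_WPA2", f"{mode} in use; use WPA2 if every device supports it"))
    if mode.startswith("WPA"):
        psk = str(cfg.get("wpa_passphrase", ""))
        if not 8 <= len(psk) <= 63 or any(ch not in PRINTABLE_ASCII for ch in psk):
            findings.append(("PSK_FORMAT", "WPA/WPA2 passphrase must be 8 to 63 printable ASCII characters"))
    return findings


def failed_codes(cfg: Dict[str, object]) -> List[str]:
    """Just the codes, handy for a pass/fail summary line."""
    return [code for code, _ in audit_config(cfg)]


# Constructed "out of the box" configuration.
FACTORY_CONFIG = {
    "admin_username": "admin",
    "wan_remote_management": True,
    "wan_respond_to_ping": True,
    "dmz_host": "192.168.1.50",
    "port_forwards": [{"port": 23, "to": "192.168.1.50"}],
    "lan_subnet": "192.168.1.0/24",
    "ssid_broadcast": True,
    "security_mode": "WEP",
}

# Constructed configuration after applying the checklist.
HARDENED_CONFIG = {
    "admin_username": "cedia-installer-7f3",
    "wan_remote_management": False,
    "wan_respond_to_ping": False,
    "dmz_host": None,
    "port_forwards": [],
    "lan_subnet": "192.168.75.0/24",
    "ssid_broadcast": False,
    "security_mode": "WPA2",
    "wpa_passphrase": "Tango-Harbour-2014-Skylight",
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for code, text in audit_config(cfg):
            print(f"  [{code}] {text}")
```

Each finding maps back to one line of the paper, so the report doubles as the documentation the installation model asks for. The security-mode check deliberately treats WPA as a warning rather than a failure, matching the advice to start at WPA2 and work backward only as far as the client's devices require.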
12 APPENDIX C: ABBREVIATIONS USED IN THIS DOCUMENT

AP    Access Point
ISP   Internet Service Provider
LAN   Local Area Network
MAC   Media Access Control
PSK   Pre-shared Key
SSID  Service Set Identifier
VLAN  Virtual Local Area Network
WPA   Wi-Fi Protected Access
VPN   Virtual Private Network
WAN   Wide Area Network
WAP   Wireless Access Point
WEP   Wired Equivalent Privacy
TKIP  Temporal Key Integrity Protocol
STA   Wireless Network Client such as a laptop or PDA
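Returning to sections 06 and 07: the Python below is an added example, not code from the CEDIA paper, showing how a WPA/WPA2 passphrase of 8 to 63 ASCII characters becomes the 256-bit Pairwise Master Key (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as IEEE 802.11i specifies) and how a pre-shared key can answer a challenge without ever being transmitted. The AccessPoint and Station classes model the challenge/response flow from section 06 with an HMAC over a random nonce; that is a simplified illustration of the principle, not the real 802.11 four-way handshake, and the SSID and passphrase used in the demo are constructed.

```python
# WPA/WPA2-Personal passphrase handling and a PSK challenge/response, as an added
# example for sections 06 and 07 of the CEDIA paper (not the paper's own code).
# validate_passphrase and derive_pmk follow IEEE 802.11i (8 to 63 ASCII characters;
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)).
# AccessPoint/Station use an HMAC over a fresh nonce to illustrate "encrypt the
# challenge with the PSK and send it back"; this is NOT the 802.11 4-way handshake.
import hashlib
import hmac
import os
from typing import Dict


def validate_passphrase(passphrase: str) -> None:
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII characters")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal. The SSID is the salt, so the
    same passphrase on two differently named networks gives two different keys."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


class AccessPoint:
    def __init__(self, ssid: str, passphrase: str) -> None:
        self.pmk = derive_pmk(passphrase, ssid)
        self._pending: Dict[str, bytes] = {}   # client id -> outstanding nonce

    def challenge(self, client_id: str) -> bytes:
        """Issue a fresh random nonce; a new one per attempt stops replay of old answers."""
        nonce = os.urandom(16)
        self._pending[client_id] = nonce
        return nonce

    def verify(self, client_id: str, response: bytes) -> bool:
        """Recompute the expected answer from our own copy of the key and compare in
        constant time. The nonce is consumed whether or not the check passes."""
        nonce = self._pending.pop(client_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self.pmk, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Station:
    def __init__(self, ssid: str, passphrase: str) -> None:
        self.pmk = derive_pmk(passphrase, ssid)

    def respond(self, nonce: bytes) -> bytes:
        """Key the challenge with the PMK; only this digest ever crosses the air."""
        return hmac.new(self.pmk, nonce, hashlib.sha256).digest()


def authenticate(ap: AccessPoint, sta: Station, client_id: str = "sta-1") -> bool:
    """Full exchange: request -> challenge -> keyed response -> verdict."""
    nonce = ap.challenge(client_id)
    return ap.verify(client_id, sta.respond(nonce))


if __name__ == "__main__":
    ap = AccessPoint("HomeNet", "correct-horse-battery-staple")   # constructed SSID and passphrase
    print("matching passphrase:", authenticate(ap, Station("HomeNet", "correct-horse-battery-staple")))
    print("wrong passphrase:   ", authenticate(ap, Station("HomeNet", "correct-horse-battery-stable")))
```

Two points worth noting for the installer. First, the derivation needs only the SSID and the passphrase, both of which the paper says can be recovered from captured traffic, which is exactly why section 07 insists the PSK "should be a strong password": the passphrase, not the protocol, is what an offline guess has to defeat. Second, the nonce is consumed on first use, so a captured response is worthless a second time; an authentication scheme that reused its challenge would be no better than sending the key itself.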