Security Design
Security is the most important concern in developing these requirements for your wireless infrastructure. As requirements change and networking improves in step with the evolution from 802.11b to 802.11a and beyond, understanding the dynamics of providing a secure access conduit is essential to providing speed tempered with access for authorized personnel only.
When creating your wireless infrastructure, by default, systems are designed to be "open" so that any wireless station in range of the transmitter can "roam" right onto your network. From a security standpoint this is dangerous because someone could easily try to access your system from the parking lot of your building.
You can design your system with wireless routers and access points that are easily configured to accept only transmissions from wireless stations that have been preauthorized to join your network.
Just as the Dynamic Host Configuration Protocol (DHCP) server in a wired network assigns a static IP address to a specific workstation, wireless LANs can be configured in much the same way. The configuration dialog in most products permits an administrator to enter into the memory of the router the MAC address (a unique identifier for each wired or wireless network interface card) of each card. This means that only those stations flagged for access can roam onto the network. Any station that has not been authorized will not be able to join the system.
This still leaves eavesdropping as a problem for most wireless infrastructures. In the 802.11b framework, the 2.4-GHz frequency spread is common enough that almost anyone can get a device to eavesdrop on the signal. However, since 802.11a operates in the unlicensed portions of the 5-GHz band, eavesdropping in that frequency range is much more difficult.
Nevertheless, the question of preventing eavesdropping in the 802.11b area is the most common problem. What users can do is create a virtual private network (VPN) to mission-critical network resources when connecting wirelessly. In combination with the default level of wireless encryption, the VPN will add another layer of encryption, making it difficult if not impossible for a hacker to eavesdrop on the signal. If he were to decipher your wireless encryption scheme, then there would still be another level of decryption necessary before viewing any of the information in the wireless stream.
Monitoring Activity
One of the best tools to use to maintain your wireless infrastructure security is not any tool, but actual human intervention. The best way to defend your network infrastructure from attack is to have an actual person review the access logs and access attempts into your WLAN. If it appears that someone is gaining access to network resources at off hours or is attempting to break a password, you will be able to determine this in a relatively short period of time.
Once you can determine if someone is attempting to gain access to your systems, you can use techniques to triangulate the signal of the person attempting to break into your network. For example, you can trace the signal back to an attacker sitting in his car right outside your building, and the police can make an arrest.
There are even law enforcement agencies that can take the uncorrupted access logs from your access point and use that information as a vehicle for prosecuting would-be attackers on your system. The logs must be "uncorrupted" because intruders can rewrite or modify them so that the information is inconclusive and cannot be used against someone for prosecution. This is why early detection is the most important element in making certain that your wireless infrastructure remains secure and private.
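To support the manual log review described in this section, here is an added example (not part of the original tutorial) that flags off-hours access and repeated authentication failures for a person to follow up on. The log format, event names, business hours, and failure threshold are all assumptions; adapt them to what your access point actually records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO time> <EVENT> <MAC>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 ASSOC_OK 00:11:22:33:44:55
2024-03-04T23:41:10 AUTH_FAIL 66:77:88:99:aa:bb
2024-03-04T23:41:25 AUTH_FAIL 66:77:88:99:aa:bb
2024-03-04T23:41:40 AUTH_FAIL 66:77:88:99:aa:bb
2024-03-05T02:30:00 ASSOC_OK 00:11:22:33:44:55
2024-03-05T10:00:00 AUTH_FAIL 00:11:22:33:44:55
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(\S+) (ASSOC_OK|AUTH_FAIL) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 local time
FAIL_THRESHOLD = 3                   # assumption: failures within the window
FAIL_WINDOW = timedelta(minutes=5)   # assumption

def review(log_text):
    """Return (findings, unparsed) so a reviewer sees both alerts and gaps."""
    findings, unparsed = [], []
    failures = defaultdict(list)     # MAC -> failure timestamps inside the window
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            ts = datetime.fromisoformat(m.group(1)) if m else None
        except ValueError:
            ts = None
        if ts is None:
            unparsed.append(line)    # keep unreadable lines visible, never drop them
            continue
        event, mac = m.group(2).upper(), m.group(3).lower()
        if event == "ASSOC_OK" and ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_access", mac, ts))
        elif event == "AUTH_FAIL":
            recent = [t for t in failures[mac] if ts - t <= FAIL_WINDOW] + [ts]
            failures[mac] = recent
            if len(recent) == FAIL_THRESHOLD:   # report when the threshold is reached
                findings.append(("repeated_auth_failure", mac, ts))
    return findings, unparsed

if __name__ == "__main__":
    for kind, mac, ts in review(SAMPLE_LOG)[0]:
        print(f"{ts.isoformat()} {kind} {mac}")
```

Unparsed lines are returned rather than discarded because a log that suddenly stops parsing can itself indicate tampering.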