How to cheat at securing a wireless network, Part 2

Wireless Security • Chapter 2

Figure 2.4 Enable WEP on the WRT54G

Figure 2.5 The WEP Keys Window

Next, select the key (1–4) that you will initially use by choosing the appropriate radio button next to Default Transmit Key. Finally, click Save Settings in the Wireless Security tab to save your settings.

www.syngress.com

SOME INDEPENDENT ADVICE

Some people will argue that WEP is a “broken” standard and should not be used. Yes, WEP is an easy protocol to hack and allows intruders to gain the encryption key to your wireless network using tools included in the Aircrack suite. However, due to wireless connections by other devices (game consoles, PDAs, and the like), you may be forced to use WEP instead of the more secure WPA. Remember that no security is bad security, and that something is always better than nothing. Enabling WEP encryption on your network may be the difference between your network or your unencrypted neighbor’s being hacked.

Enabling Wi-Fi Protected Access

An alternative and more secure approach to wireless security on an access point is to use Wi-Fi Protected Access, or WPA. WPA uses an improved encryption process based on the Temporal Key Integrity Protocol (TKIP). TKIP jumbles the keys and incorporates an integrity-checking feature to ensure that the keys have not been tampered with. WPA also includes client authentication via the Extensible Authentication Protocol (EAP). EAP uses a public key encryption mechanism to ensure that only authorized systems have access to the access point.

In late 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified the 802.11i specification, more commonly referred to as WPA2. WPA2 uses AES as the encryption standard, whereas WPA uses the TKIP standard. This is not to say that WPA is not secure but to acknowledge that wireless security is ever changing.
WPA2 also supports a personal authentication implementation (PSK) and an enterprise authentication implementation (RADIUS). This chapter focuses on the WPA standard.

Log in to the WRT54G and click the Wireless tab. Click the Wireless security subtab to enable WPA. From the drop-down list, choose WPA-Personal, as shown in Figure 2.6.

Figure 2.6 The WRT54G WPA Setup Screen

Leave the WPA algorithm as TKIP. Enter a shared key of between 21 and 63 characters in the WPA Shared Key: text box. Leave the Group Key Renewal at its default of 3600 seconds (see Figure 2.7).

Figure 2.7 WPA Shared Key

Click Save Settings to save the WPA settings on the WRT54G. It is still a good idea to follow the previous security steps to enable wireless MAC filters and disable the SSID broadcast. Be careful not to set the SSID to anything personal to you, such as your phone number, home address, or name.

Filtering by Media Access Control (MAC) Address

After you have set a unique SSID, disabled SSID broadcast, and enabled WEP encryption, you need to filter access to the WRT54G by MAC address. Filtering access to the access point allows only those MAC addresses specified in the list the ability to access the wireless network. First, from the main Wireless tab, click the Wireless MAC Filter tab to display the option to enable or disable Wireless MAC filtering (see Figure 2.8).

Figure 2.8 The Wireless MAC Filter screen

Next select Enable from the Wireless MAC Filter radio buttons. This will reveal the MAC filter options, as shown in Figure 2.9.

Figure 2.9 The Wireless MAC Filter Options

Choose the Permit Only PCs listed to access the wireless network radio button, and click the Edit MAC Filter List button to display the MAC Address Filter List window (see Figure 2.10).
Figure 2.10 The MAC Address Filter List Window

In the provided text boxes, enter the MAC addresses of wireless clients that are allowed to access your wireless network, and then click Apply, as shown in Figure 2.11.

Figure 2.11 Enter Allowed MAC Addresses

Finally, click Save Settings in the Advanced Wireless window to save your settings and enable filtering by MAC address. Keep in mind that this should not be the only security measure implemented. Using various tools in Windows and/or Linux, it is easy for an attacker to spoof his or her local MAC address to gain access to your wireless network.

SOME INDEPENDENT ADVICE

Finding your MAC address is a simple process with any operating system. Using Windows XP, from a command line, you can type:

    ipconfig /all

to show the MAC address of the installed network devices. Linux makes the process just as simple. From a terminal window, type:

    ifconfig -a

and find the HWaddr for the requested network interface. This is the MAC address.

Enabling Security Features on a D-Link DI-624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch

Although Linksys has a sizable share of the home access point market, D-Link also has a large market share. D-Link products are sold at most big computer and electronics stores such as Best Buy and CompUSA. This section details the steps you need to take to enable the security features on the D-Link 624 AirPlus 2.4GHz Xtreme G Wireless Router with Four-Port Switch. The DI-624 is an 802.11g access point with a built-in router and switch, similar in function to the Linksys WRT54G.

Setting a Unique SSID

The first security measure to enable on the D-Link DI-624 is setting a unique SSID. First you need to log into the access point. Configure your local workstation with a static IP in the 192.168.0.0/24 subnet and point your browser to 192.168.0.1. Use the username admin with a blank password to access the initial setup screen (see Figure 2.12).
Figure 2.12 The D-Link DI-624 Initial Setup Screen

Next click the Wireless button on the left side of the screen to bring up the Wireless Settings screen, as shown in Figure 2.13.

Figure 2.13 The Wireless Settings Screen

In the SSID textbox, enter a unique SSID, as shown in Figure 2.14, and click Apply to save and enable the new SSID.

Figure 2.14 Set a Unique SSID

Disabling SSID Broadcast

After you have set a unique SSID, enabled 128-bit WEP, and filtered access by MAC address, you need to disable SSID broadcast. From the Advanced Features screen, click the Performance button, as shown in Figure 2.15.

Figure 2.15 The Advanced Performance Options

Select the Disabled radio button next to SSID Broadcast, and click Apply to save your settings, as shown in Figure 2.16.

Figure 2.16 Disabling SSID Broadcast

Enabling Wired Equivalent Privacy

After you have set a unique SSID, you will need to enable 128-bit WEP encryption. First, choose the Enabled radio button next to WEP, as shown in Figure 2.17.

Figure 2.17 Enable WEP

Next choose 128Bit from the WEP Encryption drop-down box, as shown in Figure 2.18.

Figure 2.18 Require 128-Bit WEP Encryption

Then you need to assign a 26-character hexadecimal number to at least Key1 (see Figure 2.19). A 26-digit hexadecimal number can contain the letters A–F and the numbers 0–9.

Figure 2.19 Assign WEP Keys

Finally, after you have assigned your WEP keys, click Apply to save your settings. Any wireless clients that connect to the DI-624 must be configured to use this WEP key.
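An added example, not from the book: a Python check of the key material the steps above ask for (a 26-digit hexadecimal WEP key and a WPA shared key), together with the standard WPA-PSK derivation, PBKDF2-HMAC-SHA1 with the SSID as salt, which shows that the SSID you choose becomes part of the key. The function names and the sample SSIDs and passphrases are assumptions constructed for illustration.

```python
import hashlib
import secrets
import string

HEX_DIGITS = set(string.hexdigits)
# Printable ASCII (space through tilde) is what a WPA passphrase may contain.
PRINTABLE = {chr(c) for c in range(32, 127)}


def is_wep128_key(key):
    """26 hex digits = 104 secret bits; WEP's 24-bit IV makes up the '128'."""
    return len(key) == 26 and set(key) <= HEX_DIGITS


def new_wep128_key():
    """Random 26-hex-digit key drawn from the OS CSPRNG."""
    return secrets.token_hex(13).upper()


def check_wpa_passphrase(passphrase, min_len=8):
    """Return a list of problems; an empty list means acceptable.

    8-63 is the WPA-PSK limit; pass min_len=21 to apply the longer
    minimum this chapter recommends for the WRT54G shared key.
    """
    problems = []
    if not min_len <= len(passphrase) <= 63:
        problems.append(f"length {len(passphrase)} outside {min_len}-63")
    if not set(passphrase) <= PRINTABLE:
        problems.append("contains non-printable or non-ASCII characters")
    return problems


def wpa_psk(passphrase, ssid):
    """256-bit PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if check_wpa_passphrase(passphrase):
        raise ValueError("invalid WPA passphrase")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


if __name__ == "__main__":
    print("WEP key:", new_wep128_key())
    # Constructed samples: one passphrase, two SSIDs, two different keys.
    for ssid in ("linksys", "attic-ap-7"):
        print(ssid, wpa_psk("correct horse battery staple", ssid))
    print(check_wpa_passphrase("short", min_len=21))
```

Because the SSID salts the derivation, the same passphrase on a factory-default SSID yields the same key on every such network, which is one practical reason for the unique SSID step.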
Enable Wi-Fi Protected Access

To enable WPA on the access point, on the left side of the screen click the Wireless button. To enable WPA, click the radio button labeled WPA-PSK next to the Authentication option (see Figure 2.20).

Figure 2.20 Enabling WPA

Enter a passphrase into the Passphrase text box, and retype the passphrase in the Confirmed Passphrase text box to verify it, as shown in Figure 2.21. Click Apply to confirm the settings and enjoy added wireless security protection!

Figure 2.21 WPA Passphrase

Filtering by Media Access Control Address

After you have set a unique SSID and enabled 128-bit WEP encryption, you should filter access to the wireless network by Media Access Control (MAC) address. First click the Advanced tab, as shown in Figure 2.22.

Figure 2.22 The Advanced Options Screen

Next click the Filters button on the left side of the screen, as shown in Figure 2.23.

Figure 2.23 The Advanced Filters Options

Then choose the MAC Filters radio button. This makes the MAC filtering options visible, as shown in Figure 2.24.

Figure 2.24 The MAC Filtering Options

Finally, select the Only allow computers with MAC address listed below to access the network radio button and enter the MAC address of each client card that is allowed to access the network. You must also enter a descriptive name of your choice for each client in the Name text box (see Figure 2.25). Note that you must click Apply after each MAC address entered.

Figure 2.25 Filter by MAC Address

Enabling Security Features on Apple’s Airport Extreme 802.11g Access Point

In early 2003, Apple released the Airport Extreme base station to the masses, supporting the 802.11b and 802.11g protocols. Even though this access point was released as an Apple product, it fully supports Apple, Windows, and Linux clients running WEP or WPA encryption.
Configuring the Airport Extreme is usually done from an Apple, whether a Powerbook, iBook, or MacBook. Apple provided applications for configuring the Airport for Windows-based operating systems, but it is a much easier process from an Apple workstation. This section focuses on configuring the Airport Extreme from an Apple Powerbook G4.

Connecting to the AirPort Extreme and Setting a Unique SSID

The easiest way to connect to the Airport is via the wireless connection. Ensure that your wireless card is enabled by clicking the wireless symbol at the top right of the screen and clicking Turn AirPort On, as shown in Figure 2.26.

Figure 2.26 Enabling the AirPort Card on the Apple PowerBook

Once you enable the Airport card, you can reclick the wireless symbol and see any access points broadcasting in your area. We want to click the Apple Network ###### listing to connect to our AirPort (see Figure 2.27).

NOTE

To ensure that you are connecting to the correct access point, verify that the network number listed in the drop-down list matches the last six characters of your Airport ID, located on the access point itself.

Figure 2.27 Connect to the Appropriate Airport Access Point

Once you have connected to the Airport, you will use the AirPort Admin Utility in Mac OS X to configure the Airport. Launch the AirPort Admin Utility by clicking the Finder, then Applications | Utilities | AirPort Admin Utility (see Figure 2.28). This series of clicks will open the AirPort Admin Utility. Click Rescan to locate the Airport if it does not automatically populate the window after a few seconds.

Figure 2.28 Launching the Admin Utility and Finding the Airport Base Station

Click the appropriate base station, and click Configure to enter the base station properties (see Figure 2.29).
Setting a Unique SSID

At the main properties screen, we will set the SSID by changing the Name text box, under the AirPort Network heading. Type in the SSID, remembering not to include any personal information such as address as part of the SSID. At this point, it would also be a good idea to change the Name of the Airport under the Base Station heading, to obfuscate the fact that this is an Apple Airport product (see Figure 2.30). Click Update to save the SSID.

Figure 2.29 Airport Default Properties

Figure 2.30 Setting the SSID

Disabling SSID Broadcast

To disable the broadcast of the Airport’s SSID, click the Create a closed network check box. This will not allow the SSID to be broadcast to clients. You will be prompted on whether or not to disable the broadcast. Click OK. However, any client authorized to connect to the Airport must know the SSID beforehand to make the connection (see Figure 2.31).

Figure 2.31 Disabling the SSID Broadcast

Setting a Password on the Airport

Because the Airport is in a default configuration, it is wise to set a password on the Airport to prevent anyone from making unauthorized changes. From the main base station properties window, click the Change Password… button and enter and confirm a password for the Airport. Click OK to set the password. Click Update to save the changes to the Airport (see Figure 2.32).

Figure 2.32 Setting a Password on the Airport

Enabling Wired Equivalent Privacy

To enable WEP on the Airport, click the Change Wireless Security… button to open the Properties dialog box (see Figure 2.33).

Figure 2.33 WEP Default Setting

Click WEP from the drop-down menu. You will be presented with the options to add your encryption key. Type in an encryption key that is not easily guessable, and retype the key to confirm.
Ensure that the Encryption Type: is set to 128 bit WEP, and click OK to enable WEP encryption (see Figure 2.34).

Figure 2.34 Configuring a WEP Encryption Key

Anyone who attempts to connect to this access point will now be required to enter the encryption key to make the connection.

Enabling Wi-Fi Protected Access

Enabling WPA on the Airport is just as simple as enabling WEP encryption. From the main setup screen, click the Change Wireless Security… button to open the Wireless Security dialog box. Change the Wireless Security: drop-down list to WPA2 Personal (see Figure 2.35).

Figure 2.35 WPA Settings

Ensure that the Password option is set, and enter a password or passphrase of between 8 and 63 ASCII characters. The Encryption Type: may be left at the default WPA and WPA2 option to allow both WPA and WPA2 connections. If only WPA clients or only WPA2 clients will be connecting, you may change this option to reflect that fact. Leave the Group Key Timeout: at its default of 60 minutes. Click OK to save the settings and enable WPA (see Figure 2.36).

Figure 2.36 Entering the WPA Password

Filtering by Media Access Control Address

To prevent connections to the Airport by workstations not authorized to do so, enable filtering by the MAC address. The MAC address of the connecting wireless