APPENDIX E
SECURITY
Revised: 1 Aug 05 APX E-1 EST P/N AA107G
OVERVIEW
The security for the ESTeem Model 195Eg, like all network security, must be multi-layered. One level of security is never enough
to make sure that data does not end up in the wrong hands. Please review the following security levels and decide what is the most
appropriate for your network.
128-BIT WEP
128-bit WEP uses a particular algorithm called RC4 encryption to encode and decode traffic, based on a 104-bit encryption
key and a 24-bit Initialization Vector (IV). RC4 starts with a relatively short encryption key (104 bits) that is expanded into a
nearly infinite stream of keys to accompany the stream of packets.
The basic concept of RC4 is good, but the way it’s implemented in WEP leaves it open to compromise. The researchers who test
the integrity of the system usually focus on one piece of the implementation, the Initialization Vector (IV).
The IV (24 bits) is the algorithm component that’s supposed to keep expanded keys from repeating. From the researcher’s point
of view, a high-volume access point is mathematically guaranteed to reuse the same key stream at least once a day. When this
happens, it’s called an IV collision, and it becomes a soft spot through which to enter the system.
The researchers aren’t saying that it’s easy to break into the system, or that it’s being done on a regular basis, only that it is
possible and that administrators should consider ways to reduce the possibility.
WPA
Wi-Fi Protected Access with Preshared Key (WPA PSK)
WPA, which uses 802.1x, was introduced in 2003 to improve on the authentication and encryption features of WEP. All
authentication is handled within this access point device. WPA has two significant advantages over WEP:
1. An encryption key differing in every packet. The TKIP (Temporal Key Integrity Protocol) mechanism shares a starting
key between devices. Each device then changes its encryption key for every packet. It is extremely difficult for hackers
to read messages even if they have intercepted the data.
2. Certificate Authentication (CA) can be used, blocking a hacker posing as a valid user.
Wi-Fi Protected Access with Enterprise Server (WPA Enterprise)
Like WPA PSK, WPA Enterprise uses 802.1x. However, a backend authentication server handles the authentication decision. The
most common type of authentication server is a RADIUS server. The ESTeem Model 195Eg can be configured to operate with
an established RADIUS server on the network.
WPA is a server/client relationship from a software driver on a computer’s wireless LAN (WLAN) card to an Access Point. The
scope of WPA is limited in use to this configuration only. The ESTeem Model 195Eg can support WPA Enterprise and PSK as an
Access Point, but the level of security on the Bridging layer is configured separately.
ACCESS CONTROL LIST (ACL)
The ACL is one of the simplest yet most secure methods of network security. The ACL is a configurable MAC filter in the Model
192E that can be set to allow specific MAC addresses on the wireless network by individual address or address ranges. The same
filter can also be set to reject individual MAC addresses or address ranges.
The MAC address is a unique, 6 hexadecimal field address assigned at the manufacturer that cannot be changed. The MAC
address is traceable through the IEEE governing body to the manufacturer and is the “fingerprint” for all Ethernet devices.