Installing, Troubleshooting, and Repairing Wireless Networks phần 6 pot

Document information: 41 pages, 466.15 KB.
Contents

Figure 11.14 You can change the wireless network configuration by selecting the Networks menu option.

Selecting the Profiles option from the Odyssey Client Manager lets you choose from available profiles. Once one of the profiles is selected, as in Figure 11.15, you can determine how it will be used to interact with the Odyssey server. Finally, you can add or review the servers your client trusts for authentication and connection (the servers it holds certificates from) by selecting Networks from the menu (see Figure 11.16).

When you first attempt a connection to your newly secured wireless network, you will see a password dialog pop-up. If you are using Windows server log-on to complete the authentication process, use your Windows network password. Your Windows log-on name is already provided to the program from the username you logged onto your PC with. You will not see the log-in prompt again until your current authentication session has expired, requiring you to validate your log-on again with your password. This is a typical and expected feature, essentially logging you off the network connection if you have been away from your computer for a length of time, to reduce intrusions.

Chapter 11 (p. 190)

Figure 11.15 The typical profile is to use the Windows server password for authentication.

Figure 11.16 Networks your client trusts for wireless connections are shown in the Networks dialog.

Wireless Access and Security Solutions (p. 191)

WiMetrics: WiSentry Installation

WiSentry is a wireless network security monitoring tool that creates a bridge between your intended wireless LAN setup and your wired LAN. In addition to creating a bridge, it provides a sentry, or access control point, on the wireless side of the bridge to either allow or deny specific wireless devices access to the wired LAN on the other side.
It is suggested that you dedicate a Windows 2000 server to this task rather than simply adding another network card to an existing server, because any unlikely security gap at the wireless side could expose data on this server. Such a server should not be a Domain Controller in an Active Directory infrastructure, nor should it have any file or resource sharing enabled that might expose data files or access control lists. Figure 11.17 shows the basic configuration for this system integrated into your existing network.

Figure 11.17 How WiSentry integrates onto an existing wireless LAN.

You will need a few things to get started:

■ An adequate hardware platform to support Windows 2000 Server software and multiple network cards, at a minimum:
– Typically a 333 MHz or better Pentium II, III or IV system
– 128–256 megabytes of RAM
– 4 to 6 gigabytes of hard drive space
– Two 10/100 BaseT network cards installed
■ Windows 2000 Server, or Advanced Server software. Windows 2000 Professional and XP are also supported for WiSentry installations.
■ A DHCP server on the wired side of your network; this can be the server on which you are installing WiSentry.
■ A wireless access point; an Orinoco AP-2000 or equivalent commercial unit is recommended.
■ Wireless client PC or laptop running Windows 98, Me, 2000, or XP, and a wireless adapter.
■ WiSentry software.

Windows 2000 Server Configuration

Start with a basic Windows 2000 Server configuration. Do not install (or disable) Internet Information Server components and Routing and Remote Access, unless you will integrate them into a WLAN portal or provide an underlying login access control. If you do use Routing and Remote Access features, be aware that the server will then contain user access information you probably do not want to expose should the wireless connection be compromised. IIS is fraught with security holes and is simply not an application or service I would want exposed to unforeseen compromises.
As you install Windows 2000 Server, or after the installation is complete, configure the network connections as follows:

■ Determine which LAN card will connect to the wired LAN and which will be used for the wireless access points.
■ Provide fixed IP addresses within your wired LAN subnet to each of the LAN cards.
■ You may wish to configure a specific subnet for wireless services, and configure this into your internal router as well.
■ Set the Gateway addresses for each card to the address of your internal router.
■ Configure DNS addresses.
■ Configure WINS server address as appropriate.
■ Configure this server to provide DHCP addresses for the wired LAN subnet. This is optional if you already have a DHCP server on the wired network.

With this basic configuration in place, connect your wireless access point to the LAN card assigned to this purpose, and the wired LAN to the LAN card assigned to it. Next, configure your access point, providing the following:

■ A fixed IP address
■ Gateway address for the wired LAN
■ SSID for the access point
■ If available, do not enable DHCP from the access point; DHCP will pass through to the server or wired LAN
■ Type of security you wish to use; conventional security methods are supported once wireless clients or additional access points are authorized access through the bridge
■ WEP keys, if appropriate

WiSentry Installation and Use

The WiSentry installation is straightforward, beginning with a normal Windows installation process, followed by installation of Sun's Java Runtime Environment. A reboot of the server is required to complete the installation and activate the bridge service. Once the server reboot is complete, the installation finishes, and you are ready to run the WiSentry administrative program, which serves as the access control point and alerting mechanism for wireless clients.
When run, the WiSentry administrative program (shown in Figure 11.18) begins to sniff the networks for access points. Discovered access points appear on a listing of Active devices. Viewing this list shows you all known wireless devices and what type of device they are, along with the device's MAC address and any IP addresses assigned to them. Color coding indicates whether they are unauthorized or authorized. Initially all found devices except the bridge service are color-coded red to indicate they are unauthorized. Your first action will be to identify which device is your access point, then authorize it so it can be used to pass wireless clients to the wired LAN. This is done by selecting Authorize from the Action item on the top menu bar of the program. Once the access point is authorized, you can evaluate all wireless client devices and choose whether or not to authorize them for LAN access.

Wireless client devices will be able to associate with an access point but will not be able to obtain an IP address from, or access, the wired LAN until they are authorized. This enforces that you must know which wireless devices exist and be able to identify them by MAC address or host name before authorizing them for LAN access.

You can leave WiSentry running smoothly by itself, checking every so often for rogue access points and new wireless clients wandering around in range of the WLAN, but you will probably want to set some alarms to pop up and alert you to any new activity. Figure 11.19 shows the alert configuration screen, with the types of possible intrusions that can be detected and how you want to be notified of them. You can configure the alarms and monitor the system on a separate workstation rather than just the server. As shown in Figure 11.20, when an intruder, an unauthorized access point, or a wandering client tries to communicate with your network, you will get a pop-up dialog and a list of devices and their classification.
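The authorize-by-MAC workflow described above, as an added example that is not WiSentry's own code: discovered devices start out unauthorized, an administrator authorizes the access point and then individual clients, unauthorized devices raise "rogue access point" or "unknown wireless client" alerts, and a client only passes the bridge once both it and an access point are authorized. The device records and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample of a discovery listing (kind, MAC, IP); not real hardware.
DISCOVERED = [
    {"kind": "access point", "mac": "00-11-22-AA-BB-01", "ip": "192.168.5.2"},
    {"kind": "client", "mac": "00:11:22:aa:bb:10", "ip": None},
    {"kind": "access point", "mac": "00:11:22:aa:bb:99", "ip": None},
]


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-11-22-AA-BB-01 equals 00:11:22:aa:bb:01."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Sentry:
    """Access-control point on the wireless side of the bridge (hypothetical model)."""
    authorized: set = field(default_factory=set)

    def authorize(self, mac: str) -> None:
        self.authorized.add(norm_mac(mac))

    def deny(self, mac: str) -> None:
        self.authorized.discard(norm_mac(mac))

    def status(self, dev: dict) -> str:
        # Everything is red (unauthorized) until an administrator authorizes it.
        return "authorized" if norm_mac(dev["mac"]) in self.authorized else "unauthorized"

    def may_pass_bridge(self, dev: dict, devices: list) -> bool:
        """A client may associate with an AP but gets no DHCP lease or wired-LAN
        access until it is authorized and an authorized AP exists to carry it.
        Note: a MAC allowlist identifies a device; it does not authenticate it,
        so it complements (not replaces) the AP's own security settings."""
        ap_ok = any(d["kind"] == "access point" and self.status(d) == "authorized"
                    for d in devices)
        return dev["kind"] == "client" and self.status(dev) == "authorized" and ap_ok

    def alerts(self, devices: list) -> list:
        """One alert tuple (type, mac, ip) per unauthorized device, as the pop-up would list."""
        out = []
        for d in devices:
            if self.status(d) == "unauthorized":
                kind = "rogue access point" if d["kind"] == "access point" else "unknown wireless client"
                out.append((kind, norm_mac(d["mac"]), d["ip"]))
        return out
```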
Figure 11.18 The WiSentry administrative program is where active wireless devices are detected, reported, and authorized or denied access to the wired LAN.

Figure 11.19 Alert configuration in WiSentry provides options for the type of possible intrusion you wish to be notified of and how.

Figure 11.20 The WiSentry alert pop-up tells you what type of device is connecting to your WLAN or if rogue access points have been connected.

Once you receive an alert you will want to review the Unauthorized Devices portion of the administrative screen to get more information about the identity of the intruding device (Figure 11.21) and then authorize it if appropriate.

Figure 11.21 WiSentry provides the name, MAC address, and IP address of unauthorized devices so you can identify them and determine whether you wish to allow them access to your network resources.

As you can see, WiSentry packs a lot of work behind the scenes and makes it easy to deal with WLAN security and access issues.

ISS: Wireless Scanner

While you can control access to and through your WLAN, and you can see which devices are trying to connect to it, it is still a good idea to know how your WLAN security configuration appears from the inside out. Internet Security Systems has produced a wireless version of their network security scanning software. First, ISS is intended to be installed on a system with a PC Card WLAN adapter, so a laptop or desktop with a PC Card adapter is required. Using a laptop allows you to roam about and get close to access points and sniff out unknown or rogue APs. Once installed you should run its driver configuration program to get a driver in place that will allow the scanning software to properly control the WLAN card and take in everything in the air.
This driver will likely render the card unable to connect with your present network, and the driver configuration program allows you to switch back to the LAN-functional driver as needed. Once the sniffing driver is ready to go you can begin taking live scans of the airwaves around you. Data is collected and presented in three different views: the first (Figure 11.22) is of detected access points, the second (Figure 11.23) is of detected vulnerabilities, and the third (Figure 11.24) is of detected wireless clients. The MAC or hardware address for each device makes it somewhat easier to identify the device.

Figure 11.22 The ISS Wireless Scanner summary listing of discovered access points shows MAC address, channel used, signal strength, and time detected.

Figure 11.23 The Vulnerabilities view in Wireless Scanner gives a summary listing of potential issues and their severity.

These views are simply summary listings of what has been detected. Once you have collected a data sampling, go to the Reports menu selection and create one of several available reports to understand the WLAN environment, have an inventory of the devices, and an assessment of any vulnerability issues. A sample report of technical details is shown in Figure 11.25. The Technical Details report breaks down everything known about detected devices and the vulnerabilities found in them. This report will give you the call to action to begin securing your network. The two most common issues you will find in most WLAN setups are an access point that does not require encryption and an access point that broadcasts its SSID, which can identify the owner or location of that particular access point.

Posted: 10/08/2014, 12:21