On 17 Apr 2006 at 21:21, Jacqueline MacWhirter wrote:
> How do you stop someone from using your internet resource? How can you block
> them? I was asked this tonight. For example, suppose someone had a
> wireless laptop and tapped into your internet resources -- you have high
> speed cable -- how could you block them? Thank you, Jacqueline MacWhirter

In order for this scenario to occur, you would need to have not only high
speed cable, but *also* some way of sharing that resource (a router or a
machine with ICS enabled) and wireless access to your LAN (via the router,
or ICS on a machine with a wireless NIC, or a wireless AP (access point)).

So then the question becomes: If I allow wireless access to my LAN, how
do I make sure that it's only used by the people I want to allow to use it?
(The fact that one of your LAN resources is fast Internet access is a reason
why others might want to, but it's not the point of vulnerability.)

There are three major approaches -- which can all be undertaken at once,
if you like:

1. SSID

Wireless networks are identified by an ID string, or SSID. Specifically,
if two wireless "base stations" are using the same SSID, a wireless client
will assume that it can move from one to the other and remain connected to
the same network.

By default, the base station will broadcast its SSID periodically; this is
how clients identify nearby networks. There's usually an option to turn off
this broadcast.

BUT

(a) turning off the broadcasts may not stop the base station from
answering "Is anybody out there?" probes, and
(b) the SSID will be used to identify traffic when the wireless is
actually being used.

Conclusion: Not broadcasting the SSID doesn't buy you much security. It
was never designed to.

2. MAC address

Most wireless base stations can accept a list of MAC addresses of wireless
adapters that they will accept connections from. Not all of them make it
easy to find and manage this list; the default is to be willing to talk to
anybody.

This means finding out the MAC address of each new wireless client you
want to be able to use. If you buy a new wireless NIC, you have to add it
to the list, and decide whether to remove the old one.

And since the MAC addresses of source and destination appear in every
packet, there's very little to stop an intruder from copying the MAC address
of a legitimate client.

3. WEP key

Virtually all current wireless gear supports at least WEP. WEP is
designed primarily as a mechanism to encrypt packets over wireless, so that
others cannot simply "listen in" on the conversation. [This is intended to
protect the Confidentiality of the wireless traffic.] However, it's usually
fairly easy to configure the base station to accept connections only from
clients who already have the WEP key being used, so that it functions like a
resource access password.

Cracking the WEP key is not as hard as most security professionals would
really like, but if all an intruder is after is fast Internet access,
they'll likely go to a neighbor's unprotected wireless network rather than
invest the time and effort in cracking your key. And that's good enough for
home and small business use.

David Gillett
CISSP CCNP CCSE
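
An added example, not part of the original post: because a MAC filter cannot tell a copied address from the real adapter, one way to notice a shared address is to watch the 802.11 sequence numbers seen from each MAC, which jump back and forth when two radios transmit under the same address. The frame observations, thresholds and function names below are constructed for illustration, and the check assumes one sequence counter per station (no separate per-TID QoS counters).

```python
from collections import defaultdict

SEQ_MODULO = 4096     # 802.11 sequence numbers are 12 bits wide
MAX_NORMAL_GAP = 64   # assumed tolerance for frames the sensor missed
MIN_ANOMALIES = 3     # assumed number of jumps before reporting a MAC

# Constructed observations: (seconds, source MAC, sequence number).
# The first MAC is used by two radios at once; the second is one normal
# client whose counter wraps around and retransmits one frame.
SAMPLE_FRAMES = [
    (0.00, "00:11:22:33:44:55", 100),
    (0.01, "00:aa:bb:cc:dd:ee", 4094),
    (0.02, "00:11:22:33:44:55", 2900),
    (0.03, "00:11:22:33:44:55", 101),
    (0.04, "00:aa:bb:cc:dd:ee", 4095),
    (0.05, "00:11:22:33:44:55", 2901),
    (0.06, "00:aa:bb:cc:dd:ee", 0),
    (0.07, "00:11:22:33:44:55", 102),
    (0.08, "00:aa:bb:cc:dd:ee", 0),
    (0.09, "00:aa:bb:cc:dd:ee", 3),
    (0.10, "00:11:22:33:44:55", 2902),
]


def sequence_gap(prev, cur):
    """Forward distance from prev to cur on the 12-bit counter."""
    return (cur - prev) % SEQ_MODULO


def find_shared_macs(frames, max_gap=MAX_NORMAL_GAP,
                     min_anomalies=MIN_ANOMALIES):
    """Return {mac: jump_count} for MACs whose counter keeps jumping."""
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in sorted(frames):
        mac = mac.lower()
        if mac in last_seq:
            gap = sequence_gap(last_seq[mac], seq)
            # Gap 0 is a retransmission and a small gap is a few missed
            # frames; a large gap means the counter did not simply advance.
            if gap > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


if __name__ == "__main__":
    for mac, jumps in find_shared_macs(SAMPLE_FRAMES).items():
        print(f"{mac}: {jumps} sequence jumps, address may be shared")
```
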