This data can be a target all in itself, but the client can also become an entry point into the network for an attacker. If an attacker can break into a client computer, he can use it as a means to access protected resources throughout the rest of the network. The chapters in this section will show you how to configure client stations securely on a wide range of platforms.

Chapter 3. Station Security

Connecting to a wireless network puts your computer at risk. Eavesdroppers may intercept traffic sent between client stations and the access point. Malicious access points may attempt to force associations in order to perform man-in-the-middle attacks. Hackers using the same access point may try to exploit your computer. Due to the shared, physically unsecured nature of an 802.11 network, client stations are more likely to be the target of an attack.

Establishing proper security on stations connecting to a wireless network is the first step to creating a secure wireless infrastructure. The security of an entire infrastructure is like a chain; it is only as secure as its weakest link. Typically, wireless stations are laptops or workstations controlled by an individual, not by a team of security professionals. These stations may not be under the same scrutiny as a fileserver or firewall would be. Unfortunately, an unsecured wireless workstation can be an excellent vector for an attack on an entire infrastructure.

3.1 Client Security Goals

There are two main security considerations for safe usage of a client computer on a wireless network. The first is preventing a compromise of the client itself. A compromise of the client could lead to stolen or corrupted data, and provide an entry point for the attacker into the wider network. The second main consideration is using secure methods to communicate with other network services from the client.

3.1.1 Prevent Access to the Client

The client needs to be protected from attack over the network. The primary means of accomplishing this is through the use of a firewall. A firewall on a client should block all unknown incoming traffic and allow for outbound connections. Connections directly to or from other computers on the wireless network should also be blocked. The exact means of accomplishing this for a specific OS will be covered in the five chapters that follow.

In addition to establishing a firewall, unneeded services on the client should be disabled. If there is a pressing reason to run a specific service from a client, firewall rules need to be modified to allow traffic to that service. It is vital that any exposed services are run using up-to-date software. Outdated software with security vulnerabilities is the primary entry point for attackers.

In addition, we'll discuss the use of static ARP to protect against layer 2 man-in-the-middle attacks. These attacks can lead to eavesdropping or manipulation of network sessions. The use of static ARP entries can prevent these attacks from succeeding, since the host will not modify its ARP table when it receives malicious information. Static ARP tables can be overwhelmingly complex to administer in large networks but can be a useful and easy tool in a smaller network. For more information on ARP attacks, see ARP Poisoning.

3.1.2 Secure Communication

The manner in which you access services across the network is just as important as host security. It does not matter how bulletproof your firewall is if you send your username and password in the clear every time you check your email with an IMAP request. Remember that an attacker can be passively listening to the network and not necessarily actively attacking your host.

At the time of this writing, WEP is not an acceptable solution for preserving the confidentiality of data traversing a wireless network. There are several problems with WEP that greatly weaken its effectiveness. WEP is better than cleartext; it raises the bar for an attacker to obtain transmitted data. However, a sophisticated attacker may still be able to bypass the encryption provided by WEP, thereby exposing your data.

In order to prevent sensitive data from being compromised, you need to provide for encryption at a higher level in the stack. Note that we did not say it was necessary to protect all of your data, just your sensitive data. Different users define sensitive information differently. While one user may think all data sent or received is sensitive, another may feel that there is no risk in an attacker seeing what web pages they are surfing. In general, you should work to protect usernames, passwords, credit-card information, and other unique, personal information. Whether or not you feel your DNS requests and Slashdot trolling are worthy of higher levels of encryption is up to you.

3.1.2.1 SSL

Secure Socket Layer (SSL) is a confidentiality mechanism based on public-key cryptography. It is historically associated with web pages accessed via secure HTTP (HTTPS). However, any protocol can be encapsulated in SSL for secure network transit. SSL is great for protecting transaction-based protocols such as web traffic and mail transactions.

When surfing the Web using a wireless connection, you should pay special attention to pages that require you to authenticate yourself or that you have reached via authentication. Your initial authentication will involve sending your authentication credentials (i.e., username/password combinations) to the remote server. Unfortunately, subsequent pages accessed on the site after authentication may contain sensitive data, including your credentials or a cookie representing successful authentication. An attacker may be able to replay your authentication or your cookie to gain access to the same resources. Those pages and subsequent pages on the site should be accessed via HTTPS. The same advice goes for submission of credit-card information.

Web traffic is not the only candidate for SSL protection
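The client firewall policy stated in Section 3.1.1 (allow outbound, allow replies to connections the client opened, drop unknown inbound, drop direct traffic to or from other stations on the wireless segment), as a small stateful model run over constructed sample packets. This is an added example, not code from the book; the subnet, gateway address and the single exposed service are assumptions.

```python
# Added example, not from the book: a minimal stateful model of the client
# firewall policy in Section 3.1.1, exercised on constructed sample packets.
from ipaddress import ip_address, ip_network

WIRELESS_NET = ip_network("192.168.1.0/24")   # assumed wireless subnet
GATEWAY_IP = ip_address("192.168.1.1")        # assumed access point/router, not a "peer"
EXPOSED_SERVICES = {22}                       # assumed: the one service deliberately exposed


class ClientFirewall:
    def __init__(self):
        # (remote_ip, remote_port, local_port) for connections this client opened
        self.established = set()

    def is_peer(self, addr):
        """Another station on the wireless segment (the gateway is exempt)."""
        return addr in WIRELESS_NET and addr != GATEWAY_IP

    def outbound(self, dst, dport, sport):
        dst = ip_address(dst)
        if self.is_peer(dst):
            return "DROP"                      # no direct connections to other stations
        self.established.add((dst, dport, sport))
        return "ACCEPT"                        # outbound connections are allowed

    def inbound(self, src, sport, dport):
        src = ip_address(src)
        if self.is_peer(src):
            return "DROP"                      # blocked even towards an exposed service
        if (src, sport, dport) in self.established:
            return "ACCEPT"                    # reply to a connection we opened
        if dport in EXPOSED_SERVICES:
            return "ACCEPT"                    # service the rules were modified to allow
        return "DROP"                          # all unknown incoming traffic


def demo():
    """Constructed packets (RFC 5737 documentation addresses) and their verdicts."""
    fw = ClientFirewall()
    return [
        fw.outbound("198.51.100.10", 443, 40000),   # HTTPS to an Internet host
        fw.inbound("198.51.100.10", 443, 40000),    # its reply
        fw.inbound("198.51.100.10", 443, 40001),    # unsolicited: wrong local port
        fw.inbound("203.0.113.9", 5555, 22),        # remote host to the exposed service
        fw.inbound("192.168.1.77", 5555, 22),       # wireless neighbour to the same service
        fw.outbound("192.168.1.77", 445, 40002),    # this client to a wireless neighbour
    ]
```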
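Why the static ARP entries recommended in Section 3.1.1 defeat ARP poisoning: a model of a host's ARP cache fed a genuine reply for the gateway followed by a conflicting one, with and without a pinned entry. This is an added example, not code from the book; the addresses and MACs are constructed for the illustration.

```python
# Added example, not from the book: how a host's ARP cache behaves with and
# without a static entry when a conflicting reply for the gateway arrives.
from dataclasses import dataclass, field

GATEWAY_IP = "192.168.1.1"            # assumed access point/router address
GATEWAY_MAC = "00:11:22:33:44:55"     # constructed: the real gateway MAC
ROGUE_MAC = "aa:bb:cc:dd:ee:ff"       # constructed: MAC carried in the spoofed reply


@dataclass
class ArpCache:
    static: dict = field(default_factory=dict)    # ip -> mac pinned by the administrator
    dynamic: dict = field(default_factory=dict)   # ip -> mac learned from the wire
    ignored: list = field(default_factory=list)   # replies rejected because of a pin

    def pin(self, ip, mac):
        """Static entry, what 'arp -s <ip> <mac>' does on most systems."""
        self.static[ip] = mac.lower()

    def on_reply(self, ip, mac):
        """Process an ARP reply 'ip is-at mac'. Returns True if the cache changed."""
        mac = mac.lower()
        if ip in self.static:
            if mac != self.static[ip]:
                self.ignored.append((ip, mac))   # worth logging: someone claims our gateway
            return False             # a pinned entry is never overwritten
        self.dynamic[ip] = mac       # an unpinned cache trusts whatever it hears
        return True

    def resolve(self, ip):
        return self.static.get(ip) or self.dynamic.get(ip)


def gateway_after_spoof(pin_gateway):
    """Replay a constructed sequence: legitimate reply, then a conflicting one.
    Returns the MAC the host would now send gateway traffic to, and how many
    replies were ignored."""
    cache = ArpCache()
    if pin_gateway:
        cache.pin(GATEWAY_IP, GATEWAY_MAC)
    cache.on_reply(GATEWAY_IP, GATEWAY_MAC)   # genuine reply from the gateway
    cache.on_reply(GATEWAY_IP, ROGUE_MAC)     # conflicting reply from another station
    return cache.resolve(GATEWAY_IP), len(cache.ignored)
```

Without the pin the second reply silently redirects all gateway-bound traffic; with it the host keeps the correct MAC and the conflict is recorded for detection.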