• Wireless network security analysis. Analysis of wireless network security methods

    Arzamas branch

    Faculty of Physics and Mathematics

    Department of Applied Informatics

    Completed:

    Pushkova K.S.,

    4th year student, full-time education,

    direction of training "Applied Informatics",

    focus (profile): Applied Informatics in Economics

    ________________________

    (student signature)

    Coursework

    Analysis of wireless network security methods

    Scientific supervisor:

    Candidate of Biological Sciences, Associate Professor Shirokova N.P.

    Arzamas


    Chapter I WIRELESS NETWORK SECURITY ANALYSIS

    Major threats to wireless networks

    Information security threats that exist when using wireless networks are divided into two types:



    1) direct threats: threats to information security that arise when information is transmitted over the IEEE 802.11 wireless interface;

    2) indirect threats: threats associated with the presence of a large number of Wi-Fi networks on and around the premises.

    Direct threats

    The data transmission channel used in wireless networks may be subjected to external influence in order to obtain personal information or to violate the integrity and availability of information. Wireless networks have both authentication and encryption, but these security mechanisms have their drawbacks. The possibility of blocking data transmission in a wireless channel was not given due attention when the technology was developed. Such blocking is not dangerous in itself, since wireless networks play a supporting role, but it can be a preparatory stage for a "man in the middle" attack, in which a third device appears between the user and the access point and redirects the traffic through itself. This gives the attacker the ability to delete or change information.

    Rogue devices

    Rogue devices ("strangers", Rogues) are devices that give unauthorized access to the corporate network, bypassing the protective measures laid down in the security policy. Refraining from using wireless devices at all does not protect against wireless attacks if such a device appears on the network. A rogue device can be any device that has both a wired and a wireless interface: access points, projectors, scanners, laptops with their interfaces enabled, etc.

    Breaking encryption

    WEP security is very weak. There is a lot of specialized software on the Internet for breaking this technology; it collects enough traffic statistics to reconstruct the encryption key. The WPA and WPA2 standards also have vulnerabilities of varying severity that allow them to be broken. Against this background, WPA2-Enterprise (802.1x) stands out positively.

    Service failures

    DoS attacks are used to degrade the quality of network operation or to completely stop clients' access to the network. In a Wi-Fi network it is very difficult to locate the source that floods the network with "junk" packets: its position is narrowed down only to the coverage area. There is also a hardware version of this attack: a sufficiently strong source of interference is placed in the required frequency range.


    WEP security mode

    WEP (Wired Equivalent Privacy) is a network security method available for working with legacy devices, but its use is discouraged because its protection is relatively easy to break. When you use WEP, you set up a network security key, which encrypts the data your computer sends to other devices over the network.

    There are two WEP security methods:

    1) open system authentication;

    2) shared key authentication.

    Neither method provides a high level of security, but open system authentication is the more secure of the two. For most wireless network devices and access points, the shared key authentication key is the same as the static WEP encryption key used to protect the network. By intercepting the shared key authentication exchange, an attacker can analyse it to recover the shared key authentication key and then the static WEP encryption key, which gives full access to the network.

    WPA security mode

    WPA (Wi-Fi Protected Access) is an updated wireless device certification program. WPA technology includes several components:

    - 802.1x protocol: a universal protocol for authentication, authorization and accounting (AAA);

    - TKIP (Temporal Key Integrity Protocol);

    - EAP (Extensible Authentication Protocol);

    - MIC (Message Integrity Code): cryptographic packet integrity check;

    - RADIUS protocol.

    Data encryption in WPA is carried out by the TKIP protocol, which uses the same encryption algorithm as WEP (RC4), but uses dynamic (frequently changing) keys. This technology uses a longer initialization vector and uses a cryptographic checksum (MIC) to verify the integrity of packets.

    The RADIUS protocol works together with an authentication server (RADIUS server). In this mode, wireless access points are in enterprise mode.

    In the absence of a RADIUS server, the role of the authentication server is performed by the access point - the so-called WPA-PSK mode.

    Security mode WPA-PSK

    WPA-PSK (pre-shared key). In this technology, a common key is specified in the configuration of all access points. The same key is also registered on user mobile devices. This security method is more secure than WEP, but is not convenient from a management point of view. The PSK key must be set on each wireless device; all clients on the network can see it. If you need to block access to a specific user on the network, you need to set a new PSK again on each network device. As a result, this WPA-PSK mode can be used in a home network or a small office with a small number of users.

    Let's look at the mechanisms of how WPA works. WPA technology was introduced as a temporary measure until the 802.11i standard came into use. Some manufacturers, before the introduction of this standard, began to use WPA2 technology, which to some extent includes elements of the 802.11i standard, for example the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) protocol instead of TKIP. WPA2 uses AES (Advanced Encryption Standard) as the encryption algorithm. For key handling the 802.1x protocol is used, which can perform several functions; of these, we consider user authentication and encryption key distribution, since they concern security. In this protocol, authentication is performed at the port level. Until the user is authenticated, he can send and receive only packets that belong to the authentication process itself and nothing more. Only after successful authentication are the ports of the access point or switch opened and the client is able to use network resources.

    The EAP protocol performs the authentication function and is only a framework that carries the actual authentication methods. Its advantage is that it is very simple to implement on the access point, since the access point does not need to know the details of the various authentication methods. The access point, as the authenticator, performs only relay functions between the user and the authentication server. The following authentication methods exist:

    - EAP-SIM, EAP-AKA: used in GSM mobile networks;

    - LEAP: proprietary method from Cisco Systems;

    - EAP-MD5: the simplest method, similar to CHAP;

    - EAP-MSCHAP v2: authentication based on the user's login/password in Microsoft networks;

    - EAP-TLS: authentication based on digital certificates;

    - EAP-SecurID: authentication based on one-time passwords.

    In addition to the above, two more methods can be distinguished: EAP-TTLS and EAP-PEAP. Before authenticating the client itself, they first create a TLS tunnel between the user and the authentication server, and the authentication is then performed inside the tunnel using the MD5, TLS, PAP, CHAP, MS-CHAP or MS-CHAP v2 methods. Creating the tunnel increases authentication security by protecting against man-in-the-middle, session hijacking and dictionary attacks.

    The authentication scheme consists of three components:

    - Supplicant: an application running on the user's device that is trying to connect to the network;

    - Authenticator: the access node (a wireless access point or a wired switch supporting the 802.1x protocol);

    - Authentication Server: the authentication server (RADIUS server).

    Authentication consists of the following steps:

    1) The client sends an authentication request to the access point.

    2) The access point responds by creating a request for client identification to the client.

    3) The client responds by sending a packet with the necessary data, which the access point redirects towards the authentication server.

    4) The authentication server sends a request to the authenticator (access point) for information about the authenticity of the client.

    5) The authenticator forwards this packet to the client.

    After this, mutual identification of the server and client is performed. The number of packets sent in each direction depends on the EAP method, but in wireless networks only "strong" authentication is used, with mutual authentication of client and server (EAP-TLS, EAP-TTLS, EAP-PEAP) and the establishment of an encrypted communication channel.

    6) At the next stage, the authentication server, with the necessary information from the client, allows or denies the user access, sending a corresponding message to the authenticator (access point). The authenticator opens the port if a positive response is received from the authentication server.

    7) The port opens, the authenticator sends a message to the client indicating the successful completion of the process, and the client gains access to the network. After the client is disconnected, the port on the access point returns to the “closed” state.

    EAPOL packets are used to connect the client and the access point. The RADIUS protocol is used in communication between the authenticator and the RADIUS server.

    Initial authentication is performed on the basis of shared data known to both the client and the authentication server, for example a login/password, a certificate, etc. In the process a "master key" is created, from which the client and the authentication server derive a "pairwise master key" (PMK); the PMK is transmitted from the authentication server to the access point. Subsequently, all the other, periodically changing keys that protect the transmitted traffic are derived from the pairwise master key.
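    The 802.1x flow described in steps 1-7, as an added simulation that is not part of the coursework: the access point relays EAP messages without inspecting them, keeps its controlled port closed until the server's verdict, and receives the PMK from the server while the client derives the same PMK from its own secret. The challenge/response EAP method, the HMAC-based PMK derivation and the user database are constructed stand-ins, not the real 802.11i key schedule.

```python
"""Simulation of 802.1X port-based authentication (supplicant / authenticator / server).

Added example. The EAP method (HMAC challenge-response) and the PMK derivation
are constructed placeholders; the real standard uses EAP methods such as
EAP-TLS/PEAP and a different key hierarchy.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Frame:
    kind: str                                  # "eapol" (client<->AP) or "data"
    payload: dict = field(default_factory=dict)


class AuthServer:
    """RADIUS-style authentication server holding a constructed user database."""
    def __init__(self, users):
        self.users = users                     # identity -> shared secret
        self.nonce = None

    def handle(self, msg):
        if msg["step"] == "identity":
            # Step 4: the server asks the client to prove knowledge of the secret.
            self.nonce = secrets.token_bytes(16)
            return {"step": "challenge", "nonce": self.nonce}
        if msg["step"] == "response":
            secret = self.users.get(msg["identity"])
            if secret is None:
                return {"step": "reject"}
            expected = hmac.new(secret.encode(), self.nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, msg["proof"]):
                return {"step": "reject"}
            # Step 6: accept, and hand the PMK to the authenticator (not to the client).
            pmk = hmac.new(secret.encode(), b"pmk|" + self.nonce, hashlib.sha256).digest()
            return {"step": "accept", "pmk": pmk}
        return {"step": "reject"}


class Authenticator:
    """Access point: relays EAP and keeps the controlled port closed until accept."""
    def __init__(self, server):
        self.server = server
        self.port_open = False
        self.pmk = None
        self.delivered = []

    def receive(self, frame):
        if frame.kind == "data":
            # Only EAPOL passes the uncontrolled port; data is dropped while closed.
            if self.port_open:
                self.delivered.append(frame.payload)
                return "forwarded"
            return "dropped"
        # EAPOL frame (steps 3 and 5): relay the EAP message to the server unchanged.
        verdict = self.server.handle(frame.payload)
        if verdict["step"] == "accept":
            self.port_open = True              # step 7: the port opens
            self.pmk = verdict.pop("pmk")      # PMK stays between server and AP
        return verdict

    def client_disconnected(self):
        self.port_open = False                 # port returns to the "closed" state
        self.pmk = None


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.pmk = None

    def authenticate(self, ap):
        # Steps 1-3: start and identity exchange, collapsed into one message here.
        reply = ap.receive(Frame("eapol", {"step": "identity", "identity": self.identity}))
        if reply["step"] != "challenge":
            return reply["step"]
        nonce = reply["nonce"]
        # Step 5: answer the server's challenge through the access point.
        proof = hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()
        reply = ap.receive(Frame("eapol", {"step": "response",
                                           "identity": self.identity, "proof": proof}))
        if reply["step"] == "accept":
            # The client derives the same PMK from its own copy of the secret.
            self.pmk = hmac.new(self.password.encode(), b"pmk|" + nonce, hashlib.sha256).digest()
        return reply["step"]


def run_session(identity, password, users=None):
    """Return (verdict, data before auth, data after auth, PMKs match, port after disconnect)."""
    ap = Authenticator(AuthServer(users or {"alice": "correct horse"}))
    client = Supplicant(identity, password)
    before = ap.receive(Frame("data", {"to": "intranet"}))   # blocked: port closed
    verdict = client.authenticate(ap)
    after = ap.receive(Frame("data", {"to": "intranet"}))
    keys_match = verdict == "accept" and client.pmk == ap.pmk
    ap.client_disconnected()
    return verdict, before, after, keys_match, ap.port_open


if __name__ == "__main__":
    print(run_session("alice", "correct horse"))
```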

    Chapter III SETTING UP SECURITY IN A WIFI NETWORK

    Conclusion

    In this course work, a study was conducted of methods for increasing data security when transmitting them using wireless networks.

    To achieve the goal of the course work, the following tasks were completed:

    1) the principle of operation of a wireless network has been studied;

    2) the types of threats and their negative impact on the operation of wireless networks were investigated;

    3) the means of protecting wireless network information from unauthorized access were analyzed;

    4) the wireless network has been protected from unauthorized access to it.

    The analysis of threats to wireless networks showed that the most serious threats are rogue devices, the unfixed nature of the connection, denial of access, and eavesdropping.

    A review of software used to protect wireless network information showed that it is most appropriate to use the WPA2 mode. WPA2 is an updated wireless device certification program. In this mode, data security and access control to wireless networks are enhanced, encryption is supported in accordance with the AES standard (Advanced Encryption Standard), which has a more robust cryptographic algorithm. This security mode was applied when setting up a TP-Link wireless router.

    During the study, all assigned tasks were completed. The goal of the course work has been achieved.


    Introduction

    Chapter I WIRELESS NETWORK SECURITY ANALYSIS

    1.1 Operating principle of wireless networks

    1.2 Main threats to wireless networks

    1.2.1 Direct threats

    1.2.2 Rogue devices

    1.2.3 Unfixed nature of the connection

    1.3 Vulnerabilities of networks and devices

    1.3.1 Incorrectly configured access points

    1.3.2 Incorrectly configured wireless clients

    1.3.3 Cracking encryption

    1.3.4 Impersonation and identity theft

    1.3.5 Service failures

    Chapter II MEANS OF PROTECTING WIRELESS NETWORKS

    2.1 WEP security mode

    2.2 WPA security mode

    2.3 WPA-PSK security mode

    Chapter III SETTING UP SECURITY IN A WIFI NETWORK

    3.1 Configuration of devices in wireless networks

    3.2 Setting up wireless network security using the example of a TP-Link router

    Conclusion

    List of sources used

    Introduction

    In the modern world, wireless networks are used in almost all areas of human activity. This widespread use of wireless networks is due to the fact that they can be used not only on personal computers, but also on mobile devices, as well as their convenience due to the absence of cable lines and relatively low cost. Wireless networks satisfy a set of requirements for quality, speed, security, and reception range. Particular attention must be paid to security as one of the most important factors.

    With the growing use of wireless networks, users are faced with the problem of protecting information from unauthorized access to this network. This paper discusses ways to protect wireless network information.

    The relevance of creating conditions for safe use of a wireless network is due to the fact that, unlike wired networks, where you must first gain physical access to the system cables, in wireless networks you can access the network using a regular receiver located in the area where the network is distributed.

    However, despite the different physical organization of the networks, security is built on the same principles for wired and wireless networks. When organizing information security in a wireless network, more attention must be paid to preventing leakage, ensuring the integrity of information, and verifying the identity of users and access points.

    The object of study in this work is information security tools in wireless networks.

    The subject of the research is technologies for protecting information in wireless networks from unauthorized access.

    The purpose of the course work is to study methods for increasing data security during transmission using wireless networks.

    To achieve the goal of the course work, you must complete the following tasks:

    1) study the principle of operation of a wireless network;

    2) explore the types of threats and their negative impact on the operation of wireless networks;

    3) analyze the means of protecting information in wireless networks;

    4) protect the wireless network from unauthorized access to it.

    Chapter I WIRELESS NETWORK SECURITY ANALYSIS

    "...Information security and wireless networks?
    But aren't these mutually exclusive concepts?"
    From a conversation at the Svyazexpocom-2004 exhibition

    Wireless communication devices based on the 802.11x standards are advancing very aggressively in the network equipment market today. This is not surprising: ease of use for mobile and quasi-mobile users, commercial and corporate hotspots, the "last mile", and interconnection of local networks (LANs) are only part of the list of reasons for implementing such solutions. Indeed, the amount of 802.11x equipment in operation worldwide is impressive: according to J'son & Partners, the number of hot spots alone exceeded 43 thousand at the end of 2003 and should reach 140 thousand by the end of 2004. Russia's share of these figures is small, but the number of wireless networks (including hot spots) is growing steadily in our country. We also note that in our country more than 80% of corporate wireless networks are built on the "oldest" and most widely used equipment, Cisco Aironet.

    But it's not just the numbers that are impressive; Much more surprising is the number of misconceptions associated with ensuring secure data transmission in such networks. The range of opinions here is the widest: from complete trust in any equipment and any of its settings to unflattering characteristics of the kind that we cited as an epigraph.

    802.11x - susceptibility to external threats

    The very essence of wireless data transmission is fraught with the possibility of unauthorized connections to access points, data interception and other troubles. The absence of a cable, which is organizationally easy to protect, creates a feeling of unpleasant openness and accessibility.

    It is worth mentioning “non-protocol” threats - they are the basis of the problem. When developing a wireless corporate network, administrators primarily care about high-quality coverage of the office area. Very often, no one simply takes into account that insidious hackers can connect to the network directly from a car parked on the street. In addition, there are situations when, in principle, it is impossible to eliminate the very possibility of “hearing” the transmitted traffic. An example is external antennas. By the way, in the CIS countries connecting LAN offices to each other using wireless is a very popular solution.

    An equally dangerous threat is the possibility of equipment theft. If the security policy of a wireless network is based on MAC addresses, then any component (network card, access point) stolen by an attacker instantly makes this network open.

    And finally, the problem of “too smart” users. Often, unauthorized connection of access points to LANs is the work of the organization’s employees themselves. Moreover, this is done solely for the convenience of work, sometimes even with good intentions. Of course, these employees also ensure information protection when connecting such devices to the network on their own and do not always imagine the consequences of such “self-defense.”

    These and similar problems need to be addressed comprehensively. Let us note right away that organizational measures are not considered in this article; they are most often chosen according to the operating conditions of each specific network. As for technical measures, mandatory mutual authentication of devices and the introduction of active (for example, Observer 8.3, Airopeek NX 2.01, Wireless Sniffer 4.75) and passive (such as APTools 0.1.0, xprobe 0.0.2) monitoring tools give a very good result.

    Vulnerability of "old" security methods

    The IEEE 802.11 committee has always been involved in protecting data in wireless networks. Unfortunately, the methods used to ensure the security of 802.11x networks at the stage of their initial development (1997-1998) were, to put it mildly, unsuccessful. They included WEP (Wired Equivalent Privacy) encryption and authentication: MAC address-based, Open, and PreShared Key.

    Let's consider the listed methods in order. The classic WEP encryption protocol, developed by RSA Data Security, uses a 40-bit key that is added to the generated initialization vector (IV, its length is 24 bits). Using the resulting key, user data and a checksum are encrypted using the RC4 algorithm. Vector IV is transmitted in the clear.

    The first disadvantage of this method is that a 40-bit key is not enough for peace of mind; even DES, with its 56-bit key, has long been recognized as unreliable. The second disadvantage is that the key never changes: using a static key simplifies the attacker's task, and since a 40-bit key is unreliable, one would want to change it as often as possible. Finally, the encryption scheme itself is highly questionable. The IV is 24 bits long, which means that it will repeat no later than after about 5 hours (packet length 1500 bytes, speed 11 Mbit/s).

    Nikita Borisov, Ian Goldberg and David Wagner were the first to study this problem, and already in 2001 the first drivers and programs capable of defeating WEP encryption appeared. A document describing this vulnerability is published at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.

    The authentication methods are not very reliable either. For example, it is trivial to eavesdrop on the entire MAC-address authentication procedure, since MAC addresses are transmitted unencrypted in the frame. If an attacker knows which authentication method is in use, he is almost ready to enter the network. The most reliable of the listed methods is PreShared Key, but it is only good if the key is securely encrypted and high-quality passwords are replaced regularly.

    It is a common misconception that using a unique Service Set ID (SSID) will prevent unauthorized connections. Alas, the SSID is only suitable for logical division of network devices into groups - nothing more. The only thing you can do with an SSID is confuse a young hacker by using "unprintable" characters. Access points (Access Point, AP), for example, from Cisco Systems, allow you to do this (you can specify the characters included in the SSID in hexadecimal - \xbd\xba).

    Thus, if we also take into account the mass of “inquisitive” teenagers with laptops, a wireless communication network inevitably faces the problem of protecting against almost guaranteed WEP attacks.

    WEP attacks

    The insufficient key length, the lack of key rotation, and the RC4 encryption principle itself, described above, make a very effective passive attack possible. The attacker does not need to perform any action by which he could be detected; it is enough to simply listen to the channel. No special equipment is required: a regular WLAN card bought for 20-25 dollars suffices, together with a program that accumulates packets on the hard drive until IV values coincide. When the number of packets becomes sufficient (usually 1 to 4 million), the WEP key is easy to calculate. One of the most popular programs for such "exercises" is AirSnort (http://airsnort.shmoo.com). This software works with network cards from Cisco Systems, cards based on the NMC Prism-2 chipset (there are quite a few of them), and Orinoco cards or their clones.
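    The WEP arithmetic from the previous section and the IV-collision passive attack above, as an added example that is not from the original article: it reproduces the 5-hour IV exhaustion figure from the article's parameters (24-bit IV, 1500-byte packets, 11 Mbit/s), builds WEP frames with a textbook RC4 and a 40-bit key, shows why two frames under the same IV leak the XOR of their plaintexts, and ends with a monitor that flags IV repetition in a capture. No key recovery is performed; the frames and key are constructed sample data.

```python
"""WEP initialisation-vector arithmetic and the consequence of IV reuse.

Added example. Sizes follow the article (40-bit key, 24-bit IV, RC4, CRC-32);
the RC4 below is the textbook algorithm and the frames are constructed.
"""
import zlib

IV_BITS, KEY_BITS = 24, 40


def iv_exhaustion_seconds(packet_bytes=1500, rate_bps=11_000_000):
    """Seconds until a 24-bit IV must repeat on a saturated channel."""
    packets_per_second = rate_bps / (packet_bytes * 8)
    return (2 ** IV_BITS) / packets_per_second       # about 18,300 s, i.e. ~5 h


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt_frame(wep_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in the clear) || RC4_{IV||key}(plaintext || CRC-32)."""
    if len(wep_key) * 8 != KEY_BITS or not 0 <= iv < 2 ** IV_BITS:
        raise ValueError("expected a 40-bit key and a 24-bit IV")
    iv_bytes = iv.to_bytes(3, "big")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv_bytes + rc4(iv_bytes + wep_key, plaintext + icv)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames under the same IV share a keystream, so XOR of the ciphertexts
    equals XOR of the plaintexts (over the common data length). None if IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3 - 4      # strip IV and ICV
    return bytes(x ^ y for x, y in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def iv_reuse_monitor(frames):
    """Defender view: IVs that occur more than once in a captured frame list."""
    seen, repeated = set(), set()
    for frame in frames:
        iv = int.from_bytes(frame[:3], "big")
        if iv in seen:
            repeated.add(iv)
        seen.add(iv)
    return sorted(repeated)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                    # constructed 40-bit key
    a = wep_encrypt_frame(key, 0xABCDEF, b"hello world")
    b = wep_encrypt_frame(key, 0xABCDEF, b"HELLO WORLD")
    print(round(iv_exhaustion_seconds() / 3600, 2), "hours until IV repeat")
    print(keystream_reuse_leak(a, b), iv_reuse_monitor([a, b]))
```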

    A hacker using active attack methods can achieve good results. For example, you can send known data from outside the LAN, say, from the Internet, while simultaneously analyzing how the access point encrypted it. This method allows you to both calculate the key and manipulate the data.

    Another active attack method is Bit-Flip attack. The algorithm of actions here is as follows (Fig. 1):

    1. We intercept a WEP encrypted frame.
    2. We randomly change several bits in the “data” field and recalculate the CRC-32 checksum.
    3. We send the modified frame to the access point.
    4. The access point will accept the frame at the link layer because the checksum is correct.
    5. The access point will try to decrypt the data and respond with a known text, for example: “Your encryption key is incorrect.”
    6. Comparing the encrypted and unencrypted text can allow the key to be calculated.

    In this article, we will not consider a possible DoS attack on equipment using the DSSS wideband modulation method. This type of equipment includes 802.11b and 802.11a devices operating at low speeds.

    Interim conclusions

    All of the above suggests that the old methods of ensuring security in wireless networks are unreliable, and if the equipment does not allow modern information protection solutions to be implemented, the choice of strategies is small: either apply the strictest administrative policies (see the sidebar "Administrative measures"), or use IPsec ESP technology.

    IPsec ESP will certainly protect the data, but it will greatly reduce LAN performance. After all, this technology was developed for wide-area networks, and it is wasteful to use it inside a wireless local network. Its use over wireless channels is justified only for connecting branches or similar solutions.

    Modern security requirements, or "Life with Cisco"

    For the peace of mind of any user, there are only three issues that need to be addressed for their traffic: confidentiality (data must be securely encrypted), integrity (data must be guaranteed not to be changed by a third party) and authenticity (confidence that the data is received from the correct source).

    Authentication

    The 802.1x standard defines an authentication method more modern than the 1997-1998 standards, and it is widely used in various network equipment, including wireless devices. Its fundamental difference from the older authentication methods is this: until mutual verification has been carried out, the user can neither receive nor transmit any data. The standard also provides for dynamic management of encryption keys, which naturally makes a passive attack on WEP more difficult.

    For example, a number of developers use the EAP-TLS and PEAP protocols for authentication in their devices, but Cisco Systems (http://www.cisco.com) approaches the problem more "broadly", offering for its wireless networks, alongside these, a number of further protocols.

    Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is an IETF standard that provides authentication through the two-way exchange of digital certificates.

    Protected EAP (PEAP) is still an IETF draft standard. It provides for the exchange of digital certificates and additional verification of name and password through a specially created encrypted tunnel.

    Lightweight EAP (LEAP) is a proprietary protocol of Cisco Systems: a "lightweight" mutual authentication protocol similar to the two-way Challenge Authentication Protocol (CHAP). It uses a shared key, so it requires some care when generating passwords; otherwise, like any other PreShared Key method, it is susceptible to dictionary attacks.

    EAP - Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco on the basis of an IETF draft standard to protect against dictionary attacks and is highly reliable. It requires minimal effort from the administrator to support. Its principle of operation is similar to LEAP, but authentication is carried out over a secure tunnel. The first implementations appeared in April 2004. It is supported starting from software versions IOS 12.2(11)JA, VxWorks 12.01T and Cisco Secure ACS 3.2.3.

    All modern authentication methods (see table) imply support for dynamic keys, which is good news. However, if we compare all these standards in other respects, the EAP-TLS and PEAP methods seem more cumbersome. And this is true. They are more suitable for use in networks built on equipment from various manufacturers.

    Features of authentication methods

    Indicator                                              LEAP   EAP-FAST  PEAP     EAP-TLS
    Support for modern OS                                  Yes    Yes       Not all  Not all
    Software complexity and resource intensity             Low    Low       Average  High
    Difficulty of control                                  Low*   Low       Average  Average
    Single Sign-On (single login on Windows)               Yes    Yes       No       Yes
    Dynamic keys                                           Yes    Yes       Yes      Yes
    One-time passwords                                     No     Yes       Yes      No
    Support for non-Microsoft Windows user databases       No     Yes       Yes      Yes
    Fast Secure Roaming                                    Yes    Yes       No       No
    Local authentication capability                        Yes    Yes       No       No

    The authentication methods developed by Cisco look nicer. What makes them especially attractive is their support for Fast Secure Roaming, which allows switching between different access points in approximately 100 ms, which is especially important when transmitting voice traffic. With EAP-TLS and PEAP, re-authentication takes significantly longer and results in the conversation being dropped. The main disadvantage of LEAP and EAP-FAST is obvious: these protocols are supported only by Cisco Systems equipment.

    Encryption and integrity

    Based on 802.11i recommendations, Cisco Systems has implemented the TKIP (Temporal Key Integrity Protocol) protocol, which ensures the change of the PPK (Per Packet Keying) encryption key in each packet and monitoring the integrity of MIC (Message Integrity Check) messages.

    The PPK procedure involves changing the IV in each packet. Moreover, encryption is carried out using the hash function value from the IV and the WEP key itself. If we also take into account that WEP keys change dynamically, the reliability of the encryption becomes quite high.

    Ensuring integrity is the responsibility of the MIC procedure. The MIC and SEQuence number fields are added to the generated frame; the sequence number of the packet is placed in the SEQ field, which protects against replay and reordering attacks. A packet with an incorrect sequence number is simply ignored. The 32-bit MIC field contains the hash function value calculated over the 802.11 packet header itself, the SEQ field, and the user data (Fig. 2).
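    The receiver-side SEQ and MIC checks described above, as an added example that is not from the original article: frames carry header || SEQ || data || MIC, a frame whose SEQ does not advance is silently ignored, and a frame whose MIC does not verify is counted as an integrity failure. HMAC-SHA256 truncated to 8 bytes stands in for the Michael MIC (the article's 32-bit and WPA's 64-bit field), and the header and keys are constructed sample data.

```python
"""Replay and integrity checks in the style of TKIP's SEQ and MIC fields.

Added example. The MIC here is an HMAC stand-in, not the Michael algorithm;
the 24-byte header and the key are constructed.
"""
import hashlib
import hmac

MIC_LEN = 8            # bytes; WPA's Michael MIC is 64 bits
SEQ_LEN = 6            # bytes; constructed size for the sequence counter


def compute_mic(mic_key: bytes, header: bytes, seq_field: bytes, data: bytes) -> bytes:
    """MIC over the header, the SEQ field and the user data, as the article describes."""
    return hmac.new(mic_key, header + seq_field + data, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, header: bytes, seq: int, data: bytes) -> bytes:
    """header || SEQ || data || MIC."""
    seq_field = seq.to_bytes(SEQ_LEN, "big")
    return header + seq_field + data + compute_mic(mic_key, header, seq_field, data)


class TkipReceiver:
    """Accept a frame only if SEQ is strictly increasing and the MIC verifies."""
    def __init__(self, mic_key: bytes, header_len: int):
        self.mic_key = mic_key
        self.header_len = header_len
        self.last_seq = -1
        self.mic_failures = 0          # WPA countermeasures trigger on repeated failures
        self.accepted = []

    def accept(self, frame: bytes) -> str:
        h = self.header_len
        header, seq_field = frame[:h], frame[h:h + SEQ_LEN]
        data, mic = frame[h + SEQ_LEN:-MIC_LEN], frame[-MIC_LEN:]
        seq = int.from_bytes(seq_field, "big")
        if seq <= self.last_seq:
            return "replay"            # out-of-order or repeated packet: ignored
        if not hmac.compare_digest(compute_mic(self.mic_key, header, seq_field, data), mic):
            self.mic_failures += 1
            return "mic_failure"       # header, SEQ or data was modified in transit
        self.last_seq = seq
        self.accepted.append(data)
        return "ok"


def demo():
    """Constructed frame sequence: good, tampered, good, replayed."""
    key = b"constructed-mic-key"
    header = b"\x08\x41" + bytes(22)   # constructed 24-byte 802.11 data header
    rx = TkipReceiver(key, len(header))
    f1 = build_frame(key, header, 1, b"first")
    f2 = build_frame(key, header, 2, b"second")
    tampered = bytearray(f2)
    tampered[len(header) + SEQ_LEN] ^= 0x01   # flip one bit of the user data
    results = [rx.accept(f1), rx.accept(bytes(tampered)), rx.accept(f2), rx.accept(f1)]
    return results, rx.mic_failures, rx.accepted


if __name__ == "__main__":
    print(demo())
```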

    Another promising encryption and integrity protocol that has already proven itself in wired solutions is AES (Advanced Encryption Standard). It was developed relatively recently - in October 2001 and has better cryptographic strength compared to DES and GOST 28147-89. AES key length is 128, 192 or 256 bits. As noted, it provides both encryption and integrity.

    Note that the algorithm used in it (Rijndael) does not require large resources either during implementation or operation, which is very important for reducing data latency and processor load.

    AES already runs on Cisco IOS (k9) starting with 12.2(13)T. Currently, almost all Cisco Systems 802.11g devices are ready to support AES. The online community is awaiting the announcement of the release of this software, but the repeatedly stated deadlines are not met. However, now some clarity has emerged. The company announced that all devices operating in the 802.11g standard can be completely freely equipped with new software, which will certainly appear soon... But only after the ratification of the 802.11i standard. The standard was ratified by the IEEE at the end of June (see sidebar "802.11i Standard Ratified"). So we're waiting, sir.

    Wi-Fi Protected Access

    The Wi-Fi Protected Access (WPA) standard is a set of rules for implementing data protection in 802.11x networks. Since August 2003, WPA compliance has been part of the requirements for equipment certified as Wi-Fi Certified (http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf).

    Note that the WPA specification includes a slightly modified TKIP-PPK protocol. Encryption is performed on a “mixture” of several keys - the current and subsequent ones. In this case, the IV length is increased to 48 bits.

    WPA also defines message integrity control according to a simplified version of MIC (Michael MIC), which differs from the one described in that the hash function is calculated based on fewer fields, but the MIC field itself is longer - 64 bits. This makes it possible to implement additional information protection measures, for example, tighten the requirements for re-associations, re-authentications, etc.
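    The receiver-side logic implied by the MIC/SEQ scheme above (original TKIP MIC and WPA's 64-bit Michael MIC), as an added example that is not part of the original text: a frame is dropped if its sequence number does not advance, and dropped and counted separately if its MIC does not verify. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for the Michael MIC, which is not implemented here; frames and the 48-bit SEQ counter are modelled with a small Python class rather than real 802.11 frames; all keys and addresses are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEQ_BITS = 48                    # TKIP-style sequence counter width
SEQ_MAX = (1 << SEQ_BITS) - 1
MIC_LEN = 8                      # 64-bit MIC field, as in WPA's Michael MIC


@dataclass
class Frame:
    header: bytes   # the 802.11 header fields covered by the MIC (addresses etc.)
    seq: int        # sequence counter carried in the frame
    payload: bytes  # user data
    mic: bytes      # MIC value appended by the sender


def compute_mic(mic_key: bytes, header: bytes, seq: int, payload: bytes) -> bytes:
    """MIC over header || SEQ || data, as the text describes.
    HMAC-SHA256 truncated to 8 bytes is a stand-in for Michael (assumption)."""
    msg = header + seq.to_bytes(6, "big") + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, header: bytes, seq: int, payload: bytes) -> Frame:
    """Sender side: attach SEQ and MIC to a frame."""
    return Frame(header, seq, payload, compute_mic(mic_key, header, seq, payload))


class Receiver:
    """Accepts a frame only if SEQ is strictly greater than the last accepted
    SEQ and the MIC verifies; everything else is dropped and counted."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1
        self.dropped_replay = 0
        self.dropped_mic = 0

    def receive(self, frame: Frame) -> Optional[bytes]:
        # Replay / reordering check first: a repeated or older SEQ is ignored
        # without even computing the MIC.
        if not (self.last_seq < frame.seq <= SEQ_MAX):
            self.dropped_replay += 1
            return None
        # Integrity check: any change to header, SEQ or payload changes the MIC.
        expected = compute_mic(self.mic_key, frame.header, frame.seq, frame.payload)
        if not hmac.compare_digest(expected, frame.mic):
            self.dropped_mic += 1
            return None
        # Only a fully verified frame advances the accepted sequence number.
        self.last_seq = frame.seq
        return frame.payload


def demo() -> Tuple[List[Optional[bytes]], int, int]:
    """Two good frames, one replay of the first, one frame with a modified payload."""
    key = bytes(range(16))                                   # constructed MIC key
    hdr = bytes.fromhex("00112233445566778899aabb")          # constructed address bytes
    rx = Receiver(key)
    f1 = build_frame(key, hdr, 1, b"hello")
    f2 = build_frame(key, hdr, 2, b"world")
    results = [rx.receive(f1), rx.receive(f2), rx.receive(f1)]  # third one is a replay
    tampered = Frame(f2.header, f2.seq + 1, b"wORLD", f2.mic)    # payload altered in transit
    results.append(rx.receive(tampered))
    return results, rx.dropped_replay, rx.dropped_mic


if __name__ == "__main__":
    print(demo())
```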

    The specifications also include support for 802.1x/EAP and shared key authentication and, of course, key management.

    It is especially pleasing that WPA devices are ready to work with both clients whose equipment supports modern standards, and with clients who are completely unconcerned about their security and use old equipment or software. The author categorically recommends: distribute users with different degrees of security across different virtual LANs and implement your security policy in accordance with this.

    Today, provided that modern equipment and software are used, it is quite possible to build a secure and attack-resistant wireless network based on 802.11x standards. To do this, you just need to apply a few reasonable postulates to it.

    We must remember that a wireless network is almost always connected to a wired one. In addition to the need to protect wireless channels, this fact serves as an incentive to introduce new security methods in wired networks. Otherwise, a situation may arise where the network has fragmented security, which essentially creates a potential security threat.

    It is advisable to use equipment that has a Wi-Fi Certified certificate issued later than August 2003, i.e., confirming compliance with WPA.

    Many administrators, when installing devices on the LAN, save the manufacturer's default settings. In serious wireless networks this is absolutely unacceptable.

    Of course, we need to implement 802.1x/EAP/TKIP/MIC and dynamic key management. If the network is mixed, use virtual local networks. Now almost any serious access point manufacturer supports this technology. And if a manufacturer doesn’t support it, then you shouldn’t support such a manufacturer by purchasing its equipment. In the case of using external antennas (for example, when connecting different LANs to each other), VPN virtual private network technology is recommended.

    It is worth combining protocol and software methods of protection with administrative ones. It also makes sense to think about implementing Intrusion Detection System (IDS) technology to detect possible intrusions. You can also use the software products described above.

    Finally, and most importantly, use common sense when planning a secure wireless network. Remember: any encryption or other manipulation of data inevitably introduces additional delay, increases the amount of service traffic and the load on the processors of network devices. Of course, security is an important factor in modern networks, but it becomes meaningless if user traffic does not receive the proper bandwidth. After all, unfortunately, any networks are created ultimately for users, and not for administrators. However, the topic of QoS in 802.11x wireless networks deserves a separate article.

    802.11i standard ratified

    On June 25, 2004, the Institute of Electrical and Electronics Engineers (IEEE) ratified the long-awaited wireless LAN security standard, 802.11i.

    Before its adoption, back in 2002, the industry consortium Wi-Fi Alliance proposed using the WPA protocol as an intermediate option. It includes some 802.11i mechanisms, including TKIP encryption and the ability to use the 802.1x user authentication system based on the RADIUS protocol. The WPA protocol exists in two modifications: lightweight (for home users) and including the 802.1x authentication standard (for corporate users).

    The official 802.11i standard adds to the capabilities of the WPA protocol the requirement to use the AES encryption standard, which provides a level of security that meets the requirements of FIPS 140-2 (Federal Information Processing Standard) used in the US government. However, in many existing networks, AES may require replacing equipment unless it is equipped with special encryption and decryption capabilities.

    In addition, the new standard has acquired several relatively little-known properties. One of them, key caching, records information about the user without the user noticing, so that when the user leaves the wireless network coverage area and then returns, they do not have to enter all their details again.

    The second innovation is pre-authentication. Its essence is as follows: from the access point to which the user is currently connected, a pre-authentication packet is sent to another access point, providing this user with pre-authentication even before registering at the new point and thereby reducing authorization time when moving between access points.

    The Wi-Fi Alliance intends to begin testing devices for compliance with the new standard (also called WPA2) before September of this year. According to its representatives, widespread replacement of equipment will not be necessary. And while WPA1-enabled devices can operate in environments where advanced encryption and RADIUS authentication are not required, 802.11i products can be considered WPA equipment that supports AES.

    Department of Education, Science and Youth Policy

    Voronezh region

    state educational budgetary institution

    secondary vocational education

    Voronezh region

    "Voronezh College of Construction Technologies"

    (GOBU SPO VO "VTST")

    Maintenance of computer equipment and computer networks


    DIPLOMA PROJECT

    Development of technology for protecting information in wireless networks


    Consultant for the organizational and economic part: S.N. Mukhina

    Standard control: L.I. Short

    Supervisor: N.A. Merkulova

    Developed by: M.A. Sukhanov


    Voronezh 2014



    Annotation

    Introduction

    1.1 Main threats of wireless networks

    1.3 Technologies for protecting information in wireless networks

    1 Setting up the WPA program

    2 Traffic encryption

    4. Occupational health and safety

    4.1 Electrical safety when operating technical equipment

    4.2 Premises requirements

    4.3 Measures for fire-fighting equipment

    Conclusion

    List of abbreviations

    Appendix


    Annotation


    This thesis project involved the development of information security technology for wireless networks, which can be used to increase the protection of the user’s computer, corporate networks, and small offices.

    During the course of the diploma project, the information security technologies for wireless networks were analyzed, as were the software products that make it possible to increase the protection of wireless networks from threats.

    As a result of the project, we gained experience in configuring software products that make it possible to maximally protect a wireless network from common threats.

    The diploma project consists of four sections, contains twenty-four figures, one table.

    Keywords: protection, information, network


    Introduction


    Wireless networks are already used in almost all areas of activity. The widespread use of wireless networks is due to the fact that they can be used not only on personal computers, but also on phones, tablets and laptops, due to their convenience and relatively low cost. Wireless networks must meet a number of requirements for quality, speed, range and security, with security often being the most important factor.

    The relevance of ensuring the security of a wireless network is due to the fact that, while in wired networks an attacker must first gain physical access to the cable system or terminal devices, in wireless networks an ordinary receiver installed within the network’s range is sufficient to gain access.

    Despite the differences in communication implementation, the approach to security of wireless networks and their wired counterparts is identical. But when implementing information security methods in wireless networks, more attention is paid to the requirements for ensuring the confidentiality and integrity of transmitted data, and for verifying the authenticity of wireless clients and access points.

    The object of the study is the means of protecting information in wireless networks.

    The subject of the research is the technology of information protection of wireless networks.

    The goal of the diploma project is to improve the quality of information security in wireless networks.

    To achieve this goal, the following tasks were solved:

    types of threats and their negative impact on the functioning of wireless networks have been studied;

    analyzed software products that protect wireless network information;

    technology for protecting wireless network information has been developed.

    The practical focus of the developed thesis project is that as a result of the application of this thesis project, the protection of wireless network information from unauthorized connections, stable Internet connection speed, and control of unauthorized traffic consumption are achieved.


    1. Threat analysis and wireless network security


    The principle of wireless data transmission includes the possibility of unauthorized connections to access points. When developing a corporate network, administrators must first of all provide for not only high-quality communications coverage of the office area, but also provide security measures, since you can connect to the network from a car parked on the street.

    An equally dangerous threat to wireless networks is the possibility of equipment theft: router, antenna, adapter. If the wireless network security policy is based on MAC addresses, then a network card or router stolen by an attacker can open access to the wireless network.


    1.1 Main threats of wireless networks


    Wireless technologies, operating without the physical and logical limitations of their wired counterparts, expose network infrastructure and users to significant threats. The most common threats are the following:

    Strangers. "Strangers" are devices that provide unauthorized access to a wireless network, often bypassing the protection mechanisms defined by corporate security policies. Most often these are unauthorized access points. Statistics show that the outsider threat is responsible for the majority of wireless network hacks. The role of a stranger can be a home router with Wi-Fi support, a Soft AP software access point, a laptop with wired and wireless interfaces turned on simultaneously, a scanner, a projector, etc.

    Unfixed communication. Wireless devices can change their network connection point during operation. For example, “accidental associations” occur when a laptop running Windows XP (which is quite trusting of all wireless networks), or simply an incorrectly configured wireless client, automatically associates with and connects the user to the nearest wireless network. This mechanism allows attackers to “switch over” an unsuspecting user for subsequent vulnerability scanning.

    Man-in-the-middle attack (MITM). A term used in cryptography for a situation in which a cryptanalyst (attacker) is able to read and modify at will the messages exchanged between correspondents, and none of them can detect his presence in the channel. A MITM attack is a method of compromising a communication channel in which an attacker, having connected to the channel between the counterparties, actively interferes with the transmission protocol, deleting or distorting information or injecting false information. A man-in-the-middle attack usually begins with eavesdropping on the communication channel and ends with an attempt by the cryptanalyst to replace an intercepted message, extract useful information from it, and redirect it to some external resource.

    Example: Object A sends some information to object B. Object C has knowledge about the structure and properties of the data transmission method used and plans to intercept this information. To carry out an attack, C “appears” to object A as object B, and to object B as object A. Thus, object A, sending information to object B, unconsciously sends it to object C. In turn, object C, having received the information and performed some actions with it forwards the data to the real object B. Object B believes that the information was received directly from A.

    Denial of Service - A denial of service attack can be achieved in several ways. If a hacker manages to establish a connection to a wireless network, his malicious actions can cause a number of serious consequences, such as sending responses to Address Resolution Protocol (ARP) requests to change the ARP tables of network devices in order to disrupt network routing or injecting an unauthorized Dynamic Host Configuration Protocol (DHCP) server to issue invalid addresses and network masks. If a hacker finds out the details of the wireless network settings, he can reconnect users to his access point, and the latter will be cut off from network resources that were accessible through the “legitimate” access point.

    Eavesdropping

    Anonymous attackers can intercept radio signals and decrypt transmitted data. The equipment used to eavesdrop on a network may be no more sophisticated than that used for routine access to that network. To intercept a transmission, an attacker must be close to the transmitter. Interceptions of this type are almost impossible to register, and even more difficult to prevent. The use of antennas and amplifiers gives the attacker the opportunity to be at a considerable distance from the target during the interception process. Eavesdropping allows an attacker to gather information about a network that can later be attacked. The attacker's primary goal is to understand who is using the network, what data is available on it, what the capabilities of the network equipment are, at what moments it is being used most and least intensively, and what territory the network deployment covers.


    1.2 Wireless Network Security Tools


    To protect against the most common threats to wireless networks, you can use the following software. WPA (Wi-Fi Protected Access) is an updated wireless device certification program. WPA technology consists of several components:

    802.1x protocol - universal protocol for authentication, authorization and accounting (AAA)

    EAP protocol - Extensible Authentication Protocol

    TKIP protocol - Temporal Key Integrity Protocol, which includes cryptographic verification of packet integrity (Message Integrity Code)

    RADIUS protocol

    The TKIP protocol is responsible for data encryption in WPA. Although it uses the same encryption algorithm as WEP (RC4), unlike the latter it uses dynamic keys (that is, the keys change frequently). It uses a longer initialization vector and a cryptographic checksum (MIC) to verify the integrity of packets (the latter being a function of the source and destination addresses and the data field). The protocol is designed to work in conjunction with an authentication server, which is usually a RADIUS server. In this case, wireless access points operate in enterprise mode.

    If there is no RADIUS server on the network, then the role of the authentication server is performed by the access point itself - the so-called WPA-PSK mode (pre-shared key, shared key). In this mode, a common key is pre-registered in the settings of all access points. It is also registered on client wireless devices. This method of protection is also quite secure (relative to WEP), but is very inconvenient from a management point of view. The PSK key must be registered on all wireless devices; users of wireless devices can see it. If you need to block access to the network for a client, you will have to re-register a new PSK on all network devices, and so on. In other words, WPA-PSK mode is suitable for a home network and perhaps a small office, but nothing more.

    This series of articles will look at how WPA works in conjunction with an external RADIUS server. But before we get to it, let's look a little more closely at the mechanisms of WPA. WPA technology was a temporary measure until the 802.11i standard came into use. Some manufacturers, before the official adoption of this standard, introduced WPA2 technology, which uses technologies from 802.11i to varying degrees, such as the CCMP protocol (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) instead of TKIP; CCMP uses the Advanced Encryption Standard (AES) as its encryption algorithm. The 802.1x protocol is still used for key management and distribution.

    As mentioned above, the 802.1x protocol can perform several functions. In this case, we are interested in user authentication functions and encryption key distribution. It should be noted that authentication occurs "at the port level" - that is, until the user is authenticated, he is allowed to send/receive packets related only to his authentication process (credentials) and nothing more. And only after successful authentication, the port of the device (whether it is an access point or a smart switch) will be opened and the user will have access to network resources.

    Authentication functions are assigned to the EAP protocol, which itself is only a framework for authentication methods. The beauty of the protocol is that it is very simple to implement on the authenticator (access point), since it does not need to know any specific features of the various authentication methods. The authenticator serves only as a transmission link between the client and the authentication server. There are quite a few authentication methods:

    EAP-SIM, EAP-AKA - used in GSM mobile communication networks

    a proprietary method from Cisco Systems

    MD5 - the simplest method, similar to CHAP (not strong)

    MSCHAP V2 - authentication method based on user login/password in MS networks

    TLS - authentication based on digital certificates

    SecureID - method based on one-time passwords

    In addition to the above, two further methods should be noted, EAP-TTLS and EAP-PEAP. Unlike the previous ones, these two methods first create a TLS tunnel between the client and the authentication server before authenticating the user itself. The authentication is then carried out inside this tunnel, using either standard EAP methods (MD5, TLS) or older non-EAP methods (PAP, CHAP, MS-CHAP, MS-CHAP v2); the latter work only with EAP-TTLS (PEAP is used only in conjunction with EAP methods). Pre-tunneling improves authentication security by protecting against man-in-the-middle, session hijacking and dictionary attacks.

    PPP appears in this scheme because EAP was originally planned to be used over PPP tunnels. But since using this protocol only for authentication over a local network is unnecessary redundancy, EAP messages are packaged in “EAP over LAN” (EAPOL) packets, which are used to exchange information between the client and the authenticator (access point).

    The authentication scheme consists of three components: the supplicant - software running on the client machine trying to connect to the network; the authenticator - the access node (a wireless access point or a wired switch supporting the 802.1x protocol); and the authentication server (usually a RADIUS server).

    The authentication process consists of the following stages:

    The client can send an authentication request (EAP-start message) to the access point

    The access point (Authenticator) responds by sending the client a client identification request (EAP-request/identity message). The authenticator can send an EAP request on its own if it sees that any of its ports have become active.

    The client responds by sending an EAP-response packet with the necessary data, which the access point (authenticator) redirects towards the Radius server (authentication server).

    The authentication server sends a challenge packet (a request for information about the client’s authenticity) to the authenticator (access point). The authenticator forwards it to the client.

    Next, the process of mutual identification of the server and client occurs. The number of stages of packet forwarding back and forth varies depending on the EAP method, but for wireless networks only “strong” authentication with mutual authentication of the client and server (EAP-TLS, EAP-TTLS, EAP-PEAP) and pre-encryption of the communication channel is acceptable.

    At the next stage, the authentication server, having received the necessary information from the client, allows (accept) or denies (reject) access, forwarding this message to the authenticator. The authenticator (access point) opens the port for the Supplicant if a positive response (Accept) came from the RADIUS server.

    The port opens, the authenticator sends a success message to the client, and the client gains access to the network.

    After the client is disconnected, the port on the access point returns to the “closed” state.

    EAPOL packets are used for communication between the client (supplicant) and the access point (authenticator). The RADIUS protocol is used to exchange information between the authenticator (access point) and the RADIUS server (authentication server). When transiting information between the client and the authentication server, EAP packets are repackaged from one format to another at the authenticator.
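    The authentication stages listed above, as an added example that is not part of the original text: a supplicant, an authenticator and an authentication server exchange EAP messages, the authenticator relays them (EAPOL on one side, RADIUS on the other) and keeps its port closed to ordinary traffic until the server returns Accept, then closes it again on logoff. Assumptions: the EAP method is a constructed HMAC challenge-response stand-in, not a real EAP method; messages are Python dicts rather than real EAPOL/RADIUS packets; the PMK derivation is a constructed placeholder for the real key hierarchy; user names and passwords are sample data.

```python
import hashlib
import hmac
import os


class AuthenticationServer:
    """Stand-in for the RADIUS server: knows the users, issues a challenge,
    checks the answer and returns Accept (with a PMK) or Reject."""

    def __init__(self, users):
        self.users = users          # identity -> password bytes (constructed data)
        self.challenges = {}

    def handle(self, eap):
        identity = eap.get("identity")
        if eap["type"] == "response/identity":
            if identity not in self.users:
                return {"type": "reject"}
            nonce = os.urandom(16)
            self.challenges[identity] = nonce
            return {"type": "request/challenge", "identity": identity, "nonce": nonce}
        if eap["type"] == "response/challenge":
            nonce = self.challenges.pop(identity, None)
            if nonce is not None:
                expected = hmac.new(self.users[identity], nonce, hashlib.sha256).digest()
                if hmac.compare_digest(expected, eap["proof"]):
                    # Both sides know the password and the nonce, so both derive
                    # the same PMK (placeholder derivation); the server hands its
                    # copy to the authenticator with the Accept.
                    pmk = hashlib.sha256(b"PMK" + self.users[identity] + nonce).digest()
                    return {"type": "accept", "pmk": pmk}
        return {"type": "reject"}


class Supplicant:
    """Client software: answers the identity request and the challenge."""

    def __init__(self, identity, password):
        self.identity, self.password, self.pmk = identity, password, None

    def answer(self, eap):
        if eap["type"] == "request/identity":
            return {"type": "response/identity", "identity": self.identity}
        if eap["type"] == "request/challenge":
            nonce = eap["nonce"]
            self.pmk = hashlib.sha256(b"PMK" + self.password + nonce).digest()
            proof = hmac.new(self.password, nonce, hashlib.sha256).digest()
            return {"type": "response/challenge", "identity": self.identity, "proof": proof}
        raise ValueError("unexpected EAP message: %r" % eap["type"])


class Authenticator:
    """Access point: relays EAP between supplicant and server and gates the port."""

    def __init__(self, server):
        self.server = server
        self.port_open = False
        self.pmk = None

    def on_eapol(self, eapol):
        """Handle one EAPOL frame from the supplicant; return the EAP reply to send back."""
        if eapol["type"] == "start":
            return {"type": "request/identity"}          # EAP-Request/Identity
        if eapol["type"] == "logoff":
            self.port_open, self.pmk = False, None      # port returns to "closed"
            return None
        # Repackage EAPOL -> RADIUS, forward to the server, repackage the reply.
        reply = self.server.handle(eapol)
        if reply["type"] == "accept":
            self.port_open, self.pmk = True, reply["pmk"]
            return {"type": "success"}
        if reply["type"] == "reject":
            return {"type": "failure"}
        return reply                                     # relay the challenge unchanged

    def on_data(self, frame):
        """Ordinary (non-EAPOL) traffic passes only while the port is open."""
        return self.port_open


def run_authentication(ap, supplicant):
    """Drive the exchange from EAP-Start to Success/Failure; return the outcome."""
    msg = ap.on_eapol({"type": "start"})
    while msg["type"] not in ("success", "failure"):
        msg = ap.on_eapol(supplicant.answer(msg))
    return msg["type"]


def demo():
    server = AuthenticationServer({"alice": b"correct horse battery"})  # constructed
    ap = Authenticator(server)
    out = {"data_before": ap.on_data(b"DHCP Discover")}        # False: port closed
    good = Supplicant("alice", b"correct horse battery")
    out["good_result"] = run_authentication(ap, good)          # "success"
    out["pmk_matches"] = ap.pmk == good.pmk                    # same PMK on both sides
    out["data_after"] = ap.on_data(b"DHCP Discover")           # True: port open
    ap.on_eapol({"type": "logoff"})
    out["data_after_logoff"] = ap.on_data(b"DHCP Discover")    # False again
    out["bad_result"] = run_authentication(ap, Supplicant("alice", b"wrong"))  # "failure"
    out["port_open_after_bad"] = ap.port_open                  # False
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```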

    Initial authentication is performed on the basis of common data that both the client and the authentication server know (such as login/password, a certificate, etc.) - at this stage the Master Key is generated. Using the Master Key, the authentication server and client generate a Pairwise Master Key, which the authentication server passes to the authenticator. Based on the Pairwise Master Key, all other dynamic keys are generated, which protect the transmitted traffic. It should be noted that the Pairwise Master Key itself is also subject to dynamic change.

    WEP (Wired Equivalent Privacy) is an old method of ensuring network security. It is still available to support legacy devices, but its use is not recommended. Enabling WEP configures the network security key. This key encrypts the information that the computer transmits over the network to other computers. However, WEP security is relatively easy to break.

    There are two types of WEP security methods: open system authentication and shared key authentication. Neither provides a high level of security, but the shared key authentication method is less secure. For most computers and wireless access points, the shared key authentication key is the same as the static WEP encryption key that is used to secure the network. An attacker who intercepts successful shared key authentication messages can use sniffing tools to determine the shared key authentication key and then the static WEP encryption key. Once a static WEP encryption key is determined, an attacker can gain full access to the network. For this reason, this version of Windows does not automatically support network configuration through WEP shared key authentication.

    WEP uses a pseudo-random number generator (the RC4 algorithm) keyed by the secret key together with an initialization vector. Since the initialization vector is transmitted unencrypted, third parties can intercept traffic and recover the WEP key.

    The analysis of threats to wireless networks showed that the most common threats are strangers, unfixed communications, denial of service, and eavesdropping.

    A review of software tools used to protect information on wireless networks showed that it is most advisable to use the WPA program. The WPA program is an updated wireless device certification program. The WPA program enhances data security and access control to wireless networks, and supports encryption in accordance with the AES standard (Advanced Encryption Standard), which has a more robust cryptographic algorithm.


    2. Technologies for protecting information in wireless networks


    2.1 Setting up the WPA program


    The ability to configure WPA in Windows XP appears with the installation of Service Pack version 2 (or the corresponding updates located on the Microsoft website).


    [Screenshots of the WPA configuration steps from the original document are not reproduced here]

    2.3 Traffic encryption


    Any access point allows you to enable encryption mode for traffic transmitted over a wireless network. Encrypting traffic hides the data of network users and makes it very difficult for attackers to decrypt data transmitted over an encrypted network. There are several encryption methods, the most common of which are WEP and, more secure, WPA and WPA2. The WEP encryption method is not strong enough by modern standards, so modern 802.11g access points already use the improved WPA encryption method. Let's consider setting up WPA encryption. In the control panel of the access point, enable the “WPA-PSK” mode (preferably “WPA2-PSK”); sometimes there are submodes, of which you need to choose personal or simplified, since the others may not work on your network without a dedicated server. In WPA mode, you need to select the encryption algorithm “AES” or “TKIP” and enter the encryption key, which can be any characters (it is advisable to use a key of the maximum length, with letters mixed with numbers).

    Figure 15-Configuring WPA-PSK mode on the access point


    All Wi-Fi adapters are configured in the same way. Namely, on each computer/laptop, in the “Wireless Network Connection” properties, select “WPA-PSK” for authentication and “AES” or “TKIP” data encryption, depending on the encryption selected at the access point.

    Figure 16-Configuring the network adapter in WPA-PSK mode


    Step 1 Open your web browser, type the router's IP address (192.168.1.1 by default) in the address bar and press Enter.


    Figure 17-Browser window


    Step 2 Enter the username and password on the login page; the default username and password are both admin.


    Step 3 From the left menu, select Wireless -> Wireless Settings, the wireless settings window will open.


    Figure 19-Wireless network settings window


    SSID (Wireless Network Name): Set a new name for your wireless network

    Channel: 1, 6 or 11 are better than Auto.

    Check the "Enable Wireless Router Radio" and "Enable SSID Broadcast" boxes.

    Note: After clicking the Save button, the message “Changes to wireless settings will only work after you restart your computer, please click here to restart your computer now” appears. You do not need to reboot your router until you have completed all wireless network settings.

    Step 5 From the menu on the left, select Wireless -> Wireless Security; on the right side, enable the WPA-PSK / WPA2-PSK option.

    Figure 20-WPA-PSK setup


    Version: WPA-PSK or WPA2-PSK

    Encryption: TKIP or AES

    Password: Enter the password (pre-shared key length is from 8 to 63 characters).

    Step 7 From the menu on the left, select System Tools -> Reboot. Reboot the router for the settings to take effect.
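    What happens to the 8-63 character pre-shared key entered in step 5, as an added example that is not part of the original text: WPA-PSK derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations) using the SSID from step 3 as the salt, so the same passphrase yields a different key on every differently named network. The "password"/"IEEE" vector is the one published in IEEE 802.11i Annex H; the settings-review helper and its 20-character threshold are an added assumption that mirrors the advice given above (prefer WPA2-PSK and AES, use a long key with letters mixed with numbers).

```python
import hashlib
from typing import List, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/802.11i passphrase-to-PSK mapping
PMK_LEN = 32               # 256-bit Pairwise Master Key


def passphrase_problem(passphrase: str) -> Optional[str]:
    """Return why the passphrase is unusable in the router's Password field, or None if ok."""
    if not 8 <= len(passphrase) <= 63:
        return "WPA-PSK passphrase must be 8 to 63 characters long"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return "WPA-PSK passphrase must be printable ASCII"
    return None


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def same_key_on_two_networks(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if both networks end up with the same PMK, i.e. only if the SSIDs match."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def check_router_settings(version: str, encryption: str, passphrase: str) -> List[str]:
    """Review the fields from step 5 and return findings (empty list means no objections).
    The 20-character minimum is this example's assumption, not a value from the text."""
    findings = []
    if version not in ("WPA-PSK", "WPA2-PSK"):
        findings.append("unknown security version: %s" % version)
    elif version == "WPA-PSK":
        findings.append("WPA-PSK selected; prefer WPA2-PSK")
    if encryption == "TKIP":
        findings.append("TKIP encryption selected; prefer AES")
    problem = passphrase_problem(passphrase)
    if problem:
        findings.append(problem)
    elif len(passphrase) < 20 or passphrase.isalpha():
        findings.append("passphrase is short or letters only; use a long mix of letters and digits")
    return findings


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(check_router_settings("WPA-PSK", "TKIP", "letters"))
```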


    Figure 21-Utilities


    3. Organizational and economic part


    The adapter price was chosen by comparing the price lists of three companies: SaNi, RET and DNS-SHOP; the prices are shown in Table 1.


    Table 1 - Comparison of three price lists

    No.  Shop      Price      Product name
    1    RET       RUR 1,841  Powerline network adapter TP-Link TL-WPA2220KIT
    2    SaNi      RUR 2,190  Powerline network adapter TP-Link TL-WPA2220KIT
    3    DNS-SHOP  RUR 1,870  Powerline network adapter TP-Link TL-WPA2220KIT


    By analyzing and comparing prices, I concluded that it is most profitable to purchase this adapter with WPA support in the RET store, since the price was 1,841 rubles.


    4. Occupational Health and Safety


    General provisions.

    The labor safety instruction is the main document establishing for workers the rules of conduct at work and the requirements for safe performance of work.

    Knowledge of the Labor Safety Instructions is mandatory for workers of all categories and skill groups, as well as their immediate supervisors.

    At each Facility, safe routes through the Facility to the place of work and evacuation plans in case of fire and emergency must be developed and brought to the attention of all personnel.

    Every worker is obliged:

    comply with the requirements of these Instructions;

    immediately inform your immediate supervisor, and in his absence, a superior manager, about the accident that has occurred and about all violations of the requirements of the instructions noticed by him, as well as about malfunctions of structures, equipment and protective devices;

    remember personal responsibility for failure to comply with safety requirements;

    ensure the safety of protective equipment, tools, devices, fire extinguishing equipment and occupational safety documentation at your workplace.

    IT IS PROHIBITED to carry out orders that contradict the requirements of this Instruction and the “Inter-industry rules for labor protection (safety rules) during the operation of electrical installations” POT R M-016-2001 (RD 153-34.0-03.150-00).

    Any computer is an electrical device and poses a potential threat. Therefore, when working with a computer, it is necessary to comply with safety requirements.

    Before starting work, you should make sure that the electrical wiring, switches, plug sockets with which the equipment is connected to the network are in good condition, that the computer is grounded and that it is working properly. It is unacceptable to use low-quality and worn-out components in the power supply system, as well as their surrogate substitutes: sockets, extension cords, adapters, tees. It is unacceptable to independently modify sockets to accept plugs that meet other standards. Electrical contacts of sockets should not experience mechanical stress associated with connecting massive components (adapters, tees, etc.). All power cables and wires should be located at the back of the computer and peripheral devices. Their placement in the user's work area is unacceptable.

    It is prohibited to perform any operations related to connecting, disconnecting or moving components of a computer system without first turning off the power. The computer should not be installed near electrical heaters or heating systems. It is unacceptable to place foreign objects on the system unit, monitor and peripheral devices: books, sheets of paper, napkins, dust covers. This results in permanent or temporary blockage of the ventilation openings. Do not introduce foreign objects into the service or ventilation openings of computer system components.

    Some computer components are capable of maintaining high voltage for a long time after

    Features of the power supply of the system unit. All components of the system unit receive electricity from the power supply. The PC power supply is a stand-alone unit located at the top of the system unit. Safety regulations do not prohibit opening the system unit, for example, when installing additional internal devices or upgrading them, but this does not apply to the power supply. The computer power supply is a source of increased fire hazard, so it can only be opened and repaired in specialized workshops. The power supply has a built-in fan and ventilation holes. Due to this, dust will inevitably accumulate in it, which can cause a short circuit. It is recommended to periodically (once or twice a year) use a vacuum cleaner to remove dust from the power supply through the ventilation holes without opening the system unit. It is especially important to perform this operation before each transportation or tilt of the system unit.

    System of hygienic requirements. Working with a computer for a long time can lead to health problems. Short-term work with a computer installed in gross violations of hygiene standards and rules leads to increased fatigue. The harmful effects of a computer system on the human body are complex. Monitor parameters affect the organs of vision. The equipment of the workplace affects the organs of the musculoskeletal system. The nature of the arrangement of equipment in a computer class and the mode of its use affects both the general psychophysiological state of the body and its visual organs.


    Video system requirements. In the past, monitors were viewed primarily as a source of harmful radiation, primarily affecting the eyes. Today this approach is considered insufficient. In addition to harmful electromagnetic radiation (which on modern monitors has been reduced to a relatively safe level), image quality parameters must be taken into account, and they are determined not only by the monitor, but also by the video adapter, that is, the entire video system as a whole.

    At the workplace, the monitor must be installed in such a way as to exclude the possibility of reflection from its screen towards the user from sources of general lighting in the room.
    The distance from the monitor screen to the user’s eyes should be from 50 to 70 cm. There is no need to try to move the monitor as far as possible from the eyes for fear of harmful radiation (based on everyday experience with TV), because the viewing angle of the most characteristic objects is also important for the eye. Optimally, the monitor should be placed at a distance of 1.5 D from the user's eyes, where D is the size of the monitor screen, measured diagonally. Compare this recommendation with the 3...5 D value recommended for household televisions, and compare the size of the characters on the monitor screen (the most typical object that requires concentration) with the size of objects typical for television (images of people, buildings, natural objects). An excessive distance from the eyes to the monitor leads to additional strain on the visual organs, affects the difficulty of transition from working with a monitor to working with a book, and manifests itself in the premature development of farsightedness. An important parameter is the frame rate, which depends on the properties of the monitor, video adapter and software settings of the video system. To work with texts, the minimum frame rate allowed is 72 Hz. For graphics work, a frame rate of 85 Hz or higher is recommended.

    Workplace requirements. The requirements for the workplace include requirements for a desktop, a seat (chair, armchair), rests for arms and legs. Despite its apparent simplicity, ensuring the correct placement of computer system elements and the correct seating of the user is extremely difficult. A complete solution to the problem requires additional costs comparable in magnitude to the cost of individual components of a computer system, therefore, in everyday life and in production, these requirements are often neglected.

    The monitor should be installed directly in front of the user and should not require rotation of the head or body.

    The desktop and seat should be of such a height that the user's eye level is slightly above the center of the monitor. You should look at the monitor screen from top to bottom, and not vice versa. Even short-term work with a monitor installed too high leads to fatigue of the cervical spine.

    If, when correctly positioning the monitor relative to eye level, it turns out that the user’s feet cannot rest freely on the floor, a footrest should be installed, preferably an inclined one. If the legs do not have reliable support, this will certainly lead to poor posture and fatigue of the spine. It is convenient when computer furniture (desk and work chair) have means for height adjustment. In this case, it is easier to achieve the optimal position.

    The keyboard should be located at such a height that the fingers rest on it freely, without tension, and the angle between the shoulder and forearm is 100° - 110°. For work, it is recommended to use special computer tables that have pull-out shelves for the keyboard. Working with the keyboard for a long time can cause fatigue in the tendons of the wrist joint. A serious occupational disease is known - carpal tunnel syndrome, associated with incorrect hand position on the keyboard. To avoid excessive stress on the hand, it is advisable to provide a work chair with armrests, the height of which, measured from the floor, coincides with the height of the keyboard.

    When working with the mouse, your hand should not be suspended. The elbow or at least the wrist should have firm support. If it is difficult to provide the necessary location of the desktop and chair, it is recommended to use a mouse pad with a special support roller. There are often cases when, in search of support for the hand (usually the right one), the monitor is placed on the side of the user (respectively, on the left), so that he works half-turned, resting the elbow or wrist of the right hand on the table.


    4.1 Electrical safety requirements


    When using computer technology and peripheral equipment, each employee must handle electrical wiring, devices and equipment carefully and always remember that neglecting safety rules threatens both human health and life.

    To avoid electric shock, you must know and follow the following rules for the safe use of electricity:

    It is necessary to constantly monitor at your workplace the good condition of electrical wiring, switches, plug sockets with which the equipment is connected to the network, and grounding. If a malfunction is detected, immediately turn off the power to the electrical equipment and notify the administration. Continued operation is only possible after the fault has been eliminated.

    To avoid damage to the wire insulation and short circuits, the following is not permitted:

    a) hang something on wires;

    b) paint over and whiten cords and wires;

    c) lay wires and cords behind gas and water pipes, behind radiators of the heating system;

    d) pull the plug out of the socket by the cord, force must be applied to the body of the plug.

    To prevent electric shock, the following is prohibited:

    a) often turn the computer on and off unnecessarily;

    b) touch the screen and the back of the computer blocks;

    c) work on computer equipment and peripheral equipment with wet hands;

    d) work on computers and peripheral equipment that have violations of the integrity of the case, violations of wire insulation, faulty power-on indication, or signs of electrical voltage on the case;

    e) place foreign objects on computer equipment and peripheral equipment.

    It is prohibited to clean electrical equipment from dust and dirt while under voltage.

    It is prohibited to check the functionality of electrical equipment in rooms that are not suitable for use with conductive floors, damp, and do not allow accessible metal parts to be grounded.

    Repair of electrical equipment is carried out only by specialist technicians in compliance with the necessary technical requirements.

    It is unacceptable to carry out repairs on computers and peripheral equipment while under voltage.

    To avoid electric shock, when using electrical appliances, you must not simultaneously touch any pipelines, heating radiators, or metal structures connected to the ground.

    When using electricity in damp areas, take special care.

    If a broken wire is detected, you must immediately inform the administration about it and take measures to prevent people from coming into contact with it. Touching the wire is life-threatening.

    The salvation of a victim in case of electric shock mainly depends on the speed of his release from the effects of the current.

    In all cases of electric shock to a person, call a doctor immediately. Before the doctor arrives, you must, without wasting time, begin providing first aid to the victim.

    It is necessary to immediately begin artificial respiration, the most effective of which is the “mouth to mouth” or “mouth to nose” method, as well as external cardiac massage.

    Artificial respiration is performed for the person affected by the electric current until the doctor arrives.


    4.2 Premises requirements


    The premises must have natural and artificial lighting. The location of workstations behind monitors for adult users in basements is not permitted.

    The area per workplace with a computer for adult users must be at least 6 m², and the volume must be at least 20 m³.

    Rooms with computers must be equipped with heating, air conditioning or effective supply and exhaust ventilation systems.

    For interior decoration of rooms with computers, diffusely reflective materials with a reflectance coefficient for the ceiling of 0.7-0.8 should be used; for walls - 0.5-0.6; for the floor - 0.3-0.5.

    The floor surface in computer operating rooms must be smooth, without potholes, non-slip, easy to clean and wet, and have antistatic properties.

    There should be a first aid kit and a carbon dioxide fire extinguisher in the room to extinguish a fire.


    4.3 Fire safety requirements


    It is prohibited to have flammable substances in the workplace.

    The following is prohibited on the premises:

    a) light a fire;

    b) turn on electrical equipment if the room smells of gas;

    c) smoke;

    d) dry something on heating devices;

    e) close ventilation holes in electrical equipment.

    Sources of ignition are:

    a) sparks due to static electricity discharge;

    b) sparks from electrical equipment;

    c) sparks from impact and friction;

    d) open flame.

    If a fire hazard or fire occurs, personnel must immediately take the necessary measures to eliminate it, and at the same time notify the administration about the fire.

    Premises with electrical equipment must be equipped with fire extinguishers of the OU-2 or OUB-3 type.


    Conclusion


    Today, wireless networks have become widespread, which leads to the need to develop technology for protecting information in wireless networks.

    As a result of the research conducted in this thesis project, the following conclusions can be drawn:

    Wireless data transmission carries the possibility of unauthorized connection to access points, unfixed communication and eavesdropping; therefore high-quality security measures are required, since one can connect to the network from a car parked on the street.

    A software review showed that specialized programs such as WEP and WPA are used to protect wireless network information.

    It is most advisable to use the WPA program to protect wireless network information, since the WPA program enhances data security and access control for wireless networks, and supports encryption in accordance with the AES standard (Advanced Encryption Standard), which has a stronger cryptographic algorithm.



    List of abbreviations


    WEP - Wired Equivalent Privacy
    WPA - Wi-Fi Protected Access
    ARP - Address Resolution Protocol
    AES - Advanced Encryption Standard
    TKIP - Temporal Key Integrity Protocol
    Wi-Fi - Wireless Fidelity


    Appendix A


    Figure 22- WPA security


    Figure 23 - Building a secure wireless network


    Figure 24 - WPA-enabled adapter


    Development of technology for protecting information in wireless networks


    Department of Education, Science and Youth Policy of the Voronezh Region
    State educational budgetary institution of secondary vocational education of the Voronezh Region
    "Voronezh College of Construction Technologies"
    (GOBU SPO VO "VTST")

    Maintenance of computer equipment and computer networks

    DIPLOMA PROJECT
    Development of technology for information security means of wireless networks

    Consultant on organizational and economic part: S. N. Mukhina
    Standard control: L. I. Korotkikh
    Head: N. A. Merkulova
    Developed by: M. A. Sukhanov

    Voronezh 2014

    1. Threat analysis and wireless network security

    1.1 Main threats of wireless networks

    1.3 Technologies for protecting information in wireless networks

    2.1 Setting up the WPA program

    2.2 Traffic encryption

    3. Organizational and economic part

    4. Occupational health and safety

    4.1 Electrical safety when operating technical equipment

    4.2 Premises requirements

    4.3 Measures for fire-fighting equipment

    Conclusion

    List of sources used

    List of abbreviations

    Appendix

    Abstract

    In this diploma project, technology was developed to protect information in wireless networks, which can be used to increase the protection of the user's computer, corporate networks, and small offices.

    During the course of the diploma project, an analysis of information security technology for wireless networks was carried out, and an analysis of software products that made it possible to increase the protection of wireless networks from threats was carried out.

    As a result of the project, we gained experience in configuring software products that make it possible to maximally protect a wireless network from common threats.

    The diploma project consists of four sections, contains twenty-four figures, one table.

    Introduction

    Wireless networks are already used in almost all areas of activity. The widespread use of wireless networks is due to the fact that they can be used not only on personal computers, but also on phones, tablets and laptops, and to their convenience and relatively low cost. Wireless networks must meet a number of requirements for quality, speed, range and security, with security often being the most important factor.

    The relevance of ensuring the security of a wireless network is due to the fact that while in wired networks an attacker must first gain physical access to the cable system or terminal devices, then in wireless networks a conventional receiver installed within the network’s range is sufficient to gain access.

    Despite the differences in communication implementation, the approach to security of wireless networks and their wired counterparts is identical. But when implementing information security methods in wireless networks, more attention is paid to the requirements for ensuring the confidentiality and integrity of transmitted data, and for verifying the authenticity of wireless clients and access points.

    The object of the research is the means of protecting information of wireless networks. The subject of the research is the technology of protecting information of wireless networks. The goal of the diploma project is to improve the quality of protecting information of wireless networks. To achieve this goal, the following tasks were solved:

    types of threats and their negative impact on the functioning of wireless networks have been studied;

    analyzed software products that protect wireless network information;

    technology for protecting wireless network information has been developed;

    The practical focus of the developed thesis project is that as a result of the application of this thesis project, the protection of wireless network information from unauthorized connections, stable Internet connection speed, and control of unauthorized traffic consumption are achieved.

    1. Analysis of threats and security of a wireless network

    The principle of wireless data transmission includes the possibility of unauthorized connections to access points. When developing a corporate network, administrators must provide not only high-quality communications coverage of the office area, but also security measures, since one can connect to the network from a car parked on the street.

    An equally dangerous threat to wireless networks is the possibility of equipment theft: router, antenna, adapter. If the wireless network security policy is based on MAC addresses, then a network card or router stolen by an attacker can open access to the wireless network.

    1.1 Key Threats to Wireless Networks

    Wireless technologies, operating without the physical and logical limitations of their wired counterparts, expose network infrastructure and users to significant threats. The most common threats are the following:

    Strangers. "Strangers" are devices that provide unauthorized access to a wireless network, often bypassing the protection mechanisms defined by corporate security policies. Most often these are unauthorized access points. Statistics show that the outsider threat is responsible for the majority of wireless network hacks. The role of a stranger can be a home router with Wi-Fi support, a Soft AP software access point, a laptop with wired and wireless interfaces turned on simultaneously, a scanner, a projector, etc.

    Unfixed communication - wireless devices can change network connection points during operation. For example, “random associations” can occur when a laptop with Windows XP (which is quite trusting of all wireless networks) or simply an incorrectly configured wireless client automatically associates and connects the user to the nearest wireless network. This mechanism allows attackers to “switch on” an unsuspecting user for subsequent vulnerability scanning.

    MITM attack (Man in the middle, “man in the middle”) is a term used in cryptography that refers to a situation where a cryptanalyst (attacker) is able to read and modify at will the messages exchanged between correspondents, and neither of them can detect his presence in the channel. A MITM attack is a method of compromising a communication channel in which an attacker, having connected to the channel between the counterparties, actively interferes with the transmission protocol by deleting or distorting information, or injecting false information. A man-in-the-middle attack usually begins with eavesdropping on a communication channel and ends with an attempt by the cryptanalyst to replace an intercepted message, extract useful information from it, or redirect it to some external resource.

    Example: Object A sends some information to object B. Object C knows the structure and properties of the data transmission method used and plans to intercept this information. To carry out the attack, C “appears” to object A as object B, and to object B as object A. Thus object A, sending information to object B, unknowingly sends it to object C. In turn, object C, having received the information and performed some actions on it, forwards the data to the real object B. Object B believes that the information was received directly from A.

    Denial of Service – A denial of service attack can be achieved in several ways. If a hacker manages to establish a connection to a wireless network, his malicious actions can cause a number of serious consequences, such as sending responses to Address Resolution Protocol (ARP) requests to change the ARP tables of network devices in order to disrupt network routing or injecting an unauthorized Dynamic Host Configuration Protocol (DHCP) server to issue invalid addresses and network masks. If a hacker finds out the details of the wireless network settings, he can reconnect users to his access point, and the latter will be cut off from network resources that were accessible through the “legitimate” access point.

    Eavesdropping. Anonymous intruders can intercept radio signals and decrypt transmitted data. The equipment used to eavesdrop on a network may be no more sophisticated than that used for routine access to that network. To intercept a transmission, an attacker must be close to the transmitter. Interceptions of this type are almost impossible to detect, and even more difficult to prevent. The use of antennas and amplifiers allows the attacker to be at a considerable distance from the target during the interception. Eavesdropping allows an attacker to gather information about a network that can later be attacked. The attacker's primary goal is to understand who is using the network, what data is available on it, what the capabilities of the network equipment are, at what moments it is used most and least intensively, and what territory the network deployment covers.

    1.2 Wireless Network Security Tools

    The following software can be used to protect against the most common wireless network threats:

    WPA (Wi-Fi Protected Access) is an updated wireless device certification program. WPA technology consists of several components:

    802.1x protocol -- Universal Authentication, Authorization, and Accounting (AAA) protocol

    EAP protocol -- Extensible Authentication Protocol

    TKIP protocol -- Temporal Key Integrity Protocol

    MIC -- cryptographic packet integrity check (Message Integrity Code)

    RADIUS protocol

    The TKIP protocol is responsible for data encryption in WPA. Although it uses the same encryption algorithm as WEP, RC4, unlike WEP it uses dynamic keys (that is, the keys change frequently). It also uses a longer initialization vector and a cryptographic checksum (MIC) to verify the integrity of packets; the MIC is a function of the source and destination addresses and the data field.

    The RADIUS protocol is designed to work in conjunction with an authentication server, which is usually a RADIUS server. In this case, wireless access points operate in enterprise mode.

    If there is no RADIUS server on the network, then the role of the authentication server is performed by the access point itself: the so-called WPA-PSK (pre-shared key) mode. In this mode, a common key is pre-registered in the settings of all access points. It is also registered on client wireless devices. This method of protection is also quite secure (relative to WEP), but is very inconvenient from a management point of view. The PSK key must be registered on all wireless devices, and users of wireless devices can see it. If you need to block a client's access to the network, you will have to register a new PSK on all network devices, and so on. In other words, WPA-PSK mode is suitable for a home network and perhaps a small office, but nothing more.

    This series of articles will look at how WPA works in conjunction with an external RADIUS server. But before we get to that, let's look a little more closely at the mechanisms of WPA. WPA technology was a temporary measure until the 802.11i standard came into use. Before the official adoption of that standard, some manufacturers introduced WPA2 technology, which uses technologies from 802.11i to varying degrees: the CCMP protocol (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP and uses the Advanced Encryption Standard (AES) as its encryption algorithm, while the 802.1x protocol is still used for key management and distribution.

    As mentioned above, the 802.1x protocol can perform several functions. In this case, we are interested in user authentication functions and encryption key distribution. It should be noted that authentication occurs "at the port level" - that is, until the user is authenticated, he is allowed to send/receive packets related only to his authentication process (credentials) and nothing more. And only after successful authentication, the port of the device (whether it is an access point or a smart switch) will be opened and the user will have access to network resources.

    Authentication functions are assigned to the EAP protocol, which itself is only a framework for authentication methods. The beauty of the protocol is that it is very simple to implement on the authenticator (access point), since it does not need to know any specific features of the various authentication methods. The authenticator serves only as a transmission link between the client and the authentication server. There are quite a few authentication methods:

    EAP-SIM, EAP-AKA -- used in GSM mobile networks

    LEAP -- proprietary method from Cisco Systems

    EAP-MD5 is the simplest method, similar to CHAP (not robust)

    EAP-MSCHAP V2 -- authentication method based on user login/password in MS networks

    EAP-TLS -- authentication based on digital certificates

    EAP-SecurID -- method based on one-time passwords

    In addition to the above, two further methods should be noted, EAP-TTLS and EAP-PEAP. Unlike the previous ones, these two methods first create a TLS tunnel between the client and the authentication server before authenticating the user. The authentication itself is then carried out inside this tunnel, using either standard EAP methods (MD5, TLS) or older non-EAP methods (PAP, CHAP, MS-CHAP, MS-CHAP v2); the latter work only with EAP-TTLS (PEAP is used only in conjunction with EAP methods). Pre-tunneling improves authentication security by protecting against man-in-the-middle, session hijacking, and dictionary attacks.

    EAP was originally designed to run over PPP links. But since using PPP only for authentication on a local network would be unnecessary redundancy, EAP messages are packaged in “EAP over LAN” (EAPOL) frames, which are used to exchange information between the client and the authenticator (access point).

    The authentication scheme consists of three components:

    Supplicant - software running on a client machine trying to connect to the network

    Authenticator -- access node, authenticator (wireless access point or wired switch supporting 802.1x protocol)

    Authentication Server -- authentication server (usually a RADIUS server).

    The authentication process consists of the following stages:

    The client can send an authentication request (EAP-start message) to the access point

    The access point (Authenticator) responds by sending the client a client identification request (EAP-request/identity message). The authenticator can send an EAP request on its own if it sees that any of its ports have become active.

    The client responds by sending an EAP-response packet with the necessary data, which the access point (authenticator) redirects towards the RADIUS server (authentication server).

    The authentication server sends a challenge packet (a request for information about the client’s authenticity) to the authenticator (access point). The authenticator forwards it to the client.

    Next, the process of mutual identification of the server and client occurs. The number of stages of packet forwarding back and forth varies depending on the EAP method, but for wireless networks only “strong” authentication with mutual authentication of the client and server (EAP-TLS, EAP-TTLS, EAP-PEAP) and pre-encryption of the communication channel is acceptable.

    At the next stage, the authentication server, having received the necessary information from the client, allows (accept) or denies (reject) access, forwarding this message to the authenticator. The authenticator (access point) opens the port for the Supplicant if a positive response (Accept) came from the RADIUS server.

    The port opens, the authenticator sends a success message to the client, and the client gains access to the network.

    After the client is disconnected, the port on the access point returns to the “closed” state.

    EAPOL packets are used for communication between the client (supplicant) and the access point (authenticator). The RADIUS protocol is used to exchange information between the authenticator (access point) and the RADIUS server (authentication server). When information transits between the client and the authentication server, EAP packets are repackaged from one format to the other at the authenticator.

    Initial authentication is performed on the basis of common data that both the client and the authentication server know (such as login/password, certificate, etc.); at this stage the Master Key is generated. Using the Master Key, the authentication server and client generate a Pairwise Master Key, which is passed to the authenticator by the authentication server. Based on the Pairwise Master Key, all other dynamic keys are generated, which protect the transmitted traffic. It should be noted that the Pairwise Master Key itself is also subject to dynamic change.
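The port-based exchange in the eight steps above and the Master Key / Pairwise Master Key hierarchy just described, as an added simulation that is not part of the diploma project. The challenge-response "EAP method", the HMAC-SHA256 derivation labels and the class names (Supplicant, Authenticator, AuthServer) are constructed for illustration; they are not EAP-TLS and not the 802.11i key derivation.

```python
import hashlib
import hmac
import secrets


def derive(key: bytes, label: str, *parts: bytes) -> bytes:
    """Illustrative HMAC-SHA256 key-derivation step (constructed; not the 802.11i PRF)."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


class AuthServer:
    """Authentication server (RADIUS role): holds credentials, never talks to the client directly."""
    def __init__(self, users):
        self.users = users      # identity -> shared credential (constructed store)
        self.pending = {}       # identity -> outstanding challenge

    def on_identity(self, identity):
        """EAP-Response/Identity arrives via RADIUS: issue a challenge (toy EAP method)."""
        if identity not in self.users:
            return None
        challenge = secrets.token_bytes(16)
        self.pending[identity] = challenge
        return challenge

    def on_response(self, identity, response):
        """Check the response; on success derive Master Key -> PMK and return Accept."""
        challenge = self.pending.pop(identity, None)
        cred = self.users.get(identity)
        if challenge is None or cred is None:
            return "Reject", None
        expected = hmac.new(cred, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "Reject", None
        master_key = derive(cred, "master key", challenge)
        pmk = derive(master_key, "pairwise master key")
        return "Accept", pmk    # PMK goes to the authenticator, never over the air


class Supplicant:
    """Client software: answers the challenge and derives the same PMK locally."""
    def __init__(self, identity, cred):
        self.identity, self.cred, self.pmk = identity, cred, None

    def answer(self, challenge):
        master_key = derive(self.cred, "master key", challenge)
        self.pmk = derive(master_key, "pairwise master key")
        return hmac.new(self.cred, challenge, hashlib.sha256).digest()


class Authenticator:
    """Access point: relays EAP between EAPOL (client side) and RADIUS (server side).
    Its controlled port passes data frames only after the server has said Accept."""
    def __init__(self, server):
        self.server, self.port_open, self.pmk = server, False, None

    def authenticate(self, supplicant):
        # Steps 1-3: EAP-Start, EAP-Request/Identity, EAP-Response/Identity repackaged into RADIUS
        challenge = self.server.on_identity(supplicant.identity)
        if challenge is None:
            return "Reject"
        response = supplicant.answer(challenge)      # step 4: challenge relayed to the client
        verdict, pmk = self.server.on_response(supplicant.identity, response)
        if verdict == "Accept":                      # steps 6-7: open the port, keep the PMK
            self.pmk, self.port_open = pmk, True
        return verdict

    def send_data(self, frame):
        """A data frame from the client is dropped while the controlled port is closed."""
        return self.port_open

    def disconnect(self):
        self.port_open, self.pmk = False, None       # step 8: port returns to 'closed'


def session_keys(pmk, anonce, snonce):
    """Dynamic traffic key from the PMK plus fresh nonces (constructed scheme)."""
    return derive(pmk, "pairwise transient key", anonce, snonce)


def run_demo():
    users = {"alice": b"constructed-secret-for-alice"}
    ap = Authenticator(AuthServer(users))
    alice = Supplicant("alice", users["alice"])
    impostor = Supplicant("alice", b"wrong-secret")   # right identity, wrong credential

    before = ap.send_data(b"constructed data frame")  # port closed: dropped
    bad = ap.authenticate(impostor)
    still_closed = not ap.port_open
    good = ap.authenticate(alice)
    after = ap.send_data(b"constructed data frame")
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    keys_match = session_keys(ap.pmk, anonce, snonce) == session_keys(alice.pmk, anonce, snonce)
    ap.disconnect()
    return {"before": before, "bad": bad, "still_closed": still_closed, "good": good,
            "after": after, "keys_match": keys_match, "closed_again": not ap.port_open}


if __name__ == "__main__":
    print(run_demo())
```

The point to observe is that the access point never learns the credential and cannot compute the PMK on its own; it only relays EAP and receives the PMK with the Accept, while a wrong credential leaves the controlled port closed.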

    WEP (Wired Equivalent Privacy) is an old method of network security. It is still available to support legacy devices, but its use is not recommended. Enabling WEP configures the network security key. This key encrypts the information that the computer transmits over the network to other computers. However, WEP security is relatively easy to break.

    There are two types of WEP security methods: open system authentication and shared key authentication. Neither provides a high level of security, but the shared key authentication method is less secure. For most computers and wireless access points, the shared key authentication key is the same as the static WEP encryption key that is used to secure the network. An attacker who intercepts successful shared key authentication messages can use sniffing tools to determine the shared key authentication key and then the static WEP encryption key. Once a static WEP encryption key is determined, an attacker can gain full access to the network. For this reason, this version of Windows does not automatically support network configuration through WEP shared key authentication.

    WEP uses the RC4 stream cipher as a pseudo-random keystream generator, seeded with the key together with an initialization vector (IV). Since the IV is transmitted unencrypted, third parties can observe it, intervene and recover the WEP key.

    The analysis of threats to wireless networks showed that the most serious threats are strangers (rogue devices), unfixed communications, denial of access, and eavesdropping.

    A review of software tools used to protect information on wireless networks showed that it is most advisable to use the WPA program. The WPA program is an updated wireless device certification program. The WPA program enhances data security and access control to wireless networks, and supports encryption in accordance with the AES standard (Advanced Encryption Standard), which has a more robust cryptographic algorithm.

    2. Technologies for protecting information in wireless networks

    2.1 Setting up the WPA program

    The ability to configure WPA in Windows XP appears with the installation of Service Pack version 2 (or the corresponding updates located on the Microsoft website).

    Figure 1 - Wireless adapter properties window

    Service Pack 2 greatly expands the functionality and convenience of wireless network settings. Although the main menu items have not changed, new ones have been added.

    Encryption is configured in the standard way: first select the wireless adapter icon, then click the Properties button.

    Figure 2 - Wireless networks tab

    Go to the Wireless networks tab and select the network to configure (usually there is only one). Click Properties.

    Figure 3 - Properties window

    In the window that appears, select WPA-None, i.e. WPA with predefined keys (if you select Compatible, the WEP encryption configuration mode described above is enabled instead).

    Figure 4 - Properties window

    Select AES or TKIP (if all devices on the network support AES, it is better to select it) and enter the WPA key twice (the second time in the confirmation field). Preferably choose something long and hard to guess.

    After clicking Ok, the WPA encryption setup can also be considered complete.

    In conclusion, a few words about the wizard that appeared with Service Pack 2.

    Figure 5 - Wireless network settings.

    In the properties of the network adapter, select the Wireless networks button.

    Figure 6 - Adapter properties

    In the window that appears, click on Set up a wireless network.

    Figure 7 - Wireless Network Wizard

    The first page is an introductory screen describing the wizard. Click Next.

    Figure 8 - Wireless Network Wizard

    Select Set up a wireless network. (If you select Add, you can create profiles for other computers on the same wireless network.)

    Figure 10 - Wireless Network Wizard

    In the window that appears, set the network SSID, activate WPA encryption if possible, and select the key entry method. You can leave key generation to the operating system or enter the keys manually. If manual entry is selected, a window will pop up asking you to enter the required key (or keys).

    Figure 11 - Window for selecting a network setup method

    Next, there are two ways to save the wireless network settings:

    In a text file, for subsequent manual entry on other machines.

    Saving the profile on a USB flash drive for automatic entry on other machines with Windows XP with integrated Service Pack version 2.

    Figure 12 - Saving parameters to flash memory

    If saving to Flash is selected, the next window prompts you to insert the Flash media and select it in the menu.

    Figure 13 - Installation complete

    If manual saving of parameters was selected, then after pressing the Print button...

    Figure 14-Configured network parameters

    ... a text file with the parameters of the configured network will be displayed. Please note that random and long (i.e. good) keys are generated, but TKIP is used as the encryption algorithm. The AES algorithm can later be enabled manually in the settings, as described above.

    2.3 Traffic encryption

    Any access point allows you to enable encryption of the traffic transmitted over the wireless network. Encrypting traffic hides the data of network users and makes it very difficult for attackers to decrypt data captured from an encrypted network. There are several encryption methods, the most common of which are WEP and, more secure, WPA and WPA2. The WEP encryption method is not strong enough by modern standards, so modern 802.11g access points already use the improved WPA encryption method. Let's look at setting up WPA encryption. In the control panel of the access point, enable the “WPA-PSK” mode (preferably “WPA2-PSK”); sometimes there are submodes, of which you need to choose the personal or simplified one, since the others may not work on your network without a dedicated authentication server. In WPA mode, select the encryption algorithm “AES” or “TKIP” and enter the encryption key, which can consist of any symbols (it is advisable to use a key of the maximum length, mixing letters with numbers).

    Figure 15 - Configuring WPA-PSK mode on the access point

    All Wi-Fi adapters are configured in the same way. Namely, on each computer/laptop, in the “Wireless Network Connection” properties, select “WPA-PSK” for authentication and “AES” or “TKIP” for data encryption, depending on the encryption selected at the access point.

    Figure 16-Configuring the network adapter in WPA-PSK mode

    Step 1 Open your web browser, type the router's IP address (192.168.1.1 by default) in the address bar and press Enter.

    Figure 17 - Browser window

    Step 2 Enter the username and password on the login page; the default username and password are both admin.

    Figure 19 - Wireless Network Setup Window

    SSID (Wireless Network Name): set a new name for your wireless network.

    Channel: 1, 6 or 11 are better than Auto.

    Check the “Enable Wireless Router Radio” and “Enable SSID Broadcast” boxes.

    Note: After clicking the Save button, the message “Changes to wireless network settings will only take effect after you restart your computer, please click here to restart your computer now.” appears. You do not need to reboot your router until you have completed all wireless network settings.

    Step 5 From the menu on the left, select Wireless -> Wireless Security; on the right side, enable the WPA-PSK/WPA2-PSK option.

    Figure 20-WPA-PSK setup

    Version: WPA-PSK or WPA2-PSK

    Encryption: TKIP or AES

    PSK Password: Enter the password (Pre-shared key length is from 8 to 63 characters.)

    Step 7 From the menu on the left, select Systems Tools -> Reboot. Reboot the router for the settings to take effect.

    Figure 21-Utilities

    3. Organizational and economic part

    The cost of the adapter was determined by comparing the price lists of three companies, SaNi, Ret and DNS-SHOP; the prices are shown in Table 1.

    Product name

    Powerline network adapter TP-Link TL-WPA2220KIT

    RUB 1,870 /website, 5/.

    Powerline network adapter TP-Link TL-WPA2220KIT

    Table 1 - Comparison of three price lists

    By analyzing and comparing prices, I concluded that it is most profitable to purchase this adapter with WPA support in the Ret store, since the price was 1841 rubles.

    4. Occupational health and safety

    General provisions.

    1. The labor safety instruction is the main document establishing for workers the rules of conduct at work and the requirements for the safe performance of work.

    2. Knowledge of the Labor Safety Instructions is mandatory for workers of all categories and skill groups, as well as their immediate supervisors.

    3. At each Facility, safe routes through the Facility to the place of work and evacuation plans in case of fire and emergency must be developed and brought to the attention of all personnel.

    4. Every worker is obliged:

    comply with the requirements of these Instructions;

    immediately inform your immediate supervisor, and in his absence, your superior manager, about the accident that has occurred and about all violations of the requirements of the instructions noticed by him, as well as about malfunctions of structures, equipment and protective devices;

    remember personal responsibility for failure to comply with safety requirements;

    ensure the safety of protective equipment, tools, devices, fire extinguishing equipment and occupational safety documentation at your workplace.

    IT IS PROHIBITED to carry out orders that contradict the requirements of this Instruction and the “Inter-industry rules for labor protection (safety rules) during the operation of electrical installations” POT R M-016−2001 (RD 153−34.0−03.150−00).

    Any computer is an electrical device and poses a potential threat. Therefore, when working with a computer, it is necessary to comply with safety requirements.

    Before starting work, you should make sure that the electrical wiring, switches, plug sockets with which the equipment is connected to the network are in good condition, that the computer is grounded and that it is working properly. It is unacceptable to use low-quality and worn-out components in the power supply system, as well as their surrogate substitutes: sockets, extension cords, adapters, tees. It is unacceptable to independently modify sockets to accept plugs that meet other standards. Electrical contacts of sockets should not experience mechanical stress associated with connecting massive components (adapters, tees, etc.). All power cables and wires should be located at the back of the computer and peripheral devices. Their placement in the user's work area is unacceptable.

    It is prohibited to perform any operations related to connecting, disconnecting or moving components of a computer system without first turning off the power. The computer should not be installed near electrical heaters or heating systems. It is unacceptable to place foreign objects on the system unit, monitor and peripheral devices: books, sheets of paper, napkins, dust covers. This results in permanent or temporary blockage of the ventilation openings. Do not introduce foreign objects into the service or ventilation openings of computer system components.

    Some computer components are capable of maintaining high voltage for a long time after power supply to the system unit. All components of the system unit receive electricity from the power supply. The PC power supply is a stand-alone unit located at the top of the system unit. Safety regulations do not prohibit opening the system unit, for example, when installing additional internal devices or upgrading them, but this does not apply to the power supply. The computer power supply is a source of increased fire hazard, so it can only be opened and repaired in specialized workshops. The power supply has a built-in fan and ventilation holes. Due to this, dust will inevitably accumulate in it, which can cause a short circuit. It is recommended to periodically (once or twice a year) use a vacuum cleaner to remove dust from the power supply through the ventilation holes without opening the system unit. It is especially important to perform this operation before each transportation or tilt of the system unit.

    System of hygienic requirements. Working with a computer for a long time can lead to health problems. Short-term work with a computer installed in gross violations of hygiene standards and rules leads to increased fatigue. The harmful effects of a computer system on the human body are complex. Monitor parameters affect the organs of vision. The equipment of the workplace affects the organs of the musculoskeletal system. The nature of the arrangement of equipment in a computer class and the mode of its use affects both the general psychophysiological state of the body and its visual organs.

    Video system requirements. In the past, monitors were viewed primarily as a source of harmful radiation, primarily affecting the eyes. Today this approach is considered insufficient. In addition to harmful electromagnetic radiation (which on modern monitors has been reduced to a relatively safe level), image quality parameters must be taken into account, and they are determined not only by the monitor, but also by the video adapter, that is, the entire video system as a whole.

    At the workplace, the monitor must be installed in such a way as to exclude the possibility of reflection from its screen towards the user from sources of general lighting in the room.
    The distance from the monitor screen to the user’s eyes should be from 50 to 70 cm. There is no need to try to move the monitor as far as possible from the eyes for fear of harmful radiation (based on everyday experience with TV), because the viewing angle of the most characteristic objects is also important for the eye. Optimally, placing the monitor at a distance of 1.5 D from the user's eyes, where D is the size of the monitor screen, measured diagonally. Compare this recommendation with the 3...5 D value recommended for household televisions, and compare the size of the characters on the monitor screen (the most typical object that requires concentration) with the size of objects typical for television (images of people, buildings, natural objects). An excessive distance from the eyes to the monitor leads to additional strain on the visual organs, affects the difficulty of transition from working with a monitor to working with a book, and manifests itself in the premature development of farsightedness.

    An important parameter is the frame rate, which depends on the properties of the monitor, video adapter and software settings of the video system. To work with texts, the minimum frame rate allowed is 72 Hz. For graphics work, a frame rate of 85 Hz or higher is recommended.

    Workplace requirements. The requirements for the workplace include requirements for a desktop, a seat (chair, armchair), rests for arms and legs. Despite its apparent simplicity, ensuring the correct placement of computer system elements and the correct seating of the user is extremely difficult. A complete solution to the problem requires additional costs comparable in magnitude to the cost of individual components of a computer system, therefore, in everyday life and in production, these requirements are often neglected.

    The monitor should be installed directly in front of the user and should not require rotation of the head or body.

    The desktop and seat should be of such a height that the user's eye level is slightly above the center of the monitor. You should look at the monitor screen from top to bottom, and not vice versa. Even short-term work with a monitor installed too high leads to fatigue of the cervical spine.

    If, when correctly positioning the monitor relative to eye level, it turns out that the user’s feet cannot rest freely on the floor, a footrest should be installed, preferably an inclined one. If the legs do not have reliable support, this will certainly lead to poor posture and fatigue of the spine. It is convenient when computer furniture (desk and work chair) have means for height adjustment. In this case, it is easier to achieve the optimal position.

    The keyboard should be located at such a height that the fingers rest on it freely, without tension, and the angle between the shoulder and forearm is 100° - 110°. For work, it is recommended to use special computer tables that have pull-out shelves for the keyboard. Working with the keyboard for a long time can cause fatigue in the tendons of the wrist joint. A serious occupational disease is known - carpal tunnel syndrome, associated with incorrect hand position on the keyboard. To avoid excessive stress on the hand, it is advisable to provide a work chair with armrests, the height of which, measured from the floor, coincides with the height of the keyboard.

    When working with the mouse, your hand should not be suspended. The elbow or at least the wrist should have firm support. If it is difficult to provide the necessary location of the desktop and chair, it is recommended to use a mouse pad with a special support roller. There are often cases when, in search of support for the hand (usually the right one), the monitor is placed on the side of the user (respectively, on the left), so that he works half-turned, resting the elbow or wrist of the right hand on the table.

    4.1 Electrical safety requirements

    When using computer technology and peripheral equipment, each worker must handle electrical wiring, instruments and equipment carefully and always remember that neglecting safety rules threatens both health and human life. To avoid electric shock, you must know and follow the following rules for the safe use of electricity:

    1. It is necessary to constantly monitor at your workplace the good condition of electrical wiring, switches, plug sockets with which the equipment is connected to the network, and grounding. If a malfunction is detected, immediately turn off the power to the electrical equipment and notify the administration. Continued operation is only possible after the fault has been eliminated.

    2. To avoid damage to wire insulation and short circuits, the following is not permitted:

    a) hang something on wires;

    b) paint over and whiten cords and wires;

    c) lay wires and cords behind gas and water pipes, behind radiators of the heating system;

    d) pull the plug out of the socket by the cord, force must be applied to the body of the plug.

    3. To avoid electric shock, it is prohibited:

    a) often turn the computer on and off unnecessarily;

    b) touch the screen and the back of the computer blocks;

    c) work on computer equipment and peripheral equipment with wet hands;

    d) work on computers and peripheral equipment that have violations of the integrity of the case, violations of wire insulation, faulty power-on indication, with signs of electrical voltage on the case

    e) place foreign objects on computer equipment and peripheral equipment.

    4. It is prohibited to check the performance of electrical equipment in rooms that are not suitable for use with conductive floors, damp, and do not allow accessible metal parts to be grounded.

    5. Repair of electrical equipment is carried out only by specialist technicians in compliance with the necessary technical requirements.

    6. It is unacceptable to carry out repairs on computers and peripheral equipment while under voltage.

    7. To avoid electric shock, when using electrical appliances, you must not simultaneously touch any pipelines, heating radiators, or metal structures connected to the ground.

    8. When using electricity in damp areas, take special care.

    9. If a broken wire is discovered, you must immediately inform the administration about it and take measures to prevent people from coming into contact with it. Touching the wire is life-threatening.

    10. The salvation of a victim in case of electric shock mainly depends on the speed of his release from the effects of electric current.

    In all cases of electric shock to a person, call a doctor immediately. Before the doctor arrives, you must, without wasting time, begin providing first aid to the victim.

    It is necessary to immediately begin artificial respiration, the most effective methods of which are “mouth to mouth” or “mouth to nose”, as well as external cardiac massage.

    Artificial respiration is performed for the person affected by the electric current until the doctor arrives.

    4.2 Requirements for the premises

    The premises must have natural and artificial lighting. Locating workstations with monitors for adult users in basements is not permitted.

    The area per workplace with a computer for adult users must be at least 6 m², and the volume at least 20 m³.

    Rooms with computers must be equipped with heating, air conditioning or effective supply and exhaust ventilation systems.

    For interior decoration of rooms with computers, diffusely reflective materials should be used, with a reflection coefficient of 0.7-0.8 for the ceiling, 0.5-0.6 for the walls and 0.3-0.5 for the floor.

    The floor surface in computer rooms must be level, without potholes, non-slip, easy to clean (including wet cleaning), and have antistatic properties.

    There should be a first aid kit and a carbon dioxide fire extinguisher in the room to extinguish a fire.

    4.3 Fire safety requirements

    It is prohibited to keep flammable substances in the workplace. The following is prohibited in the premises:

    a) light a fire;

    b) turn on electrical equipment if the room smells of gas;

    c) smoke;

    d) dry something on heating devices;

    e) close ventilation openings in electrical equipment.

    Sources of ignition are:

    a) spark from a discharge of static electricity;

    b) sparks from electrical equipment;

    c) sparks from impact and friction;

    d) open flame.

    If a fire hazard or fire occurs, personnel must immediately take the necessary measures to eliminate it and at the same time notify the administration about the fire.

    Premises with electrical equipment must be equipped with fire extinguishers of the OU-2 or OUB-3 type.

    Conclusion

    Today, wireless networks have become widespread, which leads to the need to develop technology for protecting information in wireless networks.

    As a result of the research conducted in this thesis project, the following conclusions can be drawn:

    Wireless data transmission includes the possibility of unauthorized connection to access points, unfixed communication, eavesdropping; for this it is necessary to provide high-quality security measures, since you can connect to the network from a car parked on the street.

    A software review showed that specialized programs such as WEP and WPA are used to protect wireless network information.

    It is most advisable to use the WPA program to protect information in wireless networks, since the WPA program enhances data security and access control to wireless networks, and supports encryption in accordance with the AES standard (Advanced Encryption Standard), which has a stronger cryptographic algorithm.

    List of sources used

    Aknorsky D. A little about wireless networks // Computer Price. - 2003. - No. 48.

    Berlin A. N. Telecommunication networks and devices. // Internet University of Information Technologies - INTUIT.ru, BINOM. Knowledge Laboratory, 2008. - 319 p.

    Kunegin S.V. Information transmission systems. Course of lectures. - M.: military unit 33965, 1998. - 316 p. with ill.

    DIY wireless network

    Vishnevsky V.M., Lyakhov A.I., Portnoy S.L., Shakhnovich I.V. Broadband wireless information transmission networks. - 2005. - 205 p.

    Data recovery on a wireless network //iXBT URL: http://www.ixbt.com/storage/faq-flash-p0.shtml

    Gultyaev A.K. Data recovery. 2nd ed. - St. Petersburg: Peter, 2006. - 379 p.:

    Zorin M., Pisarev Yu., Solovyov P. Wireless networks: current state and prospects. - Connect! // World of Communications. 1999. No. 4. page. 104.

    Zaidel I. A flash drive should live a long time // R.LAB URL: http://rlab.ru/doc/long_live_flash.html

    Zorin M., Pisarev Yu., Solovyov P. Radio equipment in the 2.4 GHz range: challenges and opportunities // PCWeek/Russian Edition.1999.№20−21.pp.

    Christian Barnes, Tony Boates, Donald Lloyd, Erik Uhle, Jeffrey Poslans, David M. Zanjan, Neil O'Farrell. Protecting against wireless network hackers. - Publisher: IT Company, DMK press. - 2005. - 480 p.

    Merritt Maxim, David Pollino. Wireless Network Security. - 2004. - 288 p.

    Molta D., Foster-Webster A. Testing equipment for wireless LANs of the 802.11 standard // Networks and communication systems. 1999. No. 7.

    Wireless networks are beginning to be used almost all over the world. This is due to their convenience, flexibility and relatively low cost. Wireless technologies must satisfy a number of requirements in terms of quality, speed, range and security, with security often being the most important factor.

    The complexity of securing a wireless network is obvious. If in wired networks an attacker must first gain physical access to the cable system or terminal devices, in wireless networks this condition disappears by itself: since the data is transmitted “over the air”, a conventional receiver installed within the network’s range is sufficient to gain access (see section 2.2.3).

    However, despite the differences in implementation, the approach to security of wireless networks and their wired counterparts is identical: there are similar requirements for ensuring the confidentiality and integrity of transmitted data and, of course, for authenticating both wireless clients and access points.

    General information

    Like all IEEE 802 standards, the basic wireless LAN standard IEEE 802.11 operates at the lower two layers of the ISO/OSI model - physical and data link. A network application, network OS, or protocol (such as TCP/IP) will work just as well on an 802.11 network as it does on an Ethernet network.

    The basic architecture, features and services are defined in the basic 802.11 standard (see Section 4.2), which defines two modes of wireless network operation - client/server mode (or infrastructure mode) and point-to-point (Ad-hoc) mode.

    In client/server mode, a wireless network consists of at least one AP (Access Point) connected to a wired network and a set of wireless end stations. This configuration is called a Basic Service Set (BSS). Two or more BSSs forming a single subnet form an Extended Service Set (ESS). Since most wireless stations need to access file servers, printers and the Internet available on a wired LAN, they operate in client/server mode.

    Point-to-point mode is a simple network in which communication between numerous stations is established directly, without the use of a special access point. This mode is useful if the wireless network infrastructure is not formed (for example, in a hotel, exhibition hall, airport).

    At the physical layer of the 802.11 standard, 2 broadband radio frequency transmission methods and 1 in the infrared range are defined. RF methods operate in the 2.4 GHz ISM band and typically use the 83 MHz band from 2.400 GHz to 2.483 GHz. Broadband signal technologies used in RF techniques increase reliability, capacity, and allow many unrelated devices to share the same frequency band with minimal interference to each other.
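The following Python snippet is an added example, not part of the coursework, that makes concrete why the router setup guide earlier on this page recommends channels 1, 6 or 11 rather than Auto: with 5 MHz channel spacing and a 22 MHz DSSS channel footprint in the 2.400-2.483 GHz band just described, only three channels fit without overlapping. The `least_congested` helper and the `DEMO_SURVEY` neighbour counts are constructed for illustration and are not taken from any real site survey.

```python
# Added example: 2.4 GHz channel plan for 802.11b/g (DSSS, 22 MHz wide channels).
# Constants are the standard 802.11b channel geometry; the survey data is made up.
CHANNEL_WIDTH_MHZ = 22


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 2407 + 5*n MHz for 1..13, 2484 MHz for channel 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"channel {channel} is not a 2.4 GHz channel")


def overlaps(ch_a: int, ch_b: int) -> bool:
    """Two 22 MHz channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency_mhz(ch_a) - center_frequency_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(channels=range(1, 14)) -> list:
    """Greedy scan from the lowest channel upward, keeping each channel that
    overlaps none of the channels already chosen. For 1..13 this yields [1, 6, 11]."""
    chosen = []
    for ch in channels:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def least_congested(neighbours: dict, candidates=(1, 6, 11)) -> int:
    """Pick the candidate channel whose footprint collides with the fewest neighbouring
    networks. `neighbours` maps channel -> number of networks heard on it; a neighbour
    on channel 2 still counts against channel 1 because their footprints overlap."""
    def load(candidate: int) -> int:
        return sum(n for ch, n in neighbours.items() if overlaps(ch, candidate))
    return min(candidates, key=load)


# Constructed survey (hypothetical values): networks heard per channel.
DEMO_SURVEY = {1: 3, 2: 1, 6: 2, 11: 0, 13: 1}

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_channels())
    print("least congested of 1/6/11:", least_congested(DEMO_SURVEY))
```

Running it shows that channels 1, 6 and 11 are the only mutually non-overlapping trio among channels 1-13, and that a neighbour on an "in-between" channel such as 2 or 13 still costs airtime on the adjacent recommended channel, which is why a fixed, surveyed choice beats Auto.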

    The main addition that 802.11b makes to the core standard is support for two new data rates - 5.5 and 11 Mbps. To achieve these speeds, the DSSS (Direct Sequence Spread Spectrum) method was chosen.

    The Data Link layer of the 802.11 standard consists of two sublayers: LLC (Logical Link Control) and MAC (Media Access Control).

    Securing Wireless Networks

    The WLAN security system based on the WEP (Wired Equivalent Privacy) protocol of the original 802.11 standard has significant shortcomings. However, more effective WLAN information security technologies have emerged, which are described in the WPA (Wi-Fi Protected Access) specification of the Wi-Fi Alliance and in the IEEE 802.11i standard and are designed to address the shortcomings of the 802.11 standard. Since the development of the 802.11i standard took too long, the Wi-Fi Alliance was forced to propose its own WLAN information security technology in 2002 - the WPA standard.

    The WPA standard is very attractive because it is relatively easy to implement and allows you to protect existing WLANs. The WPA and 802.11i standards are compatible with each other, so the use of WPA-supporting products can be considered the initial stage of the transition to a security system based on the 802.11i standard (see Section 4.2).

    There are many similarities between the technologies of the 802.11i and WPA standards. Thus, they define an identical security system architecture with improved user authentication mechanisms and key distribution and update protocols. But there are also significant differences. For example, WPA technology is based on the dynamic key protocol TKIP (Temporal Key Integrity Protocol), which can be supported in most WLAN devices by updating their software, while the more functional concept of the 802.11i standard also provides for the use of the new AES encryption standard (Advanced Encryption Standard), with which only the latest WLAN equipment is compatible.

    The WPA standard provides for the use of the security protocols 802.1x, EAP, TKIP and RADIUS.

    The user authentication mechanism is based on the 802.1x access control protocol (designed for wired networks) and the Extensible Authentication Protocol (EAP). The latter allows the network administrator to enable user authentication algorithms via a RADIUS server (see Chapter 13).

    Confidentiality and data integrity functions are based on the TKIP protocol, which, unlike the WEP protocol, uses a more efficient key management mechanism, but the same RC4 algorithm for data encryption. According to the TKIP protocol, network devices work with a 48-bit initialization vector (as opposed to the 24-bit initialization vector of the WEP protocol) and implement rules for changing the sequence of its bits, which eliminates key reuse and replay attacks.

    The TKIP protocol provides for the generation of a new key for each transmitted packet and improved message integrity control using the cryptographic MIC (Message Integrity Code) checksum, which prevents a hacker from changing the contents of transmitted packets.

    The WPA standard network security system operates in two modes: PSK (Pre-Shared Key) and Enterprise. To deploy a system running in PSK mode, a shared password is required. This system is easy to install, but it does not protect the WLAN as reliably as a system operating in Enterprise mode with a dynamic key hierarchy. Although TKIP uses the same RC4 cipher as the WEP specification, WPA is more secure than WEP.

    To make WLAN access points compatible with the WPA standard, you only need to upgrade their software. To transfer the network infrastructure to the 802.11i standard, new equipment that supports the AES encryption algorithm will be required, since AES encryption places a large load on the central processor of the wireless client device.

    In order for corporate access points to work in a WPA or 802.11i network security system, they must support user authentication using the RADIUS protocol and implement the standard encryption method - TKIP or AES - which will require upgrading their software. One more requirement is to quickly re-authenticate users after they disconnect from the network. This is especially important for the smooth functioning of real-time applications.

    If the RADIUS server used to control access of wired network users supports the required EAP authentication methods, then it can be used to authenticate WLAN users. Otherwise, a WLAN RADIUS server must be installed. This server works as follows: it first checks the user's authentication information (against the contents of its database about their IDs and passwords) or their digital certificate, and then activates the dynamic generation of encryption keys by the access point and the client system for each communication session.

    For WPA technology to work, the EAP-TLS (Transport Layer Security) mechanism is required, while the IEEE 802.1X standard does not stipulate the use of specific EAP authentication methods. The choice of EAP authentication method is determined by the specifics of the client applications and the network architecture. In order for laptops and PDAs to work with WPA or 802.1X network security, they must be equipped with client software that supports the 802.1X standard.

    The simplest version of a WPA network security system, from a deployment point of view, is one operating in PSK mode. It is intended for small and home offices and does not require a RADIUS server; it uses the PSK password to encrypt packets and to compute the MIC cryptographic checksum. The level of information security it provides is sufficient for most such offices. To increase the effectiveness of data protection, passwords of at least 20 characters should be used.
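    As an added illustration (not part of the coursework), the following Python shows how a WPA-PSK network turns the shared password into its root key: every client derives the same 256-bit PMK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, as defined in IEEE 802.11i), so the passphrase is the only secret the whole network rests on, which is why the text's 20-character minimum matters. The policy check's character-class rule and the sample network values are my own assumptions.

```python
import hashlib

# WPA-PSK (IEEE 802.11i) derives the Pairwise Master Key from the passphrase
# with PBKDF2-HMAC-SHA1, using the SSID as salt, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK that every station of a WPA-PSK network derives from the passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN
    )


def passphrase_policy_ok(passphrase: str, min_len: int = 20) -> bool:
    """Policy check for the text's recommendation of at least 20 characters.
    The extra requirement of three character classes is an assumption added here,
    so that a long string of one class (e.g. only lowercase letters) is still rejected."""
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in passphrase)
    )
    has_symbol = any(not c.isalnum() for c in passphrase)
    return len(passphrase) >= min_len and (classes + has_symbol) >= 3


def audit_psk_network(passphrase: str, ssid: str) -> dict:
    """Summarise a PSK deployment: the single PMK all stations share and whether
    the passphrase meets policy. Changing the passphrase changes the PMK for every client."""
    pmk = derive_pmk(passphrase, ssid)
    return {
        "pmk_hex": pmk.hex(),
        "pmk_bits": len(pmk) * 8,
        "passphrase_policy_ok": passphrase_policy_ok(passphrase),
    }


if __name__ == "__main__":
    # Constructed sample network; "password"/"IEEE" is the 802.11i reference test vector
    # and deliberately fails the length policy.
    print(audit_psk_network("password", "IEEE"))
```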

    It is advisable for enterprises to implement WPA network security systems with RADIUS servers. Most companies prefer such systems, since solutions running in PSK mode are more difficult to administer and more vulnerable to attack.

    Until 802.11i becomes available on the market, WPA will remain the most suitable standard for WLAN security.

    The WPA and 802.11i standards are quite reliable and provide a high level of security for wireless networks. However, a security protocol alone is not enough; attention must also be paid to the correct design and configuration of the network.

    Physical protection. When deploying a Wi-Fi network, it is necessary to physically restrict access to wireless points.

    Correct setting. The paradox of modern wireless networks is that users do not always enable and use the built-in authentication and encryption mechanisms.

    Protecting user devices. You should not rely entirely on built-in network security mechanisms. The best approach is layered defense, the first line of which is protective software installed on the desktop PC, laptop or PDA.

    Traditional measures. Effective operation of a computer on a network is unthinkable without classical protection measures - timely installation of updates, the use of protective mechanisms built into the OS and applications, as well as antiviruses. However, these measures are not enough today, since they are focused on protection against already known threats.

    Network monitoring. The weak link in the corporate network is unauthorized access points. The task of localizing unauthorized access points is urgent. Special means for localizing access points allow you to graphically display the location of a “foreign” terminal on a map of a floor or building. If classical methods do not save you from intrusion, intrusion detection systems should be used.

    VPN agents. Many access points operate in open mode, so methods to protect the transmitted data are necessary. A VPN client, which takes over this task, must be installed on the protected computer. Almost all modern operating systems (for example, Windows XP) contain such software components.