Something that continues to periodically come up is the need to remind people running manual staging to ensure they specify both the SSID and the Clone ID when they stage. I did some initial coverage of this when I first started the blog, but I wanted to revisit and demonstrate exactly why this is necessary.

The short version of why is simple: If you stage by SSID alone, NetWorker will delete/purge all instances of the saveset other than the one you just created. This is Not A Good Thing for 99.999% of what we do within NetWorker.

So to demonstrate, here’s a session where I:

1. Generate a backup
2. Clone the backup to tape
3. Stage the saveset only to tape

In between each step, I’ll run mminfo to get a dump of what the media database says about saveset availability.

Part 1 – Generate the Backup

Here’s a very simple backup for the purposes of this demonstration, and the subsequent mminfo command to find out about the backup:

[root@tara ~]# save -b Default -LL -q /etc
save: /etc  106 MB 00:00:07   2122 files
completed savetime=1258093549

[root@tara ~]# mminfo -q "client=tara.pmdg.lab,name=/etc" -r volume,ssid,cloneid,
savetime
 volume        ssid          clone id  date
Default.001    2600270829  1258093549 11/13/2009
Default.001.RO 2600270829  1258093548 11/13/2009

There’s nothing out of the ordinary here, so we’ll move onto the next step.

Part 2 – Clone the Backup

We’ll just do a manual clone to the Default Clone pool. Here we’ll specify the saveset ID alone, which is fine for cloning – but is often what leads people to being in the habit of not specifying a particular saveset instance. I’m using very small VTL tapes, so don’t be worried that in this case I’ve got a clone of /etc spanning 3 volumes:

[root@tara ~]# nsrclone -b "Default Clone" -S 2600270829
[root@tara ~]# mminfo -q "client=tara.pmdg.lab,name=/etc" -r volume,ssid,cloneid,
savetime
 volume        ssid          clone id  date
800843S3       2600270829  1258094164 11/13/2009
800844S3       2600270829  1258094164 11/13/2009
800845S3       2600270829  1258094164 11/13/2009
Default.001    2600270829  1258093549 11/13/2009
Default.001.RO 2600270829  1258093548 11/13/2009

As you can see there, it’s all looking fairly ordinary at this point – nothing surprising is going on at all.

Part 3 – Stage by Saveset ID Only

In this next step, I’m going to stage by saveset ID alone rather than specifying the saveset ID/clone ID, which is the correct way of staging, so as to demonstrate what happens at the conclusion of the staging. I’ll be staging to a pool called “Big”:

[root@tara ~]# nsrstage -b Big -v -m -S 2600270829
Obtaining media database information on server tara.pmdg.lab
Parsing save set id(s)
Migrating the following save sets (ids):
 2600270829
5874:nsrstage: Automatically copying save sets(s) to other volume(s)

Starting migration operation...
Nov 13 17:34:00 tara logger: NetWorker media: (waiting) Waiting for 1 writable
volume(s) to backup pool 'Big' disk(s) or tape(s) on tara.pmdg.lab
5884:nsrstage: Successfully cloned all requested save sets
5886:nsrstage: Clones were written to the following volume(s):
 BIG991S3
6359:nsrstage: Deleting the successfully cloned save set 2600270829
Successfully deleted original clone 1258093548 of save set 2600270829
from media database.
Successfully deleted AFTD's companion clone 1258093549 of save set 2600270829
from media database with 0 retries.
Successfully deleted original clone 1258094164 of save set 2600270829
from media database.
Recovering space from volume 4294740163 failed with the error
'Cannot access volume 800844S3, please mount the volume or verify its label.'.
Refer to the NetWorker log for details.
6330:nsrstage: Cannot access volume 800844S3, please mount the volume
or verify its label.
Completed recover space operation for volume 4177299774
Refer to the NetWorker log for any failures.
Recovering space from volume 4277962971 failed with the error
'Cannot access volume 800845S3, please mount the volume or verify its label.'.
Refer to the NetWorker log for details.
6330:nsrstage: Cannot access volume 800845S3, please mount the volume
or verify its label.
Recovering space from volume 16550059 failed with the error
'Cannot access volume 800843S3, please mount the volume or verify its label.'.
Refer to the NetWorker log for details.
6330:nsrstage: Cannot access volume 800843S3, please mount the volume
or verify its label.

You’ll note there’s a bunch of output there about being unable to access the clone volumes the saveset was previously cloned to. When we then check mminfo, we see the consequences of the staging operation though:

[root@tara ~]# mminfo -q "client=tara.pmdg.lab,name=/etc" -r volume,ssid,cloneid,
savetime
 volume        ssid          clone id  date
BIG991S3       2600270829  1258095244 11/13/2009

As you can see – no reference to the clone volumes at all!

Now, has the clone data been erased? No, but it has been removed from the media database, meaning you’d have to manually scan the volumes back in order to be able to use them again. Worse, if those volumes only contained clone data that was subsequently removed from the media database, they may become eligible for recycling and get re-used before you notice what has gone wrong!

Wrapping Up

Hopefully the above session will have demonstrated the danger of staging by saveset ID alone. If instead of staging by saveset ID we staged by saveset ID and clone ID, we’d have had a much more desirable outcome. Here’s a (short) example of that:

[root@tara ~]# save -b Default -LL -q /tmp
save: /tmp  2352 KB 00:00:01     67 files
completed savetime=1258094378
[root@tara ~]# mminfo -q "name=/tmp" -r volume,ssid,cloneid
 volume        ssid          clone id
Default.001    2583494442  1258094378
Default.001.RO 2583494442  1258094377
[root@tara ~]# nsrclone -b "Default Clone" -S 2583494442

[root@tara ~]# mminfo -q "name=/tmp" -r volume,ssid,cloneid
 volume        ssid          clone id
800845S3       2583494442  1258095244
Default.001    2583494442  1258094378
Default.001.RO 2583494442  1258094377
[root@tara ~]# nsrstage -b Big -v -m -S 2583494442/1258094377
Obtaining media database information on server tara.pmdg.lab
Parsing save set id(s)
Migrating the following save sets (ids):
 2583494442
5874:nsrstage: Automatically copying save sets(s) to other volume(s)

Starting migration operation...

5886:nsrstage: Clones were written to the following volume(s):
 BIG991S3
6359:nsrstage: Deleting the successfully cloned save set 2583494442
Successfully deleted original clone 1258094377 of save set 2583494442 from
media database.
Successfully deleted AFTD's companion clone 1258094378 of save set 2583494442
from media database with 0 retries.
Completed recover space operation for volume 4177299774
Refer to the NetWorker log for any failures.

[root@tara ~]# mminfo -q "name=/tmp" -r volume,ssid,cloneid
 volume        ssid          clone id
800845S3       2583494442  1258095244
BIG991S3       2583494442  1258096324

The recommendation that I always make is that you forget about using saveset IDs alone unless you absolutely have to. Instead, get yourself into the habit of always specifying a particular instance of a saveset ID via the “ssid/cloneid” option. That way, if you do any manual staging, you won’t wipe out access to data!

… via de naam van je draadloze netwerk.

Wireless network has become the default package when you install internet access at home. It always comes with a wireless router that gives you the option to connect wirelessly or via cable.

Read more…

One major improvement of Vista and Seven over XP and 2003 is more control over your wireless settings. There were two major security issues with wireless on previous Microsoft operating systems. One issue was connecting to unsecured networks automatically and the other issue was firewall settings that might leave a user vulnerable in a hotspot. Windows XP systems have a bad habit of automatically connecting to wireless networks within their range. Although the default wireless settings of XP can be changed, the fact that it connects to unsecured networks by default is somewhat disturbing. Another limitation of XP (and 2003) is the fact that your firewall settings will remain the same when migrating from your home network to a hotspot. This is extremely alarming if the user happens to have open shares with sensitive documents. While this example may seem far-fetched, it is very common for users to have open shares on their systems at work or home and go to a hotspot. A malicious user at the hotspot could access files in any of your shares. And, if there is no password on the administrative account, that malicious user may even be able to access the administrative shares.

To manage wireless connections in Vista and Seven, open the Network and Sharing Center in the Control Panel. Click on the Manage Wireless Networks link from the list in the task pane. Clicking the Add button will give you a menu of three items, including Add a network that is in range of the computer, Manually create a network profile, and Create an ad-hoc network.

The Add a network that is in range option in Manage Wireless Connections will display a list of networks that are broadcasting their Security Set Identifier (SSID). Along with each network displayed will be information about whether the network has security enabled or if it is unsecured. Vista and Seven will warn you if you connect to an unsecured network that your information may be visible to others. Unless you are on a secure site, people using sniffing tools such as Wireshark will be able to capture all of your plain text data. Microsoft recommends using WPA2 if your equipment will support it. A list of other wireless recommendations made by Microsoft is included in the following TechNet article. It is common knowledge among wireless security experts that Wifi Protected Access version 2 (WPA2) with Advanced Encryption Standard (AES) encryption and a very difficult Passphrase should be used on wireless networks. Although Wired Equivalent Privacy (WEP) or WPA with Temporal Key Integrity Protocol (TKIP) is better than nothing, these security mechanisms can be defeated.

The Manually create a network profile option in Manage Wireless Networks can be utilized if a network is not broadcasting its SSID. Turning off the broadcast of the SSID will help to prevent people from connecting to your network. If you are not broadcasting the SSID of your access point, users will not see the network in their list of available networks to connect to in Windows XP , Vista, or Seven. While turning off the broadcast of the SSID will help increase the security of your wireless, it will not prevent hackers with the right tools from getting the information. Even if the access point is not broadcasting the SSID, security measures such as the use of WPA2 with AES encryption and a strong Passphrase should also be utilized.

The Create an ad-hoc network is the final option when adding a network in Manage Wireless Networks. The ad hoc network will allow a group of computers to network without an available access point. In Vista and Seven, you can set up an ad hoc network with no encryption, WEP, or WPA2. WPA2 is recommended, and your WPA2 Passphrase can be from 8 to 63 characters long. Numbers, symbols, and uppercase and lowercase letters can all be utilized in the Passphrase.

Note: It can be up to 64 characters long if you only use the characters 0-9 and letters A-F. The characters can be displayed for you in plain text if you check the Display characters check box

Problem: I’ve got an iPhone 3G running 3.1.2(7D11) and I use a WLAN network at our office which does not broadcast it’s SSID for obscurity security reasons. Since some version, I guess 3.1, when I get within range of the SSID hidden network it no longer auto connects. Frustrating.

Solution: Apple to fix it in the next version I guess.

“Work around”: Not really a workaround, but a sightly less frustrating way of reconnecting… when in range of the network… recreate the network by entering the SSID and leave out any of the security stuff then click Join. The join will fail (for obvious reasons), but will then “remind” the phone that that network exists and will then connect using the previously configured settings.

Let’s play the WIRELESS SECURITY game! *Applause*

So, which one of the following is the most secure?!

1) Security Key (WEP): 2541293842 | SSID Hidden | MAC Addresses Filtered

2) Security Key (WPA): 2541293842 | SSID Hidden | MAC Addresses Filtered

3) Security Key (WPA): IhathN3v3rF41l3dTh33?! | SSID Visible | MAC Addresses NOT Filtered

4) Security Key (WPA): IhathN3v3rF41l3dTh33?! | SSID Hidden | MAC Addresses Filtered

5) Security Key (WPA2): IhathN3v3rF41l3dTh33?! | SSID Visible | MAC Addresses NOT Filtered

6) Security Key (WPA2): IhathN3v3rF41l3dTh33?! | SSID Hidden | MAC Addresses Filtered

Well? Any clues? It’s actually not much of a game. The least secure wireless network is at the top, the most secure is at the bottom. However, this doesn’t quite tell the whole story – as I would always use option 5 over option 6 and option 3 over option 4. Why? That is a very good question, to answer it – let’s break this down.

No Security Key vs. WEP Key vs. WPA Key vs. WPA2 Key

So you’ve  just got a shiny new wireless device, which is asking you to choose a “security mode” – or something similar.

Your options are No Security, WEP, WPA or WPA2 (WPA/WPA2 may be written as WPA-PSK, WPA2-PSK).

No Security shouldn’t even be considered. Not even for a second. If you’re a home user (or indeed a business user) and your wireless network has no security – you should switch to WPA or better now. Seriously, stop reading this article and make the change. If you don’t know how, then drop me an email (see the “about” page).

If you’re using WEP, then CONGRATULATIONS! You’ve officially earned one more point that people without security. However, you should also stop reading now and get your wireless network switched over to WPA or better. Anyone who tells you that WEP is “fine”, is probably not the kind of person you should associate with on a regular basis. At the very least, you should stop taking IT-related advice from them.

WPA and WPA2 are both decent wireless security solutions. If you’ve got a device that doesn’t support WPA2, then use WPA with AES – otherwise WPA2 is the system of choice. So, you’ve chosen WPA2 as your security mode! Have you passed the wireless security test yet?…

I’m afraid not. Unfortunately, the mode you choose (WPA2) is still only half the battle. Let’s imagine that you’re an evil genius, and you’ve created an evil fortress – which is protected by an impenetrable security bubble. The only gap in this bubble is protected by a door, which is guarded by a huge indestructible robot (named Colin). The only way in is to give the robot the correct password. This sounds pretty secure doesn’t it? However, what if the password to this evil fortress is set as “dog” or “sheep” or even “password”. It doesn’t matter that everything else is secure, the password has let you down. This is the biggest issue with wireless security. People set the security mode to something decent, and then use a terrible security key. It should be at least 20 characters and must contain numbers, upper case letters, lower case letters, and symbols (IhathN3v3rF41l3dTh33?!).

Naming your Network

Your SSID is essentially the name of your wireless network. It is a crime to leave this at the default setting, which will be something like  “BTHomeHub” or “NETGEAR”. Change it to something that doesn’t give any useful information away. Why not call your wireless network “Hamster” or “Boris”? It’s far better than calling it “34VictoryLane” or “TheJohnsons”.

MAC Address Filtering | Hidden SSID

So, you’ve secured your network with a good security mode and have got a strong wireless key in place. Now you see the options to hide your SSID (sometimes it says “disable SSID broadcast”) and to enable MAC Address Filtering. Annoyingly, these two options are practically pointless. Hiding your SSID is equivilant to making a file “hidden” in Windows. Anyone with half a brain would still be able to find and access the file, but you’ve made it slightly more difficult for you to access it. That is essentially what hiding your SSID does. It makes it more difficult for YOU to manage your wireless network (adding new devices etc), but doesn’t increase the overall security level (assuming you’ve followed the advice above and are running WPA2 with a strong key). It’s a waste of your time, so leave SSID visible. MAC Address Filtering is a pain. Every SINGLE time you want to add a new wireless device – you have to find it’s MAC address and specifically allow that MAC address to access the wireless. So, it might be a pain – but it must make your network SUPER secure, right? Of course it doesn’t. In a world of MAC address spoofing and wireless stumbling programs – MAC Address Filtering is almost totally useless. It’s a real pain to configure, and offers very little security benefit.

So, that is why I would choose option 5 to secure my wireless network, or option 3 if some devices don’t support WPA2. In fact, I’d probably choose the hidden 7th option for security – it’s called Ethernet, and it’ll blow your mind.

- James | October 2009

Note: To use WPA2 on XP, you must be running Windows XP SP3 (or SP2 with a KB update).

As you know everything these days is wireless. But, rarely do we care how we connect, instead often just get online. A lot of wireless routers that are available offer very useful features that you probably didn’t know about. Chances are if you’ve never accessed your router’s settings, you are just running the defaults which means your neighbors or anyone who drives by could potentially access your data or perform a criminal act that points to you. However, there are times when it’s OK to take the shields down and let people leech off your network. For that reason, you may want to periodically check who is accessing it. In most routers, they have a status page to display connected computers.

To learn how to secure a wireless router there are three important things to know: SSID (Service set identification), MAC (Media Access Control) Address, and WEP(Wired Equivalent Privacy) / WPA (Wifi Protected Access), don’t worry I will not bug on this tech terms. Let me explain it in 5 simple steps..

Step 1) Access Your Wireless Router’s Configuration: log in to your wireless router administrative control panel. This is usually done by opening a browser and going to http://192.168.1.1 (for most Linksys routers) or http://192.168.0.1 (for most D-Link routers). Check the user manual or quick-start guide that came with your router if either of those do not work. (Once there change the Admin password. Most wireless routers ship with a blank password. It is essential that this is changed else a potential hacker could get into your router configuration and lock you out of your own hardware. Many Linksys wireless routers, use the word “admin” as the default password. Either way, you should change this to something only you know and never give this out to anyone.)

Step 2) Change the SSID name: The SSID is your Network Name. That is, it’s how other computers know what to look for when connecting to your wireless network. Linksys wireless routers use “linksys” as their default name. D-Link uses, get ready, “dlink” as their default. Changing this to a unique name, but not something related to a personal password or anything personally identifiable. My tip i have seen wireless networks named things like, “computer-virus” and they like to scare people off.

Step 3) Disable/Turn-off SSID broadcast: By default, almost all wireless routers broadcast the SSID name you setup above. This means that anyone within range of your router (neighbors, random strangers driving by, criminals, etc.) can find out the name of your network and thus try to connect to it. Make it a bit harder by disabling this broadcast feature. Combined with the unique name above, these two steps will certainly ward off the casual wi-fi poachers.

Step 4) Enable WPA or WPA2 encryption: This is switched off by default. There is a choice of WEP, WPA and WPA2. Currently the latest encryption method is WPA2 so use this where possible. Both your wireless router and wireless PC adaptor must be configured to use the same encryption, it is the most effective and most important part of securing your wi-fi network as well as the information you send across it.

The benefits here are 2-fold:

1) It makes access to your wireless network password-protected.
2) It encrypts all the data you send while browsing the internet (credit card numbers, email passwords, etc.).

You’ll want to use WPA2 if your wireless router gives you that option and your computer supports it. If it does not, go with WPA. Do not even bother with WEP encryption, as this has been proven to be hackable in minutes and really only offers a false sense of security. You will be required to enter a password, or “shared key,” when setting this up. For this, you’ll want to pick a long string of both capital and lowercase letters as well as numbers. Stick with a string of ten characters or more to be safe, although some security experts suggest going with something over twenty characters. Keep in mind that you might have to give this out to trusted visitors and weekend guests, so don’t make this the same as any other password you use.

Step 5) (Optional) MAC address filtering: As said this is more optional which works well on most branded routers. All hardware has a unique MAC address associated with it, including your PC adaptor card. This MAC address can be added to access control list in the wireless router. Only devices added to the router’s access control list are allowed to be connected. Why did I make it optional simple with MAC address filtering, you can tell your wireless network to only allow access from certain computers by inputting their MAC address into the router settings. However, from a hacker’s point of view, what this does is give them a list of MAC addresses that can access the network and gives them one more piece of information to help them snoop around on your network. Also other good tip with this is to Disable web access to the Control Panel. The fact is, once you set up all this stuff you rarely have to access the Control Panel anyway, so this just makes it all the more secure.

Final get some help out of your router manufacturer like update your router latest router firmware from the manufacturer’s website and installed in the router. This will hopefully fix any bugs that have been found for your router and also help with any known security flaws in the router itself., finally backup all router settings. If you reset the router back to its factory default settings even by mistake, your configuration can later be easily restored back with this.

Tip: The major wireless router manufacturers are Linksys/Cisco, D-Link, and Netgear. You will see these brands dominate in most retail stores. Look for sales because these manufacturers often discount models from week to week and you can sometimes find a good deal for substantially less cost. Online, you will also see brands, such as Asus, Belkin, Buffalo Technology, Beetel and SMC, all worthy of consideration

To even make it complete, I found the right video where GetConnected hosts Mike Agerbo and AJ Vickery discuss wireless router security and give some simple tips on how to keep yourself and your home computers protected from an unexpected attack

Happy WIRELESS Surfing..

This is WeeFee. She is a Billion 7401VGP R3 firewall router. She came to me in January this year in a sexy blue box after I churned from the car accident that is Telstra Bigpond to Internode. In human years, that would make her 18, blonde and very Eastern European.

However for seven months, WeeFee tormented myself and every single occupant in my home by restricting access to the very reason she exists. Friends and family who came over all gave me grief over WeeFee as they simply could not access her ‘private parts’ wirelessly. No amount of foreplay, coercing, romancing or role-playing got WeeFee interested in ’sex’.

Oh she was very good when I have an ethernet cable stuck up her nice, round behind. She has her limitations (I am in an ADSL1 exchange) so she won’t go as fast as I would like but she serves her purpose when we have alone time with each other.

One of the things Sandeep and I looked into on the same night he arrived was trying to get WeeFee interested in ’sex’. Both of us accessed her account, probed her insides and teased her gently with little flicks and changing of codes. We went at it for about an hour.

But to no avail.

Frustrated, we attempted what no men would willingly admit in public but wished had the guts to do – ask for directions.

I called up Internode and within five minutes the nice bloke on the other end got WeeFee interested in ’sex’. He did what a single man couldn’t do in seven months. From interstate as well. Damn he must be a ’sex’ master. He must have achieved nirvana in his previous life.

Turns out, my SSID has underscores (_) in them. For seven months, I tinkered with WeeFee’s settings, thinking there must have been something wrong with the setup. All the hours spent browsing Whirlpool threads and Googling. Imagine my relief when WeeFee finally responded to ’sex’. Sandeep and I were elated. He could finally have ’sex’ without an ethernet cable, and I could partake in the activity whenever and wherever I wanted to.

As it stands, our home is always open to interested participants. WeeFee will always be ‘turned on’.

350Dominicana ha recibido el apoyo del Servicio Social de Iglesias Dominicanas, Inc (SSID). Esta organizacion sin fines de lucro que trabaja a nivel nacional e internacional como ente facilitador de procesos de gestion y autogestion de desarrollo comuntario.

El SSID trabaja y mantiene una red de relaciones con las iglesias, instituciones, y comunidades, en un proceso participativo de diálogo y coordinación, identificando las necesidades de los más pobres, mediante la organización comunitaria, priorización de las necesidades, capacitación y formación de multiplicadores, para que sean gestores de su propio desarrollo.

Sus objetivos principales son los siguientes:

• Educar y capacitar a las familias más pobres de las comunidades, para lograr que sean autores y actores de su propio desarrollo.

• Integrar al trabajo participativo las redes comunitarias y de las iglesias, para la multiplicación de los conocimientos y capacidades.

• Sumar los recursos de la comunidad, las iglesias, el Estado, organizaciones, empresas y agencias de cooperación para reducir la dependencia económica.

• Mantener al equipo de colaboradores actualizados en los procesos de desarrollo y cambio social del entorno local, nacional e internacional, para aunar esfuerzos y cumplir efectivamente con la misión y visión institucional.

• Promover entre la población meta el respeto y cumplimiento de los derechos humanos de los comunitarios; así como la formación y transformación de estructuras y estilos de vida que conduzcan a la promoción de la justicia social y los derechos que le son inherentes.

El equipo gestor de 350Dominicana agradece el apoyo formal del SSID. Este es otro ejemplo de como esta campaña esta creciendo y recibiendo apoyo general en la sociedad Dominicana. Esperamos poder seguir recibiendo el apoyo de aun mas personas, organizacions no-gubernamentales, empresas, y lideres nacionales.

Τα περισσότερα modem/router πλέον υποστηρίζουν και την δυνατότητα ασύρματης δικτύωσης.Έτσι λοιπόν αν θέλουμε ασύρματο δίκτυο στο σπίτι μας θα πρέπει να λάβουμε υπόψιν μας ότι το θέμα της ασφάλειας είναι μία διαφορετική υπόθεση από ότι στα ενσύρματα δίκτυα.Τα πράγματα που πρέπει να προσεχθούν λοιπόν εφόσον θέλουμε το ασύρματο δίκτυο μας να είναι ασφαλές είναι τα ακόλουθα:

1)Αλλαγή του ονόματος χρήστη και του κωδικού πρόσβασης στο router

Όλα τα modem/routers έχουνε ένα προκαθορισμένο λογαριασμό (username και password) για να μπορεί ο χρήστης να συνδέεται σε αυτά συνήθως μέσω του web interface.Πολλοί χρήστες όμως δεν αλλάζουν ποτέ αυτό το κωδικό.Επειδή αυτοί οι λογαριασμοί προέρχονται από τις εταιρείες που κατασκευάζουν τα modem/routers είναι λοιπόν ήδη γνωστοί σε πολύ κόσμο ή μπορούν πολύ εύκολα να ανακαλυφθούν μέσω του Google με μία απλή αναζήτηση.Αν λοιπόν κάποιος κακόβουλος χρήστης καταφέρει να συνδεθεί στο δίκτυο μας μπορεί πολύ εύκολα μέσω του web interface να κάνει ότι θέλει στο δίκτυο μας μέχρι και να μας κλέψει το Adsl account μας.

2)Επιλογή της κωδικοποίησης που θα χρησιμοποιηθεί

Για να επικοινωνήσει ένας υπολογιστής με το router ασυρματικά θα πρέπει να στείλει και να λάβει σήματα.Αν δεν έχει επιλεχθεί κάποια κωδικοποιήση τότε κάποιος εξωτερικός χρήστης μπορεί να δει την κίνηση του δίκτυου και να ανακαλύψει λογαριασμούς και κωδικούς που πληκτρολογούμε σε ιστοσελίδες.Πλέον όλα τα modem/router υποστηρίζουν δύο τρόπους κωδικοποίησης.Την WEP και την WPA2.Η WEP πλέον μπορεί να σπαστεί σε 30 δευτερόλεπτα ασχέτως το πόσο πολύπλοκη θα είναι η φράση που θα χρησιμοποιηθεί.Η χρήση της WPA2 λοιπόν είναι επιβεβλημένη καθώς και είναι και η δυνατότερη μέχρι σήμερα.Ο αλγόριθμος που συνίσταται να επιλεχθεί είναι το  TKIP+AES.Με μία δυνατή φράση κλειδί που θα περιέχει γράμματα,αριθμούς καθώς και σύμβολα όπως @,$,%,& κτλ θα είναι πολύ δύσκολο για κάποιον να σπάσει το δίκτυο μας και να συνδεθεί.Η καλύτερη βεβαίως πολιτική ασφαλείας είναι να αλλάζει αυτήν η φράση κλειδί ανά 1 μήνα τουλάχιστον.

3)Αλλαγή του SSID

Όλα τα ασύρματα modem/router έχουν και ένα SSID το οποίο και εκπέμπουν.Το  SSID ουσιαστικά δεν είναι τίποτα παραπάνω από το όνομα που έχει το δίκτυο.Με τις προκαθορισμένες ρυθμίσεις τα router συνήθως για SSID έχουν το όνομα του router.Αλλάζοντας το SSID λοιπόν αποτρέπουμε το να γνωρίζει κάποιος εξωτερικός χρήστης τι μοντέλο router έχουμε και επίσης υπάρχει σε πολλά routers και μία επιλογή για απόκρυψη του SSID κατά την μετάδοση.Έτσι προσθέτουμε ακόμα ένα επίπεδο προστασίας στο δίκτυο μας αφού κάποιος για να συνδεθεί θα πρέπει εκτός από την φράση κλειδί να γνωρίζει και το όνομα του δικτύου μας.

4)Ενεργοποίηση του MAC Address Filtering

Η MAC address όπως όλοι γνωρίζουμε είναι η φυσική διεύθυνση μίας κάρτας δικτύου και προέρχεται από τον κατασκευαστή της.Για να δούμε ποιά είναι η MAC address της κάρτας δικτύου μας το μόνο που πρέπει να κάνουμε είναι να ανοίξουμε την διαχείριση εντολών και να πληκτρολογήσουμε ipconfig/all.Έτσι αν το ασύρματο router μας υποστηρίζει MAC address filtering τότε το μόνο που μένει να κάνουμε είναι να την κάνουμε προσθήκη στο αντίστοιχο πεδίο του MAC address στο router.Με αυτόν τον τρόπο το router θα δίνει IP διεθύνσεις μόνο στις καταχωρημένες του MAC addresses που εμείς θα έχουμε επιλέξει και τις υπόλοιπες δεν θα τις δέχεται.

5)Χρησιμοποίηση του Firewall router

Σχεδόν όλα τα router έχουν ενσωματωμένο και κάποιο firewall και κάποιες άλλες λειτουργίες για την αποτροπή των ping προς το router.Αν το firewall του router είναι ενεργοποιημένο πολλά πακέτα προς αυτό από εξωτερικούς χρήστες δεν θα φτάνουν.

Όλα τα παραπάνω είναι τα βασικά που θα πρέπει να γνωρίζει κάποιος για να ασφαλίσει το οικιακό του ασύρματο δίκτυο.Ασφαλώς και δεν σημαίνει πως και μετά από αυτές τις συμβουλές θα είναι αδύνατον για κάποιον να μπει στο δίκτυο μας αν γνωρίζει τι πρέπει να κάνει.Αλλα σίγουρα θα έχει μεγάλες πιθανότητες να μην παραβιαστεί ποτέ το δίκτυο του καθώς θα απαιτεί πολλαπλάσιο χρόνο για να εισχωρήσει σε αυτό με όλα αυτά τα επίπεδα προστασίας.

For the fourth consecutive quarter PC Desktop Repair sees highest volume of work orders;  Enterprises are using OnForce in creative ways to optimize efficiencies

BOSTON – July 13, 2009 – OnForce, the trusted online marketplace and national network of thousands of technology service technicians, today released the OnForce Services Marketplace Index (OSMI) for the second quarter of 2009. Based on more than 70,000 service events this quarter across North America, the OSMI provides a comprehensive analysis of key spending trends in information technology (IT) and consumer electronic (CE) services. Key findings this quarter show that spending in the break-fix sector from diagnose and repair to parts swap remained at a consistent high with Q1 2009, accounting for 63 percent of all work orders. In addition, OnForce saw enterprises utilize the platform more extensively to handle longer term projects in order to maximize efficiency.

In terms of highest volume categories, PC Desktop ranked first for highest work order volume for the fourth straight quarter in a row (accounting for nearly one third of all jobs.) Of this, three quarters were break-fix related work. Other high volume work categories for the quarter included TV/Video and Network, which accounted for 19 percent and 13 percent of all work orders respectively.

Check out the entire report here: http://www.onforce.com/OSMI/Q209

WiFi is quickly becoming more prevalent in homes and businesses due to improvements in technology that make wireless almost as fast as a traditional wired network. With this convenience, we lose security. There are a few basic steps you can take to secure your network before hackers, snoops and the occasional unintentional user connects to your LAN.

The very first thing you should do before anything else is change your router’s password. Older routers have default passwords set by the manufacturer that everyone knows. Some do not have passwords at all. So when you setup your network for the first time, set a router password that is easy to remember and contains a mixture of letters, numbers and symbols. Write the password down, if necessary, but lock it away in a drawer or other private place. Since the router is the first line of defense, changing the password is essential.

Next, stop broadcasting your address. Your router will constantly scream to the world and announce its SSID to any wireless device that enters its area. Disabling SSID broadcast will help block the accidental connection from neighbors and essentially make your wireless network invisible. You’ll also want to change the default SSID of the router. For instance, Linksys uses “linksys.”

You’ll also want to enable encryption on the router. You can use WEP, WPA or WPA2. The type of encryption you choose really depends on the computers and Internet devices you have in your home or office. Some older wireless cards simply will not support WPA. While WEP is considered obsolete and quickly cracked by professional hackers, it is certainly better than running no encryption at all. If all of your devices support WPA2, then that is what you should use.

The last thing you should do is disable Ad-hoc networking. Ad-hoc networking is networking from computer to computer without the need to use the router. This is dangerous, as anyone within close proximity can easily gain access to your PC and its data. Generally, if you’re behind a LAN using a router, you will already be setup for infrastructure mode, therefore, the ad-hoc isn’t being used.

SOURCE: PCTECHBYTES.COM

Vamos lá:

Primeiro, você deve instalar o roteador . Para isso, basta ligar o modem da banda larga na porta WAN do roteador e ligar o cabo de rede em uma das portas LAN do roteador no seu PC (não use cabo crossover, para isso deve ser o cabo de rede normal mesmo). Verifique no manual do seu roteador qual é o endereço para configuração web. Com esse IP em mãos, apenas digite-o no navegador. O roteador irá pedir uma senha e nome de usuário, que também estarão no manual. Normalmente, haverá algum tipo de utilitário de configuração rápida. Com ele você colocará tudo para funcionar facilmente.

Essas configurações padrão não são seguras. Vamos às dicas:

- Não deixe sua rede visível. Desative o SSID broadcast, que anuncia sua rede ao mundo. Com a rede invisível, como vamos conectar a ela? No caso do Ubuntu, Kubuntu, Fedora ou qualquer distro com o Network Manager, basta clicar no ícone na systray e selecionar “Conectar a rede sem fio oculta”. Você deverá informar a senha e o nome da rede (essa é a jogada, para acessar será preciso saber o nome da rede). O NM irá lembrar dessas configurações e fazer sozinho da próxima vez.

- Selecione uma criptografia. Se a conexão não estiver criptografada, qualquer um com um sniffer (programa que intercepta pacotes em uma rede) irá conseguir ver o que você está fazendo e obter dados seus. E poderá usar a sua Internet também. Vamos às opções:

- WEP e WEP2: São os protocolos antigos. Desatualizados e fáceis de quebrar. Não use.

- WPA e WPA2: São protocolos atuais, seguros. Necessitam de um nome de usuário e senha para acesso.

- WPA-PSK e WPA-PSK2: São as versões para usuários domésticos dos anteriores. Exigem apenas uma senha e são mais fáceis de usar. São bem seguros.

- Obs.: Ao selecionar a criptografia da conexão, prefira o AES, que é extremamente seguro.

- Senha. Selecione uma senha bem longa, com 30 ou 40 caracteres, incluindo letras, símbolos e números. Senhas curtas são inúteis. Não se preocupe, pois o Network Manager irá decorar a senha e só pedirá ela na primeira conexão. Como a senha é longa, escreva em um papel e guarde em um lugar seguro.

- Filtre pelo MAC. Cada placa de rede possui um endereço único que a identifica. Você pode obtê-lo em “Sistema > Administração > Ferramentas de Rede” no Ubuntu. Na aba “Dispositivos”, selecione o seu dispositivo e veja o MAC.

Na configuração do roteador, adicione os endereços MAC de todas as placas de rede e placas wireless que irão usar a Web. Negue o acesso às outras placas.

- Limite o número de pessoas conectadas. Você tem duas opções:

- Desative o DHCP (atribuição automática de endereços IP): Com isso, você irá configurar IPs fixos para todos. Quem quiser acessar, deverá configurar sua conexão com IP fixo.

- Limite os IPs e reserve os endereços: Essa  é a solução que eu gosto mais. Vá nas opções de DHCP do roteador (deixe o DHCP ligado) e procure a opção de faixas de IP. Por exemplo, se você tem 4 computadores, limite a faixa a 192.168.1.(100 até 103), o que vai limitar o roteador a 4 IPs. Depois, procure a opção de reserva de IP e reserve esses 4 endereços para os MACs das placas de rede dos 4 PCs. Você não precisará configurar IP fixo para todo mundo e ainda vai conseguir limitar o acesso (só existem 4 IPs, todos reservados).

- Firewall e opções de segurança. Os roteadores contam com diversas opções, como proteção contra DoS, que devem ser ativadas. Ative o firewall também. Você pode testar a sua segurança no site ShieldsUp!

Le nostre reti wireless sono poco sicure, basta poco per potersi collegare a internet con l’access point di un altro…
Proviamo ad utilizzare Aircrack, uno dei migliori tools per il wireless craking ed il wardriving, supportato da diversi sistemi operativi, tra cui Windows.

Cosa vi serve:

- Scaricate ed installate Aircrack

- Se utilizzate “Winaircrack” (Aircrack con interfaccia grafica) copiate i files peek.dll e peek5.sys all’interno della cartella di Aircrack.

- Eseguiremo l’applicazione dal prompt di DOS: per poter eseguire il programma anche se non siamo nella directory che lo contiene, cliccate col tasto destro del mouse su “Risorse del computer, Proprietà, Avanzate, Variabili d’ambiente, Modifica” portatevi alla fine della linea su cui sono già scritte altre variabili d’ambiente, inserite un punto e virgola (“;”) e scrivete il percorso in cui si trova il programma Aircrack (es. C:\Documents and Settings\2BFree\Desktop\aircrack-ng-0.3-win\aircrack-ng-0.3-win\bin).

- Avrete anche bisogno di installare dei nuovi driver per il vostro adattatore di rete: i driver originali non sono stati pensati per fare cose simili (per trovare dei driver che possano fare al caso vostro visitate il sito WildPacket)

- Per installare i nuovi driver aprite “clic destro su Risorse del Computer, Proprietà, Gestione Periferiche, clic destro sul vostro adattatore di rete, Proprietà, Driver, Aggiorna Driver, Installa da un elenco o percorso specifico” scegliete il percorso in cui avete scaricato i driver. Assicuratevi infine che il vostro adattatore di rete sia ora compatibile col tutto

Per facilitarvi la comprensione, durante i vari passi di questo tutorial fate riferimento al diagramma di flusso presente sul sito Wireless Defence. Se non avete confidenza con i “MAC Address” allora, prima di proseguire, leggetevi anche il relativo articolo su Wikipedia.

Il primo passo è ovviamente quello di trovare una rete wireless . Potete andarvene in giro col vostro computer portatile a fare del wardriving oppure potete utilizzare una apposita chiavetta “Wi-fi Finder”.

Digitate “Airodump” nel prompt di DOS (Start, esegui, cmd). Vi comparirà una finestra contenete le schede di rete trovate sulla vostra macchina. Notate che accanto al nome delle schede di rete è presente un numero identificativo. Ad esempio:

14 NETGEAR WG511T 54 Mbps Wireless PC Card
22 NETGEAR WAG511 802.11a/b/g Dual Band Wireless PC Card

In questo caso digitate 22, il numero identificativo della scheda che ci interessa utilizzare (in genere è quella che riporta una qualche identificazione del tipo “802.11x”).

Ora vi viene chiesto di indicare il chipset utilizzato dal vostro adattatore di rete. Ad esempio:

Interface types: ‘o’ = HermesI/Realtek

‘a’ = Aironet/Atheros

Selezionate il vostro, in questo caso scegliendo “o” oppure “a”. Per sapere quale chipset è montato sulla vostra scheda di rete potete dare uno sguardo al sito: http://www.linux-wlan.org/docs/wlan_adapters.html.gz

Ora vi sarà richiesto di inserire il numero del canale da controllare (sniffing). In genere per gli USA e l’UK utilizzate l’11, per l’Europa il 14. Se volete fare una scansione di tutti i canali utilizzate lo zero.

Ora vi sarà richiesto di inserire il numero del canale da controllare (sniffing). In genere per gli USA e l’UK utilizzate l’11, per l’Europa il 14. Se volete fare una scansione di tutti i canali utilizzate lo zero.

In seguito il programma chiederà di digitare il nome da dare al file che verrà creato a partire dalla scansione del canale. Digitate il nome che vi pare, ad esempio “WEP1”.

Ora Aircrack vi chiederà se salvare gli interi pacchetti catturati o soltanto gli IV. Per craccare una chiave WEP vi basta salvare semplicemente gli IV (il che vi farà risparmiare diverso spazio sull’hard disk, quindi digitate “y”).

Adesso vedrete una schermata simile:

BSSID = l’indirizzo MAC dell’Access Point

PWR = indica la forza del segnale che si sta ricevendo

BEACONS = sono pacchetti “in chiaro” che l’Access Point trasmette sostanzialmente per dire “sono un access point, collegati a me”

DATA = è quello che ci interessa: sono gli IV che Aircrack utilizzerà per trovare
la password WEP

ENC = il tipo di incapsulamento: WEP, WPA, OPEN…

ESSID = Il nome della rete Wireless. L’SSID è una sorta di identificativo della rete. Se ad esempio l’Access Point ha come SSID il nome “pippo” allora le schede wireless che ci si vogliono connettere devono impostare a loro volta come SSID “pippo”.

Nella seconda parte dell’immagine sopra vediamo i vari client che stanno “dialogando” con l’Access Point”, più esattamente vediamo i vari indirizzi MAC dei client. Quest’informazione può risultare utile in seguito quindi annotatevi gli indirizzi MAC. Questo perché in un Access Point è possibile impostare un filtro di indirizzi MAC: in questo modo soltanto le schede di rete che hanno un indirizzo MAC riportato nel filtro potranno collegarsi. Ciò significa che anche se possediamo la chiave WEP non possiamo accedere all’Access Point a meno che l’indirizzo MAC del nostro adattatore di rete non sia stato impostato nel filtro dell’Access Point. Ad ogni modo un caso simile sarà trattato dopo, per il momento non preoccupiamocene.

Aicrack continuerà a collezionare IV finché non lo fermate. Più IV scaricate e più probabilità avete di decifrare la chiave. Non c’è un riferimento esatto del tipo “lunghezza chiave = tot numero di IV da scaricare”. In linea generale prendete per buono che per trovare una chiave WEP da 40 bit potete scaricare dai 250.000 ai 400.000 IV: Aircrack dovrebbe trovare la chiave in pochi secondi. Ad ogni modo vi conviene cominciare con pochi IV infatti, se questi non bastano ad Aircrack per trovare
la chiave WEP, non dovrete ricominciare tutto da zero: basterà che quando vi verrà chiesto il nome che volete dare al file inseriate lo stesso nome che avevate già utilizzato in precedenza (in tal modo il file non verrà sovrascritto ma verrà invece “continuato”, cioè incrementato). Per una chiave da 104 bit collezionate circa 2.000.000 di IV: a volte ne bastano molti meno (anche se il programma impiegherà più tempo per trovare la chiave), altre volte purtroppo dovrete scaricarne di più…

Quando sarete soddisfatti del numero di IV collezionati premete “CTRL + C” per fermare il programma.

Scrivendo “Aircrack-ng” nel prompt vi verrà mostrata la lista dei parametri che è possibile utilizzare. Supponiamo di aver scaricato intorno ai 400.000 IV, in genere sufficienti per scovare una chiave WEP da 40 bit. Digitiamo allora il comando “aircrack-ng -n 64 WEP1.ivs”. Con il parametro “-n 64” diciamo al programma che la chiave ha una lunghezza massima di 64 bit e di non provare quindi oltre (anche perché, come già ricordato, non abbiamo ancora scaricato abbastanza IV per lunghezze di chiave maggiori). Il parametro “-f” che in questo esempio non abbiamo utilizzato serve per specificare l’intensità dell’attacco brute-force che di default è a livello 2: volendo potete specificare un livello maggiore, ad esempio 5.

Da notare anche l’estensione del file (WEP1.ivs): sarà *.ivs se avevate deciso di salvare soltanto gli IV, sarà *.cap se avevate deciso di salvare gli interi pacchetti catturati.

Se avrete fortuna il programma vi restituirà un messaggio di “KEY FOUND” seguito dal nome della chiave.

Ora che avete la chiave utilizzatela proprio come se doveste connettervi ad una vostra rete “domestica”. Se l’SSID dell’Access Point è abilitato seguite questa spiegazione; in caso contrario vi rimando all’ultimo paragrafo di questa guida.

Start, Connetti a, Connessioni di rete senza fili, Visualizza reti senza fili disponibili. Se l’SSID è abilitato (è visibile), questo vi appare nella finestra delle connessioni disponibili (e in genere potete anche vedere se utilizza il WPA o meno come sistema di cifratura). Fate doppio clic sull’icona della connessione ed inserite la password che avete trovato in precedenza: è fatta. Se non riuscite a collegarvi la causa può essere:

1) L’access Point utilizza un filtro per indirizzi MAC

2) Siete troppo lontani dall’Access Point

3) La chiave che avete trovato è errata

1) L’AP utilizza un filtro per indirizzi MAC. In precedenza vi era stato detto di annotarvi gli indirizzi MAC che stavano dialogando con l’AP. Ora la cosa più semplice da fare è:
- Aspettare che uno degli indirizzi MAC annotati in precedenza si scolleghi
- Cambiare il nostro indirizzo MAC in modo da renderlo uguale a quello che si è appena scollegato (MAC Spoofing). Potete utilizzare il Software SMAC.

- Entrare nell’Access Point .

2) Siete troppo lontani dall’Access Point. Bisogno di spiegazioni??? Avvicinatevi…

3) La chiave che avete trovato è errata. O meglio… è possibile che sia corretta: assicuratevi di averla scritta in modo giusto. In particolar modo assicuratevi di non aver scritto eventuali zeri (“0”) come delle “O” in quanto non ci possono essere delle “O”!

Se l’SSID dell’Access Point è disabilitato nessun problema. Voi conoscete già qual è, vi è stato rivelato da Aircrack: vedi immagine sopra, ESSID. Quello che dovete fare è semplicemente inserire l’SSID trovato nelle impostazioni di connessione.
Start, Connetti a, Connessioni di rete senza fili, Visualizza reti senza fili disponibili, Modifica impostazioni avanzate, Reti senza fili, Aggiungi: scrivete l’SSID così come lo ha trovato Aircrack, l’autenticazione alla rete è normalmente APERTA > scegliere la cifratura WEP, togliere il segno di spunta dalla voce “la chiave sarà fornita automaticamente” ed inserire invece la chiave WEP che avete trovato grazie ad Aircrack (nota: inserite la chiave tutta di seguito, senza i due punti (“:”) di separazione).

Fonte BlogGiando

Note: This post contains information, educative material and NO rant

The Hindu carried out an article pushing the ever debated topic – Open Wi-Fi access points. The problem narrows down the the fact that these router are not set to use the security features by default. Most of the routers used these days have support for security, but people are ignorant how to use them.

We cant blame any individual for this. Wi-Fi routers are becoming common and going mainstream. Who wants to carry the wire wherever they go in their building or home? How many of them are tech-savvy? How many of them even give a thought that open networks are a danger not only to the country, but also to themselves. I am responsible for any misuse of the Internet connection which I have in my name.

The routers have many security features in them. To name a few MAC Address white-listing, SSID broadcast disabling and Encryption using WPA and WPA2. Let’s check each one of them

• MAC Addresses are physical address which should be unique to each hardware. The router can be set to accept connections only from these white-listed addresses. I know my definition of MAC address is not completely correct, but still it can give you a faint idea.
• SSID is Service Set Identifier which gives a name to the wifi network. Broadcasting is a bit risky, but still accepted.
• Encryptions like WEP, WPA and WPA2 are used usually. WEP should not be used as it easy to crack. WPA and WPA2 are becoming quite common and WPA2 should be used as much as possible. The only problem with WPA2 is that not all wifi cards in laptops are supported.

The problem zeroes down to the fact that who is responsible for educating the non-techy users how to securely use the routers? Don’t you feel that the ISP’s (Internet Service Providers) have greater responsibilties in this reguard?

El fabricante de hardware de red CP Tecnologies anunció la liberación de su router 3G inalámbrico portátil LevelOne MobileSpot (WBR-3800) para hacer un puente entre las conexiones de banda ancha móvil a Wi-Fi. Con un adaptador compatible 3G insertado en una ranura CardBus del portátil o un puerto USB, los usuarios pueden compartir el acceso a una red UMTS, EV-DO o HSDPA con cualquier dispositivo habilitado a la red Wi-Fi a través del router. Cuando una conexión a Internet falla, el LevelOne puede cambiar automáticamente a una red 3G para ofrecer un servicio ininterrumpido.

El MobileSpot soporta 802.11b/g en el enlace local, con características de seguridad que incluyen WPA, TKIP WPA-PSK/WPA2-PSK con autenticación/encriptación AES, así como protección cuando es conectado a Internet. El dispositivo cuenta con SSID oculto, filtrado de direcciones MAC y conexiones de datos garantizados IPSec. Un conmutador Ethernet 100Mbps está presente para los usuarios locales, además de un puerto Ethernet de 100 Mbps para una conexión WAN, tales como un cable módem o ADSL.

El router MobileSpot inalámbrico portátil es compatible con sistemas operativos Mac y PC y ya está disponible por 149 dólares.

Vía | ActualidadGadget

Teknik mengamankan Wireless LAN
Salah satu kendala/keraguan dari pengguna Wireless Local Area Network (WLAN) yang paling utama adalah masalah security. Dengan pemanfaatan teknologi wireless maka data-data yang dikirim mau tidak mau akan melewati “udara bebas”. Dengan kondisi tersebut ancaman terhadap isi datanya cukup besar. Beberapa ancaman terhadap sistem WLAN adalah adanya kerawanan terhadap bahaya penyusupan. Hal tersebut sangat dimungkinkan karena asal penyusup mempunyai WLAN card maka berarti dia sudah memiliki kesempatan untuk masuk ke jaringan. Dengan adanya kondisi diatas, maka diperlukan adanya keamanan jaringan WLAN secara berlapis-lapis.

Segmentasi Jaringan
Dengan model pengamanan segmentasi jaringan WLAN, maka network WLAN dimasukkan/dikategorikan ke dalam subnet tersendiri. Atau dengan solusi lain jaringan WLAN dipisahkan ke jaringan extranet.

SSID (Service Set Identifier)
SSID merupakan nama network dari suatu jaringan WLAN, dan dapat diset sesuai dengan keinginan administrator. SSID dikenal juga dengan istilah ESSID. Fungsi SSID dikaitkan dengan keamanan keamanan WLAN adalah merupakan garda terdepan terhadap sistem keamanan WLAN. Setiap client yang akan masuk jaringan WLAN atau terhubung ke AP maka harus mengetahui SSID dari AP tersebut.

Wireless Network
SSID pada dasarnya dapat diset broadcast maka sangat mudah diketahui oleh pengguna yang mempunyai WLAN card. Semua device (notebook atau PDA) dengan scanning jaringan WLAN maka dapat dengan mudah mengetahui jaringan WLAN baik dengan software bawaan WLAN card maupun software tambahan lain. MAC Filtering Sistem pengamanan yang ke-tiga adalah dengan memanfaatkan filtering MAC (Medium Access Control) address. Biasanya seting di sisi AP terdapat pilihan mengenai daftar MAC address yang akan kita inputkan, apakah untuk kategori allow/disallow atau forward all/block all. Penerapan keamanan WLAN dapat dilakukan melalui beberapa metode yaitu segmentasi jaringan, SSID, MAC filtering, WEP, WPA dan VPN. Kesadaran akan masalah keamanan WLAN masih perlu disosialisasikan.
sumber

Wireless networks are everywhere. And if you don’t have one at your business, it’s just a matter of time before you do.  The owner, or some C-executive will want it “just for the conference room” or “just for guests”. But they don’t want to spend too much, after all, it’s “just wireless”.  And after you put together an inexpensive solution (read Linksys, D-Link or Netgear WAP), and it performs like crap, bombs out when mulitple people are connected to it and needs to be rebooted every 7 days, the complaints will begin. 

Having put together several wireless network for several small environments, I’ve stepping in a lot of pitfalls. And faced down the CFO, VP Finance, CTO, VP Operations and inumerable Directors and Managers to explain the technical shortcomings of an inexpensive (read “cheap”) solution. Guess what? They generally don’t care. They just want it to work. So here’s my guidelines for business wireless networks: 

1. Get good business-class equipment. For my money, that start with Cisco’s Aironet series WAPs. You can pickup previously used Aironet units on Ebay for a few hundred dollars. They certainly cost more than the Linksys/D-Link/Netgear, but those are primarily residential-class units anyway. But the residential units will not stand up to mulitple simultaneous connections, and need to be rebooted frequently (like every week on the nose). 

2. As a minimum, use WPA2 with AES for encryption. WEP is an absolute no-no. It’s a proven weak encryption algorithm, and tools exist today that can crack it in less than a minute. WPA2 with AES is a stronger algorithm, which of course requires more processing, but the business class units with their stronger hardware and more robust firmware can handle it.

3. If at all possible, use authentication. There are a few alternatives (MAC filtering, WAP local passwords, RADIUS), but the best is RADIUS. Set your WAP to authenticate through a Windows RADIUS server using IAS. This way, only authorized users can get on, and their traffic is secure. 

4. If you need more than one wireless environment, such as an internal network, and a guest network, use mutliple SSIDs on your WAP. Here again the buisness-class unit will come to your rescue. You can run multiple SSIDs on one unit, each identified by a different VLAN. Most residential units will not support mulitple SSIDs. You’ll need to buy two (or more), easily doubling your administrative workload. And then’ll you be an SysAdminihater. 

5. Lastly, from a security standpoint, perform periodic site surveys. This will help you catch rogue WAPs that employees have set up. Chances are excellent that these rogue units have either default settings (which  are NOT secure) or weak security settings. And excellent free tool for detecting wireless network is NetStumbler. I highly recommend it. You can of course get fancier with your detection tools, like the Fluke EtherScope2, or the even more rigourous AirMagnet Survey, but the most important things is to survey your site regularly. 

Wireless networks can be powerful extensions of your network. Put in place a strong solution based on quality hardware and security policies and you’ll get smiles down the road, instead of curses.