More

Password protect network link on Geoserver


I plan on serving data with geoserver to multiple people in my organization. The data is somewhat sensitive and I was wondering if there is a way to password protect the info so that in order to visualize it on Google Earth as a Network link, you would need a global password?


I believe you need to look int using HTTP Basic authentication in GeoServer (supported by default) specifically for data. You can activate it for certain layers only, here below some good resources:

  1. Security in GeoServer
  2. Layer Security

Hope this helps.


Assuming the starting cell is given as (StartRow, StartCol) and the ending cell is given as (EndRow, EndCol), I found the following worked for me:

Note: Excel Cell B5 is given as row 5, col 2 in win32com. Also, we need list(. ) to convert from tuple of tuples to list of tuples, since there is no pandas.DataFrame constructor for a tuple of tuples.

Use xlwings, opening the file will first launch the Excel application so you can enter the password.

Based on the suggestion provided by @ikeoddy, this should put the pieces together:

Assuming that you can save the encrypted file back to disk using the win32com API (which I realize might defeat the purpose) you could then immediately call the top-level pandas function read_excel . You'll need to install some combination of xlrd (for Excel 2003), xlwt (also for 2003), and openpyxl (for Excel 2007) first though. Here is the documentation for reading in Excel files. Currently pandas does not provide support for using the win32com API to read Excel files. You're welcome to open up a GitHub issue if you'd like.


How to Secure Your Wi-Fi Router and Protect Your Home Network

To revist this article, visit My Profile, then View saved stories.

Photograph: Olly Curtis/MacFormat Magazine/Getty Images

To revist this article, visit My Profile, then View saved stories.

Your router is perhaps the most important gadget in your home. It checks all incoming and outgoing traffic, acting as a sentry to make sure that nothing dangerous comes in and nothing sensitive goes out. It controls access to your home Wi-Fi network and through that all of your phones, tablets, laptops, and more. If someone else gains access to that network—whether a remote hacker or your next-door neighbor—it can be quick work to compromise those devices.

With that in mind, it's essential to keep your router secure. The good news is these steps aren't too difficult or time-consuming, and they'll significantly reduce your risk.

These tips will require you to access your router's settings, which you can typically do through your web browser by typing in an IP address, or if you're lucky, through an app on your phone. If you're not sure how to find these settings, check the documentation that came with the router, or run a quick web search using your router's make and model.

You should be using WPA2 security to guard access to your router, which essentially requires every new device to submit a password to connect. This is enabled by default on just about every router, but if it's not active on your device, switch it on through your router settings.

It's a good idea to change the Wi-Fi password on a regular basis. Yes, it means you'll need to reconnect all your devices again, but it also kicks off any unwelcome visitors who might be lurking. Your router settings panel should give you a list of connected devices, though it might be tricky to interpret.

Weɽ also recommend changing the password required to access the router settings themselves, as many people just leave the defaults in place—and that means someone who knows the defaults or who can guess them could reconfigure your router. As with any password, make it very hard to guess but impossible to forget.

These password settings should be fairly prominently displayed inside the router settings panel, and if you router is a more recent model, you might well get warnings if the new passwords you pick are too easy to guess or brute force. Before long, WPA2 will give way to WPA3, which offers more set it and forget it security, but until then, pay close attention to your Wi-Fi password hygiene.

Your router runs low-level software called firmware which essentially controls everything the router does. It sets the security standards for your network, defines the rules about which devices can connect, and so on.

Some more modern routers update themselves in the background, but whatever model you have, it's always worth making sure the firmware is up to date. This means you've got the latest bug fixes and security patches, and are protected against whatever exploits have just been discovered.

The process varies from router to router, but as with the password settings, the option to update your router's firmware shouldn't be too difficult to find within the router control panel. If you get stuck, check the router documentation or the official support site on the web.

If you're lucky, the process will be automatic you might even get alerts on your phone every time a firmware update gets applied, which usually happens overnight. If you're unlucky, you might have to download new firmware from the manufacturer's site and point your router towards it. If so, it's absolutely worth the extra effort.

A lot of routers come with features designed to make remote access from outside your home easier, but unless you need admin-level access to your router from somewhere else, you can usually safely turn these features off from the router settings panel. Besides, most remote access apps work fine without them.

Another feature to look out for is Universal Plug and Play. Designed to make it easier for devices like games consoles and smart TVs to access the web without making you wade through a lot of configuration screens, UPnP can also be used by malware programs to get high-level access to your router's security settings.

Keeping remote access and UPnP turned on won't suddenly expose you to the worst of the internet, but if you want to be as safe as possible, turn them off. If it turns out that some of the apps and devices on your network rely on them, you can enable the features again without too much worry.

You should also think about disabling Wi-Fi Protected Setup. WPS has good intentions, letting you connect new devices with a button push or a PIN code, but that also makes it easier for unauthorized devices to gain access a numerical PIN is easier to brute force than an alphanumerical password. Unless you specifically need it, disable it.

If your router has the option of broadcasting a so-called guest network, take advantage of it. As the name suggests, it means you can grant your guests access to a Wi-Fi connection, without letting them get at the rest of your network—your Sonos speakers, the shared folders on your laptop, your printers, and so on.

It's not like your friends and family are hackers in disguise, but letting them on your primary network means they might access a file that youɽ rather they didn't, or inadvertently change a setting somewhere that causes you problems. It also puts another speed bump in the way of someone who is secretly trying to get access to your network without your permission—even if they're able to get on the guest network, they won't be able to take control of your other devices, or your router.

Your router should have the option to hide the SSID of your main network—basically the name of the network that appears when your devices scan for Wi-Fi. If visitors can't see this network then they can't connect to it, but you'll be able to add devices to it because you'll know what it's called. (And if you're not sure, it'll be listed in your router settings.)

Despite decades of relative neglect, most routers launched in the last couple of years come with excellent security built in. Manufacturers appreciate the importance of router security and reliability more than ever, so the products are much more user-friendly than they used to be. They now handle lot of the key security settings for you.

With that in mind, one of the highest risks to your router is that it's compromised by a device that it thinks it can trust—in other words, something on your phone or laptop gets access to it and causes some mischief, perhaps by secretly opening an entry point to your router that can be accessed remotely.


Contents

Anyone within the geographical network range of an open, unencrypted wireless network can "sniff", or capture and record, the traffic, gain unauthorized access to internal network resources as well as to the internet, and then use the information and resources to perform disruptive or illegal acts. Such security breaches have become important concerns for both enterprise and home networks.

If router security is not activated or if the owner deactivates it for convenience, it creates a free hotspot. Since most 21st-century laptop PCs have wireless networking built in (see Intel "Centrino" technology), they don't need a third-party adapter such as a PCMCIA Card or USB dongle. Built-in wireless networking might be enabled by default, without the owner realizing it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Linux, macOS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN "base station" using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet through the "base" PC. However, lack of knowledge among users about the security issues inherent in setting up such systems often may allow others nearby access to the connection. Such "piggybacking" is usually achieved without the wireless network operator's knowledge it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.

Wireless security is just an aspect of computer security however, organizations may be particularly vulnerable to security breaches [6] caused by rogue access points.

If an employee (trusted entity) brings in a wireless router and plugs it into an unsecured switchport, the entire network can be exposed to anyone within range of the signals. Similarly, if an employee adds a wireless interface to a networked computer using an open USB port, they may create a breach in network security that would allow access to confidential materials. However, there are effective countermeasures (like disabling open switchports during switch configuration and VLAN configuration to limit network access) that are available to protect both the network and the information it contains, but such countermeasures must be applied uniformly to all network devices.

Threats and Vulnerabilites in an industrial (M2M) context Edit

Due to its availability and low cost, the use of wireless communication technologies increases in domains beyond the originally intended usage areas, e.g. M2M communication in industrial applications. Such industrial applications often have specific security requirements. Hence, it is important to understand the characteristics of such applications and evaluate the vulnerabilities bearing the highest risk in this context. Evaluation of these vulnerabilities and the resulting vulnerability catalogs in an industrial context when considering WLAN, NFC and ZigBee are available. [7]

Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking is prone to some security issues. [8] Hackers have found wireless networks relatively easy to break into, and even use wireless technology to hack into wired networks. [9] As a result, it is very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources. [4] Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce wireless security policies.

The air interface and link corruption risk Edit

There were relatively few dangers when wireless technology was first introduced, as the effort to maintain the communication was high and the effort to intrude is always higher. The variety of risks to users of wireless technology have increased as the service has become more popular and the technology more commonly available. Today there are a great number of security risks associated with the current wireless protocols and encryption methods, as carelessness and ignorance exists at the user and corporate IT level. [5] Hacking methods have become much more sophisticated and innovative with wireless.

The modes of unauthorised access to links, to functions and to data is as variable as the respective entities make use of program code. There does not exist a full scope model of such threat. To some extent the prevention relies on known modes and methods of attack and relevant methods for suppression of the applied methods. However, each new mode of operation will create new options of threatening. Hence prevention requires a steady drive for improvement. The described modes of attack are just a snapshot of typical methods and scenarios where to apply.

Accidental association Edit

Violation of the security perimeter of a corporate network can come from a number of different methods and intents. One of these methods is referred to as “accidental association”. When a user turns on a computer and it latches on to a wireless access point from a neighboring company's overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network.

Accidental association is a case of wireless vulnerability called as "mis-association". [10] Mis-association can be accidental, deliberate (for example, done to bypass corporate firewall) or it can result from deliberate attempts on wireless clients to lure them into connecting to attacker's APs.

Malicious association Edit

“Malicious associations” are when wireless devices can be actively made by attackers to connect to a company network through their laptop instead of a company access point (AP). These types of laptops are known as “soft APs” and are created when a cyber criminal runs some software that makes his/her wireless network card look like a legitimate access point. Once the thief has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate at the Layer 2 level, Layer 3 protections such as network authentication and virtual private networks (VPNs) offer no barrier. Wireless 802.1X authentications do help with some protection but are still vulnerable to hacking. The idea behind this type of attack may not be to break into a VPN or other security measures. Most likely the criminal is just trying to take over the client at the Layer 2 level.

Ad hoc networks Edit

Ad hoc networks can pose a security threat. Ad hoc networks are defined as [peer to peer] networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security. [11]

The security hole provided by Ad hoc networking is not the Ad hoc network itself but the bridge it provides into other networks, usually in the corporate environment, and the unfortunate default settings in most versions of Microsoft Windows to have this feature turned on unless explicitly disabled. Thus the user may not even know they have an unsecured Ad hoc network in operation on their computer. If they are also using a wired or wireless infrastructure network at the same time, they are providing a bridge to the secured organizational network through the unsecured Ad hoc connection. Bridging is in two forms. A direct bridge, which requires the user actually configure a bridge between the two connections and is thus unlikely to be initiated unless explicitly desired, and an indirect bridge which is the shared resources on the user computer. The indirect bridge may expose private data that is shared from the user's computer to LAN connections, such as shared folders or private Network Attached Storage, making no distinction between authenticated or private connections and unauthenticated Ad-Hoc networks. This presents no threats not already familiar to open/public or unsecured wifi access points, but firewall rules may be circumvented in the case of poorly configured operating systems or local settings. [12]

Non-traditional networks Edit

Non-traditional networks such as personal network Bluetooth devices are not safe from hacking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.

Identity theft (MAC spoofing) Edit

Identity theft (or MAC spoofing) occurs when a hacker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to allow only authorized computers with specific MAC IDs to gain access and utilize the network. However, programs exist that have network “sniffing” capabilities. Combine these programs with other software that allow a computer to pretend it has any MAC address that the hacker desires, [13] and the hacker can easily get around that hurdle.

MAC filtering is effective only for small residential (SOHO) networks, since it provides protection only when the wireless device is "off the air". Any 802.11 device "on the air" freely transmits its unencrypted MAC address in its 802.11 headers, and it requires no special equipment or software to detect it. Anyone with an 802.11 receiver (laptop and wireless adapter) and a freeware wireless packet analyzer can obtain the MAC address of any transmitting 802.11 within range. In an organizational environment, where most wireless devices are "on the air" throughout the active working shift, MAC filtering provides only a false sense of security since it prevents only "casual" or unintended connections to the organizational infrastructure and does nothing to prevent a directed attack.

Man-in-the-middle attacks Edit

A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (Access Point). Once this is done, the hacker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the hacker's soft AP (disconnects the user from the modem so they have to connect again using their password which one can extract from the recording of the event). Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack which automate multiple steps of the process, meaning what once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.

Denial of service Edit

A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).

The DoS attack in itself does little to expose organizational data to a malicious attacker, since the interruption of the network prevents the flow of data and actually indirectly protects data by preventing it from being transmitted. The usual reason for performing a DoS attack is to observe the recovery of the wireless network, during which all of the initial handshake codes are re-transmitted by all devices, providing an opportunity for the malicious attacker to record these codes and use various cracking tools to analyze security weaknesses and exploit them to gain unauthorized access to the system. This works best on weakly encrypted systems such as WEP, where there are a number of tools available which can launch a dictionary style attack of "possibly accepted" security keys based on the "model" security key captured during the network recovery.

Network injection Edit

In a network injection attack, a hacker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, and HSRP. The hacker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.

Caffe Latte attack Edit

The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. [14] By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes. [15]

There are three principal ways to secure a wireless network.

  • For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
  • For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
  • Wireless networks are less secure than wired ones in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it is also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

There is no ready designed system to prevent from fraudulent usage of wireless communication or to protect data and functions with wirelessly communicating computers and other entities. However, there is a system of qualifying the taken measures as a whole according to a common understanding what shall be seen as state of the art. The system of qualifying is an international consensus as specified in ISO/IEC 15408.

A wireless intrusion prevention system Edit

A Wireless Intrusion Prevention System (WIPS) is a concept for the most robust way to counteract wireless security risks. [16] However such WIPS does not exist as a ready designed solution to implement as a software package. A WIPS is typically implemented as an overlay to an existing Wireless LAN infrastructure, although it may be deployed standalone to enforce no-wireless policies within an organization. WIPS is considered so important to wireless security that in July 2009, the Payment Card Industry Security Standards Council published wireless guidelines [17] for PCI DSS recommending the use of WIPS to automate wireless scanning and protection for large organizations.

There are a range of wireless security measures, of varying effectiveness and practicality.

SSID hiding Edit

A simple but ineffective method to attempt to secure a wireless network is to hide the SSID (Service Set Identifier). [18] This provides very little protection against anything but the most casual intrusion efforts.

MAC ID filtering Edit

One of the simplest techniques is to only allow access from known, pre-approved MAC addresses. Most wireless access points contain some type of MAC ID filtering. However, an attacker can simply sniff the MAC address of an authorized client and spoof this address.

Static IP addressing Edit

Typical wireless access points provide IP addresses to clients via DHCP. Requiring clients to set their own addresses makes it more difficult for a casual or unsophisticated intruder to log onto the network, but provides little protection against a sophisticated attacker. [18]

802.11 security Edit

IEEE 802.1X is the IEEE Standard authentication mechanisms to devices wishing to attach to a Wireless LAN.

Regular WEP Edit

The Wired Equivalent Privacy (WEP) encryption standard was the original encryption standard for wireless, but since 2004 with the ratification WPA2 the IEEE has declared it "deprecated", [19] and while often supported, it is seldom or never the default on modern equipment.

Concerns were raised about its security as early as 2001, [20] dramatically demonstrated in 2005 by the FBI, [21] yet in 2007 T.J. Maxx admitted a massive security breach due in part to a reliance on WEP [22] and the Payment Card Industry took until 2008 to prohibit its use – and even then allowed existing use to continue until June 2010. [23]

WPAv1 Edit

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address the problems with WEP. If a weak password, such as a dictionary word or short character string is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.

Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN-equipment that worked with WEP are able to be simply upgraded and no new equipment needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed by the IEEE 802.11 to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm that is the preferred algorithm in 802.11i and WPA2.

WPA Enterprise provides RADIUS based authentication using 802.1X. WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated. Wireless suites such as aircrack-ng can crack a weak passphrase in less than a minute. Other WEP/WPA crackers are AirSnort and Auditor Security Collection. [24] Still, WPA Personal is secure when used with ‘good’ passphrases or a full 64-character hexadecimal key.

There was information, however, that Erik Tews (the man who created the fragmentation attack against WEP) was going to reveal a way of breaking the WPA TKIP implementation at Tokyo's PacSec security conference in November 2008, cracking the encryption on a packet in between 12–15 minutes. [25] Still, the announcement of this 'crack' was somewhat overblown by the media, because as of August, 2009, the best attack on WPA (the Beck-Tews attack) is only partially successful in that it only works on short data packets, it cannot decipher the WPA key, and it requires very specific WPA implementations in order to work. [26]

Additions to WPAv1 Edit

In addition to WPAv1, TKIP, WIDS and EAP may be added alongside. Also, VPN-networks (non-continuous secure network connections) may be set up under the 802.11-standard. VPN implementations include PPTP, L2TP, IPsec and SSH. However, this extra layer of security may also be cracked with tools such as Anger, Deceit and Ettercap for PPTP [27] and ike-scan, IKEProbe, ipsectrace, and IKEcrack for IPsec-connections.

TKIP Edit

This stands for Temporal Key Integrity Protocol and the acronym is pronounced as tee-kip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.

EAP Edit

The WPA-improvement over the IEEE 802.1X standard already improved the authentication and authorization for access of wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have initiated an even greater amount of security. This, as EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings [ citation needed ] . Over the next few years these shortcomings were addressed with the use of TLS and other enhancements. [28] This new version of EAP is now called Extended EAP and is available in several versions these include: EAP-MD5, PEAPv0, PEAPv1, EAP-MSCHAPv2, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, MSCHAPv2, and EAP-SIM.

EAP-versions Edit

EAP-versions include LEAP, PEAP and other EAP's.

This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP-version is safer than EAP-MD5. This also uses MAC address authentication. LEAP is not secure THC-LeapCracker can be used to break Cisco’s version of LEAP and be used against computers connected to an access point in the form of a dictionary attack. Anwrap and asleap finally are other crackers capable of breaking LEAP. [24]

This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and RSA Security.

Other EAPs There are other types of Extensible Authentication Protocol implementations that are based on the EAP framework. The framework that was established supports existing EAP types as well as future authentication methods. [29] EAP-TLS offers very good protection because of its mutual authentication. Both the client and the network are authenticated using certificates and per-session WEP keys. [30] EAP-FAST also offers good protection. EAP-TTLS is another alternative made by Certicom and Funk Software. It is more convenient as one does not need to distribute certificates to users, yet offers slightly less protection than EAP-TLS. [31]

Restricted access networks Edit

Solutions include a newer system for authentication, IEEE 802.1X, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

End-to-end encryption Edit

One can argue that both layer 2 and layer 3 encryption methods are not good enough for protecting valuable data like passwords and personal emails. Those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the application layer, using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage with the end-to-end method is, it may fail to cover all traffic. With encryption on the router level or VPN, a single switch encrypts all traffic, even UDP and DNS lookups. With end-to-end encryption on the other hand, each service to be secured must have its encryption "turned on", and often every connection must also be "turned on" separately. For sending emails, every recipient must support the encryption method, and must exchange keys correctly. For Web, not all web sites offer https, and even if they do, the browser sends out IP addresses in clear text.

The most prized resource is often access to the Internet. An office LAN owner seeking to restrict such access will face the nontrivial enforcement task of having each user authenticate themselves for the router.

802.11i security Edit

The newest and most rigorous security to implement into WLAN's today is the 802.11i RSN-standard. This full-fledged 802.11i standard (which uses WPAv2) however does require the newest hardware (unlike WPAv1), thus potentially requiring the purchase of new equipment. This new hardware required may be either AES-WRAP (an early version of 802.11i) or the newer and better AES-CCMP-equipment. One should make sure one needs WRAP or CCMP-equipment, as the 2 hardware standards are not compatible.

WPAv2 Edit

WPA2 is a WiFi Alliance branded version of the final 802.11i standard. [32] The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK).

The number of WPA and WPA2 networks are increasing, while the number of WEP networks are decreasing, [33] because of the security vulnerabilities in WEP.

WPA2 has been found to have at least one security vulnerability, nicknamed Hole196. The vulnerability uses the WPA2 Group Temporal Key (GTK), which is a shared key among all users of the same BSSID, to launch attacks on other users of the same BSSID. It is named after page 196 of the IEEE 802.11i specification, where the vulnerability is discussed. In order for this exploit to be performed, the GTK must be known by the attacker. [34]

Additions to WPAv2 Edit

Unlike 802.1X, 802.11i already has most other additional security-services such as TKIP. Just as with WPAv1, WPAv2 may work in cooperation with EAP and a WIDS.

WAPI Edit

This stands for WLAN Authentication and Privacy Infrastructure. This is a wireless security standard defined by the Chinese government.

Smart cards, USB tokens, and software tokens Edit

Security token use is a method of authentication relying upon only authorized users possessing the requisite token. Smart cards are physical tokens in the cards that utilize an embedded integrated circuit chip for authentication, requiring a card reader. [35] USB Tokens are physical tokens that connect via USB port to authenticate the user. [36]

RF shielding Edit

It's practical in some cases to apply specialized wall paint and window film to a room or building to significantly attenuate wireless signals, which keeps the signals from propagating outside a facility. This can significantly improve wireless security because it's difficult for hackers to receive the signals beyond the controlled area of a facility, such as from a parking lot. [37]

Denial of service defense Edit

Most DoS attacks are easy to detect. However, a lot of them are difficult to stop even after detection. Here are three of the most common ways to stop a DoS attack.

Black holing Edit

Black holing is one possible way of stopping a DoS attack. This is a situation where we drop all IP packets from an attacker. This is not a very good long-term strategy because attackers can change their source address very quickly.

This may have negative effects if done automatically. An attacker could knowingly spoof attack packets with the IP address of a corporate partner. Automated defenses could block legitimate traffic from that partner and cause additional problems.

Validating the handshake Edit

Validating the handshake involves creating false opens, and not setting aside resources until the sender acknowledges. Some firewalls address SYN floods by pre-validating the TCP handshake. This is done by creating false opens. Whenever a SYN segment arrives, the firewall sends back a SYN/ACK segment, without passing the SYN segment on to the target server.

Only when the firewall gets back an ACK, which would happen only in a legitimate connection, would the firewall send the original SYN segment on to the server for which it was originally intended. The firewall doesn't set aside resources for a connection when a SYN segment arrives, so handling a large number of false SYN segments is only a small burden.

Rate limiting Edit

Rate limiting can be used to reduce a certain type of traffic down to an amount the can be reasonably dealt with. Broadcasting to the internal network could still be used, but only at a limited rate for example. This is for more subtle DoS attacks. This is good if an attack is aimed at a single server because it keeps transmission lines at least partially open for other communication.

Rate limiting frustrates both the attacker, and the legitimate users. This helps but does not fully solve the problem. Once DoS traffic clogs the access line going to the internet, there is nothing a border firewall can do to help the situation. Most DoS attacks are problems of the community which can only be stopped with the help of ISP's and organizations whose computers are taken over as bots and used to attack other firms.

With increasing number of mobile devices with 802.1X interfaces, security of such mobile devices becomes a concern. While open standards such as Kismet are targeted towards securing laptops, [38] access points solutions should extend towards covering mobile devices also. Host based solutions for mobile handsets and PDA's with 802.1X interface.

Security within mobile devices fall under three categories:

  1. Protecting against ad hoc networks
  2. Connecting to rogue access points
  3. Mutual authentication schemes such as WPA2 as described above

Wireless IPS solutions now offer wireless security for mobile devices. [39]

Mobile patient monitoring devices are becoming an integral part of healthcare industry and these devices will eventually become the method of choice for accessing and implementing health checks for patients located in remote areas. For these types of patient monitoring systems, security and reliability are critical, because they can influence the condition of patients, and could leave medical professionals in the dark about the condition of the patient if compromised. [40]

In order to implement 802.11i, one must first make sure both that the router/access point(s), as well as all client devices are indeed equipped to support the network encryption. If this is done, a server such as RADIUS, ADS, NDS, or LDAP needs to be integrated. This server can be a computer on the local network, an access point / router with integrated authentication server, or a remote server. AP's/routers with integrated authentication servers are often very expensive and specifically an option for commercial usage like hot spots. Hosted 802.1X servers via the Internet require a monthly fee running a private server is free yet has the disadvantage that one must set it up and that the server needs to be on continuously. [41]

To set up a server, server and client software must be installed. Server software required is an enterprise authentication server such as RADIUS, ADS, NDS, or LDAP. The required software can be picked from various suppliers as Microsoft, Cisco, Funk Software, Meetinghouse Data, and from some open-source projects. Software includes:

  • Aradial RADIUS Server
  • Cisco Secure Access Control Software (open-source)
  • Funk Software Steel Belted RADIUS (Odyssey)
  • Microsoft Internet Authentication Service
  • Meetinghouse Data EAGIS
  • SkyFriendz (free cloud solution based on freeRADIUS)

Client software comes built-in with Windows XP and may be integrated into other OS's using any of following software:

  • AEGIS-client
  • Cisco ACU-client
  • Intel PROSet/Wireless Software
  • Odyssey client (open1X)-project

RADIUS Edit

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol used for remote network access. RADIUS, developed in 1991, was originally proprietary but then published in 1997 under ISOC documents RFC 2138 and RFC 2139. [42] [43] The idea is to have an inside server act as a gatekeeper by verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as record accounting information such as connection time for purposes such as billing.

Today, there is almost full wireless network coverage in many urban areas – the infrastructure for the wireless community network (which some consider to be the future of the internet [ who? ] ) is already in place. One could roam around and always be connected to Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people [ who? ] consider it proper etiquette to leave access points open to the public, allowing free access to Internet. Others [ who? ] think the default encryption provides substantial protection at small inconvenience, against dangers of open access that they fear may be substantial even on a home DSL router.

The density of access points can even be a problem – there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

  • The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
  • The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser and all the way to the bank – thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument is that anyone can sniff the traffic applies to wired networks too, where system administrators and possible hackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
  • If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
  • With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
  • It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic – thus extra traffic will not be detrimental.
  • Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.

On the other hand, in some countries including Germany, [44] persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point. Also, many contracts with ISPs specify that the connection may not be shared with other persons.


2 Answers 2

CIFS is a file sharing protocol. NFS is a volume sharing protocol. The difference between the two might not initially be obvious.

NFS is essentially a tiny step up from directly sharing /dev/sda1. The client actually receives a naked view of the shared subset of the filesystem, including (at least as of NFSv4) a description of which users can access which files. It is up to the client to actually manage the permissions of which user is allowed to access which files.

CIFS, on the other hand, manages users on the server side, and may provide a per-user view and access of files. In that respect, it is similar to FTP or WebDAV, but with the ability to read/write arbitrary subsets of a file, as well as a couple of other features related to locking.

This may sound like NFS is distinctively inferior to CIFS, but they are actually meant for a different purpose. NFS is most useful for external hard drives connected via Ethernet, and virtual cloud storage. In such cases, it is the intention to share the drive itself with a machine, but simply do it over Ethernet instead of SATA. For that use case, NFS offers greater simplicity and speed. A NAS, as you're using, is actually a perfect example of this. It isn't meant to manage access, it's meant to not be exposed to systems that shouldn't access it, in the first place.

If you absolutely MUST use NFS, there are a couple of ways to secure it. NFSv4 has an optional security model based on Kerberos. Good luck using that. A better option is to not allow direct connection to the NFS service from the host, and instead require going through some secure tunnel, like SSH port forwarding. Then the security comes down to establishing the tunnel. However, either one of those requires cooperation from the host, which would probably not be possible in the case of your NAS.

Mind you, if you're already using CIFS and it's working well, and it's giving you good access control, there's no good reason to switch (although, you'd have to turn the NFS off for security). However, if you have a docker-styled host, it might be worthwhile to play with iptables (or the firewall of your choice) on the docker-host, to prevent the other containers from having access to the NAS in the first place. Rather than delegating security to the NAS, it should be done at the docker-host level.


Update Protect’s Wi-Fi information

Tip: You should update Wi-Fi information for any Nest cameras before you update your Nest Protects. Your Nest Protects should talk to each other during setup and share Wi-Fi information. If your Protect doesn’t ask you for new Wi-Fi information, one of your other Nest products may be sharing Wi-Fi information with it.

2nd gen Nest Protect

On the Nest app home screen, tap Settings .

Under “Device options,” tap Wi-Fi connection.

Tap Next. Nest will attempt to connect to your Protect, and it will start looking for nearby Wi-Fi networks.

Select your Wi-Fi network and enter the password. Your Protect should automatically reconnect.

1st gen Nest Protect

Once it’s removed, set up Protect in the Nest app again. The app should walk you through connecting Protect to Wi-Fi.

Tip: For 1st gen Nest Protects, write down the entry key for each of your Protects and put it in a safe space. That way if you ever need to update its Wi-Fi information again, you won’t have to remove your Protect from the wall or ceiling to re-add it to the app.


What security threats are associated with network infrastructure devices?

Network infrastructure devices are often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:

  • Few network devices—especially small office/home office and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.
  • Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
  • Owners and operators of network devices often do not change vendor default settings, harden them for operations, or perform regular patching.
  • Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.
  • Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.

Guidelines for Securing Wireless Local Area Networks (WLANs)

A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (AP), and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations.

A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (AP), and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations.

Keywords

Control Families

Access Control Configuration Management Planning Risk Assessment System and Communications Protection

Documentation

Document History:
02/21/12: SP 800-153 (Final)


How to Secure wireless networks

  • Changing default passwords that come with the hardware
  • Enabling the authentication mechanism
  • Access to the network can be restricted by allowing only registered MAC addresses.
  • Use of strong WEP and WPA-PSK keys, a combination of symbols, number and characters reduce the chance of the keys been cracking using dictionary and brute force attacks.
  • Firewall Software can also help reduce unauthorized access.

5. PLAN AHEAD. Create a plan for responding to security incidents.

Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen. Here’s how you can reduce the impact on your business, your employees, and your customers:

  • Have a plan in place to respond to security incidents. Designate a senior member of your staff to coordinate and implement the response plan.
  • If a computer is compromised, disconnect it immediately from your network.
  • Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
  • Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.

SECURITY CHECK

Question:
I own a small business. Aren’t these precautions going to cost me a mint to implement?

Answer:
No. There’s no one-size-fits-all approach to data security, and what’s right for you depends on the nature of your business and the kind of information you collect from your customers. Some of the most effective security measures—using strong passwords, locking up sensitive paperwork, training your staff, etc.—will cost you next to nothing and you’ll find free or low-cost security tools at non-profit websites dedicated to data security. Furthermore, it’s cheaper in the long run to invest in better data security than to lose the goodwill of your customers, defend yourself in legal actions, and face other possible consequences of a data breach.