WiMax Operator's Manual

More documents

Recommendations

Info

CHAPTER 9 ■ NETWORK SECURITY 191 has had extremely unfortunate consequences. In the 1970s and 1980s, hackers tended to be young computer professionals, and because the knowledge base required at the time was so extensive, not too many of them existed. Today any computer-savvy adolescents with a yen to hack can easily equip themselves with the weapons to do so without understanding the mechanisms by which they operate. We are also seeing an increase in the activity of cyber- criminal gangs who commit computer crimes for profit. Many of these organizations operate in Eastern Europe. Fortunately, security software has kept pace with the democratization of hacking, and the security professional now has a large arsenal available. And while the number of products on the market is considerable, the basic approaches they embody are not numerous, and the network operator should be able to easily comprehend them. Cybersecurity Technology Previous chapters have already covered firewalls. Firewalls are the first line of defense for the security administrator, but they should not be considered complete security solutions in and of themselves. Closely related to firewalls and sometimes included in the category are proxy servers, which are devices where information requested from a database is actually launched onto the network or where applications are executed on client software remote from the main server. Proxy servers protect vital information and programs from direct access by outside parties, and they limit damage to nonvital facilities in the face of a network attack. In other words, they serve as buffers. Diagnostic software detects the presence of malicious code and unusual activity within the network. Antivirus scans form a subcategory within this grouping, though they are not the only such products to which such nomenclature applies. Diagnostic software may be roughly divided into two primary divisions: software used in security audits to determine the overall vulnerability of the network and software used routinely to detect anomalies. In both cases, the developer must continually update the software for it to remain effective. Some such software has the ability not only to determine the nature of an attack or intrusion but to find its point of origin—in other words, to follow the hacker back to a home base even across multiple networks. Such software must also be updated more or less continuously, since skilled hackers are always finding new ways to disguise their activities and identities. Security professionals often use encryption software to render vital data unreadable to hackers. Modern encryption methods are highly effective, and encoded material can only be decrypted by intruders who have access to massively parallel computing systems running for weeks at a time. Encryption techniques today use rounds, which are successive reencryptions that can number in the millions and make the encrypted data seem more and more random and meaningless. Essentially, there is no way to decrypt such messages by clever insights. Instead the intruder has to try out all possible codes one by one with a specialized decryption program. With enough computing speed, almost any machine code can be cracked, but such speed is not available to a lone hacker with a Pentium processor. Business records, customer profiles, and billing information should be routinely encrypted and should never be presented where they can be intercepted in decrypted form. Encryption is also advisable in VPNs. To sound a cautionary note, if grid computing services (see Chapter 3) become generally available in the future, then hackers will have a formidable weapon for decrypting formerly secure information, and at that point the encryption industry will have to come up with new
192 CHAPTER 9 ■ NETWORK SECURITY approaches. But currently, encryption remains a powerful preventive tool for the security administrator. Finally, within the arsenal of defensive procedures, some software engines are designed not only to detect malicious code but also to prevent its effects by restoring network data to its state just prior to the detection of suspicious activity. Such software is a fairly new development, and it may not be entirely effective against all conceivable attacks. Authentication is sometimes considered a part of security and sometimes just a part of routine network operations. In a wireless network authentication, the process by which network users demonstrate that they are who they purport to be is especially important because the physical layer of the network is essentially open. Authentication today is normally performed in specialized servers, most of which now run Radius software. Safeguarding Network Elements from Hijacking and Malicious Code: Best Practices Securing network elements is, of course, vital to the integrity of the operation. While direct attacks on equipment operating systems intended to disable networks for lengthy intervals are not at all commonplace, intrusions into management systems have occurred in the past and undoubtedly will occur in the future. Obviously, they should be prevented at all costs. Unfortunately, many of today’s network elements are more vulnerable than the telco “big iron” of the past. Telephone circuit switches and asynchronous transfer mode (ATM) switches generally utilized some variant of Unix as an operating system and involved extremely arcane code that few hackers ever mastered. Indeed, most of the people who successfully hacked into telephone central offices were experienced individuals working in telecommunications. In contrast, many network devices manufactured today use open or commonly understood platforms such as Linux, Windows NT, or Java. They may incorporate some type of software firewall to thwart intruders, but they are not inherently difficult to understand or manipulate. And because wireless transmissions can be physically intercepted with great ease, there is little physical layer security possible in the network, and the network operator must remain largely dependent on specialized security software. The danger is compounded because most equipment today is designed to permit remote management by an authorized network administrator from a supposedly secure Web site. Obviously, that greatly eases the job of network administrators, enabling them to respond to problems in the network anywhere and at any time without having to visit the central office. However, if the administrator can access the OSS suite, then so can a hacker—if that individual can get past whatever security measures are in place. Accordingly, the network operator must make certain that there are no “trap doors” permitting entry into the management system that bypass authentication measures. Denial-of-Service Attacks: A Special Case Denial-of-service (DoS), or flooding attacks, have been used for many years by hackers. They are launched by capturing a large number of terminals and using them to transmit meaningless messages that flood the public network affected beyond its carrying capacity. DoS attacks are different from viruses and worms. They do not introduce malicious code into network elements or management software, and they are transitory in their effects. And yet they can shut down a network effectively for hours. Recently several vendors have
Page 2 and 3:
WiMax Operator’s Manual Building
Page 4:
This book is dedicated to my wife.
Page 8 and 9:
Contents About the Author . . . . .
Page 10 and 11:
■CONTENTS ix Performing Site Surv
Page 12:
■CONTENTS xi Cyberwarfare . . . .
Page 16:
About the Technical Reviewer ■ROB
Page 20 and 21:
Introduction Broadband wireless has
Page 22 and 23:
CHAPTER 1 ■ ■ ■ Wireless Broa
Page 24 and 25:
CHAPTER 1 ■ WIRELESS BROADBAND AN
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32:
Page 35 and 36:
14 CHAPTER 2 ■ ARCHITECTING THE N
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
34 CHAPTER 3 ■ STRATEGIC PLANNING
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
64 CHAPTER 4 ■ SETTING UP PHYSICA
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
100 CHAPTER 4 ■ SETTING UP PHYSIC
Page 123 and 124:
102 CHAPTER 5 ■ STRATEGIES FOR SU
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 152 and 153:
CHAPTER 6 ■ ■ ■ Beyond Access
Page 154 and 155:
CHAPTER 6 ■ BEYOND ACCESS 133 Rou
Page 156 and 157:
CHAPTER 6 ■ BEYOND ACCESS 135 (Qo
Page 158 and 159:
CHAPTER 6 ■ BEYOND ACCESS 137 The
Page 160 and 161:
CHAPTER 6 ■ BEYOND ACCESS 139 ins
Page 162 and 163: Figure 6-4. Wireless public network
Page 164 and 165: CHAPTER 6 ■ BEYOND ACCESS 143 sto
Page 166 and 167: Specialized Content Distribution Pl
Page 168 and 169: Beyond the Central Office CHAPTER 6
Page 170 and 171: CHAPTER 6 ■ BEYOND ACCESS 149 out
Page 172 and 173: CHAPTER 6 ■ BEYOND ACCESS 151 som
Page 174 and 175: CHAPTER 7 ■ ■ ■ Service Deplo
Page 176 and 177: CHAPTER 7 ■ SERVICE DEPLOYMENTS O
Page 196: CHAPTER 7 ■ SERVICE DEPLOYMENTS O
Page 199 and 200: 178 CHAPTER 8 ■ NETWORK MANAGEMEN
Page 208 and 209: CHAPTER 9 ■ ■ ■ Network Secur
Page 210 and 211: CHAPTER 9 ■ NETWORK SECURITY 189
Page 214 and 215: CHAPTER 9 ■ NETWORK SECURITY 193
Page 216 and 217: Index ■Numbers 2.4GHz to 928MHz b
Page 218 and 219: asic access and best-effort deliver
Page 220 and 221: ■D dark fiber, features of, 75-76
Page 222 and 223: harmonics, impact on AC power, 188
Page 224 and 225: challenges to, 85-86 and NLOS, 121
Page 226 and 227: PONs (passive optical networks), fe
Page 228 and 229: signal diversity, providing with ad
Page 230 and 231: ■V VDSL and entertainment service
Page 233: forums.apress.com FOR PROFESSIONALS
show all

WiMax Operator's Manual

Create successful ePaper yourself

Delete template?

Save as template?