Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...
68 CHAPTER 4 Wireless Networking

■ Denial of service (DoS) and flooding attacks: A DoS occurs when an
attacker has engaged most of the resources a host or network has available,
rendering it unavailable to legitimate users.

PROTECTION AGAINST SPOOFING AND NETWORK HIJACKING

Protecting against these attacks involves adding several components to
the wireless network. The following are examples of measures that can be taken:

■ Using an external authentication source, such as RADIUS or SecurID, will
prevent an unauthorized user from accessing the wireless network and the
resources with which it connects.
■ Requiring wireless users to use a VPN to access the wired network also
provides a significant stumbling block to an attacker.
■ Allowing only SSH access or SSL-encrypted traffic into the network.
■ Many of WEP’s weaknesses can be mitigated by isolating the wireless network
through a firewall and requiring that wireless clients use a VPN to
access the wired network.

Several tools can be used to protect a network from IP
spoofing with invalid Address Resolution Protocol (ARP) requests. These tools,
such as ArpWatch, notify an administrator when ARP requests are detected,
allowing the administrator to take the appropriate action to determine whether
someone is attempting to hack into the network.

Another option is to statically define the MAC/IP address pairs. This prevents
attackers from spoofing an IP address unless they also have the matching
defined information. The best protection available is to change the secret key on
a regular basis and add authentication mechanisms such as RADIUS
or dynamic firewalls to restrict access to the wired network. However, unless every
wireless workstation is secure, an attacker only needs to go after one of the other
wireless clients to be able to access the resources available to it.
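
The static MAC/IP table and the ArpWatch-style notification described above can be combined in one check. The following is an added example, not code from the study guide or from ArpWatch: it compares two constructed `ip neigh show` snapshots against a constructed static table and reports bindings that changed. All addresses, the interface name and the alert labels are assumptions made for illustration.

```python
import re

# Constructed static IP-to-MAC table (assumed administrator-approved pairs).
STATIC_BINDINGS = {
    "192.168.10.1": "00:11:22:33:44:01",
    "192.168.10.20": "00:11:22:33:44:20",
}
# Constructed neighbor-table snapshots in the format printed by `ip neigh show`.
SNAPSHOT_1 = """\
192.168.10.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.10.20 dev wlan0 lladdr 00:11:22:33:44:20 STALE
192.168.10.31 dev wlan0 lladdr 00:11:22:33:44:31 REACHABLE
"""
SNAPSHOT_2 = """\
192.168.10.1 dev wlan0 lladdr 66:55:44:33:22:11 REACHABLE
192.168.10.20 dev wlan0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.10.31 dev wlan0 lladdr 66:55:44:33:22:11 REACHABLE
192.168.10.40 dev wlan0  FAILED
"""
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def audit(previous, current, static=STATIC_BINDINGS):
    """Compare two snapshots and the static table; return sorted alert tuples."""
    alerts = []
    for ip, mac in current.items():
        if ip in static and static[ip].lower() != mac:
            alerts.append(("static-mismatch", ip, mac))   # violates the defined pair
        elif ip in previous and previous[ip] != mac:
            alerts.append(("mac-changed", ip, mac))       # binding moved between polls
        elif ip not in previous and ip not in static:
            alerts.append(("new-station", ip, mac))       # never seen, not approved
    # One MAC claiming several IPs can indicate ARP spoofing (or a multi-homed host).
    for mac in set(current.values()):
        ips = sorted(ip for ip, m in current.items() if m == mac)
        if len(ips) > 1:
            alerts.append(("shared-mac", ",".join(ips), mac))
    return sorted(alerts)

if __name__ == "__main__":
    print(audit(parse_neigh(SNAPSHOT_1), parse_neigh(SNAPSHOT_2)))
```

Entries without a link-layer address, such as the `FAILED` line, are skipped, so an unanswered probe does not raise an alert.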

PROTECTION AGAINST MITM THROUGH ROGUE APS

Regular wireless site surveys can be used to see if someone has violated your company
security policy by placing an unauthorized AP on the network, regardless
of their intent. Frequent site surveys also have the advantage of uncovering the
unauthorized APs that company staff members may have set up in their own
work areas, thereby compromising the entire network and completely undoing
the hard work that went into securing the network in the first place. This is usually
done with no malicious intent, but for the convenience of the user, who may
want to be able to connect to the network through his or her laptop in meeting
rooms or break rooms or other areas that don’t have wired outlets.

PROTECTING AGAINST DOS AND FLOODING ATTACKS

There is little that can be done to protect against DoS attacks. In a wireless environment,
an attacker does not even have to be in the same building or neighborhood.