CHAPTER 16
Understanding Network Transmission Media Security

Digital data travels from one network device to another across the network communication media. Three general types of transmission media are used to transmit data between networked devices: copper wire, light waves, and wireless radio frequency (RF) signals. In this chapter, you’ll learn to:

  • Understand twisted-pair cabling and coaxial cabling
  • Understand fiber-optic cabling
  • Understand Bluetooth and WiMAX
  • Understand transmission media vulnerabilities
  • Understand wireless network vulnerabilities

The Basics of Network Transmission Media

Digital data travels using three types of transmission media:

  • Copper wire (twisted copper cabling or coaxial cabling)
  • Light waves (fiber-optic cabling or infrared light)
  • Wireless radio frequency (RF) signals (Wi-Fi, WiMAX, Bluetooth, ZigBee, or Z-Wave)

Each media type offers advantages that make them useful for networking in certain conditions. The main media-related considerations include their cost to implement, maximum data transmission rates, and noise immunity characteristics. Likewise, each media type has some limitations on its ability to transfer information.

This factor is also wrapped up in two considerations: its bandwidth and its attenuation. Bandwidth is the media’s capacity to carry data. Attenuation is a measure of how much signal loss occurs as the information moves across the medium. As you will see in the following sections, some media types can literally carry a signal for miles and still deliver it as recognizable information, while another type loses strength across the house. All individual media types have benefits and disadvantages over others.

The final media-related consideration is its noise immunity capabilities. Stray electrical energy (referred to as noise) moves through the atmosphere as a natural course. Electrical machines and devices can also generate electronic noise. These stray signals can interfere with organized data signals and make them unrecognizable. Therefore, cabling used to transmit data is expected to have some resistance to these stray signals.

Copper Wire

Under the heading of copper cabling, there are basically two categories to consider: twisted-pair cabling and coaxial cabling.

Twisted-Pair Cabling

Twisted-pair cabling consists of two or more pairs of wires twisted together to provide noise reduction. The twist in the wires causes induced noise signals to cancel each other out. In this type of cabling, the number of twists in each foot of wire indicates its relative noise immunity level.

When discussing twisted-pair cabling with data networks, there are two basic types to consider: unshielded twisted pair (UTP) and shielded twisted pair (STP). UTP networking cable contains four pairs of individually insulated wires, as illustrated in Figure 16.1.


FIGURE 16.1 UTP and STP Cabling

STP cable is similar with the exception that it contains an additional foil shield that surrounds the four-pair wire bundle. The shield provides extended protection from induced electrical noise and cross talk by supplying a grounded path to carry the induced electrical signals away from the conductors in the cable.

Coaxial Cabling

Coaxial cable (often referred to simply as “coax”) is familiar to most people as the conductor that carries cable TV into their homes. Coaxial cable is constructed with an insulated solid or stranded wire core surrounded by a dielectric insulating layer and a solid or braided metallic shield. Both the wire and shield are wrapped in an outer protective insulating jacket, as illustrated in Figure 16.2.


FIGURE 16.2 Coaxial Cable

In the past, coaxial cable was widely used for Ethernet LAN media. However, because the thickness and rigidity of coaxial cable make it difficult and time-consuming to install, the networking industry and network standards development groups have abandoned coaxial cable in favor of unshielded twisted-pair cabling.

Coax cable continues to be used for some applications, such as Internet service delivered to residential settings through the commercial cable television (CATV) system. In addition, several varieties of coaxial cable are available for transporting video and high-data-rate digital information. This comes into play with computers, audio/video equipment, and intelligent home products with residential networks.

Light Waves

Fiber-optic cable is plastic or glass cable designed to carry digital data in the form of light pulses. The signals are introduced into the cable by a laser diode and bounce along its interior until they reach the end of the cable, as illustrated in Figure 16.3. At the end, a light-detecting circuit receives the light signals and converts the information back into an electrical signal. This type of cabling provides tremendous capacity, offering potential signaling rates in excess of 200,000 Mbps. However, current access protocols still limit fiber-optic LAN speeds to 100 Mbps.


FIGURE 16.3 Transmitting Over Fiber-Optic Cable

Light moving through a fiber-optic cable does not attenuate (lose energy) as quickly as electrical signals moving along a copper conductor. Therefore, segment lengths between transmitters and receivers can be much longer when using fiber-optic cabling. In some fiber-optic applications, the maximum cable length can range up to 2 kilometers.

Because it cannot be tapped without physically breaking the conductor, fiber-optic cable also provides a much more secure data transmission medium than copper cable. Basically, light introduced into the cable at one end does not leave the cable except through the other end. In addition, fiber-optic cable electrically isolates the transmitter and receiver so that no signal level matching normally needs to be performed between the two ends.

Wireless Signals

Wireless networks connect computer nodes using high-frequency radio waves. The IEEE organization oversees a group of wireless networking specifications under the IEEE-802.xx banner. The IEEE 802.11x (also known as Wireless Fidelity or Wi-Fi) wireless standards have gained wide acceptance as the preferred wireless networking technology for both business and residential network applications.

Bluetooth (IEEE 802.15.1) is a wireless networking specification for personal area networks (PANs) that has gained widespread acceptance in some areas, such as meshing together personal devices including PDAs, cell phones, and digital cameras, as well as PCs, notebooks, and printers, as shown in Figure 16.4. This bringing together of different types of digital devices in a common forum is referred to as convergence.


FIGURE 16.4 Bluetooth PAN

Bluetooth devices use low-power-consumption, short-range radio frequency signals to provide a low-cost, secure communication link. The specification provides for three power classes. Thus, Bluetooth devices will be categorized as Bluetooth class 1, class 2, or class 3. A power class denotes the power level and range of that device. Power classes 1, 2, and 3 can project a power/range of 100 mW/100 meters, 2.5 mW/10 meters, and 1 mW/1 meter, respectively, as shown in Table 16.1.

TABLE 16.1 Bluetooth Parameters

Class     Maximum Power      Operating Range
Class 1   100 mW (20 dBm)    100 meters
Class 2   2.5 mW (4 dBm)     10 meters
Class 3   1 mW (0 dBm)       1 meter

The Bluetooth specification implements Adaptive Frequency Hopping Spread Spectrum (AFHSS) in the license-free 2.4 GHz range to provide security and avoid crowded frequency ranges. The Bluetooth protocol divides the 2.4 GHz frequency range into 79 different 1 MHz communication channels. The frequency-hopping mechanism changes channels up to 1,600 times per second. Lastly, the frequency hops channels in one of six predefined patterns. All this frequency hopping is done to lower the effects of other electronic interference.

The data transfer rate for Bluetooth version 1.1 and 1.2 devices is 723.1 Kbps; Bluetooth 2.0 devices boost this to 2.1 Mbps.

Bluetooth devices can be connected to only one device at a time; connecting to them will prevent them from connecting to other devices and showing up in inquiries until they disconnect from the other device. However, the standard also provides for constructing multipoint wireless networks using Bluetooth technologies.

Under the Bluetooth specification, up to eight devices can be grouped together to form a piconet. Any device can become the master device and assume control of the network by issuing a request broadcast. The other seven devices become slave devices until the master device releases its position.

The master device uses time division multiplexing to rapidly switch from one slave device to another around the network. In this manner, the Bluetooth network operates like a wireless USB network. Any device in the network can assume the master device role when it is available.

In the computer networking environment, the Bluetooth specification enables several Bluetooth peripheral devices to simultaneously communicate with a host device. In particular, Bluetooth is used with local host computers communicating with wireless input and output devices such as mice, keyboards, and printers.

Like Bluetooth, the ZigBee (IEEE 802.15.4) standard is a wireless, mesh-networked PAN protocol that provides for a 10-meter communication range with data transfer rates at 250 Kbps, as shown in Figure 16.5. The ZigBee standard has been embraced by the smart home automation and industrial controls communities, as well as several areas of the smart grid consortium. It is also being considered for use with personal biomedical sensors to provide secure, remote medical-data acquisition.


FIGURE 16.5 ZigBee PAN

The IEEE 802.16 (WiMAX) specification was established to provide guidelines for wider area wireless networking capabilities. WiMAX is a broadband wireless access standard designed to provide Internet access across large geographic areas such as cities, counties, and in some cases countries, as shown in Figure 16.6. It is also designed to provide interoperability with the 802.11 Wi-Fi standard.


FIGURE 16.6 WiMAX

Transmission Media Vulnerabilities

As with other components of the network, transmission media security must be considered at two levels: physical security and logical security. Physical security involves securing the physical medium, along with the communication equipment and physical ports that interconnect the networked equipment. If attackers can gain uninterrupted access to the transmission media, they can find a way to exploit it.

Securing physical media becomes challenging when it leaves the controllable area of a private facility. Within the facility, optical and metal communication media are relatively safe as a physical tapping of the media is required to extract information from it. The same cannot be said for wireless communications because they can be extracted from the air through a simple antenna.

However, when physical media leaves the confines of the private facility, the information they carry becomes vulnerable to interception and capture along their route or at the receiving port of the message.

Securing Wireless Networks

While wireless networks are very popular due to their ease of installation, there are a number of security issues concerning using them to communicate personal or otherwise sensitive information. Transmissions from wireless network devices cannot simply be confined to the local environment of a residence or business.

Although the range of most wireless network devices is typically limited to a few hundred feet, RF signals can easily be intercepted even outside the vicinity of the stated security perimeter. Any unauthorized mobile terminal can accomplish this using an 802.11 receiver. If the intercepted transmissions are unencrypted, they are then easily read.

In order to minimize the risk of security compromise on a wireless LAN, the IEEE-802.11 wireless standard provides for several encryption options. An early security feature called Wired Equivalent Privacy (WEP) provides a 128-bit mathematical key encryption scheme for encrypting data transmissions and authenticating each computer on the network. Enabling the WEP function adds some security for data being transmitted. However, at this time, WEP no longer provides the assurance it had years ago.

You will also need to enter the WEP key value (password), either in the form of hexadecimal number string or as an ASCII character string. Working with the ASCII option is easier for most people. Record this string for use with the network’s client computers. Each client computer will need to have the key installed the next time they attempt to connect to the network. When requested by the system, enter and confirm the WEP key.

While WEP was secure enough years ago, a patient or determined attacker today can easily crack it. This vulnerability led the wireless industry to create a stronger Wi-Fi Protected Access (WPA) standard and then create an improved WPA2.

The weakness with WEP is that it encrypts every packet using the same static key. Therefore, a patient hacker only needs to collect enough packets and use brute force to discover the static key. With a reasonable amount of computing power, this is done in minutes or at most a few days. To counter this vulnerability, WPA uses the Temporal Key Integrity Protocol (TKIP) together with IEEE 802.1X Extensible Authentication Protocol (EAP) user authentication to provide increased security. This combination requires users to employ usernames and passwords to access the network. After the user logs in, the access point generates a temporary key that is used to encrypt data transfers between the AP and the client computer. WEP, WPA, and WPA2 are included on most APs and are relatively simple to configure.

All of the computers in a network must be configured to use the same key to communicate. Therefore, if you enable encryption on the AP, you will need to input the same key on each computer in the network. For home setups, encryption is enabled and configured by a browser-based configuration wizard. For corporate setups, encryption might be configured by browser or command line. In any case, if the configuration wizard provides for multiple encryption levels, you should select the highest (strongest) level of encryption that doesn’t result in a significant drop in throughput.

If possible, you should set up the router to use WPA-PSK along with a strong password. The PSK option enables WPA to use pre-shared keys instead of a separate Certificate Authority (CA) computer to provide user authentication. The PSK permits a password to be set on the router and shared with the rest of the users.

If WPA is simply not an option, you should enable WEP with 128-bit encryption. In addition, after you’ve installed and authenticated all the wireless clients, you should set the SSID Broadcast option to Disable, so that outsiders do not use SSID to acquire your address and data. Also, change the SSID name from the default value if you have not already done so.

If wireless networking technology is being used within a secure server room, additional physical hardening steps should be taken in securing the room. This may include physically hardening the room’s architecture, such as electrically isolating the server room’s ceiling and floor, as well as its walls to prevent the wireless signals from escaping.

Hands-On Exercises

Objectives

The purpose of this lab is to examine some of the more advanced security configuration settings of your router. Logs will be examined and turned on. SSID broadcasting will be disabled. Next, antennas will have their power lowered and turned off entirely. Finally, Universal Plug and Play will be disabled.

Resources

  • PC with Windows 10 physically connected to your SOHO router
  • SOHO router

Procedure

  1. Open the Microsoft Edge browser.
  2. Type in the IP address of your gateway in the address bar of your browser. Remember, you can find this by going to the command line and issuing IPCONFIG. (See Steps 7 through 12 in Chapter 15’s hands-on exercise for additional assistance.)
  3. At the login screen (see Figure 16.7), provide your administrator credentials.

    FIGURE 16.7 Enter your credentials.

  4. The first advanced setting of interest is to enable logging. Recall that logging is the act of recording events, such as users logging in or recording when software was updated. For a router, who and when someone has connected to the network is of interest.
  5. Find the location of the log settings. They may be under some advanced settings. For this example, these logs were found under Advanced ➣ Administration ➣ Logs. See Figure 16.8.

    FIGURE 16.8 The Logs

  6. Make sure the logs are turned on. Admin logins, admin failed logins, and DHCP assignments should be turned on.
  7. The next security improvement is to turn off SSID broadcasting and change the default name. Turning SSID broadcasting off is security through obscurity. See Figure 16.9.

  8. Find your wireless settings and disable all SSID broadcasts. For this router, the relevant options were found under Advanced ➣ Setup ➣ Wireless Setup.
  9. Change the name to something memorable. Alternatively, write down the SSID somewhere safe.
  10. Make sure you click Apply or Enable to save your changes.
  11. Another, more effective security version of turning off SSID broadcasting is to turn off the antenna entirely. We will turn off only the 5 GHz antenna; the 2.4 GHz antenna will stay on.

  12. Find a setting that disables the wireless antenna. It may be called Disable Wireless Router Radio or Disable Wireless Antenna. For this example, the setting was found under Advanced ➣ Advanced Setup ➣ Wireless Settings. See Figure 16.10.

    FIGURE 16.10 Turn off the 5 GHz wireless router radio.

  13. Yet another antenna-based feature is to lower the transmission power. This improves security by forcing attackers into closer proximity to the router to wirelessly connect. This also retains your ability to connect to your router wirelessly.
  14. Find this setting. The name may be different. For this example, the setting is named Transmit Power Control and can be found under Advanced ➣ Advanced Setup ➣ Wireless Settings. In fact, the transmission power setting is in the same area as the settings to turn off the antenna. You can refer to Figure 16.10.
  15. The last setting worth turning off is Universal Plug and Play, or UPnP. UPnP is a set of network protocols that allow networked devices to easily discover each other’s presence and communicate over a network.

  16. Find and disable the UPnP setting. For this example, the UPnP setting was found under Advanced ➣ Advanced Setup ➣ UPnP. UPnP is standardized; the location of the setting may change, but the name will not. See Figure 16.11.


FIGURE 16.11 Disabling UPnP
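As an added example (not from the book or from any router vendor's firmware), the following Python script audits an exported SOHO router configuration against the hardening steps of this exercise (logging, SSID broadcast and name, radio state and transmit power, UPnP) and the chapter's advice to run the strongest available encryption with a strong pre-shared key. The configuration keys, the default-SSID prefixes and the 12-character passphrase minimum are assumptions constructed for this example, as are the two sample configurations.

```python
from dataclasses import dataclass
from typing import Dict, List

# Encryption modes the chapter discusses, ranked weakest to strongest.
ENCRYPTION_RANK = {"none": 0, "wep-64": 1, "wep-128": 2, "wpa-psk": 3, "wpa2-psk": 4}
# Constructed list of factory-default SSID prefixes; not real vendor data.
DEFAULT_SSID_PREFIXES = ("NETGEAR", "linksys", "default")
MIN_PASSPHRASE_LEN = 12  # assumption made for this example, not a figure from the chapter


@dataclass
class Finding:
    setting: str
    severity: str  # "high", "medium" or "low"
    message: str


def audit_router_config(cfg: Dict) -> List[Finding]:
    """Return one Finding per hardening step the configuration has not applied."""
    findings: List[Finding] = []
    logs = cfg.get("logs", {})
    for event in ("admin_login", "admin_failed_login", "dhcp_assignment"):
        if not logs.get(event, False):
            findings.append(Finding(f"logs.{event}", "medium", f"{event} logging is off"))
    for band, radio in cfg.get("radios", {}).items():
        key = f"radios.{band}"
        if not radio.get("enabled", True):
            continue  # a radio that is switched off needs no further checks
        if radio.get("ssid_broadcast", True):
            findings.append(Finding(f"{key}.ssid_broadcast", "low", "SSID broadcast is on"))
        ssid = radio.get("ssid", "")
        if ssid.startswith(DEFAULT_SSID_PREFIXES):
            findings.append(Finding(f"{key}.ssid", "low", f"SSID {ssid!r} looks like a default"))
        mode = radio.get("encryption", "none").lower()
        if ENCRYPTION_RANK.get(mode, 0) < ENCRYPTION_RANK["wpa-psk"]:
            findings.append(Finding(f"{key}.encryption", "high", f"{mode} is weaker than WPA-PSK"))
        elif len(radio.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(Finding(f"{key}.passphrase", "high", "pre-shared key is too short"))
        if radio.get("transmit_power_pct", 100) >= 100:
            findings.append(Finding(f"{key}.transmit_power_pct", "low", "transmit power not lowered"))
    if cfg.get("upnp", True):
        findings.append(Finding("upnp", "medium", "UPnP is enabled"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed sample: a router left close to its factory settings.
WEAK_CONFIG = {
    "logs": {"admin_login": True, "admin_failed_login": False, "dhcp_assignment": True},
    "radios": {"2.4ghz": {"enabled": True, "ssid": "NETGEAR42", "ssid_broadcast": True,
                          "encryption": "wep-128", "transmit_power_pct": 100},
               "5ghz": {"enabled": False}},
    "upnp": True,
}
# The same router after the steps of this exercise have been applied.
HARDENED_CONFIG = {
    "logs": {"admin_login": True, "admin_failed_login": True, "dhcp_assignment": True},
    "radios": {"2.4ghz": {"enabled": True, "ssid": "blue-kettle-7", "ssid_broadcast": False,
                          "encryption": "wpa2-psk", "passphrase": "correct horse battery",
                          "transmit_power_pct": 50},
               "5ghz": {"enabled": False}},
    "upnp": False,
}

if __name__ == "__main__":
    for f in audit_router_config(WEAK_CONFIG):
        print(f"[{f.severity}] {f.setting}: {f.message}")
```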

Lab Questions

  1. What are the default log settings for your router?
  2. How does turning off SSID broadcasts improve security?
  3. Why was only one antenna turned off?
  4. Why would you lower the power on an antenna?
  5. How do you think disabling UPnP improves security?

Lab Answers

  1. What are the default log settings for your router?

    Some of the default settings for the example router are to log router operation and attempted access to blocked sites and services.

  2. How does turning off SSID broadcasts improve security?

    It provides security through obscurity.

  3. Why was only one antenna turned off?

    Turning off all the antennas would completely remove the wireless capabilities of the router.

  4. Why would you lower the power on an antenna?

    Lowering the power on an antenna is a halfway measure between turning wireless signals off and still having wireless connectivity. In addition, this forces intruders into closer physical proximity to your router.

  5. How do you think disabling UPnP improves security?

    Once a threat agent is in your network, UPnP allows a threat agent to easily access the rest of your network. Turning it off reduces this threat.
