Best Practices for Locustworld’s Mesh Network
By Don Moskauk
March 25, 2004
Wireless Mesh Network technology is creating new opportunities and will dramatically change the world of computing. As with wired technology, wireless and mesh networks also carry security risks. Locustworld's mesh encryption is strong. The basic security on the MeshAP has the following:
- To prevent spoofing, each node has a certificated IP address.
- Nodes exchange keys to the endpoints using 2048-bit RSA and then encrypt data using 128-bit AES with Blowfish overlaid.
- An additional shared key can be used with the dynamic keys to create a private mesh. As a result, it will not connect with nearby mesh networks, even ones with the same ESSID, and this can also prevent hostile route injection into your network.
- On top of that you can run WEP over your network at the Ethernet layer, and if you use dual radios or wlan-ethernet bridges you can put WEP on your backbone while leaving the local cells unencrypted.
- For full end-to-end security SSL is available, and the MeshAP also supports PPTP and IPsec tunnels for securing the last hop to the client.
Wireless Mesh Networks, which use radio frequencies to broadcast in the unlicensed 2.4GHz frequency band, can be as simple as two computers equipped with wireless interface cards or as complex as hundreds of computers outfitted with cards communicating through Locustworld's MeshAP. They're relatively inexpensive and easy to install. But they also introduce a number of critical security risks and challenges, and it's important to implement strong security measures through www.Wiana.org to mitigate these risks. What follows are potential risks and associated best practices to help you secure your network and understand Wireless Mesh characteristics:
Risk 1: Insufficient policies and awareness
Though establishing policies to govern Wireless Mesh Networks would appear to be a basic requirement, Mesh ISPs often fail to take this step or to inform Clients of the risks of not using Wireless Mesh Network security in accordance with the policies. Once policies are implemented, it's critical to communicate them to increase Clients' awareness and understanding.
How to mitigate:
Develop Mesh ISP-wide policies with detailed procedures regarding Wireless Mesh Network devices and usage. Maintain these policies and procedures to keep current with technology and trends. While each Mesh ISP will have specific requirements, at a minimum require the registration of all LANs as part of the overall security strategy. And because a policy isn't effective if Clients aren't in compliance, monitor the network to ensure that Clients are following the policy as intended.
Conduct regular security awareness and communication sessions for both systems administrators and Clients. It's important to keep systems administrators informed of technical advances and protocols, but it's equally important for Clients to understand the reasons for the protocols. An informed Client is more likely to be a compliant one, with less protest. These communication sessions should stress the importance of vigilance.
Risk 2: Access constraints
Wireless Mesh Network access points repeatedly send out signals to announce themselves so that Clients can find them and initiate connectivity. This happens when 802.11 beacon frames containing the MeshAP's Extended Service Set Identifier are sent unencrypted. (ESSIDs are names or descriptions used to differentiate networks from one another.) This could make it easy for unauthorized Clients to learn the network name and attempt an attack or intrusion.
How to mitigate:
Enable the available security features. Embedded security features are disabled by default.
Change the default settings. Locustworld sets the default ESSIDs; for example, Locustworld's default ESSID is "Locustworld". Not changing these makes it easier for an unauthorized Client to gain access (the software is open source, so the defaults are public knowledge). Define a complex ESSID naming convention. Don't change the ESSID to reflect identifiable information, since this too could make it easy for an unauthorized Client to gain access. Instead, use long, non-meaningful strings of characters, including letters, numbers and symbols.
Move or encrypt the ESSID and the Wired Equivalent Privacy (WEP) key, which are typically stored in the Windows registry. Moving these privileged files makes it more difficult for a hacker to acquire privileged information. This step could either prevent an unauthorized intrusion or delay the intrusion until detection occurs.
Please note that the mesh encryption is much stronger than WEP, and with the PPTP or IP sign-on you have a very secure setup. You can use WEP as well.
Use a closed network. With a closed network, Clients type the ESSID into the client application instead of selecting it from a list. This feature makes it slightly more difficult for a Client to gain access, but education on this risk-mitigation strategy can reduce potential resistance.
To gain maximum advantage from a closed network, change the ESSID regularly so that a Client who has left can't regain access to the network. Develop and implement an ESSID management process to change the ESSID regularly and to inform authorised Clients of the new ESSID.
Track Clients' equipment. Require that Wireless Mesh Network devices be placed behind the main routed interface so the MeshAP can shut them off if necessary. If LANs are being used at home, require specific security configurations, including encryption and virtual private network (VPN) tunneling.
Change the root password on the MeshAP.
Risk 3: Rogue MeshAP
Rogue access points are those installed by Clients without coordinating with the Mesh ISP. Because access points are inexpensive and easy to install, rogue installations will become more common.
Rogue MeshAPs are often poorly configured and might permit traffic that is hard for intrusion-detection software to pinpoint.
How to mitigate:
Conduct extensive site surveys regularly to determine the location of all MeshAPs. Ensure that MeshAPs aren't near interfering appliances such as microwave ovens, electrical conduits, elevators or furniture.
Provide narrow-beam or horizontal antennas for Wireless Mesh Network devices to better contain and control the radio frequency coverage area and thus prevent unauthorized access.
The MeshAP runs development-release software, so security patches and upgrades can be installed from future releases.
WIANA or RADIUS provides an additional authentication step. Interface this authentication server to a Client database to ensure that the requesting Client is authorised.
Force re-authentication of all Clients at least every 30 minutes.
Risk 4: Traffic analysis and eavesdropping
Without actually gaining access to the network, unauthorized parties can passively capture Clients' confidential data as it travels over the airwaves to the MeshAP, and can easily read it because it's sent in clear text. An attacker could alter a legitimate message by deleting, adding to, changing or reordering its contents, or could monitor transmissions and retransmit messages as if they were a legitimate Client.
Currently, wireless client networks are surrounded by weak 802.11b or g access control mechanisms, resulting in weak message authentication.
How to mitigate:
1. Encrypt all traffic over the mesh, including bridges and client devices. There are a variety of methods to select from:
   - Use application encryption such as Pretty Good Privacy (PGP), Secure Shell (SSH) or Secure Sockets Layer (SSL).
   - Enable WEP, an encryption method intended to give Wireless Mesh Network Clients security equivalent to being on a wired network, but which has been proved insecure (its RC4 stream cipher, used to encrypt the data, has been cracked). Both 40- and 128-bit keys have been cracked; the 128-bit encryption only prolongs the cracking process. Despite its weaknesses, the WEP security built into Wireless Mesh Networks can delay an unauthorized Client's intrusion or possibly prevent a novice hacker's attacks entirely. (Note: the WEP factory default is OFF.)
   - Require the use of a VPN running at least FIPS-141 triple Data Encryption Standard and encrypting all traffic, not only the ID and password. Segment all Wireless Mesh Network traffic behind a firewall and configure each client with a VPN client to tunnel the data to a VPN concentrator on the wired network. Configure it so that Clients communicate only with the VPN concentration point. Evaluate the following features when purchasing VPN technologies: interoperability with existing infrastructure, support for Wireless Mesh Networks, a packet-filtering or stateful-inspection firewall, automatic security updates and a centralized management console.
2. Implement a two-factor authentication scheme using access tokens for Clients accessing critical infrastructure.
3. Utilize 802.11b for key management and WIANA authentication standards.
4. Use the Extensible Authentication Protocol (EAP).
5. Activate the Broadcast Key Rotation functionality. Set a specific amount of time (usually 10 minutes or less) on the access point; each time the counter runs out, the access point broadcasts a new WEP key, encrypting it with the old one, thus reducing the amount of time available to crack the key.
6. Restrict LAN access rights by role.
Risk 5: Insufficient network performance
Wireless Mesh Network LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11Mbit/sec, and Media Access Control overhead alone consumes roughly half of the nominal bit rate.
Capacity is shared between all the Clients associated with a MeshAP, and aggregation doesn't yet exist on the MeshAP (it is expected soon), so network performance can be improved dramatically if an appropriate number of access points is available to Clients.
Frequently, unauthorized Clients' intention is to steal bandwidth rather than to view or alter the data passing along the Wireless Mesh Network. Even so, these unauthorized Clients can significantly reduce network performance for authorised Clients. Finally, a DoS attack can disable or disrupt your operations. A DoS doesn't have to be intentional; for example, Clients can transfer large files that cause a network outage.
Another unintentional DoS can occur when legitimate traffic uses the same radio channel. Conversely, a DoS can also be an intentional overload, such as a ping flood meant to cause network disruption.
How to mitigate:
1. Continually monitor network performance and investigate any anomalies immediately.
2. Segment the access points' coverage areas to reduce the number of people using each access point.
3. In WIANA, apply the traffic-shaping solution to allow administrators to proactively manage traffic rather than react to irregularities.
Risk 6: Hacker attacks
Because Wireless Mesh Networks are insecure between the client and the MeshAP, they're prone to attacks. Such attacks can include spreading viruses, loss of confidentiality and data integrity, data extraction without detection, privacy violations and identity theft. It should be pointed out, though, that flooding at the radio layer is likely to be the most common attack a mesh will experience.
How to mitigate:
1. Deploy a network-based intrusion-detection system on the Wireless Mesh Network; review its logs weekly.
2. Use and maintain antivirus software. Push antivirus software upgrades out to clients from servers.
3. Create frequent backups of data and perform periodic test restorations.
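The ping flood named under Risk 5 and the log review under Risk 6 both come down to counting events per source over time. The following is an added example, not Locustworld or MeshAP code; it assumes a netfilter-style kernel log line format and a constructed sample, and flags any source that sends 50 or more ICMP echo requests within a 10-second window.

```python
"""Added example (not Locustworld/MeshAP code): sliding-window ping-flood
detection over constructed kernel log lines, the kind of check a weekly
log review or a monitoring job on the gateway would run."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _echo_line(sec, src):
    # Constructed line in the style of an iptables LOG target; the real
    # MeshAP log format is an assumption, not taken from the article.
    return (f"Mar 25 12:00:{sec:02d} meshap-03 kernel: IN=wlan0 SRC={src} "
            f"DST=192.168.7.1 PROTO=ICMP TYPE=8 CODE=0")


# Constructed sample: 20 echo requests per second for 5 seconds from one
# source, two normal pings from another, and one non-ICMP line.
SAMPLE_LOG = "\n".join(
    [_echo_line(s, "192.168.7.66") for s in range(5) for _ in range(20)]
    + [_echo_line(10, "192.168.7.20"), _echo_line(40, "192.168.7.20"),
       "Mar 25 12:01:00 meshap-03 kernel: IN=wlan0 SRC=192.168.7.66 "
       "DST=192.168.7.1 PROTO=TCP DPT=80"]
)

# Only ICMP echo requests (TYPE=8) are of interest for a ping flood.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: .*SRC=(\S+) .*PROTO=ICMP TYPE=8")


def detect_ping_flood(log_text, window=timedelta(seconds=10), threshold=50,
                      year=2004):
    """Return {src: first timestamp at which `threshold` echo requests from
    that source fell inside one `window`}. Syslog lines carry no year, so
    the caller supplies it."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # non-ICMP or unparsable lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts      # report each source once, at first crossing
    return alerts


if __name__ == "__main__":
    for src, when in detect_ping_flood(SAMPLE_LOG).items():
        print(f"ping flood from {src} detected at {when}")
```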
Host mapping
Host mapping allows you to map a public Internet address (or LAN address) from your gateway point to a remote wireless or wired device connected to a remote Meshbox anywhere on the mesh. For Windows file sharing, it's possible to enter the IP address as a URL in Windows and it will connect directly to the file share.
How to mitigate:
It is recommended to give the hostmapped device a static IP at the top end of the range, 192.168.X.220-240, within the DHCP range that the Meshbox it is connected to is giving out. The remote node's gateway type is set to "IP". With a hostmapped host you can access its file share simply by typing its IP into the address bar of Windows Explorer. Your clients should be warned to secure their computers to prevent unintended sharing. Hostmapping opens up security implications for the remotely attached device. The hostmap also only runs when the remote node has Internet gateway connectivity.
Risk 8: MAC spoofing/session hijacking
Wireless Mesh Network 802.11 networks don't authenticate frames, which may result in frames being altered, authorised sessions being hijacked or authentication credentials being stolen by an impostor. Therefore, the data contained within frames can't be assured to be authentic, since there's no protection against forgery of frame source addresses.
Because attackers can observe the Media Access Control (MAC) addresses of stations in use on the network, they can adopt those addresses for malicious transmission. Finally, it is station addresses, not the Clients themselves, that are identified. That's not a strong authentication technique, and an unauthorized party can compromise it.
How to mitigate:
1. Limit access to specific MAC addresses, filtered via a firewall. This technique isn't completely secure, because MAC addresses can be duplicated, but it does improve the overall security strategy. Another difficulty with this technique is the maintenance effort required: a MAC address is tied to a hardware device, so every time an authorised device is added to or removed from the network, the MAC address has to be registered in the database. Therefore use a user ID and password together with the MAC address.
2. Monitor logs weekly and scan critical host logs daily.
3. Use proven data-link-layer cryptography such as SSH, Transport Layer Security or IPsec.
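As an added example of point 1 above (not MeshAP or WIANA code): a MAC allowlist bound to a user ID and password, plus a check over constructed association log lines that flags the same MAC active on two nodes at once, which is the inconsistency a copied address tends to produce. The log format, node names, credentials and the 5-minute window are assumptions.

```python
"""Added example (not Locustworld/MeshAP code): MAC allowlist combined with
user credentials, and a duplicate-MAC detector over constructed logs."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

_SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _hash_pw(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed allowlist: MAC -> (userid, password hash). In a deployment this
# is the Client database that WIANA or RADIUS is interfaced to.
ALLOWLIST = {
    "00:0c:41:aa:bb:01": ("alice", _hash_pw("correct horse")),
    "00:0c:41:aa:bb:02": ("bob", _hash_pw("battery staple")),
}


def authorise(mac, userid, password):
    """A MAC filter alone is weak because addresses can be copied, so the
    user ID and password registered for that MAC are required as well.
    Returns (ok, reason)."""
    entry = ALLOWLIST.get(mac.lower())
    if entry is None:
        return False, "mac-not-registered"
    expected_user, expected_hash = entry
    if userid != expected_user:
        return False, "userid-mismatch"
    if not hmac.compare_digest(_hash_pw(password), expected_hash):
        return False, "bad-password"
    return True, "ok"


# Constructed association log lines in an assumed MeshAP syslog format.
LOG_LINES = """\
2004-03-25 10:00:01 node=meshap-07 event=assoc mac=00:0c:41:aa:bb:01
2004-03-25 10:00:05 node=meshap-07 event=assoc mac=00:0c:41:aa:bb:02
2004-03-25 10:02:30 node=meshap-12 event=assoc mac=00:0c:41:aa:bb:01
2004-03-25 10:20:00 node=meshap-07 event=disassoc mac=00:0c:41:aa:bb:01
2004-03-25 10:21:00 node=meshap-09 event=assoc mac=00:0c:41:aa:bb:01
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) node=(\S+) event=(assoc|disassoc) mac=(\S+)$")


def find_duplicate_macs(log_text, window=timedelta(minutes=5)):
    """Return [(mac, earlier_node, new_node, timestamp)] for each association
    where the MAC was already associated to a different node within `window`
    and had not disassociated: one station cannot be in two places at once.
    A slow move between nodes (longer than the window) is treated as roaming."""
    active = {}   # mac -> (node, time of last association)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        node, event, mac = m.group(2), m.group(3), m.group(4).lower()
        if event == "disassoc":
            if active.get(mac, (None,))[0] == node:
                active.pop(mac, None)
            continue
        prev = active.get(mac)
        if prev and prev[0] != node and ts - prev[1] <= window:
            alerts.append((mac, prev[0], node, ts))
        active[mac] = (node, ts)
    return alerts


if __name__ == "__main__":
    print(authorise("00:0c:41:aa:bb:01", "alice", "correct horse"))
    for mac, a, b, when in find_duplicate_macs(LOG_LINES):
        print(f"{when}: {mac} active on {a} and {b} at the same time")
```

In the constructed log, alice's MAC appears on meshap-07 and meshap-12 within three minutes with no disassociation in between, which is flagged, while the later move to meshap-09 is 18 minutes on and is not.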
Risk 9: Physical security deficiencies
Commonly used wireless and handheld devices such as PDAs, laptops and MeshAPs are easy to lose or steal because of their small size and portability. In the event of a theft, the unauthorized party can compromise such devices to obtain proprietary information about your Wireless Mesh Network configuration.
How to mitigate:
1. Implement strong physical security controls, including barriers and guards, to prevent the theft of equipment and unauthorized access.
2. Label and maintain inventories of all fielded Wireless Mesh Network and handheld devices.
3. Use device-independent authentication so that lost or stolen devices can't gain access to the mesh.
Summary
After examining just a few risks associated with Wireless Mesh Networks, their high-risk nature becomes quite evident. To moderate risks, management and systems administrators must perform ongoing risk assessments to ensure not just that they understand the risks they face, but that they also take appropriate steps to mitigate them.
Overall, the greatest weakness in Wireless Mesh Network security isn't technical shortcomings but out-of-the-box insecure installations. This risk can be overcome with attention to detail. But remember that the human factor is the weakest link, and that this risk needs to be considered when appointing a network administrator and funding suitable review procedures.
Mitigating the risk provides an opportunity that just needs to be managed. It's an inspiration for progress and should be a welcome challenge, as long as it's given the proper consideration.