Sunday, February 27, 2011

5 Threats To Your Home Wireless Connection

Keeping your wireless connection safe should be a top priority, especially if you use your wireless laptop or cell phone to log in to financial accounts or business email. We all use the internet to access personal information, do banking, and chat privately with friends. Imagine if someone were watching you, browsing through your files, or recording your every move on your computer. Don’t just sit there and assume it will not happen to you! If you have a wireless connection, make sure it is safe and secure by adding at least one simple security measure. Wireless network security is very important when it comes to protecting your privacy and precious data.

The Risks of a Weak Wireless Connection

Last year, the Washington Post reported on a series of Facebook scams. Hackers would break into people’s Facebook accounts, claim to have been robbed in a foreign country, and ask their Facebook friends to wire them money. Could this fool your family and friends into handing over hundreds or thousands of dollars?

One thing that makes this possible is that hackers can access your Facebook account, no matter how strong your password, if they can snoop on your wireless connection. They don’t need special equipment to do this—any basic wireless card lets hackers snoop on wireless connections using free software.

Wireless Connection Threats

There are three ways to protect yourself from wireless connection hackers:

  1. Don’t use a wireless connection. Always plug your computer into a blue Ethernet cord.
  2. Only use a wireless connection at least 1/2 mile (about 1 kilometer) away from any hackers.
  3. Secure your wireless connection from the five types of threats described in this article.

Wireless Connection Threat #1: Unencrypted Connections

Unencrypted connections are great—they’re easy to set up on your wireless router and all of your devices connect automatically. But because they’re unencrypted, hackers can eavesdrop on all of your wireless traffic. Well, almost all of your wireless traffic—anything that uses Secure Sockets Layer (SSL) encryption, like websites starting with HTTPS, will be encrypted.

Unfortunately, although Facebook and GMail and other sites use SSL for login screens, they don’t use it for their regular connections. In these cases, hackers can still break into your accounts by reading the cookie your Web browser sends to Facebook and Google every time you connect.

If you own the wireless connection, your best solution is to enable encryption on your router. Choose WPA encryption if possible, but on older routers you’ll need to settle for WEP. See the next section for information on the risks of WEP.

If you don’t own the wireless connection, for example you’re at a library or coffee shop, then you need to protect your connection by using a Virtual Private Network (VPN) or by using one of the plugins for your browser which force Facebook, GMail, and other services to use SSL.

Wireless Connection Threat #2: WEP

The Wired Equivalent Privacy (WEP) system was part of the original specification for wireless Internet, but within a few years of its release, hackers figured out how to break it. In 2007, three cryptanalysts broke into a WEP connection using a 1.7 GHz laptop in less than 1 minute. They published their technique, and now any hacker can use it to eavesdrop on any WEP-protected connection.

WEP has been officially replaced by Wi-Fi Protected Access (WPA), but many old routers only support WEP. If you have the option to use WPA, please use it. If your router has no support for WPA and you’re concerned about security, check whether the manufacturer of your router offers a firmware upgrade. Otherwise you should buy a newer router.

Wireless Connection Threat #3: Weak Passwords

WPA lets you secure your wireless connection using a password, but this password can be hacked like any other weak password. Because this password helps keep all of your other passwords secure, you should put some extra thought into making it very secure. Besides, you’ll only have to type it once on each computer, so it won’t be much of a hassle to make it extra hard to guess.

I suggest you add a few numbers and some punctuation to your password to help keep hackers from guessing it. Also make sure it’s at least 8 characters long—and preferably 12 characters or more.

Wireless Connection Threat #4: Snooping Users

No matter how secure you make your wireless network using WPA and strong passwords, you still must trust every user you let onto your network. Once users have access to your network, they can snoop on every packet sent on your wireless connection.

For example, if you’re at a hotel which uses WPA and you log into Facebook, any hacker who’s in a nearby room can also use his WPA-protected connection to snoop on your packets. At an office, employees can snoop on the boss’s WPA connection to get access to confidential information.

High-end routers can give each user their own secure connection, or you can just buy separate cheap routers for each class of user—for example, one router for managers and one router for employees.

Wireless Connection Threat #5: Traffic Analysis

One of the most advanced hacker techniques which is probably not used much in the real world is called traffic analysis. It lets hackers snoop on certain communication even when it’s encrypted.

For example, researchers from Johns Hopkins University in Maryland, US, were able to decode encrypted voice-over-IP (VoIP) phone calls by looking at the size of the encrypted packets. The sound “c” produced small packets, but the sound “ow” produced a big packet, so a small packet followed immediately by a large packet might mean someone said, “cow”.

Other researchers and possibly hackers can use traffic analysis to figure out all sorts of interesting things about your communication. There’s no easy solution to traffic analysis—you have to hope the people who make your software read the security journals. However, you can try to avoid sending highly-sensitive information on the same wireless communication network hackers use.

Having inadequate network security can cause problems with home networks.

Sunday, February 13, 2011

Advantages and Disadvantages of Broadband Internet

There are many advantages and disadvantages to using a broadband internet connection, and if you’re planning to start using one, it is important to compare the advantages with the disadvantages to see how it matches your needs. Below are the advantages and the disadvantages of using a broadband connection.

Advantages

1. The Speed it Provides is Second to None

One major advantage of using a broadband connection is its incredible speed. Compared to other forms of internet connection, a broadband connection is very fast; in most cases it can be more than 100 times faster than a dial-up connection. This makes it more useful and effective for someone who plans to download and upload large files on a regular basis. It will also be a great option for you if you spend a large percentage of your time online.

2. It is Not Dependent on Weather

Another major advantage of a broadband internet connection is that it is more reliable than other forms of internet connection. If you take a look at a dial-up connection, you will notice it is heavily influenced by the weather, and there are some days you won’t even be able to access the internet because of bad weather. A major advantage of a broadband connection is that it is reliable. Come rain or sun, a broadband connection will always be just as effective.

3. It has the Best Service Delivery

A broadband internet connection is also very consistent and always delivers up to expectation. Since a dial-up connection is heavily influenced by the weather, you should expect slow speeds on days with bad weather; this is not the case with a broadband connection, whose speed stays consistent irrespective of the weather.

4. It is Easy to Use

A broadband connection is also easy to use compared to a dial-up connection. In most cases, you will be connected automatically when you start your computer, so you won’t have to re-enter your username and password to access the internet. A broadband connection also saves you time, and you won’t experience technical glitches like constant disconnection (as is the case with a dial-up connection).

5. You Won’t be Charged Based on Your Duration Online

Imagine using a very slow dial-up connection that takes ages to load and download files, only to have to pay hefty bills at the end of the month because you spent a lot of time online. Most broadband ISPs offer you unlimited bandwidth and very few place a quota on you – the result is that you get more for your money since you’re able to use it effectively.

Disadvantages

1. It Can be More Expensive Compared to a Dial-up

One major disadvantage of a broadband connection is its price: if you’re someone who doesn’t spend much time online, you will be charged the same amount whether you use the internet or not. While a dial-up connection can be economical for those who spend little time online, you will get the best from a broadband connection if you spend most of your time online.

2. High Security Risk

Because of its flexibility and always-on availability, a broadband network can be easy to attack. If you use a wireless broadband connection, leaving the default settings in place can be very dangerous. In most cases, to get the best security from your broadband connection, it is important to put some work into making it more secure.

Conclusion

Based on the advantages and disadvantages above, you will notice that investing in a broadband internet connection can be a great investment for you.

Sunday, February 6, 2011

Limiting Internet Access Based on User Profile Using ASA and RADIUS

Introduction

Traditionally, IP Access lists (ACLs) have been used to restrict access to internal resources or to the Internet. With the growing complexity of networks, ACLs fail to provide the kind of dynamic access restrictions that are required. In this Chalk Talk, I am going to summarize Chapter 10 “Cut-through Proxy AAA on PIX/ASA” of the book AAA Identity Management Security, which discusses how ASA and RADIUS can be used to restrict access to Internet (and other network resources) based on user profile.


Cut-through Proxy Authentication

In normal scenarios, traffic from users is checked against interface ACLs and, based on Layer 3 and Layer 4 information, the packet is allowed or dropped. These interface ACLs are the same for all users.

Using the cut-through proxy authentication feature on ASA, it is possible to enforce authentication on all or certain types of traffic. After authentication, certain types of traffic can be denied or permitted based on the user profile.

To further elaborate the point, consider a situation where all traffic to the Internet goes through an ASA. You want to permit HTTP traffic for everyone, but you also want to allow Telnet, FTP and RDP for a specific group of users only. In this situation, the following two things will be applied:

  • An interface ACL permitting HTTP traffic outbound to the Internet
  • A cut-through proxy authentication for Telnet, FTP and RDP traffic

Now, when ASA receives outbound Telnet, FTP or RDP traffic on the inside interface, it will enforce authentication and then, based on the user profile received from the authentication server, the traffic will be permitted or denied.

The following figure summarizes the steps involved in a typical cut-through proxy authentication.




Configuring Cut-through Proxy Authentication

You should remember the following rules before configuring Cut-Through proxy authentication:

  • You can configure ASA to enforce authentication on multiple types of sessions; however, the user needs to authenticate only once. This means that after the first authentication, the user profile is cached by the ASA for a duration specified by the User Authentication (uauth) timer.
  • When the user authenticates, and ASA activates the uauth timer, those authenticated users will not be required to authenticate again and their traffic will be matched against the profile received from the authentication server.
  • ASA supports direct authentication with FTP (TCP port 21), Telnet (TCP port 23), HTTP (TCP port 80), and HTTPS (TCP port 443). A user must first authenticate with one of these services before the security appliance allows other traffic that requires authentication.
  • For Telnet and FTP, the security appliance generates an authentication prompt. For HTTP, the security appliance uses basic HTTP authentication and provides an authentication prompt. For HTTPS, the security appliance generates a custom login screen.
  • ASA provides a means to authenticate users using Virtual Telnet and HTTP sessions in case you do not want to enforce authentication on the supported protocols. This means that if you want to authenticate any other type of traffic, say RDP (TCP port 3389), users will need to initiate a Virtual Telnet or HTTP session to the ASA and authenticate first. When authenticated, they can initiate the other type of sessions. Virtual HTTP and Virtual Telnet sessions are discussed in detail later in this Chalk Talk.

Before enabling cut-through proxy authentication, configure an extended ACL that defines the traffic on which authentication needs to be enforced. Permit statements in the access list define which traffic needs to be authenticated. Deny statements define which traffic needs to be excluded from authentication.

Assuming you already added a RADIUS server on ASA, the following command will enable cut-through proxy authentication:

aaa authentication match acl_name interface_name server_tag

Note that the interface_name specifies the interface where the traffic is received.

Going back to our example, to enforce authentication on Telnet, FTP and RDP traffic outbound to the Internet, the following configuration can be used:

aaa-server radiusserver protocol radius
aaa-server radiusserver host 10.1.2.10
key test
access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 23
access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 21
access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 3389
aaa authentication match myauth inside radiusserver


Virtual Telnet, Virtual HTTP and HTTP Redirection

As mentioned earlier, ASA supports direct authentication with HTTP, HTTPS, FTP, and Telnet protocols only. If authentication is required for any other protocol, the user must authenticate using the supported protocols first. If you do not want to enforce authentication for any of the supported protocols, you can use the Virtual Telnet, Virtual HTTP, or HTTP Redirection features in ASA.

For this section consider an example where you have applied an interface ACL permitting all IP traffic except outbound RDP session to the Internet. Now there is a requirement to permit RDP sessions for a group of users. In this situation you can enforce authentication on RDP using the following commands:

access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 3389
aaa authentication match myauth inside radiusserver

Because RDP traffic cannot be authenticated directly, ASA will drop all RDP traffic after the above configuration is applied. You will need to use one of the methods discussed in this section to authenticate the user first.

Each of the three methods of authenticating unsupported protocols—Virtual Telnet, Virtual HTTP and HTTP Redirection—has its own advantages and disadvantages. Your network, the technical level of the end users, security considerations, and other related factors determine which method is best for you. Each of the three methods is discussed below:

  • Virtual Telnet - The Virtual Telnet feature enables you to configure an IP address to which users can Telnet to authenticate. When an unauthenticated user Telnets to this IP address, the user is challenged for a username and password, and then authenticated by the RADIUS server. When authenticated, the user sees the message “Authentication Successful” and is disconnected. The user can now access other services that require authentication. The IP address used for Virtual Telnet has to be in the same subnet as the interface on which ASA receives the traffic that needs to be authenticated. ASA will respond to the ARP queries received for the virtual IP address. To configure Virtual Telnet, use the following command:

    virtual telnet virtual_telnet_ip_address

    If you use Virtual Telnet, the example given above will change to the following:

    access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 3389
    access-list myauth permit tcp 10.0.0.0 255.0.0.0 10.1.1.20 eq 23
    aaa authentication match myauth inside radiusserver
    virtual telnet 10.1.1.20

  • Virtual HTTP - Virtual HTTP is similar to Virtual Telnet. In this case, the end user uses HTTP to authenticate instead of Telnet. The IP Address and ACL considerations that apply to Virtual Telnet also apply to Virtual HTTP. ASA uses basic HTTP authentication for Virtual HTTP. It redirects all HTTP connections that require AAA authentication to the HTTP server on the security appliance, where the user is prompted for a username and password. To configure Virtual HTTP, use the following command:

    virtual http virtual_http_ip_address

    If you use Virtual HTTP, the example given above will change to the following:

    access-list myauth permit tcp 10.0.0.0 255.0.0.0 any eq 3389
    access-list myauth permit tcp 10.0.0.0 255.0.0.0 10.1.1.20 eq 80
    aaa authentication match myauth inside radiusserver
    virtual http 10.1.1.20

  • HTTP Redirection - Redirection is an improvement over the Virtual HTTP method in that it provides a better user experience when authenticating. Users can connect to the ASA’s interface IP address directly using HTTP or HTTPS and will get an authentication page. The HTTP page used in this method shows information such as the user’s IP address and authentication status and offers a logout button, unlike the Virtual HTTP method, where no information is displayed. Another benefit of this method is that a Virtual IP address is not required. You can configure HTTP Redirection using the following command:

    aaa authentication listener http[s] interface_name [port portnum]


uauth Timer

When a cut-through proxy authentication is successful, ASA stores the authentication information and the user profile in its cache. The entry is created on the first authentication and is valid for any subsequent traffic. This means that if more than one kind of traffic needs authentication, the first authentication will be sufficient for all of them as long as the cache entry exists.

The uauth timer determines how long ASA will maintain the cache entry. When the uauth timer expires, the entry is removed, and the user will need to authenticate again. The uauth timer can be absolute or inactivity based. This means that the uauth timer can be made to expire after a fixed period or if there is no activity for a defined period.

In effect, the uauth timer influences the user experience to a great extent. If the timer is too short, the users will need to authenticate many times. If the timer is too long, the risk of misuse is high. So it is advisable that you experiment with the absolute and inactivity uauth timeouts to find the best range suited for your network.

By default, the uauth timer expires in 5 minutes, irrespective of activity status. You can change the uauth timer default using the following command:

timeout uauth hh:mm:ss [absolute | inactivity]

To configure absolute and inactivity timers together, use the command twice. You must ensure that the uauth duration is shorter than the xlate duration. The xlate duration defines the idle time after which an address translation slot is freed. ASA will not accept a timer that is longer than the xlate timer.

You can disable caching by using a uauth timer of 0. The timer can be set to a maximum of 1193:0:0.


Configuring User Profile on RADIUS server for Cut-through Proxy

We know that cut-through proxy authentication allows ASA to fetch user profiles from the RADIUS server and permit or deny traffic based on them. What really happens is that the RADIUS server sends an ACL, called a downloadable ACL, to the ASA with the Access-Accept packet. ASA replaces the source IP address on the ACL entries with the IP address of the authenticating user and applies it over the interface ACL. The user’s traffic is then checked against this combined ACL before being permitted out. When the uauth timer expires, the downloadable ACL is removed from the ASA.

If you are using CiscoSecure ACS, you can create downloadable ACLs and apply them to the user profile or the user’s group profile. In CiscoSecure ACS 4.x, downloadable ACLs can be configured at Shared Profile Components > Downloadable IP ACLs and applied to the profile from User Setup or Group Setup page.

If you are using CiscoSecure ACS 5.x, downloadable ACLs can be configured at Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs. After creating the ACLs, you will need to bind them to an Authorization Profile, which in turn can be applied to the authorization policy that is being used for cut-through proxy authentication.

Note that the syntax of the downloadable ACL should match the ACL syntax used by ASA.

If you are not using CiscoSecure ACS, the Cisco vendor-specific attribute cisco-av-pair (Vendor ID 009 and attribute number 001) can be used to define downloadable ACLs in a user profile. An example of an ACL defined as the value of the cisco-av-pair attribute is given below:

ip:inacl#1=permit tcp any any eq 3389
ip:inacl#2=permit tcp any any eq 23
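To make the uauth timer and downloadable ACL behaviour described above concrete, here is a small model of the ASA decision written for this summary (added example, not Cisco code and not from the book): it parses cisco-av-pair entries in the format just shown, rewrites their source to the authenticating user, caches the result under absolute and inactivity uauth timers, and decides each flow against the combined ACL. The RADIUS attributes, addresses, ports and function names are constructed for the illustration, and the combined ACL is modelled as the downloaded entries evaluated ahead of the interface ACL.

```python
"""Toy model of the ASA cut-through proxy decision described above (added
illustration, not Cisco code); addresses, ports and names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed RADIUS Access-Accept attributes, in the page's av-pair format.
SAMPLE_AV_PAIRS = ["ip:inacl#1=permit tcp any any eq 3389", "ip:inacl#2=permit tcp any any eq 23"]
AV_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny) (\w+) (\S+) (\S+)(?: eq (\d+))?$")

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", ...
    src: str      # "any" or CIDR (assumed instead of ASA's address/mask syntax)
    dst: str      # "any" or CIDR
    dport: int    # destination port, or None for any port

    def matches(self, proto, src, dst, dport):
        def in_net(net, ip):
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (self.proto in ("ip", proto) and in_net(self.src, src)
                and in_net(self.dst, dst) and self.dport in (None, dport))

def parse_downloadable_acl(av_pairs, user_ip):
    # ASA replaces the source of each downloaded entry with the user's address.
    entries = []
    for pair in av_pairs:
        m = AV_RE.match(pair)
        if not m:
            raise ValueError(f"unsupported av-pair: {pair}")
        seq, action, proto, _src, dst, port = m.groups()
        entries.append((int(seq), Ace(action, proto, f"{user_ip}/32", dst,
                                      int(port) if port else None)))
    return [ace for _, ace in sorted(entries, key=lambda e: e[0])]

def evaluate(acl, proto, src, dst, dport):
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False   # implicit deny at the end of every ACL

class UauthCache:
    """uauth cache; timers in seconds; absolute=0 disables caching ('timeout uauth 0')."""
    def __init__(self, absolute=300, inactivity=0, xlate=3 * 3600):
        if absolute > xlate or inactivity > xlate:
            raise ValueError("uauth timer must not exceed the xlate timer")
        self.absolute, self.inactivity, self.entries = absolute, inactivity, {}

    def add(self, user_ip, acl, now):
        if self.absolute > 0:
            self.entries[user_ip] = [now, now, acl]   # [auth_time, last_seen, acl]

    def lookup(self, user_ip, now):
        e = self.entries.get(user_ip)
        if e is None:
            return None
        auth_time, last_seen, acl = e
        if now - auth_time >= self.absolute or (
                self.inactivity and now - last_seen >= self.inactivity):
            del self.entries[user_ip]          # expired: user must authenticate again
            return None
        e[1] = now
        return acl

def authorize(interface_acl, auth_acl, cache, proto, src, dst, dport, now):
    """Flows matching the 'aaa authentication match' ACL need a uauth entry; the
    downloaded ACL is then checked ahead of the interface ACL (combined ACL)."""
    if not evaluate(auth_acl, proto, src, dst, dport):
        return "permit" if evaluate(interface_acl, proto, src, dst, dport) else "deny"
    dacl = cache.lookup(src, now)
    if dacl is None:
        return "authenticate"   # ASA prompts on 21/23/80/443, otherwise drops the flow
    return "permit" if evaluate(dacl + interface_acl, proto, src, dst, dport) else "deny"
```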

Summary

Cut-through proxy AAA is an often neglected part of identity management solutions. Effective use of this feature can strengthen your network security by providing dynamic access policies on a user-by-user basis. It will also ensure that the interface ACLs on ASA stay small and manageable.

Before configuring Cut-through proxy authentication, it is important to identify what traffic needs to be authenticated and remember where you will need to use Virtual Telnet, Virtual HTTP, or HTTP Redirection.

Tuesday, February 1, 2011

Data Backup Site-Smartest Way To Protect Your Data

Many of us assume that data recovery and backup are time-consuming and tiresome processes. However, they have been made easy by the data backup sites available these days. There are many services on the market that provide backups based on your requirements. To make use of an online backup service, all you need is a system with an internet connection. It is important to choose the right backup service, as choosing a good backup policy has become complicated these days.

Most net users wonder whether their data would be safe when they use an online service, or whether someone might steal it. Secure web-based data backup storage has been made possible by advances in technology, in particular by storing the data in encrypted form. Even large IT companies keep their data backups at reliable data backup sites. There are backup sites which offer this service for home users, small enterprises and big companies alike. When you use the service of a data backup site, you need not worry even if your data is lost to malicious viruses or your system crashes for unknown reasons.

You can choose which files to back up. Backups are done regularly at fixed intervals to ensure the maximum possible security. Start using a data backup site right away to defend your valuable resources and information.