Access Control
It is important to consider all types of access control techniques that prevent unauthorized use of your wireless network by hackers. In addition to the shared-key authentication method mentioned in the previous section, there is another technique, extended service set identification (ESSID). This represents an alphanumeric value programmed into a wireless router to determine which subnet on your wired LAN it is part of. This value is used as a means of authentication to make certain that only authorized wireless users can access the network. If the wireless user does not know the ESSID, he cannot use the network.
However, most wireless users can tell their network interface card to enter “promiscuous mode” in an attempt to automatically determine the ESSID. This is easily accomplished by setting the ESSID parameter on the wireless computer to no value (null) whatsoever. In this way, the wireless card will enter promiscuous mode and automatically roam until it finds a wireless network to access. This is the method by which most hackers gain access to computing systems.
Another means of controlling access is to tell the wireless router to screen out any wireless network interface card that does not have a particular media access control (MAC) or machine address. This is a very good form of access control that will prevent unauthorized users who set their cards into promiscuous mode from entering your network without prior authorization.
These MAC addresses are retained on an access control list (ACL) that is part of the wireless router or access point’s configuration. The parameters are usually set through the internal Web server within these devices. The router examines each unique MAC address and only allows authorized MAC addresses to log onto the network. This form of control effectively limits access to your network to those stations that are authorized; anyone else is rejected. Administrators can enable this extra form of security to exclude hackers on outside wireless computers as well as users who are part of a different network within your organization. By segmenting users into pools, you can restrict access to wireless servers to those people who have a “need” for access.
Note that it is possible to “spoof” a MAC address so that a hacker’s wireless computer appears to be an authorized machine logging onto your network. This is why it is important to maintain a log of all traffic coming in through your wireless network, so that you can determine if there are spikes in activity that don’t belong. Armed with this information, you can keep a watchful eye on your network for unauthorized hacking activity and protect your mission-critical data.
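The log review described above can be automated. The following is an added example, not part of the original article: it checks each logged station against the MAC ACL and flags hours in which an authorized address moved far more traffic than usual, which is how a spoofed address tends to show up. The log format, the addresses, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Hypothetical allow-list, mirroring the MAC ACL configured on the access point.
ACL = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed sample log, one line per client per hour: "<hour> <MAC> <bytes>".
SAMPLE_LOG = """\
2024-05-01T09 00:11:22:33:44:55 1200000
2024-05-01T09 00:11:22:33:44:66 300000
2024-05-01T10 00:11:22:33:44:55 900000
2024-05-01T10 00:11:22:33:44:66 350000
2024-05-01T10 DE:AD:BE:EF:00:01 5000
2024-05-01T11 00:11:22:33:44:55 1100000
2024-05-01T11 00:11:22:33:44:66 280000
2024-05-01T12 00:11:22:33:44:55 1000000
2024-05-01T12 00:11:22:33:44:66 310000
2024-05-02T02 00:11:22:33:44:55 48000000
"""

def parse(log):
    """Yield (hour, mac, bytes) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1].lower(), int(parts[2])

def analyze(log, acl=ACL, factor=5, min_history=3):
    """Return (rejected_macs, spikes). A spike is an hour in which an authorized
    MAC moved more than `factor` times the median of its other logged hours."""
    per_mac = defaultdict(lambda: defaultdict(int))
    rejected = set()
    for hour, mac, nbytes in parse(log):
        if mac not in acl:
            rejected.add(mac)          # the ACL would refuse this station
        else:
            per_mac[mac][hour] += nbytes
    spikes = []
    for mac, hours in per_mac.items():
        for hour, total in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if len(others) >= min_history and total > factor * median(others):
                spikes.append((mac, hour, total))
    return rejected, spikes

if __name__ == "__main__":
    rejected, spikes = analyze(SAMPLE_LOG)
    print("not on ACL:", sorted(rejected))
    for mac, hour, total in spikes:
        print(f"review {mac}: {total} bytes in {hour}")
```

A flagged hour is a prompt to check whether the legitimate owner of that address was actually on the network at the time, not proof of spoofing by itself.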