User's Manual
APPENDIX D
SECURITY
Revised: 27 Jun 16 APX D-2 ESTeem Horizon Series
128‐BIT WEP
The 128 WEP uses a particular algorithm called RC4 encryption to encode and decode traffic that is based on a 104‐bit encryption key and a 24‐bit Initialization Vector (IV). RC4 starts with a relatively short encryption key (104 bits) that is expanded into a nearly infinite stream of keys to accompany the stream of packets.
The basic concept of RC4 is good, but the way it’s implemented in WEP leaves it open to compromise. The researchers that test the integrity of the system usually focus on one piece of the implementation, the Initialization Vector (IV).
The IV (24 bits) is the algorithm component that’s supposed to keep expanded keys from repeating. From the researcher’s point of view, a high‐volume access point is mathematically guaranteed to reuse the same key stream at least once a day. When this happens, it’s called an IV collision; this becomes a soft spot to enter the system.
The researchers aren’t saying that it’s easy to break into the system, or that it’s being done on a regular basis, only that it is possible and administrators should consider ways to reduce the possibility.
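
The IV reuse described above, as an added example that is not part of the ESTeem manual: a minimal RC4/WEP sketch showing that two frames encrypted under the same IV share a keystream, and how quickly a 24‐bit IV space repeats. The key, frame contents and the 500 frames/s rate are constructed assumptions, and the CRC‐32 integrity value of real WEP is left out.

```python
import math

IV_BITS, KEY_BITS = 24, 104   # sizes stated in the manual for 128-bit WEP

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key (the CRC-32 ICV is omitted in this sketch)."""
    if len(iv) * 8 != IV_BITS or len(key) * 8 != KEY_BITS:
        raise ValueError("expected a 24-bit IV and a 104-bit key")
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def hours_until_iv_wrap(frames_per_second: float) -> float:
    """Counter-style IVs: hours until all 2**24 values are used and reuse is forced."""
    return 2 ** IV_BITS / frames_per_second / 3600

def frames_for_repeat(probability: float = 0.5) -> int:
    """Randomly chosen IVs: frames sent before a repeat is this likely (birthday bound)."""
    return math.ceil(math.sqrt(2 * 2 ** IV_BITS * math.log(1 / (1 - probability))))

def reuse_demo():
    """Two constructed frames under one IV: the keystream cancels out of c1 XOR c2."""
    key = bytes(range(1, 14))                 # constructed 104-bit key
    p1, p2 = b"constructed frame A", b"constructed frame B"
    same = xor(wep_encrypt(b"\x00\x00\x01", key, p1), wep_encrypt(b"\x00\x00\x01", key, p2))
    diff = xor(wep_encrypt(b"\x00\x00\x01", key, p1), wep_encrypt(b"\x00\x00\x02", key, p2))
    return same == xor(p1, p2), diff == xor(p1, p2)

if __name__ == "__main__":
    print(f"IV space wraps after {hours_until_iv_wrap(500):.1f} h at 500 frames/s")
    print(f"50% chance of a repeated IV after {frames_for_repeat()} random-IV frames")
    print("same IV exposes p1 XOR p2 (same IV, different IV):", reuse_demo())
```

Because the secret key never changes between frames, the IV is the only thing separating one keystream from the next, which is why WPA or stronger is preferred wherever the hardware supports it.
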
Access Control List (ACL)
The ACL is one of the simplest yet most secure methods of network security. The ACL is a configurable MAC filter in the Model 192E that can be set to allow specific MAC addresses on the wireless network by individual address or address ranges. The same filter can also be set to reject individual MAC addresses or address ranges.
The MAC address is a unique, 6 hexadecimal field address assigned at the manufacturer that cannot be changed. The MAC address is traceable through the IEEE governing body to the manufacturer and is the “fingerprint” for all Ethernet devices.
Using a combination of both the WPA or 128‐Bit WEP encryption and the ACL filter provides the ESTeem an extremely secure wireless networking layer.
Disabling Broadcast Probes and Hiding SSID
A simple but very effective way of securing a network is to make the network difficult to find. By disabling broadcast probes and hiding the Service Set Identification (SSID), wireless and network “sniffers” will not be able to find your ESTeem Horizon network. To gain access to the wireless network, you would be required to have the SSID and all security loaded in the WLAN card software prior to entering the network.
Proprietary Bridge Communication
Although the ESTeem Horizon is compatible with the open communication standards IEEE 802.11g and 802.11b, the repeater communication between the units is a proprietary communication link. No other manufacturer of wireless hardware can access the ESTeem repeater network when bridging between Ethernet networks. This proprietary communication layer, in combination with the other security settings, allows you as the user to reject wireless clients from the network if so desired. When used in conjunction with the Access Control List, the 802.11g and 802.11b client access can be removed.
The security level of the bridge communication link is configurable for 64‐Bit WEP, 128‐Bit WEP or TKIP and is completely independent of the client access level or any other communication link level. For example, an ESTeem Horizon can be configured for WPA Enterprise for client level access, communicate to another ESTeem Horizon using a TKIP bridge link and also communicate 128‐Bit WEP to our older ESTeem Model 192E radio modems all running simultaneously.