User's Manual
APPENDIX D
SECURITY
Revised: 27 Jun 16 APX D-3 ESTeem Horizon Series
Masquerade Modes
When the ESTeem Horizon is configured in either the Access Point Masquerade or the Client Masquerade modes, the wireless modem functions as a network firewall. If access to the wired network is the greatest concern, place the ESTeem in the Masquerade mode and the wireless network will be completely isolated from the wired Ethernet network.
Increasing Network Security
The following are a few suggestions to help improve the overall security of your wireless network:
1. Enable the security. If you research all of the articles regarding hackers, they have gotten into the user's network due to the security not being enabled.
2. Set the ACL filter to include only the MAC addresses of the wireless Ethernet devices being used on the network.
3. Make sure the keys are not reused in your company, since reuse increases the statistical likelihood that someone can figure the key out, and change the default password on your access point or wireless router.
4. As a network administrator, you should periodically survey your company using a tool like NetStumbler to see if any "rogue" access points pop up within your company without authorization. All of your hard work to "harden" your wireless network could be wasted if a rogue AP was plugged into your network behind the firewall.
5. Many access points allow you to control access based on the MAC address of the NIC attempting to associate with it. If the MAC address of your NIC isn't in the table of the access point, you won't associate with it. And while it's true that there are ways of spoofing a MAC address that's been sniffed out of the air, it takes an additional level of sophistication to spoof a MAC address. The downside of deploying MAC address tables is that if you have a lot of access points, maintaining the tables in each access point could be time consuming. Some higher-end, enterprise-level access points have mechanisms for updating these tables across multiple access points of the same brand.
6. Consider using an additional level of authentication, such as Remote Access Dial-In User Service (RADIUS), before you permit an association with your access points through WPA and WPA2 Enterprise.
7. If you're deploying a wireless router, think about assigning static IP addresses for your wireless NICs and turn off Dynamic Host Configuration Protocol (DHCP). If you're using a wireless router and have decided to turn off DHCP, also consider changing the IP subnet. Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router.
8. Only purchase Access Points that have flashable firmware. There are a number of security enhancements that are being developed, and you want to be sure that you can upgrade your access point.
9. A simple security technique used by the military is to have the administrator periodically change the key for the system, i.e., weekly, monthly, etc.
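
The periodic rogue access point survey in suggestion 4 can be checked against an inventory of authorized access points. The following is an added example, not part of the ESTeem manual: the CSV column names, the inventory, the SSID and every MAC address are constructed assumptions and do not reflect the export format of NetStumbler or any other tool.

```python
import csv
import io
import re

# Assumed inventory of authorized access points: BSSID -> expected SSID (constructed).
AUTHORIZED_APS = {
    "02:00:00:00:10:01": "PLANT-NET",
    "02:00:00:00:10:02": "PLANT-NET",
}

# Constructed survey export; survey tools write MAC addresses in differing notations.
SAMPLE_SURVEY = """ssid,bssid,channel,signal_dbm
PLANT-NET,02-00-00-00-10-01,6,-48
PLANT-NET,0200.0000.1002,11,-55
PLANT-NET,02:00:00:AA:BB:01,6,-40
default,02:00:00:AA:BB:02,1,-52
CoffeeShop,02:00:00:AA:BB:03,3,-88
"""

def normalize_mac(raw):
    """Return a MAC as upper-case colon-separated hex, or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_survey(csv_text, authorized, near_dbm=-70):
    """Return (bssid, ssid, reason) for every surveyed AP that needs follow-up."""
    company_ssids = set(authorized.values())
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid, ssid = normalize_mac(row["bssid"]), row["ssid"]
        if bssid is None:
            findings.append((row["bssid"], ssid, "malformed BSSID"))
        elif bssid in authorized:
            if authorized[bssid] != ssid:
                findings.append((bssid, ssid, "authorized AP with unexpected SSID"))
        elif ssid in company_ssids:
            findings.append((bssid, ssid, "unknown AP using company SSID"))
        elif int(row["signal_dbm"]) >= near_dbm:  # assumed "on site" threshold
            findings.append((bssid, ssid, "unknown AP with strong signal"))
    return findings

if __name__ == "__main__":
    for finding in classify_survey(SAMPLE_SURVEY, AUTHORIZED_APS):
        print(*finding, sep="  ")
```

A strong-signal finding only marks an access point for physical follow-up, since a radio survey cannot show whether the device is plugged into the wired network behind the firewall. Because MAC addresses can be spoofed, as suggestion 5 notes, a BSSID that matches the inventory is not proof that the device is the authorized one.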