Thursday, May 13, 2010

IT Jargon explained in English (TechSpeak to NormalSpeak)

Objectives
There are many tools, technologies and concepts emerging in IT almost daily. We do not have time to learn all of them in detail. What we need is a brief and simple explanation of a given term, so that we can understand it without spending too much time. There are dictionaries available for this purpose. However, these dictionaries are best used for isolated referencing. By referring to different terms randomly, you will not get the complete picture.
Therefore, I am providing an easy-to-understand glossary of important terms. I have kept the language simple in order to ensure that, while explaining one term, another difficult term is not required.
This article is useful for
Novices (Everyone is a novice in the topic you are new to!)
Anyone new to the term(s) mentioned here is obviously the target audience. However, that does not mean existing IT professionals are excluded. Nobody can know everything. An expert in VB may still start with ASP For Dummies!
For explaining complex terms to Decision makers or End users
Even if you know the meaning of the term extremely well, there is a catch! You can typically explain it in technical language, NOT in ENGLISH! Most technical people find it difficult to explain technical terms in simple language. As part of your job you will invariably need to do this. Your end users, clients and less experienced colleagues will need complex things explained in simple terms. This glossary will come in handy for that purpose.
Incidentally, this coverage is by no means complete. However, it is a good starting point.
This glossary is NOT in alphabetical order
The items are not listed in alphabetical order. The coverage follows a rough logical order instead. Some apparently non-technical terms are also included in order to maintain continuity.

Information Technology (IT)
This is a collective term. It includes various tools, technologies, products, machines and accessories that are used for various tasks related to computing and automation.
The basic purpose of using all these things is to improve something which was earlier being done in some tedious, cumbersome, costly or inefficient way so that your company objectives or personal goals can be achieved more easily.
There are literally thousands of technologies and tools under this global term. Some categories include hardware (actual computers and accessories), operating systems (Windows NT, Unix, Novell), application software (Microsoft Office, Lotus Notes), utilities (Media Player), browsers (Internet Explorer, Netscape Navigator), peripherals (printers, mouse), CASE tools (Erwin Logic Works), ActiveX components (Sheridan Data Widgets, Leadtools Imaging Control), and so on.

End User
The person(s) who finally use and benefit from a particular IT product. For example, developers use Visual Basic. Thus developers are the end users of Visual Basic. If a developer creates a Payroll system using Visual Basic, the employees of the Payroll department are the end users. The important issue is that typically end users are NOT aware of the complexity of the technology they are using. Therefore, it is important for developers to ensure that the end users can use the applications without learning complex concepts or jargon. A product that is technically brilliant is practically useless if the end user does not comprehend how to use it. If end users did not exist, IT professionals would be extinct!
IT professional (ITP)
A person who is a middleman between end user needs and Information Technology. IT professionals come in many flavors: system analysts, IT auditors, trainers, developers, administrators, etc. However, the basic function remains the same. ITPs are expected to understand the pros and cons of various technologies as well as the user needs. Finally they are expected to select and utilize the right kind of technology for the user needs. This sounds simple. However, typically both user needs and technology keep changing at an alarming pace. Thus keeping the balance between utilizing the correct tool for the appropriate need is a very challenging task. How well you can handle this challenge, on a long-term basis, determines your success in IT.
Competitive Advantage
As mentioned above, users have needs. These needs typically arise out of competition. Better service, integrated and automated business processes, better speed, faster processing, immediate availability of data and similar end user ambitions basically stem from the core desire to face the competition better. Thus the basic purpose of the existence of IT professionals is to ensure that the desired competitive advantage is made available to end users using the right type of tool.
Operating System
This is a piece of software which provides the basic infrastructure for developing and using various automation tasks. The operating system manages baseline functions like user interaction, input from mouse/keyboard, graphics, memory management, security, etc.
Application
This is a program created using some development language. An application automates or simplifies some user need(s). For example, Windows Calculator is a simple application. Erwin Logic Works is a specialized application which helps its end users (database designers, in this case) to optimize database structure. Various types of IT persons manage different aspects of the application's lifespan.
Functional Specifications
This is a document, which specifies the content and behavior of the application being developed. This document forms the base upon which the developers create the application. This document typically contains the user requirements, user interface details, business processes and validations and the application architecture.
Executable File
The final form of an application is a file, which can be run from the Operating System. Executable files are typically shown as icons on the desktop or in the Start menu of Windows.

Dynamic Link Library
These are programs that are not directly executable. Executable programs use the DLLs, whenever required. If multiple executable applications require some common functionality, DLLs are used. DLLs use less memory and are easier to upgrade if the functionality changes.
Suppose we have three independent applications. These use a function to check the time. This function is actually the same, but each of the applications contains a separate copy of it.

Instead of using this approach, we can use the DLL concept by allowing all these applications to share the Check Time part of the application.

As you can see, the size of each individual application has reduced. In addition, changes to the Check Time function need to be made only once. We will cover DLLs in more detail in later articles.
Database
Any application requires some information. This is called data. For example, a clock will need to know what the starting current time is. A large collection of such information is called a database. A database management system is an application which allows you to store and manipulate data in simple or complex ways.
Relational Database Management System
This is a sophisticated version of a database management system which offers many high-end features. It ensures that the information is always accurate, secure and available speedily. There are many RDBMS products today like Oracle, SQL Server, Sybase, Informix, Ingres and so on. These applications typically handle very large amounts of data. Therefore, they are installed on high performance computers or servers.
Database Driver
When data from the server needs to be viewed at a terminal, we require a method of communication between the client terminal and the database server. This purpose is served by an application called a database driver. This driver moves data between client and server.
Open Database Connectivity
When your application uses data from a particular RDBMS, it becomes tied to it. If the RDBMS changes you will need to rewrite your application. This is a major constraint. In order to overcome this problem, the concept of ODBC was propagated. Using ODBC you can write one application which can work with many RDBMS packages without having to rewrite code. ODBC drivers are like database drivers and are typically supplied by the database vendor. Using ODBC you can manipulate, merge and analyze data from different sources.
DAO and RDO
Data Access Objects and Remote Data Objects are two ways of handling data. DAO is typically used to handle local data (on the same machine). RDO is used to handle data from the server. DAO and RDO provide simple commands for information management.
OLE DB
This is a more enhanced and feature-rich version of ODBC. OLE DB allows database developers to access information from complex types of data sources.
Active Data Objects
This is a newer type of technology for accessing data. It is similar to RDO but is less complex to program. It works with a special type of database driver called OLE DB.
Visual Interface
This is the visible part of the application. Menus, forms, report, buttons, etc are called the interface. The end user interacts with the interface to perform various tasks.
Business Logic
Rules, policies and methodologies for how data is to be manipulated are called the business logic. For example, in a clock application, you cannot display more than 59 minutes. Similarly, in a banking application you cannot withdraw more money than your current balance.
Monolithic (Single Tier) Application
This method of making applications puts the business logic, data and visual interface in a single executable. This runs on a computer as a self-contained entity. The problem with this approach is that if the data, logic or interface changes, you have to keep rebuilding the application. If this application is being used by many users, you have to physically replace the older application with the newer one.
Two Tier (Client Server) Application
Here the data is stored on the server and the client application contains the business logic along with the visual interface. Large data handling is performed very speedily because the server is a more powerful computer. Some business logic is also stored along with the data whenever feasible. For example, business logic which says that age can be between 0 and 100 is better stored on the server than duplicated in hundreds of client applications.
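As an added illustration (not from the article) of the age rule above, using Python's sqlite3 module as a stand-in for the RDBMS server: the rule lives with the data as a CHECK constraint, so a client that sends a bad value is refused whatever its own code does or omits. The table and column names are this example's own.

```python
import sqlite3

# Constructed schema (an assumption): the validation rule is stored with the
# data as a CHECK constraint, so every client is subject to it, whether or not
# the client application validates anything itself.
SCHEMA = """
CREATE TABLE employee (
    id   INTEGER PRIMARY KEY,
    name TEXT    NOT NULL,
    age  INTEGER NOT NULL CHECK (age BETWEEN 0 AND 100)
);
"""


def open_server_db() -> sqlite3.Connection:
    """An in-memory SQLite database stands in for the database server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def client_insert(conn: sqlite3.Connection, name: str, age: int) -> bool:
    """A client with no validation of its own. Returns True if the server
    accepted the row, False if the server's rule rejected it.
    Values are passed as parameters, never pasted into the SQL text."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO employee (name, age) VALUES (?, ?)", (name, age)
            )
        return True
    except sqlite3.IntegrityError:
        # CHECK constraint failed: the server refused the out-of-range age.
        return False


def stored_ages(conn: sqlite3.Connection) -> list:
    """Ages the server actually holds, in insertion order."""
    return [row[0] for row in conn.execute("SELECT age FROM employee ORDER BY id")]
```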
Three Tier Application
This type of application stores data on the server, business logic either on the server or the client, and the visual interface on the client. The main difference is that the executable application does not contain the business logic. The logic is a separate application. Typically it is a special type of DLL (see above). This arrangement makes it easier to change the application. It also improves the speed of operations. Business logic can now be run on powerful servers rather than modest clients. Similar business logic can be shared by many applications using this approach.

Multi-tier application
This is a more sophisticated version of three-tier application. Here the business layer is split into multiple layers. This provides higher performance and better manageability if designed properly.
COM Component
In a three-tier application, business logic is available as a shared resource. One way of implementing this shared resource is using a component. Each component behaves in a predictable, predetermined way. Its behavior can be manipulated using some characteristics and commands. For example, if there were a component called Stopwatch, it would have characteristics like Elapsed Time, Lap Time, etc. Similarly it would understand commands like Reset Stopwatch, Start, Stop. The characteristics are called Properties and the commands are called Methods.
Dynamic Data Exchange
When two applications want to exchange pure text information, this method of communication is used. This allows one application to talk to another application without either needing to know details about the other. For example, if a word processor needed to pick up the name and address from a spreadsheet, DDE could be used. Apart from data, you can give some commands to the other application using DDE. Currently DDE is not used often because more usable and flexible methods of inter-application communication are now available.
Document
This is a conceptual representation of a similar type of information. A spreadsheet, a letter written in a word processor, a picture drawn in an image editor, and a page on the Internet are all examples of documents.
Compound Document
This is a special type of document, which allows another type of document to be mixed with it. For example within a letter you can add a picture.
Object Linking and Embedding
This is a technology by which part of one type of document can be attached or inserted into another type of document. The base document does not need to know how to handle the inserted document. For example, a word processor does not know how to draw and edit pictures. But when you embed a picture in a word processor, the picture is displayed along with the text. Moreover, OLE allows you to edit the picture while it is inside another document. In short, OLE allows you to create compound documents. Although this jargon is very heavy and difficult, most of us use compound documents quite frequently.
ActiveX Technology
This is another way of providing reusable applications. Suppose you are an expert in drawing various types of graphs. You want to make money using this skill. You will typically create a separate application where users can enter data and draw various graphs. Now there are thousands of types of users who may want to draw different graphs. Doctors, architects, engineers, planners and scientists all want to draw graphs for their own special needs.
To satisfy all of them you will have to understand a little about the needs of each profession and create a special application optimized for each one of them. This is not very easy to achieve because your skill lies in graph drawing and not in metallurgy or geography. Thus you will waste your time trying to capture all the market potential while spending less and less time on perfecting your graph drawing skills.
Instead there is a better approach. All that you do is create a component called Graph Component. This has all the features you can provide for drawing all types of graphs. Any developer who wants to create a custom graph package for any type of end user can use this component. Now there are two immediate advantages. The developers do not need to reinvent the wheel because they are directly using your expertise in graph drawing. They won’t mind paying a small sum for this. On the other hand, you can fully concentrate on your core skill and not attempt to learn other unrelated disciplines. You can create upgraded versions of your component and add more features. This is reuse of technology. Components made in this way are called ActiveX components.
OLE Automation
This is a methodology by which one application can control another application using programming. For example, you have a large document containing 50 headings. You want to make a slide show in which each slide contains only the heading. Normally you would have to cut and paste 50 times.
Data Warehouse
It is a large store of information derived from the data within your organization. The data warehouse allows you to analyze information based upon various parameters, geographical locations, time periods, etc. The information can be easily rearranged to perform detailed analysis.
Data Mining
Mining is the process of using a warehouse database to derive business-related conclusions, trends, forecasts, etc using various tools including statistical methods.
Dumb Terminal
Typical UNIX terminals which were popular a few years back. They are called dumb because the terminal does not perform any processing or calculations. It simply displays information on the screen. It also reads the keys pressed by you and sends them to the server, which interprets the keys and converts them into actions.
EDI
Electronic Data Interchange is a worldwide standard method of communicating business information between two companies. The information could be a purchase order, invoice, bill, etc. The information is exchanged in a predetermined format so that each company understands what the other company has sent. EDI can then talk to your order processing or accounts system internally and perform further actions like dispatch of material and billing.
Internet
The Internet is a large network of computers across the world which is accessible to any subscriber. The Internet was initially used for publishing information and content. Nowadays, the technology is also being used for actual business transactions, email, subscription-based services and many other functions.
The most important advantage of the Internet is that it allows you to connect to any place from any other place at a very low cost. In addition, the Internet provides a simple but effective method of interacting with the target audience in a very quick and efficient manner.
The Internet is becoming more and more popular as the preferred platform for developing standard line-of-business applications.
The Internet consists of one or more web servers connected together and many browsers.
Web server
A web server is software which allows you to publish content, information, multimedia, etc. on the Internet. Clients (users of the web site) connect to the web server using special protocols. The web server manages the client connections, security, application loading and display of information. Web servers which participate in business applications can also be configured to access data in external databases.
IP Address
A web server is identified by its web address like www.webserver.com. Internally, it is actually a four-part number like 202.33.1.19, which identifies any internet server in the world. This number is called the IP address.
Worldwide, an international body called InterNic allocates these IP addresses. This ensures that no two servers have the same IP address.
Intranet
It is a web server which is used only within your organization. It is not listed on the Internet. An Intranet is typically used for automating internal tasks like disseminating information, sending and receiving group messages, publishing documents on the web, line-of-business applications, workflow and so on. External persons like customers, vendors, etc. cannot access the Intranet.
Extranet
An Extranet is a proper web server. However, apart from your employees and business associates (vendors, marketing staff, customers), nobody has access rights to the Extranet. At the same time, an Extranet is accessible from anywhere, in the same way as any other Internet server. Therefore, you can cover all your key contacts using an Extranet without having to spend on a large wide area network.
Extranets are used for applications like external vendor procurement, vendor queries, customer queries, etc.
E-commerce
All of us use some software for tasks like financial accounting, invoicing, order processing, dispatch, etc. All this software is typically loaded on machines within your office premises. The customers, vendors or other related parties may require information from this software. For example, the customer may want to know the dispatch details of a consignment or the progress of the manufactured item. Similarly Vendors may want to know your inventory levels and the projected consumption so that they can keep their material ready.
To answer such queries, traditionally, you had to talk to the customers on phone and then use the in-house software. This is cumbersome and inconvenient. If there are thousands of customers, it is difficult to have dedicated staff for just answering queries.
E-commerce is a method of making software which enables your business functionality to be available to a target audience outside your organization. This means potential customers can directly use any browser and look at products on sale using an internet connection. They can even place orders, track order dispatch status and provide feedback.
This can occur without any person manning this service in your office. In addition, this service would be available 24 hours a day.
Thus E-commerce is a new method of software development which bridges the gap between the supplier and the consumer.
Business to Business Application
A software application which automates the process of one organization performing business transactions with another organization. Manufacturer and supplier, vendor and dealers, agents and primary supplier, manufacturer and transporter are different types of business-to-business relationships.
Even today there is a lot of communication between these entities. For example, when a manufacturer wants to procure some raw material, a fax or document has to be sent as a purchase order. The vendor will then enter the details of the purchase order into his own internal order processing system. After this is done, the status of the order execution and dispatch will be faxed back to the manufacturer. At each stage manual intervention is required, and at each stage there are delays and bottlenecks.
Using the latest tools and technologies like COM and web programming, it is possible to automate these tasks. The manufacturer can directly place an order electronically with the vendor. The order will be automatically transferred into the order processing system of the vendor. The manufacturer will automatically get relevant progress information. At any point of time, if the manufacturer wants to know the status of the pending order, he can simply go to the vendor web site and perform various queries using an E-commerce application.
Order amendment, cancellation, etc. can be implemented using the same methodology.
This method of developing and integrating applications provides a very simple but efficient mechanism of improving the response times, productivity, minimizing inventory and increasing competitiveness.
Site Server
A specialized web server which allows you to create business-to-business applications which integrate well with in-house systems. It also provides you facilities for creating membership-based authentication for accessing information on your web site.
Site Server provides sophisticated methods of providing online purchase store functionality for consumer goods and services.
HTML
HyperText Markup Language. This language is used to publish and display information on the web. The web browser understands this language and acts accordingly.
This language specifies the display formats like the placement, colors, fonts, size, special effects, buttons, captions, images, etc.
For example:
<b>Sample Text</b>
This HTML code specifies that the text “Sample Text” should be displayed in bold. Thus the browser will display it as follows.
Sample Text
This language is used for creating web pages containing any kind of information, pictures, diagrams, audio, video and animation.
Hyperlink
Web pages contain links to other related information. When you click on a link, your browser displays the page referred to by the link.
The links look like this:
More information about this subject.
Hyperlinks make the web a very powerful medium for publishing large amounts of complex information with cross-linkages.
Knowledge management
A system which allows an organization to document subject knowledge, experiences, troubleshooting and preventive information and any other reference material which is useful. On many occasions, such information is either not captured or is available only to a few selected persons. Thus the organizational knowledge is very poorly utilized. A knowledge management system is a structured method of capturing, tagging, storing, searching and retrieving organizational experience and skill sets.
Using KM ensures that mistakes made once will not be repeated, and that a skill acquired by one person will not have to be re-learnt by another.
KM is a concept. It can be implemented by various means. The simplest would be a shared directory containing well-created documents with proper keywords. You can use a structured public folder in the messaging system for the same purpose. Higher-end systems can also use Site Server, Office 2000 and the workgroup editing features to create a dynamic web-based knowledge base.
Knowledge Worker
Employees whose job profiles require them to analyze and manipulate information to manage the business in a more effective manner. Personal productivity tools are very important for this group of people. In addition, data from a multitude of sources must be made available to these persons in an easy-to-use manner. The complexity of handling data should be hidden from them. Searching for the right piece of information is important. Therefore, powerful end-user-level search tools must be provided for knowledge workers.
OLAP
Online Analytical Processing. A database, which is capable of handling complex ad-hoc queries, typically used by Knowledge Workers. It also provides complex calculations, multidimensional viewing of data and faster indexing techniques.
EIS
Executive Information System is a set of tools designed to organize information into categories and reports for senior executives. Nowadays, it is known as Enterprise Information System.
Internet Portal
A web site which is the starting point for the web surfer. This typically provides extensive search, many consumer services, the latest news, a customizable layout and many more features which simplify your web browsing experience. MSN, Yahoo and AOL are some examples. There are general-purpose portals and special portals. People with specific interests or professions use special portals. For example, there are portals for music, medicine, sports, technology, etc.
ERP
Enterprise Resource Planning is software used in an organization to coordinate sales and order information with the manufacturing process in order to perform accurate scheduling and inventory management and to utilize full capacity.
ERP requires integration across all functions relating to the manufacturing process. ERP is typically available as an off-the-shelf product. Thus it minimizes the time required for installing a fully functional application. However, ERP is typically costlier than developing a custom solution locally.
XML
This is an updated version of HTML. HTML is primarily used for describing how things are to be displayed on a web page. XML describes the information contained in the page rather than its appearance.
For example, if you view the following on a web page,
Age : 30
“Age” is just text and 30 is a number which can be edited by the user. You know that the number 30 pertains to age because it is visually next to it. However, if there was just the number shown,
30
in this case you would have no way of knowing what this number represents.
XML allows you to internally specify that this 30 is the age. You can then use this information for formatting, searching, sending understandable information between two companies and so on.
Thus XML describes data on the Web. XML is the most important method of exchanging information over the web from any source to any destination. This will simplify transactions between different companies and entities.
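An added example, not from the article, covering both the XML passage above and the earlier business-to-business scenario: the manufacturer's purchase order is sent as XML, and the vendor's side reads the labelled values and checks them before anything reaches its order-processing system. The document, element and attribute names are this example's own constructed convention.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a purchase order as one company would send it to
# another. Each value is labelled by its element or attribute, so the
# receiving program knows what "30" or "500" means without a screen layout.
ORDER_XML = """<?xml version="1.0"?>
<purchase_order number="PO-1001">
  <buyer>Example Manufacturer</buyer>
  <contact>
    <name>A. Clerk</name>
    <age>30</age>
  </contact>
  <item sku="BOLT-M8" quantity="500"/>
  <item sku="NUT-M8" quantity="450"/>
</purchase_order>
"""


def describe_age(age: int) -> str:
    """The page's "Age : 30" case: wrap the bare number in XML so that
    its meaning travels with it."""
    contact = ET.Element("contact")
    ET.SubElement(contact, "age").text = str(age)
    return ET.tostring(contact, encoding="unicode")


def parse_order(xml_text: str) -> dict:
    """Vendor side: turn the order into plain Python values and reject
    anything malformed before it is handed to the order-processing system."""
    root = ET.fromstring(xml_text)
    if root.tag != "purchase_order":
        raise ValueError("expected a <purchase_order> document, got <%s>" % root.tag)
    number = root.get("number")
    if not number:
        raise ValueError("purchase order has no number")
    items = {}
    for item in root.findall("item"):
        sku = item.get("sku")
        quantity = int(item.get("quantity", "0"))
        if not sku or quantity <= 0:
            raise ValueError("invalid line item: sku=%r quantity=%r" % (sku, quantity))
        items[sku] = quantity
    if not items:
        raise ValueError("purchase order has no line items")
    return {
        "number": number,
        "buyer": root.findtext("buyer", default=""),
        "contact_age": int(root.findtext("contact/age", default="0")),
        "items": items,
    }


def order_is_acceptable(xml_text: str) -> bool:
    """True if the document passes every check in parse_order."""
    try:
        parse_order(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```

Documents arriving from another company are untrusted input; the standard library parser is documented as not secure against maliciously constructed data, so use the defusedxml package in place of xml.etree for such input.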
Y2K Problem
Inability of some software and hardware to understand that year “00” means 2000 and not 1900. This simple omission can make many systems misbehave, calculate wrong results or completely stop operating. Each company needs to ensure that the computers, software, network equipment and other electronic gadgets in use by them are Y2K compliant. Some packaged software products provide free patches for making them Y2K compliant. Software written in-house must be tested and modified to ensure that the above-mentioned problem does not hamper the business processes.
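An added example (not from the article) of the defect itself and of the sliding-window fix that was a common remediation: a naive parser reads year “00” as 1900, and an interval calculation built on it silently goes wrong. The six-digit record format and the pivot year of 70 are assumptions of this example.

```python
from datetime import date

# Constructed sample records: a two-digit-year field as an older system might
# store it ("YYMMDD"), alongside the real date each was meant to encode.
SAMPLE_RECORDS = [
    ("991231", 1999, 12, 31),
    ("000101", 2000, 1, 1),
    ("100513", 2010, 5, 13),
]


def _split(field: str):
    return int(field[0:2]), int(field[2:4]), int(field[4:6])


def parse_yymmdd_naive(field: str) -> date:
    """The Y2K defect: the century is assumed to be 1900, so "00" becomes
    1900 rather than 2000."""
    yy, mm, dd = _split(field)
    return date(1900 + yy, mm, dd)


def parse_yymmdd_windowed(field: str, pivot: int = 70) -> date:
    """Sliding-window fix: two-digit years below the pivot are read as
    20xx, the rest as 19xx. The pivot (70 here, an assumption) must be
    chosen so that every date the system really holds falls in the window."""
    yy, mm, dd = _split(field)
    century = 2000 if yy < pivot else 1900
    return date(century + yy, mm, dd)


def days_between(start: str, end: str, parser=parse_yymmdd_naive) -> int:
    """Interval arithmetic, the kind of calculation that misbehaves when
    the century is inferred wrongly (e.g. an interest or age computation)."""
    return (parser(end) - parser(start)).days


def check_parser(parser) -> list:
    """Return the sample fields that the given parser decodes incorrectly,
    a simple compliance test to run over a system's own date handling."""
    return [
        field
        for field, y, m, d in SAMPLE_RECORDS
        if parser(field) != date(y, m, d)
    ]
```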
Euro Symbol
Recently the European Union introduced a uniform currency called the Euro in Europe. Earlier each country had its own currency. This change requires drastic changes to be made to any kind of software which deals with European currency so that it understands the new currency. Some keyboards do not even support the Euro symbol. Many banking and financial systems need to be thoroughly checked and modified to accommodate this change.
GroupWare
A type of software or system, which allows multiple members of a project, team or group to work together, even though they are physically working at different locations. GroupWare makes it simple to manage your time, fix appointments, collect information from many team members, and perform online or offline meetings, share documents and other content and share knowledge.
Workflow
A method of developing software where business processes are converted into automated work modules. The software works in a serial manner, similar to manual business processes. However, completion of one step automatically leads to the initiation of the next step. The person(s) responsible for taking action on a specific process are notified using Email so that the response time can be minimized. Workflow systems typically require integration between messaging, database and web systems.
Messaging System
This type of software provides you with Email functionality within as well as outside the organization.
Email
A method of communicating information with each other using a messaging system. Messages can contain text, graphics and files. More advanced methods of communication support formatted text, embedded objects and source code.
Mailbox
A place in the messaging system where the mail received and sent by you is stored. A mailbox can contain multiple folders created by you. The mailbox stores your mail till you file it in folders or delete it. Mailboxes can be stored on the main server or on your local computer. If you are not in a position to connect to the mail server because you are away from the office, you can create an offline mailbox. You can then make any type of change to your mailbox copy on the local computer. When you connect to the main server later, the changes made by you are reflected in the main mailbox. This is called synchronization.
Public Folder
A folder which is accessible to all members having access rights. A public folder is similar to the private mailbox-based folders. However, it has one additional feature called replication. Suppose you have many offices containing Exchange in multiple cities. You will want circulars and other bulletins created in HO to be sent automatically to branch offices. This can be done by creating a public folder called “circulars” and making this folder replicate itself automatically to all other sites.
Discussion Group
A feature where many persons from a group can conduct a discussion on a given topic in an offline manner. This means it is possible for one person to create a topic for discussion and others can post their replies in the folder. More persons can even reply to the replies. This can continue as long as necessary. A new member joining the team can quickly understand what discussion has taken place so far by just browsing through the folder.
This discussion can occur even across multiple sites.

An IT Mantra: The DEFRAG Principle

It is all right to be technically equipped with knowledge, but the application of that knowledge combined with people skills, i.e. the human side of enterprise, plays a crucial role in the evaluation of an IT professional.
Over the last 15 years of working within the IT industry and managing teams in England, India and Australia, I have devised a principle which I believe, if implemented by IT consultants, will go a long way in increasing their productivity and keeping them self-motivated in the stressful and demanding occupation of an IT professional.
I call it the DEFRAG principle and will take each letter in turn and briefly explain its definition and importance.
D = Discipline: I strongly believe that an IT Professional must have the discipline to deliver outcome and not short cut the processes.
E = Environment: This refers to the operating environment and it is absolutely imperative that both physically and culturally the environment be conducive to high performance.
F = Focus: One of the essential objectives is to be able to focus on the important factors not the ‘white noise’ – emotions, complaints, blame etc.
R = Resources: Without essential resources there is no way that one can achieve success. Do you or your team have the ‘right’ resources to achieve the outcome?
A = Attitude: A positive attitude is an important aspect of an IT Professional. One must complete each task to a degree of excellence – near enough is NOT good enough – always remember attitude will surpass aptitude every day.
G = Goal: Stay clear about the end goal – don’t get lost and bogged down in the minutiae of the moment.
I firmly believe that formulating such principles in your workplace and trying to abide by them often gives you a set of directions and provides you with an effective path to success.
So the next time you’re at a client site or fixing a PC, designing a network or setting up a server or wireless network, remember before you defrag the computer don’t forget to defrag your mind!

Guide to Wireless Security

Setting up a wireless network is incredibly easy. There’s no cable to pull, no holes to drill; just plug in your wireless access point (AP), let your wireless connection manager auto-associate, and you’re online. Unfortunately, so is every other person who happens to be within broadcast range of your AP, and that’s where your trouble starts.
Every business has information that must be kept private. Trade secrets, source code, or even the company’s accounting books can find their way into nefarious hands all too easily. If you have customer data stored on your network, it’s even more imperative to lock down access. A few credit card numbers escaping into the wild can permanently damage your customers’ trust; just the possibility of credit card number theft can trigger regulatory disclosure procedures in some states. And wireless network access doesn’t stop at your business’s walls; if your network is open, anyone can squat in your parking lot and hop online.

The Threat
Know your enemy! There are three basic types of bad guys you need to guard your network against: thrill seekers and war drivers, bandwidth thieves, and knowledgeable attackers.
Thrill seekers and casual war drivers are the folks who drive around with a laptop, looking for wireless networks to hop on to. They often don’t do any damage; they’re motivated by the thrill of trespassing electronically. The simplest of security measures is usually enough to deter them, particularly if there are other open networks around.
Bandwidth thieves know exactly what they want. Maybe they’re sending bucketsful of spam, maybe they’re downloading pirated movies or porn. Whatever they’re doing, there’s a reason they want to do it on your network instead of their own—they don’t have to worry about being traced, they don’t have to bear liability for their actions, and they don’t have to pay for the bandwidth they use. Because they profit from intrusion, they’re more willing to crack their way into your network, but just like the thrill seekers, they’re looking for the easiest option available.
Serious, knowledgeable attackers are rare, but scary. Either they want the data on your network or they’re looking to cause you harm. They won’t be deterred by casual security measures because they aren’t looking for easy targets. They want valuable information that only you have, they expect it to be at least lightly guarded, and they’re prepared to work hard to gain access or even to break your network completely.
It’s easy for bad guys to become even more evil in a hurry, and network security is only as strong as its weakest link. In a recent case that got a lot of publicity, three war drivers discovered that a national retail chain store in the Midwest was using wireless pricing scanners. There was no human client access, just automated data transfer from the point of sale system. However, the transactions weren’t encrypted, and the AP used the default administration password, so the attackers were able to access the store’s general network. They installed a small program on one of the corporate servers that would capture credit card numbers to a text file, which they could easily retrieve from the parking lot. The three thieves were eventually caught and sentenced for fraud, but you don’t want your business to gain this kind of publicity.

Three Sample Scenarios
Coffee Shop with Hotspot Access
1 You’re setting up a network as a service to your customers, to get them to come more often, stay longer, and drink more coffee. Your users can be anyone who stops in with a laptop, so ease of use is most important. Because you’re operating a public network that you want people to connect to, there’s really not a whole lot you can or need to do. Trying to configure any form of authentication or encryption will drive away customers. You certainly don’t want the hassle of maintaining a user database and requiring people to log in. Recommended solution: get an AP that supports client isolation to help protect clients from each other. And keep this network completely separate from your internal store network, if you have one.

Small Accounting Firm
2 You’re setting up a network so that your three employees can easily share work and files. Your users are those three employees, plus you, so a little client configuration isn’t an issue. In addition to war drivers and bandwidth thieves, you need to protect your customers’ financial data. Recommended solution: make sure all your wireless equipment is new and supports the latest features and protocols, then configure WPA-Personal. Choose something other than a dictionary word for your preshared authentication key.
Our rubric is to choose a passphrase—a complex sentence (with upper and lower case letters, numbers, and special characters) that is easy to remember but difficult for others to guess. For example, "To be, or not to be? That is the question." Also, make sure your AP has an option to turn off client isolation, or the collaborative side of your network will be lost.

Law Firm with Guest Access
3 Your back office has wireless so that all the lawyers, paralegals, and assistants can easily share files and work on cases together. You are also offering guest access so that visiting clients or attorneys can easily access their own files. Security here is unbelievably vital; if your clients' legal records get out, you won’t just lose business, you can be disbarred or suffer criminal legal consequences. Recommended solution: build two wireless infrastructures. Use high-quality APs that support WPA2-Enterprise and dual Service Set Identifiers (SSIDs), one for your back office and one for guest access.
Configure the employee side to use WPA2-Enterprise for authentication and encryption. You'll need a RADIUS server (just run Internet Authentication Service on your domain controllers for simplicity) and updated client software (Windows XP SP2, at least). If you use EAP-TLS for authentication, you’ll need digital certificates too.
Configure the guest side as an open public network. Again, your guests won't be able to easily integrate with protocols like WPA-Personal or WPA-Enterprise, so save them (and yourself) the trouble. Make sure that you permit outbound Virtual Private Networking (VPN) through the guest side, so that they can connect back to their own corporate networks to retrieve data.


The Basics
Wireless network security isn’t a one-size-fits-all proposition. Before you can even think of implementing a security design, you have to consider several questions.
Who are your users? Are they your employees or your customers? How much configuration will users be willing to go through? Will they always be the same people, or will you have different people using the network every day?
Why are you installing a wireless network? Do you want to share files between employees? Do you want a gateway to the Internet? Do you want to be able to offer wireless access to your customers to get them through the door? Are you looking to replace an aging Token Ring cable plant in your facility?
What are you trying to protect? You don’t need to have security that the Pentagon would envy. What you need is enough security that breaking into your network is more trouble than the data inside is worth. Credit card numbers, source code, medical or legal records—those are all worth a lot. The employee handbook or the shift schedule? You might think these have little value, but to someone engaged in social engineering these resources contain highly useful information about the practices of your organization and the habits of your employees. Even your bandwidth is valuable. But remember that clever intruders can find their way to unexpected places, so make sure you aren’t putting more at risk than you think you are.
Before we get into the ins and outs of authentication servers and encryption protocols, there are some very basic, very easy steps to take that can substantially reduce your risk of intrusion.
Change your passwords It’s been said before, but it’s worth repeating: change your AP’s default administrator password, particularly if it’s "admin," "password," or null. Do it for every AP, every time. These passwords are widely known, and if you give someone administrator access to your AP, you might as well just leave printouts of your company data in a cardboard box on the curb.
Change IP addresses Different brands of APs use different WLAN IPs and different DHCP ranges. These are also user-configurable, and you can change them from the default to something that’s less likely used. Again, it gives less information about your AP to someone who’s up to no good. It doesn’t gain you very much security, but it’s easy to do and has no negative impact on your users, so it’s worth considering. Note, however, that your choice of addresses must work with the addressing scheme you’ve used in the rest of your network. If you aren’t responsible for maintaining IP addresses, work with the people in your organization who are. You can’t just randomly choose any IP address and expect it to work.
Use client isolation Some APs include a feature that prevents wireless clients from communicating with each other. Typically, in a corporate environment or in a workgroup, you’ve already instituted other mechanisms to either allow or prevent client-to-client communications, so this feature wouldn’t be important to you. But if you’re building a wireless hotspot or other public wireless network, look for APs that support client isolation and be sure to enable it. This helps keep poorly configured computers from attacking other computers on the network.

How Not to Secure a Wireless Network
There is a lot of bogus wireless security advice circulating the Internet. It gets repeated often in articles and seminars because, well, "it sounds good." Let’s dispel a couple common wireless security myths right now.
Hide your SSID The Service Set Identifier (SSID) in your AP is nothing more than a name. It was never intended to be a password, yet people have turned it into one by disabling its broadcast, thinking this makes their network more secure. This couldn’t be less true. Every time a client associates to an AP it includes the SSID in the association message—in clear text, visible to anyone with a wireless sniffer. So go ahead and let the SSID broadcast. Windows® XP zero configuration requires it, the 802.11 specification mandates it, and the kind of good wireless security we recommend here makes it such that it doesn’t matter that the SSID is visible.
Filter MAC addresses Media Access Control (MAC) address filtering sounds great in theory. Every network device in the world has a unique MAC address, so by restricting which MAC addresses can associate with your wireless network, you’re eliminating the possibility of intruders, right? No. The problem is that the MAC address is sent with the header of every packet, outside any encryption that’s being used, and packet analyzers are widely available, as are MAC spoofing applications. It’s also a hassle from the administrative end, since every new device that connects to the network has to be entered into the AP by the systems administrator. Save yourself the hassle and just avoid this so-called feature.

Access Control
After you’ve taken care of the basics, you can start looking at how you’re going to control access to your network. Start at the physical layer. Don’t make the AP physically available. It’s all too easy to reset the AP to its default settings. Once you know the make and model of the AP, the defaults are simple to figure out—often they’re printed on the bottom of the AP itself.
Some APs offer basic username/password authentication within the AP itself. Setting it up is simple; just enter your username/password pairs in the AP, or upload them from a text file on another machine. Access control is per-user, not per-device. These APs are easy to use, but are often substantially more expensive than standard equipment and may not support more than about 15 or 20 different users. They also lack integration with any directory system you’re using (such as Active Directory®), so requiring users to remember yet another ID and password won’t go over too well.
For more robust per-user access control than you can get within an AP, look to an external server authentication solution like Remote Authentication Dial-In User Service (RADIUS). By itself RADIUS won’t do anything to help you. But because advanced wireless security protocols like Wi-Fi Protected Access (WPA) (see the section on encryption that follows) can use RADIUS for user authentication, you can start to build an environment that integrates more smoothly with the rest of your network. RADIUS servers don’t necessarily have to be costly to set up. Internet Authentication Service (IAS), included in Windows Server 2003, is ideal for companies using Microsoft software.
As fast as access control solutions appear, ne’er-do-wells attempt to find ways to get around them. One of the most successful and frightening has been labeled the evil twin problem. In this scenario, someone sits out in your parking lot with a laptop running a Web server and an AP with a high-powered antenna on it. The thief configures the AP with your SSID, and configures the Web server to proxy and log transmitted information. The evil twin probably has a stronger signal because of the high-gain antenna, so users will associate with the false SSID instead of the true one. And any clear-text Web traffic, say, logging into something that isn’t protected with Secure Sockets Layer (SSL), will be visible to the attacker.
Now is this really a problem? It depends on what security measures you have in place. If you rely on plain old Wired Equivalent Privacy (WEP) then this is a problem. But if you’re using more sophisticated protocols, like dynamic WEP or WPA, then the problem goes away. These protocols incorporate a principle called mutual authentication. Not only does the client authenticate to the network, but the network authenticates to the client—either with a digital certificate from the RADIUS server or by the AP’s knowledge of an authentication key. Because the attacker can’t get access to the certificate or the key, your clients will refuse to connect to the evil twin. The attacker has created a denial of service problem, but can’t intercept your traffic.

Encryption
Now we can get to the nitty-gritty of security—protecting your data transmission with encryption. There are a lot of different encryption algorithms available, each with their advantages and disadvantages, and they’re not all interchangeable. The more you know, the more easily you can pick the right solution to suit your needs.
Static WEP is the first that comes to mind when people think of wireless encryption. It’s an old standard, supported by just about every wireless network device out there, so there are no worries about compatibility. It has two big disadvantages, though. The first is that it requires every user and every device to enter a long hexadecimal string to make connections. (Some devices support ASCII passkeys, but not all.) The second is that it’s become trivially easy to crack. With modern attack tools it takes only about 500,000 captured frames to perform statistical analysis against the data and recover the key. Given a fully utilized AP processing 1,500-byte frames (the typical size), you can capture 500,000 frames from an 802.11b network in just over eight minutes, and from an 802.11a or 802.11g network in less than three minutes.
Despite its pervasiveness in nearly all wireless equipment, static WEP has reached the end of its productive life. Don’t use it. Instead, choose from one of the alternatives described here. If compatibility is most important, use dynamic WEP. If you can’t support using a RADIUS server, use Wi-Fi Protected Access (Pre-Shared Key) (WPA-PSK). This means you might need to upgrade your wireless hardware and client operating systems.
Dynamic WEP with 802.1X+EAP is a combination of protocols that addresses some of the flaws in static WEP. Dynamic WEP uses a combination of the 802.1X and EAP protocols (along with a RADIUS server) to authenticate the user and optionally the computer, create a unique WEP encryption key for each associated computer, and rotate all keys at a time interval you specify. How often? Because WEP is still the foundation for encryption, you need to consider the 500,000-frame problem described before. So your time interval would be eight minutes or two minutes (or less), depending on your hardware.
One exceptionally cool thing about dynamic WEP with 802.1X+EAP is that, in Windows XP SP1 and later, it integrates with the domain logon process. Domain-joined computers are often configured with Active Directory group policies that are applied when the computer logs on, before the user does. It’s important that your wireless infrastructure permit the same behavior. In the supplicant built into Windows XP, 802.1X+EAP handles the domain logon process and allows group policy to apply. Keep this in mind when evaluating wireless security alternatives.
You have a choice of authentication methods with 802.1X+EAP. EAP-TLS and protected EAP (PEAP) are the most popular. EAP-TLS requires digital certificates on all clients and on all RADIUS servers. These certificates are used for computer and user authentication. PEAP allows the use of computer and user domain accounts (IDs and passwords) for authentication, though in this case the RADIUS server still presents a digital certificate to the client.
Dynamic WEP is better than static WEP because it eliminates most of the conditions that make static WEP so unsafe. Although 802.1X+EAP can do some cool things, know that dynamic WEP never became a true standard, and should be avoided if possible because it doesn’t eliminate all flaws. 802.1X+EAP combined with WPA (discussed next) is really where you should be heading.
WPA is the next generation of wireless encryption technologies. It’s both more secure and easier to configure than WEP, but most network cards made before mid-2003 won’t support it unless the manufacturer has produced a firmware update. WPA replaces WEP with an improved encryption algorithm called Temporal Key Integrity Protocol (TKIP). TKIP supplies each client with a unique key and uses much longer keys that are rotated at a configurable interval. WPA also includes an encrypted message integrity check field in the packet to prevent denial-of-service and spoofing attacks, something that neither static nor dynamic WEP can do. WPA operates both with and without a RADIUS server.
WPA-Personal uses a preshared authentication key that is configured on each device. Unlike WEP, this can be any alphanumeric string and is used only to negotiate the initial session with the AP. Because both the client and the AP already possess this key, WPA provides mutual authentication, and the key is never transmitted over the air.
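A simplified WPA-Personal four-way handshake (messages 1 to 3) covering both this paragraph and the evil twin discussion in the Access Control section; this is an added example, not code from the original article. The PMK, PTK and MIC derivations follow IEEE 802.11i, while the SSID, MAC addresses, passphrases and message bodies are constructed, and the MIC is computed over a simplified body rather than the full EAPOL-Key frame.

```python
import hashlib
import hmac
import os

# Constructed sample values; not from the original article.
SSID = b"example-office"
GOOD_PASSPHRASE = b"To be, or not to be? That is the question."
AP_MAC = bytes.fromhex("02aa11aa11aa")
STA_MAC = bytes.fromhex("02bb22bb22bb")


def pmk_from_passphrase(passphrase, ssid):
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max MAC || min/max nonce).
    Its first 16 bytes are the Key Confirmation Key (KCK) that MICs the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def key_mic(kck, body):
    """TKIP EAPOL-Key MIC is HMAC-MD5 under the KCK (simplified to cover `body`)."""
    return hmac.new(kck, body, hashlib.md5).digest()


class AccessPoint:
    def __init__(self, passphrase, mac):
        self.pmk = pmk_from_passphrase(passphrase, SSID)
        self.mac = mac
        self.anonce = os.urandom(32)

    def message1(self):
        # Message 1 carries only the AP nonce; the PSK itself never leaves either side.
        return self.anonce

    def on_message2(self, sta_mac, snonce, mic2):
        """Check the client's MIC, then build message 3 with the AP's own MIC.
        A conforming AP stops when `accepted` is False; message 3 is returned anyway
        so the demo can show the client rejecting an AP that lacks the key."""
        self.kck = derive_kck(self.pmk, self.mac, sta_mac, self.anonce, snonce)
        accepted = hmac.compare_digest(key_mic(self.kck, snonce), mic2)
        body = b"install-ptk" + self.anonce
        return accepted, body, key_mic(self.kck, body)


class Station:
    def __init__(self, passphrase, mac):
        self.pmk = pmk_from_passphrase(passphrase, SSID)
        self.mac = mac
        self.snonce = os.urandom(32)

    def on_message1(self, ap_mac, anonce):
        """Derive the KCK and answer with SNonce plus a MIC proving knowledge of the PMK."""
        self.kck = derive_kck(self.pmk, ap_mac, self.mac, anonce, self.snonce)
        return self.snonce, key_mic(self.kck, self.snonce)

    def on_message3(self, body, mic3):
        """Mutual authentication: accept the AP only if its MIC verifies under our KCK."""
        return hmac.compare_digest(key_mic(self.kck, body), mic3)


def run_handshake(ap, sta):
    """Return (ap_accepted_client, client_accepted_ap)."""
    anonce = ap.message1()
    snonce, mic2 = sta.on_message1(ap.mac, anonce)
    accepted, body, mic3 = ap.on_message2(sta.mac, snonce, mic2)
    return accepted, sta.on_message3(body, mic3)


def demo():
    """Genuine AP versus an evil twin advertising the same SSID and MAC without the PSK."""
    genuine = run_handshake(AccessPoint(GOOD_PASSPHRASE, AP_MAC), Station(GOOD_PASSPHRASE, STA_MAC))
    twin = run_handshake(AccessPoint(b"attacker-guess", AP_MAC), Station(GOOD_PASSPHRASE, STA_MAC))
    return genuine, twin


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, False))
```

The only values that cross the air are the two nonces and the MICs; an AP that does not hold the PSK derives a different KCK, so its message 3 fails the client's check and the client refuses to proceed, which is the denial-of-service-but-no-interception outcome described in the Access Control section.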
WPA-Enterprise uses 802.1X+EAP for authentication, but again replaces WEP with the more advanced TKIP encryption. No preshared key is used here, but you will need a RADIUS server. And you get all the other benefits 802.1X+EAP provides, including integration with the Windows login process and support for EAP-TLS and PEAP authentication methods.
WPA2 is the latest thing on the scene. Instead of WEP, it uses Advanced Encryption Standard (AES), the government standard for security. If it’s good enough for the Pentagon, it’s probably good enough for you! Like WPA, the newer WPA2 can be used in either Personal or Enterprise modes, and has so far proven difficult to attack.
Wireless security is just as critical for your business as having a lock on the front door, and finding the balance between security, accessibility, and cost of ownership can be tricky. Consider your needs carefully, and don’t put it off. Every day that you run your network open is another day you’re at risk. Well-designed and implemented security involves minimal hassle and a whole lot of peace of mind, and that’s good for you and your customers.

________________________________________
Rajiv Chaudhri is the CEO of Hitek Australia in Sydney, Australia. You can reach him at rajiv@hitekaustralia.com.au
________________________________________

Eight Reasons You Need a Server

Based on these analysts' feedback and others', here are eight reasons to buy a server for your small business, rather than doing without or relying on peer-to-peer networking.
1. You can create order from chaos. By centralizing data on a server, you can better manage business-critical information. Sharing files and other data across PCs becomes much easier, as does migrating data from one PC to another. And as DiDio points out, older PCs can get new life if their files and data are off-loaded onto a server. "A lot of people are buying servers and opting not to dump their old PCs and laptops," she says.
2. You can protect your data by making backups easier. Two features of Windows Small Business Server 2003, for example, enable users to better protect their data assets by simplifying backups and the restoration of critical data. The features are the Backup Configuration Wizard and Volume Shadow Copy.
3. You can collaborate better as a business. Not only is data sharing easier with a server-based network, but Windows Small Business Server 2003 comes with Windows SharePoint Services, which is software that enables your employees and other team members to collaborate via the Web. With SharePoint, you get a company intranet portal with a user-friendly interface to organize and share information. It comes pre-populated with help documents and resources. A server also is a must if you want to run line-of-business applications, such as accounting solutions from Microsoft Business Solutions, on multiple PCs.
4. You can accommodate a mobile work force. Servers enable authorized out-of-office workers to have remote access to your network, enabling data sharing among those who travel, telecommute or work in off-site locations. Through Remote Web Workplace, users of Windows Small Business Server 2003 can get access to server data via the Internet. Out-of-office workers also can connect to the company intranet via SharePoint.
5. You can share high-speed broadband access. "A real catalyst to server sales among small businesses is in providing high-speed Internet access across a network," says IDC's Boggs. "If I'm running a business now that has three or more dial-up accounts, it's time to get a server and go broadband." The return on investment will come quickly in the form of higher productivity, he says.
6. You can set up new computers, add users and deploy new applications more quickly and easily. Expect to grow? By managing your data from a central location, you can better coordinate the addition of new PCs, software licenses and software applications. You can also better manage firewalls and monitor threats to your data, and more easily deploy virus protection and intrusion detection.
7. You can get more processing power. A server can supercharge your network, storing large chunks of data, freeing up memory and enabling individual PCs to perform better. Small businesses today need that additional processing power to run Web services, manage Web sites, do e-mail newsletters, and use more sophisticated tools and applications, DiDio says. (Boggs says he foresees more and more households buying servers to accommodate students using their PCs as educational labs and teenagers who buy online games and other sophisticated applications.)
8. You can look more professional — and connect better with your customers. Server software such as Windows Small Business Server 2003 enables you to consolidate your e-mail accounts (AOL, Yahoo!, Hotmail, etc.) into a single, company-hosted e-mail account, enhancing your image to customers and partners. "You could have several aliases from one root e-mail address," Harry Brelsford (from SMB Nation) says. "A server can make a lot of businesses look bigger than they are." Adds DiDio, "It not only gives you more bang for your buck; it makes you look more professional to those you want to do business with."
How do you know it's time to buy a server?
• You have two or more dial-up accounts in your business.
• You need to centralize and organize your data (you can't always find what you need when you need it).
• You need to share hardware such as printers and fax machines for two or more PCs (peer-to-peer networks mean lots of cords and wires to trip over).
• You need to simplify backups to keep your data more secure.
• You have employees who travel, frequently telecommute, or work off-site, and want to connect to a network.
• You could benefit from an intranet (your employees who travel and telecommute don't always remember to tell you).
• You have high storage needs (and your loaded-down PCs wince and groan when you add more data).
• You'd like to run accounting software or other line-of-business application on more than one PC.
• Your company's growing and plans to add new computers and employees (congrats!).
• You mean business: You want to look professional (and bigger than you are).
• Your PCs are old, old, old, and you want to get rid of them. A server makes migration easier.
• Your PCs are old, old, old, and you want to keep them. A server takes a load off the PCs.

Saturday, May 8, 2010

Gareth McCray's views on Hitek Australia

2CH breakfast personality Gareth McCray began working in the Media in 1980 having worked on air at 2GB, 2CH, 2UE, 2SM, 2KM and 2KY.

Gareth was the Drive announcer for Radio 2SM up until July 2003. Prior to this he was Programme Director & Breakfast Announcer at 2KY on a news and current affairs show. He was also responsible for setting up a nostalgia radio station for the Labor Council of NSW.

For some time, Gareth was Head of the Radio Department at The Australian Film Radio & Television School. He has an A.Mus.A. from the Conservatorium, has lectured in English for the University of Sydney, and has run Media courses with the Australian Catholic University.

Gareth also did some training at the Ensemble Theatre under the tutelage of Hayes Gordon. He was also national publicist for the Papal Tour during the Beatification of Mary MacKillop in January 1995. He has been awarded a Citation from the United Nations for the Media Peace Awards.

You can hear Gareth along with Mardi as they present our breakfast show Monday to Friday morning between 5 and 9am and between 6.00am and 12 noon on Sunday as part of our Stress Free weekends