Why install Windows wireless security. Information security and wireless networks

This article is devoted to the issue of security when using wireless WiFi networks.

Introduction - WiFi Vulnerabilities

The main reason why user data is vulnerable when this data is transmitted over WiFi networks is that the exchange occurs over radio waves. And this makes it possible to intercept messages at any point where a WiFi signal is physically available. Simply put, if the signal from an access point can be detected at a distance of 50 meters, then interception of all network traffic of this WiFi network is possible within a radius of 50 meters from the access point. In the next room, on another floor of the building, on the street.

Imagine this picture. In the office, the local network is built via WiFi. The signal from this office's access point is picked up outside the building, for example in a parking lot. An attacker outside the building can gain access to the office network without being noticed by the owners of this network. WiFi networks can be accessed easily and discreetly, which is technically much easier than with wired networks.

To date, means of protecting WiFi networks have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device that is connected to it. That is, an attacker can intercept the radio signal, but to him it will be just digital “garbage”.

How does WiFi protection work?

The access point admits to its WiFi network only a device that sends the correct password (specified in the access point settings). The password is not sent in the clear but in the form of a hash. A hash is the result of an irreversible (one-way) transformation. That is, data that has been hashed cannot be recovered from the hash. If an attacker intercepts the password hash, he will not be able to obtain the password from it directly.

But how does the access point know whether the password is correct or not, if it also receives only a hash and cannot decrypt it? It's simple - in the access point settings the password is specified in plain text. The authorization program takes this plain-text password, creates a hash from it, and then compares this hash with the one received from the client. If the hashes match, then the client’s password is correct. The second feature of hashes is used here - they are unique. The same hash cannot be obtained from two different sets of data (passwords). If two hashes match, then they were both created from the same set of data.

By the way. Thanks to this feature, hashes are used to control data integrity. If two hashes (created over a period of time) match, then the original data (during that period of time) has not been changed.
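How this comparison looks in WPA2-Personal, as an added example (not code from the original article): the passphrase is stretched into a 256-bit key with PBKDF2-HMAC-SHA1 salted by the network name, and the client proves it holds that key by sending a keyed MAC over a fresh nonce from the access point. The single-nonce exchange and the HMAC-SHA256 proof are a simplified stand-in for the real four-way handshake; the SSIDs and the wrong passphrase are constructed.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def client_proof(passphrase: str, ssid: str, ap_nonce: bytes) -> bytes:
    """What the client transmits: a MAC over the AP's nonce, keyed with the derived key."""
    return hmac.new(derive_pmk(passphrase, ssid), ap_nonce, hashlib.sha256).digest()


def ap_accepts(configured_passphrase: str, ssid: str, ap_nonce: bytes, proof: bytes) -> bool:
    """The AP repeats the computation from its stored passphrase and compares the results."""
    expected = client_proof(configured_passphrase, ssid, ap_nonce)
    return hmac.compare_digest(expected, proof)  # constant-time comparison


def demo() -> dict:
    ssid = "ExampleOffice"        # constructed network name
    configured = "5Fb9pE2a"       # passphrase stored in the access point settings
    nonce = os.urandom(32)        # fresh random challenge from the access point
    good = client_proof("5Fb9pE2a", ssid, nonce)
    bad = client_proof("5Fb9pE2b", ssid, nonce)   # one character off
    later_nonce = os.urandom(32)
    return {
        "correct_passphrase_accepted": ap_accepts(configured, ssid, nonce, good),
        "wrong_passphrase_accepted": ap_accepts(configured, ssid, nonce, bad),
        # A captured proof is useless for a later session with a new nonce.
        "old_proof_accepted_for_new_nonce": ap_accepts(configured, ssid, later_nonce, good),
        # The SSID is the salt, so the same passphrase gives another key on another network.
        "same_key_on_other_ssid": derive_pmk(configured, ssid) == derive_pmk(configured, "OtherNet"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```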

However, despite the fact that the most modern method of securing a WiFi network (WPA2) is reliable, this network can be hacked. How?

There are two methods for accessing a network protected by WPA2:

  1. Selection of a password using a password database (so-called dictionary search).
  2. Exploitation of a vulnerability in the WPS function.

In the first case, the attacker intercepts the password hash for the access point. The hash is then compared against a database of thousands or millions of words. A word is taken from the dictionary, a hash is generated for this word, and then this hash is compared with the hash that was intercepted. If a primitive password is used on an access point, then cracking the password of this access point is a matter of time. For example, an 8-digit password (8 characters long is the minimum password length for WPA2) is one million combinations. On a modern computer, you can sort through one million values in a few days or even hours.

In the second case, a vulnerability in the first versions of the WPS function is exploited. This feature allows you to connect a device that has no way of entering a password, such as a printer, to the access point. When using this feature, the device and access point exchange a digital code, and if the device sends the correct code, the access point authorizes the client. There was a vulnerability in this function - the code had 8 digits, but only four of them were checked for uniqueness! That is, to hack WPS you need to search through all the values that give 4 digits. As a result, hacking an access point via WPS can be done in just a few hours, even on the weakest device.

Setting up WiFi network security

The security of the WiFi network is determined by the settings of the access point. Several of these settings directly affect network security.

WiFi network access mode

The access point can operate in one of two modes - open or protected. In case of open access, any device can connect to the access point. In the case of protected access, only the device that transmits the correct access password is connected.

There are three types (standards) of WiFi network protection:

  • WEP (Wired Equivalent Privacy). The very first standard of protection. Today it actually does not provide protection, since it can be hacked very easily due to the weakness of the protection mechanisms.
  • WPA (Wi-Fi Protected Access). Chronologically the second standard of protection. At the time of creation and commissioning, it provided effective protection for WiFi networks. But at the end of the 2000s, opportunities were found to hack WPA protection through vulnerabilities in the security mechanisms.
  • WPA2 (Wi-Fi Protected Access). The latest protection standard. Provides reliable protection when certain rules are followed. To date, there are only two known ways to break WPA2 security: dictionary password brute force and a workaround using the WPS service.

Thus, to ensure the security of your WiFi network, you must select the WPA2 security type. However, not all client devices can support it. For example, Windows XP SP2 only supports WPA.

In addition to choosing the WPA2 standard, additional conditions are required:

Use AES encryption method.

The password to access the WiFi network must be composed as follows:

  1. Use letters and numbers in the password. A random set of letters and numbers. Or a very rare word or phrase that is meaningful only to you.
  2. Do not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
  3. If you need to use only a digital password, then its length must be at least 10 characters, because an eight-character digital password is selected using a brute force method in real time (from several hours to several days, depending on the power of the computer).

If you use complex passwords in accordance with these rules, then your WiFi network cannot be hacked by guessing a password using a dictionary. For example, for a password like 5Fb9pE2a (random alphanumeric), there are at most 218340105584896 possible combinations. Today this is almost impossible to guess. Even if a computer were to compare 1,000,000 (one million) words per second, it would take almost 7 years to iterate over all the values.
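The three rules above and the search-time estimate, as an added example (not part of the original article): a small audit function that flags passphrases breaking the rules and computes how long exhaustive search would take at the article's assumed rate of 1,000,000 guesses per second. The "word followed by digits" pattern is a heuristic chosen for this example, and the sample passphrases other than those quoted in the article are constructed.

```python
import re
import string

GUESSES_PER_SECOND = 1_000_000          # rate assumed in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

# Heuristic for rule 2: letters followed only by digits (lena1991, dom12345).
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d+$")


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that covers the password."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += 33                      # ASCII punctuation plus space
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def exhaustive_search_seconds(password: str) -> float:
    return keyspace(password) / GUESSES_PER_SECOND


def exhaustive_search_years(password: str) -> float:
    return exhaustive_search_seconds(password) / SECONDS_PER_YEAR


def audit(password: str) -> list:
    """Return the list of rules from the article that the password breaks."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than the WPA2 minimum of 8 characters")
    if password.isdigit():
        if len(password) < 10:
            findings.append("digits only and shorter than 10 characters")
    elif not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("does not mix letters and digits")
    if WORD_PLUS_DIGITS.match(password):
        findings.append("word followed by digits")
    return findings


if __name__ == "__main__":
    for candidate in ["5Fb9pE2a", "lena1991", "dom12345", "12345678", "homenetwork"]:
        print(f"{candidate!r}: keyspace={keyspace(candidate)}, "
              f"years={exhaustive_search_years(candidate):.6f}, "
              f"findings={audit(candidate)}")
```

Keyspace only bounds blind exhaustive search; a passphrase that matches the word-plus-digits pattern falls to a dictionary long before the whole keyspace is tried, which is why the audit reports it separately.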

WPS (Wi-Fi Protected Setup)

If the access point has the WPS (Wi-Fi Protected Setup) function, you need to disable it. If this feature is required, you must ensure that its version is updated to the following capabilities:

  1. Using all 8 PIN code characters instead of 4, as was the case in the beginning.
  2. Enable a delay after several attempts to send an incorrect PIN code from the client.

An additional option to improve WPS security is to use an alphanumeric PIN code.

Public WiFi Security

Today it is fashionable to use the Internet via WiFi networks in public places - in cafes, restaurants, shopping centers, etc. It is important to understand that using such networks may lead to theft of your personal data. If you access the Internet through such a network and then log in to a website, your data (username and password) may be intercepted by another person who is connected to the same WiFi network. After all, on any device that has passed authorization and is connected to the access point, you can intercept network traffic from all other devices on this network. And the peculiarity of public WiFi networks is that anyone can connect to it, including an attacker, and not only to an open network, but also to a protected one.

What can you do to protect your data when connecting to the Internet via a public WiFi network? There is only one option - to use the HTTPS protocol. This protocol establishes an encrypted connection between the client (browser) and the site. But not all sites support the HTTPS protocol. Addresses on a site that supports the HTTPS protocol begin with the https:// prefix. If the addresses on a site have the http:// prefix, this means that the site does not support HTTPS or does not use it.

Some sites do not use HTTPS by default, but they support this protocol, and it can be used if you explicitly (manually) specify the https:// prefix.

As for other cases of using the Internet - chats, Skype, etc., you can use free or paid VPN servers to protect this data. That is, first connect to the VPN server, and only then use the chat or open website.

WiFi Password Protection

In the second and third parts of this article, I wrote that when using the WPA2 security standard, one of the ways to hack a WiFi network is to guess the password using a dictionary. But there is another opportunity for an attacker to obtain the password to your WiFi network. If you store your password on a sticky note glued to the monitor, this makes it possible for a stranger to see this password. And your password can be stolen from a computer connected to your WiFi network. This can be done by an outsider if your computers are not protected from access by outsiders. This can be done using malware. In addition, the password can be stolen from a device that is taken outside the office (house, apartment) - from a smartphone, tablet.

Thus, if you need reliable protection for your WiFi network, you need to take steps to securely store your password. Protect it from access by unauthorized persons.


via 802.11 radio channel. Topologically, such networks can be divided into two types: with an access point (via a server with a radio device simultaneously connected to the radio network) and ad hoc (clients communicate directly without an access point).

Consider a wireless network with an access point implemented according to any commercial standard 802.11 (a, b, g, i), except 802.1x. Regardless of the number of access points, a wireless network segment is identified by a single identifier (SSID). There are three built-in security mechanisms to protect wireless networks: authentication, encryption, WPA.

Authenticity is verified by two mechanisms: open check (restrictions on the MAC addresses of wireless network devices are set on the access point) and private key (wireless network users are given a password, which they enter manually when establishing a connection).

Encryption in wireless networks is carried out using the RC4 algorithm. Encryption supports two types of keys: global and session. The global key is used to protect multicast and broadcast outgoing traffic on the access point, and the session key is used to protect unicast outgoing traffic on the access point, as well as multicast and broadcast incoming traffic on the access point. Both types of keys are distributed between network clients and are entered manually.

WPA provides improved encryption using the TKIP protocol, which also controls data integrity. Authentication is checked by the EAP protocol.

The following types of attacks can be carried out through wireless networks:

  • traffic interception,
  • hacking ARP protocol addresses,
  • attacks of viruses that entered the network from a hacker’s computer,
  • redirection (in this case, hacking is carried out at the SSL level. The attacker forges the MAC address of the access point and sends the user a request to accept the credentials of a new server controlled by him.),
  • unauthorized connections (you can connect to any wireless network by approaching a sufficient distance. Using an open identification system, anyone can access the corporate network.),
  • connection of unauthorized access points (users can install the necessary equipment themselves without enabling protective mechanisms on it),
  • network overload (DoS attack),
  • radio interference.

To enhance the security of your wireless network:

  • change factory SSID,
  • disable SSID broadcast,
  • use encryption with unique keys,
  • protect the SNMP protocol (change the default community for this protocol, consider protection from PROTOS),
  • use MAC address filtering by setting it in the list of allowed wireless clients,
  • together with the enterprise security service, combat the installation of unauthorized access points (check what equipment is brought into the enterprise and detect access points using SNMP agents).

Of course, it is necessary to pay attention to the selection and installation of antennas at access points. If possible, you should use directional antennas or short-range transmitters so as not to expand the territorial boundaries of the wireless network. It is wise to consider the access point to be part of a demilitarized zone or untrusted network. Therefore, it is recommended to separate access points from wired networks with a firewall.

The 802.1x standard is a quantum leap in wireless network security. It allows for the most secure authentication of wireless clients and secure encrypted data transfer. This standard uses dynamic keys for encryption, which do not need to be set manually. However, to implement this standard, three things are necessary:

  1. To authenticate wireless network clients, you must configure a RADIUS server with a special remote access policy for wireless networks;
  2. The organization must implement a public key system, because the 802.1x standard uses the EAP-TLS protocol for authentication;
  3. The access point can only be organized under WS2003, and wireless clients must be managed by Windows XP SP1 or higher.

Thus, the implementation of a RADIUS server may require a fundamental change in the topology of the corporate network. Implementation of a Public Key System will require either the deployment of your own hierarchy of certification authorities, or the acquisition of certificates from third-party companies. The implementation of the 802.1x standard provides the maximum level of wireless network security, but requires a lot of administrative configuration and financial costs.

Encryption of data in wireless networks receives so much attention due to the very nature of such networks. Data is transmitted wirelessly using radio waves, generally using omnidirectional antennas. Thus, everyone hears the data, not just the person for whom it is intended. Of course, the distances over which wireless networks operate (without amplifiers or directional antennas) are small - about 100 meters in ideal conditions. Walls, trees and other obstacles greatly dampen the signal, but this still does not solve the problem.

Initially, only the SSID (network name) was used for protection. But the SSID is transmitted in clear text, and nothing prevents an attacker from eavesdropping on it and then entering the correct one in his own settings. Not to mention that (this applies to access points) the broadcast mode for the SSID can be enabled, i.e. it will be forcibly broadcast to everyone listening.

Therefore, there was a need for data encryption. The first such standard was WEP – Wired Equivalent Privacy. Encryption is carried out using a 40 or 104-bit key (stream encryption using the RC4 algorithm on a static key). The key itself is a set of ASCII characters with a length of 5 (for a 40-bit key) or 13 (for a 104-bit key) characters. The set of these characters is translated into a sequence of hexadecimal digits, which are the key. Drivers from many manufacturers allow you to enter hexadecimal values (of the same length) directly instead of a set of ASCII characters. Algorithms for converting from an ASCII character sequence to hexadecimal key values may differ among manufacturers. Therefore, if the network uses heterogeneous wireless equipment and setting up WEP encryption using an ASCII key phrase does not work, you must enter the key in hexadecimal notation instead.



In reality, data encryption occurs using a key length of 40 or 104 bits. But in addition to the ASCII phrase (the static component of the key), there is also the initialization vector (IV). It serves to randomize the rest of the key. The vector is selected randomly and changes dynamically during operation. In principle, this is a reasonable solution, since it allows you to introduce a random component into the key. The vector length is 24 bits, so the total key length ends up being 64 (40+24) or 128 (104+24) bits.

The encryption algorithm used (RC4) is currently not particularly strong - if you really want, you can find a key by brute force in a relatively short time. But still, the main vulnerability of WEP is associated precisely with the initialization vector. The IV is only 24 bits long. This gives approximately 16 million combinations - 16 million different vectors. In real work, all possible vector values will be used up in a period from ten minutes to several hours (for a 40-bit key). After this, the vectors will begin to repeat. An attacker just needs to collect a sufficient number of packets by simply listening to the wireless network traffic and find these repetitions. After this, selecting the static component of the key (ASCII phrase) does not take much time.
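Why a repeated vector is so damaging, as an added example (not code from the original text): WEP seeds RC4 with the 24-bit IV followed by the static key, so two frames with the same IV are encrypted with the same keystream, and XORing their ciphertexts cancels it out. The key, IV and plaintexts are constructed, the WEP integrity checksum is omitted, and the collision estimate assumes IVs are chosen uniformly at random, as the text describes.

```python
import math


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, static_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 seeded with IV || static key (checksum omitted)."""
    if len(iv) != 3 or len(static_key) not in (5, 13):
        raise ValueError("IV is 24 bits; static key is 40 or 104 bits")
    return xor(plaintext, rc4_keystream(iv + static_key, len(plaintext)))


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed before two random IVs coincide with this probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def demo() -> dict:
    key = b"abcde"                          # constructed 5-character (40-bit) static key
    iv = bytes([0x01, 0x02, 0x03])          # constructed IV that gets reused
    frame_a = b"GET /index.html HTTP/1.1"   # constructed plaintexts of equal length
    frame_b = b"session=constructed-1234"
    c_a = wep_encrypt(iv, key, frame_a)
    c_b = wep_encrypt(iv, key, frame_b)
    c_other_iv = wep_encrypt(bytes([0x01, 0x02, 0x04]), key, frame_a)
    return {
        # Same IV: the keystream cancels and only the two plaintexts remain.
        "ciphertext_xor_equals_plaintext_xor": xor(c_a, c_b) == xor(frame_a, frame_b),
        # Knowing one plaintext therefore reveals the other without the key.
        "frame_b_from_known_frame_a": xor(xor(c_a, c_b), frame_a),
        # A different IV yields an unrelated keystream.
        "different_iv_changes_ciphertext": c_other_iv != c_a,
        "frames_for_50_percent_repeat": frames_until_iv_repeat(0.5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```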

Many manufacturers build into the software (or hardware) of wireless devices a check for such vectors, and if similar ones are found, they are silently discarded, i.e. they do not take part in the encryption process.

To increase the security of wireless networks, the WPA (Wi-Fi Protected Access) protocol was developed. The WPA protocol was designed to close the weak points of wireless networks that use WEP. The specification requires that network elements be equipped with dynamic key generation capabilities and use an advanced RC4 data encryption scheme based on TKIP (Temporal Key Integrity Protocol). In this way, it was possible to increase the security of packets and ensure backward compatibility with WEP, even at the expense of additional load on network channels. Additionally, WPA cryptographic checksums are calculated using a new method called Michael. Each 802.11 frame contains a special eight-byte message integrity code, the verification of which allows you to repel attacks using forged packets.

All WPA-enabled devices require 802.1x authentication using EAP (Extensible Authentication Protocol). In this case, either a RADIUS (Remote Authentication Dial-In User Service) server or a pre-shared key is used.

802.1x authentication is based on a client-server architecture and uses three elements: a client supplicant, an authenticator, and an authentication server. The widespread use of this technology in corporate wireless LANs is facilitated by its centralized security management model and the ability to integrate with existing corporate authentication schemes.

For most organizations, using WPA will require installing new firmware and clients and integrating them with their authentication systems. Small and medium-sized businesses that do without an authentication server will have to first install a shared key on each client and access point.
WPA is already supported in operating systems.

Not long ago, a new standard, 802.11i, was released, aimed at increasing the security of wireless networks: it involves the use of AES (Advanced Encryption Standard) encryption with a key length of 128, 192 or 256 bits and is used with 802.11b and 802.11g devices.

The 802.11i standard, designed to provide information security to WLANs of large enterprises and small offices, is designed to improve the security functions of the 802.11 standard. However, this standard, which provides for data encryption and control of its integrity, is characterized by increased implementation complexity and may be incompatible with existing wireless equipment.

The 802.11i security standard provides an intermediate specification for the so-called Transitional Security Network (TSN), which allows for the simultaneous use of RSN solutions and legacy WEP systems. However, the wireless network will not be as well protected.

The default data privacy mechanism of the IEEE 802.11i standard is based on the AES block cipher. The security protocol that uses it is called Counter-Mode CBC MAC Protocol, or CCMP. At the lower layers of the OSI model, where encryption and decryption of transmitted data occurs, AES uses three temporary encryption keys. AES (Advanced Encryption Standard - an improved encryption standard) differs from the RC4 implementation included in WEP in a much more robust cryptographic algorithm, but it places increased demands on the throughput of communication channels, so the transition to a new standard will require upgrading network equipment. In addition, AES is not backward compatible with current WPA and WEP equipment.

For enterprise access points to work with 802.11i network security, they must support RADIUS user authentication and be able to quickly re-authenticate users after a network connection is lost. This is especially important for the normal functioning of real-time applications (for example, voice over WLAN).

If the RADIUS server used to control access of wired network users supports the required EAP authentication methods, then it can be used to authenticate wireless network users. Otherwise, it is worth installing a WLAN RADIUS server that will interact with the existing RADIUS server as a proxy server. The WLAN RADIUS server works by first checking the user's authentication information (against the contents of its database of user IDs and passwords) or their digital certificate, and then causing the access point and client system to dynamically generate encryption keys for each communication session. The IEEE 802.11i standard does not specify any specific EAP authentication methods. The choice of the EAP authentication method is determined by the specifics of the client applications and the network architecture.

The new standard has acquired several relatively little-known properties. One of them, key caching, records information about the user transparently, so that the user does not have to enter all of it again after leaving the wireless network coverage area and then returning to it.

The second innovation is pre-authentication. Its essence is as follows: from the access point to which the user is currently connected, a pre-authentication packet is sent to another access point, providing this user with pre-authentication even before registering at the new point and thereby reducing authorization time when moving between access points.

For laptops and PDAs to work with 802.11i network security, they must be equipped with client programs that support the 802.1x standard. Cisco has included it in its Aironet Client Utility. Microsoft has provided support for the 802.1x standard in Windows XP, Vista and 7. Unfortunately, these client programs, which are pre-included in the OS and other tools, usually do not support all EAP authentication methods (Table 4.8).

Table 4.8 - Data encryption standards.

Standard: WEP
Security features: RC4 encryption, static keys, 802.1x authentication – custom made
Advantages: At least some kind of protection; WEP support on most 802.11 devices
Flaws: Too many gaps to exploit in a corporate environment; additional tools such as virtual private networks are often used to protect wireless LANs

Standard: WPA
Security features: TKIP, dynamic keys, Michael, mandatory 802.1x authentication (EAP and RADIUS or pre-shared key)
Advantages: Backwards compatible with WEP; possibility of integration into existing wireless networks with a simple firmware update
Flaws: A temporary solution for the transition period until the more reliable 802.11i standard is approved

Standard: 802.11i
Security features: AES encryption, CCMP, WRAP, 802.11i key management, 802.1x authentication
Advantages: Stronger than WEP encryption; secure key management scheme
Flaws: Need for new hardware and chipsets; incompatibility with older Wi-Fi equipment

5 Fault-tolerant data storage systems:
RAID - arrays

The problem of increasing the reliability of information storage and simultaneously increasing the performance of a data storage system has been on the minds of computer peripheral developers for a long time. Regarding increasing the reliability of storage, everything is clear: information is a commodity, and often very valuable. To protect against data loss, many methods have been invented, the most famous and reliable of which is information backup.

RAID is a redundant array of independent disks (Redundant Array of Independent Disks), which is tasked with ensuring fault tolerance and increasing performance. Fault tolerance is achieved through redundancy. That is, part of the disk space capacity is allocated for service purposes and becomes inaccessible to the user.

Increased performance of the disk subsystem is ensured by the simultaneous operation of several disks, and in this sense, the more disks in the array (up to a certain limit), the better.

The joint operation of disks in an array can be organized using either parallel or independent access.

With parallel access, disk space is divided into blocks (strips) for recording data. Similarly, information to be written to disk is divided into the same blocks. When writing, individual blocks are written to different disks (Figure 5.1), and several blocks are written to different disks simultaneously, which leads to increased performance in write operations. The necessary information is also read in separate blocks simultaneously from several disks (Figure 5.2).

Figure 5.1 - Record structure Figure 5.2 - Readout structure

This also increases performance in proportion to the number of disks in the array.

It should be noted that the parallel access model is implemented only if the size of the data write request is larger than the size of the block itself. Otherwise, it is simply impossible to implement parallel recording of several blocks. Let's imagine a situation where the size of an individual block is 8 KB, and the size of a request to write data is 64 KB. In this case, the source information is cut into eight blocks of 8 KB each. If you have a four-disk array, you can write four blocks, or 32 KB, at a time. Obviously, in the example considered, the write and read speeds will be four times higher than when using one disk. However, this situation is ideal, since the request size is not always a multiple of the block size and the number of disks in the array.

If the size of the recorded data is less than the block size, then a fundamentally different access model is implemented - independent access. Moreover, this model can also be implemented in the case when the size of the written data is larger than the size of one block. With independent access, all data from a single request is written to a separate disk, that is, the situation is identical to working with one disk. The advantage of the independent access model is that if several write (read) requests arrive simultaneously, they will all be executed independently, on separate disks (Figure 5.3). A similar situation is typical, for example, in servers.

In accordance with different types of access, there are different types of RAID arrays, which are usually characterized by RAID levels. In addition to the type of access, RAID levels differ in the way they accommodate and generate redundant information. Redundant information can either be placed on a specially allocated disk, or shuffled between all disks. There are several more ways to generate this information. The simplest of them is complete duplication (100 percent redundancy), or mirroring. In addition, error correction codes are used, as well as parity calculations.

Currently, there are several standardized RAID levels: from RAID 0 to RAID 5. In addition, combinations of these levels are used, as well as proprietary levels (for example, RAID 6, RAID 7). The most common levels are 0, 1, 3 and 5.

RAID level 0, strictly speaking, is not a redundant array and, accordingly, does not provide reliable data storage. Nevertheless, this level is widely used in cases where it is necessary to ensure high performance of the disk subsystem. This level is especially popular in workstations. When creating a RAID level 0 array, information is divided into blocks, which are written to separate disks, that is, a system with parallel access is created (if, of course, the block size allows this). By allowing simultaneous I/O from multiple disks, RAID 0 provides the fastest data transfer speeds and maximum disk space efficiency because no storage space is required for checksums. The implementation of this level is very simple. RAID 0 is mainly used in areas where fast transfer of large amounts of data is required.

RAID 1 (Mirrored disk)

RAID Level 1 is an array of disks with 100 percent redundancy. That is, the data is simply completely duplicated (mirrored), due to which a very high level of reliability (as well as cost) is achieved. Note that to implement level 1, it is not necessary to first partition the disks and data into blocks. In the simplest case, two disks contain the same information and are one logical disk. If one disk fails, its functions are performed by another (which is absolutely transparent to the user). In addition, this level doubles the speed of reading information, since this operation can be performed simultaneously from two disks. This information storage scheme is used mainly in cases where the cost of data security is much higher than the cost of implementing a storage system.

RAID Level 2 is a data redundancy scheme using Hamming code for error correction. The written data is not formed on the basis of a block structure, as in RAID 0, but on the basis of words, and the word size in bits is equal to the number of disks for recording data in the array. If, for example, the array has four disks for writing data, then the word size is four bits. Each individual bit of a word is written to a separate disk in the array: the first bit goes to the first disk, the second bit to the second, etc.

In addition, an error correction code (ECC) is calculated for each word and written to dedicated disks to store control information. Their number is equal to the number of bits in the control word, and each bit of the control word is written to a separate disk.

RAID 2 is one of the few levels that allows you not only to correct single errors on the fly, but also to detect double ones. Moreover, it is the most redundant of all levels with correction codes. This data storage scheme is rarely used because it does not handle large numbers of requests well, is complex to organize, and has few advantages over RAID 3.

RAID Level 3 is a fault-tolerant array with parallel I/O and one additional disk on which control information is written. When recording, the data stream is divided into blocks at the byte level (although possibly at the bit level) and is written simultaneously to all disks of the array, except for the one allocated for storing control information. To calculate the control information (also called a checksum), an exclusive-or operation (XOR) is applied to the data blocks being written. If any disk fails, the data on it can be restored using control data and data remaining on healthy disks.
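The XOR scheme just described, as an added example (not code from the original text): data is striped byte by byte across the data disks, a dedicated disk holds the XOR of the others, and a single failed disk is rebuilt from the survivors. The function names, the zero padding of the last stripe and the sample data are assumptions made for this example.

```python
from functools import reduce
from operator import xor
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equally long blocks."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def build_array(data: bytes, data_disks: int) -> List[bytes]:
    """Stripe data at byte level over data_disks and append one parity disk."""
    padded = data + b"\x00" * (-len(data) % data_disks)   # fill the last stripe
    disks = [padded[d::data_disks] for d in range(data_disks)]
    return disks + [xor_blocks(disks)]                     # last disk holds the checksum


def rebuild(disks: List[Optional[bytes]]) -> List[bytes]:
    """Restore one failed disk (marked None) from the remaining disks."""
    failed = [i for i, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise ValueError("single parity cannot recover more than one failed disk")
    restored = list(disks)
    if failed:
        survivors = [disk for disk in disks if disk is not None]
        # XOR of all surviving disks (data and parity alike) equals the missing one.
        restored[failed[0]] = xor_blocks(survivors)
    return restored


def read_back(disks: List[bytes], length: int) -> bytes:
    """Reassemble the original byte stream from the data disks (parity is last)."""
    out = bytearray()
    for stripe in zip(*disks[:-1]):
        out.extend(stripe)
    return bytes(out[:length])


def demo() -> dict:
    data = b"fault tolerant storage"       # constructed sample data, 22 bytes
    array = build_array(data, data_disks=4)
    lost_data_disk = array[:2] + [None] + array[3:]
    lost_parity_disk = array[:-1] + [None]
    return {
        "disks_in_array": len(array),
        "data_after_losing_disk_2": read_back(rebuild(lost_data_disk), len(data)),
        "parity_restored": rebuild(lost_parity_disk)[-1] == array[-1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```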

RAID Level 3 has much less redundancy than RAID 2. By dividing data into blocks, RAID 3 achieves high performance. When reading information, the disk with checksums is not accessed (unless there is a failure), whereas it is accessed every time a write operation occurs. Since each I/O operation accesses virtually all the disks in the array, processing multiple requests simultaneously is not possible. This level is suitable for applications with large files and low access frequency. In addition, the advantages of RAID 3 include only a slight decrease in performance in the event of a failure and rapid recovery of information.

RAID Level 4 is a fault-tolerant array of independent disks with one drive for storing checksums. RAID 4 is in many ways similar to RAID 3, but differs from the latter primarily in the significantly larger block size of the data being written (larger than the size of the data being written). This is the main difference between RAID 3 and RAID 4. After writing a group of blocks, a checksum is calculated (in the same way as in the case of RAID 3), which is written to the disk allocated for this purpose. With a larger block size than RAID 3, multiple read operations can be performed simultaneously (independent access design).

RAID 4 improves the performance of small file transfers (by parallelizing the read operation). But since every write must calculate the checksum and store it on the dedicated disk, simultaneous write operations are impossible here (there is an asymmetry of input and output operations). The level under consideration does not provide speed advantages when transmitting large amounts of data. This storage scheme was designed for applications in which data is initially split into small blocks, so there is no need to further split it. RAID 4 is a good solution for file servers where information is primarily read and rarely written. This data storage scheme has a low cost, but its implementation is quite complex, as is data recovery in case of failure.

RAID level 5 is a fault-tolerant array of independent disks with distributed storage of checksums (Figure 5.4). Data blocks and checksums, which are calculated in the same way as in RAID 3, are written cyclically to all disks of the array, that is, there is no dedicated disk for storing checksum information.

Figure 5.4 - RAID 5 structure

In the case of RAID 5, all disks in the array are the same size, but the total capacity of the disk subsystem available for writing becomes exactly one disk smaller. For example, if five disks are 10 GB in size, then the actual size of the array is 40 GB because 10 GB is allocated for control information.

RAID 5, like RAID 4, has an independent access architecture, that is, unlike RAID 3, it provides a large size of logical blocks for storing information. Therefore, as in the case of RAID 4, such an array provides the main benefit when processing several requests simultaneously.

The main difference between RAID 5 and RAID 4 is the way the checksums are placed.

In the three previous levels, a separate (physical) disk stores the checksum information, so read operations that do not require access to this disk are performed at high speed. However, each write operation changes the information on the control disk, so RAID 2, RAID 3, and RAID 4 do not allow parallel writes. RAID 5 does not have this disadvantage because checksums are written to all disks in the array, allowing multiple reads or writes to be performed simultaneously.
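The XOR checksum described for RAID 3 and its cyclic placement in RAID 5 can be followed in a short simulation. This is an added example, not part of the original article; the function names, the 4-byte block size and the particular rotation order of the parity block are assumptions chosen for illustration.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte blocks together (the RAID 3/4/5 checksum)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))

def parity_disk_for(stripe, n_disks):
    """Disk that holds the checksum of a stripe (assumed rotation order)."""
    return (n_disks - 1 - stripe) % n_disks

def raid5_write(data, n_disks, block_size):
    """Split data into stripes; each stripe gets one checksum block."""
    per_stripe = (n_disks - 1) * block_size
    data = data + b"\x00" * (-len(data) % per_stripe)  # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for stripe in range(len(data) // per_stripe):
        chunk = data[stripe * per_stripe:(stripe + 1) * per_stripe]
        blocks = [chunk[i:i + block_size]
                  for i in range(0, per_stripe, block_size)]
        parity = xor_blocks(blocks)
        remaining = iter(blocks)
        for disk in range(n_disks):
            if disk == parity_disk_for(stripe, n_disks):
                disks[disk].append(parity)
            else:
                disks[disk].append(next(remaining))
    return disks

def rebuild_disk(disks, failed):
    """Restore a failed disk: XOR of the surviving blocks of every stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def raid5_read(disks, length):
    """Reassemble the data, skipping the checksum block of each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        for disk in range(n_disks):
            if disk != parity_disk_for(stripe, n_disks):
                out += disks[disk][stripe]
    return bytes(out[:length])

def usable_capacity(n_disks, disk_size):
    """One disk's worth of space goes to checksums."""
    return (n_disks - 1) * disk_size

SAMPLE = b"constructed sample payload for the RAID 5 demo"  # constructed input

if __name__ == "__main__":
    array = raid5_write(SAMPLE, n_disks=5, block_size=4)
    array[2] = rebuild_disk(array, failed=2)  # simulate losing disk 2
    print(raid5_read(array, len(SAMPLE)))
    print(usable_capacity(5, 10), "GB usable from five 10 GB disks")
```

The same XOR call restores a lost data block or a lost checksum block, which is why the failure of any single disk is survivable.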

Practical implementation

For the practical implementation of RAID arrays, two components are required: the hard drive array itself and the RAID controller. The controller performs the functions of communicating with the server (workstation), generating redundant information when writing and checking when reading, distributing information across disks in accordance with the algorithm

The main function of a RAID array is not to increase the capacity of the disk subsystem (as can be seen from its design, the same capacity can be obtained for less money), but to ensure reliable data storage and increase performance. For servers, in addition, there is a requirement for uninterrupted operation, even if one of the drives fails. Uninterrupted operation is ensured by hot swapping, that is, removing a faulty SCSI disk and installing a new one without turning off the power. Because the disk subsystem remains operational (except for level 0) when one drive fails, hot swapping provides recovery that is transparent to users. However, the transfer speed and access speed with one non-working disk are noticeably reduced due to the fact that the controller must recover data from redundant information. There is, however, an exception to this rule: RAID systems of levels 2, 3 and 4 begin to work faster when the drive with redundant information fails! This is natural, since in this case the level changes “on the fly” to zero, which has excellent speed characteristics.

CONCLUSION: Considering the specifics of the enterprise, the best option for using the array is a RAID 5 array because it has a fairly high read-write speed (read speed is lower than RAID 4) and low redundancy, i.e. it is economical.

Password and MAC address filtering should protect you from hacking. In fact, safety largely depends on your caution. Inappropriate security methods, uncomplicated passwords, and a careless attitude toward strangers on your home network provide attackers with additional attack opportunities. In this article, you will learn how to crack a WEP password, why you should abandon filters, and how to secure your wireless network from all sides.

Protection from uninvited guests

Your network is not secure, therefore, sooner or later, an outsider will connect to your wireless network - perhaps not even on purpose, since smartphones and tablets can automatically connect to unsecured networks. If he just opens several sites, then, most likely, nothing bad will happen except for the consumption of traffic. The situation will become more complicated if a guest starts downloading illegal content through your Internet connection.

If you have not yet taken any security measures, then go to the router interface through a browser and change your network access data. The router address usually looks like: http://192.168.1.1. If this is not the case, then you can find out the IP address of your network device through the command line. In the Windows 7 operating system, click on the “Start” button and enter the “cmd” command in the search bar. Call up the network settings with the “ipconfig” command and find the “Default gateway” line. The specified IP is the address of your router, which must be entered in the address bar of the browser. The location of your router's security settings varies by manufacturer. As a rule, they are located in a section with the name “WLAN | Safety”.

If your wireless network uses an unsecured connection, you should be especially careful with content that is located in shared folders, since if it is not protected, it will be available to other users. At the same time, in the Windows XP Home operating system, the situation with shared access is simply catastrophic: by default, passwords cannot be set here at all - this function is present only in the professional version. Instead, all network requests are made through an unsecured guest account. You can secure your network in Windows XP using a small manipulation: launch the command line, enter “net user guest YourNewPassword” and confirm the operation by pressing the “Enter” key. After restarting Windows, you will be able to access network resources only if you have a password; however, finer tuning in this version of the OS, unfortunately, is not possible. Managing sharing settings is much more convenient in Windows 7. Here, to limit the number of users, just go to the “Network and Sharing Center” in the Control Panel and create a password-protected home group.

The lack of proper protection in a wireless network is a source of other dangers, since hackers can use special programs (sniffers) to identify all unprotected connections. This way, it will be easy for hackers to intercept your identification data from various services.

Hackers

As before, the two most popular security methods today are MAC address filtering and hiding the SSID (network name): these security measures will not keep you safe. In order to identify the network name, an attacker only needs a WLAN adapter, which switches to monitoring mode using a modified driver, and a sniffer - for example, Kismet. The attacker monitors the network until a user (client) connects to it. He then manipulates the data packets and thereby kicks the client off the network. When the user reconnects, the attacker sees the network name. It seems complicated, but in fact the whole process only takes a few minutes. Bypassing the MAC filter is also easy: the attacker determines the MAC address and assigns it to his device. Thus, the connection of an outsider remains unnoticed by the network owner.

If your device only supports WEP encryption, take immediate action - such a password can be cracked even by non-professionals in a few minutes.

Particularly popular among cyber fraudsters is the Aircrack-ng software package, which, in addition to the sniffer, includes an application for downloading and modifying WLAN adapter drivers, and also allows you to recover the WEP key. Well-known hacking methods are PTW and FMS/KoreK attacks, in which traffic is intercepted and a WEP key is calculated based on its analysis. In this situation, you have only two options: first, you should look for the latest firmware for your device, which will support the latest encryption methods. Second, if the manufacturer does not provide updates, it is better to stop using such a device, because by continuing to use it you are jeopardizing the security of your home network.

The popular advice to reduce Wi-Fi range only gives the appearance of protection. Neighbors will still be able to connect to your network, and attackers often use Wi-Fi adapters with a longer range.

Public hotspots

Places with free Wi-Fi attract cyber fraudsters because huge amounts of information pass through them, and anyone can use hacking tools. Public hotspots can be found in cafes, hotels and other public places. But other users of the same networks can intercept your data and, for example, take control of your accounts on various web services.

Cookie Protection. Some attack methods are truly so simple that anyone can use them. The Firesheep extension for the Firefox browser automatically reads and lists the accounts of other users, including Amazon, Google, Facebook and Twitter. If a hacker clicks on one of the entries in the list, he will immediately have full access to the account and will be able to change the user's data at his discretion. Firesheep does not crack passwords, but only copies active, unencrypted cookies. To protect yourself from such interceptions, you should use the special HTTPS Everywhere add-on for Firefox. This extension forces online services to always use an encrypted connection via HTTPS if supported by the service provider's server.

Android protection. In the recent past, widespread attention has been drawn to a flaw in the Android operating system, due to which scammers could gain access to your accounts in services such as Picasa and Google Calendar, as well as read your contacts. Google fixed this vulnerability in Android 2.3.4, but most devices previously purchased by users have older versions of the system installed. To protect them, you can use the SyncGuard application.

WPA 2

The best protection is provided by WPA2 technology, which has been used by computer equipment manufacturers since 2004. Most devices support this type of encryption. But, like other technologies, WPA2 also has its weak point: using a dictionary attack or the bruteforce method, hackers can crack passwords - however, only if they are weak. Dictionary attacks simply go through the keys stored in their databases - as a rule, all possible combinations of numbers and names. Passwords like “1234” or “Ivanov” are guessed so quickly that the hacker’s computer doesn’t even have time to warm up.

The bruteforce method does not involve using a ready-made database, but, on the contrary, finds the password by trying all possible combinations of characters. In this way, an attacker can calculate any key - the only question is how long it will take him. NASA, in its security guidelines, recommends a password of at least eight characters, and preferably sixteen. First of all, it is important that it consists of lowercase and uppercase letters, numbers and special characters. It would take a hacker decades to crack such a password.
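A passphrase can be checked against this advice before it is entered into the router. The following is an added example, not part of the original article: the tiny wordlist is constructed, the guess rate is an assumed figure, and the function names are illustrative. It goes slightly beyond the text by also showing the standard WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 with the network name as salt and 4096 iterations), which is what makes every single guess costly.

```python
import hashlib
import string

# Constructed mini wordlist; a real audit would load a large list of
# leaked passwords instead.
WORDLIST = {"1234", "12345678", "password", "ivanov", "qwerty123"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation + " ",
}

def derive_pmk(passphrase, ssid):
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32)

def audit_passphrase(passphrase, guesses_per_second=100_000):
    """Check a passphrase against the advice above and estimate search time.

    guesses_per_second is an assumed attacker speed, not a measured figure.
    """
    issues = []
    if not 8 <= len(passphrase) <= 63:
        issues.append("WPA2 passphrases must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        issues.append("only printable ASCII characters are allowed")
    if passphrase.lower() in WORDLIST:
        issues.append("found in the wordlist, a dictionary attack finds it")
    used = {name: chars for name, chars in CLASSES.items()
            if any(c in chars for c in passphrase)}
    for name in CLASSES:
        if name not in used:
            issues.append(f"no {name} character")
    alphabet = sum(len(chars) for chars in used.values())
    keyspace = alphabet ** len(passphrase)
    # On average half of the keyspace is searched before the key is found.
    years = keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR
    return {"ok": not issues, "issues": issues,
            "preferred_length": len(passphrase) >= 16,
            "years_to_exhaust": years}

if __name__ == "__main__":
    for candidate in ("1234", "Ivanov", "abcdefgh", "tR7#vq9!Lm2$Xz5&"):
        report = audit_passphrase(candidate)
        print(candidate, report["ok"], f"{report['years_to_exhaust']:.3g} years")
        for issue in report["issues"]:
            print("   -", issue)
    # The same passphrase yields a different key on a differently named network.
    print(derive_pmk("tR7#vq9!Lm2$Xz5&", "HomeNet").hex())
```

The year estimate only covers exhaustive search; a passphrase that appears in a wordlist falls immediately regardless of its length.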

Your network is not yet fully protected, since all users within it have access to your router and can make changes to its settings. Some devices provide additional security features that you should also take advantage of.

First of all, disable the ability to manipulate the router via Wi-Fi. Unfortunately, this feature is only available on certain devices, such as Linksys routers. All modern router models also have the ability to set a password for the management interface, which allows you to restrict access to settings.

Like any program, the router firmware is imperfect - small flaws or critical holes in the security system are not excluded. Usually information about this instantly spreads across the Internet. Check regularly for new firmware for your router (some models even have an automatic update feature). Another advantage of flashing firmware is that it can add new functions to the device.

Periodic analysis of network traffic helps to recognize the presence of uninvited guests. In the router management interface you can find information about which devices connected to your network and when. It is more difficult to find out how much data a particular user has downloaded.

Guest access - a means of protecting your home network

If you protect your router with a strong password using WPA2 encryption, you will no longer be in any danger. But only until you share your password with other users. Friends and acquaintances who, with their smartphones, tablets or laptops, want to access the Internet through your connection are a risk factor. For example, the possibility that their devices are infected with malware cannot be ruled out. However, you won't have to refuse your friends because of this, since top-end router models, such as the Belkin N or Netgear WNDR3700, provide guest access specifically for such cases. The advantage of this mode is that the router creates a separate network with its own password, and the home one is not used.

Security Key Reliability

WEP (WIRED EQUIVALENT PRIVACY). Uses a pseudo-random number generator (RC4 algorithm) to obtain the key, as well as initialization vectors. Since the latter component is not encrypted, it is possible for third parties to intervene and recreate the WEP key.

WPA (WI-FI PROTECTED ACCESS). Based on the WEP mechanism, but offers a dynamic key for extended security. Keys generated using the TKIP algorithm can be cracked using the Beck-Tews or Ohigashi-Morii attack. To do this, individual packets are decrypted, manipulated, and sent back to the network.

WPA2 (WI-FI PROTECTED ACCESS 2). Uses the reliable AES (Advanced Encryption Standard) algorithm for encryption. Along with TKIP, the CCMP protocol (Counter-Mode/CBC-MAC Protocol) has been added, which is also based on the AES algorithm. Until now, a network protected by this technology could not be hacked. The only option for hackers is a dictionary attack or the “brute force method”, where the key is found by trial and error, but with a complex password it is impossible to guess it.

Wireless networks are more convenient than wired ones, but they can also be vulnerable to hackers and malware (such as worms). Because wireless networks use radio waves that can pass through walls, the network signal can travel outside the home.

If you don't try to secure your network, computer users nearby will be able to access data stored on computers on your network and use your Internet connection. By setting a security key on your wireless network, you can protect against unauthorized access.

Ways to secure your wireless network

The wireless network should be configured so that only selected users have access to it.

Several wireless security options are described below:

Wi-Fi Protected Access Technology (WPA and WPA2)

Wi-Fi Protected Access Technology encrypts information and checks that the network security key has not been changed. Additionally, Wi-Fi Protected Access technology authenticates users to ensure that only authorized users can access the network.

There are two types of WPA authentication: WPA and WPA2.

The WPA type is designed to work with all wireless network adapters, but it is not compatible with older routers or access points. The WPA2 type is more secure than WPA, but is not compatible with some older network adapters.

WPA technology is designed for use with an 802.1x authentication server, which creates a different key for each user. Then it is called WPA-Enterprise or WPA2-Enterprise. It can also be used in Pre-Shared Key (PSK) mode, where each user receives the same passphrase. Then it is called WPA-Personal or WPA2-Personal.

Wired Equivalent Privacy (WEP) Protocol

WEP is an old network security method that is still available to support older devices, but its use is no longer recommended. Enabling WEP sets a network security key. This encryption key is sent across a network from one computer to another. However, WEP security is relatively easy to hack.

Attention! It is recommended to use WPA2 whenever possible. WEP is not recommended. WPA or WPA2 is more secure. If you try to run WPA or WPA2 and it does not work, it is recommended that you update your network adapter to one that works with WPA or WPA2.

802.1x authentication

802.1x authentication can enhance the security of 802.11 wireless and Ethernet networks. 802.1x authentication uses an authentication server to verify users and grant permission to access the network. On wireless networks, 802.1x authentication can be used with WPA, WPA2, or WEP protocol keys. This type of authentication is typically used to connect to a workplace network.