Sunday, 7 September 2008

Review: Pure Networks Network Magic Pro 4.8


Even with the new Network and Sharing Center of Windows Vista, non-technical users (and sometimes even computer geeks) can have a tough time figuring out how to configure computers to share files, troubleshoot network problems, and set security settings on wireless gear. In most cases, users must decipher acronyms like WPA-PSK, ASCII, and MAC to set up a secure wireless network. Additionally, Windows networking tools don't do the best job of explaining terms and features, and detecting and warning users of possible security risks of their network.

Pure Networks' mission behind the Network Magic software is to help users in homes and small businesses set up and manage their network quickly and easily. Of course, when users have networking questions or problems they can browse sites for information, reference a book, or call their closest computer nerd. However, Network Magic sets out to automate the networking experience, so the ordinary user can connect, secure, share and troubleshoot with ease.

For this review we put the software through its paces to see if it delivers on its promises.

Installation and setup

The first step is to install Network Magic on all your computers. After a quick download of the free or trial version from the company Web site, start the Setup Wizard. After an uneventful install, our Web browser opened to a Web page that explained Pure Networks' participation in the seemingly popular TrialPay program — great for networking on a budget.

When Network Magic opened, it launched a wizard, which required some initial configuration. Right away, it detected an issue — Internet Connection Sharing (ICS) was enabled on the Windows XP machine, and Network Magic can't do its magic with this Windows feature on. This likely won't be an issue for you since ICS is typically used on networks without a router. However, it can be used, as in the case we were testing out for another project, to extend the network connection of a computer wirelessly connected to the network to another computer nearby (without a wireless card) via an Ethernet cable. This way, you do not have to purchase another wireless card or run Ethernet cabling all the way to the router to get the non-wireless PC on the network.

The Network Magic wizard also steps through setting up the basic settings, like names for your computers (called Friendly Names), the folders and printers to be shared, and whether you want to receive an Internet and computer activity report automatically each day.

Connecting to wireless networks

Once we had Network Magic ready to go, it was easy to connect to wireless networks. You connect to and manage available and favorite networks through the Wireless Network Manager component, accessible via Network Magic's wireless signal icon in the system tray and from the main Network Tasks screen of Network Magic. To our delight, we noticed there was a way to connect to hidden networks. This way you can disable the broadcasting of your wireless network's SSID (or Network Name) for another layer of protection.

Troubleshooting wizards

Pure Networks boasts about how Network Magic can "quickly troubleshoot, pinpoint and repair Internet connection problems" and aid in general networking and wireless issues. So we set off to see how well the software works with simulated network problems a user might experience.

First, we hit the stand-by button on the cable modem, which cuts off the Internet connection for the wireless router. On the computers, Network Magic prompted us that the Internet connection was lost, and we began using the troubleshooting wizard to see if this would help pinpoint the issue. First, it ran a series of automated tasks, disabling and re-enabling the network connection and requesting a new IP address. Then, it had us perform a few tasks and checks on the router and modem. Just before we exhausted the wizard's steps, we were instructed to check the status lights of the modem. This helps determine what brought down the Internet connection: the modem was in stand-by mode, so you must hit the stand-by button again to restore it.

Next, we wanted to see what Network Magic might do when we have a fight on the network. In technical terms, this is referred to as an IP address conflict: Two computers or devices connected to the network have the same "unique" identifying address. The devices involved in a conflict usually encounter problems like not being able to reach the Internet.

To force such a conflict, we manually set one computer's IP address to an address already in use by another computer. Just after we hit Apply, Windows prompted us about the conflict, not Network Magic. Furthermore, when we ran the troubleshooting wizard in Network Magic it didn't pinpoint the problem, but Network Magic would have still helped you in this situation. The first task was for us to power-cycle the router, making all the computers (with DHCP or automatic addressing) request new IP addresses, which in turn broke up the network battle.
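The conflict described above is exactly the kind of thing a small script can pinpoint when the wizard cannot. The following is an added example, not part of the review or Pure Networks' software: it merges the ARP caches of several computers (constructed sample text in the format of Windows `arp -a`) and reports any IP address that different computers resolved to different MAC addresses, which is the signature of two devices claiming the same address.

```python
"""Detect IP address conflicts by merging ARP caches gathered from several
computers on the same LAN.  An address that resolves to two different MAC
addresses is being claimed by two devices (the "network battle" above)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample caches (not captured from the reviewed network), one per
# computer, in the format printed by `arp -a` on Windows XP/Vista.
ARP_CACHES = {
    "pc-vista": """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
    "pc-xp": """
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          00-aa-bb-cc-dd-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
""",
}

# One cache entry: IPv4 address, MAC (Windows uses '-' separators), type.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(?P<type>dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_cache(text):
    """Yield (ip, mac) pairs from `arp -a` output, skipping header lines."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group("ip"), m.group("mac").lower().replace(":", "-")


def is_ordinary_host(ip, mac):
    """Ignore broadcast and multicast entries; those legitimately map one IP
    to a group address and would otherwise look like conflicts."""
    if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
        return False
    return not ipaddress.ip_address(ip).is_multicast


def find_ip_conflicts(caches):
    """Return {ip: {mac: [observing computers]}} for every IP that at least
    two different MAC addresses were seen answering for."""
    seen = defaultdict(lambda: defaultdict(list))
    for observer, text in caches.items():
        for ip, mac in parse_arp_cache(text):
            if is_ordinary_host(ip, mac):
                seen[ip][mac].append(observer)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(ARP_CACHES).items():
        print(f"IP conflict on {ip}:")
        for mac, observers in macs.items():
            print(f"  {mac} (seen by {', '.join(observers)})")
```

Run on the sample, it reports 192.168.1.30 answered by two different MACs; the router at 192.168.1.1, seen identically by both computers, is not flagged.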

The final test was a simulated loss of sharing on one of the computers. We simply went into the Network Connection Properties window on one of the computers and unchecked the File and Printer Sharing option, thus preventing the other computers from accessing the folders it was sharing. When we went to another computer to try to access one of its shared folders, it was not possible.

Sadly, Network Magic is unable to help with this issue. The software suggests that firewalls typically cause this inability to access shared folders; however, there was no mention of checking the Windows File and Printer Sharing settings. Furthermore, even if Windows Firewall had caused this sharing issue, the software did not automate the fix.

Advisor, security, and alert functions

Network Magic's most beneficial advisor functionality comes from the Health and Security Alerts and Wireless Protection feature. You are alerted to potential security risks, for example not being connected to an encrypted wireless network, and even when critical Windows updates are not installed on PCs. Another impressive feature we found is the ability to set up two wireless security techniques, MAC address filtering (called Network Lock) and disabling SSID (Network Name) broadcasting, right from Network Magic when using a supported router.

We were not, however, very impressed with the intrusion detection feature Network Magic provides. When someone joins the network, a pop-up window appears on each computer loaded with Network Magic to alert users that someone has joined. If the computer that joins is unrecognized, you can view the Network Map, right-click on the computer's icon, and select Track as Intruder. However, Network Magic doesn't come out and recommend enabling the Network Lock feature or any other feature to help protect the network.

Resource sharing and network map

You should find it fairly easy to share and access folders and printers on computers loaded with Network Magic, although you can't specify advanced sharing permissions or exactly who can access and edit the folders. Remote access to shared folders using the Net2Go feature is easily enabled when using a supported router. This makes it very useful to share files with others or to have access to files when away from your home or office.

The Network Map provides a useful diagram of the network and details of each computer or device, such as signal strength for wireless connections and IP and MAC addresses. Computers even have a link for quick remote desktop access. Clicking the router's icon gives you quick access to the Web-based configuration utility, support information, links to settings on the router and more.

Saturday, 16 August 2008

Define Wireless Network Security Policies

With a wireless network, you must consider security policies that will protect resources from unauthorized people. Let’s take a look at what you should include in a wireless network security policy for an enterprise. Consider the following recommendations:

Activate 802.11 encryption to make data unintelligible to unauthorized users. WEP has weaknesses, making it inadequate for protecting networks containing information extremely valuable to others. There are some good hackers out there who can crack into a WEP-protected network using freely-available tools. The problem is that 802.11 doesn’t support the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and years. For encryption on enterprise networks, aim higher and choose WPA, which is now part of the 802.11i standard. Just keep in mind that WPA (and WEP) only encrypts data traversing the wireless link between the client device and the access point. That may be good enough if your wired network is physically secured from hackers. If not, such as when users are accessing important information from Wi-Fi hotspots, you’ll need more protection.

Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security. If users need access to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end encryption and access control. Some companies require VPNs for all wireless client devices, even when they’re connecting from inside the secured walls of the enterprise. A “full-throttle” VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside the enterprise and VPNs for the likely fewer users who need access from hotspots.

Utilize 802.1x-based authentication to control access to your network. There are several flavors of 802.1x port-based authentication systems. Choose one that meets the security requirements for your company. For example, EAP-TLS may be a wise choice if you have Microsoft servers.

Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy access to corporate servers located on different, more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is similar to a public network, except you can apply encryption and authentication mechanisms to the wireless users.


Ensure firmware is up-to-date in client cards and access points. Vendors often implement patches to firmware that fix security issues. On an ongoing basis, make it a habit to check that all wireless devices have the most recent firmware releases.

Ensure only authorized people can reset the access points. Some access points will revert back to factory default settings (i.e., no security at all) when someone pushes the reset button on the access point. We’ve done this when performing penetration testing during security assessments to prove that this makes the access point a fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical security for the access point hardware. For example, don’t place an access point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to reset the access point via an RS-232 cable through a console connection. To minimize risks of someone resetting the access point in this manner, be sure to disable the console port when initially configuring the access point.

Disable access points during non-usage periods. If possible, shut down the access points when users don’t need them. This limits the window of opportunity for a hacker to use an access point to their advantage as a weak interface to the rest of the network. To accomplish this, you can simply pull the power plug on each access point; however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical manner via centralized operational support tools.

Assign “strong” passwords to access points. Don’t use default passwords for access points because they are also well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodically. Ensure passwords are encrypted before being sent over the network.

Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.

Reduce propagation of radio waves outside the facility. Through the use of directional antennas and RF shielding, you can direct the propagation of radio waves inside the facility and reduce the “spillage” outside the perimeter. This not only optimizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate network through an access point. This also reduces the ability for someone to jam the wireless LAN - a form of denial-of-service attack - from outside the perimeter of the facility. In addition, consider setting access points near the edge of the building to lower transmit power to reduce range outside the facility. This testing should be part of the wireless site survey.

Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating system) files on other users’ devices that are associated with an access point on the same wireless network. As a result, it’s crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls are part of various operating systems, such as Windows XP and Vista, and are available as third-party applications as well.

Control the deployment of wireless LANs. Ensure that all employees and organizations within the company coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of unauthorized access points. Mandate the use of approved vendor products whose security safeguards you’ve had a chance to verify. Maintain a list of authorized radio NIC and access point MAC addresses that you can use as the basis for identifying rogue access points.
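The authorized-MAC list in the last recommendation, together with the encryption and 802.1X requirements above, can be turned into an automated audit of what a client actually sees on the air. The following is an added example, not from the original post: it parses a constructed scan result in the style of Windows `netsh wlan show networks mode=bssid` and compares each BSSID against a hypothetical policy (the SSID, authorized BSSIDs and required WPA2-Enterprise/CCMP settings are assumptions for the example), flagging unknown access points that advertise the corporate SSID, authorized access points that have lost their security settings (for instance after a factory reset), and strong unknown access points nearby.

```python
"""Audit a wireless scan against an enterprise wireless policy: authorized
BSSIDs must use the required authentication/encryption, and no unauthorized
BSSID may advertise the corporate SSID."""
import re

# Constructed scan output (not captured from a real site) in the style of
# `netsh wlan show networks mode=bssid`.  Each SSID block carries the security
# settings; each BSSID line is one access point radio.
SCAN_OUTPUT = """
SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 84%
         Channel            : 6

SSID 2 : CorpNet
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:de:ad:be:ef:01
         Signal             : 70%
         Channel            : 11

SSID 3 : default
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:56
         Signal             : 91%

SSID 4 : CoffeeShop
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:cc:cc:cc:cc:01
         Signal             : 32%
"""

# Hypothetical policy for the example: the corporate SSID, the MAC addresses of
# the company's own access points, and the required security settings.
POLICY = {
    "ssid": "CorpNet",
    "authorized_bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "auth": "WPA2-Enterprise",  # 802.1X-based authentication
    "enc": "CCMP",              # AES encryption, not WEP/TKIP
    "nearby_signal": 60,        # unknown APs at or above this % are reported
}

SSID_KEY = re.compile(r"^SSID \d+$")
BSSID_KEY = re.compile(r"^BSSID \d+$")


def parse_scan(text):
    """Return one dict per BSSID: ssid, auth, enc, bssid, signal (percent)."""
    nets, current = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")  # first colon only; MACs keep theirs
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if SSID_KEY.match(key):
            current = {"ssid": value}        # empty value = hidden SSID
        elif key == "Authentication":
            current["auth"] = value
        elif key == "Encryption":
            current["enc"] = value
        elif BSSID_KEY.match(key):
            nets.append({**current, "bssid": value.lower(), "signal": 0})
        elif key == "Signal" and nets:
            nets[-1]["signal"] = int(value.rstrip("%"))
    return nets


def audit_scan(nets, policy):
    """Return (finding, bssid, detail) tuples for every policy violation."""
    findings = []
    for n in nets:
        if n["bssid"] in policy["authorized_bssids"]:
            # Our own AP: it must run the mandated authentication/encryption.
            if n.get("auth") != policy["auth"] or n.get("enc") != policy["enc"]:
                findings.append(("misconfigured-ap", n["bssid"],
                                 f"{n.get('auth')}/{n.get('enc')}"))
        elif n["ssid"] == policy["ssid"]:
            # Unknown radio using our SSID: rogue or impersonating AP.
            findings.append(("impersonating-ap", n["bssid"], n["ssid"]))
        elif n["signal"] >= policy["nearby_signal"]:
            findings.append(("unknown-ap-nearby", n["bssid"],
                             n["ssid"] or "<hidden>"))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(parse_scan(SCAN_OUTPUT), POLICY):
        print(*finding)
```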

With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider actual security needs.


Assign “strong” passwords to access points. Don’t use default passwords for access points because they are also well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodically. Ensure passwords are encrypted before being sent over the network.

Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.

The encryption, 802.1x and SSID-broadcast items above can be turned into an automated check of an access point's configuration. The script below is an added example, not code from the article: it audits a hostapd-style configuration file (hostapd option names are real; the two sample configurations are constructed, and the RADIUS address and shared secret in the hardened one are placeholders). It checks only what is written in the file, so it complements, rather than replaces, a wireless site assessment.

```python
"""Policy audit of a hostapd-style access point configuration.

Added example for the encryption, 802.1X and SSID-broadcast items above; it is
not the article's code and it checks only what is written in the file. The
hostapd option names are real; the sample configurations are constructed.
"""

# Constructed sample: WEP with a static key, SSID broadcast on, no 802.1X.
WEAK_CONFIG = """\
interface=wlan0
ssid=corp-wifi
channel=6
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: WPA2/CCMP with 802.1X (EAP) key management and a hidden
# SSID. The RADIUS server address and shared secret are placeholders.
HARDENED_CONFIG = """\
interface=wlan0
ssid=corp-wifi
channel=6
ignore_broadcast_ssid=1
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-change-me
"""


def parse_hostapd(text):
    """Return a dict of key=value settings; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text):
    """Return the list of policy findings for one AP config (empty list = compliant)."""
    conf = parse_hostapd(text)
    findings = []
    wpa_mode = int(conf.get("wpa") or 0)  # 0 = none, 1 = WPA, 2 = WPA2, 3 = both

    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP in use: static key, crackable with freely available tools")
    if wpa_mode == 0:
        findings.append("no WPA/WPA2: traffic on the wireless link is unencrypted")
    if wpa_mode & 1:
        findings.append("WPA (version 1) enabled: restrict to WPA2 with wpa=2")
    if "TKIP" in conf.get("wpa_pairwise", ""):
        findings.append("TKIP pairwise cipher allowed: use CCMP only")
    if wpa_mode and "WPA-EAP" not in conf.get("wpa_key_mgmt", ""):
        findings.append("key management is not WPA-EAP: enterprise policy requires 802.1X")
    if conf.get("ieee8021x") != "1":
        findings.append("802.1X port-based authentication is not enabled")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast in beacons (hiding it only limits casual discovery)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ap_config(cfg) or ["compliant"])
```

Run it over every AP configuration you manage (or export the equivalent settings from a controller) and treat any non-empty result as a policy exception to track.
<test>
assert audit_ap_config(HARDENED_CONFIG) == []
weak = audit_ap_config(WEAK_CONFIG)
assert len(weak) == 4
assert any("WEP" in f for f in weak)
assert any("802.1X" in f for f in weak)
assert any("SSID broadcast" in f for f in weak)
assert parse_hostapd(HARDENED_CONFIG)["wpa"] == "2"
assert parse_hostapd("# comment\n\nssid=x\n") == {"ssid": "x"}
</test>

Reduce propagation of radio waves outside the facility. Through the use of directional antennas and RF shielding, you can direct the propagation of radio waves inside the facility and reduce the “spillage” outside the perimeter. This not only optimizes coverage, it also minimizes the ability for a hacker located outside the controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate network through an access point. This also reduces the ability for someone to jam the wireless LAN - a form of denial-of-service attack - from outside the perimeter of the facility. In addition, consider setting access points near the edge of the building to lower transmit power to reduce range outside the facility. This testing should be part of the wireless site survey.
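To see how much a transmit-power reduction actually shrinks a cell, the free-space link budget is the quickest back-of-the-envelope tool. The functions below are an added example, not part of the article: they implement the standard free-space path-loss formula and invert it to get range from power, or power from a target range. The sample figures (20 dBm AP, -85 dBm client sensitivity, 2.4 GHz, unity-gain antennas) are constructed. Free space is an upper bound (no walls, no multipath), which is exactly why the article says the site survey must make the final call.

```python
"""Free-space link-budget estimate behind the transmit-power recommendation above.

Added example, not from the article. Free-space path loss gives an upper bound
on range (no walls, no multipath), so it shows how much a power cut shrinks a
cell; the wireless site survey decides the real setting.
"""
import math


def fspl_db(distance_m, freq_hz):
    """Free-space path loss: 20*log10(d) + 20*log10(f) - 147.55 dB (d in m, f in Hz)."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55


def max_range_m(tx_dbm, rx_sensitivity_dbm, freq_hz, antenna_gain_dbi=0.0):
    """Distance at which received power drops to the receiver sensitivity."""
    budget_db = tx_dbm + antenna_gain_dbi - rx_sensitivity_dbm
    # Invert fspl_db(d, f) == budget_db for d.
    return 10 ** ((budget_db - 20 * math.log10(freq_hz) + 147.55) / 20)


def tx_power_for_range_dbm(target_m, rx_sensitivity_dbm, freq_hz, antenna_gain_dbi=0.0):
    """Transmit power that places the free-space cell edge at target_m."""
    return rx_sensitivity_dbm + fspl_db(target_m, freq_hz) - antenna_gain_dbi


def range_reduction_factor(power_cut_db):
    """Fraction of the original free-space range left after cutting power by power_cut_db."""
    return 10 ** (-power_cut_db / 20)


if __name__ == "__main__":
    # Constructed figures: 20 dBm AP, -85 dBm client sensitivity, 2.4 GHz, unity gain.
    full = max_range_m(20, -85, 2.4e9)
    cut = max_range_m(14, -85, 2.4e9)
    print(f"free-space edge: {full:.0f} m at 20 dBm, {cut:.0f} m at 14 dBm")
    print(f"6 dB cut leaves {range_reduction_factor(6):.2f} of the range")
```

The useful rule of thumb that falls out of the formula: every 6 dB of transmit power you remove roughly halves the free-space range, so an edge-of-building AP can be pulled in substantially without touching the indoor coverage the survey validated.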

Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating system) files on other users’ devices that are associated with an access point on the same wireless network. As a result, it’s crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls are part of various operating systems, such as Windows XP and Vista, and of third-party applications as well.

Control the deployment of wireless LANs. Ensure that all employees and organizations within the company coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of unauthorized access points. Mandate the use of approved vendor products that you’ve had a chance to verify appropriate security safeguards. Maintain a list of authorized radio NIC and access point MAC addresses that you can use as the basis for identifying rogue access points.
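The authorized MAC list in the last item is only useful if something compares it against what is actually on the air. The script below is an added example, not the article's code: it classifies one sweep of scan results against an inventory of approved access point BSSIDs. The inventory and the scan records are constructed (locally administered test MAC addresses); in practice the input would come from a wireless scanner or the WLAN controller.

```python
"""Rogue access point check against the authorized MAC inventory.

Added example for the recommendation above; not the article's code. The
inventory and the scan results are constructed (locally administered
test MAC addresses), and a real deployment would feed in the output of a
wireless scanner or the WLAN controller.
"""

# Constructed inventory: approved AP BSSID -> SSID it is approved to serve.
AUTHORIZED_APS = {
    "02:00:5e:00:01:01": "corp-wifi",
    "02:00:5e:00:01:02": "corp-wifi",
    "02:00:5e:00:01:03": "corp-guest",
}

# Constructed scan: what a sensor saw during one sweep (mixed MAC formats on purpose).
OBSERVED_SCAN = [
    {"bssid": "02:00:5E:00:01:01", "ssid": "corp-wifi", "channel": 1, "signal_dbm": -48},
    {"bssid": "02-00-5e-00-01-03", "ssid": "corp-guest", "channel": 6, "signal_dbm": -55},
    {"bssid": "02:00:5e:00:aa:10", "ssid": "corp-wifi", "channel": 11, "signal_dbm": -42},
    {"bssid": "02:00:5e:00:bb:20", "ssid": "linksys", "channel": 6, "signal_dbm": -70},
]


def normalize_mac(mac):
    """Canonical lower-case colon form so inventory and scanner output compare equal."""
    return mac.strip().lower().replace("-", ":")


def classify_scan(scan, authorized):
    """Sort observed BSSIDs into categories a WLAN admin can act on.

    authorized:    known BSSID serving its approved SSID
    misconfigured: known BSSID serving a different SSID than approved
    ssid_spoof:    unknown BSSID advertising one of our SSIDs (highest priority)
    unknown:       unknown BSSID, foreign SSID (neighbor or rogue; locate it)
    """
    inventory = {normalize_mac(k): v for k, v in authorized.items()}
    our_ssids = set(inventory.values())
    result = {"authorized": [], "misconfigured": [], "ssid_spoof": [], "unknown": []}
    for entry in scan:
        bssid = normalize_mac(entry["bssid"])
        ssid = entry["ssid"]
        if bssid in inventory:
            bucket = "authorized" if inventory[bssid] == ssid else "misconfigured"
        elif ssid in our_ssids:
            bucket = "ssid_spoof"
        else:
            bucket = "unknown"
        result[bucket].append({**entry, "bssid": bssid})
    return result


def missing_authorized_aps(scan, authorized):
    """Approved APs not seen in this sweep (down, moved, or out of sensor range)."""
    seen = {normalize_mac(e["bssid"]) for e in scan}
    return sorted(normalize_mac(k) for k in authorized if normalize_mac(k) not in seen)


if __name__ == "__main__":
    report = classify_scan(OBSERVED_SCAN, AUTHORIZED_APS)
    for bucket in ("ssid_spoof", "unknown", "misconfigured", "authorized"):
        for ap in report[bucket]:
            print(f"{bucket:13} {ap['bssid']} ssid={ap['ssid']} "
                  f"ch={ap['channel']} {ap['signal_dbm']} dBm")
    print("not seen:", missing_authorized_aps(OBSERVED_SCAN, AUTHORIZED_APS))
```

The "ssid_spoof" bucket deserves the fastest response, since a device outside the inventory advertising the corporate SSID is exactly what the MAC list exists to catch; the "unknown" bucket is usually a neighbor but still needs to be located and confirmed.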

With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider actual security needs.

Friday, 20 June 2008

Quick Review of Network Access Control (NAC) for Wireless Network

The IT Division of the International Islamic University (IIUM) has conducted a series of Proof of Concept (PoC) tests of five different Network Access Control (NAC) products to assess how feasibly each could be deployed on their heterogeneous wireless network. The project, led by Mr. Jaiz Anuar, aims to determine the best solution to the common technical problems they face, such as how to integrate, and indirectly control, two different network segments. It also measured throughput, which was used to identify the solution best suited to their environment. Above all, the NAC features they evaluated must be able to protect the wireless network from any technique used to mount network attacks.

The products tested during the PoC were Consentry, Infoexpress, Aruba ECS, Bradford and Juniper.

Bridging provides an ad-hoc path for an attacker to get inside an otherwise secure corporate network. Since the network bridging technique can bypass the gateway security, it became the most critical feature that the tested NAC products had to handle. The NAC solution must be able to detect network bridging activities run by users, including:
  • bridging via UTP cable
  • bridging via Bluetooth
  • bridging via GPRS, EDGE, 3G or HSDPA
  • other possible methods of bridging, such as via FireWire, USB, PCMCIA, etc.



The team also included another requirement:

  • the system must be able to quarantine, disconnect or isolate users from the wireless network as soon as they activate a bridge.

In fact, most bridging activity creates a back door into an otherwise secure network. That is why this feature is really important to them.
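What "detect bridging" looks like on the host is worth spelling out. The script below is an added example, not one of the NAC products IIUM tested: it evaluates a posture snapshot of a host's network interfaces and reports both layer-2 bridging (wireless and wired ports enslaved to one bridge device) and layer-3 bridging (IP forwarding enabled with a second uplink such as a 3G/HSDPA modem, Bluetooth or cable up). The snapshots are constructed; on a Linux host the same facts come from /sys/class/net/<if>/ (wireless/, bridge/, brport/) and /proc/sys/net/ipv4/ip_forward, and a NAC agent would re-collect them on every posture check.

```python
"""Host-side detection of the bridging scenarios listed above.

Added example, not one of the NAC products IIUM tested. It evaluates a posture
snapshot of the host's interfaces; the snapshots below are constructed. On a
Linux host the same facts come from /sys/class/net/<if>/ (wireless/, bridge/,
brport/) and /proc/sys/net/ipv4/ip_forward, and a NAC agent would collect
them on each re-check.
"""

# Interface types that give a second path out of the host, next to the wireless link.
UPLINK_TYPES = {"ethernet", "wwan", "bluetooth", "usb", "firewire"}

# Constructed: laptop on the campus Wi-Fi that also has a 3G modem up and forwards IP.
SNAPSHOT_L3_FORWARDING = {
    "ip_forward": True,
    "interfaces": [
        {"name": "wlan0", "type": "wlan", "up": True, "bridge": None},
        {"name": "wwan0", "type": "wwan", "up": True, "bridge": None},
        {"name": "eth0", "type": "ethernet", "up": False, "bridge": None},
    ],
}

# Constructed: wireless and wired ports joined into a layer-2 bridge br0.
SNAPSHOT_L2_BRIDGE = {
    "ip_forward": False,
    "interfaces": [
        {"name": "br0", "type": "bridge", "up": True, "bridge": None},
        {"name": "wlan0", "type": "wlan", "up": True, "bridge": "br0"},
        {"name": "eth0", "type": "ethernet", "up": True, "bridge": "br0"},
    ],
}

# Constructed: ordinary client, only the wireless link is up.
SNAPSHOT_CLEAN = {
    "ip_forward": False,
    "interfaces": [
        {"name": "wlan0", "type": "wlan", "up": True, "bridge": None},
        {"name": "eth0", "type": "ethernet", "up": False, "bridge": None},
        {"name": "bnep0", "type": "bluetooth", "up": False, "bridge": None},
    ],
}


def detect_bridging(snapshot):
    """Return findings describing how the host bridges the wireless network, if at all."""
    ifaces = snapshot["interfaces"]
    wlan_up = [i for i in ifaces if i["type"] == "wlan" and i["up"]]
    findings = []
    if not wlan_up:
        return findings  # not on the wireless network, nothing to bridge

    # Layer-2: a wireless port and another port enslaved to the same bridge device.
    for w in wlan_up:
        if w["bridge"]:
            peers = [i["name"] for i in ifaces
                     if i["bridge"] == w["bridge"] and i["name"] != w["name"]]
            if peers:
                findings.append(
                    f"layer-2 bridge {w['bridge']} joins {w['name']} with {', '.join(peers)}")

    # Layer-3: IP forwarding on with a second uplink up (cable, 3G/HSDPA, Bluetooth...).
    if snapshot["ip_forward"]:
        others = [i["name"] for i in ifaces if i["type"] in UPLINK_TYPES and i["up"]]
        if others:
            findings.append(
                f"IP forwarding enabled between {wlan_up[0]['name']} and {', '.join(others)}")
    return findings


def enforcement_action(snapshot):
    """The requirement above: isolate the host the moment a bridge is active."""
    return "isolate" if detect_bridging(snapshot) else "allow"


if __name__ == "__main__":
    for label, snap in (("clean", SNAPSHOT_CLEAN), ("l3", SNAPSHOT_L3_FORWARDING),
                        ("l2", SNAPSHOT_L2_BRIDGE)):
        print(label, enforcement_action(snap), detect_bridging(snap))
```

Note the design choice: a second interface merely being up is not a finding on its own (a docked laptop is normal); it becomes one only when forwarding or a bridge device actually joins it to the wireless side, which is the condition the isolation requirement is about.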

In addition, the overall design of the IIUM network infrastructure is considered a heterogeneous network. They added another important requirement: the tested NAC appliance must be able to support multiple protocols, both 802.1x and non-802.1x, and multiple OS platforms, e.g. Windows, Mac OS X and Linux clients.

Finally, after the PoC, Mr. Jaiz and his team concluded that none of the five NAC products met their requirements 100%, but they ranked the products after taking into consideration several aspects of their network environment and the end-user experience:

  1. Infoexpress
  2. Juniper
  3. Aruba ECS
  4. Bradford
  5. Consentry


What’s So Great About Deploying NAC in IIUM ?

The planned deployment of Network Access Control (NAC) technology aims to protect IIUM’s heterogeneous wireless networks from the public, and often dangerous, Internet reaching in through a back door (possibly opened via 3G, Bluetooth, FireWire, UTP, USB, etc.). It also provides protection from viruses and other types of malware that may be resident on the mobile gadgets that staff, students and visitors connect to the IIUM wireless networks. NAC places a virtual shield around a network by guarding its endpoints, the places where the heterogeneous wireless networks mesh with the outside world.

A survey conducted earlier this year by Infonetics, a technology research firm located in San Jose, Calif., found that enterprises acquire NAC technology for various reasons, including blocking viruses (86 percent), intercepting external attacks (80 percent), stopping spyware/malware (73 percent) and blocking e-mail attacks (70 percent). Other motivations cited by the respondents included regulatory compliance (54 percent), adding LAN security (45 percent), blocking internal attacks (38 percent) and meeting customer and business partner demands (36 percent).

Much of NAC’s overall appeal comes from its simplicity, as well as its ability to provide enhanced security and more sanitized networks with little or no negative impact on community productivity, especially at IIUM. In fact, many institutions that have adopted NAC technology report improved productivity. By deploying it, the IIUM community is now free to use devices that were formerly banned from other enterprise networks due to security concerns. By deploying NAC, ITD is trying to secure the wireless connection even for browsing via smartphone or PDA, since these devices do not really have good antivirus software; Symbian OS, for one, has already been infected by mobile viruses.

NAC often arrives on customer premises in the form of a network appliance. This approach is appealing to many enterprises, and it is the solution ITD is looking for: the appliance must simply be plugged into the wireless network, providing fast, painless, out-of-the-box security while avoiding changes to the existing configuration. Many NAC appliances are multifunction security devices, offering capabilities such as network-based virus scanning and intrusion prevention systems (IPSs) along with NAC. The appliance must be capable of integrating with the existing equipment.

Non-appliance-based approaches to NAC are more complex and tend to require a bit more hands-on work. The alternatives are to enforce NAC with functionality built into network devices, such as switches, or to enforce NAC using SSL VPN gateways.

No network is airtight: malware continues to get in, whether via mobile gadgets (PDAs, smartphones), staff, student or guest laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let’s face it: sometimes attackers are just smarter than we are. Even companies following best practices get hit.

Deploying NAC doesn’t just mean security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in our policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in, the computer’s patch level, and whether anti-malware or desktop firewall software is installed, running and current, ITD can decide whether to limit access to network resources based on the host’s condition. A host that doesn’t comply with the defined policy can be directed to remediation servers or put into the quarantine VLAN.

Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied access until it was patched, Slammer would have had a much less dramatic effect.
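The posture checks of the two paragraphs above, and the Slammer case in particular, come down to a small policy engine: collect facts about the host, test them against thresholds, and map the worst failure to a VLAN. The code below is an added example, a toy engine and not any vendor's NAC. The policy, the three host reports and the evaluation date are constructed; the unpatched "MSDE 2000" entry stands in for the Slammer scenario, and the choice to hold a host with no logged-in user on the remediation VLAN is an illustrative policy decision, not something the text prescribes.

```python
"""Posture-based admission decision of the kind the paragraphs above describe.

Added example, a toy policy engine rather than any vendor's NAC. The policy,
the host reports and the evaluation date are all constructed; the unpatched
MSDE 2000 entry stands in for the Slammer example.
"""
from datetime import date

# Constructed policy: VLAN names and thresholds are illustrative.
POLICY = {
    "max_patch_age_days": 30,
    "max_signature_age_days": 7,
    "required_agents": ("antimalware", "host_firewall"),
    # Software that must not be present unpatched (compared by name; Slammer-style case).
    "must_be_patched": ("MSDE 2000",),
    "vlans": {"allow": "corp", "remediate": "remediation", "quarantine": "quarantine"},
}

# Constructed host posture reports, as an agent or a network scan might deliver them.
HOSTS = {
    "laptop-01": {
        "logged_in_user": "alice",
        "last_patched": date(2008, 6, 10),
        "agents": {"antimalware": {"running": True, "signatures": date(2008, 6, 19)},
                   "host_firewall": {"running": True}},
        "software": {"MSDE 2000": {"patched": True}},
    },
    "lab-pc-07": {
        "logged_in_user": None,
        "last_patched": date(2008, 1, 15),
        "agents": {"antimalware": {"running": True, "signatures": date(2008, 5, 1)},
                   "host_firewall": {"running": True}},
        "software": {"MSDE 2000": {"patched": False}},
    },
    "guest-pda": {
        "logged_in_user": "visitor",
        "last_patched": date(2008, 6, 1),
        "agents": {"antimalware": {"running": False, "signatures": date(2008, 6, 1)}},
        "software": {},
    },
}

SEVERITY = {"allow": 0, "remediate": 1, "quarantine": 2}


def evaluate_host(report, policy, today):
    """Return (decision, vlan, reasons); the worst failing check decides the VLAN."""
    reasons = []
    decision = "allow"

    def fail(level, why):
        nonlocal decision
        reasons.append(why)
        if SEVERITY[level] > SEVERITY[decision]:
            decision = level

    # Known-exploitable software left unpatched: quarantine, never just remediate.
    for name in policy["must_be_patched"]:
        entry = report["software"].get(name)
        if entry is not None and not entry.get("patched", False):
            fail("quarantine", f"{name} present and unpatched")
    # Patch level.
    if (today - report["last_patched"]).days > policy["max_patch_age_days"]:
        fail("remediate", "OS patches older than policy allows")
    # Required agents installed, running and current.
    for agent in policy["required_agents"]:
        state = report["agents"].get(agent)
        if state is None:
            fail("remediate", f"{agent} not installed")
        elif not state.get("running", False):
            fail("remediate", f"{agent} not running")
        elif ("signatures" in state
              and (today - state["signatures"]).days > policy["max_signature_age_days"]):
            fail("remediate", f"{agent} signatures out of date")
    # Policy choice: an unattended host stays off the corporate VLAN until someone logs in.
    if not report["logged_in_user"]:
        fail("remediate", "no user logged in")
    return decision, policy["vlans"][decision], reasons


if __name__ == "__main__":
    today = date(2008, 6, 20)  # constructed evaluation date
    for host, report in HOSTS.items():
        print(host, *evaluate_host(report, POLICY, today))
```

The ordering matters: every check runs and every reason is recorded, but the severity lattice means an unpatched known-exploitable service sends the host to quarantine regardless of how many lesser checks it also fails, which is the Slammer lesson in one line.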

With all the available choices, settling on the right NAC technology from the right vendor requires a significant amount of research. The final selection usually boils down to finding the product that most closely matches IIUM’s NAC goals and the network’s size, complexity, budget and configuration.