The six dumbest ways to secure a wireless LAN

[dummkopf]

A member of this board was worried about wireless security and another member recommended to hide SSID. Please read this (original thread is locked):

http://blogs.zdnet.com/Ou/?p=43

[jdhurst]

That was not a particularly helpful article.

No one but me or my spouse has access to my computers, so no one ever sees the MAC list. So you can't spoof what you don't know. MAC filtering is a reasonable thing to do.

Turning off SSID broadcasting stops all but a determined few. I agree that this determined few can thwart my efforts, but they are not around where I live for the most part. Turning off SSID broadcasting is another reasonable thing to do.

I use a long reach Netopia router but it can't be seen very far from the house unless you have a high gain antenna. Again, people doing this are usually somewhere else.

I do agree with the author that WPA should be used as a minimum. I use all three techniques here and while no one is entirely sufficient by itself, taken altogether, I don't see any evidence whatever of penetration into my router. This is a home environment, after all, and not a business environment, so there is not much worth the effort to come after.
... JD Hurst

[Ground Loop]

That was not a particularly helpful article.

No one but me or my spouse has access to my computers, so no one ever sees the MAC list. So you can't spoof what you don't know. MAC filtering is a reasonable thing to do.

Why won't this idea die... Your MAC is a physical interface address, and it's included in every packet you transmit. It is by far, the EASIEST thing to sniff off the air. As soon as any blessed machine on your network sends one packet, I know a valid MAC address and can set my WiFi card to match.

The original article was correct, and MAC filtering presents no added security.

Turning off SSID broadcasting stops all but a determined few. I agree that this determined few can thwart my efforts, but they are not around where I live for the most part. Turning off SSID broadcasting is another reasonable thing to do.

More myth. "determined" just means someone who doesn't run the Windows XP Zero Config service. You are not hiding your SSID by turning off the beacon.

In my opinion, the article was particularly helpful because it attempts to deflate some of these bizzare notions of "security by speedbump".

[jdhurst]

Look at it from a different perspective.

The article at hand had no useful suggestions except (a) use WPA (which I do and (b) spend lots of money (which most homeowners don't want to do).

So I take it you suggest that we all leave SSID beaconing and to let any MAC address in? Why would we do this?

My point is different. Take and use all the reasonable options:
* Don't do silly things
* Use very strong passwords on all userids including administrator
* Scan for spyware and delete it daily
* Scan for viruses and delete them daily if they occur
* Use a software firewall
* Use a hardware firewall
* Turn off SSID broadcasting (well over 95 percent of users would never find you)
* Employ MAC filtering (well over 95 percent of users don't know how to spoof)
* Use WPA

Now none of these things by themselves will secure you. And I know that 1 percent of users run Linux and perhaps 10 percent of those users know how to use Airsnort. But by taking a broadbased approach and employing all available options you reduce the risk of attack significantly.

I know someone is out there who can beat me, and I never said different. But I can say that I have had a PC connected to the outside world from my home in some fashion since 1982 and I have not once ever been hacked or compromised and only once had a virus (that came on a new Windows 3.1 machine in 1994).

... JD Hurst

[Navck]

Yes, the IBM Access Connection STILL spots my WAP as a (NONE) (No name, signal and all). Infact, the INTEL utlity does just as good.

[jdhurst]

Strange indeed. I have SSID broadcasting turned off (in Netopia it is called a closed system). I have MAC filtering set only to allow specific MAC addresses. I knocked out my ThinkPad MAC from this list and rebooted the Netopia.

From the Laptop: Netstumbler can't see anything. CAIN can't see anything. And Access Connections / Windows does not see anything.

So why would your Access Connections see closed system? I know specialized tools can do this, but I would not have put Access Connections in that class.

Once again, I am not saying the foregoing is the best way to secure things. It is what I have available in my router and I combine this with other security.

... JD Hurst

[Ground Loop]

Look at it from a different perspective.

The article at hand had no useful suggestions except (a) use WPA (which I do and (b) spend lots of money (which most homeowners don't want to do).

The useful information in the article was to debunk some of the worthless notions being promoted as "security" when they are nothing of the sort. (a) and (b) above are indeed good ideas to secure your network. It's your own call if you want to implement them.

I'm not going to tell anyone else how to run their own network, and I have no real interest in how secure you feel about your arrangement, but the important thing is that we (technically literate folks) don't advise new users to use weak setups and expect the comfort of security.

So I take it you suggest that we all leave SSID beaconing and to let any MAC address in? Why would we do this?

Correct. This is what I am suggesting. Why would we do this? Because it does not weaken your security one bit, and it makes you think about real measures that would actually secure your Wireless access.

Maybe you live in a part of the country where you can name your SSID "Private-KeepOut" and that's enough to keep everyone friendly or otherwise off your network. I don't want to make that assumption here.

My point is different. Take and use all the reasonable options:
* Use very strong passwords on all userids including administrator

I'm interested in securing my network at the LAN/Packet level. If I have to rely on Windows password security to back up my WiFi, all is lost.

* Turn off SSID broadcasting (well over 95 percent of users would never find you)
* Employ MAC filtering (well over 95 percent of users don't know how to spoof)

Where do you come up with these numbers, 95%?

Let me assure you that anyone who has even a casual interest in finding or using your network, even as a digital vagabond, is within your imaginary "5%". The 95% you quote are the people blinking 12:00 on their VCR with their SSID set to "linksys".

* Use WPA

On this, we agree. WPA is reasonable security for a personal wireless LAN. If you rely on it, then it's also reasonable to keep abrest of security news to find out when it has been weakened and what alternatives are available.

And I know that 1 percent of users run Linux and perhaps 10 percent of those users know how to use Airsnort. But by taking a broadbased approach and employing all available options you reduce the risk of attack significantly.

96% of statistics are made up on the spot. A lot more than 10% of laptop Wifi Linux users have Airsnort, Kismet, or both.

All I'm saying is that we don't do anyone a favor by saying "here are some bogus ideas for security. Employ a few of them together, and you can rest easy that your data is safe." Nothing could be further from the truth. A secure and convenient network is a difficult thing to muster, even for professionals. With the advent of consumer WiFi, we're asking everyone to be their own knowledgable IT department because their network is now public. It's a tall order.

Please don't promote weak speedbumps (SSID Beacon off, MAC filtering..) as an advance in security. That's all I'm asking. If someone cares enough to take security measures, they should do it right. That requires reading, planning, and usually WPA or stronger.

[dummkopf]

So why would your Access Connections see closed system? I know specialized tools can do this, but I would not have put Access Connections in that class.

Have you ever played with Windows Explorer feature show/not to show hidden files? The files are not hidden indeed, they are barely marked hidden, and tools aware of the meaning 'hidden bit' do not show these files. The very same is here. The bradcast is indeed there, otherwise nobody could connect. It's just marked hidden for you, user. Hiding SSID and using MAC authentication are good measures to keep honest men honest. Malicious cracker may even not notice your SSID is hidden. Relying on these "security measures" is nothing but deceiving yourself.

[jdhurst]

Would dummkopf and Ground Loop please tell us:
1. What wireless routers they use in a home network? (Make and model)
and,
2. How they secure it above and beyond what is available in the majority of home wireless routers.

I don't differ at all with the theory of your points. I am looking at overall risk assessment and ways to mitigate it. Thanks in advance for responding. ... JD Hurst

[dummkopf]

Well...
There are two sides... The first thing is to recognize the problem. This is why I started this thread.
Solving the problem is another story. I sincerely do not think I can solve something what has been a headache for IT security specialists all around the world. WPA seems to be a way to go right now. I know, not all, in particular older equipment supports it.
Here is an interesting firmware for those with adventurous souls: http://openwrt.org/TableOfHardware