Will the real Wireless security procedure please stand up?

James Colbert

When I set up my (only on when needed) wireless network, I researched many tutorials, security schemes and 'expert' opinions. So how can it be that what some say are essential steps to truly securing your wireless network, others say are myths and, in fact, detrimental to security?

Having read the information at the links provided, I've come to believe the latter.

First, a tutorial on these forums:

http://www.sevenforums.com/tutorials/105015-wireless-security-how-protect-your-network.html

Note the recommendations to disable SSID broadcasting, use MAC filtering and turn off DHCP.

Even Linksys endorses some of these practices:

Linksys | Learning Center

Now read the information at these links (below). They not only contradict these methods, but condemn them as 'security suicide':

The six dumbest ways to secure a wireless LAN | ZDNet

Wireless LAN security guide - By George Ou

How to break MAC filtering (wifi security)

MAC filtering seems to be the largest security vulnerability here...It seems that any MAC address entered in the permit filter is automatically allowed in...no password authentication required!(?) With the right freeware, anyone can determine your MAC address and spoof it. One article analogizes this to using an ID card which anyone can steal and walk right in the front door with no one to stop them.

One wonders, if the 'accepted' practices of filtering, SSID disabling, etc. are so detrimental to security, why do these "myths" continue unabated?

I myself have disabled MAC filtering. SSID broadcast disabling doesn't seem to be a large issue, so I'll wait to re-enable that when more data is in.

Not mentioned yet is a strong password. This may be the best defense, coupled with a strong security protocol (such as WPA, WPA2) and encryption. Is there more?

I'd be interested in hearing from the security experts amongst us. Any other links or information (on wireless or CAT5 networks) are very welcome!

James
 
Use both MAC Filtering and a strong Password. The SSID doesn't matter, it won't have an impact on security one way or the other. Turning off or on DHCP will not affect security. DHCP just manages handing out IP addresses (and other network information) so you don't have to do it manually.

But yes, use both MAC filtering and a strong Password/Encryption, the strongest your Wireless Hub/Card can support.
 

use both MAC filtering and a strong Password/Encryption the strongest your Wireless Hub/Card can support.

But doesn't MAC filtering leave one susceptible to MAC spoofing? From what I've read (and admittedly, this doesn't seem clear), MAC filtering authenticates a MAC address and thus does not require the password. Is this correct?
 

The way I understand this to work is that if using mac filtering you must be on the allowed list and enter the password - this is the way it has always worked on the many different routers that I have used in the last 30+ years.

As for the non display of the SSID, this is a simple but effective security system - if a potential hacker cannot see the network as existing then they are less likely to try to hack it.
 

The way I understand this to work is that if using mac filtering you must be on the allowed list and enter the password - this is the way it has always worked on the many different routers that I have used in the last 30+ years.

Hi Barman,

That's the way it should work, but in my readings, there seem to be vague implications, but nothing that outrightly states that permitted MACs must also use pw authentication. Seems a no-brainer, but I'd really like to see a definitive statement on the matter rather than set up wireless networks only to find out later that I left a gaping security hole. I just can't seem to find an authoritative article plainly stating that (likely) reality.

as for the non display of the SSID this is a simple but effective security system - If a potential hacker cannot see the network as existing then they are less likely to try to hack it

That's what I thought, until I found this MS article last night (incidentally, I have SSID set to hidden, also MAC filters and strong, strong password and encryption passphrase):

Non-broadcast Wireless Networks with Microsoft Windows
 

That's the way it should work

It comes down to how you configure it and if your hardware allows you to do so. Having both MAC Filtering and a strong password is security in depth. However, as far as I know all of them support MAC Filtering and Passwords because that Password is part of the encryption key. Without it the encryption will fail. And no, the Wireless HUB never sends the full encryption key to any computer.

Now as for SSID, you only are hiding one part of it. There are several ways to actually see a wireless network. Just because it doesn't broadcast an SSID does not make it invisible. Any serious attacker will get around that in a jiffy.
 

All that anyone can do with regards to data security is to assess the level of protection applied, potential loss involved and likelihood of attack. No system is 100% secure; all we need to do is make the system more difficult to break than the next person's system, so that the hacker moves on to the easier target.

Home users are unlikely to be targeted directly by the professional hacker, the potential return is just not there. It is more likely that the security discussed here will deter the casual opportunist looking for free wireless access (these are unlikely to be using network sniffers, in any case).

The use of limited accounts protected with secure passwords at the file level, firewalls, and the best available wireless security should suffice to prevent all but the most determined attack.

In a business environment the stakes are higher, as is the likelihood of attack, and then the more advanced systems are viable. I have worked with systems where all data drives were physically removed from site outside of working times, so the security levels can vary tremendously.
 

Thanks Barman and logicearth. I appreciate the input. I'm going to play around with some neighbors' wireless networks (with permission, of course :) ) just to see what I come up with. I'll post back if anything of interest is discovered.

James
 

Just updating for those who may turn up this thread in google...as mentioned, mac filtering is an additional layer of security rather than a free pass in for spoofers (i.e., passphrase still necessary).

Here is a pretty good primer on wireless security:

Wireless Wi-Fi network security tutorial 101 (part 1)

Note that it is 4 parts. The link to part two is near the end of the article, with subsequent links in subsequent parts.

Here also is a link to the Technologies branch of this site, which contains a lot of good info:

Technologies (IT & IS)

James
 

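Added example, not part of the original thread or any poster's code: a small Python model of the point made in the replies above (the password is part of the encryption key, and a permitted MAC still needs the passphrase). It uses the WPA/WPA2-Personal key derivation; the SSID, passphrase, MAC addresses and the stand-in handshake frame are constructed sample values.

```python
import hashlib, hmac, os

# Constructed sample values (assumptions, not from the thread).
SSID, PASSPHRASE = "HomeNet", "correct horse battery staple"
AP_MAC = bytes.fromhex("020000000001")
LAPTOP_MAC = bytes.fromhex("0200000000aa")   # on the allow list
OTHER_MAC = bytes.fromhex("0200000000bb")    # not on the allow list

def derive_pmk(passphrase, ssid):
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    # 802.11i PRF over both MACs and both nonces; the first 16 bytes of the
    # pairwise key are the key confirmation key (KCK) used for the MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    block = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00",
                     hashlib.sha1).digest()
    return block[:16]

def mic(kck, frame):
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

class AccessPoint:
    def __init__(self, ssid, passphrase, mac, allowed_macs):
        self.mac, self.allowed = mac, set(allowed_macs)
        self.pmk = derive_pmk(passphrase, ssid)   # never sent over the air

    def admit(self, sta_mac, anonce, snonce, frame, client_mic):
        if sta_mac not in self.allowed:           # layer 1: MAC allow list
            return "rejected: MAC not on allow list"
        kck = derive_kck(self.pmk, self.mac, sta_mac, anonce, snonce)
        if not hmac.compare_digest(client_mic, mic(kck, frame)):
            return "rejected: bad MIC (wrong passphrase)"   # layer 2
        return "admitted"

def client_attempt(ap, ssid, passphrase, sta_mac):
    anonce, snonce = os.urandom(32), os.urandom(32)
    frame = b"constructed stand-in for EAPOL-Key message 2"
    kck = derive_kck(derive_pmk(passphrase, ssid), ap.mac, sta_mac, anonce, snonce)
    return ap.admit(sta_mac, anonce, snonce, frame, mic(kck, frame))

if __name__ == "__main__":
    ap = AccessPoint(SSID, PASSPHRASE, AP_MAC, [LAPTOP_MAC])
    print(client_attempt(ap, SSID, PASSPHRASE, LAPTOP_MAC))
    print(client_attempt(ap, SSID, "wrong guess", LAPTOP_MAC))
    print(client_attempt(ap, SSID, PASSPHRASE, OTHER_MAC))
```

The allow-listed address with the wrong passphrase is rejected at the integrity check, so the allow list only narrows who may attempt the handshake; the passphrase-derived key decides who completes it.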