Protected WLAN

Marko Vojinovic vvmarko at gmail.com
Tue May 17 18:54:39 UTC 2011


On Tuesday 17 May 2011 18:11:03 James McKenzie wrote:
> On Tue, May 17, 2011 at 9:36 AM, Frank Murphy <frankly3d at gmail.com> wrote:
> > On 17/05/11 14:30, Misha Shnurapet wrote:
> >> Which WLAN protection method would you recommend?
> >> * Shared key
> >> * WPA-Personal
> >> * WPA2-Personal
> > 
> > Also if it's your home wLan, hide it, don't broadcast the ssid.
> > So those in your neighbourhood won't even know you have a wireless.
> 
> Yes, they will.  However, not broadcasting the SSID is a good step,
> but not necessarily all you should do.  When a client connects to the
> network, it inquires if the network is available.  A patient
> wardriver will pick this up.  However, they will not be able to get
> in easily and will move on in most cases if they see WPA2.
> 
> The next step is MAC restricting and a lot more.  However, just
> employing security and hidden SSID is a great start.  Most people do
> not do this.

Hiding the SSID will stop only a casual bystander getting on to your network 
by accident. Those who actually want to crack into a wireless network would 
use some tool like airodump-ng (yum install aircrack-ng) to list any and all 
wireless networks within reach, hidden or otherwise, and then pick which one 
to crack.

In other words, hiding SSID can be compared to a person putting an "I am 
invisible" sticker on their forehead, and hoping that others would read it and 
ignore him.

Hiding SSID is a matter of convenience, not security. Things like removing the 
clutter from user's list of available networks, avoiding accidental 
connections by mobile devices, etc.

For security you need to implement some WPA-related stuff and a strong firewall, 
possibly with MAC-filtering etc. And for sure don't even try to use WEP 
"security". It's commonly compared to a paper wall, and I've seen it being 
cracked within 10 minutes using the aircrack suite above. I even did it myself 
once on my own router, just to see how difficult/easy it was. Reading relevant 
man pages was the hardest part, it took me 20 minutes. Cracking the WEP 
passphrase took 5 more. I can even sketch you the steps if you like. ;-)

In a nutshell, hiding SSID is a "please don't connect to my network" security. 
WEP is "the door is closed but not locked" security, while WPA is "guess my 
passphrase" security. Therefore, WPA is the only one that provides the 
potential cracker some reasonable headache.

HTH, :-)
Marko
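
Added example, not part of the original message: a small audit that reads scan output in the layout printed by `iw dev <iface> scan` and labels each network as open, WEP, WPA or WPA2, showing that a hidden network still appears by BSSID. The sample scan text, BSSIDs and network names are constructed, and the function names are this example's own.

```python
import re
# Constructed sample in the layout printed by `iw dev <iface> scan`; not captured data.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: homenet
\tRSN:\t * Version: 1
BSS 02:00:00:00:00:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID:
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: oldrouter
\tWPA:\t * Version: 1
BSS 02:00:00:00:00:04(on wlan0)
\tcapability: ESS (0x0001)
\tSSID: \\x00\\x00\\x00\\x00
"""

def classify(privacy, ies):
    # Privacy bit set with no WPA/RSN element means WEP.
    if "RSN" in ies:
        return "WPA2"
    if "WPA" in ies:
        return "WPA"
    return "WEP" if privacy else "open"

def parse_scan(text):
    """Return one dict per BSS with bssid, ssid, hidden and protection."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            nets.append({"bssid": m.group(1), "ssid": "", "privacy": False, "ies": set()})
        elif nets:
            cur, s = nets[-1], line.strip()
            if s.startswith("SSID:"):
                cur["ssid"] = s[5:].strip()
            elif s.startswith("capability:"):
                cur["privacy"] = "Privacy" in s.split()
            elif s.startswith(("RSN:", "WPA:")):
                cur["ies"].add(s[:3])
    for n in nets:
        # A hidden network is still listed by BSSID; only its name is empty or NUL-filled.
        n["hidden"] = n["ssid"].replace("\\x00", "") == ""
        n["protection"] = classify(n["privacy"], n["ies"])
    return nets

def weak(nets):
    return [(n["bssid"], n["protection"]) for n in nets if n["protection"] in ("open", "WEP")]
```

Run against a scan of your own access point, `weak(parse_scan(text))` should come back empty.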


