Protected WLAN
James McKenzie
jjmckenzie51 at gmail.com
Wed May 18 03:36:50 UTC 2011
On 5/17/11 6:20 PM, Marko Vojinovic wrote:
> I didn't say that cracking wpa2-ps/aes is easy. I was saying that, whatever
> the security algorithm you are trying to crack, having a hidden SSID and
> filtered MAC is not going to make it *any* harder than having a public SSID and
> no MAC filtering. That data is essentially publicly available to anyone in
> range, and can be obtained with no effort at all. One doesn't even need the
> know-how, one can just type a single command in the terminal and have all that
> "hidden" stuff displayed on the screen. And that command is something you would
> type anyway if you want to crack a wireless network.
>
> In other words, hiding SSID and filtering MACs adds absolutely *nothing* to the
> security of the network. It is not even an extra step that one would need to
> deal with while cracking. It is literally equivalent to "please don't open me"
> sign on the door. Using a serious security algorithm is essential for a
> wireless network, but saying that hiding SSID and filtering MAC addresses adds
> an additional layer of security is just plain wrong.
>
However, for the casual observer, like the casual thief, not having an
immediately visible door sends them elsewhere.
I'll try to make this simple for JD.
1. Hidden SSID. Standard practice.
2. MAC filtering. Standard practice.
3. WPA-2/AES with a well-thought-out passphrase. Standard practice.
4. WEP. Don't even think of it.
5. WPA. Don't even think of it.
6. Minimal power. Standard practice. (If I can't read your network,
then I cannot hack it.)
7. Changing the channel. Standard practice and it prevents interference.
There are other things like network segregation and even logging into
the router (I've seen both.)
However, the most IMPORTANT part is using WPA-2/AES. Your traffic can
only then be sniffed by folks if they gain access to the wireless 'box'
and manage to put the port into promiscuous mode. (WAP GAP.) That is
why I love folks that leave their wireless router open and never change
the default user/password. I managed to troubleshoot why a wireless
system was not working at a business that way. Marko is correct in
that there are tools that will discover the SSID and the MAC addresses
of computers on the network. However, if you try to use my MAC address
while I'm connected the call to IT would be most interesting.
The point is that without encryption and total security, wireless is
wide open. I've been making this analogy. Put a deadbolt on your
doors, pin locks on your windows and do all the right things. It takes
a determined thief to break in. Then you know you have something that
someone wants...
The first part of security is knowing what NOT TO do, not what TO do.
James McKenzie
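
Added example, not part of the original message: a small Python audit of an access-point configuration that makes encryption mode and passphrase quality the pass/fail checks and records hidden SSID and MAC filtering only as notes, since both posters agree those values can be discovered. The config keys, the sample of common passphrases and the 80-bit threshold are assumptions made for illustration.

```python
import math
import string

# Constructed sample of passphrases too common to count as "well thought out".
COMMON = {"password", "12345678", "qwertyuiop", "letmein123"}
MIN_BITS = 80  # assumed threshold for this example, not a standard value


def passphrase_bits(passphrase: str) -> float:
    """Rough upper bound on entropy from length and character classes used."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in passphrase):
            pool += len(cls)
    if any(c in string.punctuation + " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit(cfg: dict) -> dict:
    """Split findings into failures (must fix) and informational notes."""
    fails, notes = [], []
    if (cfg["security"], cfg.get("cipher")) != ("WPA2", "AES"):
        fails.append(f"encryption is {cfg['security']}/{cfg.get('cipher')}, want WPA2/AES")
    pw = cfg.get("passphrase", "")
    if not 8 <= len(pw) <= 63:  # WPA2 passphrase length limits
        fails.append("passphrase must be 8-63 characters")
    elif pw.lower() in COMMON or passphrase_bits(pw) < MIN_BITS:
        fails.append("passphrase is common or too weak")
    # Recorded, but never allowed to offset a failure above.
    for key in ("hidden_ssid", "mac_filter"):
        if cfg.get(key):
            notes.append(f"{key} enabled: not counted as protection")
    return {"ok": not fails, "fails": fails, "notes": notes}


# Constructed sample configurations.
WEAK = {"security": "WEP", "cipher": None, "passphrase": "password",
        "hidden_ssid": True, "mac_filter": True}
GOOD = {"security": "WPA2", "cipher": "AES",
        "passphrase": "correct horse battery staple 42",
        "hidden_ssid": False, "mac_filter": False}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(cfg))
```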