Protected WLAN

James McKenzie jjmckenzie51 at gmail.com
Wed May 18 03:36:50 UTC 2011


On 5/17/11 6:20 PM, Marko Vojinovic wrote:
> I didn't say that cracking wpa2-ps/aes is easy. I was saying that, whatever
> the security algorithm you are trying to crack, having a hidden SSID and
> filtered MAC is not going to make it *any* harder than having a public SSID and
> no MAC filtering. That data is essentially publicly available to anyone in
> range, and can be obtained with no effort at all. One doesn't even need the
> know-how, one can just type a single command in the terminal and have all that
> "hidden" stuff displayed on the screen. And that command is something you would
> type anyway if you want to crack a wireless network.
>
> In other words, hiding SSID and filtering MACs adds absolutely *nothing* to the
> security of the network. It is not even an extra step that one would need to
> deal with while cracking. It is literally equivalent to a "please don't open me"
> sign on the door. Using a serious security algorithm is essential for a
> wireless network, but saying that hiding SSID and filtering MAC addresses adds
> an additional layer of security is just plain wrong.
>
However, for the casual observer, like the casual thief, not having an 
immediately visible door sends them elsewhere.

I'll try to make this simple for JD.
1.  Hidden SSID.  Standard practice.
2.  MAC filtering.  Standard practice.
3.  WPA-2/AES with a well-thought-out passphrase.  Standard practice.
4.  WEP.  Don't even think of it.
5.  WPA.  Don't even think of it.
6.  Minimal power.  Standard practice.  (If I can't read your network, 
then I cannot hack it.)
7.  Changing the channel.  Standard practice and it prevents interference.

There are other things like network segregation and even logging into 
the router (I've seen both.)

However, the most IMPORTANT part is using WPA-2/AES.  Your traffic can 
only then be sniffed by folks if they gain access to the wireless 'box' 
and manage to put the port into promiscuous mode. (WAP GAP.)  That is 
why I love folks that leave their wireless router open and never change 
the default user/password.  I managed to troubleshoot why a wireless 
system was not working at a business that way.  Marko is correct in 
that there are tools that will discover the SSID and the MAC addresses 
of computers on the network.  However, if you try to use my MAC address 
while I'm connected the call to IT would be most interesting.

The point is that without encryption and total security, wireless is 
wide open.  I've been making this analogy.  Put a deadbolt on your 
doors, pin locks on your windows and do all the right things.  It takes 
a determined thief to break in.  Then you know you have something that 
someone wants...

The first part of security is knowing what NOT TO do, not what TO do.

James McKenzie


