How does hiding the 802.11 SSID offer any security at all?

Does hiding the SSID broadcast really offer any wireless protection?

I read with interest an article that says to turn off the broadcast of your SSID. Guess what? My two-computer home wireless network stopped working as soon as I booted one of the WinXP PCs with the Linksys router turned off.

To recover, I had to go through the entire setup process all over again just to get the WinXP Wireless Zero Service to again understand the SSID.

What is going on? Is it really feasible to turn off the broadcast of the SSID? Or is it so much BS from folks who need to write something to stay in business?

Is there any way to tell the WinXP PC to look for a certain SSID that isn't broadcast without having to reconfigure the router every single time?

Confused, barb

Reply to
barb

Here is an O'Reilly article that says to hide your SSID and to change your broadcast channel for added security.

Is this snake oil?

For example, as I already stated, if I change my SSID and then boot up without the router powered on, there is no way (that I know of) to tell my WinXP wireless applet the SSID (or am I missing something).

Likewise, if I were to change my channel, I mean how many channels are there? Wouldn't anyone who wanted to get onto my network just scroll down to the next channel? Are there an infinite number of channels or a finite number of channels?

All this seems like snake oil to me.

QUESTION 1: Once I stop broadcasting my SSID, how do I tell WinXP to use that SSID?

QUESTION 2: If I change my channel, how long would it take a hacker to figure out which channel I changed it to?

Thanks in advance for your advice, barb

Reply to
barb

If I have one older computer which doesn't support WPA (only WEP) and one newer computer which does support WPA and a router which does support WPA, can I use WPA?

I thought we had to have all home computers on the same "standard" encryption which means only WEP would work in my home network due to the older computer.

Am I wrong? Can I use WEP on one computer and WPA on the other?

barb

Reply to
barb

Likewise with limiting to the known MAC IDs.

Couldn't a hacker simply sniff out the MAC ID used in every packet and simply spoof that MAC ID?

barb

Reply to
barb

Likewise with changing to a static IP as suggested in this article on wireless network security, which says:

"Many wireless routers default to the 192.168.1.0 network and use 192.168.1.1 as the default router. We discovered one network that didn't give us an IP address, but we assumed that they were using the defaults. We were right. We configured our notebook with an IP address in the 192.168.1.0 network using 192.168.1.1 as the router address, and we had access to the Internet through their network."

What I don't get is you'd have to change the entire class of addresses (i.e. subnet mask) to stop someone from connecting, wouldn't you? For example, if I changed the Linksys router IP address from 192.168.1.1 to 192.168.1.66, anyone could STILL connect from a foreign PC simply by choosing any IP address in the range of 192.168.1.[0 to 255].

Even if I change the subnet mask from 255.255.255.0 to 255.255.0.0, doesn't that just open up MORE IP addresses that can connect to my network?

I'm so confused by these articles on wireless security. Can you help me make sense of their recommendations to sort out the snake oil from the practical?

thanks, barb

Reply to
barb

What kind of wild multiple posts with cross posting do we have here?

I've seen a lot of crazy posting but this one about tops my list. :)

Duane :)

Reply to
Duane Arnold

*nod* The OP has taken some flak for it in microsoft.public.windows.networking.wireless too.

Grant. . . .

Reply to
Taylor, Grant

Yes.

Use a network sniffer, and you're getting the SSID by sniffing traffic from other hosts.


Yes.

You need a driver, which supports this.

Seconds to minutes.

Yours, VB.

Reply to
Volker Birk

If no other hosts are running, this could actually limit impact of exposure. Anyway, the same can already be achieved by using proper cryptographic protocols (IEEE 802.11i with the well-known subsets WPA and WPAv2, or IEEE 802.1X).

Yes, you missed the "Advanced configuration" button. Still, with no SSID being broadcast, Windows won't try to connect automatically.

As this has to be implemented by every such NIC, it's pretty clear that it's not a driver issue.

My good ol' AMD 772 PCMCIA card (Prism2 chipset) has a channel change period of about 20 ms. Catches channel hops within a 1/4 second.

Reply to
Sebastian Gottschalk


You should have cross posted the reply. Maybe, that's the only way she'll see it. ;-)

Duane :)

Reply to
Duane Arnold

Hiding the SSID is bad practice. Not only does it break the spec but it's also a futile effort and, in some cases, can cause performance problems.

The only reason you'll want to change to one of the other 11 U.S. WLAN channels is to avoid conflict with neighboring APs. Otherwise, I strongly recommend using personal or pre-shared key WPA2 if your access device is new enough to include it. WinXP, however, will need a hotfix installed.

Depending on your access point, it is sometimes possible to run WPA and WEP concurrently. Feel free to write me off-group if you have further questions.

-Gary

Reply to
Gary

humbug! document stays all: 'The Role of SSIDs in supporting Roaming'.

My WiFi router (hopefully) is not in the habit of Roaming! My laptop is in my front room with me -- also present and accounted for!

Anyone 'roaming' attempting to access MY router is by definition, unknown and thus must be considered an aggressor.

Reply to
Jeff B

Jeff B

Perhaps you should read the rest of the whitepaper before dismissing it:

"A network that has only one AP is still faced with roaming behavior and active scanning if SSIDs are hidden. The same events mentioned above still can occur even if there is only one AP. Even with only one AP and even if it is configured to use channel 1, the station will still scan all channels checking for other APs. In the end, the station will ASSOCIATE with its original AP, exposing the SSID."

Reply to
Gary
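
What the whitepaper passage quoted above and Volker Birk's earlier answer describe, as an added example that is not part of any post in this thread: a small parser for 802.11 management frames, run over four constructed frames, showing that a beacon with SSID broadcast disabled carries an empty name while the probe and association frames of the owner's own station carry it in the clear. The MAC addresses and the network name `homenet` are constructed sample values.

```python
# Management subtype -> (name, bytes of fixed fields before the tagged elements)
SUBTYPES = {0: ("assoc-req", 4), 4: ("probe-req", 0),
            5: ("probe-resp", 12), 8: ("beacon", 12)}

def ssid_in_frame(frame: bytes):
    """Return (subtype_name, ssid) for an 802.11 management frame, else None.
    ssid is "" when the SSID element is empty or all NULs ('hidden' beacon)."""
    if len(frame) < 24:                      # shorter than the MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None                          # not a management frame we handle
    name, fixed = SUBTYPES[subtype]
    pos = 24 + fixed
    while pos + 2 <= len(frame):             # walk id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            return None                      # truncated element
        if eid == 0:                         # element id 0 is the SSID
            return name, body.strip(b"\x00").decode("utf-8", "replace")
        pos += 2 + elen
    return None

# Constructed, locally administered MAC addresses (sample values only).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST = b"\xff" * 6

def build(subtype: int, ssid: bytes, src: bytes, dst: bytes) -> bytes:
    """Assemble a minimal constructed management frame for the demo."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP + b"\x00\x00"
    fixed = bytes(SUBTYPES[subtype][1])
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

CAPTURE = [                                  # constructed sample traffic
    build(8, b"\x00" * 7, AP, BCAST),        # beacon, SSID broadcast disabled
    build(4, b"homenet", STA, BCAST),        # station probing for its network
    build(5, b"homenet", AP, STA),           # AP's probe response
    build(0, b"homenet", STA, AP),           # association request
]

def revealed_ssids(frames):
    """(subtype, ssid) for every parsable management frame, in order."""
    return [r for r in map(ssid_in_frame, frames) if r]

if __name__ == "__main__":
    for kind, ssid in revealed_ssids(CAPTURE):
        print(f"{kind:10s} SSID={ssid!r}")
```
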

Tried to respond privately to 'barb' but alas, email address rejects email. Go figure.

Reply to
Jay C. James
