how do i secure a wireless network

I have been wondering some of these myself, I was wondering if perhaps someone could explain why it is claimed that disabling SSID Broadcast offers "zero security benefit"? I think there is possibly a different between 'zero benefit' and 'little benefit' and this might be one of those points, because although an attacker can get around the precaution it still has the potential to stop the less savvy (primarily script kiddie types) attackers from accessing your network.

I mean, it seems to me a bit drastic to state it doesn't have any security benefit, seems to me like telling someone "don't lock your doors, real crocks are gonna break-in through a window and disable your alarm anyway". I think there is something to be said for deterence ... however I was wondering if perhaps someone had some could shed some light on why there is zero security value to it, perhaps there are some technical considerations I am not aware of that might bring this to light?

Thanks, Robert

from this document you often cite,

Since a station always includes the SSID in the ASSOCIATE message, it can be forced to expose a hidden WLAN through a simple active attack. To do this, an attacker simply sends a forged DISASSOCIATE message to an active station, seemingly coming from the AP. Within seconds (at most 30), the station will REASSOCIATE, exposing the SSID. This simple attack means that the only WLAN that can be successfully hidden is one that is not being used.

thus, determining the hidden ssid requires action by the user (most will not bother) and can take up to thirty seconds! furthermore, this method only works if the network is actually being used. sounds like a huge plus to me.

it is not a myth. every little thing you can do to raise the bar helps.

"riggor9999" wrote in news: snipped-for-privacy@comcast.com:

Regretfully, the link provided by riggor9999 gives POOR ADVICE.

It contains the following steps, and I quote:

"1. Reset admin password

1. Reset default SSID
2. Disable SSID Broadcast
3. Change from default channel
4. Enable WEP with 128 bit key
5. Change Authentication Type to Shared"

Only TWO of these have any point, and the others are either misguided or dangerous (in that they actually REDUCE security).

The correct answer to the questions is: By implementing ENCRYPTION and AUTHENTICATION.

The best way to achieve this is by implement WPA. If you are a home user, the best way is likely to be WPA-PSK. If you are a corporate user or have the necessay kit and skills, then WPA with IEEE 802.1X authentication using a RADIUS server is best. If your equipment has the ability to use AES encryption, use this.

Next best if you cannot use WPA (either because the equipment does not support it, or the type of network - for example using WDS links

- makes it impractical) - is to use WEP. While it has known weaknesses, it is definitely the next best thing.

Just to pick up the points from the link:

- The best protection (using WPA) isn't mentioned at all!

- item 1 is sensible

- item 2 is sensible as it avoids confusing your own network with anyone else's, but offers zero security benefit

- item 3 offers zero security benefit and will stop certain things working

- item 4 offers no security benefit, but may be necessary to avoid interference from a nearby network

- item 5 is sensible, if WPA is not available

- item 6 is DANGEROUS. One of the weakest areas of WEP is that its Shared Key authentication involves a handshake involving plaintext and the corresponding encrypted text. Intercepting this transmission allows the key to be immediately deduced. Counterintuitively, WEP with Open System authentication is more secure. While there is no true authentication, traffic from a station which is either unencrypted or encrypted using an incorrect key will simply be dropped

Regretably, there are many myths surrounding wireless security - and Usenet propagates them endlessly...

Hope this helps

"Robert B. Phillips, II" wrote in news: snipped-for-privacy@4ax.com:

The SSID is *always* transmitted. It cannot be hidden. The option to disable SSID broadcast on some access points removes the SSID from beacon frames; it is however present in the management frames. Attempts to hide it will fail. Worse, by "hiding" it you will likely gain a false sense of security.

For a detailed explanation, have a read of this:

I believe that the myth that SSID hiding is somehow a 'good thing' came from the early days of wireless networks when things were less well understood. And the myth keeps being repeated and repeated and repeated...

Kind regards

All that has been said is good but also use MAC filtering.

nospam wrote in news:020320051418562418% snipped-for-privacy@nospam.invalid:

It's a well known document.

You quoted accurately, but not from the summary conclusions, which state: "Contrary to a common belief that the SSID is a WLAN security feature and its exposure a security risk, the SSID is nothing more than a wireless-space group label. It cannot be successfully hidden. Attempts to hide it will not only fail, but will negatively impact WLAN performance, and may result in additional exposure of the SSID to passive scanning. The performance impact of this misguided effort will be felt in multiple WLAN scenarios, including simple operations like joining a WLAN, and in significantly longer roaming times.

Trying to hide the SSID does not strengthen security in WLANs. The scarce resources of today?s WLAN administrator are better spent tuning WLAN performance and operations with full SSID usage, and enhancing WLAN security by deploying modern security technology, such as link-layer encryption, and IEEE 802.1X authentication."

The fact that you have an explanation of why the SSID cannot be hidden does not somehow make it a security measure.

My post in this thread was in response to security advice which contained a number of inaccuracies, and missed out the best protection of all.

It is important to understand what is strong security and what is weak. Encryption and authentication are Good Things. All other measures are considerably weaker. By all means use them as well - I'm not trying to dissuade anyone - but don't assume that they add additional security. They don't: they merely add a little - a very little - obscurity.

Kind regards

"Christian" wrote in news:ZsrVd.52873$uc.28132@trnddc08:

Hmmm... Again, this is a security function which is over-rated. While it does offer very limited protection, it is easy to overcome - far easier than cracking WEP, for example. MAC addresses are transmitted in the clear and can be readily spoofed. The simple Windows tools Airsnare and SMAC will soon demonstrate this...

However, a major argument against it is that it rapidly becomes extremely cumbersome to manage as the size of a network grows.

I have clusters of devices (typically 2 PCs, 1 printserver) connected behind a switch, with a single wireless client bridge device providing wireless connectivity. Since this is a WDS system, it is necessary to configure the Ethernet MAC address of every device behind the switch. In the example I give, that makes 4 MAC addresses. Now multiply this by five workgroup clusters, and add on a few roaming laptops and the odd iMac and that's a lot of MAC addresses :(

This, togther with the very weak security protection, is why I have now stopped using MAC address filtering on my network. And just think of the problems on a large scale network...

Hope this helps

Used alone, SSID hiding does provide a small security benefit in preventing less savvy attackers from accessing your network. Used with encryption, it provides essentially no added benefit: any attacker able to crack encryption will be able to see a "hidden" SSID immediately. So will the script kiddies: the software tools are easily available.

Hiding your SSID does have a potential cost: it makes it more difficult for other, honest wireless users to avoid interfering with your network. Widespread adoption of SSID hiding would *force* people to use cracking tools (that can see hidden networks) just to troubleshoot reception problems on their wireless networks. Once that happened, there wouldn't be any "less savvy" people left, and SSID hiding would literally have zero security value.

To use your locked door analogy, encryption is the strong lock that can thwart experienced burglars, while SSID hiding is a flimsy latch that might deter a nosy neighbor but won't even slow down a professional thief. Once you've got a strong lock, adding a flimsy lock to the same door is pointless.

It's worth the same as "security by obscurity" - i.e. not much.

It does make your network harder to find as there will be no activity when it is not in use, but I agree that during usage periods, it does nothing.

[Why harder to find? Because your network will ignore all packets that don't have the correct SSID, so they have to know (or guess) your SSID before they have a hit - else wait for activity.]