Disabling the SSID
Many security experts think that broadcasting your SSID, which identifies your WiFi LAN to all of your wireless neighbors, creates a substantial security risk to your LAN. This concept is similar to the justification of stealthing your IP address, as I discussed in Security By Obscurity.
You can disable the broadcast of the SSID in the beacon. This will make your AP invisible, as long as there are no stations associating with it. As soon as any stations (wireless computers) associate with the AP, the SSID will be out there for everybody to see.
Associating with an AP, with SSID beacon disabled, can be done, as long as the SSID is known to the station wishing to associate. But the process is complex, and generates a lot of excess traffic. This traffic exposes your SSID even more than if you had been broadcasting the SSID in the first place.
- DSLReports Forums provides 2 FAQs - Disabling SSID, and What happens when I disable SSID Broadcast?, both discussing this topic.
- ICSA Labs did a detailed study of SSID disabling, and wrote a white paper Debunking the Myth of SSID Hiding exploring the pros and cons.
- Jesper Johansson, MS-MVP Security, in Regulatory Silliness, points out that hiding your SSID may make your clients susceptible to connecting to rogue access points, and possibly to man-in-the-middle hijacks.
- Microsoft (KB811427): Wireless Zero Config does not support disabling the SSID in the beacon, and notes that doing so is useless.
Disabling SSID broadcasts is not a sufficiently strong method for securing a wireless network.
And, as I said above, you can hide yourself, as long as there is nobody connecting to you. But what's the purpose of having a AP with no clients? And as soon as you have clients, you'll be visible again. Only the truly lame script kiddies don't know about NetStumbler. You won't be invisible to NetStumbler, or similar tools.
Disabling SSID beaconing MAY make you invisible in normal WiFi client manager displays. This is both good, and bad.
- The upside is that your neighbour, who knows barely enough to find the Ethernet port ("big fat phone plug thingy") on his cable modem, won't know that you're there. You're safe from him trying to hack your WLAN.
- The downside is that your neighbour doesn't know that you're there. If he picks the same channel that you're using, and your bandwidth suffers because you have to share the channel, you can only blame yourself. Your neighbour will probably end up taking his WiFi Access Point back to the store, because "it doesn't work right". That, too, will be your fault. He won't even know that you're in the area, and come ask for advice, because you're "invisible".
- A second downside is that you won't be invisible to your neighbour's son, the l33t hax0r. Any script kiddie, or true hacker with any experience, will know about NetStumbler and similar products. He'll scan the channels, and make a list of Access Points, and their SSIDs.
- APs with SSID "Linksys", "Netgear", "My Network". Ho hum, so many of those. Check them out when I'm really bored.
- APs with obscure SSIDs. Probably well protected - stay away.
- And here's an AP with no SSID. This tells Mr L33t Hax0r two things.
- The owner doesn't want to be seen, so he has something to hide.
- The owner thinks he can't be seen. If he's that dumb, I'll bet he won't have his AP properly protected either.
The reason for having channel number and relative signal strength, in the client manager (WZC and similar products) displays, is to allow your neighbour, when he sets up his WiFi LAN, to pick a channel that is less used. If your neighbour can't see your Access Point on the channel, because you want to be invisible, how is he going to, reliably, pick a less used channel?
Did you ever see the movie The Invisible Man? What were some of the first things that Nick Halloway learned from experience?
- Don't wear clothes in public, if you want to be invisible.
- Don't expect folks not to run into you, if you want to walk around in a crowd.
If you think about it, both practices are pretty antisocial. Walking around naked, and walking around invisible, are not keeping to social norms. Neither is using WiFi "naked" (without proper security), or "invisible" (SSID beaconing disabled).
>> Top
0 comments:
Post a Comment