The six dumbest ways to secure a wireless LAN



[Updated 4/2/2007 - follow-up article here] For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so-called" security experts propagated these myths through speaking engagements and publications, and many continue to this day. Many wireless LAN equipment makers continue to recommend these schemes as well. One would think that the fact that none of these schemes made it into the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid these schemes, I've created the following list of the six dumbest ways to secure your wireless LAN.

Wireless LAN security hall of shame

MAC filtering: This is like handing a security guard a pad of paper with a list of names. When someone comes to the door and wants entry, the guard looks at the person's name tag, compares it to the list, and decides whether to open the door. Do you see the problem? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. In a wireless LAN, the name tag is the MAC address. The MAC address is just a 12-digit hexadecimal number that is transmitted in clear text and can be viewed with a sniffer. A sniffer is to a hacker what a hammer is to a carpenter, except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut and paste a legitimate MAC address into the wireless Ethernet adapter settings, and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement it. The bottom line is that MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum: probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden, and all you've achieved is to cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also make wireless LANs less user friendly. You don't need to take my word for it. Just ask Robert Moskowitz, Senior Technical Director of ICSA Labs, in his white paper "Debunking the Myth of SSID Hiding".
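To make the "1 of 5" point concrete, here is an added example (not from the original post) that parses the SSID element out of hand-constructed 802.11 management frames. It shows that a "hidden" beacon merely carries an empty SSID element, while the other four management frame types still carry the name in the clear; frame layouts follow the 802.11 management frame format, and the network name "CorpNet" is a constructed value.

```python
import struct
from typing import Optional, Tuple

# 802.11 management subtypes (frame control type 0) that carry an SSID element
MGMT_SUBTYPES = {0: "association request", 2: "reassociation request",
                 4: "probe request", 5: "probe response", 8: "beacon"}
# Length of the fixed fields that sit between the 24-byte header and the
# tagged elements, per subtype (e.g. beacon: timestamp 8 + interval 2 + cap 2)
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
HDR_LEN = 24              # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0

def build_mgmt(subtype: int, ssid: Optional[str]) -> bytes:
    """Constructed management frame: header, zeroed fixed fields, SSID element.
    ssid == "" models an AP with 'SSID hiding' enabled (zero-length element)."""
    fc = struct.pack("<H", subtype << 4)      # type bits 2-3 = 0 (management)
    hdr = fc + b"\x00" * (HDR_LEN - 2)        # duration/addresses/seq left zeroed
    body = b"\x00" * FIXED_LEN[subtype]
    if ssid is not None:
        raw = ssid.encode()
        body += bytes([SSID_ELEMENT_ID, len(raw)]) + raw
    return hdr + body

def parse_ssid(frame: bytes) -> Tuple[str, Optional[str]]:
    """Return (frame kind, SSID). SSID is None when no SSID element is present,
    and "" when the element is present but empty (the 'hidden' beacon case)."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc0 >> 4) & 0xF
    if subtype not in MGMT_SUBTYPES:
        raise ValueError(f"unsupported management subtype {subtype}")
    pos = HDR_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):              # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        if eid == SSID_ELEMENT_ID:
            return MGMT_SUBTYPES[subtype], frame[pos + 2:pos + 2 + elen].decode(errors="replace")
        pos += 2 + elen
    return MGMT_SUBTYPES[subtype], None

def ssid_disclosures(frames) -> dict:
    """Map frame kind -> SSID for every frame that discloses a non-empty SSID."""
    return {kind: ssid for kind, ssid in map(parse_ssid, frames) if ssid}

NET = "CorpNet"   # constructed network name
SAMPLE = [build_mgmt(8, ""),            # beacon from an AP with SSID hiding on
          build_mgmt(4, NET), build_mgmt(5, NET),   # probe request / response
          build_mgmt(0, NET), build_mgmt(2, NET)]   # association / reassociation

if __name__ == "__main__":
    print(parse_ssid(SAMPLE[0]))        # ('beacon', '') - the only thing hidden
    print(ssid_disclosures(SAMPLE))     # the other four kinds still carry it
```

Running it shows the beacon with an empty SSID and the four remaining frame types each carrying "CorpNet", which is exactly why a passive sniffer recovers the name the moment any client probes, associates or roams.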

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN, because they leave themselves wide open to attack. Cisco still tells its customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Any attempt to enforce strong passwords will result in passwords written on sticky notes. Since Joshua Wright released a tool that can crack LEAP with lightning speed, Cisco was forced to come out with a better alternative to LEAP, and they came up with an upgrade to LEAP called EAP-FAST. Unfortunately, EAP-FAST still falls short in security with its default installation. Although Cisco makes LEAP and EAP-FAST freely available to partners for the client end, the same is not true for Access Points. LEAP and EAP-FAST are essentially two proprietary protocols that Cisco employs as a strategy to monopolize the Access Point market. There are open-standards-based EAP mechanisms like EAP-TLS, EAP-TTLS, and PEAP which are all much more secure than either LEAP or EAP-FAST, and they work on all Access Points and client adapters, not just Cisco. Cisco supports the open-standard EAPs just like everyone else, so you should always use open EAP standards to get better security and avoid the hardware lock-in.

Disable DHCP: This is far more a waste of time than it is a security measure. DHCP allows the automatic assignment of IP addresses and other configuration. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn't know what they're talking about.

Antenna placement: I've heard the craziest things from so-called security experts who actually tell people to only put their Access Points in the center of their building and run them at minimal power. Antenna placement does nothing to deter hackers. Remember, the hacker will always have a bigger antenna than you, and can home in on you from a mile away. Making a wireless LAN signal that weak only serves to make the wireless LAN useless. Antenna placement and power output should be designed for maximum coverage and minimum interference. They should never be used as a security mechanism.

Just use 802.11a or Bluetooth: Fortunately, I haven't heard this one for a while. There were so-called security experts who went around telling people that they simply needed to switch to 802.11a or Bluetooth to secure their wireless LAN. 802.11a refers to a physical transport mechanism for wireless LAN signals over the air; it does not refer to a security mechanism in any way.

Dishonorable mention: Some of you might be wondering why I didn't put WEP in as one of the six dumbest ways to secure a wireless LAN. In light of developments within the last 6 months, it takes only a few minutes to break a WEP-based network, which makes WEP completely ineffective and a good potential future candidate for the wireless LAN security hall of shame. Where it currently fails to qualify is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn't propagated as an urban legend for a secure wireless LAN. The top six require no skill, take less than a minute to crack, and are propagated as urban legend. However, that doesn't mean you should use WEP in any form or shape.

This blog wasn't just meant to be funny; it's serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security. If you fall into any of these six categories, it's time to wake up and implement some real wireless LAN security. For those interested in some simple advice for their homes and small offices, check out my last blog.


Talkback

102 comments
  • Great blog

    It's sad that alleged information security professionals need to be told this. Hopefully some will wake up and take your advice.
    Real World
    • Thanks mjb

      It is indeed sad. I know many consultants that still go around telling people to implement some of these things. Hardware makers still post these recommendations on their website. The biggest culprit in the enterprise is LEAP.
      george_ou
      • But still

        By your blog, you almost suggest to use no security at all, cause no matter what it's all hackable. Or just don't go wireless at all. Sure given enough time and resources all of your 6 items can be hacked, but locking the door is better than nothing.
        doylebob
    • Interesting

      I think it's even more sad that alleged wannabes like you need to be corrected after reading articles like this. MAC filtering, no SSID broadcasting, and static IP assignment are not meant to prevent would-be hackers, but to deter most of them. The real prevention comes with the encryption and authentication back end.

      MAC cloning requires intelligence and knowledge of how wireless packets are sniffed and analyzed, something that hacker wannabes really don't have a lot of intelligence in.

      Finding a hidden SSID requires the person to actually know what programs to use and the willingness to even pursue it. Most would-be hackers will go after easy targets, not ones that may have barriers.

      Lastly, static IPs are assigned by the router. If only 4 systems are on the network, only 4 IPs need to be assigned -- no more. It doesn't matter if the would-be hacker knows the IP scheme; a good IDPS would catch an attempt to spoof one of the assigned IP addresses (especially if it's OSSEC).

      Antenna placement more or less has advantages. If it's on low power, the wannabe attacker needs to be in closer proximity to the WAP, which raises the possibility of getting caught. Any attacker will say they'll always prefer a strong signal over a weekend due to speed, proximity, and reliability.
      Blox82
  • Good Story that needs telling

    Great overview of the myths of WLAN security. But if everyone followed your advice, how would the rest of us get free access to the Internet??? :-)

    the security blog at www.threatchaos.com
    stiennon
    • Free access

      Just wait for the WiMAX steamroller - Free access ANYWHERE for ANYONE!
      Roger Ramjet
      • Who said WiMAX will be free?

        I've heard much hype about WiMAX. Free is not one of them.
        george_ou
        • i think he means...

          i think he means it will be just as easy to hack into
          doh123
          • Only if they don't authenticate correctly

            If they implement proper authentication with something like 802.1x/PEAP, user credentials are protected and it can't be spoofed by evil twins.

            For something like WiMAX which is a wireless ISP technology, it is critical that they not make the same mistakes as Wi-Fi hotspots. If they do, I'll be talking about it.
            george_ou
    • Right on!

      That is EXACTLY what I tell people that I help. They tell me one of these myths, and I tell them, "do exactly that so I can use your wifi whenever I want!" They usually get the message.

      Great blog, by the way... I wish more people would figure these things out.
      Martin Marvinski
  • We get the point!

    Lord, just another stupid article on how unsecure 802.11 is. We get it! You're not getting the point, most of the 'dumb' things you talk about are good enough for the average user. Of course any of the six ways you talk about won't protect you against a determined hacker...but come on, stop spreading FUD. When there are so many hot spots out there, having a few "security" features set will make most hackers pass your connection up for a more easily obtainable connection. Mr. Ou, please stop playing into the fears of your readers. Find a new topic.

    WBG Links
    www.wbglinks.net
    wbglinks
    • I am actually

      not an expert on 802.11 wireless! Imagine that! This article is very helpful to me, since I am setting up my first 802.11 network. Thanks George, you're a lifesaver. :)
      Roger Ramjet
      • WLan tip

        As the article said: Don't use WEP! WEP can be cracked in about 45 seconds using a Treo. Use WPA-PSK (for home, if RADIUS is not an option). It's easy to set up, and the "shared secret" key is as secure as it needs to be.

        Good luck going wireless. It should be easy for you.
        Real World
    • Security through anonymity?

      That's what you're suggesting, it seems. I think there is merit to genuine security. WPA, for instance, is easy to set up, and is a decent standard. Your post would have had merit a year ago, but no longer. I've tried it. It is now faster for me to sit there and crack someone's WEP and capture their MAC address than to find another hot spot.
      Martin Marvinski
      • So you break the law?

        Nice, real nice attitude.
        Just amazing the people that continue to post on ZDNet and are allowed to post on ZDNet!

        How long will ZDNet allow people to post comments advocating breaking the law?

        Well, gee, it's easier for me to copy Office than to buy it. It's easier for me to steal money than to work for it.
        doylebob
    • No, you don't get it.

      Even if all you do is enable WEP, it's much easier than implementing any of these myths and it will hold up longer. If you followed the advice from my previous blog on using WPA-PSK which is even easier than WEP, you most likely can't be hacked through your home wireless LAN.

      What I can't understand is what part of "hard to use but easy to crack" you don't understand. What part of "a waste of time" don't you understand? As Mr. Marvinski says, it's faster to crack your WLAN than it is to move to another "hotspot". I can assure you that he isn't exaggerating.

      This article is intended for your benefit, but it's clear that you don't "get the point". But then again, it's a free country and you're free to provide free internet access and free access to all of your private information.
      george_ou
  • Question for you from a total novice

    I have a DSL line with built-in wireless AP on a Windows 2000 PC. How should I disable it totally? I have a firewall on my PC. Could someone wirelessly connect to my PC and access my files? I am planning to buy a laptop. In that case, how do I set the system so that I can use it while a hacker cannot ...

    Regards - Alok

    ** My opinion does not necessarily reflect that of my employer **
    alokgovil
    • What do you mean built-in AP?

      An Access Point is an Access Point. It never comes built in on a DSL line. A Windows 2000 PC or any PC for that matter can have built in Wireless LAN adapters. If you want to turn it off, simply go to the network properties page and right click on the wireless adapter, and disable it.

      For more home advice, read my previous blog. It gives you the optimum advice for homes.
      george_ou
      • More help please to the total novice

        See, I told you I am a novice! Maybe the DSL modem has a wireless adapter/router built-in. My visiting cousin was able to wirelessly use the internet connection.

        At no place in Windows 2000 did I find anything for a wireless-adapter. I checked "My Network Places" on the desktop, "Networks and Dialup Connections" in the control panel.

        Regards - Alok Govil
        alokgovil
        • You need Windows 2000 SP4

          Upgrade to service pack 4 for Windows 2000. It's still not as good as WinXP SP1 or SP2, but it's a start.

          Also, here is a free add-on for Windows 2000 that makes it work with WPA-PSK mode.
          http://www.wirelesssecuritycorp.com/wsc/public/WPAAssistant.do
          george_ou