It's been two years since I wrote "The six dumbest ways to secure a wireless LAN," and it's probably been one of my more successful blog entries ever, with two flashes on Digg. Since that time, I've written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I'm going to update the information with more defined categories and better explain why they're so bad from an ROI (return on investment) and security perspective.
Waste of money, resources, time
- MAC filtering
- Disable DHCP and use Static IP addresses
- Signal suppression with expensive paint or antenna placement
Worse than no wireless security at all
Has nothing to do with security mechanisms
- Just use 802.11a or Bluetooth
The original blog has probably been read by more than a hundred thousand people, but I still can't kill these nasty urban legends because they are so engrained as "best practice." I was shocked and infuriated to find that even some security certifications, like the CISSP, and VISA payment processing compliance requirements, like PCI, are recommending most of these methods as "best practice."
Note that I recently attended the official CISSP boot camp training and in spite of this bad wireless LAN advice, I still recommend the CISSP certification and training. It really taught me how to better communicate to management and business people and align security and IT to the business. I have, however, asked them to fix their small section on wireless LAN best practices, and I hope they fix it.
The most common and misguided arguments I hear against my advice and in favor of implementing this nonsense are:
- What's the harm? It's a layered approach to security.
- It makes us harder to see and hack.
- We're a small company, and we can't afford real security.
The problem with these arguments is that they're based on some fundamentally wrong assumptions and an inadequate knowledge of how wireless LAN security works.
- These aren't layered approaches; they're more like buying overlapping warranty coverage, since any benefit against casual bandwidth thieves is already covered by real security measures. The harm is that people confuse these methods for the real thing, and they spend more money and resources on implementing the wrong security mechanisms and end up skimping on real security.
- They don't make you harder to hack. Kismet, which is a free utility, will reveal so-called hidden SSIDs, MAC addresses, and static IP schemes within seconds of scanning the airwaves, sending all that money and time spent on MAC address and static IP management down the toilet.
- If you have a limited budget with limited IT staff, it's all the more reason to use real wireless LAN security, because you certainly won't be able to afford the complexities of MAC filtering and static IP configuration. True wireless LAN security is far cheaper to implement and maintain.
Rock solid wireless LAN security for the home or small office can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters. I estimated that a truly random alpha-numeric 10-character pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If WPA mode absolutely can't be supported, you can run WEP (104 bit AKA 128) security, which might take a semi-skilled script kiddy using two PCs in an active attack configuration 10 minutes to break. WEP shouldn't ever be considered effective wireless LAN security, but it's hundreds of times harder to break than any of the myths. WEP can be considered an actual deterrent when nothing better like WPA is available, whereas these myths aren't even worthy of the deterrent title. The ROI for any of the first three wireless LAN security myths is essentially zero.
