Are Wi-Fi security myths good for deterrence?

In response to my popular "The six dumbest ways to secure a Wireless LAN", Timothy wrote a letter to me asking if there was any legitimate deterrence value against the casual hacker to some of the common myths in securing a Wireless LAN such as "SSID suppression", "DHCP restrictions", and "MAC filtering".

Timothy writes:

I had some opinions on those specific items and I was curious what your thoughts were. My feeling is that most vulnerabilities to a network come from more subtle sources than a blatant hacker. While the three items mentioned will not keep out skilled hackers they may help secure a network from the malicious intent of a non-technically skilled disgruntled employee or contractor. I worked for a company with 20,000 employees and about 98% of them wouldn't even know the definition of the word hacker. That being said they may know how to bring in their home laptop and connect it to the wireless network. If MAC filtering is enabled along with DHCP restrictions or SSID broadcasts disabled this may help protect a network from the majority of less technically savvy users that have just enough knowledge to connect to a network and do harm.
I think these methods should be encouraged along with WPA and future wireless security standards.  What are your thoughts?
Respectfully,
Timothy

My response to Timothy:

This is the same question I get over and over again and I give the same answer over and over again.  I'm going to clear this issue once and for all.
Does MAC filtering offer any deterrence value?  Technically yes but you'd be extremely "stupid" (I don't know how else to describe it) to employ it.  The reason it's so "stupid" is that MAC filtering is 10 times harder to deploy than configuring WEP yet WEP is 10 times more difficult to break than MAC filtering.  So essentially you're getting 1/10th the deterrence value for 10 times the work.  If we ignored the security argument against MAC filtering, anyone who would prefer the less effective yet more painful solution can only be described as "stupid".  The same is true of SSID broadcast suppression and DHCP disabling.  If you think about it, MAC filtering and DHCP suppression makes WLAN management unbearable.  To "encourage" these methods is to engage in obfuscation of the truth and will only result in confusion.  I believe there needs to be a clear and simple answer on this, and the clear practical answer is a resounding NO.  "SSID suppression", "DHCP restrictions", and "MAC filtering" are a huge waste of time.  If you absolutely can't run good WPA security, just turn on WEP for some real deterrence.
Having said that, it's ironic that WPA-PSK security when used correctly has no known method of being cracked yet it's even easier to deploy than WEP which is breakable in a couple of minutes.  WEP on the other hand is much easier to deploy than MAC filtering which is breakable in a matter of seconds using freely available GUI tools that run on Linux.  These simple-to-use tools will actually scan the air in real-time and display hidden SSIDs in the clear, MAC address in the clear so you can cut-paste them in to the MAC spoofing utility, and IP schemes are clearly displayed.

Now since you mentioned you had 20,000 employees, MAC filtering management gets out of hand the minute there is more than 1 AP and more than 10 users.  With 20,000 users and maybe 100 Access Points, you're looking at 2 millions MAC addresses you need to enter across all the Access Points.  If you had a RADIUS server to manage the MAC addresses centrally, you'll cut that number down to 20,000 MAC addresses but it's still insanely difficult to manage.

Since this is an enterprise deployment and it's all but impossible to keep a static secret in the form of a WPA-PSK pass-phrase; you really should be deploying WPA Enterprise which ironically is even easier to deploy than WPA-PSK.  All you need is a RADIUS server which comes free on Linux and is included with Windows 2000 and 2003.  The RADIUS server in Windows 2003 easily integrates in to Active Directory (or NT domain) which in turn allows you to centrally manage certificate policies and client-side wireless configuration settings using Group Policies.  This means all 20,000 users (if they were Windows XP SP2) could be configured for WPA Enterprise mode in a matter of minutes!  So if we completely ignore the superior security argument, MAC filtering and all the other myths are a huge waste of time.