Myth vs. reality: Wireless SSIDs

re: Myth vs. reality: Wireless SSIDs

Catemaco — Sat, 25 Apr 2009 03:44:40 GMT

I agree with Mark Coleman. Most people are NOT tech savvy. They don't know what a MAC address, so they're not going to spoof it, and they have no idea how to capture packets on a network. But if they are sitting outside my condo, and see my network SSID, they might just decide to take advantage of it.

And if I've had some problem where I've had to reset my wireless router, and have forgotten to enable encryption, or if I'm like my neighbor, who doesn't seem to know anything about encryption, then I'm in trouble.

Can someone address the question of performance? Does broadcasting or not broadcasting the SSID affect performance? I can pick up, no kidding, 10 different SSID's from my neighbors. Don't their SSID broadcasts increase the interference to my signal?

re: Myth vs. reality: Wireless SSIDs

cray — Sat, 18 Apr 2009 17:52:20 GMT

@Mark Coleman: Hiding the SSID and using MAC filtering does not increase your security. Sure, you prevent "non-technical" people from seeing your network, but would those non-technical people have had a chance of accessing your network if you employed WPA2? Of course not.

It's like hiding the bank vault only from people who have no idea how to crack a safe in the first place. Those who do know how to crack it can find it. What's the point?

So how did you increase security with these measures?

Hiding the SSID is useless (and harmful). MAC filtering is arguably useful not as a security measure, but as an access control method, assuming the users you're controlling access for are "non-technical" (i.e. stupid in-laws)!

re: Myth vs. reality: Wireless SSIDs

Mark Coleman — Thu, 09 Apr 2009 19:47:26 GMT

What I think others are trying to point out, as am I, is that not broadcasting SSID's and MAC filtering DO increase security to a degree. When non-technical staff try to find wireless access near them, they simply search with things like Windows WZC- which out of the box ignores non-broadcasting SSID's. So if say 5 in 10 people are non-technical, you've reduced the chance that NON-TECHNICAL people will find your network by AT LEAST 50%. And I'd rather have 50% less people know of it's existence then be "curious" and pursue access to my network. I'm not saying you need to agree with me, it's just my $.02.

re: Myth vs. reality: Wireless SSIDs

Khürt Williams — Wed, 04 Mar 2009 19:18:38 GMT

I use WPA2 with a strong pre-shared key on my wireless network. I DO broadcast the SSID and do NOT use MAC address filtering because I saw little value in the security provided. It also made it a lot easier for my family to use my network when visiting.

re: Myth vs. reality: Wireless SSIDs

TechNet Archive — Mon, 12 Jan 2009 21:44:19 GMT

Let's define what "increase security" means. I'll use two definitions:

Reduce the attack surface by eliminating additional potential targets of intrusion
Eliminate a vulnerability or reduce the likelihood of a vulnerability being exploited

When you secure a wireless network with WPA2 using RADIUS or a strong pre-shared key, you have secured that network against all known threats. It is completely unnecessary to hide SSIDs and filter MAC addresses at this point: these additional efforts do not increase security beyond what you've done with WPA2.

And as I have said before, you aren't really hiding anything with these approaches. SSIDs are available in clear-text in 802.11 association frames even if the access points aren't broadcasting their SSIDs. And MAC addresses are always clear-text and are unsigned, therefore they can be spoofed and you'll never know it.

Just because you can do a thing that smells like security, it doesn't mean that you're actually reducing threats.

re: Myth vs. reality: Wireless SSIDs

Carl — Mon, 12 Jan 2009 13:53:27 GMT

I don't see why hiding the SSID and using Mac-filtering does not increase the security if you also - as the most important step - use encryption. IMO all extra measures will increase the security - it's one more thing to pass before you hack init someone's network. I don't have wireless network for anyones use but me - so I use encryption and SSID hiding.

re: Myth vs. reality: Wireless SSIDs

TechNet Archive — Mon, 05 Jan 2009 21:32:48 GMT

@Brad and Matt-- nowhere did I say that hiding an SSID is the *only* security measure. I'm arguing against the notion that hiding an SSID is a good idea at all. If you use the proper security measure -- that is, WPA2 (or WPA if your devices don't support WPA2) -- then that is sufficient for protecting your traffic and keeping people from using your wireless network.

The 802.11 specifications mandate that SSIDs be broadcast. Access point manufacturers added support for hiding SSIDs a long time ago because people were too lazy to do the right thing (use encryption) and demanded the ability to hide. Well, you can't truly hide an AP. So by dropping support in Windows for something that actually breaks the protocol, it helps to improve overall security -- more people will use encryption.

re: Myth vs. reality: Wireless SSIDs

James — Mon, 05 Jan 2009 19:44:06 GMT

@Brad,

You don't need to "guess" an SSID, so hiding it is pointless.

re: Myth vs. reality: Wireless SSIDs

Matt — Wed, 31 Dec 2008 16:00:18 GMT

Great article Steve but equally great point @brad, I currently have my SSID hidden and I've also given it some obscure name whilst enabling WPA2, whilst this is not currently possible with VISTA SP1 (if it is I've not found ways to make it work), it is possible with the VISTA SP2 (Beta mind you), I have vista SP2 installed and so far so good.

re: Myth vs. reality: Wireless SSIDs

brad — Thu, 25 Dec 2008 18:30:19 GMT

Wait a mo - who said that hiding an SSID is the *only* security measure to be used? Hiding the SSID, changing it's name to something not easily guessed, *AND* enabling WPA2 (at least) security are *all* necessary steps to keeping folks from leeching off of your WAP

The *real* security issue here is M$oft's refusal to make it easy for folks to hide their SSID. Linux and MAC OS X don't have this onerous requirement, only the morons at M$oft, who also brought you Internet Exploiter, and every single security compromise ever dreamt of, in one, easy-to-use package (Windows).