If I do not broadcast my SSID, am i secure from outsiders?

[jbaggins]

I have the Linksys wrt54g, and some users on here have reported that if you use one as a wireless ap, with another as the main router, you cannot use WPA security, only WEP.

Then i was informed WEP is weak and can be hacked easily.

What if I use WEP, but do not broadcast my SSID, and only allow the machines in our setup to access it? I won't allow anonymous logons.

I have about 5-6 computers that I can assign unique identifiers, then only allow these machines access to the network.

If i do this, and do not broadcast my SSID anymore, then won't I be safe from outsiders? I am not worried about anyone IN the place hacking, a) they are all middle aged women, that i know for a fact would not know how to do it, and b) i don't keep any real sensitive information, we just use the network to surf the net. I am more concerned about the apartment complex next door that has a lot of young people living in it.

thanks

 

[n0cmonkey]

Not broadcasting the SSID isn't really a big deal. They can still find your AP. :evil:

 

[Zugzwang152]

if someone wants to hack your wireless setup, they are going to do it anyway. don't broadcast your SSID, put on WEP, and you will discourage most casual "hackers." If you want you can monitor your router's logs and ban any MAC's that are connecting that shouldn't be.

 

[PCHPlayer]

I was at my neighbor's house the other day and was using their laptop. I did a wireless site survey and imagine my surprise when my network showed up with a blank SSID. Then there is WEP, which can be easily hacked. Tom's Hardware has a step-by-step guide to cracking WEP. MAC filtering is not much help either since you can spoof a MAC address. Bottom line, I agree with Zugzwang152. If you can use WPA that would be better.

 

[JackMDS]

May be this can Help.

Link to: Wireless Security.

Link to: WEP, WPA, and the Future (802.11i).

Link to: Network Segregation - Adding security to Wireless Network (or to any peer to peer Network).

:sun:

 

[HalfCrazy]

I'm using WEP on my wireless router. I live in a very small town where most are old people. So not many people here have computers and wireless access points.

Matter of fact I'm the only DSL customer with a static IP in our town. I know this for a fact since the local phone tech told me. The tech and me knows each other very well we talk to each other all the time. The few people that does have wireless routers here, it's funny seeing what they called their SSID. One person here has there wireless access point wide open. When ever I take my laptop in the back yard to surf the net. I all ways pickup that open access point.

 

[Nothinman]

Then there is WEP, which can be easily hacked.

Which only matters if yours is the only wifi network around. If you enabled WEP and your neighbor doesn't, do you really think someone's going to spend time cracking your key?

 

[dalmiroy2k]

Anyone using Netstumbler can see your SSID, channel and router name even if you are not broadcasting the SSID

 

[nweaver]

netstumbler cannot see SSID if you are not broadcasting it.

Netstumbler reports the broadcast beacons, and if you disable SSID broadcast, and take a sniff with a program like airopeek, you will se the beacon packet has a null value in it's SSID packet. You CAN sniff, because a computer that knows the SSID and makse an association request will have the SSID in it.

 

[mboy]

Originally posted by: Zugzwang152
if someone wants to hack your wireless setup, they are going to do it anyway. don't broadcast your SSID, put on WEP, and you will discourage most casual "hackers." If you want you can monitor your router's logs and ban any MAC's that are connecting that shouldn't be.

Most if not all of what you said is not true. 1st, their is impenetrable wifi. WPA with ultra strong password (preferrably usin AES) with strong radius authentication or even Ipsec VPN encryption you will not break.

WEP is worthless at any level as is your MAC filtering and No SSID broadcasting.

None of that will discourage a "casual" hacker as they now can now crack WEP easily.
It wikll onkly discourage the operson looking for an open access point, not someone looking to get into yours.

 

[Nothinman]

netstumbler cannot see SSID if you are not broadcasting it.

Netstumbler reports the broadcast beacons, and if you disable SSID broadcast, and take a sniff with a program like airopeek, you will se the beacon packet has a null value in it's SSID packet. You CAN sniff, because a computer that knows the SSID and makse an association request will have the SSID in it.

Which makes turning off SSID broadcasting pointless and if netstumbler won't show the SSID from the assoc request it should be fixed.

 

[nweaver]

netstumbler is basicly showing beacon packets....nothing more, nothing less. You have to sniff an association request from a valid client who already knows the ssid to find it. Netstumbler is not a sniffer.

And mboy, nothing is bulletproof. They said wep 128 was not hackable for a while too...

 

[nweaver]

also, not broadcasting ssid + 128 wep + mac authentication is probably enough for a home user. They COULD be hacked, but why would someone spend the time? It's corp networks, with technology and trade secrets that are worried about security. OP, I would think that if you have wep, no SSID, and mac filtering you are ok.

 

[Nothinman]

netstumbler is basicly showing beacon packets....nothing more, nothing less. You have to sniff an association request from a valid client who already knows the ssid to find it. Netstumbler is not a sniffer.

That's stupid, but I guess I'm spoiled by having tools like kismet handy.

 

[nweaver]

/shrug

Netstumbler was built to decode beacon packets to show nearby AP's and that is it. I like tools that have lots of goo to them as well, but netstumbler does what it's supposed to very well.

 

[Nothinman]

Finding APs by watching for assoc requests doesn't seem like goo, just seems like the next obvious feature since people started disabling SSID broadcasting.

 

[nweaver]

It sees the AP's just fine, it just doesn't display an SSID. SSID disabled AP's still broadcast beacons.

 

[JackMDS]

Hmm..

Lock your car with a key is useless, many people knows how to pick a lock.

Add the Club, and they know how to break it.

Put an Alarm and they know how to disconnect it.

Subtitute the word Car with Home and would get similar results.

So do not get a car and stay Home.

Viva La Unreasonable Paranoia of Ignorance.

:sun:

 

[Rottie]

very well said, Jack. I am impressive.

 

[HN]

Originally posted by: Rottie
I am impressive.

If you say so :laugh:

The better analogy would be if you have WPA enabled, not broadcasting your SSID would be like putting scotch tape across a bolted door.

 

[bluestrobe]

so whats the better WPA?

"shared key" or "Radius"?

 

[JackMDS]

Radius (Windows IAS).

:sun:

 

[spidey07]

rotated keys with 802.1x authentication works quite well.

In a truly secured wireless network they are all used together.

What is "better"? It all depends on how secure you want to be.

As mentioned the basic steps will stop all but the most determined intruder.

 

[Dogma420]

I think besides not broadcasting ssid, mac filtering, doing wep/wpa...


The best thing to do is narrow your DHCP scope. Lets say I have 3 computers....2 desktops and 1 wireless....the scope should be 4 computers in size...(includes the router) so the scope would be 192.168.0.1-4....that way they can't get an ip addy....if they can't get an IP addy what are they going to do?

Just a thought...might not completely prevent if you have a wireless notebook that isn't 'on' all the time...but you know right away what is going on if you try to connect with your notebook and can't get an ip addy....

This scope narrowing works great on a home network where there are constant wireless connections.

 

[ScottMac]

If "they" can't get an IP address from your DHCP, then "they" will manually configure one, and it'll work jus' fine.

DHCP just hands out addresses & config info. In an especially clever setup, DHCP might also report to the (local) DNS which device got which address.

DHCP, any flavor of DHCP, does nothing to add or subtract from the security of the setup.

Shutting down the SSID broadcast and / or putting in MAC filtering will only deter the casual cheapskate bandwidth thief in the neighborhood. A semi-serious cheapskate bandwidth thief will be taling to other s-scbt types and getting the necessary software to poach the signal.

The best bet for security is some flavor of WPA, implemented properly.

If you use WPA-PSK and use an easy password, you are also not very secure, as the password will be vulnerable to dictionary and brute-force attacks.

If you use WPA-PSK, then the password should be as long as you can tolerate, be a mixture of upper & lower case letters, and include some random numbers and non-alphanumeric characters (like dashes, underscores, "at signs" and the like) to break up the "normal" words and make them different from any word appearing in any list.

DO NOT use "Password," "secret" or a line of asterisks. Stuff like that is at the top of most crack lists.

DO NOT use 'leetspeak ... subbing an "@" for "a," 7 for "T" etc is also popular enough to be near the top of the lists.

Other bad practices: Your name, your address, your phone number, your SSN ...

If you use something like "Scott's Computer" .... change it to something like Sc3ott!s_CoM-9-putER! ... break up the words with non-letters, CAPS and lower case, toss in some non-alphanumerics.

It's still subject to brute force, but the longer you make it, the less likely it can be broken in any reasonable time.

You only have to input the key once per computer + the AP, take a minute and do it right.

If you're really concerned about it, and have a MS Server (and / or 'nix machine), then light up IAS or RADIUS and use it. If you're still nervous, light up self-signed certificate service and issue a cert to the server or/and each client and use WPA with EAP-TLS or PEAP.

Why would it worth all the trouble?

Because the legal precedent has already been set that ANYTHING originating from your network (whether you send it or someone else does by breaking in) is YOUR responsibility, and you'll take the consequences.

Secondary or equal to that is that any and all information you've passed through your computer on the current software load is likely to be still accessable (cache, swap, cluster/sector slack, etc) .... even if you've deleted it.

If someone wants it bad enough, getting by a weak (or absent) security system is trivial, and they'll get it.

It's easy enough to set up reasonable security these days, there's no excuse not to. Keeping WEP-only enabled NICs to save a few bucks is a bad idea, it can end up costing you much, much more.

FWIW

Scott