Does hiding the SSID broadcase really offer any wireless protection?

I read with interest an article that says to turn off the broadcast of your
SSID. Guess what? My two-computer home wireless network stopped working as
soon as I booted one of WinXP PCs with the Linksys router turned off.

To recover, I had to go through the entire setup process all over again
just to get the WinXP Wireless Zero Service to again understand the SSID.

What is going on?
Is it really feasible to turn off the broadcast of the SSID?
Or is it so much BS from folks who need to write something to stay in
business?

Is there any way to tell the WinXP PC to look for a certain SSID that isn't
broadcast without having to reconfigure the router every single time?

Confused,
barb

No, disabling the broadcast of your network SSID offers little to no
security and may cause connectivity issues as you discovered. Your much
better off using proper security measures like...

....encrypting your network with a strong WPA2 or WPA key

....changing the SSID to a unique and easily identifiable one

....changing the wireless access points default admin password to a strong
password

Personally I broadcast my unique network SSID and use WPA-PSK (AES) with a
63-character random ASCII key to encrypt my home wireless network...

http://www.kurtm.net/wpa-pskgen/

If you can't use WPA2/WPA then at a minimum use 128-bit WEP...

http://www.warewolflabs.com/portfolio/programming/wlanskg/wlanskg.html

Here are some articles of interest regarding the non-broadcast of your
network SSID...

http://www.microsoft.com/technet/itsolutions/network/evaluate/hiddennet.mspx

http://support.microsoft.com/kb/811427/en-us

http://support.microsoft.com/kb/907405/en-us

http://www.broadbandreports.com/faq/11468

http://www.dslreports.com/faq/10907

Show quoteHide quote

On Sun, 6 Aug 2006 07:11:48 -0500, Sooner Al [MVP] wrote:
Hi Sooner Al,

Wow. That was quick. I didn't even see my post posted when I saw your
reply. Since I lost my connection the minute I booted with the router off,
and since I had to reconnect with the wire, log into the router, change the
settings to broadcast the SSID, then connect with the Windows XP computer,
then log back into the router, change the settings back to not broadcast
the SSID, and only then did I get back to where I started. Whew.

Are we the only ones who read these so-called security hints and say "I
don't know what I'm talking about but the guys who write these articles
know even less than I do".

barb

On Sun, 6 Aug 2006 07:11:48 -0500, Sooner Al [MVP] wrote:
If I have one older computer which doesn't support WPA (only WEP) and one
newer computer which does support WPA and a router which does support WPA,
can I use WPA?

I thought we had to have all home computers on the same "standard"
encryption which means only WEP would work in my home network due to the
older computer.

Am I wrong?
Can I use WEP on one computer and WPA on the other?

barb

On Sun, 6 Aug 2006 07:11:48 -0500, Sooner Al [MVP] wrote:
If I have one older computer which doesn't support WPA (only WEP) and one
newer computer which does support WPA and a router which does support WPA,
can I use WPA?

I thought we had to have all home computers on the same "standard"
encryption which means only WEP would work in my home network due to the
older computer.

Am I wrong?
Can I use WEP on one computer and WPA on the other?

barb

barb wrote:
Show quoteHide quoteno. either update the drivers to the wep pc or just use wep. if your
card cannot support wpa, then purchase a new wireless card.

On Sun, 06 Aug 2006 08:26:50 -0400, Jeff Prater wrote:
I don't have a wireless card, per se. It's built in. I tried setting up WPA
and it said the card doesn't support it.

Is there a definitive way to test if a wireless card supports WPA?

barb

You have to check with the manufacturer of the laptop to see if they offer
driver/firmware upgrades that support WPA2/WPA. If they don't you could
disable the onboard/integrated WiFi hardware and purchase a WPA2/WPA capable
wireless card. Wireless cards are pretty cheap now adays...

Show quoteHide quote

barb wrote:
Show quoteHide quoteno. either update the drivers to the wep pc, purchase a wireless nic
which supports wpa, or just use wep.

On 08/06/06 07:23, barb wrote:
Yes, you can use WPA between the newer computer and the router.  However
you will not be able to use WPA to communicate with the older computer.  I
also think that there are some commercial APs out there that can
communicate WEP and WPA at the same time.

Yes, for all the computes to be able to communicate with standard (read non
expensive) equipment you will all need to be on WEP in this case.

No.

Not likely with the equipment that you have.



Grant. . . .

barb wrote:
I found that my older computer, router, and PCMCIA wireless network card
all offered WPA as an option after downloading and installing updates.
You might try this if you haven't.

On 6 Aug 2006 12:24:21 GMT, Ansgar -59cobalt- Wiechers wrote:
Likewise with limiting to the known MAC IDs.

Couldn't a hacker simply sniff out the MAC ID used in every packet and
simply spoof that MAC ID?

barb

On Sun, 06 Aug 2006 12:35:30 GMT, barb wrote:

Likewise with chaning to a static IP as suggested in this article on
wireless network security:

http://www.extremetech.com/article2/0,1697,1152933,00.asp
which says: "Many wireless routers default to the 192.168.1.0 network
            and use 192.168.1.1 as the default router.
            We discovered one network that didn't give us an IP address,
            but we assumed that they were using the defaults.
            We were right. We configured our notebook with an IP
            address in the 192.168.1.0 network using 192.168.1.1
            as the router address, and we had access to the
            Internet through their network."

What I don't get is you'd have to change the entire class of addresses(ie
subnet mask) to stop someone from connecting wouldn't you? For example, if
I changed the Linksys router IP address from 192.168.1.1 to 192.168.1.66,
anyone could STILL connect from a foreign PC simply by choosing any IP
address in the range of 192.168.1.[0 to 255].

Even if I change the subnet mask from 255.255.255.0 to 255.255.0.0, doesn't
that just open up MORE IP addresses that can connect to my network?

I'm so confused by these articles on wireless security. Can you help me
make sense of their recommendations to sort out the snake oil from the
practical?

thanks,
barb

On Sun, 06 Aug 2006 11:54:38 GMT, barb wrote:
Here is an O'Reilly article that says to hide your SSID and to change your
broadcast channel for added security.
http://www.windowsdevcenter.com/pub/a/windows/2005/04/19/WiFiHacks.html

Is this snake oil?

For example, as I already stated, if I change my SSID and then boot up
without the router powered on, there is no way (that I know of) to tell my
WinXP wireless applet the SSID (or am I missing something).

Likewise, if I were to change my channel, I mean how many channels are
there? Wouldn't anyone who wanted to get onto my network just scroll down
to the next channel? Are there an infinite number of channels or a finite
number of channels?

All this seems like snake oil to me.

QUESTION 1:
Once I stop broadcasting my SSID, how do I tell WinXP to use that SSID?

QUESTION 2:
If I change my channel, how long would it take a hacker to figure out
which channel I changed it to?

Thanks in advance for your advice,
barb

Changing your channel does nothing for security. Changing your channel *AND*
broadcasting your SSID may keep others from causing interference, and the
resulting connectivity issues, with your wireless access point.

For example channels 1, 6, and 11 will not interfere with other channels
like 3, 4, 5, etc. The default for many wireless access points is channel 6.
When I moved into our new home last month I did a quick site survey using
NetStumbler to find out what channels my neighbors were using. I walked
around a two block area near my home and deiced to use channel 1 since only
one other neighbor was using that channel and they were almost two blocks
away.

http://theillustratednetwork.mvps.org/ScreenShots/Netstumbler/Neighborhood_Survey07262006.JPG

My network is "N42RF" in the illustration. My immediate neighbor is
"sstehno". Note that NetStumbler does not show WPA only WEP for encrypted
networks. That is a function of the program...

I have no connectivity issues at all with my two wireless clients, ie. a
laptop and a desktop...

http://theillustratednetwork.mvps.org/LAN/TheIllustratedNetworkLAN.htm

Show quoteHide quote

On 08/06/06 07:15, barb wrote:
No.  These are just some of the many steps that can, and some should, be
taken to secure wireless networks.

This is twice (once in your former post) that you have stated that you do
not have the router on.  There are ways that you can tell your computer the
SSID of the wireless network.  However, if you have your AP powered off
telling your computer the SSID will do no good as it will not be able to
reach the AP.

Changing channels is more a performance preference than it is a security
setting.  The reason you should change your channel is so that your AP is
not as likely to be on the same channel as all the other APs in your
vicinity.  There are 11 use able channels in the US, and there are 13 in
the rest of the world.  I believe the FCC has blocked out channels 12 and
13 in the US for some reason unknown to me.

No this is not snake oil.

Per the articles direction, you tell XP that your network is a preferred
network.  Windows XP (presumably) will try to connect to the preferred
networks before other networks.  Though I have no experience with this.

Not long at all.  However as I stated this is more a performance setting
than it is a security setting.



Grant. . . .

In comp.security.firewalls barb <bwa***@cox.net> wrote:
No.

cu
59cobalt

On 6 Aug 2006 12:24:21 GMT, Ansgar -59cobalt- Wiechers wrote:
Likewise with limiting to the known MAC IDs.

Couldn't a hacker simply sniff out the MAC ID used in every packet and
simply spoof that MAC ID?

barb

On Sun, 06 Aug 2006 12:35:30 GMT, barb wrote:

Likewise with chaning to a static IP as suggested in this article on
wireless network security:

http://www.extremetech.com/article2/0,1697,1152933,00.asp
which says: "Many wireless routers default to the 192.168.1.0 network
            and use 192.168.1.1 as the default router.
            We discovered one network that didn't give us an IP address,
            but we assumed that they were using the defaults.
            We were right. We configured our notebook with an IP
            address in the 192.168.1.0 network using 192.168.1.1
            as the router address, and we had access to the
            Internet through their network."

What I don't get is you'd have to change the entire class of addresses(ie
subnet mask) to stop someone from connecting wouldn't you? For example, if
I changed the Linksys router IP address from 192.168.1.1 to 192.168.1.66,
anyone could STILL connect from a foreign PC simply by choosing any IP
address in the range of 192.168.1.[0 to 255].

Even if I change the subnet mask from 255.255.255.0 to 255.255.0.0, doesn't
that just open up MORE IP addresses that can connect to my network?

I'm so confused by these articles on wireless security. Can you help me
make sense of their recommendations to sort out the snake oil from the
practical?

thanks,
barb

If you use proper encryption, etc then the unauthorized user will never gain
access to your network. If you don't use proper encryption and the
unauthorized user gains access to your network then it doesn't matter what
address range you use. Once their on your network their on... That's the
bottom line...

Show quoteHide quote

barb wrote:
Show quoteHide quoteif you're so concerned about security, use wpa2 for encryption and a
radius server and certificate for authentication (peap, pki, etc.) if
you have access to a windows server, this should be a walk in the park.

On 08/06/06 07:45, barb wrote:
Show quoteHide quoteIndeed.  You can safely and freely use any network in the following ranges:

10.0.x.y - 10.255.x.y
172.16.x.y - 172.31.x.y
192.168.0.x - 192.168.255.x

Yes.  You really want to change the subnet, not the subnet mask.  There
really are multiple parts to an IP address that have to do with the binary
address structure.  With out going in to what is likely more detail than
you want to know, there are three basic network sizes:

Class A:  N.H.H.H (16,777,216 host addresses on this network)
Class B:  N.N.H.H (    65,536 thousand hosts addresses on this network)
Class C:  N.N.N.H (       256 host addresses on this network.

For the record, here is how many different networks of each type there can be:

Class A:         256 networks
Class B:      65,536 networks
Class C:  16,777,216 networks

Now if you take a Class B network, which a university might use, there
needs to be a way to SUB divide the network in to more manageable portions.
  This is where SUB-netting and the SUBnet mask comes in.  The subnet mask
is a way to sub divide the larger networks in to multiple smaller logical
networks.  Very seldom is this done any more, but it does occasionally
happen.  In short, the subnet mask is ANDed with the host portion of an IP
address to determine if two hosts are on the same subnet.  I.e. if the
portion of the IP addresses that are ANDed with the subnet mask match they
are on the same subnet.

So rather than changing the subnet mask of a host, you would really want to
change the network.  However, if you really want to get paranoid you could
make your subnet smaller to only be big enough to allow the number of
computers you wanted on the network to be in the same subnet.  In other
words if you had a home network of 2 computers and a router you could
shrink your subnet to the point that only 4 IPs were in your subnet, one
for each computer and one for the router leaving one open.  If you don't
advertise your IP address and subnet mask via DHCP and it is small enough,
it will be even harder for the average cracker to figure it out and thus
exploit your network.  However, this is beyond what most technicians will
ever need / want to do in their life time.  Usually you will find that
networking professionals (i.e. people that set up the network that the
servers and workstations use) will do things like this.

Back to your question / statement, you would need to change the network
that you are on, from 192.168.1.x to 192.168.144.x to make your network all
that much less likely to be predicted.  However, 144 might not be the best
value, as it is 24 less than 168 which is also 24 less than 192, which by
the way is how I chose 144.

None of what you have read is snake oil.  Each of the security tips
suggested are small steps that help in the over all picture to help protect
your network.  Really what you are reading is more steps to make your
network more obscure and as such much harder to predict and much more
likely to be secure.  However there are ways to defeat just about any
security measure that is out there.  There is a phrase "There has not been
an lock built that can not be picked.", which is very true.  The goal is to
make it not worth the time for people to pick your network's lock.  Usually
you just have to be more secure than the guy down the street for people to
move on.



Grant. . . .

barb wrote:
just like the key to the front door of your home or the door to your
car, these are useful to help honest people stay honest.  Internet
security 'features' just add extra hoops for the buggers to jump thru
--- the more you present, the more time they spend, and if not extremely
motivated (ie: they know what they're after and know that you have it)
-- soon they will just give up and go down the street where there are
zero hurtles to get access.

there is no such thing as a silver bullet security padlock which can be
guaranteed to 'keep you safe'.

On 08/09/06 18:41, Jeff B wrote:
Yes there is.  Of course it is usually black or grey.  It's called the
power cord.  Unplug it and leave the system turned off and disconnected
from the everything.  Of course this sort of defeats the usability of a system.



Grant. . . .

P.S.  I guess you could say the prongs of the cord are silver....

Since nobody has actually spoken up about this I thought I should chime
in. Hiding the SSID is a bad idea for several reasons, the first of which
is that it breaks the spec and can actually cause performance problems:
http://www.icsalabs.com/icsa/docs/html/communities/WLAN/wp_ssid_hiding.pdf

-Gary

In comp.security.firewalls barb <bwa***@cox.net> wrote:
Yes.

And if you already set a Followup-To, don't go and crosspost again.

cu
59cobalt

On 08/06/06 07:35, barb wrote:
MAC address filtering is a basic way to say that only the computer with
these known finger prints is allowed to get on to the network.  This type
of filtering is usually fairly difficult to effectively get around.  That
is not to say that it can not be done, but usually it is not worth the effort.

Yes, a cracker (hackers tend to be more white hat than crackers) could
spoof your MAC address.  However when they did this your computer that they
were spoofing would most likely start experiencing VERY weird network
symptoms and not work very reliably at all.



Grant. . . .

You should try posting to the microsoft.public.windowsxp.network_web
newsgroup.  This newsgroup supports Microsoft's Broadband Networking
hardware and software only.

Disabling the SSID broadcast is a waste of time, if the network gets
used more then on occasion.  This is because the SSID is broadcast in
every packet outside of the encrypted portion of the packet.  This means
that a program as simple as NetStumbler can find your network.  You can
only use one type of encryption also.  This means you can have clients
connecting via WEP & WPA to the same wireless network.  You could
segment the networks, but have them connect via a wired connection.  Yes
you can tell it to connect to a network that isn't broadcasting it's
SSID if you know the SSID.  Just remember that SSIDs are case sensitive.

barb wrote:
Show quoteHide quote

No that is not correct. This group supports "windows wireless networking"...

You may be thinking of the "microsoft.public.broadbandnet.hardware" news
group or one of the other Microsoft hardware news groups...

Show quoteHide quote

On 08/06/06 06:54, barb wrote:
Yes, it does add some limited measure of protection.

Do not turn off the router its self, just stop it from broadcasting the SID.

Depending on what wireless client configuration software you are using, yes.

No, this is not BS.  However I do not believe that it is good advice for
SOHO users.

I have been told that this is possible.  But seeing as how I don't run
Windows if I can help it, I have no experience doing such.



Grant. . . .

wireless network connection setup...cant bridge to wired network
Xp won't connect to other members of workgroup but can ping?
Limited or No Connectivity - HELP!!!
Good Newtork Connection, but no internet
File Sharing Issue
PCAMPR5 NDIS Protocol Driver
Wireless help please??
dialup ISP, computers sharing one connection
Internet Gateway Icon disappears after repairing connection
question about EAP-TLS