[Updated to reference Microsoft article on non-broadcast wireless networking]
I read an article the other day in Information Week, by Preston Galla. The name rang a bell, and I remembered that he used to review shareware for ZDNet. The fact that I remember his name suggests that I disagreed strongly with what he wrote about my software 🙂
The article basically says that you can secure wireless networks by a few simple steps:
- Hide your network ID (disable SSID broadcasts)
- Use Encryption “WEP is probably enough”
- Filter out MAC addresses
- Limit the number of IP addresses offered by your DHCP server
- Sniff for intruders using a tool like AirSnare
- Install host-based firewalls on all systems
Let’s contrast that with a ZDNet blog article by George Ou on “The Six Dumbest Ways to secure a Wireless LAN“, along with a quick parenthetical summarisation of what I believe George is saying:
- MAC filtering (an attacker can fake a MAC if he intercepts a packet)
- SSID hiding (an attacker can read the SSID from many other packets)
- LEAP authentication (CISCO screwed up)
- Disabling DHCP (an attacker can easily steal another host’s IP address)
- Antenna placement (search on “Pringles can” and “wireless”)
- Use only 802.11a / Bluetooth (oh, because hackers don’t have those?)
Dishonourable mention: WEP encryption – “it takes only a few minutes to break a WEP based network which makes WEP completely ineffective”.
I make that three out of six of Preston’s recommendations on how to secure wireless networks line up in George Ou’s “dumbest six ways”. I have to agree with George.
The DHCP one is a classic – to try and limit the hackers, you make it easier for them to engage in a denial of service attack on you?
Even Microsoft, a company known for allowing people to make decisions that don’t exactly help security (hello, account lockout?) without comment, has documentation on disabling SSID broadcast as being a bad idea – note the tone of the article says “we’re trying to make it easier to do this, but really, it’s a bad idea to begin with”.