dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
10

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller to norwegian

Premium Member

to norwegian

Re: Router security

said by norwegian:


2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

2. Set specific MAC addresses.

MAC filtering has little if any benefit.

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian

Premium Member

You have me a little curious on this.
said by KodiacZiller:

said by norwegian:


2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

Hiding the SSID does nothing?
said by KodiacZiller:

said by norwegian:

2. Set specific MAC addresses.

MAC filtering has little if any benefit.



Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?
said by KodiacZiller:

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.

This I have done.

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller

Premium Member

said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSID's by default. Just about all war-driving software on any platform can do it.
said by norwegian:

Setting specific MAC address filtering is not worth a concern?
Can you elaborate on this, as setting MAC addressing was 1 of my "to do" jobs but you suggest I'm wasting my time, I gather because they can be spoofed?



What happens is an attacker will sit outside and use a tool like ethereal to sniff the traffic on your network. While he can't actually see the data (since it is encrypted) he can see other information like the MAC addresses of clients. So, once he determines what the legit MAC addresses are, he runs a tool like ifconfig and changes his own MAC to match yours. It's trivial and only takes a minute.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian

Premium Member


Okay, this is where "Security by Obscurity" comes into play - if your firewall is ping able or not really makes no difference to the end result. Hidden or not you have to be track-able to some extent (without talking proxies).
norwegian

norwegian to KodiacZiller

Premium Member

to KodiacZiller
said by KodiacZiller:

said by norwegian:

Hiding the SSID does nothing?

Absolutely nothing. Any war-driver with Backtrack can sniff hidden SSID's by default. Just about all war-driving software on any platform can do it.

Interesting that you bought this up.

Found this interesting:-

»www.youtube.com/watch?v= ··· 5X1KlPDE

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut to norwegian

Premium Member

to norwegian
I make my router pingable. Why wouldn't I? It doesn't make a difference, anymore than hiding the SSID would. And, that is none.

StuartMW
Premium Member
join:2000-08-06

StuartMW to norwegian

Premium Member

to norwegian
said by norwegian:

Okay, this is where "Security by Obscurity" comes into play...

There's no such thing on the internet. It doesn't matter where you live, New York city or a shack in Siberia, you will be found,

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey

Premium Member

Yeah, everything I've read says that hiding SSID is useless. I have done it only to keep casual users from trying to connect, but that probably just ensures that the only attempts will be malicious or non-casual. The router wifi is secured anyway with a strong password in WPA2 and also the administrator name and password are unique and remote administration is disabled. There's really no need for remote administration for most people, anyway, is there?

The key remains LAN access, doesn't it. How does one log onto the LAN, users and user levels, passwords, etc? If it is easy to log onto the LAN locally, then once the wifi connection and strong password are known, logging onto the LAN will also be easy, won't it?