dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3594
share rss forum feed


dfc888
Premium
join:2003-07-22
San Bruno, CA

SSID Broadcast Enable or Disable?

Is it better off the enable or disable SSID broadcast?
Linksys recommended to me that I turn off SSID broadcast if I was using my WLAN for private purposes only.

I have a Compaq 2806CL US, Linksys WRT54G router, Linksys WPC54G PCMCIA wireless adapter, and running "Zero Configuration" on Windows XP to connect to my WLAN. My current wireless security is WPA Shared Key on TKIP.

When I disable SSID broadcast, my laptop cannot access the internet at all, please help.

And also, what is the difference between TKIP and AES?

Thanks, LiTTo.
--
*O_O*


solaris99887

join:2003-07-25
Rockford, IL

Zero configuration in Windows XP only works when you broadcast the SSID. Turning it off means you'll have to manually enter the SSID into the Wireless Settings in XP. This is a trivial task, and once you do it, you'll be able to connect to the network.



Andrew J
Premium
join:2001-11-09
Lancaster, PA

I have ESSID disabled and have always connected fine with XP. No special settings required.
--
When your PC gives a little they give alot.»Team Discovery


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI
reply to dfc888

said by dfc888:
Is it better off the enable or disable SSID broadcast?
Linksys recommended to me that I turn off SSID broadcast if I was using my WLAN for private purposes only.
I am a recognized security expert, and I do NOT disable the SSID. A waste of effort and it severly impacts on performance in roaming between Access Points.

Vendor recommendations to disable the SSID is a knee-jerk reaction to ISS that claimed that the SSID is a password in the clear.

quote:
I have a Compaq 2806CL US, Linksys WRT54G router, Linksys WPC54G PCMCIA wireless adapter, and running "Zero Configuration" on Windows XP to connect to my WLAN. My current wireless security is WPA Shared Key on TKIP.
If you are actually using WPA with a decent EAP method (e.g. PEAP/MSCHAP or TLS), then there is no need to disable your SSID. Just don't put your GPS coordinates or company name in the SSID

quote:
When I disable SSID broadcast, my laptop cannot access the internet at all, please help.
The client MUST present the SSID in the ASSOCIATE management frame. If the SSID is not in the BEACON or the PROBE Response (the result of disabling the SSID on the AP), it MUST be entered into the client.

quote:
And also, what is the difference between TKIP and AES?

TKIP is an improved key scheduler and better IV for very much better WEP. It works on almost all the old hardware sold todate.

AES is the Advanced Encryption developed for NIST in an open compitition. It is good, strong, and fast. AES is used in CCMP, the new security protocol for WiFi. CCMP requires new hardware.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Since most do not have WPA or AES etc, your excellent corporate advice is not yet germane to the home owner.

I disagree politely and that hiding the essid, by disabling the broadcast represents a small line of defence against a certain level of war driver. Of course it will not hinder more aggressive sorts. Hiding essid will remove a percentage of ppl (with nothing better to do) from looking at your wifi circuit. Adding WEP is another percentage removal step of annoying bandits. Those that have the capability can still get by it and look at your data packets, but now the field is more limited.

By the way, I recommend the ZyXEL wireless line ( actually used in the home arena, besides corporate) which has had the 802.1X protocol built-in from the get go. Add that to the mix and life is made a tad harder for the bad guys to access the wifi circuit and is superior to essid or mac address features. MD5 is not the strongest implementation but later with WPA and further AES it will come into its own.
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "

[text was edited by author 2003-08-01 09:35:40]


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI

said by Anav:
Since most do not have WPA or AES etc, your excellent corporate advice is not yet germane to the home owner.
Anav,

Supprisingly, my concentration is more on the SOHO than corporate model. I am very aware of what vendors are planing for home and small office wireless. I talk to them at the bar at night after the meetings.

A SOHO operator wants simplicity, but adequate protection.

The draw of AdHoc meshes will be very strong to eliminate the channel selection problem, but that is a couple years off.

Setting WEP may be a challenge for some SOHO sites. If your risk is small (no one within 300' or totally surronded by trees), then yeah perhaps you can get by without WEP until a simple WPA offering is available, but then disable SSIDs.

But please try and set WEP, but then, don't be so concerned about disabling the SSID. Just one more thing to configure and manage.

Small things add up fast. Remember Senator Thrugood Marshall of the great state of Illinois?

What concerns me is the long shopping list of lock-down items recommended to SOHO installations. Start with WEP, go to WPA. Forget MAC filters and SSID hiding unless you are in a very bad environment or have a lot to hide.

For my corporate customers, I have a whole presentation....


Andrew J
Premium
join:2001-11-09
Lancaster, PA
Reviews:
·Comcast

I disagree politely and that hiding the essid, by disabling the broadcast represents a small line of defence against a certain level of war driver.
------------------------
I politely agree 100%. I have some nice belongings but don't put them in my windows for all passersby to see. I don't let valuables in plain site in my parked car either.
One year ago I checked the box on my WAP11 utility that read "disable ESSID broadcast". I've had no problems connecting with Linksys, Addtron, or Orinoco gear. Even my PPC connects perfectly every time.
--
When your PC gives a little they give alot.»Team Discovery



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to DSLrgm

DSLrgm, I view them as separate issues.

One is protecting the wifi circuit...ergo denying access to it, from weak to stronger ....... mac, essid, 802.1X MD5, 802.1X PEAP

Two is protecting the data packets (the info from being read) from weak to stronger..... none, wep, wpa, AES

I know its simplistic but its useful for the average joe like me to put the concepts and terminology into language that is palatable.
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to Andrew J

said by Andrew J:
I politely agree 100%. I have some nice belongings but don't put them in my windows for all passersby to see. I don't let valuables in plain site in my parked car either.
I agree. Disable SSID broadcast. A small measure of security and works fine unless you have multiple APs and roaming between them. Security is about layers, go ahead and use this layer. Hiding your SSID is a very thin layer of protection, and if nothing else will stop neighbors using WinXP from spotting your network. Just don't think you have added real security to your network, someone interested in hacking your network will use tools to discover hidden SSIDs.

azarby

join:2003-07-03
Phoenix, AZ

Do like I did, By a Linksys WRT54G, and a WPC54G, Enable WPA with AES on both sides and forget it.

azarby



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

That protects your data quite securely I think, but does not prevent others from accessing your wifi circuit. I believe you need 802.1X but not sure having not played with newer schemes
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "


azarby

join:2003-07-03
Phoenix, AZ

802.1x is worthless without a hardwired server that can authenticate your certificate or password. Too expensive and complicated for home use. If they want to connect, just fine, but with AES, they won't go anywhere.

azarby



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

reply to Anav

said by Anav:
That protects your data quite securely I think, but does not prevent others from accessing your wifi circuit. I believe you need 802.1X but not sure having not played with newer schemes

WPA = 802.1x + TKIP
-or-
WPA = 802.1x + AES

Deciphered: WPA = strong authentication + strong encryption

Both TKIP and AES replace WEP encryption.

[text was edited by author 2003-08-01 12:33:39]


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to azarby

Azarby chance have you looked at the ZyXEL products. It has 802.1X with the option of a user database on the appliance, no need for an external database, Purrrrfect for home use.
Albeit it currently is only at the Md5 stage (better than nothing) but future PEAP should have something similar. Thus I am not sure if what your saying is completely true.
Mind you I do not know now from BBarreras post how WPA and 802.1X will be integrated or AES and 802.1X for that matter.
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "


azarby

join:2003-07-03
Phoenix, AZ

My equipment is already up and running. No need to buy anything else now, unless something breaks.

azarby



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to Anav

Anav, have you had a chance to look at Linksys, Belkin or Buffalo products with WPA? They get rid of WEP altogether and use TKIP (or AES). They also support 802.1x modes that are compatible with Windows XP (my primary wireless OS).

To understand WPA setup you don't need WPA gear to play around with. Just go over to »www.smallnetbuilder.com and check out the NeedToKnows.

Here is WPA-PSK setup in a Belkin router:
»www.timhiggins.com/Sections-arti···age8.php

Here is WPA Radius setup in a Belkin router:
»www.timhiggins.com/Sections-arti···age9.php

Here is WinXP setup for home user with WPA-PSK:
»www.timhiggins.com/Sections-arti···ge10.php

Here is WinXP setup for enterprise user with WPA using the 802.1x EAP-TLS or EAP-PEAP:
»www.timhiggins.com/Sections-arti···ge11.php


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI
reply to azarby

said by azarby:
802.1x is worthless without a hardwired server that can authenticate your certificate or password. Too expensive and complicated for home use. If they want to connect, just fine, but with AES, they won't go anywhere.
No.

802.1x mandates EAP, and only recommends RADIUS. RADIUS is only needed when the EAP server is NOT on the AP. Zyxel is one vendor that ships an EAP server built into the AP, thus no RADIUS needed. Problem comes here when you have 2 APs. You know have 2 EAP user databases to maintain.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

And Zyxel currently only uses EAP-MD5 which has known security issues.


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI

said by bbarrera:
And Zyxel currently only uses EAP-MD5 which has known security issues.
Well just an offline dictionary attack!

Plus they still have to use the EAPOL-Key to send the key to the STA wrapped with some key....

hmmmmm.....

azarby

join:2003-07-03
Phoenix, AZ

I believe that for home users, without some sort of authentication database or Radius, etc., Microsoft recommends to use open authentication. That way you never broadcast any passwords or pre-shared keys. Someone may still be able to see you, and possibly connect, but they won't be able to access the network or any data. They say the only secure authentication is with validated certificates.

azarby



dfc888
Premium
join:2003-07-22
San Bruno, CA
reply to dfc888

I now use WPA - Preshared Key with TKIP. Is it possible that some "war driver" see (or steal/sniff) that PSK and use it against my WLAN?

Anyways, it was some wireless setting that I had, that screwed my laptop/router from transmitting data, and I got everything working fine now, with WPAPSK+TKIP and SSID Broadcast disabled.

Thanks for all your help.


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI

said by dfc888:
I now use WPA - Preshared Key with TKIP. Is it possible that some "war driver" see (or steal/sniff) that PSK and use it against my WLAN?

We discussed this at length last week. If the 4-way handshake is captured, it can be run through a dictionary attack, and if your pre-shared key is in the dictionary you are officially dead.

I am designing a new EAP method, shielded by Diffie-Hellman, that would address this. It will look a lot like IKEv2. But, then we have to convince vendors to deploy it.....


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

said by DSLrgm:
We discussed this at length last week. If the 4-way handshake is captured, it can be run through a dictionary attack, and if your pre-shared key is in the dictionary you are officially dead.
Is the 4 way handshake cleartext? As in capture with Ethereal and then run a dictionary attack?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to bbarrera

I will look at those links eventually but do any other vendors offer 802.1X without the need for a radius server like ZyXEl in their new WPA/TKIP offerings??
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

Yes, Proxim offers internal database and external RADIUS in one of the Orinoco APs. I'll be surprised if you look at the links, it seems as though if it isn't Zyxel it isn't worth your attention. Of course, until Zyxel offers same feature.


DSLrgm
Premium,MVM
join:2002-08-22
Oak Park, MI
reply to bbarrera

said by bbarrera:
said by DSLrgm:
We discussed this at length last week. If the 4-way handshake is captured, it can be run through a dictionary attack, and if your pre-shared key is in the dictionary you are officially dead.
Is the 4 way handshake cleartext? As in capture with Ethereal and then run a dictionary attack?
No. It has in it a challenge/response that uses the PMK to encrypt known text, thus the offline dictionary attack when the PMK is a hash of a pre-shared secret....

If the PMK is the result of a strong EAP method or your pre-shared secret is a random number, you're OK.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to bbarrera

Orinoco is too expensive and the others are sold by marketers who have no clue on what they are actually selling, yup will wait till zyxel makes it
--
Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! "



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to Andrew J

said by Andrew J:

I politely agree 100%. I have some nice belongings but don't put them in my windows for all passersby to see. I don't let valuables in plain site in my parked car either.
\
Andrew:

Did you remove your house number and license plate from your car? Better yet, for security, remove all the street signs in a six block radius from your house and car.

Now thats security.