bcastner MVM join:2002-09-25 Chevy Chase, MD 1 edit |
The Six Dumbest Ways to Secure a Wireless LAN
My apologies if this has been linked before. (And it was). It is an interesting article on Wireless Security: » blogs.zdnet.com/Ou/index ··· php?p=43 |
|
| |
Thanks for the link!:) |
|
|
localhost Premium Member join:2005-01-19 Cypress, CA |
to bcastner
i like the antenna placement section heh. |
|
jaa Premium Member join:2000-06-13 |
to bcastner
Their mention of WEP was good - not a way to secure a corporate network, but is effective in keeping 95% of your neighbors from leeching internet from your home connection. |
|
| |
I also liked the following, which was linked from one of the other articles on "Ou" blog: » www.securityfocus.com/in ··· cus/1814
It shows some test results from how long it takes to crack WEP keys...after that, I agree it's good only to keep out the clueless nosy neighbors who have their own unsecured WLAN. |
|
Nerdtalker Working Hard, Or Hardly Working? MVM join:2003-02-18 San Jose, CA |
said by JCHallgren: It shows some test results from how long it takes to crack WEP keys
A THG article already made front page news as well: » www.tomsnetworking.com/S ··· age1.php |
|
DaDogs Semper Vigilantis Premium Member join:2004-02-28 Deltaville, VA |
to localhost
said by localhost: i like the antenna placement section heh.
That section was half done, as were most of his points. Sure his article is technically correct but it fails to live in the real world. If I placed an antenna (AP) in a faraday cage, would the network be more secure? If the answer is yes, then we are talking a matter of degree and the answer is analog and not digital.
The problem I see with such security experts who are on a crusade to "enlighten" the rest of us mere mortals is that they live in an ivory tower somewhere. From his article:
For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security.
May I ask, all by himself? For these "ivory tower" security experts all security issues are either black or white and there are no gray areas. Reality doesn't work that way. In a real world sometimes it is important not just to secure your network, but also to hide your network. When it is important to hide your network, antenna placement becomes excruciatingly important.
Let's have a look at WEP. WEP was once considered the technical solution to network security. The experts were certain that WEP was what the acronym expands as. Unfortunately WEP was implemented poorly and subsequently broken and the security it afforded was severely constrained. What is there to stop that from happening again and again? Not a darn thing. It has been happening again and again since Samuel F. B. Morse invented the telegraph, and even before that.
Regarding the techniques that he decries, they are understood. Their flaws are known. They can be relied upon to function exactly as expected. IOW, if you use them, you know exactly what you can and can not stop. Now let us suppose that you don't use those 'useless' techniques. Instead you only rely upon the latest "HFWLDDP" ("Humpty Frumpty Whamma Lamma Ding Dong Privacy") encryption. Let's say you install five hundred SOHO networks using HFWLDDP over the next two years. Since the experts told you that was all you should do and nothing else was worth using, that was all that you did do and then someone broke it. Now don't you wish you had gone ahead and done the extra 'due diligence'?
Clearly Ou has an academic understanding of security but has never had to apply that in a real world. If for example he found himself in a third world country, required to build a "stealthy" link with old 802.11b hardware, what would he do to set it up? He would do nothing as nothing he could do would be worth the trouble. Clearly Ou has missed some of the critical points. |
|
1 edit |
DaDogs Your points against the article are fair enough, but let's remember the audience. Yes, the real world is not black and white, but the audience for this (the layman that knows nothing about security or rf signals) does not need nor want to be bothered by the details, and are likely to be put off if articles digress into details about the 'grey areas'. I submit that the author likely knows all of the things you have said, but has chosen to suppress these with the goal of getting some very basic points across. When I'm asked by laypeople about network security or computer issues, I tend to oversimplify, as if I do not (and this from experience) their eyes gloss over and I might as well be talking Greek to them. Heaven forbid if someone were to post mortem what I said in such a manner, as I will have glossed over a good many details and cherry picked certain ideas to get across to them. But I do have a good general understanding of the issues, it's just that I did not present all the nuances so as to retain the user's limited attention and get at least some headway with them. |
|
| |
to bcastner
I totally agree with DaDogs.
I'm of the school that believes if it's effortless to implement then why not do it? It may not stop somebody who knows what they're doing but it will keep some of the script kiddies out.
MAC Filtering, and SSID Hiding are no more involved than checking a little box on your configuration. It will only keep out the 25% of the dumbest crackers but that's 25% you don't have to deal with now. Then you run WPA, complex passwords, and authentication servers on top of that for the rest.
It's like if when designing airplanes somebody put locks on the cockpit doors. Sure it's made of thin wood and you could still shoot a bullet through it, but it would have made such a difference against box cutters. |
|
EGeezer Premium Member join:2002-08-04 Midwest 2 edits |
to bcastner
Thanks for the article - it does summarize misconceptions in an easy to read format for less technical users, but shouldn't be taken to mean that the measures should not be implemented at all. I agree with jaa that they can't hurt and can provide some minimal benefit. I'd put them in the category of being ineffective against determined piggybackers or intruders with some technical knowledge, but at the same time reducing the accidental hookups or casual attempts by nontechnical users (there are lots of these as we know!) to access the typical home wireless network. I don't have wireless at home but if I did it would include network segmenting and layered security in addition to the "easy" stuff in the article. |
|
DaDogs Semper Vigilantis Premium Member join:2004-02-28 Deltaville, VA |
to Kerensky97
said by Kerensky97: It's like if when designing airplanes somebody put locks on the cockpit doors. Sure it's made of thin wood and you could still shoot a bullet through it, but it would have made such a difference against box cutters.
Profoundly well spoken... |
|
jbob Reach Out and Touch Someone Premium Member join:2004-04-26 Little Rock, AR Asus RT-AC86 Asus RT-AC66U B1
|
to Kerensky97
said by Kerensky97: I totally agree with DaDogs. It's like if when designing airplanes somebody put locks on the cockpit doors. Sure it's made of thin wood and you could still shoot a bullet through it, but it would have made such a difference against box cutters.
OT: The cockpit doors were locked/lockable. They simply let the hijackers in to protect passengers from those box cutters. Protection is only good if you use what you are given to work with. |
|
DaDogs Semper Vigilantis Premium Member join:2004-02-28 Deltaville, VA 1 edit |
DaDogs
Premium Member
2005-May-4 11:46 pm
said by jbob: Protection is only good if you use what you are given to work with.
If that is the case, they certainly did not use what God gave them to work with ... namely their brains. Aw, well, that said... Aye, use what you have the best way you are able. If all you have is MAC address filtering and hiding the SSID, use it. If you have newer hardware and access to a layer three encryption system by all means use that as well ... or ... If you choose not to secure your systems, know what your liabilities are, and do as you choose.
In the case of the pilots, they obviously did not understand their liabilities or they would have told those men with box cutters to start in first class. The end result of that decision would be that a dozen passengers would have beaten the sheite out of the hijackers before they got to the second person. Common sense applies in all cases and in cases where it is not applied one can predict certain failure. |
|
AVD Respice, Adspice, Prospice Premium Member join:2003-02-06 Onion, NJ |
to bcastner
there were metal detectors and x-ray machines to protect pilots from bullets |
|
funchords Hello MVM join:2001-03-11 Yarmouth Port, MA |
to bcastner
The user doesn't know the difference between SSID hiding, MAC filtering, IP filtering, WEP, WPA-PSK, or Short Preambles.
When I was new to wi-fi, I was somewhat familiar with networks (including some amateur wireless networks). My first security choice: MAC filtering.
My brother, who does tech support but not on anything heavily network-based, had no security set at all. He was satisfied as soon as he was connected to the internet. (Problem solved).
We are not clueless or careless people. We simply did not know better and the installation instructions (D-Link's) seemed to encourage plug-and-play, no configuration necessary. |
|
B04 Premium Member join:2000-10-28 |
to bcastner
I knew that face looked familiar. » Wi-Fi Hardware and False Advertising
Where did this self-important putz come from, anyway? -- B |
|
| |
to bcastner
There is only one 100% method to secure a wireless LAN. Keep the radio turned off, keep the network disconnected from the Internet, and don't allow any user to log in. Everything else is risk management. As long as the radio is on there is no such thing as 100% security. As long as there is a live Internet connection there is no such thing as 100% security. As long as users can log in there is no such thing as 100% security. |
|
AVD Respice, Adspice, Prospice Premium Member join:2003-02-06 Onion, NJ |
AVD
Premium Member
2005-Jun-17 12:18 pm
said by claudeo: Everything else is risk management.
Agreed, but the question is, what are you trying to secure anyway? |
|