March 26th, 2007

Wireless LAN security myths that won't die

Posted by George Ou @ 2:26 am

Categories: Desktop, Infrastructure, Mobile/Wireless, Networking, Security, Vista


It's been two years since I wrote "The six dumbest ways to secure a wireless LAN," and it's probably been one of my more successful blog entries ever, with two flashes on Digg. Since that time, I've written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I'm going to update the information with more defined categories and better explain why they're so bad from an ROI (return on investment) and security perspective.

Waste of money, resources, time

  • MAC filtering
  • Disable DHCP and use Static IP addresses
  • Signal suppression with expensive paint or antenna placement

Worse than no wireless security at all

  • LEAP (adding EAP-FAST to the list)
  • SSID Access Point beacon suppression (or "hiding")

Has nothing to do with security mechanisms

  • Just use 802.11a or Bluetooth

The original blog has probably been read by more than a hundred thousand people, but I still can't kill these nasty urban legends because they are so ingrained as "best practice." I was shocked and infuriated to find that even some security certifications, like the CISSP, and VISA payment processing compliance requirements, like PCI, are recommending most of these methods as "best practice."

Note that I recently attended the official CISSP boot camp training and in spite of this bad wireless LAN advice, I still recommend the CISSP certification and training. It really taught me how to better communicate to management and business people and align security and IT to the business. I have, however, asked them to fix their small section on wireless LAN best practices, and I hope they fix it.

The most common and misguided arguments I hear against my advice and in favor of implementing this nonsense are:

  • What's the harm? It's a layered approach to security.
  • It makes us harder to see and hack.
  • We're a small company, and we can't afford real security.

The problem with these arguments is that they're based on some fundamentally wrong assumptions and an inadequate knowledge of how wireless LAN security works. 

  • These aren't layered approaches; they're more like buying overlapping warranty coverage, since any benefit against casual bandwidth thieves is already covered by real security measures. The harm is that people confuse these methods for the real thing, and they spend more money and resources on implementing the wrong security mechanisms and end up skimping on real security.
  • They don't make you harder to hack. Kismet, which is a free utility, will reveal so-called hidden SSIDs, MAC addresses, and static IP schemes within seconds of scanning the airwaves, sending all that money and time spent on MAC address and static IP management down the toilet.
  • If you have a limited budget with limited IT staff, it's all the more reason to use real wireless LAN security, because you certainly won't be able to afford the complexities of MAC filtering and static IP configuration. True wireless LAN security is far cheaper to implement and maintain.

Rock-solid wireless LAN security for the home or small office can be summed up in a single paragraph. All you need to do is use WPA-PSK security with a random alphanumeric passphrase that has a minimum of 10 characters. I estimated that a truly random alphanumeric 10-character passphrase will take one thousand modern single-core PCs working in parallel 500 years to crack. If your hardware doesn't support WPA mode, you can almost always get a free software/firmware upgrade to support it. If WPA mode absolutely can't be supported, you can run WEP (104-bit, AKA 128-bit) security, which might take a semi-skilled script kiddie using two PCs in an active attack configuration 10 minutes to break. WEP shouldn't ever be considered effective wireless LAN security, but it's hundreds of times harder to break than any of the myths. WEP can be considered an actual deterrent when nothing better like WPA is available, whereas these myths aren't even worthy of the deterrent title. The ROI for any of the first three wireless LAN security myths is essentially zero.
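The passphrase advice above, worked through as an added example (not code from the original post): it generates a random 10-character passphrase, derives the WPA-PSK master key the way 802.11i defines it, and back-calculates the guess rate that the "one thousand PCs, 500 years" estimate implies. The 62-symbol mixed-case alphabet, the helper names and the sample SSID are assumptions; the post does not state the alphabet or rate behind its estimate.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: 62 mixed-case symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(length=10):
    """Pick each character with the OS CSPRNG (WPA-PSK allows 8 to 63 characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase, ssid):
    """WPA-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def years_to_exhaust(length, guesses_per_second, machines, alphabet_size=len(ALPHABET)):
    """Years needed to try every passphrase of this length at the given rate."""
    keyspace = alphabet_size ** length
    return keyspace / (guesses_per_second * machines) / SECONDS_PER_YEAR


def implied_rate(length, machines, years, alphabet_size=len(ALPHABET)):
    """Per-machine guesses per second at which the keyspace lasts `years`."""
    return alphabet_size ** length / (machines * years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    ssid = "ExampleHomeNet"  # constructed sample SSID
    phrase = generate_passphrase(10)
    print("passphrase:", phrase, f"({entropy_bits(10):.1f} bits)")
    print("PMK:", derive_pmk(phrase, ssid).hex())
    rate = implied_rate(10, machines=1000, years=500)
    print(f"rate implied by 1000 PCs x 500 years: {rate:,.0f} guesses/s per PC")
    print(f"same rate, 8 characters: {years_to_exhaust(8, rate, 1000) * 365.25:.1f} days")
```

Because the SSID is the PBKDF2 salt, the same passphrase produces a different master key on every network name, and each guess costs 4096 HMAC-SHA1 rounds, which is what keeps the per-PC rate low.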


George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Most Recent of 113 Talkback(s)

SSID hiding makes you MORE vulnerable

SSID hiding makes you MORE vulnerable. Your base stations can't really be hidden and you force your clients to go around screaming your SSID making themselves vulnerable. SSID hiding should be banned because it decreases security....

Posted by: georgeou Posted on: 03/06/08