Top 5 Myths for Securing a Wifi network

Disclaimer: Nothing is unbreakable

Given enough computer resources and enough time, even the most hardened networks can be broken. Our job then is to make it as solid as we can—enough that most attackers will simply give up after a few days of getting nowhere—and not fall prey to outdated tactics that are simply ineffective.

Myth 1. Hide the SSID.

"If you can't see it, you can't hack it," or so goes the old way of thinking. Having your Wifi access point transmit its name a few times a second is normal. Turning that off is not normal. Some mobile devices and all laptops running Windows 7 will still see the Wifi network. Hiding the SSID is a big red flag that you are trying to hide something!

Network sniffing tools like Kismet will find a hidden SSID in no time. These tools are now so readily available that even people with just a passing interest in breaking network security can download them and find a hidden Wifi network.

Myth 2. Enable MAC address filtering.

Every mobile device has a unique MAC (Media Access Control) address. It is how computers tell computers apart. In the old days, setting up a filter so that only MAC addresses you know could connect to the Wifi might have kept out a few people, but not any more.

Using Kismet (mentioned above) will show the MAC address of every computer connected to the network, and it is trivial to change your Wifi adapter's MAC address to match one that you see on the network.

Myth 3. Limit/disable the Wifi DHCP server.

The thinking here is that if your Wifi access point does not automatically hand out an IP address, you make it harder for someone to connect, as they will have to put an address into their wireless adapter. Anyone who has spent any time working with networks knows how to do this, and it only takes a few seconds.

If you limit the number of Wifi clients that connect, the thinking is that you can limit or block any attacks. See myth 2 for why this will not work. (Hint: simply wait for the other guy's Wifi to disconnect.)

Myth 4. It does not matter what encryption you use.

WEP (Wireless Encryption Protocol) was released in 1999, broken in 2001 and deprecated in 2004. You should NOT be using WEP as your main encryption type on any Wifi networks. (If you have old devices that only can use WEP, look around for some solutions and workarounds--but do not use WEP for your whole network just for these old devices.)

As successor to WEP, WPA (Wi-Fi Protected Access) was put into place to quickly buy some time from the WEP issues, but it too has been found to be vulnerable to attack. WPA2 is a better encryption protocol. However, WPA2-AES (Wi-Fi Protected Access 2 - Advanced Encryption Standard) is currently the strongest encryption that most people can easily use.

If you are in a corporate network that is running a RADIUS server, then there is no question that you should be using that encryption; it is the strongest off-the-shelf Wifi encryption available at the moment.

Myth 5. The Wifi password is the least of our worries.

This could not be further from the truth, and is nicely summed up at the end of this article by Arstechnica on the WEP/WPA woes:

".....the basics of network security are still valid, too: for WPA with TKIP or AES, choosing a long network key, perhaps 20 characters that are relatively random, can defeat all known brute-force key cracking methods."

Please check out last week's blog for more information about this critical aspect of Wifi security.

The bottom line:

Wifi networks can be made secure. By using solid encryption and a very strong (i.e., long) passphrase, you can rest easy at night.

The weak link will always be people. For example, there should be very strong company-wide guidelines to avoid writing ANY passphrase down on a post-it note and sticking it on the side of the computer!