Securing Wireless Network Traffic (Part 3)

Introduction

In my previous article, I discussed the debate over whether or not you should change your wireless access point’s default password. In this article, I want to continue the discussion by talking about some of the other security settings that are typically built into wireless access points.

The SSID

One of the most common security recommendations regarding wireless networks is that you should disable SSID broadcasting. In case you aren’t familiar with this concept, SSID stands for Service Set Identifier. On the surface, an SSID appears as a word or a short phrase that can be used to identify a wireless network. For example, the SSID on my own wireless network is Posey.

The reason why so many IT professionals recommend disabling SSID broadcasting is because an SSID is more than just a label that you can use to identify a wireless network. The SSID is actually a shared secret that is used to restrict access to a wireless network. In other words, unless someone knows this shared secret, they are unable to attach to the wireless network.

Keep in mind that although an SSID is technically a shared secret, it is different from WEP keys or WPA keys, which are also shared secrets. I will talk more about WEP and WPA later on in this article series.

For right now though, I want to go back and explore the notion of the SSID being a shared secret key. If the SSID really is a secret key used to protect access to a wireless network, then why do most access points broadcast the SSID to the world?

I really think that the reason why the SSID is so commonly broadcast has to do with the evolution of wireless networking. Even though the SSID probably originated as a security mechanism, it quickly became apparent that the SSID made a handy mechanism for differentiating between wireless networks. Even the Windows operating system treats the SSID as though it were intended to advertise a wireless network’s existence.

So should you broadcast your SSID, or should you disable SSID broadcasting? Ultimately, disabling SSID broadcasting doesn’t do much to improve your network’s security. When you disable SSID broadcasting, the access point stops advertising the SSID in its Beacon frames and in its replies to broadcast (wildcard) Probe Request frames. In other words, the SSID will not be displayed on Windows’ list of available wireless networks.

While this may add some degree of security, the SSID is anything but secret. Even if you disable SSID broadcasting, the SSID is still transmitted in Association and Re-association frames, as well as in Probe Response frames. What this means is that it is child’s play for anyone with a packet sniffer to discover your wireless network’s SSID, because any time a legitimate user connects to your wireless network, the SSID is transmitted in clear text. All the hacker has to do is sit back and wait.

Personally, I think that treating your SSID as a security mechanism is a bad idea because doing so provides a negligible improvement in security and it can create a false sense of security. More importantly though, most of the older wireless NIC drivers for Windows (and even some of the more current drivers) won’t work correctly when a user attempts to connect to a wireless network that is not broadcasting its SSID. As such, I recommend going ahead and treating your SSID as an identifying label for your wireless network rather than trying to use it as a security mechanism.

Having said that, I have seen some organizations use misleading SSIDs as a way of trying to confuse hackers. For instance, I once saw a financial services company use an SSID that identified their network as belonging to an area restaurant.

MAC Address Filtering

One of the more effective security techniques for securing wireless networks at the access point level is to use MAC address filtering. The basic idea behind this technique is that, like wired network cards, all wireless NICs have a unique Media Access Control (MAC) address. MAC address filtering is a process by which you create a whitelist specifying which MAC addresses are authorized to connect to the access point.

The nice thing about this technique is that even if someone knows your wireless network’s SSID and your WEP or WPA passphrase, they will not be able to connect to your network unless they are using a network card that you have specifically authorized (by means of whitelisting the card’s MAC address).

So if MAC filtering is such a great security mechanism, you might be wondering why you don’t hear more about it. One reason why MAC filtering isn’t more widely used on wireless networks is that there is a lot of administrative overhead involved in implementing and maintaining it.

MAC filtering works really well in smaller organizations, but it just isn’t practical for use in large, enterprise class networks because every time a new network card is put into use, that card’s MAC address must be added to the MAC address filter. Likewise, whenever a laptop or a wireless card is decommissioned the administrator must figure out which MAC address belongs to that device and remove it from the whitelist.

Furthermore, it is common for large companies to occasionally have consultants, auditors, and other guests who need access to the wireless network. If you use MAC address filtering it can make it difficult for such guests to attach to your wireless network.

The process of managing the MAC filter list can be tedious, but the administrative overhead that I have just described might not be enough to stop some larger organizations from using it. However, there are two other issues that might prove to be more formidable barriers to using MAC filtering.

One such issue is that MAC address filtering is implemented at the access point level. While this might not be an issue for small and medium-sized organizations, larger organizations may have dozens of physical and virtual wireless access points, and managing the filter list for each individual device can be a monumental task.

Another barrier to using MAC address filtering has to do with the fact that some access points require a reboot any time a change is made to the filter list. These reboots can be extremely disruptive if an organization makes a lot of changes to the MAC filter list.

I realize that some would argue that all of these inconveniences are worth the effort if MAC address filtering provides rock-solid security. However, MAC address filtering isn’t foolproof.

Generally speaking, a hacker isn’t going to be able to modify their NIC to assign it a different MAC address. Likewise, a hacker isn’t going to be able to modify your filter list if your MAC filtering list prevents them from getting onto your network in the first place. The reason why MAC address filtering can’t be considered completely reliable is that there are ways of using software to spoof a MAC address. For example, I have even seen Windows drivers for wireless NICs that have a built-in option to specify an alternate MAC address. If a hacker sniffs your wireless network, they can easily get the MAC address of an authorized NIC. Once they have the address, they can configure their computer to spoof that address and gain access to your network.

So does that mean that you shouldn’t use MAC address filtering? Of course not! No security feature is perfect. Good security is all about defense in depth. In other words, you should have so many security features in place that it becomes impractical for someone to break into your network. I do tend to think that MAC address filtering is impractical for larger organizations (at least if performed at the access point level), but filtering MAC addresses is a very viable option for small and medium-sized organizations that want to improve their wireless security.
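As an added example (not from the original article), here is a small Python audit routine for an access point's MAC whitelist: it canonicalizes the address notations that different drivers and access points print, rejects associations from cards that are not on the list, and flags an authorized address that is associated to two access points at the same time, which is the symptom an administrator would see when an authorized MAC is being spoofed as described above. The whitelist, the log format and the access point names are constructed sample values.

```python
import re
from collections import defaultdict

# Hypothetical whitelist of authorized client MAC addresses (constructed sample values).
AUTHORIZED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Canonicalize the common notations (AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff) to lowercase colon-separated form, so the filter does not miss
    an entry just because a driver and an access point print the address differently."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac).lower()   # strip separators only
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_authorized(mac: str, whitelist=AUTHORIZED_MACS) -> bool:
    return normalize_mac(mac) in {normalize_mac(m) for m in whitelist}

# Constructed association log: (timestamp, access point, client MAC, event)
SAMPLE_LOG = [
    ("2024-01-01T09:00:00", "ap-lobby",  "00:11:22:33:44:55", "assoc"),
    ("2024-01-01T09:05:00", "ap-lobby",  "AA-BB-CC-DD-EE-FF", "assoc"),
    ("2024-01-01T09:10:00", "ap-floor2", "0011.2233.4455",    "assoc"),
    ("2024-01-01T09:30:00", "ap-lobby",  "00:11:22:33:44:55", "disassoc"),
]

def audit(log, whitelist=AUTHORIZED_MACS):
    """Return (rejected, duplicates): rejected = associations from MACs not on the
    whitelist; duplicates = whitelisted MACs associated to two access points at once,
    a sign worth investigating because it is what spoofing an authorized MAC looks like."""
    rejected, duplicates = [], []
    active = defaultdict(set)   # mac -> access points it is currently associated with
    for ts, ap, mac, event in log:
        m = normalize_mac(mac)
        if not is_authorized(m, whitelist):
            rejected.append((ts, ap, m))
            continue
        if event == "assoc":
            if active[m] and ap not in active[m]:
                duplicates.append((ts, m, sorted(active[m] | {ap})))
            active[m].add(ap)
        elif event == "disassoc":
            active[m].discard(ap)
    return rejected, duplicates
```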

Conclusion

In this article, I have discussed the roles that SSID broadcasting and MAC address filtering play in wireless network security. In Part 4, I will discuss some of the other security options that are available to you.