This is an article from InformationWeek. I would think that every CWSP candidate would already know this stuff.
Quick question: Which of these 4 tips is actually a bad idea that may make a WLAN less secure?
MAC Filters. What a great idea. What's next, a steam-powered engine?
Why would MAC filters make it less secure?
I think hiding the SSID is a bad idea; your clients will be more susceptible to soft-AP attacks.
There are many twists to this, so here is another good list:
Wi-Fi Network Security
Tweaks To Keep Visitors Out
Wireless home networks are wonderful things. They enable you to share Internet connections, files, and printers without the need for complex wiring, and they untether portable devices such as notebooks and media players.
Nevertheless, wireless networks can be perilous for the unwary. This is an issue for everyone, not just big companies with sensitive data. Even the smallest home network can be a target, not only of malicious data thieves, but also of nearby bandwidth snatchers who hijack your connection and use it to access the Internet, send spam, or attack other computers. Also, if unauthorized users piggyback on your network, your connection will be slower.
Furthermore, if one of your neighbors has an unsecured network, your improperly structured system may accidentally connect to it. This may sound innocuous, but if you are on your neighbor's network, he could access personal information, such as your password.
The good news is that these issues are relatively easy to fix. It will take a little configuration, but the security and peace of mind you'll gain will be worth it. Note that the instructions in this article assume at least one of your PCs is running Windows XP SP2 (Service Pack 2). If you are running Vista, the OS (operating system) will automate many of these tasks for you. If you are running another version of Windows on any of your PCs, most of this information still applies, but you won't have access to the automation wizards we mention.
Avoid The Neighbors
On WinXP SP2 PCs, the wireless networking utility will not connect to a strange, unsecured network without permission. (If any PC on your network uses the wireless adapter's own networking utility, rather than the one in Windows, the Windows-specific instructions in this section won't apply. However, the adapter card's utility likely has parallel settings that you will manage in a similar fashion.) Furthermore, each time one of these PCs connects, it will seek networks you have marked as preferred, in order of preference. However, during operation, the WinXP SP2 WZC (Wireless Zero Configuration) service periodically scans for the strongest signal.
If you have previously connected to available nearby networks from one or more of your PCs that support WZC (notebooks are likely culprits) and the signal on one of your home network PCs is weak or terminates suddenly, it's possible that PC will connect to the stronger signal. Adjusting your settings to prevent automatic connection can ensure this doesn't happen.
If your network router and adapter are WPA2 compatible (shown are the WPA2-compatible Belkin Wireless G Plus MIMO adapter and router), you'll be able to use the most secure encryption technology available for home networks.
On any PC with which you've connected to other networks, click the Start menu, select Control Panel, and double-click Network Connections. Locate the wireless adapter in the list of network connections, right-click it, and select Properties. If you see a Wireless Networks tab, click it. (If you do not see a Wireless Networks tab, your adapter doesn't support WZC and network hopping will not be a problem.)
Under Preferred Networks, if your home network is not listed in the first (most preferred) position, select it and click Move Up to rearrange it. Locate other networks on the Preferred list. If you do not want them, click the network and click Remove. Otherwise, click Properties and under the Connection tab, uncheck Connect When This Network Is In Range. (You'll have to re-enable this option if you ever want automatic connection to that network.) For your home network, automatic connection should be enabled.
Return to the Wireless Networks tab and click the Advanced button. Ensure that Automatically Connect To Non-Preferred Networks is not checked. Selecting this option lets WinXP connect to any available network, secured or not, whenever no preferred network is available.
Wireless networks transmit using radio waves, just like an FM radio, and can be picked up easily. In the early days of Wi-Fi, lack of range was a problem. With newer routers (some of which can broadcast up to 1,000 feet), users must contend with ranges that are too extensive (and inviting).
Take your notebook or other portable connected device (your smartphone, if it has Wi-Fi, is the easiest option) outside and try to locate your network. If the device sees it out on the road, so can others. Fortunately, you can adjust the placement of your access points to minimize signal leakage.
Position the router and/or access points so that wireless transmissions don't travel outside the home region. If you have a large backyard, this could be near the center of the rear wall of the house. In communities with postage stamp-sized yards, the middle of the home, away from any windows, might be a better solution.
If your Internet connection enters your home in a highly exposed place such as the front of the house, the most secure, if slightly cumbersome, solution is to use a single, extended-length Ethernet cable between the modem and a securely positioned Wi-Fi router. If you add more access points for better coverage (indoor range when walls intervene is often 50 to 100 feet), keep the location rules in mind. This sounds like a bit of a hassle, and it is, but it will help secure your wireless network.
Your network equipment likely came with preset default identification settings. Two of these are the username and password, which you (or anyone who gains access) can use to reconfigure the network from the device's Web-based administrative console. If you didn't change the default username and password during setup, it's important to do so ASAP, because the factory defaults for every router model are published and anyone on your network can try them. If you live in an area with a lot of traffic or close neighbors, consider changing these settings every few months.
Check your router's documentation for instructions on changing the username and password. You'll likely use the administrative console you reached from your browser during setup. Don't use your birthday, name, or address as part of the username or password; do use a combination of numbers and letters. For strong security, the username and password should be at least eight characters long, and longer is better.
A third default setting is the SSID (Service Set Identifier; the name of your network) your network broadcasts. With early versions of Windows, experts instructed users to change their SSIDs and hide them from view. However, for reasons we'll discuss under Shout It Out, hiding your SSID will not guarantee that it isn't broadcast. Consequently, we don't recommend that you hide the SSID, but it is a good idea to change it, and here's why.
Remember the WZC service we mentioned earlier? Because large networks often use the same SSID for multiple routers, WZC assumes that two signals in range of each other with the same SSID belong to the same network. If it finds two same-name SSIDs, it only displays the stronger signal as an available network. If you and a neighbor both have networks with default SSIDs such as "linksys" or "default," you could inadvertently connect to your neighbor's network if it transmits a stronger signal.
Naming strength is not particularly important, although you shouldn't use your name or address. Consider changing the SSID to something that sounds secure; for example, incorporating a word such as "private" can discourage inadvertent connectors.
If you decide to change your SSID, you must change it globally on all network equipment and devices. WinXP SP2 computers with built-in Wi-Fi or whose network connector supports WinXP's Windows Connect Now can use it to change the network SSID (and may have already done so during setup). You can access it via the Start menu; select Control Panel and double-click Wireless Network Setup Wizard. For PCs, routers, and adapters that do not support Windows Connect Now, the configuration utility will likely be on the Web and/or installed on the PCs in question. Consult the documentation that came with each piece of network equipment for assistance changing the SSID.
Note that you may not need (or might not be able) to change some device SSIDs. If printers or other wireless devices can connect directly to one of the network PCs and you can share that functionality with the network through that PC (using a method such as file and printer sharing), you won't need to change the network name on those devices.
Shout It Out
During SSID reconfiguration, you may see an option to hide the SSID. Do not enable it. With a hidden SSID, your network will not broadcast its name, so users must know the SSID to connect. This sounds like a sensible precaution, but Microsoft recommends that WinXP users avoid it, because this action will not completely conceal your SSID. In fact, it may even cause your devices to display your SSID at inopportune times as they send out frequent requests to join the network.
For example, the Wi-Fi adapter of a laptop configured for a hidden-SSID network will send probe requests naming that network periodically (whether or not the network is in range) and thus disclose the SSID to anyone with a wireless sniffer. If the SSID is not hidden, the laptop does not need to name the network in its probes; it can find the network from its beacons and connect without searching for it. A notebook PC on a network with a hidden SSID can therefore disclose your network's SSID anytime the Wi-Fi antenna is operating, no matter where you are (a coffee shop, an airport), making it less secure than simply displaying your SSID at home.
Restricting MAC access (shown on the Web-based administrative console of a Linksys router) is a good way of protecting your network from casual invaders.
Go For The Big MAC
For another layer of security (especially important if you live in an apartment and cannot restrict network transmissions to your personal space), you can implement MAC (Media Access Control) Address Filtering. Every network adapter or card has a unique hardware address, called the MAC address, that identifies it to the router. With MAC Address Filtering, your router only allows connections from devices whose MAC addresses the user has previously approved.
Check your router's documentation to see if you can set up MAC Address Filtering. This will deter wardrivers and casual bandwidth thieves. It will not stop dedicated hackers: MAC addresses travel unencrypted in the header of every frame, even on an encrypted network, so anyone with a wireless sniffer can read the address of an approved device and configure their own adapter to use it.
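The two points above (a client leaking a hidden SSID in its probe requests, and approved MAC addresses being readable by any sniffer) both come down to what is visible in 802.11 frame headers and management-frame bodies. The following is an added example, not code from the article: it builds a few constructed frames (a beacon from a "hidden" AP, a wildcard and a directed probe request, and two encrypted data frames) and parses them the way a passive sniffer would. The addresses, SSID and frame contents are invented for illustration.

```python
"""Parse constructed 802.11 frames to show what a passive sniffer learns:
the SSID of a 'hidden' network, leaked by a client's directed probe requests,
and the MAC addresses an access point is already exchanging data with
(i.e. the contents of its MAC-filter allow list). Added example; the frames
below are constructed, not captured traffic."""
import struct

MGMT, DATA = 0, 2                 # 802.11 frame types
PROBE_REQ, BEACON = 0x4, 0x8      # management subtypes
TO_DS, FROM_DS = 0x01, 0x02       # flag bits in the second Frame Control byte


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def header(frame_type, subtype, addr1, addr2, addr3, flags=0):
    """24-byte MAC header: Frame Control, Duration, three addresses, Sequence Control."""
    fc0 = (subtype << 4) | (frame_type << 2)          # protocol version 0
    return struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)


def ssid_ie(ssid):
    """Information element 0 (SSID); a hidden AP sends it with zero length."""
    return bytes([0, len(ssid)]) + ssid


def find_ssid(ies):
    """Walk the tagged parameters; return the SSID, '' if hidden, None if absent."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if tag == 0:
            # some vendors hide the name as a run of NUL bytes instead of length 0
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else ""
        i += 2 + length
    return None


def parse_frame(frame):
    fc0, flags = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "to_ds": bool(flags & TO_DS),
        "from_ds": bool(flags & FROM_DS),
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }
    body = frame[24:]
    if info["type"] == MGMT and info["subtype"] == BEACON:
        body = body[12:]          # skip timestamp(8), beacon interval(2), capabilities(2)
    if info["type"] == MGMT and info["subtype"] in (BEACON, PROBE_REQ):
        info["ssid"] = find_ssid(body)
    return info


def analyze(frames):
    """Hidden BSSIDs, names leaked by directed probes, and client MACs per AP."""
    hidden, leaked, clients = set(), {}, {}
    for f in frames:
        p = parse_frame(f)
        if p["type"] == MGMT and p["subtype"] == BEACON:
            if p["ssid"] == "":
                hidden.add(p["addr3"])               # addr3 is the BSSID in a beacon
        elif p["type"] == MGMT and p["subtype"] == PROBE_REQ:
            if p["ssid"]:                            # wildcard probes (empty SSID) leak nothing
                leaked.setdefault(p["ssid"], set()).add(p["addr2"])
        elif p["type"] == DATA:
            # addresses ride unencrypted in every header; WPA/WPA2 protect the payload only
            if p["to_ds"] and not p["from_ds"]:
                clients.setdefault(p["addr1"], set()).add(p["addr2"])   # client -> AP
            elif p["from_ds"] and not p["to_ds"]:
                clients.setdefault(p["addr2"], set()).add(p["addr1"])   # AP -> client
    return {"hidden_bssids": hidden, "leaked_ssids": leaked, "clients": clients}


# Constructed sample capture: one hidden AP and two approved clients (invented addresses).
AP = bytes.fromhex("aabbccddee01")
C1 = bytes.fromhex("020000000011")
C2 = bytes.fromhex("020000000022")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    # beacon from the hidden AP: fixed fields, then a zero-length SSID and a rates element
    header(MGMT, BEACON, BCAST, AP, AP) + struct.pack("<QHH", 0, 100, 0x0411) + ssid_ie(b"") + bytes([1, 1, 0x82]),
    # wildcard probe request from C1 (what a client sends when not hunting a hidden network)
    header(MGMT, PROBE_REQ, BCAST, C1, BCAST) + ssid_ie(b""),
    # directed probe request from C1 for its remembered hidden network: the name goes out in the clear
    header(MGMT, PROBE_REQ, BCAST, C1, BCAST) + ssid_ie(b"FarwellHome"),
    # encrypted data frames client -> AP and AP -> client; headers still expose both MACs
    header(DATA, 0, AP, C1, bytes(6), flags=TO_DS) + b"\x00" * 16,
    header(DATA, 0, C2, AP, bytes(6), flags=FROM_DS) + b"\x00" * 16,
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FRAMES).items():
        print(key, value)
```

The wildcard probe is harmless; the directed one hands the hidden name to anyone listening wherever the laptop happens to be, which is the article's point. The data-frame pass shows why a MAC filter is only a speed bump: the allow list is recoverable from the air, and on Linux an attacker then needs nothing more than `ip link set dev wlan0 address <approved MAC>` to use it.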
Scramble It Up
All wireless equipment supports encryption, which scrambles transmissions to make them hard for eavesdroppers to decipher. No matter what type of encryption your network supports, enable it. If you are running WinXP SP2 and your network equipment supports Windows Connect Now, you can use it to turn on encryption or adjust settings. (See "Use Windows XP's Wireless Network Setup Wizard" on page 28 for more information about using Windows Connect Now.)
In earlier versions of WinXP, you can use Wireless Network Properties (on the Wireless Networks tab; see the Avoid The Neighbors section of this article for instructions about how to access this tab) to change these settings. Otherwise, you'll likely need to work with the utilities and/or Web interfaces of your various equipment.
Note that all equipment (including network access points, cards, PCs, wireless cameras, and other devices interacting with the network) must support the encryption type you choose (possibly through additional configuration or installation of drivers), which may limit your choices. Check your documentation for your options.
During initial encryption setup, you will likely choose a passphrase or a network key. Ensure this is strong using the criteria described previously. If you select a passphrase, the router may use it to generate network keys, either during setup or at login (depending on the encryption standard). Write down the passphrase you select and the first key generated, if any, as you may need them later.
The strongest form of encryption currently available is WPA2 (Wi-Fi Protected Access 2; consumers use the personal variant, called WPA2-Personal), but many network devices, as well as versions of Windows prior to WinXP SP2, do not support it. For a list of WPA2-certified products, visit certifications.wi-fi.org/wbcs_certified_products.php. Click Advanced Search and make WPA2 part of your search criteria.
To use WPA2, you may need to update your WinXP PCs (depending on the last update you installed). Find out more at support.microsoft.com/kb/893357. Some WPA2 routers support mixed (WPA2 and WPA, an earlier encryption standard) networks. If this is the case, you may be able to mix equipment that supports one technology or the other.
The weakest encryption technology is WEP (Wired Equivalent Privacy). Its flaws are well documented: freely available tools recover a WEP key from captured traffic in minutes, so treat it as a last resort when nothing on the network supports WPA, not as real protection. Optionally, you can purchase a Web-based service such as WiTopia's SecureMyWiFi (www.witopia.net; starts at $9.99 per year). Determined attackers can penetrate a weakly configured network whatever the standard, but most will stay away from encrypted networks, opting instead to pluck the low-hanging fruit of unprotected ones.
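The passage above says the router "may use [the passphrase] to generate network keys" and that the passphrase must be strong. For WPA- and WPA2-Personal that generation step is standardized: the 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations. The following is an added example (not code from the article) that derives the key, checks it against the test vector published in the IEEE 802.11 standard, and runs a small offline guessing loop to show why a dictionary-word passphrase is lost the moment an attacker records one handshake. The wordlist, the "sunshine1" passphrase and the SSIDs used are constructed for the demonstration; comparing PSKs directly stands in for the real attack, which recomputes the handshake MIC from each candidate key.

```python
"""WPA/WPA2-Personal key derivation and why passphrase strength, not the
cipher, is the weak point. Added example; sample inputs are constructed."""
import hashlib


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits),
    as specified for WPA/WPA2-Personal. Passphrases are 8-63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA-Personal passphrases are 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_psk, ssid, candidates):
    """Offline guess against a captured network. A real attacker derives each
    candidate PSK exactly like this and then verifies it against the MIC in a
    recorded 4-way handshake; comparing PSKs directly here keeps the example short."""
    for word in candidates:
        try:
            if derive_psk(word, ssid) == target_psk:
                return word
        except ValueError:          # too short or non-ASCII: cannot be a valid passphrase
            continue
    return None


def ssid_changes_key(passphrase, default_ssid, custom_ssid):
    """The SSID is the salt: the same passphrase yields different keys on
    'linksys' and on a custom name, which is why precomputed tables for
    default SSIDs stop working once you rename the network."""
    return derive_psk(passphrase, default_ssid) != derive_psk(passphrase, custom_ssid)


# Published test vector from IEEE 802.11 (Annex on PSK derivation).
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed wordlist and target; not taken from any real network.
WORDLIST = ["letmein", "password", "password1", "sunshine", "sunshine1", "Tr0ub4dor&3"]
HOME_SSID = "FarwellHome"
WEAK_PSK = derive_psk("sunshine1", HOME_SSID)
STRONG_PSK = derive_psk("correct-horse-battery-staple-2007", HOME_SSID)


if __name__ == "__main__":
    pw, ssid, expected = IEEE_VECTOR
    print("test vector ok:", derive_psk(pw, ssid).hex() == expected)
    print("weak passphrase recovered:", dictionary_attack(WEAK_PSK, HOME_SSID, WORDLIST))
    print("strong passphrase recovered:", dictionary_attack(STRONG_PSK, HOME_SSID, WORDLIST))
    print("renaming 'linksys' changes the key:", ssid_changes_key("sunshine1", "linksys", HOME_SSID))
```

Each guess costs 4096 HMAC-SHA1 rounds, which slows an attacker down but does not save a passphrase that appears in a wordlist; the only defense at this layer is length and randomness in the passphrase, and a non-default SSID so that precomputed tables do not apply.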
Ready To Roll
You've now done a lot to secure your network. (There are other, more advanced safeguards, but they are beyond the scope of this article.) Of course, you should also ensure your PC's firewalls are working. As a final precaution, if you leave for vacation or any extended period, shut down your network. It's no fun having bandwidth squatters take up residence while you are away.
by Jennifer Farwell
Taking the advice of a mechanical engineer on an RF question. 8)
To respond to your complete question, "Which of these 4 tips is actually a bad idea that may make a WLAN less secure?", the hiding of the SSID is the one that can technically make the WLAN less secure. In actuality, it makes the WLAN clients less secure more than the WLAN itself.
However, I would argue that a suggestion of using MAC filtering "may make a WLAN less secure" because of the human psychological issue of complacency. If you "think" it's secure, you won't keep up to date or do things that really make it secure.
Interestingly, in the CWNA Fourth Edition book, I cover the issues of MAC filtering and SSID hiding as "Common Security Myths" in Chapter 10. In Chapter 9, I cover the Windows client vulnerabilities mentioned by Compughter in an earlier reply.
I think the most important myth, however, that must be shattered is the myth that WLANs cannot be secured. In fact a WLAN that has implemented IEEE 802.11i with a secure EAP type is a magnitude of times more secure than most wired LANs that use no encryption at all. I'm amazed at how many environments I go into that have wired ports that are wide open in conference rooms and other places, but they have a policy against wifi because it can't be secured.
Say it with me, "Wi-Fi can be secure!"
Sorry... I'm getting all excited here ;-)
I'm amazed at how many environments I go into that have wired ports that are wide open in conference rooms and other places, but they have a policy against wifi because it can't be secured.
This is on point. The place I am working now is struggling with this same security issue of open ports on the wire. The networking operations team says it is too much work to enable Port Security (802.1X) and too costly to implement a NAC solution.
With our wireless we have WPA2 Enterprise enabled and it is secure, at least to the wire. I am pushing a NAC solution (end point security) for the wireless and most likely will get it.
BTW, nice work on the 4th Edition Study Guide to joelb, Criss_Hyde, and yourself. My copy should be arriving through UPS any day now.