Monday, December 31, 2007

Disabling SSID broadcasts and wireless MAC address filtering

With security I would always weigh the benefits against the downsides. Some people think that you should "add" as much security as possible to gain the "highest" security. I kind of doubt that this simple math really applies to security and to the actual level of security you have in a wireless network.

I think disabling SSID broadcasts, just like the wireless MAC address filter list, provides very little security at best and causes a lot of problems. Both the SSID and the MAC addresses are transmitted unencrypted, which means they are easily captured. Also remember that even without the SSID broadcast the router will still send out the beacon signal, which is used to measure the signal strength. Disabling the broadcast just changes the SSID in the beacon to null. Depending on where you live, this will still allow someone to quickly locate the presence of the router in your home.
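What a "hidden" network still puts on the air, as an added example that is not part of the original post: a minimal Python parser for an 802.11 beacon frame. The frames are constructed in the script rather than captured, and the function names and sample BSSIDs are made up for illustration.

```python
import struct

SSID_TAG, DS_PARAM_TAG = 0, 3   # 802.11 information element IDs
PRIVACY_BIT = 0x0010            # capability bit: encryption required

def build_beacon(bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Build a minimal beacon frame (constructed sample, not a capture)."""
    # MAC header: frame control, duration, DA (broadcast), SA, BSSID, seq
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    # Fixed fields: timestamp, beacon interval, capabilities (ESS + Privacy)
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | PRIVACY_BIT)
    tags = bytes([SSID_TAG, len(ssid)]) + ssid + bytes([DS_PARAM_TAG, 1, channel])
    return header + fixed + tags

def parse_beacon(frame: bytes) -> dict:
    """Return what any passive listener can read from one beacon."""
    if len(frame) < 36:
        raise ValueError("truncated beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    caps = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "privacy": bool(caps & PRIVACY_BIT),
            "ssid": None, "hidden": True, "channel": None}
    pos = 36                                 # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                            # truncated element, stop parsing
        if tag == SSID_TAG:
            # "Hidden" means a zero-length SSID or one made of NUL bytes
            info["hidden"] = length == 0 or not any(value)
            if not info["hidden"]:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag == DS_PARAM_TAG and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

if __name__ == "__main__":
    samples = [build_beacon(bytes.fromhex("020000000001"), b"HomeNet", 6),
               build_beacon(bytes.fromhex("020000000002"), b"", 11),
               build_beacon(bytes.fromhex("020000000003"), b"\x00" * 7, 1)]
    for frame in samples:
        print(parse_beacon(frame))
```

For the two hidden samples the SSID comes back empty, but the BSSID, the channel and the fact that encryption is in use are all still readable from the beacon.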

Disabling SSID broadcasts is known to cause numerous problems with a variety of wireless cards. The wireless card must actively connect to the SSID to find out whether it is there or not. On Windows XP with a longer list of preferred networks this can be a power- and time-consuming task. On Vista you have to remember to configure the network correctly. Some cards have trouble connecting at all, lose the connection at times, or sometimes change connections when another broadcast SSID in the list of preferred networks comes up.

The wireless MAC address filtering is quickly forgotten after the initial setup. Then, a year later, people simply do not remember it when they want to add another wireless device to their network.

If you have two or more wireless access points/routers with which you could build a roaming wireless network, that won't work with SSID broadcast disabled, because wireless clients are not able to passively detect a stronger signal from the second access point. The current connection must be disconnected before the client can check for the presence of the other AP.

Thus, disabling SSID broadcasts and enabling MAC filtering may prevent someone from accidentally connecting to your network, but anyone who wants to attack your wireless network (or any teenager desperate to find wireless internet because parents try to limit internet access) will quickly find it. With WPA and a strong passphrase your network is well protected. Disabling the broadcast is like adding a tiny little fence in front of a huge wall protecting your home. It also "adds" security by adding another hurdle.

If someone tries to attack a WPA-encrypted network, this requires a sophisticated attack, which usually captures a lot of frames to analyze the encryption (that is how you can crack WEP) and sometimes even injects some frames. This kind of attack will immediately reveal the SSID and all your (active) wireless MAC addresses.

A dumber attack would be a simple brute-force or dictionary attack against the passphrase. But with a strong passphrase in place this will not succeed in any reasonable time.

On the other hand, with SSID broadcasts enabled, anyone in your proximity can quickly scan the environment for other wireless networks, which can give you an idea of how much interference you have to expect when you set up a new access point. I think many wireless tools also show the channel number of those wireless networks (Windows unfortunately does not do so), which will help you to choose a less crowded channel even with a simple passive scan.

I think that, for disabling SSID broadcasts and for the wireless MAC address filter list, the disadvantages far outweigh the advantages. In particular, the disabled SSID broadcast can cause all kinds of problems, even if it may work well for many setups. And anyone who really wants to attack your network will find it anyway. If you have something to hide, disabling the SSID broadcast won't hide it from someone curious. But with WPA and a strong passphrase he won't succeed.