Wireless Access

Reply

[Technote]Hide SSID it is really worth it?

A whie ago i saw a good article on microsoft blog which does refer to this

 

Many of us does think that by hidding the SSID its a security feature when its not.   The SSID was not designed to be hidden, so it wont provide you security.

 

We all know that finding a SSID is an easy task.   You can always use Network stumbler, or other tools like this, and you will find it

 

When you hide your SSID and you click in here

hidessid.JPG

 

Connect even if the network is not broadcasting  and it tells you warning you can put your privacy at risk and thats exactly what happens

So what will happen is that your laptop or iphone or whatever device will try to keep connecting even if he cannot see the SSID, so let say you are at a coffe shop, someone with the tools can figure out you are trying to connect to test SSID even if the test ssid is on your  work place.

 

Wireless security consists of two main elements: authentication and encryption. Authentication controls access to the network and encryption ensures that malicious users cannot determine the contents of wireless data frames. Although having users manually configure the SSID of a wireless network in order to connect to it creates the illusion of providing an additional layer of security, it does not substitute for either authentication or encryption.

A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.

Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks. When non-broadcast networks are used to hide a vulnerable wireless network—such as one that uses open authentication and Wired Equivalent Privacy—a Windows XP or Windows Server 2003-based wireless client can inadvertently aid malicious users, who can detect the wireless network SSID from the wireless client that is attempting to connect. Software that can be downloaded for free from the Internet leverages these information disclosures and targets non-broadcast networks.

 So at the end i dont think its a good idea to hide the SSID anymore after reading those articles.

 

Here are the sources

 

http://technet.microsoft.com/en-us/library/bb726942.aspx#EDAA

 

http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

 

Any thoughs on this are welcome.

 

Cheers

Carlos

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP

Re: [Technote]Hide SSID it is really worth it?

You're exactly right for mobile devices in the sense of "travel all over the place"

 

In our stores and warehouses we have devices which travel all over the building, but not to the local coffee shop or Airports etc.

 

If no device in our store is on the air, and we aren't broadcasting the SSID, then there's no SSID in the air for a badguy to collect and use for nefarious purposes.

 

We don't expect the devices to leave the location, so they aren't broadcasting and open to compromise due to the announcement of the SSID they're looking for, and the SSID in our locations are only in the air for a few hours while we're using them, and not for the rest of the day.

 

Not that the APs still beacon, just not with our SSID, so BadGuy still knows that there's a wireless signal in the area, just not what to call it until one our our devices is turned on.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: [Technote]Hide SSID it is really worth it?

Thanks for your input Matthew

 

i did  write this article because we have many clients in which their security deparment as requirement ask us to hide  the SSID as if it were  a security mesuare but is not.(Many of their laptops go outside the company)  

What some of them need to actually do to help with the security is getting a PKI infraestructure and upgrade the authentication to EAP TLS.   

 

As i explained in previews post with the hide ssid they are even doing otherwise and  might be creating vulnerabilities instead of getting rid of them, which is my point.    

 

It was really interesting to me when i did read this for first time, just make me realize how little i know  about wifi :) 

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP

Re: [Technote]Hide SSID it is really worth it?

It's mostly a confusion of what risk you wish to mitigate.

 

A (Windows) host will beacon to the world the SSID it last used when it first comes up, and also any "hidden" networks it might want to use. This doesn't directly compromise anything, but it helps BadGuy enumerate your network.

 

It also tells BadGuy what SSID to present if he wants to attempt to compromise your host - in or out of your environment (but of course you'll use RAPIDS to keep it from working in your airspace)

 

The only security it provides is to make it harder for BadGuy to enumberate your WLAN while it's not in use. These days that's not much of a security posture.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: [Technote]Hide SSID it is really worth it?

All true Matthew!

 

The thing is that i have been asked soo many times to hide the SSID as a security measure   instead of thinking in using something like EAP TLS which is something that will actually give them security.

Sadly if i think most of clients would use something like WPA2 psk even if you tell them: that  is a home networking authentication method, and is not an enterprise grade authentication.

 

Cheers

Carlos

 

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: