This is going to be a long one. It comes from a debate I had on IRC a few days ago. I've heard this time and time again: to increase security, disable SSID broadcast. It's true, if you want to be absolute in your wifi network security, you should disable SSID broadcast. Now let me tell you why I don't.
I like things to work: Yes, in a nutshell this is my primary reason. I like it when I know my Wii can see my wifi network. I like it when my mother brings her iPod over and it works seamlessly. There is something to be said about technology doing what it was designed to do, making my life easier and improving the quality of it. I dislike having to stop what I am doing to troubleshoot a wifi connection; if the device can see the SSID, then I know the hardware is at least functioning somewhat properly. It saves time and effort, something geeks like to do.
How do I secure my wifi network? Simple steps will always work:
1. Change the default password on your router.
This should be the first thing you do. All it takes is determining the router type and someone can look up the factory username and password. Once they get into your router, find your connected IP, turn off your SPI firewall, and lock you out, well, it's game over. Seriously speaking, this keeps so much from happening. Usually you cannot change the default username, but make your password strong. Letters + Numbers + Capitals and for grins throw in a !@#$%& character or two. Make it more than 8 characters too.
2. Change the SSID broadcast name.
Do this as soon as you have changed the default password.
3. Set the radio encryption level to high.
It boils down to this: a wifi network still uses plain old-fashioned radio waves for communication (which is why you have channels on your router). Just like regular radio waves, they can be intercepted by anyone with the basic knowledge and equipment. Encryption of the radio signal is crucial! When you set the encryption of a router you are encrypting the radio transmission and reception, so the information floating (waving) through the air is encrypted. This protects against interception. The current standard for high encryption is WPA2; go as high as you can. This will not stop a determined person, but it will make it extremely difficult, which is the basics of security.
4. Use MAC Filters.
Here is where I depart from the "standard". Each and every device which connects to a network uses a media access control address (MAC). Most modern routers allow a person to set up a list of MACs which will be allowed on the network. If the MAC isn't on the list, it is not allowed on. Now here is the problem with MACs: they can be spoofed, easily spoofed. Here is the counterargument. Most will not take the time to try and discover the connected MACs; they will move on to another target. Spoofing a MAC requires someone to take the time and effort to capture radio traffic, find the correct MAC, and spoof it. Remember, if you have done the previous steps, this is just another roadblock in the way of an intruder. It is better to have it than to not have it. It should not be implemented on its own as a security plan; rather, it should be implemented as a part of a security methodology.
5. Check your logs/activity.
So many people do not take the time to review their router. I do mine about once a month, but I take security very seriously. At least check it every few months. There are ways to set routers to email you when certain activity happens. Do so! Just like you check your windows and door by looking at them, do the same for your network.
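A log review like step 5 can be scripted against the MAC list from step 4. The following is an added example, not code from the original post: it assumes the router exports dnsmasq-style DHCPACK lines (adjust the regex to your own router's format), and the sample log, MAC addresses, hostnames and the `review` function are all constructed for illustration.

```python
import re

# Constructed sample log (dnsmasq DHCPACK style); not real data.
SAMPLE_LOG = """\
Sep 15 21:04:11 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 00:11:22:33:44:01 wii
Sep 15 21:09:40 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.21 00:11:22:33:44:02 moms-ipod
Sep 15 23:00:02 router kernel: eth0: link up
Sep 16 02:13:05 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.37 00:11:22:33:44:99 unknown-laptop
Sep 16 02:40:52 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 00:11:22:33:44:01 laptop-x
"""

# The same list you entered in the router's MAC filter: MAC -> expected hostname.
ALLOWED = {
    "00:11:22:33:44:01": "wii",
    "00:11:22:33:44:02": "moms-ipod",
}

ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*DHCPACK\(\S+\) (?P<ip>\S+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?",
    re.I,
)

def review(log_text, allowed):
    """Return (kind, timestamp, mac, hostname) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ACK.match(line)
        if not m:
            continue  # not a lease line
        mac, host = m["mac"].lower(), m["host"] or ""
        if mac not in allowed:
            # A lease went to a device that is not on the MAC list.
            findings.append(("unknown-mac", m["ts"], mac, host))
        elif host and host != allowed[mac]:
            # An allowed MAC announcing a different hostname: since MACs can
            # be spoofed, this is the case the filter alone would not catch.
            findings.append(("hostname-change", m["ts"], mac, host))
    return findings

if __name__ == "__main__":
    for kind, ts, mac, host in review(SAMPLE_LOG, ALLOWED):
        print(f"{ts}  {kind:16} {mac}  {host}")
```

A hostname change is only a hint, since devices get renamed, but it is cheap to check during the monthly review.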
Wednesday, September 15, 2010
Thursday, June 03, 2010
Wardriving (whitehat of course)

Wednesday night, I thought I would kill two birds so to speak. I needed to pick up my lovely wife from the airport and at the same time, complete an assignment for my networking class regarding wardriving. Let me preface this by stating I know the difference between scanning for a network and connecting to it. I have done this many times in the past and I am not about to break the law now. So I fire up Vistumbler on my laptop, jump in my nifty car and drive 26.1 miles to DFW International Airport. The results were more than interesting.
I found what I expected getting out of my neighborhood, lots of unsecured open wireless networks. On the drive to the highway I found plenty of businesses which would offer WiFi to their customers: McDonald's, Starbucks, Hyatt, even a KFC. Then I get some more than interesting hits: Bank of America, Wells Fargo, a local doctor's office. These were just a few of the businesses which I would think would at least encrypt their network. Leaving it open for access is one thing, it makes it easy for customers to connect, but traffic encryption should be a no quarter point of interest.
Having spent lots of time as a network and system admin, I would find it very unnerving to have an open and unsecured WiFi network for a doctor's office, bank, or any retail operation which accepts credit cards (and stores them locally). I understand that many businesses simply offer internet service to their customers, the local coffee shop for example. I have personally seen local businesses though, connect their POS system to their WiFi network. Here is where things can get tricky.
Here are some reasons why. For all those doctor's offices out there, HIPAA is no laughing matter. If the network inadvertently transmits HIPAA-related patient information on an unsecured network and that transmission is intercepted...well, good night Sally. This is a major issue. For businesses which accept credit cards, you must follow PCI-DSS standards for card data security set by VISA, MasterCard, Discover, and American Express (the PCI council). The fines you could receive for a breach could literally put the business down for the count.
Do not take WiFi security lightly. Set up encryption and use it; access points and wireless routers have it built in for a reason. Set up authentication when you can; again, these access points come with this ability out of the box. For you data paranoid types (like me), use good encryption and authentication with an IDS set up on the inside of the network. None of this may stop a determined intruder, but it can slow them down and make them move on to a more viable target, which is what security is all about.