SSID cloaking is not enough protection

I recently had a conversation with another security professional about relying on SSID cloaking to protect wireless networks in SMBs (small and medium businesses).  In many cases, these businesses can’t afford the infrastructure and services or don’t have the technical know-how necessary to deploy strong protection like 802.1X.  Instead, they have to implement controls more reasonable and appropriate for their individual situations.  I don’t believe, however, that SSID cloaking by itself is enough protection.

By default, wireless access points (APs) broadcast a Service Set Identifier (SSID) so wireless client devices can easily locate them.  The problem is that not only can authorized users find them, but potential attackers or bandwidth thieves can also see a broadcast SSID in their lists of available wireless networks.  Cloaking involves configuring your APs not to broadcast your SSID.

A cloaked SSID is not visible to the average war driver or the business next door that would rather use your AP instead of buying its own.  However, a determined attacker can try to guess the SSID or use tools like Kismet to locate “invisible” APs.  In this type of situation, cloaking won’t help protect your network if you haven’t changed the AP’s default settings or if additional controls aren’t in place.

The process of securing wireless networks is the same as for any other information resource: apply layers of controls that support each other.  The following is a list of controls to consider:

  • Change default settings – APs purchased by home users or SMBs typically have default administrator passwords and SSIDs that are easily available on the Internet.  Be sure to set these values to something that only you know.  Like passwords, SSIDs shouldn’t be labeled with anything that can be easily guessed by an attacker.  Examples include the name of the business, spouse names, pet names, children’s names, etc.
  • Turn off SSID broadcasting – Configure client workstations to connect without users having to refer to a list of available wireless networks.
  • Encrypt broadcast data – Ensure the data moving between client devices and APs are encrypted. 
  • Reduce the range of the APs – The radial distance traversed by an AP’s RF signal can often be adjusted.  This helps prevent someone on the street from being able to communicate in any way with the wireless network.  For APs without signal strength adjustment capabilities, consider placing them closer to the center of the building away from outside walls, doors, and windows.
  • Consider turning off DHCP on the APs – This prevents an attacker from obtaining an IP address.  However, authorized client workstations might have to be configured with static IP addresses.  This may not be a reasonable approach for organizations with a significant number of wireless client devices.
  • MAC filtering – You can always configure your APs to allow connections only from a specific list of MAC addresses.  Like turning off DHCP, this approach can cause a significant increase in network management effort if there are more than a few wireless client devices involved.
  • Consider turning off the APs – If no one accesses the APs after hours or on weekends, consider shutting them off during those times.
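
As an added example (not from the original article), the script below audits an AP configuration against several of the controls listed above and shows how a cloaked AP still fails when cloaking is its only control. It assumes the AP is driven by a hostapd-style key=value file, which the article does not specify; the finding codes, the default-SSID list and both sample configurations are constructed for illustration.

```python
# Added example: audit a hostapd-style config against the article's checklist.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # constructed sample list

def parse_config(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(text, guessable_words=()):
    """Return finding codes (hypothetical names); an empty list means no gaps found."""
    cfg = parse_config(text)
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("default-ssid")            # vendor default left in place
    if any(w and w.lower() in ssid for w in guessable_words):
        findings.append("guessable-ssid")          # e.g. contains the business name
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast-on")       # SSID is not cloaked
    if cfg.get("wpa", "0") not in ("2", "3"):
        findings.append("no-wpa2-encryption")      # WPA2 (RSN) bit not set
    if cfg.get("macaddr_acl", "0") != "1":
        findings.append("no-mac-allowlist")        # no accept-list MAC filtering
    return findings

# Constructed sample: cloaking is the only control in place.
CLOAK_ONLY = """
ssid=linksys
ignore_broadcast_ssid=1
wpa=0
"""

# Constructed sample: cloaking layered with the other controls.
LAYERED = """
ssid=q7-harbor-29
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

if __name__ == "__main__":
    print("cloak only:", audit(CLOAK_ONLY))
    print("layered:   ", audit(LAYERED, guessable_words=["acme"]))
```

Range reduction, DHCP and after-hours shutdown are set outside this kind of file, so they are not checked here.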

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...