Bad wireless security
Some myths about wireless security never die. The short-list of these includes the benefits from things like MAC filtering, using static IP addresses and hiding SSIDs. The perception is that using techniques like these actually adds some security to a wireless network. They don't, and there are even good reasons not to use them. Despite this, they're presented as "best practices" in a distressingly-large number of places.
Suppose that a hacker is going to try to hack your wireless network. The first thing that they'll do is run a wireless sniffer like Kismet against it. This will find all of those IP addresses and SSIDs very quickly. Spoofing MAC addresses is only slightly more difficult because you have to download a second utility like SMAC to do it.
Running these programs is probably the very first thing that a hacker will do because they tell you so much useful information about a network. So by spending the time and money to configure and support these techniques, you've slowed down the hacker by a total of roughly zero seconds. This means that these techniques don't provide another layer of security - they provide absolutely no security at all. On the other hand, they do have costs in terms of the time and effort required by your wireless network administrator to configure and maintain them. What the ROI for that investment?
Real wireless security gives you real protection and is what you should be using. Don't be fooled into thinking that you're getting any security at all from some of the easier techniques.
Interesting post, though I have to completely disagree. Saying that methods such as MAC filtering & SSID hiding "provide absolutely no security at all" is false. It's true they don't provide total security alone, but they are parts of a whole. Even security through obscurity is more secure than doing nothing. These methods are best practices for a reason, and when used in combination with other best practices such as implementing WPA2 security, a reasonable level of security can be obtained. While there are circumstances that would not be ideal for some of these methods, such as large corporate environments, smaller businesses and home users would be foolish to not implement them.
These sorts of discussions are definitely good to have in order to highlight weaknesses in security. I would be interested in you expanding your thoughts on what constitutes real wireless security.
Posted by: Clay | Wednesday, 25 March 2009 at 08:46 AM