Wireless security question

Discussion in 'A+' started by soundian, Jan 15, 2009.

  1. soundian

    soundian Gigabyte Poster

    Meyers states (p.969) that "Configuring a unique SSID name is the very least you should do to secure a wireless network."
    Am I missing something or is that like me changing the PIN number for my bank card and then placing the new PIN number, in 20 foot high neon letters, in my front garden?
     
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  2. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    I just skimmed over that page. I think what Mike is getting at here is "widely available online". Meaning, if someone hasn't bothered to give the AP a unique name, the chances are the credentials are as they left the factory also.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  3. Qs

    Qs Semi-Honorary Member Gold Member

    Yep, Boyce is correct.

    Standard wireless setups may leave the name of the connection as the connection's pass-phrase which is pretty damn stupid, but there you go.

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  4. Gingerdave

    Gingerdave Megabyte Poster

    Not quite, it's the difference between calling it Dlink 7283d and Soundian. Unless someone knows you personally you have taken away a piece of information regarding your network; they still know there is a wireless network there but you are making them work for the make and model of the router.

    Edit: I open a couple of tabs, take a call or two and there are already replies. Must type faster - bad dave
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  5. soundian

    soundian Gigabyte Poster

    But if you haven't disabled SSID broadcast as well, aren't you just handing out the new SSID on a plate?
     
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  6. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Meyers is right - changing the SSID is the VERY LEAST you should do. Naming your network something OTHER than your name is a BETTER step to helping secure your network.

    Boyce is right in the logic: if your SSID is unchanged, h4x0rz are going to reason that you've left the default values (password, IP ranges, etc.) as well. If you've changed the SSID, then h4x0rz are going to reason that, since you know how to change the SSID from the default, you're not a total n00b, and you're more likely to have changed the default values.

    Remember, you don't have to outrun the lion... you only have to outrun the people around you.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Yes... but pay close attention to the wording: "...very least you should do".
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. r.h.lee

    r.h.lee Gigabyte Poster

    soundian,

    By default, the 802.11 standard will permit ANY wireless client to associate with a wireless access point as long as they are communicating on the same frequency (2.4 GHz or 5 GHz) without authentication. By assigning an SSID to the wireless access point, you make the wireless access point relatively "more secure" because the wireless client must attempt to authenticate with the wireless access point using the assigned SSID. Yes, there are other methods to make the wireless network more secure than assigning an SSID but relative to the basic "no authentication" allowance in the 802.11 standard, assigning an SSID is more secure.

    As far as your bank card and PIN analogy, that's not correct. In order for your analogy to work, the base situation is that your bank card does NOT have a PIN associated with it so that anyone with your bank card can withdraw funds from your account as they please. The usage of an SSID is like establishing a PIN on your bank card so only those who know your PIN can withdraw funds from your account.

    Did this post help?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  9. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Eh? SSID != authentication. It requires no more configuration to connect to a wireless router with an SSID of Panera than it does to connect to a wireless router with a default SSID of Linksys.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. r.h.lee

    r.h.lee Gigabyte Poster

    BosonMichael,

    You're assuming the wireless access point is beaconing the SSID. Without wireless access point SSID beaconing, the SSID must be distributed to authorized users on a "pre-shared key" basis. Yes, I know there are wireless sniffer tools available to steal SSIDs for wireless access points but that's beyond the scope of the OP. Go review the wireless association process before you claim "...SSID != authentication..."
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  11. Evilwheato

    Evilwheato Kilobyte Poster

    From what I get from it - changing the default SSID is the very least you can do, since this can give potential attackers an additional piece of information about your network. However, on top of this, you can choose NOT to broadcast your SSID, change the default admin password, enable MAC filtering etc.
     
  12. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Basically Meyers is saying that changing the SSID is the least you can do, so he is assuming that you will change that as well as the other settings like passwords etc.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  13. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Yes, I am assuming the wireless access point is beaconing the SSID. Again, read the statement carefully: "Configuring a unique SSID name is the very least you should do to secure a wireless network." The very least. Meaning, you haven't done ANYTHING else. Nothing. Not MAC filtering, not disabling SSID beaconing, not anything.

    Go review a reading comprehension course before you tell me to go review ANYTHING... this isn't the first time you've misunderstood something that was said, and this certainly won't be the last. :rolleyes:
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  14. soundian

    soundian Gigabyte Poster

    Maybe I should've made it clearer.
    Default settings, straight out of the box:
    SSID=default
    SSID broadcast=yes
    encryption=no
    MAC filtering=no

    So, if I only change the SSID ("the very least that you should do") I can't see how that makes my network any more secure.



    BosonMichael, if that particular lion has a taste for soundian meat it doesn't matter how fast the people around me are running.
     
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  15. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    As already said, if someone tries to connect to your network and it is broadcasting as NETGEAR a quick Google will get you default username and password for the router. That means someone can be on your wireless network and in the config page of your router - bad news!
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  16. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Also, looking at the entire page of 969, there is an "Exam Tip" which perhaps should replace the line in question here.

    Exam Tip - Changing the default SSID for the WAP is the first step in setting up a new wireless network.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  17. soundian

    soundian Gigabyte Poster

    I didn't realise you could access the config page with a wireless connection. None of the wireless devices I've used allow that, and it's such a bloody stupid idea I didn't think any would.
     
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  18. Gingerdave

    Gingerdave Megabyte Poster

    Some do, but only after the first setup.
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  19. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Some do provide the facility to do so, although as you say: a potential security hole and best avoided.

    Simon
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  20. zebulebu

    zebulebu Terabyte Poster

    Whoa - why is it any more of a security risk for the router's admin page to be visible to wireless after it's been secured and configured? Provided you haven't enabled remote management via the admin page (i.e. from teh internetz) then anyone who manages to access it already HAS the keys to the kingdom - as they'd be doing so from inside your LAN!

    Provided you've secured the router properly, with WPA2-PSK with a spiteful passphrase, you have nothing to worry about for the foreseeable future. Of course, if you went ahead and enabled remote access to your router's admin page, then you'd be a twonk.
     
    Certifications: A few
    WIP: None - f*** 'em
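
Added example, not part of any post in this thread: a small audit of an access point's own settings that scores the out-of-the-box configuration from post 14, the same configuration with only the SSID changed, and a configuration secured along the lines of post 20. The dictionary keys, the severity labels and the short factory-SSID pattern are assumptions made for illustration.

```python
import re

# SSIDs named in the thread as factory-looking; this short pattern is an
# assumption for illustration, not a catalogue of vendor defaults.
FACTORY_SSID = re.compile(r"^(default|linksys|netgear|d-?link)", re.I)

def audit_ap(cfg):
    """Return a list of (severity, finding) tuples for an AP config dict."""
    ssid = cfg.get("ssid", "")
    enc = str(cfg.get("encryption", "no")).lower()
    psk = cfg.get("passphrase", "")
    findings = []
    if enc in ("no", "none", "open"):
        findings.append(("critical", "no encryption: knowing the SSID is all a client needs"))
    elif ssid and ssid.lower() in psk.lower():
        findings.append(("high", "passphrase is derived from the SSID"))
    if not cfg.get("admin_password_changed", False):
        findings.append(("high", "router admin password still at factory value"))
    if cfg.get("remote_admin", False):
        findings.append(("high", "admin page reachable from the internet"))
    if FACTORY_SSID.match(ssid):
        findings.append(("low", "SSID advertises make/model and suggests other defaults are unchanged"))
    return findings

def severities(cfg):
    """Severity labels only, in the order the checks ran."""
    return [sev for sev, _ in audit_ap(cfg)]

# Constructed configs. ssid_broadcast and mac_filtering are carried over from
# the settings list in post 14 but are not scored by this audit.
OUT_OF_BOX = {"ssid": "default", "ssid_broadcast": True, "encryption": "no",
              "mac_filtering": False, "admin_password_changed": False,
              "remote_admin": False}
SSID_ONLY = {**OUT_OF_BOX, "ssid": "soundian"}
HARDENED = {**SSID_ONLY, "encryption": "WPA2-PSK",
            "passphrase": "constructed-example-passphrase-7Qx!",
            "admin_password_changed": True}

if __name__ == "__main__":
    for name, cfg in [("out of box", OUT_OF_BOX),
                      ("SSID changed only", SSID_ONLY),
                      ("hardened", HARDENED)]:
        print(f"{name}:")
        for sev, text in audit_ap(cfg) or [("ok", "no findings")]:
            print(f"  [{sev}] {text}")
```

Renaming the SSID clears only the low-severity finding; the critical and high findings are cleared by the encryption and admin-password changes.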
