You're likely to get some bad wireless security advice from the guy at your local electronics superstore who sold you your router, because many of the commonly recommended wireless security tips floating around out there aren't actually all that useful and may even do more harm than good by lulling the end-user into a false sense of security.
Hiding the SSID
The SSID (Service Set Identifier) is an identification code (typically a simple name) broadcast by a wireless router. If a wireless device detects multiple SSIDs from multiple access points (APs), it will typically ask the end-user which one it should connect to. Telling a router not to broadcast its SSID may prevent basic wireless access software from displaying the network in question as a connection option, but it does nothing to actually secure the network. Any time a user connects to a router, the SSID is broadcast in plaintext, regardless of whether or not encryption is enabled. SSID information can also be picked up by anyone listening to the network in passive mode.
Changing the SSID
This is sometimes touted as a security measure. It isn't. Changing your access point's SSID will change the identification code the router is broadcasting, but it won't change anything else. It doesn't prevent the router from being detected, snooped, or hacked in any way.
Disable DHCP
Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.
Filtering MAC addresses
In theory, this sounds great. Every NIC has its own unique MAC address, and wireless access points can be configured to block all but a handful of specified NICs. The problem with filtering by MAC address, however, is that these addresses are easily faked and readily detected by anyone using appropriate monitoring software. In addition, this approach requires a great deal of overhead in corporate environments, and even for a large home network with multiple machines and gadgets (consoles, phones, and consumer electronics) it quickly becomes untenable.
Of the above bogus "security" measures, filtering MAC addresses is the only one with even a minimal level of value. MAC address filtering can keep obnoxious and non-tech-savvy neighbors from easily freeloading on your wireless network, but it won't do much else. To keep more determined intruders off of your network, you'll have to use encryption.
Hiding the SSID
The SSID (Service Set Identifier) is an identification code (typically a simple name) broadcast by a wireless router. If a wireless device detects multiple SSIDs from multiple access points (APs), it will typically ask the end-user which one it should connect to. Telling a router not to broadcast its SSID may prevent basic wireless access software from displaying the network in question as a connection option, but it does nothing to actually secure the network. Any time a user connects to a router, the SSID is broadcast in plaintext, regardless of whether or not encryption is enabled. SSID information can also be picked up by anyone listening to the network in passive mode.
Changing the SSID
This is sometimes touted as a security measure. It isn't. Changing your access point's SSID will change the identification code the router is broadcasting, but it won't change anything else. It doesn't prevent the router from being detected, snooped, or hacked in any way.
Disable DHCP
Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.
Filtering MAC addresses
In theory, this sounds great. Every NIC has its own unique MAC address, and wireless access points can be configured to block all but a handful of specified NICs. The problem with filtering by MAC address, however, is that these addresses are easily faked and readily detected by anyone using appropriate monitoring software. In addition, this approach requires a great deal of overhead in corporate environments, and even for a large home network with multiple machines and gadgets (consoles, phones, and consumer electronics) it quickly becomes untenable.
Of the above bogus "security" measures, filtering MAC addresses is the only one with even a minimal level of value. MAC address filtering can keep obnoxious and non-tech-savvy neighbors from easily freeloading on your wireless network, but it won't do much else. To keep more determined intruders off of your network, you'll have to use encryption.
Comments