Yesterday I talked about the myth of the "software firewall" and how the term "software firewall" is misused to communicate what is actually known as a host-based firewall. The term "software firewall" is a network newbie term, and relates to misconceptions and lack of understand of how things work. Of course, if you're a reader of this security blog, you now know the that all firewalls run on software and that they are correctly categorized as network and host-based firewalls.
That discussion made me think of another common network newbie error -- again an error made because popular radio and print "computer writers" advocate it -- disabling SSID broadcasting for wireless access points.
Did you know that turning off SSID broadcasting is actually in violation of the design specifications for IEEE 802.11? That's right. You're actually breaking the rules of the 802.11abgn protocols when you turn it off.
OK, suppose you don't care if you're breaking the rules of the protocol. The fact is that that you're not really protecting yourself by disabling SSID broadcasting. The reason for this is, even though you may enable encryption on your wireless connections to the WAP, there are still unencrypted frames transmitted that include the WAP's SSID. Any half-talented hacker can install a network sniffer that can read these encrypted frames and find out the SSID of your WAP.
Along the same lines, forget about MAC address control. It never ceases to amazing me how often people advocate MAC address control, whether it's for firewall access or WAP access. It's very easy to change the MAC address of a computer. And the same hacker with the sniffer that finds out the SSID of your WAP will also be able to find out the MAC addresses of the machines that are connecting to your WAP.
Whether its a WAP or a Firewall, the only way to secure access is to use authentication and a strong encryption protocol. That's where WPA2 comes in. Windows XP, Windows Vista, Windows 2003 and Windows 2008 allow support WPA2. You can use WPAv2 with a long pre-shared key (WPA2-PSK) or you can use certificate authentication if you have a RADIUS server in place.
For a very nice discussion of these issues, check out http://technet.microsoft.com/en-us/library/bb726942.aspx
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)