I have to second with coreplayer2.
Imagine a limo driver at the airport holding a sign with your name on it. This is SSID-Broadcast. Take away the broadcast and you have a limo driver (he stands out in his penguin suit) and he's holding a sign... it's just being held down so you can't see the words on it. For those out there who are curious, they look to "find" ways to read it.
Your router, access point(s), etc. all communicate on a set number of channels within a set bandwidth (ghz) so it's somewhat easy to tell if there's a limo driver within range just by "listening." Once you've filtered out all of the communication noise from "known" drivers, all that's left is yours. If you're
using the router while it's being scanned, it makes it that much easier to track down, localize and in many cases, just by "listening" you can determine the channel(s), and if you nab the packets you might even be able to grab the router's identifier (similar to a MAC address.)
I've tried planting decoy routers (broadcasting) to help mask our hidden ones... nada. I've tried implementing decoys which were not broadcasting, but just trying to send junk to a non-existent set of machines or to one-another... they get picked on more than my broadcasting decoys.
The only solid plan we came up with was to dual-firewall and dual-router.
Router #1 is the WAN. One LAN port on Router #1 connects to one LAN port on Router 2.
Both routers have the ability of IP banning.
On the firewall side, we have a set of baby-sitter scripts for if/when someone breaches a router. The first thing someone wants to do is scan the network, so we have decoy ports/daemons open who are waiting for connections. As soon as someone attempts to connect to port X on one of the baby-sitters, the IP is sent to the routers and access is dropped. (Inside the network and out.) Mind you, these are Cisco servers which have been revamped to serve this purpose, both having dual GBe network interfaces and wireless cards which support access points. The "WAN" is an old Cisco router (3600 series, I think) which guards the front door.
With all that in play, we have drive-by idiots still hitting the front (WAN) and back (WiFi) doors every day. In my opinion, this is the best wireless protection (and still probably not bullet-proof) but I don't know of any retail side wireless routers which consider those problems, let alone have the ability to ban folks in this fashion.
I haven't tried it yet, but TC might help make this a feasible option!! Gigabit (GBe) network cards are quite cheap these days. An old motherboard suited with a pair of network cards (or a dual card like we use here) and a wireless card (with AP mode) could easily replace a physical router, you launch IPtables (mangle) to create a router/forwarder/NAT and add DHCP/DNS (dnsmasq) and you're literally in control of what you're protecting without the weight of a main-stream OS. Fast... Small (software)... Versatile... even on an older 5x86 machine.
My main workstations don't require firewall software running thanks to this setup (if someone were accessing through the LAN... they're already inside... and if they already know the decoy concept, odds are they don't work here anymore!
)
Welcome
FAQ
Downloads
Wiki
