WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: wifi.tcz security concerns...  (Read 11843 times)

Offline coreplayer2

  • Hero Member
  • *****
  • Posts: 3020
Re: wifi.tcz security concerns...
« Reply #15 on: January 27, 2015, 06:40:32 PM »
nitram  I hope you find this myth debunking article interesting.. 

Hiding your SSID serves no useful purpose. As seen in this thread it only makes the task of connecting more difficult for the legitimate user.  with almost any wifi tool a hidden SSID is always instantly discoverable,  see here
http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/

I'd go so far as to say there is no such thing as a totally secure WiFi,  I think WiFi security falls into two categories,  the easy to access and the more difficult to access.  Ideally we want our WiFi networks to fall into the more difficult category such as with WPA2 + a strong pass-phrase.  No other feature is going to help here.

enjoy..

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 764
Re: wifi.tcz security concerns...
« Reply #16 on: January 28, 2015, 01:50:19 AM »
I have to second with coreplayer2.

Imagine a limo driver at the airport holding a sign with your name on it.  This is SSID-Broadcast.  Take away the broadcast and you have a limo driver (he stands out in his penguin suit) and he's holding a sign...  it's just being held down so you can't see the words on it.  For those out there who are curious, they look to "find" ways to read it.

Your router, access point(s), etc. all communicate on a set number of channels within a set bandwidth (ghz) so it's somewhat easy to tell if there's a limo driver within range just by "listening."  Once you've filtered out all of the communication noise from "known" drivers, all that's left is yours.  If you're using the router while it's being scanned, it makes it that much easier to track down, localize and in many cases, just by "listening" you can determine the channel(s), and if you nab the packets you might even be able to grab the router's identifier (similar to a MAC address.)

I've tried planting decoy routers (broadcasting) to help mask our hidden ones...  nada.  I've tried implementing decoys which were not broadcasting, but just trying to send junk to a non-existent set of machines or to one-another...  they get picked on more than my broadcasting decoys.

The only solid plan we came up with was to dual-firewall and dual-router.

Router #1 is the WAN.  One LAN port on Router #1 connects to one LAN port on Router 2.
Both routers have the ability of IP banning.

On the firewall side, we have a set of baby-sitter scripts for if/when someone breaches a router.  The first thing someone wants to do is scan the network, so we have decoy ports/daemons open who are waiting for connections.  As soon as someone attempts to connect to port X on one of the baby-sitters, the IP is sent to the routers and access is dropped.  (Inside the network and out.)  Mind you, these are Cisco servers which have been revamped to serve this purpose, both having dual GBe network interfaces and wireless cards which support access points.  The "WAN" is an old Cisco router (3600 series, I think) which guards the front door.
     With all that in play, we have drive-by idiots still hitting the front (WAN) and back (WiFi) doors every day.  In my opinion, this is the best wireless protection (and still probably not bullet-proof) but I don't know of any retail side wireless routers which consider those problems, let alone have the ability to ban folks in this fashion.

I haven't tried it yet, but TC might help make this a feasible option!!  Gigabit (GBe) network cards are quite cheap these days.  An old motherboard suited with a pair of network cards (or a dual card like we use here) and a wireless card (with AP mode) could easily replace a physical router, you launch IPtables (mangle) to create a router/forwarder/NAT and add DHCP/DNS (dnsmasq) and you're literally in control of what you're protecting without the weight of a main-stream OS.  Fast...  Small (software)...  Versatile...  even on an older 5x86 machine.

My main workstations don't require firewall software running thanks to this setup (if someone were accessing through the LAN...  they're already inside...  and if they already know the decoy concept, odds are they don't work here anymore! :) )

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: wifi.tcz security concerns...
« Reply #17 on: January 29, 2015, 01:50:27 PM »
Thanks for the feedback coreplayer2 and centralware. The article and article comments were informative. You two are way ahead of the curve with wireless security. There's still a part of me that prefers my wireless to remain hidden. My vehicle has a good alarm and anti-theft system but i still prefer to park it out of sight in the garage.

The linked article comments have valid arguments for and against. These comments summarize my thoughts on this:
Quote
The fact that someone has to be running specific software within a broadcast range of a client in order to even know that said WiFi exists is a bonus security feature for me. I don't mind a few extra steps when I only have to set it up once. I know it's not literally more secure, however it is relatively more secure.

Quote
Guys, hiding your SSID just isn't worth it so the article is quite correct. No bull here. It's as useful as hiding a Sherman tank with a napkin. You are just making life more difficult. People just love doing outdated stuff just cos it makes them feel more 'Tech'.

...and response:
No, it's like hiding a Sherman tank with a cloaking device. You will have to install an infrared scope and search in the right area to realize it exists.

Questions i plan to google, unless someone knows off-hand. Can a hidden wireless signal be sniffed if the wireless router is turned on but all wireless devices are powered off? What about if the router and laptop are both turned on but no data is actively being sent back/forth? My router stats typically show 99% inactive, probably typical for home users that minimize streaming and large downloads.

Closing in on tinfoil hat territory. Hidden or not, i take more precautions than most and probably don't have much to worry about:
- WPA2 security
- strong password
- periodically change password
- confirm SSID connection
- disable network manager auto-connect features
- turn off computers when not in use (no 24/7 type systems)
- turn off router at night and when leaving the house

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 764
Re: wifi.tcz security concerns...
« Reply #18 on: January 29, 2015, 07:30:50 PM »
Router on + wifi devices off -- generally speaking, the broadcast would have been the only real activity.  As long as your router isn't set up with WDS, there shouldn't be enough of anything to focus in on to sniff the router, so the only other way to detect the router would be with a wireless hardware scanner (A physical device which scans the 2.xGhz range looking for devices with antennas - there may not be any bandwidth traffic to sniff, but it WILL show an active radio device.  I imagine with some decent amount of work a computer could be made to do the same job, but that's likely a lot of work.)

Router on + device on, but no "user use" -- Based on the operating system validating its connection every so often AND based on key expiration, there is still going to be use even when not in Network use between the two devices.  You can set the device's wireless power savings to maximum to reduce the validation, and set your key expiration to a high value, but this doesn't mute it - only reduces its frequency.  Reducing validation should be done when screen savers (idle) are launched, otherwise it'll also likely interfere with your active use.  Note also your DEVICES themselves are also "detectable" as their radios are also turned on.

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: wifi.tcz security concerns...
« Reply #19 on: January 29, 2015, 11:07:25 PM »
Enlightening -thanks very much for sharing that knowledge centralware.