Hide Your SSID? - Comments Page 1

New routers may include WPA2 which is even better than WPA. I've also heard that changing the channel to 5 or 11 may reduce the area interference, particularly if neighbors are using the default channel (usually 6). This does not improve security but can improve speed.

One important thing you might want to add is that the SSID should not be something that will make it easier for someone to figure out which house / apartment your network is from. In other words, use something easy to remember but not personally identifiable. Don't use your address!

And changing the default admin username and password is of the utmost importance, I actually locked one of my buddies out of his network because he did not. I only did it to show him he should have changed it, but what if it had not been me?

Whilst all the information you provided with reference to wireless connection security is good and valid, you failed to mention the 'MAC' address code which all wireless cards possess. You can set up the router to only accept a connection from other wireless linked computers, by defining the MAC address of the wireless card or cards, in the router's set-up procedure.
MAC addresses are unique to each wireless networking card and it is 'burned' into ROM during manufacture. This applies to either a separate card, or the networking hardware built-in to a laptop. The MAC address is normally a 48 bit code, which provides over 280 Trillion possible MAC addresses.
This being the case, it will make hacking in to a system very difficult, if not impossible, since only a wireless card, or cards, bearing a MAC address or addresses, which have been defined in the router set-up, will be able to establish a connection to the router.
The set-up procedure is very simple and the MAC address for each card is identified on the card, in the format xx:xx:xx:xx:xx:xx:xx:xx where 'x' is a hexadecimal digit.

EDITOR'S NOTE: It may not be a big deal for you to open a PC or laptop, find the network adapter, and copy down a long string of numbers and letters. But trust me... this is WAY beyond the comfort level of most computer users!

There is a fourth important step in securing a home wireless network. Most wireless routers support the enforcement of an Ethernet Media Access Control (MAC) Access Control List (ACL). Every ethernet device is assigned a unique MAC address by the manufacturer. It is usually printed somewhere on the outside of the device and it can also be determined by using the Windows command: ipconfig /all

When a MAC ACL is enforced in the router, only MAC addresses that have been added to the ACL can connect. A connection request by any device with a "foreign" MAC is denied. Admittedly, this fourth security step can be overcome by a sophisticated and determined hacker, but it is one more important layer of defense for the network owner.

I think Bob has forgotten that there's an easier way to view your network card's MAC - use "ipconfig /all" on Windows, and similar commands on other OSs. Restricting your WiFi network to known MACs is an excellent idea, IMO, and is definitely worth the trouble.

EDITOR'S NOTE: So noted!

Bob, I used this and the related article to improve the security of my wireless network. In so doing I had to contact my ISP since I had no router owner's manual. That was a learning experience! I ended up with 128 bit encryption. In the course of learning, I encountered the following message: "TKIP requires either 64 hexadecimal characters or an ASCII "pass phrase" between 8 and 63 alphanumeric characters". Please explain TKIP and compare that to 128 bit encryption. Is that something I can invoke on my own or is it dependent on hardware or software? [My ISP supports WEP-ONLY (not WPA).] Also, where can I find a list of ASCII characters to develop a "pass phrase", which I take to mean just a long password.

EDITOR'S NOTE: TKIP (Temporal Key Integrity Protocol) is a security protocol designed to replace the the older WEP standard, without the need to replace router hardware. In other words, it's better than WEP, not as good as WPA, but it's the best you can do on an older router whose hardware does not support WPA. ASCII characters are just plain text (A-Z and 0-9, with a few other special characters) so yes -- it's computerese for "long password phrase".

Sir, Is there any command to find the SSID of the Wireless network.

EDITOR'S NOTE: You can login to the router with your browser to see the SSID.

I have a PalmOne hand-held gadget, and I don't know the equivalent of the IPCONFIG command to find it's MAC address -- but there was an easy workaround. I set my wireless router to allow "anyone" to log on provided they know my (hidden) SSID and WPA passphrase. I logged on with the PalmOne, then used the browser on my PC to connect to the router and view the list of current connections, and it gave me the MAC address of my PalmOne. After adding that MAC address to the list, I reset the router to only accept connections from that list.

I agro with your analysis of hiding your SSID. I would like to make it clear that using the MAC ACL to deny access is about equally as fruitless as hiding your SSID. Cloning a MAC address is very simple in linux/unix. You take down your interface, issue a command to change it (dont recall off hand) and bring the interface back up. In Windows you can download a program that will change your MAC address for you. By using MAC ACLs, you should inform your user that they may lock themselves out if they type the MAC incorrect or have to change their network card for any reason. WEP can be broken in a matter of minutes. My suggestion as far as encryption goes is to not use WEP. Instead use WPA or WPA2. Additionally, if you have the option use AES instead of TKIP. AES is a NSA approved method for encrypting classified information so I think it is good enough for a wireless connection. Also, in some routers there is an option to make your wired network invisible to connections made through the wireless portion of the router. This can help to keep a less skilled hacker from getting to your wired computers once they have broke into your wireless network. The only method known for breaking WPA last I heard is to bruteforce the key. Therefor when you chose a WPA key, make it as random as you can and use all available keys to include special keys, and make it as long as possible as per the capability of your hardware.

In your instructions, you direct the reader to connect to the wireless device as the administrator using unencrypted HTTP. As you note, that is likely the default configuration (as well as username and password for Linksys products.) (Finding other administrator default usernames and passwords can be found on the various manufacturer websites, in the product manuals.)

If the user connects via wireless using HTTP and the admin password, then anyone else using that wireless connection could sniff the password from the air. Again, this is not something a casual hitchhiker would do, it takes knowledge and software. But if a malicious hitchhiker is already connected and watching for passwords, then you have defeated the entire purpose of making the network more secure! That malicious person can use the password to gain access to learn the encryption password, etc.

If the HTTPS is not available by default over the wireless for admin purposes, another possible idea is to connect only via a cable. It then depends on if the access point segments the traffic enough that it cannot be sniffed.

Tough chicken-and-egg situation, I wish manufacturers made HTTPS the default or only way to connect to their unit's web admin UI.