Thursday, March 29, 2007

Stupid wireless security advice

George Ou repeats his comments about dumb wireless security advice. Unfortunately I have to disagree: much of this advice isn't stupid. It just needs to be taken in context.

While he's right that WPA-PSK is the most fundamental part of securing your network, not everybody uses strong passwords. What's more, many old units don't support WPA or turn off encryption to get a performance boost. It doesn't help that many wireless routers don't come with WPA enabled.

MAC Filtering
We tend to do this because it does add another layer of security. If the customer turns off encryption (and the buggers do) they are still protected from the next door neighbour. I would agree that administering a large network with MAC filtering would be a pain, but most of our customers only have a handful of wireless devices.

SSID hiding
I'll agree with George here, SSID hiding is pointless as most wireless software will still show the network, albeit without a name. To make matters worse, many devices won't work properly without the SSID. We find Netgear equipment loathes hidden SSIDs.

LEAP authentication
I don't know much about LEAP, we've never had to deal with this. So I'll have to defer to George's superior knowledge.

Disable DHCP
Like MAC filtering, this would be a pain if you had a large network. In smaller networks, it's a pain if you have laptop users moving to different locations. Generally we recommend restricting DHCP ranges and reserving the IP addresses within that range to specific machines.

Antenna placement
This one we don't often do because usually we're just thankful we can get a signal and we're loath to play with the bugger. Restricting leakage makes sense to me though. Why put out more signal than you need?

George misses a number of points. Firstly, the biggest problem with wireless networks is casual hitchhikers. All of these aspects stop them.

He also assumes WPA is near impossible to crack. While this might be so, it's still possible for a determined hacker or intruder to find the password using other means. What's worse, disaffected employees or disposed-of laptops might still have the keys saved.

His example of the doorman illustrates George's view: sure, a doorman ticking off names won't stop a Frank Abagnale, Kevin Mitnick or George Ou getting in, but it will stop 99% of the potential gatecrashers. What's more, ticking off lists might alert management to the presence of gatecrashers.

What we have to accept is that wireless networks are not as secure as wired networks. Wireless networks are convenient but that convenience comes at a cost.
