SSID Broadcasts (16.1.4)–Cisco Configure Network and Device Security


One easy way to gain entry to a wireless network is through the network name, or Service Set Identifier (SSID). All computers connecting to the wireless network must be configured with or connect to the appropriate SSID. By default, wireless routers and access points broadcast SSIDs to all computers within the wireless range. With the SSID broadcast activated, any wireless client can detect the network and connect to it, if no other security features are in place.

The SSID broadcast feature can be turned off, as shown in Figure 16-7. When it is turned off, the fact that the network is there is no longer made public. Any computer trying to connect to the network must already know the SSID. Turning off the SSID broadcast alone does not protect the wireless network from experienced threat actors. The SSID can be determined by capturing and analyzing the wireless packets that are exchanged between the clients and the access point. Even with SSID broadcasting disabled, it is possible for someone to get into your network using the well-known default SSID. Additionally, if other default settings such as passwords and IP addresses are not changed, attackers can access an AP and make changes themselves. Default information should be changed to something more secure and unique.


Figure 16-7 Setting the SSID Broadcast Feature

Changing Default Settings (16.1.5)

What are default settings, and why are they there? Most wireless access points and routers are preconfigured with settings such as SSIDs, administrator passwords, and IP addresses. These settings make it easier for the novice user to set up and configure the device in a home LAN environment. Unfortunately, these defaults can also make it easy for an attacker to identify and infiltrate a network.

Changing the default settings on a wireless router does not protect your network by itself. For example, SSIDs are transmitted in plaintext. There are devices that can intercept wireless signals and read plaintext messages. Even with SSID broadcast turned off and default values changed, attackers can learn the name of a wireless network through the use of these devices that intercept wireless signals. This information can then be used to connect to the network. It takes a combination of several methods to protect your WLAN.
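As an added example (not from the Cisco text), the Python parser below reads the SSID information element out of constructed 802.11 management frames. The access point's beacon carries an empty SSID element once broadcast is turned off, but the association request a legitimate client sends still names the network in cleartext, which is why disabling the broadcast hides nothing from anyone observing the channel; frame contents, the network name and the MAC addresses are constructed test data.

```python
import struct

# Frame Control (little-endian 16-bit): bits 2-3 = frame type, bits 4-7 = subtype.
MGMT_TYPE, SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0, 0, 4, 8
# Fixed fields between the 24-byte MAC header and the tagged elements, per subtype.
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0, SUBTYPE_BEACON: 12}
SSID_ELEMENT_ID = 0

def parse_elements(body):
    """Split the tagged-parameter area into {element_id: value}."""
    elements, off = {}, 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        elements[eid] = body[off + 2:off + 2 + length]
        off += 2 + length
    return elements

def ssid_from_frame(frame):
    """SSID carried by a management frame; '' if the AP hides it (empty or
    all-zero SSID element); None if the frame carries no SSID element."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in FIXED_LEN:
        return None
    ssid = parse_elements(frame[24 + FIXED_LEN[subtype]:]).get(SSID_ELEMENT_ID)
    if ssid is None:
        return None
    return "" if ssid.strip(b"\x00") == b"" else ssid.decode("utf-8", "replace")

def build_mgmt_frame(subtype, ssid, fixed=b""):
    """Minimal management frame for the constructed capture (dummy addresses)."""
    header = (struct.pack("<H", subtype << 4)  # frame control: type 0, subtype
              + b"\x00\x00"                     # duration
              + b"\xff" * 6                     # addr1: broadcast
              + bytes.fromhex("020000000001")   # addr2: locally administered dummy
              + bytes.fromhex("020000000001")   # addr3: BSSID (same dummy)
              + b"\x00\x00")                    # sequence control
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid

# Constructed capture: a beacon from an AP with SSID broadcast turned off, then
# the association request a legitimate client sends to join that network.
HIDDEN_BEACON = build_mgmt_frame(SUBTYPE_BEACON, b"", fixed=b"\x00" * 12)
CLIENT_ASSOC = build_mgmt_frame(SUBTYPE_ASSOC_REQ, b"HomeNet", fixed=b"\x00" * 4)

def ssids_seen(frames):
    """Network names visible in cleartext across the frames, hidden beacons excluded."""
    return sorted({s for s in map(ssid_from_frame, frames) if s})
```

Running `ssids_seen([HIDDEN_BEACON, CLIENT_ASSOC])` on the constructed capture returns the network name even though the beacon advertises none.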

In Figure 16-8, the threat actor can easily log in to the router using the default SSID and password.


Figure 16-8 Threat Actor Connects Using the Default Settings

In Figure 16-9, the threat actor can no longer access the router because the defaults have been changed.


Figure 16-9 Threat Actor Can No Longer Connect Using the Default Settings

MAC Address Filtering (16.1.6)

One way to limit access to the wireless network is to control exactly which devices are allowed on the wireless network (or, on some routers and APs, which devices are not allowed) by filtering MAC addresses. If MAC address filtering is configured for devices that are allowed on the network, when a wireless client attempts to connect, or associate, with an AP, it sends MAC address information. The wireless router or AP looks up the MAC address of the connecting client and permits or denies the device onto the wireless network based on the configuration. In Figure 16-10, the laptop cannot authenticate because the router does not have the laptop's MAC address in its MAC address filter list.


Figure 16-10 MAC Address Filtering

There are some issues with this type of security. The person setting up the wireless router/AP has to enter MAC addresses, so this measure does not scale well. Additionally, it is possible for an attacking device to clone the MAC address of another device that has access.
