How to hide SSID and general security advice

Zahan Al-Rashid
Level 1

Hi All

Just wanted to know if someone can explain or link me to an article that explains how to hide Wireless SSID via Wireless controllers (one I am using is 5505)

Currently anyone can attempt to log in to it as I can't find any options to hide it! (Screenshot below)

wireless.png

Also any advice on what measures I should take to secure the APs and from access would be great. I am currently considering port security and static MAC addresses on ports; traffic has already got ACLs on its VLAN. I would appreciate any other suggestions as I have little to no experience with wireless devices.

Kind Regards


Zee

10 Replies

George Stefanick
VIP Alumni

Hi there ..

It's simple to hide the SSID actually. Click on the WLAN and look in the middle. You will see a check box that says "BROADCAST SSID". Simply uncheck this and the SSID is hidden.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

___________________________________________________________

Thanks for your responses and advice, all.

Hi George,


I can't see the "hide broadcast" option you mentioned; I pressed WLANs and clicked advanced etc. to see if it is in there but no joy.

All I see is the options on screenshot above unfortunately, or could I be missing something?

Scott Fella
Hall of Fame

Just to add to George's great post! If you want to protect your lightweight AP from access, disable telnet and ssh access. You don't need to use port security or MAC address filter as that would break things. Wired is very different than wireless. These APs don't hold any configurations if stolen like autonomous FAT APs. I usually allow ssh access so I can do some troubleshooting. Don't go overboard or else you'll be troubleshooting and end up removing all the filters that you put in place.


-Scott
*** Please rate helpful posts ***

Yahya Jaber
Cisco Employee

Hi,

Well said, Scott,

and if you are thinking that hiding the SSID is security... I am afraid to tell you it is not; any sniffer can tell your SSID name, even if it is not broadcast.

Wireless uses encryption... which would take light years to break. I found this on the internet:

"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."

I think WLC uses 256-AES.

So if I am understanding your needs, your wireless LAN will be secured depending on the security type and encryption.

And you don't have to worry about the APs, just disable telnet and SSH.

To feed on Yahya's post.

The reason a hidden SSID can still be seen with a sniffer is that clients that connect to a hidden SSID need to PROBE for that SSID. Inside that PROBE is the name of the SSID. All you have to do is capture that client's PROBE and peek inside. I'm surprised normal supplicants haven't already used this as a tool to see hidden SSIDs. I mean clients spend more than 3/4 of their time RX anyway. They see the probe... They should report on it.

In fact, if you use AirMagnet Analyzer you will see the SSID pop up in the color red. This indicates the SSID was hidden.

As for light years, I don't know I would bet on that.

Also, the WLC does 128, no?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

___________________________________________________________
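
The point made in the reply above, as an added example that is not part of the original thread: a minimal 802.11 management-frame parser run over constructed frames, showing that a cloaked beacon carries an empty or zeroed SSID element while the probe request a client sends to join the same WLAN names it in the clear. The frame bytes, the `EXAMPLE-WLAN` name and the function names are assumptions made for the illustration.

```python
import struct

MGMT_HDR_LEN = 24  # frame control, duration, three addresses, sequence control
# Management subtype -> (name, fixed-field bytes that precede the tagged elements)
SUBTYPES = {4: ("probe-request", 0), 5: ("probe-response", 12), 8: ("beacon", 12)}

def parse_ssid(frame: bytes):
    """Return (frame kind, SSID); SSID is None when the element is empty or zeroed."""
    if len(frame) < MGMT_HDR_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe frame")
    kind, fixed_len = SUBTYPES[subtype]
    pos = MGMT_HDR_LEN + fixed_len
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            raise ValueError("truncated information element")
        if elem_id == 0:  # SSID element
            cloaked = elem_len == 0 or not any(value)
            return kind, None if cloaked else value.decode("utf-8", "replace")
        pos += 2 + elem_len
    return kind, None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample frame (no radiotap header, no FCS), for the demo only."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6
              + bytes.fromhex("020000000001") * 2 + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, 0x0011) if SUBTYPES[subtype][1] else b""
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + fixed + bytes([0, len(ssid)]) + ssid + rates

# Constructed capture: the AP's cloaked beacons, then a client joining the WLAN.
SAMPLE = [
    build_frame(8, b""),              # beacon, zero-length SSID
    build_frame(8, b"\x00" * 9),      # beacon, SSID replaced by null bytes
    build_frame(4, b"EXAMPLE-WLAN"),  # client probe request names the network
    build_frame(5, b"EXAMPLE-WLAN"),  # AP probe response echoes it
]

def observed(frames):
    return [parse_ssid(f) for f in frames]

if __name__ == "__main__":
    for kind, ssid in observed(SAMPLE):
        print(f"{kind:15} ssid={ssid!r}")
```

Because the name is visible to any passive listener as soon as one legitimate client associates, access control has to come from the WLAN's authentication and encryption settings rather than from the broadcast checkbox.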

George,

1 light year = 36,000 years.

I was reading the AES document from Cisco; the IOS software AES is configurable, but I think the WLC has 256, but I will check on that too.

The other half would be, the client would need to support 256 as well. I would imagine 256 would add more overhead and clients might choke..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

___________________________________________________________

BTW -- I bet in 10 years AES will be flawed to the point it will be replaced.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

___________________________________________________________

Actually 20 years is the expected lifetime for AES.

I will make sure of the type, if 128 or 256... because it is configurable on IOS.

Hi,

AES is 128-Bit
