Network cloaking

Network cloaking is an attempt to provide network security by hiding the devices behind the network gateway.

Overview

The theory is that if hackers cannot see or scan the devices, they cannot be attacked. To access the network behind the gateway, an authorized user must authenticate themselves to the gateway, and then the gateway allows them to see the devices they are permitted to by the security policy.

Network cloaking shields the devices behind the cloaking system. The system does not respond to scans, and the devices behind it cannot be discovered or analyzed, preventing known or zero-day vulnerabilities from being exploited. The internal devices cannot be accessed unless connected through a secure tunnel. This differs from a firewall, which allows specific types of traffic in, and is often exploited by hijacking connections or having the internal device call home through an allowed firewall rule.

Secondary usage

The term has also been used to refer to wireless security by hiding the network name (service set identifier) from being broadcast publicly. Many routers come with this option as a standard feature in the setup menu accessed via a web browser.

Network cloaking may stop inexperienced users from gaining access to a network but should otherwise be considered a minimal security measure. Network cloaking is less effective than static WEP (which itself is vulnerable, see Wired Equivalent Privacy).

More secure forms of wireless security include WPA (Wi-Fi Protected Access) and preferably WPA2. [1] WEP, WPA, WPA2, and other encryption technologies can be used in conjunction with hiding the SSID.

Advantages

Minimal security benefit

Hiding the network name may prevent less technically inclined people from connecting to the network, but will not deter a determined adversary. The use of WPA or WPA2 is recommended instead. Hiding the SSID removes it from beacon frames, but this is only one of several ways an SSID can be discovered. [1] When one chooses to hide the network name from the router's setup page, it only sets the SSID in the beacon frame to null; there are four other ways in which the SSID is transmitted. In fact, hiding the SSID broadcast on the router may cause client network interface controllers (NICs) to constantly disclose the SSID themselves, even when out of range of the network. [2]

Usability improvement

Hiding the network name improves the experience of users connecting to wireless networks in dense areas. When the network is not intended for public use and does not broadcast its SSID, it will not appear in a list of available networks on clients. This simplifies the choice for users.

Organizations may decide to cloak the Wi-Fi SSID intended for employees and pre-configured on corporate devices, while keeping networks intended for visitors (i.e., "guest networks") broadcasting their SSID. This way, authorized users connect to the corporate network as pre-configured, while visitors only see the "guest network" and are less confused about which SSID to use.

Disadvantages

False sense of security

Although network cloaking may add a small sense of security, it is common for people not to realize just how easy it is to discover hidden networks. Because of the various ways an SSID is broadcast, network cloaking is not considered a security measure. Using encryption, preferably WPA or WPA2, is more secure. Even WEP, while weak and vulnerable, provides more security than hiding the SSID.

There are many programs that can scan for wireless networks, including hidden ones, and display information such as IP addresses, SSIDs, and encryption types. These programs "sniff" out any wireless network in range by eavesdropping on and analyzing network traffic and packets to gather information about those networks. [3] [4] They can find hidden networks because whenever the SSID is transmitted in the various frames it appears in cleartext (unencrypted), and can therefore be read by anyone who captures it.

An eavesdropper can passively sniff the wireless traffic on that network undetected (with software like Kismet) and wait for someone to connect, which reveals the SSID. Alternatively, there are faster (albeit detectable) methods in which a cracker spoofs a "disassociate frame" as if it came from the wireless bridge and sends it to one of the connected clients; the client immediately reconnects, revealing the SSID. [5] [6] Some examples of these sniffing programs include the following:

Passive:

Active:

The downside of passive scanning is that, in order to gather any information, a client already connected to that specific network needs to be generating network traffic that can be analyzed. [7] These programs can then discover the cloaked networks and their SSIDs by inspecting the following kinds of frames, each of which carries the SSID: [8]

Because of these multiple ways in which the network name is still transmitted while the network is "cloaked", it is not completely hidden from persistent hackers.

Worse still, because a station must probe for a hidden SSID, a fake access point can offer a connection. [10] Programs that act as fake access points are freely available; e.g. airbase-ng [11] and Karma. [12]
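The preceding sections make three claims that are easy to verify on the wire: hiding the SSID only nulls the field in beacon frames, the same SSID still appears in cleartext in probe requests, probe responses and association requests, and a spoofed disassociation frame forces a client to reconnect and reveal the name. The following Python example, added here and not taken from the article or from any tool it names, implements a minimal IEEE 802.11 management-frame parser and runs a defender-side audit over a handful of hand-constructed frames: it reports which access points are beaconing a null SSID, which other frames still disclose the name, and whether one address is emitting a burst of disassociation frames of the kind a monitoring system would want to alert on. The frame layout follows the 802.11 header and tagged-element format; the MAC addresses, the SSID "CorpNet", the burst threshold and all frame bytes are constructed for the demo.

```python
"""Minimal IEEE 802.11 management-frame parser and SSID-exposure audit.

Added example; not code from the article or from any tool it names.
Frame layout follows 802.11: 2-byte Frame Control, 2-byte Duration,
three 6-byte addresses, 2-byte Sequence Control, a subtype-specific fixed
body, then tagged information elements (ID, length, value).
All frames below are constructed by hand for the demo.
"""
import struct
from collections import Counter
from typing import Optional

# Management subtypes (frame type 0) used here; the names are our own labels.
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 12: "deauth"}
# Size of the fixed fields that precede the tagged parameters.
FIXED_LEN = {"assoc-req": 4, "probe-req": 0, "probe-resp": 12,
             "beacon": 12, "disassoc": 2, "deauth": 2}
TAG_SSID = 0                      # element ID of the SSID information element
BCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(subtype: int, dst: str, src: str, bssid: str,
                ssid: Optional[bytes] = None, reason: int = 0) -> bytes:
    """Construct a minimal management frame (test data, not a real capture)."""
    name = MGMT_SUBTYPES[subtype]
    header = (struct.pack("<H", subtype << 4)   # Frame Control: type 0, subtype
              + b"\x00\x00"                     # Duration
              + mac(dst) + mac(src) + mac(bssid)
              + b"\x00\x00")                    # Sequence Control
    if name in ("disassoc", "deauth"):
        body = struct.pack("<H", reason)        # fixed body is just the reason code
    else:
        body = bytes(FIXED_LEN[name])           # timestamp/interval/capabilities zeroed
    tags = b""
    if ssid is not None:
        tags += bytes([TAG_SSID, len(ssid)]) + ssid
    return header + body + tags


def parse_frame(frame: bytes) -> dict:
    """Decode the header, reason code and SSID element of a management frame."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return {"subtype": "other"}
    name = MGMT_SUBTYPES[subtype]
    info = {"subtype": name, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "ssid": None}
    if name in ("disassoc", "deauth"):
        (info["reason"],) = struct.unpack_from("<H", frame, 24)
    off = 24 + FIXED_LEN[name]
    while off + 2 <= len(frame):
        tag_id, tag_len = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + tag_len]
        if len(value) < tag_len:
            break                               # truncated element: stop, do not misparse
        if tag_id == TAG_SSID:
            # A "hidden" SSID is sent as length 0 or as all-zero bytes.
            info["ssid"] = "" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
        off += 2 + tag_len
    return info


def audit(frames: list, burst_threshold: int = 5) -> dict:
    """Defender's view: does the cloak hold, and is someone forcing reconnects?"""
    hidden_aps, disclosures, kicks = set(), [], Counter()
    for f in map(parse_frame, frames):
        if f["subtype"] == "beacon" and f["ssid"] == "":
            hidden_aps.add(f["bssid"])
        elif f["subtype"] in ("probe-req", "probe-resp", "assoc-req") and f["ssid"]:
            disclosures.append((f["subtype"], f["src"], f["ssid"]))
        elif f["subtype"] in ("disassoc", "deauth"):
            kicks[f["src"]] += 1
    return {
        "hidden_aps": sorted(hidden_aps),
        "disclosed": disclosures,
        "cloak_broken": bool(hidden_aps) and bool(disclosures),
        "reconnect_storms": {src: n for src, n in kicks.items() if n >= burst_threshold},
    }


# Constructed traffic: one AP with the SSID hidden in beacons, one client that
# knows the name, then a burst of disassociation frames carrying the AP's address.
AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:cc:01"
SAMPLE = [
    build_frame(8, BCAST, AP, AP, ssid=b""),                # beacon with null SSID
    build_frame(4, BCAST, CLIENT, BCAST, ssid=b"CorpNet"),  # client probes by name
    build_frame(5, CLIENT, AP, AP, ssid=b"CorpNet"),        # AP's probe response carries it
    build_frame(0, AP, CLIENT, AP, ssid=b"CorpNet"),        # association request repeats it
] + [build_frame(10, CLIENT, AP, AP, reason=1) for _ in range(5)]  # reason 1 = unspecified

if __name__ == "__main__":
    for key, val in audit(SAMPLE).items():
        print(f"{key}: {val}")
```

Running the block prints one hidden access point, three frames that still carry "CorpNet" in the clear, `cloak_broken: True`, and a reconnect storm attributed to the AP's address. The parser deliberately stops at a truncated information element instead of reading past the end of the frame, and it treats an all-zero SSID body the same as a zero-length one, since both forms are seen from "non-broadcast" access points. On a real capture the same logic would be fed frames from a monitor-mode interface; the burst threshold is a placeholder that a wireless IDS would tune to the environment.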

References

  1. Riley, Steve. "Myth vs. reality: Wireless SSIDs". Retrieved 27 January 2012.
  2. Davies, Joe. "Non-broadcast Wireless Networks with Microsoft Windows". Microsoft TechNet. Retrieved 5 February 2012.
  3. Ritchey, Ronald; O'Berry, Brian; Noel, Steven (2002). "Representing TCP/IP Connectivity For Topological Analysis of Network Security". 18th Annual Computer Security Applications Conference, 2002. Proceedings. pp. 25–31. doi:10.1109/CSAC.2002.1176275. ISBN 0-7695-1828-1.
  4. Moskowitz, Robert (2003-12-01). "Debunking the Myth of SSID Hiding" (PDF). International Computer Security Association. Retrieved 2011-07-10. [...] the SSID is nothing more than a wireless-space group label. It cannot be successfully hidden. Attempts to hide it will not only fail, but will negatively impact WLAN performance, and may result in additional exposure of the SSID [...]
  5. Bardwell, Joshua; Akin, Devin (2005). CWNA Official Study Guide (Third ed.). McGraw-Hill. p. 334. ISBN 978-0-07-225538-6.
  6. Ramachandran, Vivek (2011-04-21). "WLAN Security Megaprimer Part 6: Pwning hidden SSIDs". SecurityTube. Retrieved 2011-07-10. Video demo of active and passive SSID uncloaking.
  7. Mateti, Prabhaker. "Hacking Techniques in Wireless Networks". Department of Computer Science and Engineering, Wright State University. Retrieved 13 February 2012.
  8. Ou, George. "The six dumbest ways to secure a wireless LAN". Retrieved 28 January 2012.
  9. Geier, Jim. "Understanding 802.11 Frame Types". Retrieved 2 February 2012.
  10. "Non-broadcast Network Behavior with Windows XP and Windows Server 2003". Microsoft Corporation. 2007-04-19. Retrieved 2011-07-10. It is highly recommended that you do not use non-broadcast wireless networks. Note: here the term "non-broadcast" means a network that does not broadcast its SSID or broadcasts a null SSID instead of the actual SSID.
  11. Ramachandran, Vivek (2011-04-25). "WLAN Security Megaprimer 10: Hacking isolated clients". SecurityTube. Retrieved 2011-07-10. Demonstrates the use of "airbase-ng" to respond to any probe request beacons.
  12. Dookie2000ca (2009-06-13). "Karmetasploit (Karma And Metasploit 3)". Retrieved 2011-07-10. Demonstrates the use of "Karma" to respond to any probe request beacons.