Network cloaking

Last updated

Network cloaking is a method of providing network security by hiding the devices behind the network gateway.

Contents

Overview

Network cloaking may provide more operational security through obscuring devices from hackers. To access a network behind a gateway, an authorized user must authenticate themselves to the gateway before it allows them to see the devices they are permitted to by the security policy.

Network cloaking obscures devices through the cloaking system. It differs from a firewall, which allows specific types of traffic in. The system does not respond to scans, and the devices behind it cannot be discovered or analyzed, preventing known or zero-day vulnerability exploitation. The internal devices cannot be accessed unless connected through a secure tunnel.

Secondary Usage:

The term has also been used to refer to wireless security by hiding the network name (service set identifier) from being broadcast publicly. Many routers come with this option as a standard feature in the setup menu accessed via a web browser.

Network cloaking may stop inexperienced users from gaining access to a network but should otherwise be considered a minimal security measure.

More secure forms of wireless security include WPA and WPA2. [1] WEP, WPA, WPA2, and other encryption technologies can be used in conjunction with hiding the SSID.

Advantages

Mild security benefit

Hiding the network name may not deter attackers from connecting to the network. Hiding the SSID removes it from beacon frames, but this is only one of several ways an SSID can be discovered. [1] When users chooses to hide the network name from the router's setup page, it will only set the SSID in the beacon frame to null, but there are four other ways that the SSID is transmitted. In fact, hiding broadcast of the SSID on the router may cause the Network interface controller (NIC) to constantly disclose the SSID, even when out of range. [2]

Usability improvement

Hiding the network name improves the experience of users connecting to wireless networks in dense areas. When the network is not intended for public use and does not broadcast its SSID, it will not appear in a list of available networks on clients. This simplifies the choice for users.

Organizations may decide to cloak the Wi-Fi SSID intended to be used by employees and pre-configured on corporate devices while keep networks intended for visitors (i.e., “Guest networks”) broadcasting SSID. This way, authorized users will connect to the corporate network as pre-configured while visitors will only see the “Guest network” and will be less confused about what SSID to use.

Disadvantages

False sense of security

Although network cloaking may add a small sense of security, it is common for people not to realize just how easy it is to discover hidden networks. Because of the various ways an SSID is broadcast, network cloaking is not considered a security measure. Using encryption, preferably WPA or WPA2, is more secure. Even WEP, while weak and vulnerable, provides more security than hiding the SSID. There are many programs that are able to scan for wireless networks, including hidden ones, and display their information such as IP addresses, SSIDs, and encryption types. These programs are capable of "sniffing" out any wireless networks in range by essentially eavesdropping and analyzing network traffic and packets to gather information about those specific networks. [3] [4] The reason these programs can sniff out the hidden networks is because when the SSID is transmitted in the various frames, it is displayed in cleartext (unencrypted format), and therefore able to be read by anyone who has found it. An eavesdropper can passively sniff the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a “disassociate frame” as if it came from the wireless bridge, and it sends it to one of the clients connected; the client immediately re-connects, revealing the SSID. [5] [6] Some examples of these sniffing programs include the following:

Passive:

Active:

The downside of passive scanning is that in order to gather any information, a client already connected to that specific network needs to be generating and therefore providing network traffic to be analyzed. [7] These programs are then able to discover the cloaked networks and their SSIDs through picking through frames of information such as: [8]

Because of these multiple ways the network name is still being broadcast while the network is "cloaked”, it is not completely hidden from persistent hackers.

Worse still, because a station must probe for a hidden SSID, a fake access point can offer a connection. [10] Programs that act as fake access points are freely available; e.g. airbase-ng [11] and Karma. [12]

Related Research Articles

<span class="mw-page-title-main">IEEE 802.11</span> Wireless network standard

IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of medium access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer communication. The standard and amendments provide the basis for wireless network products using the Wi-Fi brand and are the world's most widely used wireless computer networking standards. IEEE 802.11 is used in most home and office networks to allow laptops, printers, smartphones, and other devices to communicate with each other and access the Internet without connecting wires. IEEE 802.11 is also a basis for vehicle-based communication networks with IEEE 802.11p.

<span class="mw-page-title-main">Wireless LAN</span> Computer network that links devices using wireless communication within a limited area

A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building. This gives users the ability to move around within the area and remain connected to the network. Through a gateway, a WLAN can also provide a connection to the wider Internet.

<span class="mw-page-title-main">Wi-Fi</span> Wireless local area network

Wi-Fi is a family of wireless network protocols based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. These are the most widely used computer networks, used globally in home and small office networks to link devices and to provide Internet access with wireless routers and wireless access points in public places such as coffee shops, hotels, libraries, and airports.

Wired Equivalent Privacy (WEP) is an obsolete, severely flawed security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits, was at one time widely used, and was often the first security choice presented to users by router configuration tools.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

<span class="mw-page-title-main">Service set (802.11 network)</span> Group of all devices on the same wireless network

In IEEE 802.11 wireless local area networking standards, a service set is a group of wireless network devices which share a service set identifier (SSID)—typically the natural language label that users see as a network name. A service set forms a logical network of nodes operating with shared link-layer networking parameters; they form one logical network segment.

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

A wireless distribution system (WDS) is a system enabling the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the traditional requirement for a wired backbone to link them. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client frames across links between access points.

<span class="mw-page-title-main">Beacon frame</span> Type of management frame

A beacon frame is a type of management frame in IEEE 802.11 WLANs. It contains information about the network. Beacon frames are transmitted periodically; they serve to announce the presence of a wireless LAN and to provide a timing signal to synchronise communications with the devices using the network. In an infrastructurebasic service set (BSS), beacon frames are transmitted by the access point (AP). In ad hoc (IBSS) networks, beacon generation is distributed among the stations. For the 2.4 GHz spectrum, when having more than 15 SSIDs on non-overlapping channels, beacon frames start to consume significant amount of air time and degrade performance even when most of the networks are idle.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

IEEE 802.11w-2009 is an approved amendment to the IEEE 802.11 standard to increase the security of its management frames.

<span class="mw-page-title-main">SpeedTouch</span> Brand name of a line of networking equipment

SpeedTouch is the brand name of a line of networking equipment produced by Alcatel and Technicolor SA. Before 27 January 2010 Technicolor was known as Thomson SA.

AOSS is a system by Buffalo Technology which allows a secure wireless connection to be set up with the push of a button. AirStation residential gateways incorporated a button on the unit to let the user initiate this procedure. AOSS was designed to use the maximum level of security available to both connecting devices, including both Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA).

<span class="mw-page-title-main">Aircrack-ng</span> Software suite

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. Packages are released for Linux and Windows.

<span class="mw-page-title-main">Wi-Fi Protected Setup</span> Network security standard to create a secure wireless home network

Wi-Fi Protected Setup (WPS) originally, Wi-Fi Simple Config, is a network security standard to create a secure wireless home network.

Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary by jurisdiction around the world. While completely outlawed or regulated in some places, it is permitted in others.

Network detectors or network discovery software are computer programs that facilitate detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. Discovering networks may be done through active as well as passive scanning.

WiFi-Where was a tool that facilitated Wardriving and detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. Versions existed for the operating systems iOS and Palm OS. Originally created in June 2004 for the Palm OS by Jonathan Hays of Hazelware Software, the IP for WiFi-Where was licensed to 3Jacks Software in 2009. An iPhone version of the application was released in January 2010, but was pulled from the App Store by Apple in March 2010. The app was frequently listed as a common tool to facilitate Wardriving As of 2010, it is still available in the Jailbroken Cydia store.

<span class="mw-page-title-main">WiFi Explorer</span> Wireless network scanner tool for macOS

WiFi Explorer is a wireless network scanner tool for macOS that can help users identify channel conflicts, overlapping and network configuration issues that may be affecting the connectivity and performance of Wi-Fi networks.

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

References

  1. 1 2 Riley, Steve. "Myth vs. reality: Wireless SSIDs" . Retrieved 27 January 2012.
  2. Davies, Joe. "Non-broadcast Wireless Networks with Microsoft Windows". Microsoft Tech Net. Retrieved 5 February 2012.
  3. Ritchey, Ronald; Brian O’Berry; Steven Noel (2002). "Representing TCP/IP Connectivity For Topological Analysis of Network Security". 18th Annual Computer Security Applications Conference, 2002. Proceedings. pp. 25–31. doi:10.1109/CSAC.2002.1176275. ISBN   0-7695-1828-1.
  4. Robert Moskowitz (2003-12-01). "Debunking the Myth of SSID Hiding" (PDF). International Computer Security Association . Retrieved 2011-07-10. [...] the SSID is nothing more than a wireless-space group label. It cannot be successfully hidden. Attempts to hide it will not only fail, but will negatively impact WLAN performance, and may result in additional exposure of the SSID [...]
  5. Joshua Bardwell; Devin Akin (2005). CWNA Official Study Guide (Third ed.). McGraw-Hill. p. 334. ISBN   978-0-07-225538-6.
  6. Vivek Ramachandran (2011-04-21). "WLAN Security Megaprimer Part 6: Pwning hidden SSIDs". SecurityTube. Retrieved 2011-07-10. Video demo of active and passive SSID uncloaking.
  7. Mateti, Prabhaker. "Hacking Techniques in Wireless Networks". Department of Computer Science and Engineering: Wright State University. Retrieved 13 February 2012.
  8. Ou, George. "The six dumbest ways to secure a wireless LAN" . Retrieved 28 January 2012.
  9. Geier, Jim. "Understanding 802.11 Frame Types" . Retrieved 2 February 2012.
  10. "Non-broadcast Network Behavior with Windows XP and Windows Server 2003". Microsoft Corporation. 2007-04-19. Retrieved 2011-07-10. it is highly recommended that you do not use non-broadcast wireless networks. Note: Here the term "non-broadcast" means a network that does not broadcast its SSID or broadcasts a null-SSID instead of the actual SSID.
  11. Vivek Ramachandran (2011-04-25). "WLAN Security Megaprimer 10: Hacking isolated clients". SecurityTube. Retrieved 2011-07-10. Demonstrates the use of "airbase-ng" to respond to any probe request beacons.
  12. Dookie2000ca (2009-06-13). "Karmetasploit ( Karma And Metasploit 3)" . Retrieved 2011-07-10.{{cite web}}: CS1 maint: numeric names: authors list (link) Demonstrates the use of "Karma" to respond to any probe request beacons.