NSA Guidance for Personal Computing Security

Saw this link over on Larry Seltzer’s site. The NSA has published a “best practices” datasheet for keeping your home network secure.

Looks like good stuff. I’m thinking it’s geared toward those who are computer literate but for whom it isn’t their day job.

I do have an issue with the enhanced protection recommendations at the end. I thought these were all now understood to be wireless security myths that aren’t worth following. It is as if they read George Ou’s article “The Six Dumbest Ways to Secure a Wireless LAN” (3/18/2005) and published it as legitimate advice. George had a follow-up post in March 2007. I double-checked the publication date on this NSA datasheet because the wireless advice is so outdated.

The document itself states that this section is worthless. Even so, when all it can do is offer a false sense of security via added complexity, I think it is a bad idea.

Hardware Address Filtering
This is a belt-and-suspenders solution. WPA2 is your security protection; adding an extra layer of hardware address filtering is unnecessary.

If the network were not encrypted, it would take an attacker seconds to find valid hardware (MAC) addresses to use. So the real security is in the WPA2 encryption.

Lower the power on your antenna
You can lower your profile by trying to limit the reach of your wireless network. However, if you were specifically targeted, the attacker would be using directional antennas with signal boosters.

Your protection is in WPA2, not in trying to stop the signal. (That’s right, a Serenity reference.)

SSID Cloaking

The stated purpose is to avoid detection of the SSID by wardrivers. As Josh Wright mentions in a 2007 Network World article, this is simply a false sense of security. Tools like Kismet are still able to determine the SSID by observing traffic.

Worse yet, the client will now need to probe for the SSID, causing it to essentially beacon your SSID wherever it is.

Josh says cloaking the SSID actually makes it less secure. 

Disable DHCP or Use a smaller DHCP Pool

Again, with an unencrypted network, the attacker would find your address range in seconds and pick an address. WPA2 is what prevents people from connecting to your network.

If the attacker has the ability to compromise your WPA2, what makes you think they will be tripped up by a DHCP server with no available IP addresses?

Better Advice

The NSA document covers this in an earlier section.

1.  Use WPA2.
2.  Use a very, very long password with WPA2 (32+ random characters).
    Automatic setup makes it easy to configure WPA2 with a long password. If it doesn’t, I would generate a very long encryption key and cut and paste it onto every system needing wireless. For phones, if you have secure email enabled (IMAP/S and SMTP/S) you could mail the key to the device and then cut and paste.
3.  Many modern home access points allow you to have a “guest” wireless network which goes to the internet but does not access your home network. Do not be tempted to leave this unencrypted. I would create it with a shorter 12-character passphrase.
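As an added illustration of items 1 and 2 above (this is example code, not part of the original post or the NSA datasheet): it generates the long random passphrase with a CSPRNG, shows roughly how much guessing work a 32-character versus a 12-character passphrase imposes, and derives the WPA2 pairwise master key the way IEEE 802.11i specifies, which is why the passphrase and not MAC filters or DHCP tricks is what protects the network. The restricted punctuation alphabet (chosen so the key pastes cleanly into router and phone UIs) and the SSID "HomeNet" are assumptions made for the example.

```python
import hashlib
import math
import secrets

# WPA2-Personal passphrases are 8-63 printable ASCII characters. This alphabet
# is an assumption for the example: letters, digits and punctuation that paste
# cleanly (no quotes, backslash, backtick or space).
PASSPHRASE_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)


def generate_passphrase(length: int = 32) -> str:
    """Return `length` characters drawn uniformly from a CSPRNG (the post's 32+ random chars)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(PASSPHRASE_ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: the work an offline guessing attack faces."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK (PSK) as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations.
    The SSID salt means the same passphrase gives a different key on each network."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    main_pass = generate_passphrase(32)   # main network, per item 2 of the post
    guest_pass = generate_passphrase(12)  # shorter guest-network passphrase, item 3
    print(f"main  : {main_pass}  (~{entropy_bits(32):.0f} bits)")
    print(f"guest : {guest_pass}  (~{entropy_bits(12):.0f} bits)")
    # "HomeNet" is a constructed SSID for the example.
    print("PMK   :", derive_pmk(main_pass, "HomeNet").hex())
```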

One Comment

  1. “The following security mechanisms do not protect against the experienced attacker, but are very effective against a less experienced attacker.”

    That bit aside, I agree with you; you’re really anchored in your wireless security by the encryption part.

    I do, however, disagree with the SSID cloaking part. It should always be footnoted that SSID cloaking is not useful *if there is always traffic present.* If you’re talking to home users, there may be large chunks of time where their wireless network has zero traffic, which means SSID cloaking is useful. Most enterprises probably always have someone on the network, which will always reveal the SSID in beacon frames, so yes it is useless there. Even if an attacker can find your SSID, yes, she can’t just waltz in. But at least you’re not sitting it out there to be revealed. Sort of like the pseudo-privacy around usernames. They’re not really private, but if you can keep them somewhat private, you’ve gained some value.
