Network cloaking

Network cloaking is a method of providing network security by hiding the devices behind the network gateway.

Overview

Network cloaking may provide more operational security through obscuring devices from hackers. To access a network behind a gateway, an authorized user must authenticate themselves to the gateway before it allows them to see the devices they are permitted to by the security policy.

Network cloaking obscures devices through the cloaking system. It differs from a firewall, which allows specific types of traffic in. The system does not respond to scans, and the devices behind it cannot be discovered or analyzed, preventing known or zero-day vulnerability exploitation. The internal devices cannot be accessed unless connected through a secure tunnel.

Secondary Usage:

The term has also been used to refer to wireless security by hiding the network name (service set identifier) from being broadcast publicly. Many routers come with this option as a standard feature in the setup menu accessed via a web browser.

Network cloaking may stop inexperienced users from gaining access to a network but should otherwise be considered a minimal security measure.

More secure forms of wireless security include WPA and WPA2.[1] WEP, WPA, WPA2, and other encryption technologies can be used in conjunction with hiding the SSID.

Advantages

Mild security benefit

Hiding the network name may not deter attackers from connecting to the network. Hiding the SSID removes it from beacon frames, but this is only one of several ways an SSID can be discovered.[1] When users chooses to hide the network name from the router's setup page, it will only set the SSID in the beacon frame to null, but there are four other ways that the SSID is transmitted. In fact, hiding broadcast of the SSID on the router may cause the Network interface controller (NIC) to constantly disclose the SSID, even when out of range.[2]

Usability improvement

Hiding the network name improves the experience of users connecting to wireless networks in dense areas. When the network is not intended for public use and does not broadcast its SSID, it will not appear in a list of available networks on clients. This simplifies the choice for users.

Organizations may decide to cloak the Wi-Fi SSID intended to be used by employees and pre-configured on corporate devices while keep networks intended for visitors (i.e., “Guest networks”) broadcasting SSID. This way, authorized users will connect to the corporate network as pre-configured while visitors will only see the “Guest network” and will be less confused about what SSID to use.

Disadvantages

False sense of security

Although network cloaking may add a small sense of security, it is common for people not to realize just how easy it is to discover hidden networks. Because of the various ways an SSID is broadcast, network cloaking is not considered a security measure. Using encryption, preferably WPA or WPA2, is more secure. Even WEP, while weak and vulnerable, provides more security than hiding the SSID. There are many programs that are able to scan for wireless networks, including hidden ones, and display their information such as IP addresses, SSIDs, and encryption types. These programs are capable of "sniffing" out any wireless networks in range by essentially eavesdropping and analyzing network traffic and packets to gather information about those specific networks.[3][4] The reason these programs can sniff out the hidden networks is because when the SSID is transmitted in the various frames, it is displayed in cleartext (unencrypted format), and therefore able to be read by anyone who has found it. An eavesdropper can passively sniff the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a “disassociate frame” as if it came from the wireless bridge, and it sends it to one of the clients connected; the client immediately re-connects, revealing the SSID.[5][6] Some examples of these sniffing programs include the following:

Passive:

  • KisMAC
  • Kismet
  • Prads
  • ESSID-Jack

Active:

The downside of passive scanning is that in order to gather any information, a client already connected to that specific network needs to be generating and therefore providing network traffic to be analyzed.[7] These programs are then able to discover the cloaked networks and their SSIDs through picking through frames of information such as:[8]

  • Probe request frames. Probe request frames are sent unencrypted by the client computer when trying to connect to a network. This unprotected frame of information, which can easily be intercepted and read by someone willing, will contain the SSID.
  • Probe response frames. In response to the probe request, the requested station will send back a frame of information also containing the SSID as well as other details about the network.
  • Association request frames. An association request frame is what begins the process of initializing a relationship between the computer and the access point. Once associated properly, the AP will be able to assign some of its resources to the network interface controller (NIC). Once again, through this process, the SSID is transmitted.
  • Re-association request frames. Re-association request frames are transmitted when a NIC notices a stronger signal from another access point and switches over from the previous one. This new access point will then "take over" and handle the data that may still be caught up in the previous session. The request of a new connection to a new beacon signal will of course require the transmission of a new SSID.[9]

Because of these multiple ways the network name is still being broadcast while the network is "cloaked”, it is not completely hidden from persistent hackers.

Worse still, because a station must probe for a hidden SSID, a fake access point can offer a connection.[10] Programs that act as fake access points are freely available; e.g. airbase-ng[11] and Karma.[12]

References

  1. ^ a b Riley, Steve. "Myth vs. reality: Wireless SSIDs". Retrieved 27 January 2012.
  2. ^ Davies, Joe (31 March 2010). "Non-broadcast Wireless Networks with Microsoft Windows". Microsoft Tech Net. Retrieved 5 February 2012.
  3. ^ Ritchey, Ronald; Brian O’Berry; Steven Noel (2002). "Representing TCP/IP Connectivity For Topological Analysis of Network Security". 18th Annual Computer Security Applications Conference, 2002. Proceedings. pp. 25–31. doi:10.1109/CSAC.2002.1176275. ISBN 0-7695-1828-1.
  4. ^ Robert Moskowitz (2003-12-01). "Debunking the Myth of SSID Hiding" (PDF). International Computer Security Association. Retrieved 2011-07-10. [...] the SSID is nothing more than a wireless-space group label. It cannot be successfully hidden. Attempts to hide it will not only fail, but will negatively impact WLAN performance, and may result in additional exposure of the SSID [...]
  5. ^ Joshua Bardwell; Devin Akin (2005). CWNA Official Study Guide (Third ed.). McGraw-Hill. p. 334. ISBN 978-0-07-225538-6.
  6. ^ Vivek Ramachandran (2011-04-21). "WLAN Security Megaprimer Part 6: Pwning hidden SSIDs". SecurityTube. Retrieved 2011-07-10. Video demo of active and passive SSID uncloaking.
  7. ^ Mateti, Prabhaker. "Hacking Techniques in Wireless Networks". Department of Computer Science and Engineering: Wright State University. Retrieved 13 February 2012.
  8. ^ Ou, George. "The six dumbest ways to secure a wireless LAN". ZDNet. Retrieved 28 January 2012.
  9. ^ Geier, Jim. "Understanding 802.11 Frame Types". Retrieved 2 February 2012.
  10. ^ "Non-broadcast Network Behavior with Windows XP and Windows Server 2003". Microsoft Corporation. 2007-04-19. Retrieved 2011-07-10. it is highly recommended that you do not use non-broadcast wireless networks. Note: Here the term "non-broadcast" means a network that does not broadcast its SSID or broadcasts a null-SSID instead of the actual SSID.
  11. ^ Vivek Ramachandran (2011-04-25). "WLAN Security Megaprimer 10: Hacking isolated clients". SecurityTube. Retrieved 2011-07-10. Demonstrates the use of "airbase-ng" to respond to any probe request beacons.
  12. ^ Dookie2000ca (2009-06-13). "Karmetasploit ( Karma And Metasploit 3)". Retrieved 2011-07-10.{{cite web}}: CS1 maint: numeric names: authors list (link) Demonstrates the use of "Karma" to respond to any probe request beacons.