Neighborhood networks

When you set up your network on your Airport Base Station, there is the option to make your network a closed network. This means that the only way that you can connect to it is if you know the name of the network. So for example, if a friend came over and wanted to use your internet on their laptop and you had a private network. When they go to search for the available network it would not show up. They would have to go to "other" network and type the name of the network in and any associated password.
I don't think that this is set-up as a standard thing. The closed network option is not the default.
Usually once a computer has been able to connect to the closed network it is able to connect to it again. So for example, if I take my MacBook on travel with me, and use a different network on travel and then return, my MacBook is able to find my home closed network again. Occasionally if it can't, then I just have to type it in again and then everything is fine. If you need more information http://manuals.info.apple.com/en/DesigningAirPort_Networks_Using_AirPortUtility.pdf

If your neighbors are not "hiding" their networks then conceivably anyone within range of their networks could see them. The reason that sometimes you see them and sometime you don't could be a number of reasons. It could be that they are most of the time out of range but sometimes interference drops down low enough or the conditions are right for it to show up. Also it could be that their network is only on when they use it and they may not use it that much....there are a bunch of reason, but by no means should you be alarmed that you can see their networks. However, this also means that if you are not making your network a "private" network, anyone within range of yours could see it.

If your neighbors are not "hiding" their networks then conceivably anyone within range of their networks could see them.

Even if they are "hiding" their network the network name is broadcast between base station and every connected client. Therefore you can discover the network and it's name within just a few seconds.

"hiding" a network is useless and usually causes you even more problems.

Captain Maniac wrote:
I assume my network has already been set up to be private -- how would I check to see if it is indeed private?

I would be interested in knowing this as well. I just bought an AirPort Extreme and will be setting it up soon. The internet connection is about 50ft away from my iMac in my wife's office near her Mac mini. I've noticed several networks in my neighborhood that come and go, one that I found that I can actually use to access the internet! I'd rather not do that though and when my network is set-up I'd like to keep others from doing the same.

One thing I noted -- while I may use that "other" network to access the internet, I can't see any of the computers or drives associated with it.

A "closed" network does NOT do what it claims. With this option enabled the network name is still broadcast between the base station and every connected client. Therefore anyone can learn the network name in a matter of seconds.

Also a "closed" network does absolutely nothing to protect your data. Your data is sent in the clear and therefore anyone can read it.

Forget about using a "closed" network or MAC address filtering.

If you want a secure wireless network use WPA2 or WPA wireless encryption with a non-dictionary password.

The response above is correct but not totally accurate in a sense. Hiding the SSID and only allowing certain mac addresses are a part of network security but there is no such thing as being totally secure. However, if you combine hiding the SSID with mac address requirements along with WPA for encryption, you are less likely to have someone snooping around as they will move on to another less secure network. The idea is to tighten your network down and all of those tools work together to make it a little better. You should try to use all three rather than just relying on WPA or WEP for security. The tighter you make it the better off you are.

"Hiding the SSID" is not possible. The option to disable the broadcast of the SSID or "closing" the network still broadcasts the SSID in the clear between any connected client and the base station.

Similarily the MAC addresses of connected clients are broadcast between the connected clients and base stations.

Therefore the SSID and an allowable MAC address are easily discovered. Cloning MAC addresses is easily done.

Therefore these options provide no security... only a slight annoyance.

If you rely on either of these for security you are doing nothing other than lulling yourself into a false sense of security.

It is like removing the number from the outside of your house or apartment. It is still easily discovered and located.

The best wireless security you can use is WPA2 with a long non-dictionary password. WPA2 is extremely secure and only broken when weak passwords are discovered through brute force methods.

Duane wrote:
The best wireless security you can use is WPA2 with a long non-dictionary password. WPA2 is extremely secure and only broken when weak passwords are discovered through brute force methods.

Where can I read about setting this up on my network? Will it cause any issues for me as I just want to network two Macs so that I can have both use the same internet connection?
Thanks.
~Kort

Duane,

Are you serious? There is security value in the items mentioned and I find it hard to believe that you can't see that.

First. Selecting the closed network only disables the broadcasting of the SSID. I never said this was total security. All it does is keep the router from identifying itself. Without the SSID, it is a bit harder to figure out how to connect to it. No, it is not total security but as I mention earlier, it helps. BTW, if your router is still broadcasting the SSID when you turn it off, then you have a faulty router. Mine does not show up at all and I had to tell it the network was there.

Secondly, if I set the router to only allow certain MAC addresses and you, the outsider don't know which ones that I have allowed, you can try to spoof them all day long. Once again, this is not total security but it is a part of the overall security of a network.

As you mentioned, everything is still in cleartext which is where WPA comes into play to add encryption to the mix. Even with this you are not totally secure to a good hacker.... Trust me.

Anyway, my point in all of this is that all of these features done together provides a more robust security over just running one thus making it tighter but hey, all those security professionals out there are idiots.

There is more to security than just encryption of data.

Message was edited by: William Potere

I thought that I would post this up for everyone to read. This is a trusted site that has been around for a long time and it goes with what I am saying.

http://www.practicallynetworked.com/support/wireless_secure.htm

Bottom line is that you should use many features as you can to tighten up your security. It is a lot like not only locking the door, but putting a chain and dead bolt on as well. Hope this helps.

BTW, if your router is still broadcasting the SSID when you turn it off, then you have a faulty router. Mine does not show up at all and I had to tell it the network was there.

Every so often someone argues this point until they prove it to themselves. Download and install KisMAC. Ensure that your base station is set so that it does not broadcast the SSID. Ensure that another wireless computer is accessing the base station. Operate KisMAC in passive mode. You will see the network name used by your base station appear on the list of detected networks within a few seconds.

Secondly, if I set the router to only allow certain MAC addresses and you, the outsider don't know which ones that I have allowed, you can try to spoof them all day long.

I'll restate the information. Any outsider merely needs to intercept the traffic between a connected client and the base station. Then they will have the MAC address of that client. Since that client is talking to the base station, that client is on the "allowed" MAC list. Now the outsider merely has to configure his machine to clone that MAC address and the outsider is attached to your network.

Several years ago it was believed that these items added security. That is probably when the article on practicallynetworked was written. In today's world neither add security.

If they make you feel better, use them. But they offer no more protection than putting a sheet over your base station. It's kind of like when young children cover their eyes and believe that they are invisible. It just ain't so... no matter how hard you believe it.

Duane,

Steve Riley is controversial at best in the industry with his opinions and views, this is nothing new. Obviously the folks that teach CISSP and Security+ believe that it is still a very valid resource to security to continue to teach it and certify people on it.

It seems that you continually miss my point. I never said that these alone are secure. I have always mentioned that WPA-2 (or even WEP) should be used to encrypt but that the others are a simple way to tighten it down further. I say it as well as 99.9 (minus you and Steve) percent of the industry. It seems that you think that hacker, crackers, black hatters all come in one flavor and skill level. If by hiding the SSID, I keep one kid from seeing my network and trying to get in, then it has earned it's right to be in place and it was a whole click of a box to put it there.

If you are going to give information out, you should give all of it then inject your opinion so that the user can make an informed decision.

Certainly it is not just 2 people who realize this. A Google search turns up many similar postings. O'Reilly Network also has a posting dispelling the myth of closed/hidden networks and MAC address filtering.

It is a (mostly) free world so you can disagree with me and believe what you want.

If you are going to give information out, you should give all of it then inject your opinion so that the user can make an informed decision.

If you look back at my first post in this thread I explained exactly why closed/hidden networks offer no real security.