WiFi security and multiple APs

[Discussion moved here from the Wanted: emonTH 2 sketch that handles many external ds1820Bs - I'll pay for it! - #38 by JustPlaying thread as it was drifting away from the original discussion]

For this I usually set up an AP with a second virtual AP (VAP), with a hidden SSID and an ACL set to Deny Unknown MAC (if you are paranoid about security). Then there are two SSIDs: one that is visible for common use, whose password you can change regularly, and a second one that is hidden and denies all connections except known MACs. Most good routers support this feature. If not, you can upgrade the firmware of your router with Tomato, TomatoUSB, DD-WRT or a whole host of custom firmwares that support virtual APs, or, if you want very stable wireless, use a wired router (or small managed switch) with a DWL-2600AP connected as an access point (it supports 16 VAPs).


For an alternative take a look at this → GitHub - martin-ger/esp_wifi_repeater: A full functional WiFi Repeater (correctly: a WiFi NAT Router)

Seems it would be a great repeater for your IoT devices. I haven’t tested it and haven’t looked at the code but for the cost of an ESP8266 board this would make a very cheap integrator for a number of ESP based systems of the kind being suggested here.


Just mentioning: the problem with repeaters is that whatever your connection speed is, it will be halved. To my understanding a virtual AP degrades it only ~2%-3% for each additional SSID (but I could be wrong on that, and I am sure someone will correct me if I am).

I’ve never quite understood this unless you give the password out to lots of transient folk (like in a work environment with a Guest WiFi).

That looks very interesting. Good tip about the VAP.

My understanding is that the advice to change passwords regularly is out of date. I believe the present thinking is that you should have a random password (ideally generated and stored in a Password Safe) and only change it when there’s a suspicion that it has been compromised.


Yes you are correct, the current school of thought is as you suggest - but the advice is aimed at individuals rather than a shared password like WIFI.

In a commercial environment, you may have a turnover of privileged IT staff who had access to the passwords, therefore they are likely to need to be changed regularly in line with staff movements.

Setting up hidden SSIDs (along with the necessary firewall rules) and the like is good advice; however, this also assumes a level of technical understanding which may not always be present, and hacking generally occurs through the simplest methods and gateways.

While it seems like good advice, it’s actually quite easy to circumvent.

Here’s why:


That is assuming they did not use normal WiFi security. Hiding makes it less obvious, but if I remember correctly, when hiding the SSID it is Windows machines that continuously broadcast the hidden SSID. Other platforms do not; they only broadcast it once when they are initially set up, then do not broadcast it again. So while they could figure out the SSID eventually, it might be a long while of waiting for a new device to be connected. MAC filtering can be effective, especially if the filtering includes assignment and association to an IP. So while they might gain access to the WiFi, the device will be forced to use a specific IP for it to have access, and as soon as it grabs the IP that it is assigned, spanning protocols kick in and block it. And even if they don’t, two devices with the same IP on the same network go to crap, making both useless… but then again a good AP detects MAC spoofing, and it is not really an issue in the first place.

I have an ESP8266 collecting temperature and energy readings out of a solar tank living outside my house. I can scan nearby WiFi networks and sometimes the ESP finds 30+ SSIDs! And I live in an area that is not densely populated. To overcome interference from overlapping channels I had to place a second AP close to the ESP8266. Now imagine if all my neighbors do the same as me.
For a big monitoring system I’d probably avoid wireless and try a wired system.

From the articles:

SSID hiding: There is no such thing as “SSID hiding”. You’re only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are: probe requests, probe responses, association requests, and re-association requests. Essentially, you’re talking about hiding 1 of 5 SSID broadcast mechanisms.

While a MAC address sounds great to keep people out of your connection, there is one gaping flaw that will have you cursing all the time you spent setting it up. All a decent hacker needs is a wireless network analyser, which will let him see all the MAC addresses you have authorised.
Once they change their own MAC address to match one of the ones on the list, you’re pretty much left wide open.
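
The five frame types named in the quoted article, as an added example that is not part of the original thread: a parser that pulls the SSID element out of 802.11 management frames and shows which of them still carry the name when the beacon's SSID is suppressed. The frames are constructed in the code (zeroed addresses and fixed fields) and the function names are the example's own.

```python
# Management-frame subtypes that carry an SSID element, with the length of
# the fixed fields that sit between the MAC header and the tagged parameters.
SSID_SUBTYPES = {
    0: ("association request", 4),     # capability + listen interval
    2: ("reassociation request", 10),  # as above + current AP address
    4: ("probe request", 0),
    5: ("probe response", 12),         # timestamp + interval + capability
    8: ("beacon", 12),
}
MAC_HEADER_LEN = 24


def extract_ssid(frame: bytes):
    """Return (subtype_name, ssid), or None if the frame carries no SSID.

    ssid is "" when the element is empty or all NUL bytes ("hidden" beacon).
    """
    if len(frame) < MAC_HEADER_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SSID_SUBTYPES:
        return None  # not a management frame of interest
    name, fixed_len = SSID_SUBTYPES[subtype]
    pos = MAC_HEADER_LEN + fixed_len
    # Walk the tagged parameters: 1-byte ID, 1-byte length, then the value.
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            return None  # truncated element
        if elem_id == 0:  # element ID 0 is the SSID
            return name, value.strip(b"\x00").decode("utf-8", "replace")
        pos += 2 + elem_len
    return None


def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample frame: zeroed addresses and fixed fields."""
    header = bytes([subtype << 4, 0]) + bytes(22)
    fixed = bytes(SSID_SUBTYPES[subtype][1])
    return header + fixed + bytes([0, len(ssid)]) + ssid


def ssid_exposure(ssid: bytes):
    """One network seen through each frame type, with the beacon SSID hidden."""
    frames = [build_frame(8, b"")] + [build_frame(s, ssid) for s in (4, 5, 0, 2)]
    return [extract_ssid(f) for f in frames]
```

`ssid_exposure(b"IOT")` returns an empty name for the beacon and `"IOT"` for the other four frame types.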

No worries Bill,
but if you got the gist of my original post, I was not saying not to USE normal WPA encryption… I was just saying that on top of encryption and VAP you can add MAC filtering to the SECONDARY VAP to only allow the MACs of certain devices to connect to that VAP, on top of your password…

By the way, I operate and manage a small wireless ISP with 200 customers and 9 APs spread over a radius of 16 km… Currently I do not even encrypt my wireless access points any more… The radios themselves have a slight variation on the 2.4 format, so that normal wireless devices can see them but cannot talk to them. For those APs that still allow normal connections, each client is automatically assigned a fixed IP, and if that fixed IP does not match that specific MAC they are denied access… Then on top of that each AP is on its own VLAN and clients are isolated at the AP… So even if they figured out how to get access to the AP and connect, they are client-isolated and stuck in a VLAN that goes nowhere… and see nothing.

So if you are worried about security I would say:
- Use a managed switch and an AP.
- Use VAPs: configure one for normal users (if you wish to change your password regularly) and a secondary VAP for your IoT devices.
- Turn on spanning protocol and client isolation on your AP.
- Configure one of the ports on your managed switch/router to use a VLAN, set up a specific range on that VLAN and enable DHCP for it. Then enable the VLAN on the AP and plug it into the VLAN port. If your router/switch/AP detects MAC spoofing, turn that on. If not, you can use pfSense and build your own managed switch/router with an older computer or a suitable “Pi” device, then install Snort and set up the VLAN the same way as above. Point Snort to monitor your wireless VLAN ports. If Snort detects spoofing it will quickly disable the connection for that MAC, send you an email, and will either re-enable the device at a specified time limit or leave it disabled until you re-enable it yourself. If using pfSense, a router or a managed switch, you can also reduce the max download and upload speed of your specific ESP device IP/MAC/range to, say, <10kb per device: enough to transmit data but pretty brutal if you are trying to do anything else…

Let’s face it, those who would like to hack your WiFi connection are not looking for your data; they want free internet so they can get their Facebook fix. If they cannot have it, they simply do not care to go further.
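
One way to express the fixed MAC-to-IP check and the spoofing watch described in the post above, as an added example: it is not the poster's configuration and not how pfSense or Snort implement their detection. The bindings, port names, observations and the 30-second window are all constructed assumptions.

```python
from collections import namedtuple

Obs = namedtuple("Obs", "ts port mac ip")

# Hypothetical static DHCP map for the IoT VLAN (constructed values).
BINDINGS = {
    "02:00:00:00:00:01": "192.168.50.11",
    "02:00:00:00:00:02": "192.168.50.12",
}
WINDOW = 30  # seconds in which one MAC on two ports is treated as a clone


def check_bindings(observations, bindings=BINDINGS, window=WINDOW):
    """Return (ts, mac, reason) alerts for a stream of MAC/IP observations."""
    ip_owner = {ip: mac for mac, ip in bindings.items()}
    last_seen = {}  # mac -> (ts, port) of the previous sighting
    alerts = []
    for o in sorted(observations, key=lambda o: o.ts):
        mac = o.mac.lower()
        if mac not in bindings:
            reason = "unknown MAC"
            if o.ip in ip_owner:
                reason += f" using IP reserved for {ip_owner[o.ip]}"
            alerts.append((o.ts, mac, reason))
            continue
        if o.ip != bindings[mac]:
            alerts.append(
                (o.ts, mac, f"IP {o.ip} does not match binding {bindings[mac]}"))
        prev = last_seen.get(mac)
        if prev and prev[1] != o.port and o.ts - prev[0] <= window:
            alerts.append(
                (o.ts, mac, f"seen on {prev[1]} and {o.port} within {window}s"))
        last_seen[mac] = (o.ts, o.port)
    return alerts


# Constructed sample observations: (timestamp, AP / switch port, MAC, IP).
SAMPLE = [
    Obs(0, "ap1", "02:00:00:00:00:01", "192.168.50.11"),   # normal
    Obs(10, "ap1", "02:00:00:00:00:02", "192.168.50.12"),  # normal
    Obs(20, "ap1", "02:00:00:00:00:99", "192.168.50.11"),  # stranger, bound IP
    Obs(25, "ap2", "02:00:00:00:00:01", "192.168.50.11"),  # same MAC, other AP
    Obs(40, "ap1", "02:00:00:00:00:02", "192.168.50.99"),  # wrong IP for MAC
]
```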

All I’m saying is what the Pros are saying. i.e. hiding an SSID and using MAC filtering is little more than a false sense of security.

And all I am saying is that it’s not necessarily true that it is a false sense of security. It all depends on what you do and how you do it… As to the pros’ articles, they are in reference to using MAC ACLs and hiding the SSID instead of using WPA/WPA2 (which is very hackable as well today for that matter, i.e. Aircrack and Hashcat). Adding more layers to make it more difficult is always a good thing, such as the aforementioned AP isolation and MAC control (ACL on the AP, captive portal/RADIUS, static DHCP mapping) on a VLAN monitored for MAC spoofing.

I thought I would show the difference between a hidden SSID and a non-hidden SSID, say for someone using the common Aircrack-ng, which is now included in most Linux repositories.

Enabled SSID will provide this result.


Disabled SSID it will provide this:


While there are still ways to crack a hidden SSID and WPA/WPA2, even with Aircrack-ng you have made it several steps harder for someone to do… So as I said, hiding your SSID is still an effective deterrent in reducing who will attempt to hack your WiFi, because with Aircrack-ng and similar you can be into someone’s wireless network in a matter of minutes, depending on the type of password used. So with that, one can say WPA/WPA2 also provides a “false sense of security”: not nearly as bad as WEP, but getting there.

And one last note on hidden SSIDs and differing platforms, using Aircrack-ng to hunt for a hidden SSID.

Based on the DWL-2600AP that is used in my house:

The first station is a Windows machine, specifically Windows 7. It is horrible security-wise: as soon as I disconnected from the “internet” SSID it starts broadcasting every SSID I have connected to. Also, as soon as I connect to the unknown “IOT” it is found by Aircrack-ng.

The second station is Linux based. It sees that I am connected to the AP but did not reveal the IOT SSID when connected.

The third station is my ESP temperature sensor. I have rebooted the ESP device several times and it has connected successfully, and not once has Aircrack or Kismet detected the hidden SSID, even after hours of monitoring it. So even if they deauth-attack the ESP it would not reveal the SSID for the most common ways of retrieving a hidden SSID. It might eventually detect it, but that will be a very long while of monitoring it, or possibly they might retrieve it after a power outage when the AP reboots and its memory is flushed, as I never tried that…