Guarding a Wireless LAN

How useful are media access control (MAC) address filtering and turning off the advertisement of Service Set Identifiers (SSIDs) for securing wireless LANs (WANs)?

Both options protect against only casual, unskilled attackers. It's easy to find unadvertised WLANs with programs such as NetStumbler.

MAC filtering requires you to maintain on your wireless Access Points (APs) a list of the unique MAC address of each Wi-Fi device on your network. Moreover, to defeat MAC filtering, all an attacker has to do is eavesdrop long enough to collect some MAC addresses and wait for one of the devices to go offline. At that point, the attacker can assume that MAC address, and the AP is none the wiser.

Also, don't forget that all the information transmitted over a WLAN is subject to eavesdropping unless it's encrypted by using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). To protect against any but the most unskilled individual, you should implement WPA, which provides authentication and encryption for WLANs. You can base WPA authentication on either a single key shared among all devices on your WLAN, or you can leverage the user accounts in your Windows domain. For more information about WLAN security, see "A Secure Wireless Network Is Possible," May 2004, InstantDoc ID 42273, and "Using Certificates to Secure Your WLAN," August 2004, InstantDoc ID 43086.