Re: Wireless SSIDs (was Re: WEP)

[Information Security <infosecurity () UTPA EDU>]

Jeff Kell wrote:

> Christopher E. Cramer wrote:
>
>
>
> > Regarding access control, it seemed to us that a "shared secret" between
> > the 30,000+ people at the institution, wasn't much of a secret and so the
> > access control capability wasn't too useful.
>
> On a more fundamental level, how do you have SSIDs setup?
>
> *  Do you have separate SSIDs for "public", "student", "fac/staff", etc?
> *  Do you broadcast all of them, or just certain ones.
> *  How do you disseminate information about non-broadcast SSIDs to users?
> *  Do you periodically change SSIDs of non-broadcast domains?
>
> We are currently debating this issue, haven't gotten around to encryption yet, but it is obviously on the table.  Granted that a "shared 
> secret" or a "private SSID" between numerous users is hardly a secret, but if you broadcast, isn't that somewhat akin to an open 
> door?

Only if you treat SSID as an authentication mechanism, which it isn't.
You need one of the
auth mechanisms already discussed in this thread (or a captive portal,
which no-one has mentioned
yet).  SSIDs will leak.  Even hidden ones.  They have no value
whatsoever, except perhaps
for user-level selection of the desired service group when you don't
have the facilities to
allocate them to one automatically.

My preference is for captive portal and application-level encryption
(https, ssh etc), although
we are implementing a wireless infrastructure right now and it will also
support WPA (I hope v2, I'm
still waiting to hear from the vendor) and 802.11x

G