Educause Security Discussion mailing list archives
Re: Wireless SSIDs (was Re: WEP)
From: Dean De Beer <ddb () PLAZACOLLEGE EDU>
Date: Wed, 13 Jul 2005 13:03:48 -0400
We do use separate SSIDs for faculty, staff, students and different departments but they are really to direct the user to the correct VLAN. Using the SSID to specify the VLAN is fine but as Chris stated it is easy to find an SSID that is not broadcast. When the AP is inactive no beacon frames are broadcast so any wireless NIC or active scanner won't find the SSID but if a notebook has associated with the AP on the "hidden" SSID any passive scanner/sniffer (kismet) will see the traffic and detect that SSID whether it's broadcast or not.

Personally I think having all clients log in through a Wireless Gateway/Portal using LDAP, Transparent NTLM or RADIUS for authentication is the easiest solution. You then don't have to worry about the user having a WPA or LEAP compliant NIC card. Cisco's BBSM or Bluesocket's offerings are good solutions for this.

Cheers,
Dean

-----Original Message-----
From: Christopher E. Cramer [mailto:chris.cramer () DUKE EDU]
Sent: Wednesday, July 13, 2005 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)

my understanding is that there is one single SSID for the campus which is broadcast. there may be some other SSIDs that I am unaware of, but for the most part, we don't rely on the SSID for anything other than identifying/specifying which wireless network you have attached to. since we aren't relying on ssids for access control, this isn't a problem.

on a related note, i was in a space that had wireless, but the ssid wasn't being broadcast. someone came in with a mac and it "helpfully" detected the non-broadcast ssid and attached itself to the wireless network. just something to consider :)

-c

On Wed, 13 Jul 2005, Jeff Kell wrote:
> Christopher E. Cramer wrote:
>> Regarding access control, it seemed to us that a "shared secret" between the 30,000+ people at the institution wasn't much of a secret and so the access control capability wasn't too useful.
>
> On a more fundamental level, how do you have SSIDs set up?
>
> * Do you have separate SSIDs for "public", "student", "fac/staff", etc?
> * Do you broadcast all of them, or just certain ones?
> * How do you disseminate information about non-broadcast SSIDs to users?
> * Do you periodically change SSIDs of non-broadcast domains?
>
> We are currently debating this issue, haven't gotten around to encryption yet, but it is obviously on the table. Granted that a "shared secret" or a "private SSID" between numerous users is hardly a secret, but if you broadcast, isn't that somewhat akin to an open door?
>
> Jeff
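
The point made in this message, that a non-broadcast SSID becomes visible once a client associates, as an added example that is not part of the original post: the sketch parses constructed 802.11 management frames and reports each BSSID whose beacons carry an empty SSID element while the name appears in client traffic. The MAC addresses, the SSID `fac-staff`, the helper names, and the assumption that a hidden network still beacons with an empty or NUL-filled SSID element are all illustrative.

```python
import struct

# Fixed-field bytes between the 24-byte management header and the tagged
# elements, keyed by 802.11 management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp"}

def parse_ssid(frame):
    """Return (subtype, bssid, ssid) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None                      # too short, or not a management frame
    subtype = frame[0] >> 4
    if subtype not in FIXED_LEN:
        return None
    bssid = frame[16:22].hex(":")        # address 3
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None                  # truncated element
        if eid == 0:                     # SSID element; hidden = empty or NULs
            return subtype, bssid, body.strip(b"\x00").decode("utf-8", "replace")
        pos += 2 + elen
    return None

def exposed_ssids(frames):
    """BSSIDs whose beacons hide the SSID, mapped to (name, leaking frame)."""
    hidden, leaks = set(), {}
    for parsed in filter(None, map(parse_ssid, frames)):
        subtype, bssid, ssid = parsed
        if subtype == 8 and not ssid:
            hidden.add(bssid)
        elif subtype != 8 and ssid:
            leaks.setdefault(bssid, (ssid, NAMES[subtype]))
    return {b: leaks[b] for b in hidden if b in leaks}

def mgmt(subtype, sta, bssid, ssid, fixed):
    # Constructed sample frame: header, zeroed fixed fields, SSID element.
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + bssid + sta + bssid + b"\x00\x00"
    return hdr + bytes(fixed) + bytes([0, len(ssid)]) + ssid

AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")  # constructed
SAMPLE = [
    mgmt(8, AP, AP, b"", 12),            # beacon, zero-length SSID
    mgmt(8, AP, AP, b"\x00" * 9, 12),    # beacon, NUL-padded SSID
    mgmt(0, STA, AP, b"fac-staff", 4),   # a notebook associating
]

if __name__ == "__main__":
    print(exposed_ssids(SAMPLE))
```

With only the two beacons the result is empty; adding the single association request is enough to name the network, which is why the SSID cannot serve as an access control.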