Re: Wireless SSIDs (was Re: WEP)

["Mark S. Bruhn" <mbruhn () INDIANA EDU>]

Do you block 25/tcp on your unauthenticated wireless net?
Thx,
M.


> From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
> Reply-To: The EDUCAUSE Security Discussion Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Fri, 15 Jul 2005 09:19:05 -0500
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
> We have a guest network that requires no authentication and the SSID is
> broadcast and we have a authenticated network (for faculty, staff & students),
> where the SSID isn't broadcast and you need to authenticate via LEAP.  On the
> guest network, you can only surf the web, use most popular IM clients and VPN
> into our network.  For more information:
> http://wwwnew.towson.edu/adminfinance/OTS/NetworkCom/TowsonUnplugged.asp.
>
> We have had problems with some wireless cards, that don't support LEAP (e.g.
> Linksys), recognizing the guest network as a WEP encrypted network.  It
> prompts for a WEP key and it won't allow you to bypass the prompt.  If we
> manually configure the settings we sometimes can get on the guest network for
> a few minutes, but then it reverts back to prompting for a WEP key.  In these
> cases, we refer people to buy our supported Dell Wireless card in the
> bookstore for about $40.
>
> With the limited amount of information that I know, if I was setting up a
> wireless network, I would investigate using PEAP because it is more secure and
> it appears to be supported natively in Windows XP SP2 (LEAP isn't natively
> supported; you have to hunt for a client that supports it).
>
>
>
> Jeff Koerber
> Field Support Coordinator
> Office of Technology Services
> Towson University
> Towson, MD
>
> -----Original Message-----
> From: Dean De Beer [mailto:ddb () plazacollege edu]
> Sent: Wednesday, July 13, 2005 1:04 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
> We do use separate SSIDs for faculty, staff, students and different
> departments but they are really to direct the user to the correct VLAN.
>
> Using the SSID to specify the VLAN is fine but as Chris stated it is easy to
> find a SSID that is not broadcast. When the AP is inactive no beacon frames
> are broadcast so any wireless NIC or active scanner won't find the SSID but if
> a notebook has associated with the AP on the "hidden" SSID any passive
> scanner/sniffer (kismet) will see the traffic and detect that SSID whether
> it's broadcast or not.
>
> Personally I think having all clients login through a Wireless Gateway/Portal
> using LDAP, Transparent NTLM or Radius for authentication is the easiest
> solution. You then don't have to worry about the user having a WPA or LEAP
> compliant NIC card. Cisco's BBSM or Bluesocket's offerings are good solutions
> for this.
>
> Cheers,
>
> Dean
>
> -----Original Message-----
> From: Christopher E. Cramer [mailto:chris.cramer () DUKE EDU]
> Sent: Wednesday, July 13, 2005 12:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
>
> my understanding is that there is one single SSID for the campus which is
> broadcasted.  there may be some other SSIDs that I am unaware of, but for
> the most part, we don't rely on the SSID for anything other than
> identifying/specifying which wireless network you have attached to.
> since we aren't relying on ssids for access control, this isn't a problem.
>
> on a related note, i was in a space that had wireless, but the ssid wasn't
> being broadcast.  someone came in with a mac and it "helpfully" detected
> the non-broadcast ssid and attached itself to the wireless network.  just
> something to consider :)
>
> -c
>
> On Wed, 13 Jul 2005, Jeff Kell wrote:
>
> > Christopher E. Cramer wrote:
> >
> > > Regarding access control, it seemed to us that a "shared secret"
> > > between the 30,000+ people at the institution, wasn't much of a
> > > secret and so the access control capability wasn't too useful.
> >
> > On a more fundamental level, how do you have SSIDs setup?
> >
> > *  Do you have separate SSIDs for "public", "student", "fac/staff",
> > etc?
> > *  Do you broadcast all of them, or just certain ones.
> > *  How do you disseminate information about non-broadcast SSIDs to users?
> > *  Do you periodically change SSIDs of non-broadcast domains?
> >
> > We are currently debating this issue, haven't gotten around to
> > encryption yet, but it is obviously on the table.  Granted that a
> > "shared secret" or a "private SSID" between numerous users is hardly a
> > secret, but if you broadcast, isn't that somewhat akin to an open
> > door?
> >
> > Jeff