Educause Security Discussion mailing list archives
Re: Wireless SSIDs (was Re: WEP)
From: "Mark S. Bruhn" <mbruhn () INDIANA EDU>
Date: Fri, 15 Jul 2005 11:58:05 -0500
Do you block 25/tcp on your unauthenticated wireless net? Thx, M.
From: "Koerber, Jeff" <jkoerber () TOWSON EDU> Reply-To: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Date: Fri, 15 Jul 2005 09:19:05 -0500 To: <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP) We have a guest network that requires no authentication and the SSID is broadcast and we have a authenticated network (for faculty, staff & students), where the SSID isn't broadcast and you need to authenticate via LEAP. On the guest network, you can only surf the web, use most popular IM clients and VPN into our network. For more information: http://wwwnew.towson.edu/adminfinance/OTS/NetworkCom/TowsonUnplugged.asp. We have had problems with some wireless cards, that don't support LEAP (e.g. Linksys), recognizing the guest network as a WEP encrypted network. It prompts for a WEP key and it won't allow you to bypass the prompt. If we manually configure the settings we sometimes can get on the guest network for a few minutes, but then it reverts back to prompting for a WEP key. In these cases, we refer people to buy our supported Dell Wireless card in the bookstore for about $40. With the limited amount of information that I know, if I was setting up a wireless network, I would investigate using PEAP because it is more secure and it appears to be supported natively in Windows XP SP2 (LEAP isn't natively supported; you have to hunt for a client that supports it). Jeff Koerber Field Support Coordinator Office of Technology Services Towson University Towson, MD -----Original Message----- From: Dean De Beer [mailto:ddb () plazacollege edu] Sent: Wednesday, July 13, 2005 1:04 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP) We do use separate SSIDs for faculty, staff, students and different departments but they are really to direct the user to the correct VLAN. Using the SSID to specify the VLAN is fine but as Chris stated it is easy to find a SSID that is not broadcast. When the AP is inactive no beacon frames are broadcast so any wireless NIC or active scanner won't find the SSID but if a notebook has associated with the AP on the "hidden" SSID any passive scanner/sniffer (kismet) will see the traffic and detect that SSID whether it's broadcast or not. Personally I think having all clients login through a Wireless Gateway/Portal using LDAP, Transparent NTLM or Radius for authentication is the easiest solution. You then don't have to worry about the user having a WPA or LEAP compliant NIC card. Cisco's BBSM or Bluesocket's offerings are good solutions for this. Cheers, Dean -----Original Message----- From: Christopher E. Cramer [mailto:chris.cramer () DUKE EDU] Sent: Wednesday, July 13, 2005 12:01 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP) my understanding is that there is one single SSID for the campus which is broadcasted. there may be some other SSIDs that I am unaware of, but for the most part, we don't rely on the SSID for anything other than identifying/specifying which wireless network you have attached to. since we aren't relying on ssids for access control, this isn't a problem. on a related note, i was in a space that had wireless, but the ssid wasn't being broadcast. someone came in with a mac and it "helpfully" detected the non-broadcast ssid and attached itself to the wireless network. just something to consider :) -c On Wed, 13 Jul 2005, Jeff Kell wrote:Christopher E. Cramer wrote:Regarding access control, it seemed to us that a "shared secret" between the 30,000+ people at the institution, wasn't much of a secret and so the access control capability wasn't too useful.On a more fundamental level, how do you have SSIDs setup? * Do you have separate SSIDs for "public", "student", "fac/staff", etc? * Do you broadcast all of them, or just certain ones. * How do you disseminate information about non-broadcast SSIDs to users? * Do you periodically change SSIDs of non-broadcast domains? We are currently debating this issue, haven't gotten around to encryption yet, but it is obviously on the table. Granted that a "shared secret" or a "private SSID" between numerous users is hardly a secret, but if you broadcast, isn't that somewhat akin to an open door? Jeff
Current thread:
- Re: Wireless SSIDs (was Re: WEP) Jeff Kell (Jul 13)
- <Possible follow-ups>
- Re: Wireless SSIDs (was Re: WEP) Willis Marti (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Information Security (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Information Security (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Willis Marti (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Christopher E. Cramer (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Dean De Beer (Jul 13)
- Re: Wireless SSIDs (was Re: WEP) Koerber, Jeff (Jul 15)
- Re: Wireless SSIDs (was Re: WEP) Mark S. Bruhn (Jul 15)
- Re: Wireless SSIDs (was Re: WEP) Dean De Beer (Jul 15)
- Re: Wireless SSIDs (was Re: WEP) Jeff Kell (Jul 15)
- Re: Wireless SSIDs (was Re: WEP) Koerber, Jeff (Jul 18)