Re: Wireless SSIDs (was Re: WEP)

[Dean De Beer <ddb () PLAZACOLLEGE EDU>]

Right now we do. We currently only allow HTTP, HTTPS & DNS traffic for the
guest VLAN. So far we have had no requests to be able to access POP3 & SMTP.


-Dean

-----Original Message-----
From: Mark S. Bruhn [mailto:mbruhn () INDIANA EDU] 
Sent: Friday, July 15, 2005 12:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)


Do you block 25/tcp on your unauthenticated wireless net?
Thx,
M.


> From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
> Reply-To: The EDUCAUSE Security Discussion Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Fri, 15 Jul 2005 09:19:05 -0500
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
> We have a guest network that requires no authentication and the SSID 
> is broadcast and we have a authenticated network (for faculty, staff & 
> students), where the SSID isn't broadcast and you need to authenticate 
> via LEAP.  On the guest network, you can only surf the web, use most 
> popular IM clients and VPN into our network.  For more information: 
> http://wwwnew.towson.edu/adminfinance/OTS/NetworkCom/TowsonUnplugged.a
> sp.
>
> We have had problems with some wireless cards, that don't support LEAP 
> (e.g. Linksys), recognizing the guest network as a WEP encrypted 
> network.  It prompts for a WEP key and it won't allow you to bypass 
> the prompt.  If we manually configure the settings we sometimes can 
> get on the guest network for a few minutes, but then it reverts back 
> to prompting for a WEP key.  In these cases, we refer people to buy 
> our supported Dell Wireless card in the bookstore for about $40.
>
> With the limited amount of information that I know, if I was setting 
> up a wireless network, I would investigate using PEAP because it is 
> more secure and it appears to be supported natively in Windows XP SP2 
> (LEAP isn't natively supported; you have to hunt for a client that 
> supports it).
>
>
>
> Jeff Koerber
> Field Support Coordinator
> Office of Technology Services
> Towson University
> Towson, MD 
>
> -----Original Message-----
> From: Dean De Beer [mailto:ddb () plazacollege edu]
> Sent: Wednesday, July 13, 2005 1:04 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
> We do use separate SSIDs for faculty, staff, students and different 
> departments but they are really to direct the user to the correct 
> VLAN.
>
> Using the SSID to specify the VLAN is fine but as Chris stated it is 
> easy to find a SSID that is not broadcast. When the AP is inactive no 
> beacon frames are broadcast so any wireless NIC or active scanner 
> won't find the SSID but if a notebook has associated with the AP on 
> the "hidden" SSID any passive scanner/sniffer (kismet) will see the 
> traffic and detect that SSID whether it's broadcast or not.
>
> Personally I think having all clients login through a Wireless 
> Gateway/Portal using LDAP, Transparent NTLM or Radius for 
> authentication is the easiest solution. You then don't have to worry 
> about the user having a WPA or LEAP compliant NIC card. Cisco's BBSM 
> or Bluesocket's offerings are good solutions for this.
>
> Cheers,
>
> Dean
>
> -----Original Message-----
> From: Christopher E. Cramer [mailto:chris.cramer () DUKE EDU]
> Sent: Wednesday, July 13, 2005 12:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Wireless SSIDs (was Re: WEP)
>
>
> my understanding is that there is one single SSID for the campus which 
> is broadcasted.  there may be some other SSIDs that I am unaware of, 
> but for the most part, we don't rely on the SSID for anything other 
> than identifying/specifying which wireless network you have attached 
> to. since we aren't relying on ssids for access control, this isn't a 
> problem.
>
> on a related note, i was in a space that had wireless, but the ssid 
> wasn't being broadcast.  someone came in with a mac and it "helpfully" 
> detected the non-broadcast ssid and attached itself to the wireless 
> network.  just something to consider :)
>
> -c
>
> On Wed, 13 Jul 2005, Jeff Kell wrote:
>
> > Christopher E. Cramer wrote:
> >
> > > Regarding access control, it seemed to us that a "shared secret" 
> > > between the 30,000+ people at the institution, wasn't much of a 
> > > secret and so the access control capability wasn't too useful.
> >
> > On a more fundamental level, how do you have SSIDs setup?
> >
> > *  Do you have separate SSIDs for "public", "student", "fac/staff", 
> > etc?
> > *  Do you broadcast all of them, or just certain ones.
> > *  How do you disseminate information about non-broadcast SSIDs to 
> > users?
> > *  Do you periodically change SSIDs of non-broadcast domains?
> >
> > We are currently debating this issue, haven't gotten around to 
> > encryption yet, but it is obviously on the table.  Granted that a 
> > "shared secret" or a "private SSID" between numerous users is hardly 
> > a secret, but if you broadcast, isn't that somewhat akin to an open 
> > door?
> >
> > Jeff