Hardening Wireless LAN Connections Part 1 - Securely Configuring the Service Set Identifier (SSID)

(Page 7 of 11 )

The service set identifier (SSID) is a unique identifier used in the packet header of wireless packets as a password for authenticating the client. The SSID is also known as the network name. By default, most WAPs will broadcast the SSID so that wireless clients can identify the WAP to which they should connect. This creates an obvious security vulnerability, however, because anyone with a wireless client can immediately determine a WAP is in the area by using a tool such as NetStumbler.

To address this issue, it is recommended that you disable the SSID broadcast.

---

Heads Up!

In my experience, I have found that some wireless clients will not connect to a WAP that is not broadcasting the SSID. This is particularly true of Microsoft PocketPC 2003 devices using the SanDisk SDIO WiFi NIC (or any other NIC based on the Socket chipset and driver). I have, as of yet, been unable to determine why this is, though my suspicion is that it’s due primarily to the immaturity of the SDIO cards and drivers.

---

Another problem with the SSID is that many people configure it with a value that makes it easy to locate where the WAP is physically located. This is both good and bad. It is good in the sense that it allows you to quickly identify where a WAP is. It is bad, however, in that it can let hackers know that they have connected to a WAP at their target company. As a result, when you configure the SSID, you should never include any information that might identify your company, location, or brand of WAP.

The last aspect of SSID hardening you should configure is the beacon interval, which is the amount of time that transpires before the WAP advertises the SSID via broadcast. By setting the beacon interval to its maximum setting, you increase the difficulty of performing passive scanning. It is important to understand that disabling SSID broadcast or increasing the SSID beacon interval is not an end-all security solution. In fact, Microsoft claims that this is not a security measure at all. This is due to the fact that even if the SSID is not broadcast, it can still be determined if someone is using a sniffer in the area where a WAP is in operation. Changing these settings is still an effective method of obscuring your WAP from casual threats, however. All these SSID settings can be configured as follows.

The Cisco Aironet 1200 uses a default SSID of “tsunami” in what is called guest mode, which means the SSID is broadcast in the beacon. The default SSID should be removed and replaced with a new one for your environment. This can be done at the Security | SSID Manager screen shown next. If you want to make sure the SSID is not broadcast, ensure that no SSID is configured in the Guest Mode field in the “Global Radio0-802.11B SSID Properties” section of the SSID Manager screen. When you are finished, click Apply.

For the Linksys WAP54G, you can configure the SSID at the Setup | Basic Setup screen, shown next. When you are finished, click Save Settings.

The beacon interval can be configured at the Advanced | Advanced Wireless screen, shown next. When you are finished, click Save Settings.

For the Dell TrueMobile 2300, you can configure the SSID and the beacon interval at the Advanced Setting | Advanced Wireless screen, as shown next. To turn off the SSID broadcast, check the box labeled Hide My Wireless Network. When you are finished, click Submit.