Network Computing (InformationWeek Business Technology Network)

Security Watch
COLUMN
A Lesson in Functionality

  October 29, 2001
  By Robert Moskowitz


When a technology blossoms in usability and affordability, its popularity often makes its design errors painfully obvious. At the same time, such widespread scrutiny can lead to misapprehension regarding the technology's design features, which may then get lumped in with the list of its errors. Today's poster-child technology for this affliction is WLANs (wireless LANs) based on the IEEE 802.11b standard (for more on WLANs, see our cover story). The standard's effort at WEP (Wired Equivalent Privacy) has some serious design flaws. Nope, it's not equivalent to a wired network, since anyone within a 1,500-foot reception range of your APs (access points) can break into your network in about two hours. Along with all the attention on the inadequate security for wireless networks, another 802.11 feature called the SSID (Service Set Identifier) has been deemed poorly designed. However, the SSID is misunderstood--in fact, it works quite well for its intended purpose.



Most WLAN deployments center around an AP, creating a hub communication system. Even if two stations are close together and have better signal quality, all traffic between them goes through the AP. The IEEE 802.11 Handbook: A Designer's Companion (IEEE, 1999) offers a good discussion about the challenges you'll face in WLAN construction. WLANs are designed to find components in your network and ignore components in other networks. Components in a WLAN find each other through special beacon frames that are part of MAC (Media Access Control) management. These beacon frames contain information about a particular WLAN, including its SSID. Since beacon frames are public, unencrypted frames, the SSID is exposed to all listeners. Many in the security and media communities have maligned this design, claiming a wide-open SSID exposes a network to potential attack. Before melting into hysteria, let's examine exactly why we have SSIDs, why they're exposed and how they might be managed.

Company A and Company B are on the same floor of an office building. Each company needs only one AP and places that AP on its east wall. Company B's east wall is Company A's west wall, and Company A has a number of workstations along its west wall (still with me?). If the two APs are configured the same way, are from the same vendor and are using the same default settings, for example, Company A's workstations that are positioned closer to Company B's AP will associate with Company B's AP--to the dismay of both companies. This is where SSIDs come in. Both companies must override the vendor SSID default and enter an appropriate and unique string (up to 32 bytes) into their respective AP and workstations. Workstations will ignore beacons with SSIDs not found in a list of supported SSIDs. This is how we manage two or more WLANs with overlapping coverage. The role played by the SSID in managing WLAN workstations and APs requires it be a public field.

SSIDs are not about privacy. Their role is strictly for discovery and association. An SSID is a public string. With the availability of tools such as Netstumbler, combined with a GPS (Global Positioning System), obfuscation using a randomly named SSID will not hide your network. In fact, SSID discovery and enumeration are built into Microsoft Windows XP; XP lets a station try every SSID it discovers. Once you understand the role of the SSID, you'll set it for every WLAN you deploy, even the one in your home, especially if you live in an apartment. You never know when someone will deploy a WLAN that overlaps with yours.
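The beacon handling described above, as an added example that is not part of the original column: it parses the SSID element out of a beacon frame, shows that the string is readable even when the beacon advertises WEP, and applies the station-side filter against a list of supported SSIDs. The SSID strings, BSSIDs and function names are constructed for illustration, and the frames are minimal beacons built inline rather than captures.

```python
import struct

MGMT_BEACON = 0x80           # frame-control byte 0: management type, beacon subtype
HDR_LEN, FIXED_LEN = 24, 12  # MAC header; timestamp(8) + interval(2) + capability(2)
PRIVACY_BIT = 0x0010         # capability bit that advertises WEP

def build_beacon(bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    """Construct a minimal beacon frame (sample data for this example)."""
    if len(ssid) > 32:
        raise ValueError("SSID is limited to 32 bytes")
    hdr = struct.pack("<BBH6s6s6sH", MGMT_BEACON, 0, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    return hdr + fixed + bytes([0, len(ssid)]) + ssid  # element ID 0 = SSID

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, privacy) or None if not a well-formed beacon."""
    if len(frame) < HDR_LEN + FIXED_LEN or frame[0] != MGMT_BEACON:
        return None
    bssid = frame[16:22]
    (cap,) = struct.unpack_from("<H", frame, HDR_LEN + 10)
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):           # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            return None                    # truncated element
        if eid == 0 and elen <= 32:
            return bssid, body, bool(cap & PRIVACY_BIT)
        pos += 2 + elen
    return None

def candidate_aps(frames, supported_ssids):
    """Station-side filter: ignore beacons whose SSID is not on the configured list."""
    out = []
    for f in frames:
        parsed = parse_beacon(f)
        if parsed and parsed[1] in supported_ssids:
            out.append(parsed[0])
    return out

# Constructed sample: two overlapping WLANs on one floor, both with WEP enabled.
AP_A = bytes.fromhex("020000000a01")
AP_B = bytes.fromhex("020000000b01")
AIR = [build_beacon(AP_A, b"company-a-floor3", True),
       build_beacon(AP_B, b"company-b-floor3", True)]

if __name__ == "__main__":
    for frame in AIR:
        print(parse_beacon(frame))         # SSID is readable despite the privacy bit
    print(candidate_aps(AIR, {b"company-a-floor3"}))
```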

Cryptographers and WLAN engineers are doing some serious redesigning to develop a replacement privacy protocol for WLANs that will fit into existing 802.11 cards (of course, there is no guarantee they will succeed or that a new privacy protocol will work on all existing WLAN cards). Most important right now is for you to understand today's wireless security risks and tools, which means use SSIDs only for their intended purpose and let your expectations stop there.

Robert Moskowitz is a senior technical director at TruSecure Corp. Send your comments on this column to him at rgm@htt-consult.com.






