The CWNP Program's stance on SSID hiding and use of strong authentication/encryption is exactly as stated by Criss Hyde. Just thought I would chime in.
OOPS, that must be one of the reasons I am behind the power curve. I am guilty of hiding my SSID, and I am not from the great state of Arkansas. :)
I work for a wireless internet service provider. I have never seen a subscriber with anything but an 802.11b or 802.11g AP, so other security methods (included in 802.11i) are not available. During a standard installation we only disable SSID Broadcast. Any further security approaches are at the discretion of the subscriber, and we do not support the setup.
It seems to me it may be a long time for the average SOHO user to adopt 802.11i, especially considering that most do not use the (not so) security features available to them. Maybe 802.11i will become commonplace sometime after big box stores stop even selling 802.11b or 802.11g products, or at least offer them at comparable prices. Now, a corporate or business environment may be another story...
Hi Novo of Canada:
One of the several reasons your customers will start using the WPA and WPA2 features in their 802.11b and 802.11g access points is that you stop acting like disabling their SSID broadcast is helping them.
All Wi-Fi branded equipment entering the market since late 2003 includes at least WPA. Some access point equipment and much client equipment vended before that can be field updated for WPA. (Granted, updating firmware is not something most non-Apple Wi-Fi customers want to do.)
You will be doing your customers a great service to tell them to do at least this:
1. Don't operate a WLAN without at least WPA-Personal enabled.
2. Use a secret WLAN passphrase of at least twenty characters of jumbled alphabet, numerals, and punctuation.
3. Don't even think of using WEP or hiding the SSID. Buy newer faster equipment if necessary; it is cheap.
And when your customers find that using a WLAN with proper SSID is easier than with hidden SSID, you will sell more service!
I hope this helps. Thanks. /criss
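To put numbers behind the two recommendations above (WPA-Personal on, and a long mixed passphrase), here is an added example that is not part of the thread: it checks a passphrase against the twenty-character rule and then derives the WPA/WPA2 pre-shared key the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt). The derivation makes the SSID's role plain: it is a salt, not a secret, so all the secrecy of the key comes from the passphrase, and hiding the SSID adds nothing to it. The function names and the sample passphrases are mine; the "password"/"IEEE" pair is the well-known 802.11i test vector.

```python
import hashlib
import string

# Threshold from the recommendation in the thread (assumed policy, not a standard).
MIN_PASSPHRASE_LEN = 20

def check_passphrase_policy(passphrase: str) -> list:
    """Return a list of policy violations; an empty list means the passphrase passes.

    WPA-Personal itself only requires 8 to 63 printable ASCII characters (0x20-0x7E);
    the length and character-class rules are the thread's stricter recommendation.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-Personal passphrases must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must be printable ASCII")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    classes = {
        "letters": any(c.isalpha() for c in passphrase),
        "numerals": any(c.isdigit() for c in passphrase),
        "punctuation": any(c in string.punctuation for c in passphrase),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    return problems

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key (the PMK) as 802.11i defines it:
    PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
    The SSID is the salt, which is why it can be public without weakening the key."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    )

if __name__ == "__main__":
    # Constructed sample passphrases for illustration.
    for candidate in ("password", "Tr0ub4dor&3-horse!staple9"):
        print(candidate, check_passphrase_policy(candidate) or "passes policy")
    # Same passphrase, different SSIDs: the salt changes the key, but the
    # only secret input is still the passphrase.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "ieee").hex())
```

The check is deliberately a policy check, not an entropy estimate: a twenty-character passphrase built from dictionary words still clears it, so treat it as a floor, not a guarantee.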
Remember, lots of stations still don't support WPA or WPA2. If you use a mobile station (handheld or phone), forget about WPA2. Most phones don't even support WPA.
In my opinion WEP and disabling the broadcast of SSIDs should continue to be supported by vendors indefinitely. People are always going to want to hold onto legacy devices as long as possible and if you want to make money catering to these people, then you have to allow them to use as much security as their stations will allow.
Like it or not, disabling the SSID broadcast and/or using WEP makes a Wi-Fi network more secure than leaving it open.
Security by obscurity is not something you want to promote if there's a stronger alternative.
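The exchange above turns on what "hiding" the SSID actually does: the access point sends an empty or null-padded SSID element in its beacons, but the same SSID still travels in the clear in the probe responses (and association frames) that every client needs to join. The following is an added example, not from the thread, that parses the SSID element out of constructed 802.11 management frames and shows a beacon's "hidden" verdict being overwritten by a probe response for the same BSSID. Frame layout follows the 802.11 management-frame format; the frames, addresses and SSID are constructed test data, and the function names are mine.

```python
from __future__ import annotations

SSID_IE = 0               # element ID of the SSID information element
SUBTYPE_BEACON = 8
SUBTYPE_PROBE_RESP = 5
MGMT_HEADER_LEN = 24      # FC, duration, addr1-3, sequence control
FIXED_FIELDS_LEN = 12     # timestamp(8) + beacon interval(2) + capability(2)

def build_mgmt_frame(subtype: int, ssid_field: bytes,
                     bssid: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Build a minimal beacon or probe response (constructed test data, not a capture)."""
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])   # type 0 = management
    header = (frame_control + b"\x00\x00"                 # duration
              + b"\xff" * 6                                # addr1: broadcast
              + bssid + bssid                              # addr2 (SA), addr3 (BSSID)
              + b"\x00\x00")                               # sequence control
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"        # timestamp, 100 TU, ESS+privacy
    ssid_ie = bytes([SSID_IE, len(ssid_field)]) + ssid_field
    return header + fixed + ssid_ie

def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters (ID, length, data) and return {id: data}.
    Stops at a truncated element instead of reading past the frame."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2: i + 2 + length]
        if len(data) < length:
            break
        ies.setdefault(eid, data)
        i += 2 + length
    return ies

def ssid_status(frame: bytes) -> tuple:
    """Classify the SSID element of a beacon or probe response."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_FIELDS_LEN:
        return ("truncated-frame", None)
    subtype = frame[0] >> 4
    if (frame[0] & 0x0C) != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return ("not-a-beacon-or-probe-response", None)
    ssid = parse_ies(frame[MGMT_HEADER_LEN + FIXED_FIELDS_LEN:]).get(SSID_IE)
    if ssid is None:
        return ("no-ssid-element", None)
    if len(ssid) == 0:
        return ("hidden-zero-length", None)       # the common "SSID broadcast disabled" form
    if all(b == 0 for b in ssid):
        return ("hidden-null-padded", None)       # some vendors pad with NULs instead
    return ("visible", ssid.decode("utf-8", errors="replace"))

def reconcile(frames: list) -> dict:
    """Per BSSID (address 3), keep the best SSID knowledge seen so far. A visible
    SSID from a probe response replaces a 'hidden' verdict from a beacon, which is
    why disabling the beacon SSID provides obscurity rather than secrecy."""
    result = {}
    for frame in frames:
        status, ssid = ssid_status(frame)
        bssid = frame[16:22].hex(":")
        if status.startswith("hidden") and bssid not in result:
            result[bssid] = status
        elif status == "visible":
            result[bssid] = ssid
    return result

if __name__ == "__main__":
    frames = [
        build_mgmt_frame(SUBTYPE_BEACON, b""),                # AP with SSID broadcast disabled
        build_mgmt_frame(SUBTYPE_PROBE_RESP, b"HomeNet"),     # its reply to a client's probe
    ]
    for f in frames:
        print(ssid_status(f))
    print(reconcile(frames))
```

In a real capture the same logic applies to association requests, which carry the SSID as well; the point for a defender is that the beacon is the only place the name is ever suppressed, so the setting belongs in the "cosmetic" column of a security review, not the "control" column.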
WEP and WPA use the same stream cipher, and TKIP (in WPA) uses scarcely more horsepower than static WEP. Even Cisco's phones support LEAP, and if they support LEAP, they can support WPA-Personal or WPA-Enterprise very easily. It's simply a matter of Cisco taking the time to make it happen.
I think vendors should discontinue use and support of static WEP immediately. This would force immediate upgrades to all kinds of equipment. We know that this is true because WPA was born out of security necessity practically overnight.
I can agree that it might be a while before we see WPA2 in a phone or PDA, but WPA-Personal and WPA-Enterprise are quite strong and should be used if WPA2 cannot due to hardware limitations.
It's easy to tell people to trash all of their devices that can't support WPA and/or WPA2. It's far more difficult to make that happen in reality. Remember, the number one job of a network person is to SUPPORT the end-users. Networking people should strongly RECOMMEND a switch to WPA or WPA2. When you say things like, "I think vendors should discontinue use and support of WEP immediately," you make yourself look like a guy who sits around theorizing all day without actually considering the situation in the real world.
On the contrary, by taking this stance I look like the guy who knows a little something about WLAN security. I deal with large organizations that have hundreds of these "WEP only" type devices. I'm not saying to trash those devices, but what I am saying is that they should DEMAND that the vendor make WPA upgrades available for those devices. Vendors will usually comply with the wishes of customers with this type of buying power.
Many customers care not a whit about security. They need neither WEP nor hidden SSIDs to help them feel better. Open is fine with them.
Many customers care about security. Knowing that WEP is broken and hiding SSIDs is a joke they will use WPA even if it means spending some money.
Many customers care just a whit or two about security. It is these customers who are most disserviced by the idea that WEP with hidden SSIDs is an ok alternative to WPA with convenient SSIDs, even if the latter costs money.
Regarding Devin's post, I think vendors are well advised for the time being to continue selling WEP/WPA capable equipment while customers are well advised to ignore WEP and insist on WPA. Don't go home (or to the office) without it.
I hope this helps. Thanks. /criss
I agree with what Devin wrote in his last post. My only question is: what do you do when the handheld maker doesn't move on supporting WPA? Junk the device or use WEP? My opinion is that you strongly encourage management to make a migration plan away from those WEP-only handhelds. If management balks, however, you still have to support it.
You forgot about another category of Wi-Fi users: those who think that anyone who uses any security on a Wi-Fi network is a security Nazi. There are lots of folks who feel that Wi-Fi internet access should be free to everyone. (Trust me, I'm not defending these people. I just am telling you they exist.)