Page 790 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

If multiple base stations or wireless access points are involved in the same wireless network, an extended station set identifier (ESSID) is defined. The SSID is similar to the name of a workgroup. If a wireless client knows the SSID, it can configure its wireless NIC to communicate with the associated WAP. Knowledge of the SSID does not always grant entry, though, because the WAP can use numerous security features to block unwanted access. SSIDs are defined by default by vendors, and since these default SSIDs are well known, standard security practice dictates that the SSID should be changed to something unique before deployment.

The SSID is broadcast by the WAP via a special transmission called a beacon frame. This allows any wireless NIC within range to see the wireless network and make connecting as simple as possible. However, this default broadcasting of the SSID should be disabled to keep the wireless network secret. Even so, attackers can still discover the SSID with a wireless sniffer since the SSID must still be used in transmissions between wireless clients and the WAP. Thus, disabling SSID broadcasting is not a true mechanism of security. Instead, use WPA2 as a reliable authentication and encryption solution rather than trying to hide the existence of the wireless network.

Disable SSID Broadcast

Wireless networks traditionally announce their SSID on a regular basis within a special packet known as the beacon frame. When the SSID is broadcast, any device with an automatic detect and connect feature not only is able to see the network but can also initiate a connection with the network. Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it is still a discoverable value to anyone with a wireless packet sniffer. Thus, SSID broadcast should be disabled if the network is not for public use, but realize that hiding the SSID is not true security because any hacker with basic wireless knowledge can easily discover the SSID.
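To make the point concrete, the following added example (not from the study guide) parses constructed 802.11 beacon frames and shows what an observer still learns when SSID broadcast is disabled: the beacon keeps going out with the BSSID, channel and capability bits, and only the SSID element is blanked. It also flags whether an RSN element (WPA2/WPA3) is present, which is the control the text recommends instead of hiding the network. The frame bytes and BSSID are constructed samples, not captures.

```python
import struct

# 802.11 information element IDs used here (IEEE 802.11 element IDs)
IE_SSID, IE_DS_PARAMS, IE_RSN = 0, 3, 48

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap header) and report what it exposes."""
    fc, _dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):            # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                      # Addr3 carries the BSSID in a beacon
    # Fixed fields after the 24-byte MAC header: timestamp(8), interval(2), capability(2)
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid.hex(":"), "ssid": None, "hidden": False,
            "channel": None, "privacy": bool(cap & 0x0010), "rsn": False}
    off = 36
    while off + 2 <= len(frame):              # walk the tagged (ID, length, body) elements
        eid, elen = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated information element")
        if eid == IE_SSID:
            # "Disable SSID broadcast" only empties this element (zero-length or all NUL);
            # the beacon itself is still transmitted
            if elen == 0 or body == b"\x00" * elen:
                info["hidden"] = True
            else:
                info["ssid"] = body.decode("utf-8", "replace")
        elif eid == IE_DS_PARAMS and elen == 1:
            info["channel"] = body[0]
        elif eid == IE_RSN:
            info["rsn"] = True                # RSN element present: WPA2/WPA3 offered
        off += 2 + elen
    return info

def build_beacon(bssid: bytes, ssid: bytes, channel: int, rsn: bool) -> bytes:
    """Build a constructed sample beacon (demonstration data, not a real capture)."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    cap = 0x0001 | (0x0010 if rsn else 0)     # ESS bit, plus Privacy bit when encrypted
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    if rsn:   # minimal RSN IE: version 1, group CCMP, one pairwise CCMP, one PSK AKM
        body = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04" + struct.pack("<H", 1) +
                b"\x00\x0f\xac\x04" + struct.pack("<H", 1) + b"\x00\x0f\xac\x02" + b"\x00\x00")
        ies += bytes([IE_RSN, len(body)]) + body
    return hdr + fixed + ies

BSSID = bytes.fromhex("021122334455")                    # constructed, locally administered
VISIBLE = build_beacon(BSSID, b"CorpWiFi", 6, rsn=True)  # broadcast SSID, WPA2 enabled
HIDDEN = build_beacon(BSSID, b"", 6, rsn=False)          # broadcast disabled, no encryption
```

Run `parse_beacon(HIDDEN)` and note that `bssid`, `channel` and `privacy` are all still readable; the only thing hiding the SSID removed is the name, which the text explains reappears in client traffic anyway.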