Frequency of Changing SSID Password

Unanswered Question
Jun 11th, 2007

How often would you change the passwords for Guest and Employee SSID's? Would you change them every 6 months? What method do you use to notify Guests and Employees that the passwords for SSID have been changed? For Guest, would you place the document at the front lobby? For employees, would you notify them through email?

Thank you.

Diane

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
scottmac Mon, 06/11/2007 - 18:36

This is kind of a tricky question. There are a boatload of variables that would determine what's "right" for your organization.

For example, if your policy is to change pre-shared keys every 90 days ... what about is an employee is terminated two days after you change? DO you change again, or just hope that the discharged employee goes away and never bothers your network again?

How vulnerable are your other resources? Would it be any bother to your system is someone malicious crashed your resources after sucking all of the information from them?

If you accept the above to be true and / or reasonable, I'd offer the following as very broad and general suggestions:

Don't put a sign out, not even for guest networks.

Think about possibly using something like a "Captve Portal" (at least for guests) so that they can get their "easy" access, but it also permits you to get them to acknowledge your security policy (you ***DO** have a security policy, don't you ?), and you have some sort of audit trail (traveling laptops have a way for picking up trojans, virus, worms, and other malware).

The portal can also act as a proxy, to help prevent folks from doing things on your network or going to places they shouldn't be going.

There are commercial captive portals (like Cisco's BBSM) and there are free captive portals (like "nocat" which runs on Linux).

The portal might also work for your employees ... again, there are many variables.

Emailing the new Keys around the network might not work, at least some of the time; for example, if someone is on vacation the week that the "keys email" goes out, how can they get to the email system to get the new keys?

Generally, it'll be no problem ... but you have to consider who is most likely to get locked out, when, and how critical it's likely to be.

Depending on your network and wireless system(s), some other authentication and authorization system may work better ... perhaps something like EAP-Fast. It's a little more setup on the front end, and perhaps you have some clients that don't support "Cisco Mode" auth/auth.

If you have a small number of users, you may be able to run the whole auth/auth system on an AP (potential security problem, but it's done ...)

What would be helpful are some details ... things like how many employee users (concurrent and Max), how many APs, how many areas to cover, level of technical expertise with wireless, auth-auth, do you have a server with AD or LDAP? What kind of budget is available ....anything you can offer would be good, but keep in mind thast this is better done as an on-site visit by someone experienced ... the forums are good for specific questions, but it's not a good place for explicit designs.

Good Luck

Scott

rob.huffman Tue, 06/12/2007 - 05:13

Scott, as always, an excellent response! 5 points is a must.

Take care,

Rob

Actions

This Discussion

 

 

Trending Topics - Security & Network