SSID broadcasting

schaufd
Level 1

Would like a couple of opinions on broadcasting the SSID or not. We have 200 1200 series APs across a college campus and currently only broadcast in a couple of areas (about 5%) of the campus. We also have Cisco's WLSE to manage them.

2 Accepted Solutions


scottmac
Level 10

IMHO, not broadcasting SSID is security the same way that wrapping yourself in aluminum foil makes you bulletproof. (It isn't / doesn't, trust me).

Much of this decision comes down to administrative bandwidth.

For example, by not broadcasting your SSID, anyone using MS Windows Zero Wireless Config will have problems connecting ... ZWC will always prefer a broadcast SSID, frequently even if you have the client "hard coded" to associate with a specific SSID. Expect phone calls.

With either decision, I'd hope that you have some solid back-office authentication and authorization.

It basically boils down to you having something that other people want (bandwidth, potentially for free). If you're lucky, people will *only* steal bandwidth.

Historically, I believe you'll find that "only" stealing bandwidth is not enough, you're gonna get some hotshot or script-kiddie, or spammer, or porno king that will do malicious things to and over your network (whether you broadcast your SSID or not .. word gets around).

For the sake of user convenience, and to reduce the "My Laptop won't connect to your wireless system" (it tries to connect to some student's rogue AP or other hotspot) calls.

Also keep in mind that if you don't broadcast your SSID, but some other (malicious) person does (advertise *your* SSID) ... they can spoof the user and capture the traffic ... or at least it makes it significantly easier to execute a man-in-the-middle attack (do a search for "ettercap").

Advertise your SSIDs and have a good auth/auth system on the back-end. Log everything and be vigilant. Have a plan (and a strong policy) for dealing with attackers and don't hesitate to execute it.

There's a couple days' worth of discussion around this topic and a variety of opinions, each valid within a given context. You have to weigh the consumers versus the administration, versus the risk, versus the budget .... and a dozen other variables.

There is (usually) no single best answer for most scenarios.

That's why a good designer / system architect pulls down the big bucks and is worth every cent.

Good Luck

Scott
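The "log everything and be vigilant" advice above, applied to the case of someone else advertising *your* SSID, can be sketched as a check of scan results against the AP inventory. This is an added example, not part of the original post; the SSID `CampusNet`, the BSSIDs, the security labels and the scan records are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of managed APs: BSSID -> (SSID, expected security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CampusNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CampusNet", "WPA2-Enterprise"),
}

@dataclass(frozen=True)
class Observation:
    ssid: str       # "" means the beacon did not carry the SSID (broadcast off)
    bssid: str
    channel: int
    security: str

def classify(obs, authorized=AUTHORIZED):
    """Return a verdict for one scan record."""
    bssid = obs.bssid.lower()
    managed_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        ssid, security = authorized[bssid]
        if obs.ssid not in ("", ssid):
            return "config-drift"        # our radio, unexpected SSID
        if obs.security != security:
            # A known BSSID with different security may be a spoofed BSSID.
            return "security-mismatch"
        return "ok"
    if obs.ssid in managed_ssids:
        return "evil-twin-suspect"       # our SSID from a radio we do not own
    return "unmanaged"                   # a neighbour's network

def audit(scan, authorized=AUTHORIZED):
    """Return (bssid, verdict) for every record that needs follow-up."""
    ignore = ("ok", "unmanaged")
    return [(o.bssid.lower(), v) for o in scan
            if (v := classify(o, authorized)) not in ignore]

# Constructed scan records, e.g. exported from a monitoring AP or sensor.
SCAN = [
    Observation("CampusNet", "00:11:22:33:44:01", 1, "WPA2-Enterprise"),
    Observation("", "00:11:22:33:44:02", 6, "WPA2-Enterprise"),
    Observation("CampusNet", "DE:AD:BE:EF:00:01", 6, "Open"),
    Observation("CampusNet", "00:11:22:33:44:02", 11, "Open"),
    Observation("CoffeeShop", "aa:bb:cc:00:00:01", 11, "WPA2-Personal"),
]

if __name__ == "__main__":
    for bssid, verdict in audit(SCAN):
        print(bssid, verdict)
```

The check works the same whether or not the managed APs broadcast, since it keys on the BSSID inventory rather than on the SSID being visible.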


Regarding "ZWC will always prefer a broadcast SSID, frequently even if you have the client "hard coded" to associate with a specific SSID. Expect phone calls..."

This is no longer the case. In their infinite wisdom MS has finally made Zero config usable. Just install this patch: http://support.microsoft.com/?kbid=917021

Here's a bit of background info http://www.microsoft.com/technet/itsolutions/network/evaluate/hiddennet.mspx


6 Replies

Stephen Rodriguez
Cisco Employee

Depends on what the WLAN is to be used for. If it's for guest access, then yes set it to broadcast, if it's for staff, then no I wouldn't broadcast it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

ethiel
Level 3

Here's my opinion. Take it for what it's worth. I'm in the process of deploying a good sized university. First off, I agree with Stephen that a bit more information could help us help you. For the purpose of this discussion, I will assume you have a similar environment as I am in right now.

Disabling SSID broadcast for security reasons is pointless nowadays in my opinion. Anyone that knows how to break wireless security can get the SSID with no effort at all. That rules out one reason to not broadcast.

Now as Stephen said, if you are intending public access, you absolutely should broadcast.

If you are going to have special-purpose SSIDs such as VoIP, or maybe campus police, or any other SSID that is not intended for general use, I find it best to disable broadcast just to minimize confusion for users. If I broadcast, I will likely get calls asking how to get on from people who don't belong on the SSID.

If you have a secure SSID for students/staff/faculty, I would suggest broadcasting. The reason is it makes it easier for the user, and puts you no more at risk of intrusion IMO.

Now with all of that said, I am not sure how closely you work with your account reps at Cisco, but if you have plans to expand your WLAN, I would highly recommend talking to them about LWAPP based APs. The ease of deployment and management in a campus environment is well worth the expense in my opinion. My current deployment will likely grow to 6000 APs, and the cost per AP to deploy drops off significantly after the first few buildings because the infrastructure is already in place.

-Eric

Please remember to rate all helpful posts.

To answer both the first question, all our students (7500) are registered users and have campus laptops now and we set up the wireless with our SSID in it. I have left a couple areas with the broadcast on because it is where some guests come in. My 2 concerns were security and traffic difference with broadcast on (too much chattering between them with broadcast on). I do understand that security is a joke especially with the SSID but it is a level of security in a sense.

I do appreciate your opinion Eric, and with the little more information that I have added maybe I can get a few more opinions.

Dean Schauf

Thank you to all for their opinions, convinced supervisor to broadcast.
