Solved: 802.11 Discovery process question

johnsos · ‎01-22-2007

I'm trying to find out the scanning method that I'm currently in during the initial phase of a client and AP interaction. Either "Active or Passive." What I means is there are two kinds of scanning methods defined in the standard on how a station "Client" would or could gather info about an APs available. Now if I have disabled broadcast SSID on my AP am I putting my clients into the ACTIVE mode or am I way off base in my thinking. While in active mode I increase my probe/reply activity as it reads in the documents that I have. This will help me in determining whether or not I gain or lose anything if I were to start broadcasting my SSID again. Yes I would lose some security for the young hackers but the Authentication phase should cover us.

mikraus · ‎01-26-2007

As it sounds like you understand, when most clients are "Active", they will send out probe requests that include the SSID that you have configured on the client. Many clients have configurable intervals for how often this occurs.

"Passive" typically the clients are listening for the SSID broadcasts to determine what wireless networks are available to join.

Broadcasting your SSID is usually frowned upon, even though it really isn't considered a security boundary by itself (defense in depth).

However, it does improve your usability slightly, since the user will be able to see your ssid if they configure their own systems. However, depending on your authentication mechanisms, typing in the SSID may be the easy part!

From a performance perspective, you really aren't going to see any noticeable upside or downside from either configuration.

View solution in original post

john.preves · ‎01-22-2007

Active mode means that you are passing traffic between the client and the radio. Merely being on the network is active mode.

Passive mode is when the client is being used to sniff like Airmagnet or Netstumbler. all it is doing is listening. The Cisco client also has a survey tool with active /passive mode. An example of an active survey would be a continuous ping going on while you are surveying. A passive survey would be like watching to see what pops up in the available networks list and walking around seeing who you associated to.

The SSID is found in three other frames/packets besides broadcast and I should be shot for not knowing which ones they are. SYN, ACK, and something else...damn.

Turning off "broadcast SSID" is not a security measure (anymore). Airmagnet and a slew of other programs will get it anyway so you're just creating a certain amount of un-necessary overhead.

mikraus · ‎01-26-2007

As it sounds like you understand, when most clients are "Active", they will send out probe requests that include the SSID that you have configured on the client. Many clients have configurable intervals for how often this occurs.

"Passive" typically the clients are listening for the SSID broadcasts to determine what wireless networks are available to join.

Broadcasting your SSID is usually frowned upon, even though it really isn't considered a security boundary by itself (defense in depth).

However, it does improve your usability slightly, since the user will be able to see your ssid if they configure their own systems. However, depending on your authentication mechanisms, typing in the SSID may be the easy part!

From a performance perspective, you really aren't going to see any noticeable upside or downside from either configuration.

johnsos · ‎01-29-2007

Thanks for your response, this helps. After looking around it seems that not broadcasting the SSID is more of a best practice. Which we will continue just to have the first level of defense as you mentioned. Seems that Microsoft poo poos this practice in one of their articles I've seen. It probably interferes with something they are trying to accomplish or get working. Again thanks for your help.