I remember hearing this when I asked about turning SSID broadcast off
for a wireless router:
"You can usually turn off broadcasting the SSID at the router, but
there are plenty of reports that doing this can lead to connection
issues that are suddenly fixed by turning it back on."
I definitely think I'm seeing these "connection issues" with SSID
broadcast off, but I don't see a logical reason for it. Any ideas why
SSID broadcast off results in connection issues?
Here they recommend turning off SSID broadcast, and using a non-obvious
SSID string.
http://www.depts.ttu.edu/helpcentral/safecomputing/secure/securewireless.php
The protocol is explained a bit here.
http://www.swiss.ai.mit.edu/6095/student-papers/spring02-papers/paranoia.htm
"When the wireless station is searching for an access point via its built-in
scanning function, it is in State 1, unauthenticated and unassociated. The
station finds an access point either via listening for an access point's
beacon management frame or through knowing the access point's unique network
name, otherwise named Service Set IDentifiers (SSID). Access points send
out beacon management frames periodically to allow a station waiting to
connect to find those access points within transmission range. A station
wishing to connect to a particular access point with known SSID sends out
a probe request management frame to locate the desired access point."
What that says is, the SSID is used in two kinds of packets. At least
as I understand it. The Access Point can broadcast the SSID, which is
an aid to roaming amongst multiple Access Points. But the client also
sends probe packets with the SSID in them, and it is also possible to
identify the SSID of a potential network, by listening to the probe
packets.
"Wireless Vulnerabilities & Exploits - Airjack tool"
http://www.wirelessve.org/entries/show/WVE-2005-0018
Page 5 here, walks through the protocol. It really depends on whether
the client is depending on an SSID broadcast, as a means to identify
an Access Point that is within range or not.
http://www.cs.umd.edu/~waa/wireless.pdf
Here are some examples of tools. Kismet is the one that can
identify your SSID, even when the beacon is disabled. It does
that by listening to the client sending probe packets.
http://www.netstumbler.com/downloads/netstumbler_v0.4.0_release_notes.pdf
http://www.kismetwireless.net/
http://www.kismetwireless.net/documentation.shtml
"Kismet identifies networks by passively collecting packets and detecting
standard named networks, detecting (and given time, decloaking) hidden
networks, and inferring the presence of nonbeaconing networks via data
traffic."
So disabling the beacon may prevent your SSID from showing
conveniently in a list of Access Points, but does not entirely
make your network invisible. As soon as your client sends
a probe packet, the game is up. A person running Linux on
a laptop, with a copy of Kismet, will get to know your SSID
eventually. The Airjack tool looks like its "essid_jack"
method may do something similar.
On this Cisco web page, you can see the things that a Cisco
"intrusion detection tool" is checking for.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
And this page has a recommendation for SSID:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_white_paper09186a00800b469f.shtml
"In addition, disabling SSID broadcasts might have adverse effects
on Wi-Fi interoperability for mixed-client deployments."
In other words, if you mix different brands of wireless equipment,
disabling SSID broadcast may affect their ability to work together.
To me, that could only be the case if a client refused to send
probe packets on its own. As usual, the problem is finding a
web page that addresses the protocol with greater precision.
(One of the reasons for going to the Cisco site in the first place.)
I think it would be fun to record the packets being sent by your
gear. As an example of the fun you can have, I got a copy of
Ethereal the other day, to find out what my computer was sending
when I wasn't doing anything. At first I feared the worst, but
once I captured a few packets with Ethereal, I could see the
OS was doing some UPnP. Disabling UPnP on my new router fixed that.
So a packet sniffer is great fun to have, as long as there is
no effort in setting it up. If you want to play with a wired
packet sniffer, try this one. (Presumably there is a tool
like this for the wireless world.)
http://freestuff.openxtra.co.uk/downloads/opensource/3_18_0/Ethereal_XTRA_3_18_0.exe
Paul
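As an added illustration of the frames the quoted passage describes (this is not code from the post above, from Kismet, or from any of the linked pages), here is a small Python model of the three management-frame types involved: a beacon with SSID broadcast turned off, a client's directed probe request, and the access point's probe response. The frames, MAC addresses and the SSID "HomeNet" are all constructed here for the demonstration; the parser follows the 802.11 layout (24-byte MAC header, 12 bytes of fixed parameters on beacons and probe responses, then ID/length/value tagged parameters) and the tracker records, Kismet-style, what an observer learns from each frame.

```python
import struct

# Management-frame subtypes (frame control byte 0, high nibble).
BEACON, PROBE_REQ, PROBE_RESP = 0x08, 0x04, 0x05
TAG_SSID = 0          # tagged parameter ID for the SSID element
TAG_RATES = 1         # tagged parameter ID for supported rates

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(subtype, da, sa, bssid, ssid, hidden=False):
    """Constructed 802.11 management frame (no FCS). hidden=True emits an
    empty SSID element, which is what 'SSID broadcast off' looks like on the air."""
    fc = bytes([subtype << 4, 0x00])                 # version 0, type 0 (mgmt)
    hdr = fc + b"\x00\x00" + mac(da) + mac(sa) + mac(bssid) + b"\x00\x00"
    body = b""
    if subtype in (BEACON, PROBE_RESP):
        # fixed parameters: timestamp, beacon interval, capability info
        body += struct.pack("<QHH", 0, 100, 0x0411)
    ssid_bytes = b"" if hidden else ssid.encode()
    body += bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([TAG_RATES, 1, 0x82])              # 1 Mbps, basic rate
    return hdr + body

def parse_mgmt_frame(frame):
    """Return header fields and tagged parameters, or None if not a management frame."""
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0:                            # type bits 2-3 must be 00
        return None
    subtype = fc0 >> 4
    off = 24                                         # end of the MAC header
    if subtype in (BEACON, PROBE_RESP):
        off += 12                                    # skip fixed parameters
    tags = {}
    while off + 2 <= len(frame):
        tid, tlen = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + tlen]
        if len(val) < tlen:                          # truncated element: stop
            break
        tags[tid] = val
        off += 2 + tlen
    return {"subtype": subtype, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "tags": tags}

def ssid_from_tags(tags):
    """None for a cloaked SSID: absent, zero-length, or NUL-padded to its real length."""
    val = tags.get(TAG_SSID)
    if not val or all(b == 0 for b in val):
        return None
    return val.decode("utf-8", errors="replace")

class SSIDTracker:
    """Passive observer: maps BSSID -> SSID (None while still cloaked) and
    collects the names clients ask for in directed probe requests."""
    def __init__(self):
        self.networks = {}
        self.probed = set()

    def feed(self, frame):
        f = parse_mgmt_frame(frame)
        if f is None:
            return
        ssid = ssid_from_tags(f["tags"])
        if f["subtype"] == BEACON:
            self.networks.setdefault(f["bssid"], ssid)   # cloaked beacon -> None
            if ssid:
                self.networks[f["bssid"]] = ssid
        elif f["subtype"] == PROBE_REQ:
            if ssid:                                     # client leaks the name it wants
                self.probed.add(ssid)
        elif f["subtype"] == PROBE_RESP:
            if ssid:                                     # AP answers with the name filled in
                self.networks[f["bssid"]] = ssid

def decloak_demo():
    """Constructed exchange: cloaked beacon, directed probe, probe response.
    Returns the observer's view after each frame."""
    ap, client, bcast = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
    t, steps = SSIDTracker(), []
    t.feed(build_mgmt_frame(BEACON, bcast, ap, ap, "HomeNet", hidden=True))
    steps.append(dict(t.networks))          # BSSID seen, name unknown
    t.feed(build_mgmt_frame(PROBE_REQ, bcast, client, bcast, "HomeNet"))
    steps.append(set(t.probed))             # client named the network
    t.feed(build_mgmt_frame(PROBE_RESP, client, ap, ap, "HomeNet"))
    steps.append(dict(t.networks))          # name now tied to the BSSID
    return steps

if __name__ == "__main__":
    for step in decloak_demo():
        print(step)
```

The first frame shows why the AP still appears to a sniffer even with broadcast off: the beacon keeps going out, only the SSID element is empty. The second and third frames are the "game is up" moment: a client that already knows the name has to put it in its probe request, and the AP's probe response carries it back, so a passive listener gets both the name and which BSSID owns it.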