For network administrators: common mistakes in wireless network settings

Source: Internet
Author: User

The goal is not to set up a wireless network quickly, but to set up one that is secure and effective. This article presents three configuration recommendations, listed in order of importance:

Common mistakes in wireless network settings 1: Too many SSIDs

What is the downside of running multiple SSIDs? Each radio sends about ten beacon signals for each SSID every second. So if the environment has five SSIDs, that amounts to 50 wireless transmissions per second. All of these transmissions occupy the available wireless medium and so reduce the available bandwidth. Some will argue that their organization needs several SSIDs for different user groups, either to logically direct user traffic to different VLANs or to use different authentication or encryption mechanisms (for example, internal employees may use 802.1X with WPA2/AES, while guest traffic may be sent to an unencrypted captive portal).

However, I often see multiple user groups that use the same authentication and encryption method but are placed on different SSIDs (consider a university where students and faculty authenticate to the wireless network in the same way, but on different SSIDs). In this case, the SSIDs can be consolidated by making full use of the concept of a "user group". For example, students and instructors can be placed in different organizational units in Active Directory. Both log on to the wireless network through the same SSID, but when the RADIUS server responds to the wireless network, it passes the organizational unit as a RADIUS attribute. The wireless network reads this information and places the end user in the appropriate user group (students or instructors). The wireless network can then apply specific policies to each user group, allowing or denying access based on a range of options (including ports, services, times, IP addresses, IP ranges, and so on). For example, only instructors are allowed to reach the IP addresses of servers that hold student grade information.
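The group-based policy described above can be sketched as a first-match rule table. This is an added example, not code from the original article or from any vendor; the use of the `Filter-Id` attribute to carry the organizational unit, the OU strings, the group names and the addresses (documentation ranges) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed mapping: OU string returned by RADIUS -> user group (assumption).
OU_TO_GROUP = {"OU=Students": "students", "OU=Faculty": "instructors"}
GRADE_SERVER = "192.0.2.10/32"  # constructed address from a documentation range

@dataclass(frozen=True)
class Rule:
    group: str        # user group, or "*" for any group
    network: str      # destination IP range
    ports: frozenset  # empty set means any port
    start: time       # rule applies between start and end
    end: time
    allow: bool

ALL_DAY = (time(0, 0), time(23, 59, 59))
RULES = [  # evaluated top to bottom, first match wins
    Rule("instructors", GRADE_SERVER, frozenset({443}), *ALL_DAY, True),
    Rule("*", GRADE_SERVER, frozenset(), *ALL_DAY, False),
    Rule("instructors", "0.0.0.0/0", frozenset({80, 443}), *ALL_DAY, True),
    Rule("students", "0.0.0.0/0", frozenset({80, 443}), time(6, 0), time(23, 0), True),
]

def group_from_access_accept(attributes: dict) -> str:
    """Map the OU carried in the RADIUS reply to a group; unknown OUs fail closed."""
    return OU_TO_GROUP.get(attributes.get("Filter-Id"), "unassigned")

def is_allowed(group: str, dst_ip: str, dst_port: int, now: time) -> bool:
    """Apply the per-group policy to one connection attempt on the shared SSID."""
    dst = ip_address(dst_ip)
    for rule in RULES:
        if (rule.group in (group, "*") and dst in ip_network(rule.network)
                and (not rule.ports or dst_port in rule.ports)
                and rule.start <= now <= rule.end):
            return rule.allow
    return False  # default deny: no rule matched
```

Both groups join the same SSID; only the group derived from the RADIUS reply decides which rules apply, and a user whose OU is missing or unrecognized matches no allow rule.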

Using user groups reduces the number of unnecessary SSIDs and the load on the wireless medium. As a result, there are fewer wireless transmissions, which lowers network management costs and increases the available network bandwidth.

Common mistakes in wireless network settings 2: "Hiding" the SSID broadcast

SSID stands for Service Set Identifier, that is, the network name a user sees on the computer when scanning for wireless networks. Most access points have an option to "hide" the SSID, so that the network name does not appear in the frames transmitted over the air. In the wireless client built into the Windows operating system, such networks do not appear as available connection options. Nevertheless, far too many articles and professionals hold that SSID broadcast should be disabled to protect the wireless network from attack, on the grounds that it adds a layer of protection. Their reasoning is that attackers must first spend time learning the SSID before they can monitor the network and defeat its encryption and authentication, so hiding the SSID makes attacks harder.

However, I do not know whether these people realize that many commercial and free tools, such as Kismet, can quickly uncover a so-called "hidden" SSID. There is also Netstumbler, which may not be able to fully resolve the SSID but will show that an access point with an empty SSID exists. Netstumbler sends active probe requests. Even if the SSID is hidden, IEEE standards still require the access point to respond to such requests. Although the response does not contain the actual SSID, it does contain other useful information, such as the MAC address, channel number, and signal strength. Attackers can use this information as a stepping stone for attacks, just as they would after discovering the real SSID.
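To see what a "hidden" network still announces, the following added example (not part of the original article) parses an 802.11 beacon or probe response and reports the fields that remain readable when the SSID element is empty or NUL-filled. The frames are constructed inline; the BSSID, network name and channel are made-up sample values, and signal strength is omitted because it comes from the capture hardware rather than from the frame.

```python
import struct

SAMPLE_BSSID = bytes.fromhex("020000000001")  # constructed, locally administered

def build_beacon(bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Build a minimal constructed beacon (no radiotap header, no FCS)."""
    header = (struct.pack("<HH", 0x0080, 0) + b"\xff" * 6   # frame control, duration, DA
              + bssid + bssid + struct.pack("<H", 0))       # SA, BSSID, sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)             # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return header + fixed + tags

def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, channel and SSID state from a beacon or probe response."""
    if len(frame) < 36:
        raise ValueError("too short for management header and fixed fields")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):  # 5 = probe response, 8 = beacon
        raise ValueError("not a beacon or probe response")
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
            "ssid": None, "hidden": False, "channel": None}
    pos = 36  # tagged parameters follow the 24-byte header and 12 fixed bytes
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if element_id == 0:  # SSID: hidden networks send it empty or NUL-filled
            info["hidden"] = length == 0 or not any(body)
            info["ssid"] = None if info["hidden"] else body.decode("utf-8", "replace")
        elif element_id == 3 and length == 1:  # DS Parameter Set: current channel
            info["channel"] = body[0]
        pos += 2 + length
    return info

def demo() -> tuple:
    """Parse the same access point with the SSID broadcast and with it hidden."""
    return (parse_beacon(build_beacon(SAMPLE_BSSID, b"CampusNet", 6)),
            parse_beacon(build_beacon(SAMPLE_BSSID, b"", 6)))
```

In both frames the BSSID and channel are identical and readable; only the name field differs.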

Another problem is that legitimate users also need to know the SSID to connect to the wireless network. Hiding the SSID broadcast often leaves legitimate users confused about which network to connect to, which can cause a lot of trouble.

In short, because the SSID can be detected so easily, hiding it provides almost no security benefit. It is less an obstacle to attackers than a hassle for the organization's own legitimate users.

Common mistakes in wireless network settings 3: Time-sliced wireless intrusion detection

There are two main ways to perform intrusion detection on a wireless network: with dedicated sensors, or by time slicing. With time slicing, access points spend some of the time when they are not serving client stations (laptops and so on) scanning channels to provide intrusion detection. Many wireless products scan for 50 milliseconds every 15 seconds. That sounds reasonable, but work it out in detail and it comes to less than five minutes of scanning in every 24 hours, which leaves far too much time unmonitored.
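The calculation above, extended to the chance that a time-sliced scanner sees a short-lived event at all. This is an added example, not from the original article; it assumes one channel is sampled per scan window in round-robin order, that the event starts at a uniformly random time, and it uses an 11-channel plan as a sample value.

```python
def daily_scan_seconds(window_s: float = 0.05, interval_s: float = 15.0) -> float:
    """Total scanning time per 24 hours for one window every interval."""
    return 86400 / interval_s * window_s

def detection_probability(event_s: float, window_s: float = 0.05,
                          interval_s: float = 15.0, channels: int = 1) -> float:
    """Chance that an event of event_s seconds on one channel overlaps a scan window.

    A given channel is revisited every interval_s * channels seconds. An event
    is seen if it starts during a window or is still running when the next
    window opens, so the favourable span is event_s + window_s per revisit.
    """
    revisit_s = interval_s * channels
    return min(1.0, (event_s + window_s) / revisit_s)

def simulated_probability(event_s: float, window_s: float = 0.05,
                          interval_s: float = 15.0, channels: int = 1,
                          steps: int = 100_000) -> float:
    """Check the closed form by sweeping the event start across one revisit period."""
    revisit_s = interval_s * channels
    hits = 0
    for i in range(steps):
        start = revisit_s * i / steps
        # Windows on this channel open at 0, revisit_s, 2 * revisit_s, ...
        if start < window_s or start + event_s > revisit_s:
            hits += 1
    return hits / steps

def summary() -> dict:
    return {
        "scan_minutes_per_day": daily_scan_seconds() / 60,
        "p_10s_event_1_channel": detection_probability(10),
        "p_10s_event_11_channels": detection_probability(10, channels=11),
    }
```

With the article's figures the scanner is listening for 4.8 minutes a day, and under the stated assumptions a 10-second event on one of 11 channels is observed only about 6% of the time, whereas a sensor that stays on that channel sees it every time.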

What should you do? I believe that dedicated detection devices can be used. Such a device can scan the network around the clock. There are two types of dedicated detection devices: embedded and overlay. An embedded detector uses the access point itself or an additional radio in the device, and reports to the same WLAN controller and management platform that control the AP radios serving client access. An overlay detector is a standalone device, usually from a different manufacturer than the access points, that reports to its own separate server.

I personally prefer embedded detectors because these devices reduce the number of cables, the number of switch ports, and the installation time. Using APs and detectors from the same manufacturer has other benefits too, especially a single point of support and lower maintenance costs. Most importantly, though: use whichever dedicated detector you like, but do not use a time-sliced wireless intrusion detection system.
