Hidden SSIDs?
Last Post: November 30, 2005:
Hi Klulue of Metairie:
Thanks for the considerate followup.
Here is a rewrite of my earlier post meant to cast additional light on the cost of SSID "hiding" to, as you say: "keep the novice wardrivers from even picking up the network at all."
=========================
Publishing the SSID is a requirement of the IEEE 802.11-1999 standard for one good reason -- ease of use, lower administrative cost, and greater market success.
Seeing an SSID discovered from the air is the WLAN equivalent of seeing an Ethernet link light, and is invaluable in WLAN operation and troubleshooting. If the WLAN customer sees the expected SSID his client station has physical layer connectivity even if some other difficulty prevents communication. If the customer does not see the SSID his station does not have physical layer connectivity and no time need be spent testing the data-link, authentication, or IP configuration. Hide the SSID and the customer and support staff are both left guessing and wasting valuable time when troubleshooting.
Access points that publish their SSIDs make it relatively easy for operators of other WLANs in the vicinity to discover them, their channels, and their points of contact so that a better sharing of the medium may be accomplished, with or without a conversation between administrators. Hide the SSIDs and a less efficient choice of channels is more likely to go undiscovered.
A business that "hides" its SSID, or even multiple SSIDs representing virtual WLANs, takes on additional support burdens for communicating those SSIDs to authorized customers and client stations. Changing SSIDs in response to new requirements becomes harder. Cisco WLAN equipment that formerly "hid" all but one "guest" virtual WLAN now allows all virtual WLAN SSIDs to be published, arguably for increased convenience, reduced administrative costs, and greater market success (for Cisco).
Although not as common now as before, some client stations simply will not join WLANs that violate the IEEE 802.11 standard by "hiding" their SSIDs. In any event, "hiding" SSIDs lengthens the troubleshooting cycle. When something that should work doesn't work, is it because the SSID is hidden?
"Hiding" the SSID became part of the WLAN culture in 2001 due to a vendor conspiracy to compensate for the utter failure of WEP by offering a stopgap faux security method. The IEEE in the 802.11i-2004 amendment gave us WPA, WPA2, and 802.1X/EAP. The IEEE in that same amendment could have blessed the by then popular practice of "hiding" the SSID, but did not. In light of these new IEEE 802.11 Robust Security Network (RSN) methods, the security value of "hiding" SSIDs is vanishingly small while the opportunity costs and support costs of hiding SSIDs are increasing along with greater demands on WLANs.
Unfortunately many customers to this day are convinced that the "Hide the SSID" check box must be there for some smart reason so why not be safe and check the box. These customers for the most part are unaware that they are reducing ease of use and increasing administrative cost.
For years to come WLAN equipment will support the now seriously deprecated WEP, and probably SSID "hiding". Vendors would do their customers and the quest for world peace a great service if they would offer the "Hide the SSID" check box only when customers choose either WEP or no protection, and >>hide<< the "Hide the SSID" check box when customers choose an RSN configuration based on WPA or WPA2.
I hope this helps. Thanks. /criss
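An added example, not part of the original post: a small audit helper that reads 802.11 beacon frame bodies and reports where an SSID is hidden on a network already protected by WPA or RSN, the combination the post argues only adds support cost. The sample beacons, `SAMPLE_RSN_IE`, and the function names are constructed for illustration; the input is assumed to be the beacon body after the 24-byte MAC header.

```python
import struct

WPA_VENDOR_PREFIX = b"\x00\x50\xf2\x01"   # vendor element 221 carrying WPA
# Constructed RSN element (ID 48): version 1, CCMP group/pairwise, PSK AKM.
SAMPLE_RSN_IE = bytes([48, 20]) + bytes.fromhex("0100000fac040100000fac040100000fac020000")

def make_beacon(ssid, capability, extra=b""):
    """Build a constructed beacon body: timestamp, interval, capability, SSID element."""
    return struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid)]) + ssid + extra

def parse_beacon_body(body):
    """Return SSID, hidden flag and protection mode from a beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 bytes of fixed fields")
    capability = struct.unpack_from("<H", body, 10)[0]
    ssid, has_rsn, has_wpa, pos = b"", False, False, 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                          # truncated element: stop, do not misread
        if eid == 0:
            ssid = data
        elif eid == 48:
            has_rsn = True
        elif eid == 221 and data.startswith(WPA_VENDOR_PREFIX):
            has_wpa = True
        pos += 2 + length
    if has_rsn or has_wpa:
        security = "RSN" if has_rsn else "WPA"
    else:
        # Privacy capability bit set with no WPA/RSN element means WEP.
        security = "WEP" if capability & 0x0010 else "open"
    # "Hidden" beacons carry a zero-length SSID or one filled with NUL bytes.
    hidden = not ssid.strip(b"\x00")
    return {"ssid": ssid.decode("utf-8", "replace"), "hidden": hidden, "security": security}

def audit(body):
    """Flag hidden SSIDs, separating WPA/RSN networks from WEP or open ones."""
    info = parse_beacon_body(body)
    if info["hidden"] and info["security"] in ("WPA", "RSN"):
        return "SSID hidden on %s network: hiding can be turned off" % info["security"]
    if info["hidden"]:
        return "SSID hidden on %s network: hiding is the only 'protection'" % info["security"]
    return None

if __name__ == "__main__":
    for b in (make_beacon(b"CorpNet", 0x0011, SAMPLE_RSN_IE), make_beacon(b"", 0x0011, SAMPLE_RSN_IE),
              make_beacon(b"\x00" * 7, 0x0011), make_beacon(b"Guest", 0x0001)):
        print(parse_beacon_body(b), "->", audit(b))
```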