The access point (abbreviated as "AP"; see Figure 1) serves as the base station. The concept is common, from cordless phones to the large wireless carriers: the access point is what provides the "network," and the clients connect to it to gain access. Each Wi-Fi radio, whether it be in the access point or the client, is designed to send its wireless signals across a limited range, far enough to be useful but not so far as to violate the limits set by the regulations and to grossly exceed the bounds of the building the network is deployed within. This range is in the order of 100 feet, though. To set apart which device connects to the network, the access point must take on a role as some sort of master.
Figure 1: A typical Access Point
An access point often looks like a small brick, but with antennas and an Ethernet cable. The Ethernet cable provides the connection to the wired network, and, if power over Ethernet (PoE) is in use, the access point receives its power over the same cable. Access points are normally independent physical devices. Commonly, they are placed along walls, or above or below a false ceiling, to provide the maximal amount of wireless coverage with the least amount of physical impediments to the signals (see Figure 2).
Access points make their networks known by sending frequent wireless transmissions, known as beacons. These beacons describe to the client devices what capabilities the access point has, and most importantly, what network the access point is providing access to. The way the network is designated is by an arbitrary text string provided by the administrator, known as a service set identifier (SSID). This text string is sent in the beacons, and other transmissions, to the clients, which then provide a list of SSIDs seen to the user. Thus, when the user brings up a list of the networks that his or her laptop sees and can connect to, the list contains the SSIDs of the access points.
Because the SSID is the only way users can select which network they wants to connect to, we need to look into it a bit deeper. There are very few technical restrictions on the SSIDs except for the length, which must be less than 32 characters. However, the SSID needs to be meaningful to the user, or else he or she will not connect to it. Because SSIDs are supposed to name the network that the user is connecting to, rather than the individual access point, multiple access points can and do share the same SSID. That being said, there is nothing stopping someone else from giving an access point the SSID that belongs to your network. There is no security in the SSID itself. Eavesdroppers can trivially discover what the SSID is that your network is using (even if you use a feature known as SSID hiding or SSID broadcast suppression) and use it to either gain entry into your network or spoof your network and try to fraudulently get your clients to connect to them instead. In fact, there is nothing that prevents SSIDs from being used for nearly any purpose at all. Most of what applies to SSIDs are in the form of best practices, of which the important ones are:
- The SSID should be meaningful to the user: "employees" and "guest" are good examples of meaningful names. They may be based on the role of the user, the device the user has (such as "voice" for phones), or any other words that help the user find the network.
- When the installation shares the air with neighboring networks from other organizations, the SSID should also include text to highlight to the user what the right network is; "xyz-employees" is an example of an SSID for an organization named XYZ.
- The SSID should be able to be easily typed by the user. Although most devices show SSIDs in a list from what already are being broadcasted, allowing the user to select the SSID with minimal effort, there are many occasions on which when the user may need to type the SSID. This is especially true for mobile devices, with small keyboards or limited keys.
- Again, do not rely on obscurity of the SSID to restrict access to your network. Use real security mechanisms, as described later, instead.
No comments:
Post a Comment