Service set (802.11 network)

A service set is all the devices associated with a local or enterprise IEEE 802.11 wireless local area network (WLAN).

Basic service set

The basic service set (BSS) is the basic building block of an 802.11 wireless LAN. In infrastructure mode, a single access point (AP) together with all associated stations (STAs) is called a BSS.[1] This is not to be confused with the coverage of an access point, which is called the basic service area (BSA).[2] An access point acts as a master to control the stations within that BSS. In ad hoc mode a set of synchronized stations, one of which acts as master, forms a BSS. Each BSS is identified by a BSSID. The most basic BSS consists of one access point and one station.

Independent basic service set (IBSS)

With 802.11, it is possible to create an ad hoc network of client devices without a controlling access point, called an independent basic service set (IBSS).[3] In that case the SSID is chosen by the client device that starts the network, and broadcasting of the SSID is performed in a pseudo-random order by all devices that are members of the network.

Extended service set

An extended service set (ESS) is a set of one or more interconnected BSSs and integrated local area networks that appear as a single BSS to the logical link control layer at any station associated with one of those BSSs.

The set of interconnected BSSs must have a common service set identifier (SSID). They can work on the same channel, or work on different channels to boost aggregate throughput.

Basic service set identification (BSSID)

A related field is the basic service set identification (BSSID),[4] which uniquely identifies each BSS (the SSID, however, can be used in multiple, possibly overlapping, BSSs). In an infrastructure BSS, the BSSID is the MAC address of the wireless access point (WAP). In an IBSS, the BSSID is a locally administered MAC address generated from a 46-bit random number; the remaining two bits of the 48-bit address are the address-type flags. The individual/group bit of the address is set to 0 (individual). The universal/local bit of the address is set to 1 (local).

A BSSID with a value of all 1s is used to indicate the broadcast BSSID. A broadcast BSSID may only be used during probe requests.
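The IBSS BSSID construction and the broadcast BSSID described above, as an added example that is not part of the original article: the first function builds a locally administered, individual address from a 46-bit random number; the second decodes the individual/group and universal/local bits of any BSSID (the classification labels are this example's own).

```python
import secrets

# Added example, not from the article. In 802.11 addresses the least-significant
# bit of the first octet is the individual/group (I/G) bit and the next bit is
# the universal/local (U/L) bit; the article's IBSS BSSID sets them to 0 and 1.

BROADCAST_BSSID = "ff:ff:ff:ff:ff:ff"  # all ones: only valid in probe requests


def ibss_bssid(random46=None):
    """Return a locally administered, individual BSSID built from 46 random bits."""
    if random46 is None:
        random46 = secrets.randbits(46)
    if not 0 <= random46 < (1 << 46):
        raise ValueError("random46 must fit in 46 bits")
    # Six random bits fill bits 2..7 of the first octet; bit 0 = 0 (individual),
    # bit 1 = 1 (locally administered). The other 40 random bits fill octets 2..6.
    first = ((random46 & 0x3F) << 2) | 0b10
    rest = (random46 >> 6).to_bytes(5, "big")
    return ":".join(f"{b:02x}" for b in bytes([first]) + rest)


def classify_bssid(bssid):
    """Decode the I/G and U/L bits and label what kind of BSSID this looks like."""
    octets = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a BSSID is six octets")
    first = octets[0]
    group = bool(first & 0x01)
    local = bool(first & 0x02)
    if octets == b"\xff" * 6:
        kind = "broadcast"  # wildcard BSSID used in probe requests
    elif group:
        kind = "group address (not an individual BSSID)"
    elif local:
        kind = "ibss-style (locally administered)"
    else:
        kind = "infrastructure (AP's universally administered MAC)"
    return {"group": group, "local": local, "kind": kind}
```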

Security gains of SSID hiding

Many access points allow a user to turn off the broadcast of the SSID. With many network client devices, this results in the detected network displaying as an unnamed network and the user would need to manually enter the correct SSID to connect to the network.

Unfortunately, turning off the broadcast of the SSID may lead to a false sense of security. The method discourages only casual wireless snooping, but does not stop a person trying to attack the network.[5]

It is not secure against determined crackers, because every time someone connects to the network, the SSID is transmitted in cleartext even if the wireless connection is otherwise encrypted. An eavesdropper can passively sniff the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a "disassociate frame" as if it came from the wireless bridge, and sends it to one of the clients connected; the client immediately re-connects, revealing the SSID.[6][7]

As disabling SSID broadcast does not offer protection against determined crackers, proven security methods should be used instead, such as requiring 802.11i/WPA2.[8]

Microsoft discourages SSID hiding because it leads to clients probing for the SSID in plain text. This not only exposes the SSID that was meant to be hidden but also allows a fake access point to offer a connection.[9] Programs that act as fake access points are freely available, for example "airbase-ng"[10] and "Karma".[11]
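A defender-side check for the two exposures this section describes, as an added example that is not part of the original article: it runs over a constructed capture of management frames (modelled here as tuples; the frame fields, addresses and SSID are assumed) and reports which stations still transmit the "hidden" SSID in cleartext, and whether a burst of disassociation frames attributed to the AP looks like forced reconnection.

```python
# Added example, not from the article. Frames are modelled as
# (timestamp_seconds, subtype, source MAC, SSID-or-None); all values constructed.

HIDDEN_SSID = "corp-hidden"        # constructed: SSID the AP no longer beacons
AP_BSSID = "00:11:22:33:44:55"     # constructed AP address

FRAMES = [
    (0.0, "beacon", AP_BSSID, ""),                         # null SSID in beacon
    (1.2, "probe-req", "aa:bb:cc:00:00:01", HIDDEN_SSID),  # client asks by name
    (1.3, "probe-resp", AP_BSSID, HIDDEN_SSID),            # AP answers in cleartext
    (5.0, "disassoc", AP_BSSID, None),                     # burst attributed to AP
    (5.1, "disassoc", AP_BSSID, None),
    (5.2, "disassoc", AP_BSSID, None),
    (5.3, "disassoc", AP_BSSID, None),
    (5.9, "assoc-req", "aa:bb:cc:00:00:02", HIDDEN_SSID),  # reconnect leaks it again
    (9.0, "probe-req", "aa:bb:cc:00:00:03", ""),           # wildcard probe, no leak
]

LEAKING_SUBTYPES = ("probe-req", "probe-resp", "assoc-req")


def ssid_leaks(frames, hidden_ssid):
    """Map each frame subtype that carried the hidden SSID to the MACs that sent it."""
    leaks = {}
    for _ts, subtype, src, ssid in frames:
        if ssid == hidden_ssid and subtype in LEAKING_SUBTYPES:
            leaks.setdefault(subtype, set()).add(src)
    return leaks


def disassoc_burst(frames, bssid, window=2.0, threshold=3):
    """True if at least `threshold` disassoc/deauth frames claiming to come from
    `bssid` fall within any `window`-second span (sliding over sorted timestamps)."""
    times = sorted(t for t, st, src, _ in frames
                   if src == bssid and st in ("disassoc", "deauth"))
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False
```

On the constructed capture, the leak report names the client that probed for the SSID, the AP's probe response, and the reconnecting client, and the burst check fires on the four disassociation frames.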

References

  1. "IEEE Std 802.11-2007". IEEE. 2007-06-12. p. 6. http://standards.ieee.org/getieee802/download/802.11-2007.pdf. Retrieved 2011-07-06.
  2. "IEEE Std 802.11-2007". IEEE. 2007-06-12. p. 5. http://standards.ieee.org/getieee802/download/802.11-2007.pdf. Retrieved 2011-07-06.
  3. "IEEE Std 802.11-2007". IEEE. 2007-06-12. p. 25. http://standards.ieee.org/getieee802/download/802.11-2007.pdf. Retrieved 2011-07-06.
  4. "IEEE Std 802.11-2007". IEEE. 2007-06-12. p. 65. http://standards.ieee.org/getieee802/download/802.11-2007.pdf. Retrieved 2011-07-06.
  5. Robert Moskowitz (2003-12-01). "Debunking the Myth of SSID Hiding". International Computer Security Association. http://www.library.cornell.edu/dlit/ds/links/cit/redrover/ssid/wp_ssid_hiding.pdf. Retrieved 2011-07-10. "[...] the SSID is nothing more than a wireless-space group label. It cannot be successfully hidden. Attempts to hide it will not only fail, but will negatively impact WLAN performance, and may result in additional exposure of the SSID [...]"
  6. Joshua Bardwell; Devin Akin (2005). CWNA Official Study Guide (Third ed.). McGraw-Hill. p. 334. ISBN 0072255382.
  7. Vivek Ramachandran (2011-04-21). "WLAN Security Megaprimer Part 6: Pwning hidden SSIDs". SecurityTube. http://vimeo.com/22697124. Retrieved 2011-07-10. Video demo of active and passive SSID uncloaking.
  8. "What is a Wireless Network's SSID?". Netgear. http://kbserver.netgear.com/kb_web_files/N100683.asp. Retrieved 2008-02-06. "The SSID is not a strong security measure, and should be used in conjunction with other security such as WEP or WPA."
  9. "Non-broadcast Network Behavior with Windows XP and Windows Server 2003". Microsoft Corporation. 2007-04-19. http://technet.microsoft.com/en-us/library/bb726942.aspx#EDAA. Retrieved 2011-07-10. "it is highly recommended that you do not use non-broadcast wireless networks." Note: Here the term "non-broadcast" means a network that does not broadcast its SSID or broadcasts a null SSID instead of the actual SSID.
  10. Vivek Ramachandran (2011-04-25). "WLAN Security Megaprimer 10: Hacking isolated clients". SecurityTube. http://vimeo.com/22832760. Retrieved 2011-07-10. Demonstrates the use of "airbase-ng" to respond to any probe request.
  11. Dookie2000ca (2009-06-13). "Karmetasploit (Karma And Metasploit 3)". http://www.securitytube.net/video/383. Retrieved 2011-07-10. Demonstrates the use of "Karma" to respond to any probe request.