Wireless Network Administration: Securing the SSID

A client computer must know the access point’s SSID in order to join the wireless network. If you can prevent unauthorized clients from discovering the SSID, you can prevent them from accessing your network.

Securing the SSID is not a complete security solution, so you shouldn’t rely on it as your only security mechanism. SSID security can slow down casual intruders and wardrivers who are just looking for easy and free Internet access, but it isn’t possible to prevent serious hackers from discovering your SSID.

You can do three things to secure your SSID:

  • Change the SSID from the default. Most access points come preconfigured with well-known default SSIDs. For example, the table below lists some well-known default SSIDs. By changing your access point’s SSID, you can make it more difficult for an intruder to determine your SSID and gain access.

Common Default SSID Values
SSID Manufacturer
3com 3Com
Compaq Compaq
linksys Linksys
tsunami Cicso
Wireless NetGear
  • Disable SSID broadcast. Most access points frequently broadcast their SSIDs so that clients can discover the network when they come within range. Clients that receive this SSID broadcast can then use the SSID to join the network.

    You can increase network security somewhat by disabling the SSID broadcast feature. That way, clients won’t automatically learn the access point’s SSID. To join the network, a client computer must figure out the SSID on its own. You can then tell your wireless network users the SSID to use when they configure their clients.

    Unfortunately, when a client computer connects to a wireless network, it sends the SSID to the access point in an unencrypted packet. So a sophisticated intruder who’s using a packet sniffer to eavesdrop on your wireless network can determine your SSID as soon as any legitimate computer joins the network.

  • Disable guest mode. Many access points have a guest mode feature that enables client computers to specify a blank SSID or to specify “any” as the SSID. If you want to ensure that only clients that know the SSID can join the network, you must disable this feature.