First we will talk about Wi-Fi scanning and its types:-
Each 802.11 station periodically scans each RF channel in order to find a BSS to join. The process of scanning is critical when a station is first activated. After powering up, the station will initiate scanning to find an initial BSS to join. As RF conditions change, the station will periodically scan and possibly reassociate with another BSS.
There are two forms of scanning: passive scanning and active scanning.
Passive Scanning
Passive scanning is the process through which a
station listens to each channel (or set of channels) for a specific period of
time. The station waits for the transmission of beacon management frames
(a.k.a. beacons) having the SSID of the network that the station is configured
to join.
Beacons contain fixed fields and information elements
that hold information about the BSS, which stations use to determine whether
or not they may associate. Some vendors allow configuration of access
points to remove the SSID value from the beacon so that the access point is not
"announcing" its SSID to nearby stations.
Once the station detects beacons from one or more
access points, the station will decide which access point to
associate with based on a vendor-proprietary algorithm. The station will negotiate a
connection on the applicable channel by proceeding with authentication and
association processes. An advantage of passive scanning is that it does not
require the transmission of any additional frames, which reduces overhead
traffic on the wireless medium and improves overall network throughput.
Active Scanning
Active scanning requires that a station broadcast
probe request frames indicating the SSID of the network that the station is
configured to join. The station that sends the probe request frames will
receive probe response frames from access points within range and having the
specified SSID. This process, like that of passive scanning, provides
information that the station can use to determine the access point with which
to associate. Alternately, a station can send probes containing a broadcast SSID
(a null value) that causes all access points within reach to respond.
An access point must reply to all probes that contain
the broadcast SSID or an SSID that matches its own. This standard is ignored
when the vendor provides a proprietary mechanism allowing the network administrator
to disable probe responses to probes with broadcast SSIDs.
This feature is very common in today's access points
and wireless LAN switches. With Ad Hoc networks, the station that generated the
last beacon frame will respond to probes. The advantage of active scanning is that
it identifies potential access points faster, which may be necessary if the
client station is experiencing a rapid decrease in received signal
strength from frames.
Disabling SSID Broadcast:-
- "Hide SSID" will hide the SSID name in beacon
frames so that the casual observer cannot see the name of the SSID in casual AP
to client communication.
- "Deny broadcast probe request" means that the AP will not respond to a broadcast probe request that clients send to see what APs are out there.
- Denying broadcast probe requests does cause problems with
roaming in some clients.
- When associating to a wireless network, even if it is hidden,
a client that goes to connect must specify the SSID it is connecting to.
In the probe response, the AP MUST reply with the SSID as well. This is as per
the specification, and is another reason why you cannot completely hide an
SSID.
Here we saw the downside of denying SSID broadcast!
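To make the last point concrete, here is an added example (not part of the original post) that parses constructed beacon and probe response frames and reports, per BSSID, whether the beacon hides the SSID and whether the name showed up in another frame anyway. The helper names, MAC addresses and SSIDs are invented for illustration, and treating an empty or all-null SSID element as "hidden" is an assumption about how access points implement the option.

```python
# Added example: frames below are constructed sample data (no radiotap header, no FCS).
KINDS = {5: "probe-resp", 8: "beacon"}  # management subtypes sent by the AP

def build_frame(subtype, bssid, ssid):
    """Build a minimal management frame: 24-byte header, 12 fixed bytes, SSID element."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = bytes([subtype << 4, 0]) + bytes(2) + b"\xff" * 6 + mac + mac + bytes(2)
    return header + bytes(12) + bytes([0, len(ssid)]) + ssid

def parse_ssid(frame):
    """Return (kind, bssid, ssid); ssid is None when the element is empty or all nulls."""
    if len(frame) < 36 or (frame[0] >> 2) & 3 != 0 or (frame[0] >> 4) not in KINDS:
        return None  # too short, not a management frame, or not beacon/probe response
    kind = KINDS[frame[0] >> 4]
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    pos = 36  # skip MAC header (24) + timestamp, beacon interval, capability (12)
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            break  # truncated element, stop parsing
        if elem_id == 0:  # SSID information element
            hidden = not value.strip(b"\x00")  # assumption: empty or null-filled = hidden
            return kind, bssid, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + elem_len
    return kind, bssid, None

def summarize(frames):
    """Per BSSID: do its beacons hide the SSID, and was the name seen in any frame?"""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        kind, bssid, ssid = parsed
        entry = seen.setdefault(bssid, {"hidden_beacon": False, "ssid": None})
        if kind == "beacon" and ssid is None:
            entry["hidden_beacon"] = True
        if ssid is not None:
            entry["ssid"] = ssid
    return seen

SAMPLE = [
    build_frame(8, "02:00:00:00:00:01", bytes(7)),    # beacon, SSID nulled out
    build_frame(5, "02:00:00:00:00:01", b"CorpNet"),  # probe response names it anyway
    build_frame(8, "02:00:00:00:00:02", b"Guest"),    # ordinary broadcasting AP
    build_frame(8, "02:00:00:00:00:03", b""),         # hidden, no probe response seen
]

if __name__ == "__main__":
    for bssid, info in summarize(SAMPLE).items():
        print(bssid, info)
```

The first BSSID is the case described in the last bullet: its beacon carries no usable SSID, yet the probe response sent to a connecting client contains the name in the clear.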
Reference:
Why Non-broadcast Networks are not a Security Feature -