When it comes to organizing your business WiFi network, there are a lot of moving parts that need attention. While most of the network remains behind the scenes, there is something that everyone in the office is probably aware of: your SSIDs.
Never heard of a SSID before? It’s simply the technical term for the name of a WiFi network. When you’re at work and you pull up a list of networks that are available for you to connect to, you are looking at a list of SSIDs (service set identifiers).
Most of the time, when you’re trying to decide which network to connect to, the answer is fairly straightforward. You might have been told which network to use, or perhaps your office is in a remote location and there’s only one network available. What if there are multiple choices though and several of them are named after your company? Such as CompanyZ-WiFi-A, CompanyZ-WiFi-B and so on? Is either network fine? Will one limit your network access, or even worse, is one a rogue network?
The complicated side of SSIDs
Now we’re getting into the less-than-straightforward side of things. Before any employee can connect to the WiFi and get to work, these networks have to be designed to provide consistent, reliable connectivity. Part of that process requires IT teams and administrators to determine:
- How many SSIDs to offer
- Whether to hide or broadcast SSIDs
- How to secure each SSID
- How to manage and allocate bandwidth between each SSID
While IT can determine how many SSIDs to create and whether to hide or broadcast them fairly easily, optimizing each network quickly becomes complex. For that reason, we recommend working with a WiFi Automation platform to get the real-time and historical data you need for long-term optimization, all while bypassing hours of manual packet capture and analysis.
How many SSIDs?
Our official opinion is that in most cases of a well-designed network, the desired outcome can be achieved using 3 SSIDs. It should be noted that each SSID creates its own management traffic overhead which can vary depending on the beacon data rate, size of beacon frame, beacon interval, and number of APs per channel. When using a 1 Mbps beacon data rate, the impact of this overhead is much higher than when using a 6 Mbps data rate for beacons. With more than 3, you can quickly see your network performance degrading as the SSIDs’ necessary beaconing and responses to broadcast Probe responses clogs the network.
We recommend deploying:
- SSID 1 for employees, staff, faculty, etc. This should be the most secure network.
- SSID 2 for guests. This network can be enabled with an open or pre-shared key, or an user agreement.
- SSID 3 as a catchall network for any other devices such as smart thermostats and printers.
Should I hide my SSIDs?
Hiding the SSID name was once considered a security mechanism, while it never actually was. The name of the SSID can be discovered very easily using passive sniffing, and waiting until a device that knows the SSID name connects to that SSID. Therefore, hiding the name does not offer any security benefit at all. These days, some AP vendors (Cisco Meraki) automatically hide the SSID name on the 2.4 GHz band as a means for band-steering, while others may allow the same to be done by manual configuration. Other than that, hiding the SSID name can only cause additional Probe Requests traffic from devices (hence additional overhead) as each device may now send a broadcast Probe as well as a unicast Probe Request. Hiding the SSID name can also make it hard for your employees to find the network, which can lead to IT constantly answering the question, “How do I connect?”
How to secure SSIDs
First, as mentioned above, have two or three SSIDs so that network traffic can be separated based on user roles. This limits the number of users that have access to secure data. The different SSIDs can be protected by requiring everything from passwords and acknowledged user policies for guest networks, to enabling WPA2-Enterprise security on employee networks. It’s important to note that many IoT devices don’t support WPA2-Enterprise security and should be kept on separate networks to prevent them from being hacked and providing someone with easy access to secure data.
Secondly, use firewalls to restrict access to certain applications and ports.
Thirdly, use a WiFi Automation platform to monitor ports and alert IT to any open ports and rogue APs. Work with a platform like the Wireless Intelligence Platform (WIP)™ that will alert IT to any changes in network behavior – like a port being opened that is usually closed – and that will automatically detect all APs and classify them as Mine, Known, Unknown, or Unauthorized. An Unknown or Unauthorized AP could be a sign that a malicious user is operating within your wireless network environment. Even if harmless, these APs can steal some of your bandwidth, degrading network performance for all employees. It’s best for everyone if IT receives real-time alerts that these APs are around.
WIP™ will also detect which devices are connecting to the network via each SSID. This additional security check allows IT to see if a Guest has somehow connected to a secure network, or if employees are not connecting securely.
How to allocate bandwidth between SSIDs
You want the majority of your bandwidth going to your primary network, SSID 1, since this is the network responsible for supporting all critical business practices. There are different regulatory functions that can be used to control bandwidth, such as prioritizing a certain SSID or even allocating a fixed amount of bandwidth per user. To truly make the most of these functions and ensure optimization, IT needs complete visibility into the network.
With complete visibility, IT can see what devices are accessing the network, how much bandwidth devices are taking up, and can track trends and utilization to see where bandwidth needs to be allocated for streamlined, issue-free performance.
For example, if more employees are video-conferencing, what has that done to bandwidth usage? Or, if a dozen new WiFi security cameras were installed, do they have the bandwidth they need to operate without disrupting other devices?
Answering these questions requires constant usage analytics as bandwidth needs fluctuate not only throughout the month but throughout the day as devices connect and disconnect, and users perform different tasks. IT either needs to be able to “babysit” the network themselves 24/7, or outsource the time-consuming work to a platform like WIP.
WIP automates the entire process, enabling IT to focus on other mission critical tasks. The platform will alert IT to any issues in real-time, and store historical data for later review. It’s this historical data that will provide insights into long-term trends in utilization and performance, providing administrators with the intel they need for the most cost-effective and efficient budget and capacity planning.
The easy way forward
While an SSID might be simple in name, it is far from simple in terms of behavior. Optimizing the network and future-proofing it cost-effectively and efficiently requires the ability to analyze thousands of data packets a second in real-time. This simply isn’t possible for humans. Work with a WiFi Automation platform today and remove ‘Worry about the WiFi’ from your list of to-dos.