SSID Monitoring
What Is SSID Monitoring?
Monitoring the SSIDs (wireless network names) in range provides situational awareness: you can manually verify that no potentially malicious networks are nearby, including ones that the similar-sounding-SSID or restricted-SSID monitors might miss. It also lets you detect new, unexpected networks, such as a printer that starts its own network for device adoption, or an unauthorized mobile hotspot that could introduce vulnerabilities without your knowledge.
Newly detected networks should be treated as informational rather than as critical alerts until they have been investigated and classified, to confirm that they do not pose a security risk.
You can learn more about the concept and practice of SSID monitoring in the nzyme knowledge base.
Configuration
The SSID monitoring functionality offers the following configuration options in the web interface:
| Configuration | Default | Description |
|---|---|---|
| Is monitoring enabled | false | Networks are only collected and added to the list of known networks if enabled. Disabling it also disables any alerting for new SSIDs, because no new SSIDs are discovered. |
| Is event generation enabled | false | Events (alerts) are only triggered if enabled. See also Training Period below. |
| Minimum continuous network dwell time | 5 minutes | How long a network has to be seen continuously before it is considered a new network. Used to avoid detecting extremely transient networks and to reduce false alerts. (Currently not user-configurable.) |
Required Permissions
All super administrators, organization administrators and tenant users with the Manage Monitored WiFi Networks permission can configure SSID monitoring and manage known networks.
How Are New Networks Added?
Nzyme automatically scans recorded WiFi data for new networks in the background if Is monitoring enabled is set to true. A network is only added to the list of known networks once it has been seen continuously for the minimum dwell time (see Configuration above); shorter-lived networks are not recorded and cannot alert.
Approving Networks
Approving a network will keep it from triggering any alerts and resolve all related alerts within a few minutes.
Revoking the approval of a network will make it trigger alerts again until ignored, deleted or approved.
Ignoring Networks
Ignoring a network keeps it in the list of known networks and keeps it from triggering any alerts, but does not mark it as approved. Existing alerts will automatically resolve within a few minutes.
Deleting Networks
Deleting a network will make it disappear from the list and all related alerts will automatically resolve within a few minutes. The network will re-appear as a new, unapproved network the next time it is observed by nzyme.
Training Period
You can set up a training period so the system first learns about all networks in range, then approve or ignore them as required, and only then enable event/alert creation:
- Set Is monitoring enabled to true.
- Keep Is event generation enabled set to false. This makes sure no SSID monitoring events/alerts are created while you are still classifying networks.
- Wait several hours to make sure that all networks in range are listed in the table of known networks.
- Approve, ignore, and delete known networks as applicable.
- Set Is event generation enabled to true. No SSID monitoring alerts should be triggered if you approved, ignored, or deleted all networks in the previous step.
Retention Cleaning
Nzyme automatically deletes all known networks that have not been seen in the previous 30 days. Once removed, such a network is no longer known, so it will re-appear as a new, unapproved network if it is observed again, and any earlier approval has to be granted again.
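The procedure above, together with the dwell time, the approve/ignore/delete actions and retention cleaning, can be modelled as a small state machine. The following Python is an added example written for this page and is not nzyme's own implementation: the class and method names, the 90-second continuity gap (MAX_GAP), and the SSIDs and timestamps used in demo() are assumptions and constructed data; the 5-minute dwell time and 30-day retention are the defaults stated on this page.

```python
"""Model of the SSID-monitoring workflow this page describes (added example, not
nzyme's own code): dwell time, known-network states, alerting and retention."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DWELL_TIME = timedelta(minutes=5)   # page default: minimum continuous dwell time
RETENTION = timedelta(days=30)      # page default: unseen this long -> removed
MAX_GAP = timedelta(seconds=90)     # assumption: a longer gap breaks "continuous"


@dataclass
class KnownNetwork:
    ssid: str
    first_seen: datetime
    last_seen: datetime
    status: str = "new"             # "new" | "approved" | "ignored"


class SsidMonitor:
    def __init__(self, monitoring_enabled=False, events_enabled=False):
        self.monitoring_enabled = monitoring_enabled
        self.events_enabled = events_enabled
        self.candidates: Dict[str, List[datetime]] = {}  # ssid -> [first, last]
        self.known: Dict[str, KnownNetwork] = {}
        self.open_alerts: set = set()                     # SSIDs with an unresolved alert

    def observe(self, ssid: str, seen_at: datetime) -> Optional[KnownNetwork]:
        """Feed one sighting. Returns the record if the SSID is a known network
        after this sighting, None while it is still a transient candidate."""
        if not self.monitoring_enabled:
            return None                                   # nothing collected, nothing alerts
        net = self.known.get(ssid)
        if net is None:
            cand = self.candidates.get(ssid)
            if cand is None or seen_at - cand[1] > MAX_GAP:
                self.candidates[ssid] = [seen_at, seen_at]  # (re)start the dwell clock
                return None
            cand[1] = seen_at
            if cand[1] - cand[0] < DWELL_TIME:
                return None
            net = self.known[ssid] = KnownNetwork(ssid, cand[0], seen_at)
            del self.candidates[ssid]
        net.last_seen = seen_at
        if net.status == "new" and self.events_enabled:   # unapproved, not ignored
            self.open_alerts.add(ssid)
        return net

    def set_status(self, ssid: str, status: str) -> None:
        """approve / ignore resolve open alerts; revoking ("new") re-arms them."""
        self.known[ssid].status = status
        if status != "new":
            self.open_alerts.discard(ssid)

    def delete(self, ssid: str) -> None:
        del self.known[ssid]                               # re-appears as new when seen again
        self.open_alerts.discard(ssid)

    def cleanup(self, now: datetime) -> List[str]:
        # Retention cleaning: drop known networks unseen for more than RETENTION.
        stale = sorted(s for s, n in self.known.items() if now - n.last_seen > RETENTION)
        for s in stale:
            del self.known[s]
        return stale


def demo() -> dict:
    """Training-period procedure run over constructed sightings; returns what happened."""
    t0 = datetime(2024, 1, 1, 9, 0)                       # constructed timestamps
    mon = SsidMonitor(monitoring_enabled=True, events_enabled=False)
    out = {}
    for m in range(6):                                    # CorpWiFi beacons once a minute
        mon.observe("CorpWiFi", t0 + timedelta(minutes=m))
    out["corp_known_after_training"] = "CorpWiFi" in mon.known
    out["alerts_during_training"] = sorted(mon.open_alerts)
    mon.set_status("CorpWiFi", "approved")
    mon.observe("burst-hotspot", t0)                      # two sightings 10 min apart: transient
    mon.observe("burst-hotspot", t0 + timedelta(minutes=10))
    out["burst_known"] = "burst-hotspot" in mon.known
    mon.events_enabled = True                             # training done, alerts on
    for m in range(20, 26):                               # printer adoption network appears
        mon.observe("HP-Setup-1A2B", t0 + timedelta(minutes=m))
    out["alert_after_printer"] = sorted(mon.open_alerts)
    mon.set_status("HP-Setup-1A2B", "ignored")
    out["alerts_after_ignore"] = sorted(mon.open_alerts)
    mon.delete("HP-Setup-1A2B")                           # deleted, then seen again -> new
    for m in range(30, 36):
        mon.observe("HP-Setup-1A2B", t0 + timedelta(minutes=m))
    out["alert_after_delete_and_reappear"] = sorted(mon.open_alerts)
    mon.observe("CorpWiFi", t0 + timedelta(minutes=40))   # approved: silent
    out["corp_alert_while_approved"] = "CorpWiFi" in mon.open_alerts
    mon.set_status("CorpWiFi", "new")                     # revoke approval
    mon.observe("CorpWiFi", t0 + timedelta(minutes=41))   # alerts again
    out["corp_alert_after_revoke"] = "CorpWiFi" in mon.open_alerts
    out["removed_by_retention"] = mon.cleanup(t0 + timedelta(days=31))
    off = SsidMonitor()                                   # monitoring off: nothing is collected
    out["known_when_disabled"] = off.observe("x", t0) is None and not off.known
    return out
```

Running demo() walks through the training period: the corporate network is learned without alerting because event generation is still off, a hotspot seen only twice ten minutes apart never satisfies the dwell time, the printer's adoption network alerts once events are enabled and falls silent when ignored, and a deleted network alerts again only after it has been seen continuously for another five minutes. The continuity gap is the one knob the page does not specify; in a real deployment it would have to match the beacon interval of the networks you expect to see.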