[52226] in North American Network Operators' Group
Re: Wireless insecurity at NANOG meetings
daemon@ATHENA.MIT.EDU (Tony Rall)
Sat Sep 21 18:37:48 2002
To: nanog@merit.edu
From: Tony Rall <trall@almaden.ibm.com>
Date: Sat, 21 Sep 2002 15:36:06 -0700
Errors-To: owner-nanog-outgoing@merit.edu
On Saturday, 2002-09-21 at 17:46 AST, Sean Donelan <sean@donelan.com>
wrote:
> I'm waiting for one of the professional security consulting firms to
issue
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
>
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.
>
> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think. What are we really trying to protect?
I don't have an issue with the meeting use of wireless. To me it is not
much different from connecting my machine to the open Internet. My
traffic is more sniffable, but I always consider that any Internet traffic
is sniffable.
There are only 2 exposures with the NANOG wireless setup - compared to
using a wired NANOG connection:
1. The traffic is more easily sniffable, and it's sniffable by non-NANOG
members (not to say that it wouldn't be hard for a nonmember to use one of
NANOG's wired connections and not to say that NANOG members should be more
trusted with my network traffic than nonmembers).
2. NANOG bandwidth can be more easily stolen.
I protect my usage in 2 ways:
a. Traffic that I might rather not be revealed (including all of my email)
to sniffers is sent over an encrypted tunnel.
b. I use a personal firewall on my machine (in paranoid mode) to provide
some protection against the machine itself being attacked.
So, someone can steal "NANOG" resources and could sniff my web browsing
(for example). I am not concerned.
(BTW, the use of an SSID without encryption is useless against an even
slightly determined interloper.)
Even if NANOG had a good system to provide WEP keys to registered users
there isn't really anything to stop malicious folks from registering.
Assume there is evil out there and act accordingly.
Tony Rall
