Security Basics mailing list archives

Re: wifi security

From: "simon (www.snosoft.com)" <simon () snosoft com>
Date: Mon, 08 Sep 2003 17:28:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave,

I agree with you that all points of vulnerability are a threatregardless of how small. But I disagree that all points ofvulnerability pose an equal threat. Fact is, script bunnies and youraverage cracker aren't going to read the rf from copper and translateit. In fact, the average one most probably doesn't even have theslightest idea as to how to do that.

The answer to the question of security levels also depends on thenature of the client and their data. There are A's and C's where do theyfall?

So, understanding your point as "all points of vulnerability areimportant" I will agree. I will however not agree that all points ofvulnerability are equal. If copper rf sniffing becomes popular some how,then the risk will increase... but right now, copper is safer imho.




Dave Killion wrote:
> Simon,
>
> Wifi is obviously easier to obtain that copper or fiber - there's no
> argument there.  I also agree with you on the relative merits of
> air-vs-copper, and copper-vs-fiber.
>
> But in order to address security properly, you must assume that an
> attacker has access to your dataflow *regardless* of the physical medium
> over which it travels.  To think otherwise is naive.  All of these medium
> are interceptible under the proper conditions.
>

> I stand by my statement - IPSec (and "good" encryption in general) isjust

> as secure over any of the transmission mediums.  A good attacker will get
> your flow - which makes the medium issue moot.
>
> In order to use wifi securely, of course you need to add layers of
> protection.  But my point is, these layers are prudent under any
> circumstance.
>
> -Dave
>
> P.S. - My bank reference had nothing to do with bank network
> administrators.  It had everything to do with the standards and protocols
> they specify.
>
> -----Original Message-----
> From: simon (www.snosoft.com) [mailto:simon () snosoft com]
> Sent: Monday, September 08, 2003 1:33 PM
> To: Mark Medici
> Cc: Dave Killion; D'Amato Luigi; lists () kentane net;
> security-basics () lists securityfocus com
> Subject: Re: wifi security
>
>

In response to Dave Killion:

"Just the same, IPSec over WiFi is just as secure as IPSec
over copper or fiber.  And it's good enough for banks to use.
It all comes down to managing risk.  Good encryption can be useful."

Dave, with all due respect you are wrong...

Fact is when you send data out over the air via any method the signal
will be stronger than it would be out of a cat5 (I figured that this
would be obvious). When using cat5 it is simply not easy to collect
radio waves and turn them into anything useful.

Having said that it is correct to say that copper is more secure than
air, and fibre is more secure than copper assuming that all is equal in
the data going over the line.

What are the chances of someone recording your radio waves from cat5 v.s
the chances of someone recording data from 802.11x?

Also, don't use banks as an example of security, IMHO they are not
secure enough. What is good enough for a bank network is far from good
enough for mine. It is not that their administrators are idiots, because
they are not idiots, they just don't have the time to do what the
hackers of today have the time to do.


Mark Medici wrote:

Actually, the most secure networks are required to run fiber-optic


inside

of pressurized conduit with full-time monitoring against physical
intrusion.  This is because even fibre-optic can  tapped without


breaking

the optical conductor if you have sufficient knowledge, skill and
patience, plus a few specialized tools.

Of course, this is probably too extreme for most private enterprises.

-----Original Message-----
From: Dave Killion [mailto:Dkillion () netscreen com]
Sent: Wednesday, August 27, 2003 12:38 PM
To: 'simon () snosoft com'; D'Amato Luigi
Cc: lists () kentane net; security-basics () lists securityfocus com
Subject: RE: wifi security

Simon,

Even copper can create interceptible radio waves if one is in
close enough proximity to the cable.  Which is why for Top
Secret data networks the DoD uses fiber.

Yes, there are fiber taps and what not, but copper can be
intercepted non-invasively.

Just the same, IPSec over WiFi is just as secure as IPSec
over copper or fiber.  And it's good enough for banks to use.
It all comes down to managing risk.  Good encryption can be useful.

-Dave

-----Original Message-----
From: -SIMON- [mailto:simon () snosoft com]
Sent: Tuesday, August 26, 2003 12:32 PM
To: D'Amato Luigi
Cc: lists () kentane net; security-basics () lists securityfocus com
Subject: Re: wifi security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Actually,
        What I would suggest for wireless security is simply
not sending your sensitive data out over the air.  Encrypted
or not, you are still sending it out for everyone and anyone
to snag. If you are relying on the encryption for good
security, well, you are simply assuming that no one else has
the key, or a way to crack it.

Sensitive data == copper.
other can == air.

D'Amato Luigi wrote:

try
www.securitywireless.info


----------------------------------------------------------------------

--


---

----------------------------------------------------------------------

--


----


- --

- -simon-
        http://www.snosoft.com
        Tibetan "Book of the Dead," ca. 4000 BC.

- --Regards,

        -simon-

        Secure Network Operations, Inc.
        http://www.secnetops.com || http://www.snosoft.com
        Office: 978-263-3829  Fax: 978-263-0033
        -------------------------------------------------------
        "Embracing the future of technology, protecting you..."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/XPR8f3Elv1PhzXgRAkzfAKDLjGNKCnpgFsJMGHvH2Pwftw66TwCdEkLX
ZsVeu6FDLLy+msLCjj1mIk4=
=Coti
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------

Captus NetworksAre you prepared for the next Sobig & Blaster?- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans- Precisely Define and Implement Network Security- Automatically Control P2P, IM and Spam TrafficFIND OUT NOW - FREE Vulnerability Assessment Toolkithttp://www.captusnetworks.com/ads/42.htm

----------------------------------------------------------------------------

Current thread:

RE: wifi security Mark Medici (Sep 02)
- Re: wifi security simon (www.snosoft.com) (Sep 08)
- <Possible follow-ups>
- RE: wifi security Dave Killion (Sep 08)
  - Re: wifi security simon (www.snosoft.com) (Sep 08)