nanog mailing list archives
Re: Wireless insecurity at NANOG meetings
From: "Stephen Sprunk" <ssprunk () cisco com>
Date: Mon, 23 Sep 2002 09:04:05 -0500
Thus spake "Sean Donelan" <sean () donelan com>
> The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
There is no useful security mechanism that can be applied to NANOG wireless. WEP assumes a black-and-white security model, just like most VPNs: if a user is on the "inside", they're fully trusted. This is somewhat reasonable in the corporate world, where all of the users are employees who are responsible to a common entity, but it has no application to NANOG or other public events where none of the users are responsible to the operator, much less have any trust for each other. There is no sense giving people the illusion of security here.

Many corporations are going to open access-points "outside" their firewall and requiring per-user VPNs to access any data-center resources. This is the simplest (and cheapest) solution to deploy and offers security folks the best options for AAA besides.

I can't say without a sniffer, but I'd bet that most NANOG participants are doing the same: SSH or IPsec VPNs back to home (wherever that is). Anyone who isn't is begging to be hacked, WEP or not.

Anyone interested in hacking NANOG attendees' networks is likely a NANOG attendee himself. Caveat attendor.

S