North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Wireless insecurity at NANOG meetings
- From: Randy Bush
- Date: Sat Sep 21 18:10:42 2002
> I'm waiting for one of the professional security consulting firms
> to issue their weekly press release screaming "Network Operator
> Meeting Fails Security Test."
> The wireless networks at NANOG meetings never follow what the
> security professionals say are mandatory, essential security
> practices. The NANOG wireless network doesn't use any
> authentication, enables broadcast SSID, has a trivial to guess
> SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc,
> etc, etc. At the last NANOG meeting IIRC over 400 stations were
> active on the network.
> Are network operators really that clueless about security, or
> perhaps we need to step back and re-think. What are we really
> trying to protect?
the nanog net is not run by network operators. it is run by some
well-meaning non-op folk from merit. for example, if i can gather
the patience (unlikely), next week i will join the third conference
phone call to try to explain to the merit folk why it's really ok
to put vern's bro ids on the incoming. and the merit powers that
be specifically forbid warning folk about the wireless, showing
caught passwords, ... as we do at ietf.
the nanog net is run *for* operators, not *by* operators.
btw, the ietf/atlanta net will be run by operators. if you would
care to discuss how to make the wireless safer, we're all for it.
but do not be fooled that it is an easy problem. e.g., wep is a
joke, and is very hard to get people to set up.