North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Wireless insecurity at NANOG meetings
- From: Tony Rall
- Date: Sat Sep 21 18:39:29 2002
On Saturday, 2002-09-21 at 17:46 AST, Sean Donelan <email@example.com>
> I'm waiting for one of the professional security consulting firms to
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.
> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think. What are we really trying to protect?
I don't have an issue with the meeting use of wireless. To me it is not
much different from connecting my machine to the open Internet. My
traffic is more sniffable, but I always consider that any Internet traffic
There are only 2 exposures with the NANOG wireless setup - compared to
using a wired NANOG connection:
1. The traffic is more easily sniffable, and it's sniffable by non-NANOG
members (not to say that it wouldn't be hard for a nonmember to use one of
NANOG's wired connections and not to say that NANOG members should be more
trusted with my network traffic than nonmembers).
2. NANOG bandwidth can be more easily stolen.
I protect my usage in 2 ways:
a. Traffic that I might rather not be revealed (including all of my email)
to sniffers is sent over an encrypted tunnel.
b. I use a personal firewall on my machine (in paranoid mode) to provide
some protection against the machine itself being attacked.
So, someone can steal "NANOG" resources and could sniff my web browsing
(for example). I am not concerned.
(BTW, the use of an SSID without encryption is useless against an even
slightly determined interloper.)
Even if NANOG had a good system to provide WEP keys to registered users
there isn't really anything to stop malicious folks from registering.
Assume there is evil out there and act accordingly.