North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Wireless insecurity at NANOG meetings
- From: Kevin Oberman
- Date: Sat Sep 21 19:14:00 2002
> Date: Sat, 21 Sep 2002 17:46:27 -0400 (EDT)
> From: Sean Donelan <email@example.com>
> Sender: firstname.lastname@example.org
> On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
> > Anyway, in our efforts to see security weaknesses everywhere, we might be
> > going too far. For instance, nearly all our current protocols are
> > completely vulnerable to a man-in-the-middle attack. If someone digs up a
> > fiber, intercepts packets and changes the content before letting them
> > continue to their destination, maybe the layer 1 guys will notice, but not
> > any of us IP people.
> I'm waiting for one of the professional security consulting firms to issue
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.
> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think. What are we really trying to protect?
> Banks are mostly concerned about people defrauding the bank, not the
> bank's customers. Banks rarely check the signature on a check. Is
> security just perception?
I agre security is sadly lacking, but it is probably impossible to
implement in a conference environment.
What is inexcusable is that the NANOG management does not make LOUD
noises about the risks and run an IDS to be able to warn people about
I work a large computer trade show every year that has an open
wireless network of very large size. Covers the entire exhibit hall,
all meting rooms, the lobby, with antennas pointed at larger hotels
near the conference. No WEP and no closed SSID because WEP is not
practical in such an environment and a closed SSID is too trivial to
hack to make it worth the number of complaints we would have.
We do have large security advisories that the network is wide open in
all conference materials and run a really impressive IDS (multiple
systems running Vern Paxon's BRO to monitor the DS-3 and as much of
th4e various OC-192s an OC-48s as possible. With several OC-192s, it
seems that some packets will have to be dropped this year, but we will
We tried displaying passwords last year, but several folks thought it
was fun to telnet to some system and enter something unprintable as the
password to watch it appear on the screen.
It's not an easy problem, less so for a conference/show that involves
lots of non-network people. I believe the key is warning attendees
that the net is subject to sniffing and clear-text passwords should
not be used. Couple that with a good IDS and make sure that things
like Code Red and nimda infections are isolated quickly is about all
you can do. Sort of like waring people that they need to keep a close
sys on laptops, keep a close eye on the network.
Last year slashdot even carried a note that the net was open at the
Denver Convention Center and we survived with minimal problems.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: email@example.com Phone: +1 510 486-8634