Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Wireless insecurity at NANOG meetings

  • From: Sean Donelan
  • Date: Sat Sep 21 20:49:02 2002

On Sat, 21 Sep 2002, Martin J. Levy wrote:
> >I agre security is sadly lacking, but it is probably impossible to
> >implement in a conference environment.
> Look this is a very simple issue.  Sean's first post really pointed out
> that it's "bad form" for a set of operators to run an insecure network.
> I would believe that it's "good form" to at least try.  It was stated
> that the network was not run by the "operators".  OK, I accept that, but
> it's run by people with great (actually fantastic) connections to real
> operators (ie: us).

I feel like a Rorschach Test.

Is the Nanog confernce network really insecure for its purpose?

Some security experts may claim it is, but I'm not certain they are
correct.  Do you put a biometric reader and armed guard next to a
public drinking fountain?  What is the risk of someone stealing
the water? Its possible, even likely, an unauthorized person will
take a drink but what is the loss versus the cost of more security
for the drinking fountain?

Yes, some security consulting firm issuing press releases about the
dangers of war-chalking, war-driving, war-pr may claim the network is
insecure.  Its great for generating publicity.

The Nanog conference wireless network a semi-public, unauthenticated
network used by several hundred competitors for a few days.  It is about
as secure as the wired network, the hotel in-room cable, cellular
telephones or most other available means of communication at a convention
center. Users can take appropriate measures to secure their communications
based on their risk acceptance.

I don't see much of a need to rely on a volunteer network operator to
provide what I think is the appropriate level of security for my
communications.  Heck, even if Nanog used the latest, greatest network
security whiz-bang gadgets to secure the network; I still wouldn't rely
on it.

> WEP may not be a good protocol, but it's better than nothing.  If
> people thing it's hard to configure, then run two networks.. one without
> WEP and one with WEP.

Link-layer encryption always sounds like a "simple" security solution.
But when using other people's networks, you are usually better off with a
different security solution.  How many people use modems with encryption
to dial into their local ISP?  How many use link-layer encryption with
their NIC cards on their wired networks?

> Security is a relative thing... Normally security at the door to the
> nanog conference hall is "low", but that does not seem to bother many
> people.  (Hence security at a "wired" locations within the conference is
> "low" making the WEP issue mute).

ICANN had armed guards at its meeting to keep the rif-raff out.  I don't
think NANOG requires that level of security (yet).  We still run the
network cable down the hallways, and "hide" the wireless access points
in the potted palms next to the bar.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.