Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Wireless insecurity at NANOG meetings

  • From: Stephen Sprunk
  • Date: Mon Sep 23 10:07:33 2002

Thus spake "Sean Donelan" <sean@donelan.com>
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.

There is no useful security mechanism that can be applied to NANOG wireless.

WEP assumes a black-and-white security model, just like most VPNs: if a user is
on the "inside", they're fully trusted.  This is somewhat reasonable in the
corporate world, where all of the users are employees who are responsible to a
common entity, but it has no application to NANOG or other public events where
none of the users are responsible to the operator, much less have any trust for
each other.  There is no sense giving people the illusion of security here.

Many corporations are going to open access-points "outside" their firewall and
requiring per-user VPNs to access any data-center resources.  This is the
simplest (and cheapest) solution to deploy and offers security folks the best
options for AAA besides.

I can't say without a sniffer, but I'd bet that most NANOG participants are
doing the same: SSH or IPsec VPN's back to home (wherever that is).  Anyone who
isn't is begging to be hacked, WEP or not.  Anyone interested in hacking NANOG
attendees' networks is likely a NANOG attendee himself.  Caveat attendor.

S





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.