
nanog mailing list archives
Re: Wireless insecurity at NANOG meetings
From: Tony Rall <trall () almaden ibm com>
Date: Sat, 21 Sep 2002 15:36:06 -0700
On Saturday, 2002-09-21 at 17:46 AST, Sean Donelan <sean () donelan com> wrote:
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."

The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.

Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?

I don't have an issue with the meeting use of wireless. To me it is not much different from connecting my machine to the open Internet. My traffic is more sniffable, but I always consider that any Internet traffic is sniffable.

There are only 2 exposures with the NANOG wireless setup - compared to using a wired NANOG connection:

1. The traffic is more easily sniffable, and it's sniffable by non-NANOG members (not to say that it wouldn't be hard for a nonmember to use one of NANOG's wired connections and not to say that NANOG members should be more trusted with my network traffic than nonmembers).
2. NANOG bandwidth can be more easily stolen.

I protect my usage in 2 ways:

a. Traffic that I might rather not be revealed (including all of my email) to sniffers is sent over an encrypted tunnel.
b. I use a personal firewall on my machine (in paranoid mode) to provide some protection against the machine itself being attacked.

So, someone can steal "NANOG" resources and could sniff my web browsing (for example). I am not concerned.

(BTW, the use of an SSID without encryption is useless against an even slightly determined interloper.)

Even if NANOG had a good system to provide WEP keys to registered users there isn't really anything to stop malicious folks from registering.

Assume there is evil out there and act accordingly.

Tony Rall