Wireless insecurity at NANOG meetings

Tony Rall trall at almaden.ibm.com
Sat Sep 21 22:36:06 UTC 2002


On Saturday, 2002-09-21 at 17:46 AST, Sean Donelan <sean at donelan.com> 
wrote:
> I'm waiting for one of the professional security consulting firms to 
issue
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
> 
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.
> 
> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think.  What are we really trying to protect?

I don't have an issue with the meeting use of wireless.  To me it is not 
much different from connecting my machine to the open Internet.  My 
traffic is more sniffable, but I always consider that any Internet traffic 
is sniffable.

There are only 2 exposures with the NANOG wireless setup - compared to 
using a wired NANOG connection:

1. The traffic is more easily sniffable, and it's sniffable by non-NANOG 
members (not to say that it wouldn't be hard for a nonmember to use one of 
NANOG's wired connections and not to say that NANOG members should be more 
trusted with my network traffic than nonmembers).

2. NANOG bandwidth can be more easily stolen.

I protect my usage in 2 ways:

a. Traffic that I might rather not be revealed (including all of my email) 
to sniffers is sent over an encrypted tunnel.

b. I use a personal firewall on my machine (in paranoid mode) to provide 
some protection against the machine itself being attacked.

So, someone can steal "NANOG" resources and could sniff my web browsing 
(for example).  I am not concerned.

(BTW, the use of an SSID without encryption is useless against an even 
slightly determined interloper.)

Even if NANOG had a good system to provide WEP keys to registered users 
there isn't really anything to stop malicious folks from registering. 
Assume there is evil out there and act accordingly. 

Tony Rall



More information about the NANOG mailing list