Wireless insecurity at NANOG meetings
John M. Brown
john at chagresventures.com
Mon Sep 23 02:53:56 UTC 2002
> Access control should be used when you need access control. Sometimes
> engineers need to step back from solving the problem, and look at whether
> the problem needs to be solved.
Yes...
> What access control do you need for a public drinking fountain?
Today, none, that was different in recent past.
> What access control do you need for a public wireless access point?
Depends on the network. If you are a provider of public wireless for
a fee, then you want to make sure you can charge the user. Thus you need
to beable to identify the user so you can charge them. You need to also
prevent theft of service, via false id's or bypassing the id method, etc.
For events like a NANOG, et al, given the large number of "different
and ad-hoc" systems, identificaion is more a pain. It needs to be balanced
between the "cost, hassle factor" and the life of the network.
I'd say that mostly this is a rat hole thread.
Short lived conference networks will be insecure. Those attending should
be told, and expect it. They should prepare accordingly.
Show ops should have plans incase someone steals bandwidth, or causes
other problems with the "important show net stuff" like multicast feeds.
The cost and management requirements to deploy a reasonably secured network
for a show are higher than the benifits....
I don't see conferences giving out USB dongles to people with their ID
stored, or SecureID cards anytime soon :)
>
> WEP won't keep people from hacking other laptops at Nanog meetings, and
> won't stop people from sniffing plain-text passwords. Everyone at the
> meeting will have the key, and a secret shared with 500 people won't stay
> secret for even two days. For a network with no other access control,
> what purpose does WEP serve?
As long as we are all on a shared layer two network, we are vulnerable.
john brown
More information about the NANOG
mailing list