Terminal Rooms are no different then an internet cafe, you are using an untrusted system to access an untrusted network, and should be treated as such. The wireless network, is just an untrusted network, send over it what you would send over such a network. There is honor among thieves, but none among idle network admins who left their nerf guns back at the office. ssh, or encrypted vpn traffic is the only thing that should be sent over the network to connect to remote systems. Enabling WEP or setting a difficult to guess SSID would be silly, given that it is a public network, the SSID would probably posted in the terminal room anyways. Plus there are numerous tools to decrypt WEP in almost real time, with 400 stations, it wouldn't take long to gather the needed packets. Ultimately security is the responsibility of the person or organization affected by the lack of it. Which is something most people fail to realize consistantly. Sameer
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean Donelan Sent: Saturday, September 21, 2002 2:46 PM To: nanog@merit.edu Subject: Wireless insecurity at NANOG meetings
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people.
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?