Re: Whitehouse Tackles Cybersecurity
In message <3D8899BF.6060301@ehsco.com>, "Eric A. Hall" writes:
on 9/18/2002 10:12 AM Sean Donelan wrote:
On Wed, 18 Sep 2002 sgorman1@gmu.edu wrote:
A little flavor of what I'd alluded to in some of the previous threads. Any guesses what the proposal to change both BGP and DNS to improve security might entail??
The official document should be posted on WhiteHouse.GOV later today.
Is it on again?
See http://www.whitehouse.gov/pcipb/
A news story I saw said that they're treating this as a draft, too, and asking for two months of public comment.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
On Wed, 18 Sep 2002, Steven M. Bellovin wrote:
Wow, we should all start using out of band management. Anyone think it is feasible to do management of an IP network exclusively out of band? And BGP should be more secure. What is the problem we should be trying to fix here? There is a "Secure BGP" draft: http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt Implementing this may make BGP very secure, but it will make the internet as a whole much less reliable because routing will no longer be a function that can be performed autonomously by routers, but something that's tied into a global (public key) infrastructure. An infrastructure that depends on routing to work... Hello circularity. I read solutions (well, avenues for possible solutions) without a good indication of what the problem is. (That goes for both the Secure Cyberspace and S-BGP drafts.)
On Wed, Sep 18, 2002 at 07:31:41PM +0200, Iljitsch van Beijnum wrote:
On Wed, 18 Sep 2002, Steven M. Bellovin wrote:
Wow, we should all start using out of band management. Anyone think it is feasible to do management of an IP network exclusively out of band?
And BGP should be more secure. What is the problem we should be trying to fix here? There is a "Secure BGP" draft: http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt
I think the problem that people are attempting to address is the fact that most interprovider bgp sessions are unfiltered and this can cause significant problems if someone starts leaking improper routes or decides to do something malicious. Authentication of routing announcements is seen as better than "just letting it all slosh around".
Implementing this may make BGP very secure, but it will make the internet as a whole much less reliable because routing will no longer be a function that can be performed autonomously by routers, but something that's tied into a global (public key) infrastructure. An infrastructure that depends on routing to work... Hello circularity.
Well, you need to have graded levels of trust. You will trust your upstream more than your customers obviously. But yeah, there do become some issues if people aren't doing local mirroring of the dataset and they break their configs badly and need to reconfigure. This does increase the barrier to entry significantly in getting your announcements out there.
I read solutions (well, avenues for possible solutions) without a good indication of what the problem is. (That goes for both the Secure Cyberspace and S-BGP drafts.)
Well, there are significant problems today with router architecture that prevent s-bgp and other things from being deployed. Namely start looking at those still using 2500/4500/4700 for bgp in their networks (yes people still do this) and then ask it to do some major cryptographic authentication... The hardware is not designed for this. Even a reasonable amount of today's 'modern' hardware may not be able to handle this due to the centralized architecture. (take the above router types as example as well as any others that don't have distributed forwarding). When "W" goes surfing the net at night to shop for things on ebay and can't get there because someone is improperly announcing a /24 to hijack/DoS them, these are the things that they will suggest down that there needs to be authentication and centralized routing data created. Take a look at the LERG sometime if you have the ability to see it. Lists the CLLI for each NPA-NXX that you are required to deliver the call to. There are those that understand that there are more complicated lookups involved but without people from the industry providing feedback and playing hawk on the gov't, we may not like what they come up with if we don't get people involved.
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Wed, 18 Sep 2002, Jared Mauch wrote:
And BGP should be more secure. What is the problem we should be trying to fix here? There is a "Secure BGP" draft: http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt
I think the problem that people are attempting to address is the fact that most interprovider bgp sessions are unfiltered and this can cause significant problems if someone starts leaking improper routes or decides to do something malicious.
Authentication of routing announcements is seen as better than "just letting it all slosh around".
It does. But the problem is that what you can know to be good is very likely to be a lot less than what is actually good. So if you simply start requiring authentication, you're going to break reachability in some places.
I read solutions (well, avenues for possible solutions) without a good indication of what the problem is. (That goes for both the Secure Cyberspace and S-BGP drafts.)
Well, there are significant problems today with router architecture that prevent s-bgp and other things from being deployed. Namely start looking at those still using 2500/4500/4700 for bgp in their networks (yes people still do this) and then ask it to do some major cryptographic authentication... The hardware is not designed for this.
The protocols aren't designed for it either. This is a good thing, because every router can run the necessary protocols autonomously. But it also means a huge duplication of effort. It seems pretty ridiculous to me to have each and every router do strong crypto on each and every BGP update. This kind of stuff should run on centralized servers with adequate disk capacity to cache results. The hard part is integrating such a solution into what we have now. I'm thinking of a protocol that enables BGP routers to consult "policy servers" about the updates they receive. When very strict security is required, the router waits for the PS to clear the update before allowing it, but in a less strict setup the router could process updates and remove the routes later if the PS doesn't like them. In this case, loss of the PS doesn't break the network. So we still have autonomy and implementing new security features becomes much easier because only the policy servers have to know about them.
When "W" goes surfing the net at night to shop for things on ebay and can't get there because someone is improperly announcing a /24 to hijack/DoS them,
Announcing a /24 you have no business announcing is a VERY hard thing to do. The overwhelming majority of all ISPs has strict filtering on BGP announcements from customers. Now if the same were true for source address filtering for IP packets, it would be possible to adequately filter DoS traffic (unless massively distributed in nature).
these are the things that they will suggest down that there needs to be authentication and centralized routing data created.
Actually this particular BGP weakness isn't that hard to address: you only need to verify the first few AS numbers in the path and the prefix using a routing registry. You don't even need any crypto (in BGP, at least) for that. And if you want to make it really secure you can add a signature attribute at the source. That costs extra memory in routers, but it's doable. My problems are with the assumption in the S-BGP draft that information in BGP must be protected against modification by routers it passes legitimately. I think some reasonable level of trust is necessary. After all, we trust others to prepare our food, stop for a red light when we cross the road and so on. Or maybe we can all promise to password protect our BGP sessions?
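The registry check described in the message above, combined with the strict and lenient policy-server modes from the same message, as an added example that is not part of the original thread. The registry contents, AS numbers, prefixes and function names are constructed for illustration, and treating "the first few AS numbers" as the origin AS plus its adjacent upstream is an assumption.

```python
import ipaddress

# Constructed registry contents (not real allocations). A route object maps a
# prefix to an AS that is registered to originate it; UPSTREAMS lists the
# transit providers each origin AS has registered.
ROUTE_OBJECTS = [
    ("198.18.0.0/15", 64500),
    ("192.0.2.0/24", 64501),
    ("192.0.2.0/24", 64502),  # a prefix with two registered origins
]
UPSTREAMS = {64500: {64510, 64511}, 64501: {64510}}


def collapse(as_path):
    """Remove AS-path prepending (consecutive repeats of the same AS)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def check_update(prefix, as_path, routes=ROUTE_OBJECTS, upstreams=UPSTREAMS):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.

    as_path is in the order a router receives it: neighbour AS first,
    origin AS last. Only the origin and the AS next to it are checked.
    """
    net = ipaddress.ip_network(prefix)
    path = collapse(as_path)
    if not path:
        return "invalid"
    origin = path[-1]

    # Origins registered for this prefix or for any covering (shorter) prefix.
    registered = set()
    for reg_prefix, reg_origin in routes:
        reg_net = ipaddress.ip_network(reg_prefix)
        if reg_net.version == net.version and net.subnet_of(reg_net):
            registered.add(reg_origin)

    if not registered:
        return "unknown"   # registry says nothing: good routes can land here too
    if origin not in registered:
        return "invalid"   # e.g. a more-specific /24 from an unregistered AS
    if len(path) >= 2 and origin in upstreams and path[-2] not in upstreams[origin]:
        return "invalid"   # right origin, but reached through an unregistered upstream
    return "valid"


def accept(verdict, strict):
    """Strict mode accepts only 'valid'; lenient mode rejects only 'invalid'."""
    return verdict == "valid" if strict else verdict != "invalid"


if __name__ == "__main__":
    samples = [  # constructed announcements
        ("198.18.5.0/24", [64510, 64500]),
        ("198.18.5.0/24", [64510, 64666]),
        ("198.18.0.0/15", [64520, 64599, 64500, 64500]),
        ("203.0.113.0/24", [64510, 64777]),
    ]
    for prefix, path in samples:
        verdict = check_update(prefix, path)
        print(prefix, path, verdict,
              "strict:", accept(verdict, True), "lenient:", accept(verdict, False))
```

The "unknown" verdict is where the two modes differ: strict mode drops routes the registry has no data for, which is the reachability loss raised earlier in the thread, while lenient mode only removes routes the registry contradicts.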
On Wed, 18 Sep 2002, Iljitsch van Beijnum wrote:
Wow, we should all start using out of band management. Anyone think it is feasible to do management of an IP network exclusively out of band?
Welcome to my nightmare. Getting ISPs to participate is always difficult. I encourage ISPs to read the draft and send in their comments to the White House. Otherwise, because they are the ones participating, the future Internet security architecture will probably look like what a big telco thinks is a good security model. Why separate the circuit into 2B+D, just give me all the bandwidth. Is the telephone security model better than the Internet security model? It depends on who you ask. They both have interesting security issues. Unfortunately, a lot of it is based on perception on both sides, and only a little on fact. I would love to see some proposals from different ISPs how they view the Internet (or ISP) security architecture. Cisco, Sun, Lucent and Telcordia have vendor architectures. But what architecture works for real ISPs? What can we point to as a "good" Internet security architecture? Is there a difference between what works for a small, medium or large ISP? I can draw Internet security architectures until my fingers fall off, but they won't have the impact of industry consensus.
On Wed, 18 Sep 2002, Sean Donelan wrote:
:Is the telephone security model better than the Internet security model?
:It depends on who you ask. They both have interesting security issues.
:Unfortunately, a lot of it is based on perception on both sides, and only
:a little on fact.
Indeed, I am currently trying to retrofit security features onto a routed network designed by people who evidently have a better understanding of switching. It is no coincidence that they just happen to be telco network architects. (I can't believe I am still describing the importance of DNS to people in 2002, but I digress..) IMHO, the telco model is based on the notion of delivering services from a set of tiered providers instead of facilitating the interconnection of relatively autonomous networks. It's pretty much a difference of philosophical worldviews. While there is some conceptual overlap between them, they are not particularly isometric.
From a security perspective, the recommendations in this report are the same things that have been advocated for the last decade. In fact it looks like many of these recommendations could have been culled from the various vulnerability assessment report templates I have seen and even used over the years. I don't mean to undermine the importance of the strategy, but I think its impact will be through adding weight to us Cassandras in the security industry. Maybe they'll legislate Cisco's SAFE architecture on us all? ;)
:I can draw Internet security architectures until my fingers fall off, but
:they won't have the impact of industry consensus.
Well, I think the consensus was just handed to you in the form of a national mandate. In fact, I think this looks like an excellent premise for a business plan for a security consulting and managed services firm. Got Capital?
Cheers,
-- batz
At 6:03 PM -0400 2002/09/19, batz wrote:
Well, I think the consensus was just handed to you in the form of a national mandate. In fact, I think this looks like an excellent premise for a business plan for a security consulting and managed services firm.
Can you say "Counterpane Systems"? I knew you could. Thing is, if this does turn out to be a big win for them, I figure they'll actually do what is right and not what the government says. Maybe that's why they probably won't be the real "winners" out of this. Anyone want to make any guesses as to who's going to be the Microsoft of US Government-mandated computer security? Hmmm.... Maybe Microsoft? Why not? They bought the government to begin with and the top computer security guy in the administration used to work for them, so it only makes sense that they would reap the windfall. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Thu, 19 Sep 2002, batz wrote:
From a security perspective, the recommendations in this report are the same things that have been advocated for the last decade. In fact it looks like many of these recommendations could have been culled from the various vulnerability assessment report templates I have seen and even used over the years. I don't mean to undermine the importance of the strategy, but I think its impact will be through adding weight to us Cassandras in the security industry.
People expecting the government to wave a magic wand and make us all safe will be disappointed. Security consulting firms probably aren't going to get a windfall from the publication of the national strategy. But if you had more modest goals, the strategy did accomplish some things. Despite the daily drumbeat of vulnerability announcements, there really aren't any new fundamental causes of security problems. The National Academies of Sciences published a report last year recapping 10 years of computer and network security studies. http://www.nap.edu/catalog/10274.html The particular instance may change, but the classes of security problems are unchanging. Although the security problems are the same, the solutions can change. In the 1980's I had a Multics/Dockmaster account. Multics may have been secure, but the system sucked. Perimeter firewalls may not be the security solution for the next decade. Would anti-virus software become obsolete with a better kernel? Are the same password rules we had for our one mainframe account applicable in today's web with dozens of "logons"? I think we need to re-evaluate our best solutions for our security problems. That National Cybersecurity Strategy did a nice job of collecting the problems from all groups into one document, and showing an interdependence between the groups. Simply securing one industry, company or home user isn't enough to solve the problem. I am especially pleased that at least part of the US government now seems to recognize that security is more than just secrecy. Could the government move faster? It took over 15 years from the introduction of seat belts on an American car until they became "standard" items in American cars. The government only "mandated" seat belts after most car makers were already offering them. There were a lot of studies along the way. A democratic government can't get too far out in front of the public.
American Seat Belt History (http://www.lemurzone.com/airbag/belts.htm)
1947 The first time seat belts were offered in an American car was the Tucker. The state of the art then were Lap belts.
1956 Ford introduces seat belts in American cars
1964 Seatbelts became a "standard" feature in American cars
1966 Rear Seatbelts became Standard
1967 Front Seatbelts became Mandatory
1968 Shoulder Belts became Mandatory
Nevertheless, seat belts won't help unless the driver buckles up.
On Wed, 18 Sep 2002, Sean Donelan wrote:
I would love to see some proposals from different ISPs how they view the Internet (or ISP) security architecture. Cisco, Sun, Lucent and Telcordia have vendor architectures. But what architecture works for real ISPs? What can we point to as a "good" Internet security architecture? Is there a difference between what works for a small, medium or large ISP?
What exactly do you mean by "security architecture"? Many network security efforts seem to be inspired by Descartes. Several centuries ago, this very smart man sat down in front of the fire several nights in a row and started doubting everything he could possibly doubt. Senses, memory, everything. After all, everything that seems real may in fact be an illusion created by a "malicious demon". (No, he wasn't talking about a worm or trojan.) I'm not sure what his conclusion which can be simplified as "I think, therefore I am", would translate to. Maybe "I encrypt, therefore I am secure"? Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people. So what should we do? It seems each and every protocol is now trying to solve the exact same problem. A better solution would be to adopt IPSec throughout the net. But that doesn't protect you from a denial of service attack: the man in the middle can just discard your packets. Even worse, if you have to do crypto for every packet you receive, an attacker can simply send packets that only turn out invalid after performing expensive cryptographic operations and have you burn CPU cycles like it's going out of style. What we need are realistic expectations. Yes, the internet is vulnerable to some degree, but the risks are nothing to worry about relative to eating food that strangers have prepared or driving at high speed between many bad-tempered people who are all armed with a ton of steel.
For regular day-to-day stuff such as off-topic rants and downloading copyrighted material, the vulnerabilities that exist aren't really an issue: the expense and effort to break into a _network_ (rather than just some box connected to it) is not worth the gain. And for things that are more sensitive: refer to the end-to-end principle. SSL isn't perfect, but it's widely available. IPSec is more perfect, but less available. They'll both run fine over the current network. However, that doesn't mean we can lean back and do nothing. Some protocols are really too insecure. Please be assured that these problems have the attention of the IETF. Everyone should feel free to donate time to help develop newer, more secure protocols or newer, more secure versions of old ones. In the mean time, many people are still doing things they shouldn't, and not doing things they should. If properly implemented, it is very hard to break BGP. But that means everyone has to use antispoofing packet filters, have strict filtering on the routes they accept from their customers and preferably on those they accept from their peers as well, and use TCP MD5 password protection on all BGP sessions. That's something we can all do before the month is out and it will actually make the net more secure without breaking anything.
Iljitsch van Beijnum
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people.
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test." The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network. Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect? Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
the nanog net is not run by network operators. it is run by some well-meaning non-op folk from merit. for example, if i can gather the patience (unlikely), next week i will join the third conference phone call to try to explain to the merit folk why it's really ok to put vern's bro ids on the incoming. and the merit powers that be specifically forbid warning folk about the wireless, showing caught passwords, ... as we do at ietf. the nanog net is run *for* operators, not *by* operators. btw, the ietf/atlanta net will be run by operators. if you would care to discuss how to make the wireless safer, we're all for it. but do not be fooled that it is an easy problem. e.g., wep is a joke, and is very hard to get people to set up. randy
On Sat, Sep 21, 2002 at 05:46:27PM -0400, Sean Donelan wrote:
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
What do you mean "trivial to guess", it's started at www.nanog.org. :) I'm not aware of any wireless networks set up at conventions with the purpose of sharing confidential data and keeping people out. It is there as a "public service", for everyone to use. I'm certain that the company providing the bandwidth doesn't put it inside their corporate firewalls. Would WEP solve anything other than keeping the casual person on the street who doesn't know what NANOG is from getting free bandwidth for a couple days? I don't think so.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
If I sit down at a crowded presentation with a Windows laptop, I'm sure to get an infrared connection to at least 3 people within 10 minutes. If I set my wireless to ad-hoc mode, I can find at least 10 people in any given room with open shares. And if you ever fire up a sniffer, you'll get a good laugh. Hundreds of plaintext passwords, plaintext mails, people irc'ing, hell there are even warez transfers. There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available. Clearly *SOME* NANOG participants aren't terribly security conscious. But are these the experienced network operators, or just the people who show up because someone at their company thinks it's a network training camp? That's what the password board is for I guess.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Sat, 21 Sep 2002, Richard A Steenbergen wrote:
Would WEP solve anything other than keeping the casual person on the street who doesn't know what NANOG is from getting free bandwidth for a couple days? I don't think so.
The trouble is that not using WEP looks like you're not bothering with the low level of security that's available in wireless. The fact that WEP only adds a 15 second - 15 minute delay to full access to the network both for legitimate and not-so-legitimate users means it offers more annoyance than security, but that doesn't alter the perception.
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available.
Are you saying people shouldn't SSH?
Clearly *SOME* NANOG participants aren't terribly security conscious. But are these the experienced network operators, or just the people who show up because someone at their company thinks it's a network training camp?
The real question is: how far we want to go in protecting people against themselves? If the answer is: far, fine: then filter the wireless network for everything that isn't SSH, SSL or some kind of VPN. Otherwise they'll learn the hard way, just like why it's important to back up your files.
That's what the password board is for I guess.
Even more fun would be to scan for email headers and send messages back to the originator that the message is being read over insecure means. That should get some people's attention... However, I think it's dangerous to talk about how insecure everything is all the time. At some point, people are going to think it's no use to even try securing their stuff and just give up. It would be better to deliver a more positive message: if you use SSH, SSL and/or a VPN, you can do whatever you want over a wireless connection without running bigger risks than at home or at the office.
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available.
Are you saying people shouldn't SSH?
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger. Heck even if it isn't available, you couldn't pay me enough money to trust public access terminals to log into something which doesn't use a one-time password. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available.
Are you saying people shouldn't SSH?
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger.
Excellent point. Fortunately, this doesn't apply to running SSH from your laptop over the wireless network.
On Sun, Sep 22, 2002 at 01:37:22PM +0200, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger.
Excellent point. Fortunately, this doesn't apply to running SSH from your laptop over the wireless network.
There are server-origin attacks to consider as well, beyond the more obvious password capture, etc. Consider agent and X11 forwarding, for which we've recently added some discussion to OpenSSH ssh_config(5):
     ForwardAgent
             Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be ``yes'' or ``no''. The default is ``no''.
             Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
     ForwardX11
             Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be ``yes'' or ``no''. The default is ``no''.
             X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
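A client-side audit for the two options quoted above, as an added example that is not part of the original thread or of OpenSSH: it works out the effective ForwardAgent and ForwardX11 values for a host from ssh_config text, using the first-obtained-value-wins rule and Host pattern matching. The sample configurations and host names are constructed, and Match blocks are skipped rather than evaluated.

```python
import re

WATCHED = ("forwardagent", "forwardx11")

# Constructed sample configuration.
SAMPLE_CONFIG = """\
Host bastion.example.net
    ForwardAgent yes

Host *.lab.example.net !build.lab.example.net
    ForwardX11 yes

Host *
    ForwardAgent no
    ForwardX11 no
"""

# Constructed pitfall: the wildcard block comes first, so its value wins and
# the later, more specific "no" never takes effect.
WILDCARD_FIRST = """\
Host *
    ForwardAgent yes
Host prod.example.net
    ForwardAgent no
"""


def pattern_matches(pattern, host):
    """ssh_config patterns: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None


def host_line_matches(patterns, host):
    """A Host line applies if a pattern matches and no '!' pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], host):
                return False
        elif pattern_matches(pat, host):
            matched = True
    return matched


def effective_forwarding(config_text, host):
    """Return the effective values of the watched options for one host."""
    found = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_line_matches(value.split(), host)
        elif keyword == "match":
            active = False  # limitation of this example: Match is not evaluated
        elif active and keyword in WATCHED and keyword not in found:
            found[keyword] = value.strip('"').lower()  # first value obtained wins
    # Per the man page text quoted above, both options default to "no".
    return {k: found.get(k, "no") for k in WATCHED}


def risky_hosts(config_text, hosts):
    """Map each host to the forwarding options that are not 'no' for it."""
    findings = {}
    for host in hosts:
        effective = effective_forwarding(config_text, host)
        enabled = sorted(k for k, v in effective.items() if v != "no")
        if enabled:
            findings[host] = enabled
    return findings


if __name__ == "__main__":
    hosts = ["bastion.example.net", "web1.lab.example.net",
             "build.lab.example.net", "other.example.org"]
    print(risky_hosts(SAMPLE_CONFIG, hosts))
    print(effective_forwarding(WILDCARD_FIRST, "prod.example.net"))
```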
On Sun, 22 Sep 2002, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, Richard A Steenbergen wrote:
On Sun, Sep 22, 2002 at 01:11:07PM +0200, Iljitsch van Beijnum wrote:
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available.
Are you saying people shouldn't SSH?
I've seen far too many people get into trouble because they have some flawed thinking that "ssh == always secure", even against compromises of one of the endpoints. If root is available, a reasonable person should ASSUME that some bored individual (like Bandy Rush) has taken 30 seconds and recompiled the ssh binaries with a password logger.
When we hosted nanog 16 we made the effort to periodically compare the md5 sums of the binaries on the terminal room machines to a reference source. I wouldn't personally place a great deal of trust in machines that aren't in one's possession but we try.
Excellent point. Fortunately, this doesn't apply to running SSH from your laptop over the wireless network.
-- -------------------------------------------------------------------------- Joel Jaeggli Academic User Services joelja@darkwing.uoregon.edu -- PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -- In Dr. Johnson's famous dictionary patriotism is defined as the last resort of the scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. -- Ambrose Bierce, "The Devil's Dictionary"
The trouble is that not using WEP looks like you're not bothering with the low level of security that's available in wireless. The fact that WEP only adds a 15 second - 15 minute delay to full access to the network both for legitimate and not-so-legitimate users means it offers more annoyance than security, but that doesn't alter the perception.
but it adds annoyance for the intended users. in the case of non-techs, considerable annoyance. and it gives negligible privacy.
There are also people ssh'ing to personal and corporate machines from the terminal room where the root password is given out or easily available. Are you saying people shouldn't SSH?
a prudent user does not ssh _from_ a machine they don't control or strongly trust whoever controls it. and a public machine should be presumed to be dangerous. i don't ssh from the laptop of a friend to whom i would not give root access to all of my machines.
the common attacks at nanog/ietf/... are
  o intentional from the outside. one should be very prudent with measures on servers etc, and install and monitor an ids such as bro. this is bog standard net and system administration.
  o intentional over the wireless.
    - the users need to be told how to operate more safely, use end-to-end authentication and privacy, etc. it's a matter of education. and the education will stand them in good stead when they use 802.11 at starbucks, airports, etc. we do this at ietf, but it is not allowed at nanog.
    - users need to be told when they're operating unwisely. we post passwords or other embarrassing, but not revealing, data. we will do this at the atlanta ietf, but it is not allowed at nanog.
    - and we need to monitor the air traffic to detect when users are actually being exploited. this is an ops/research area, but is being played with at ietf, but is not allowed at nanog.
  o unintentional dos of the wireless. this is caused by users' mis-configurations of various kinds, win/mac configured as access points, ad hoc mode, ... detecting and dousing these are still an ops/research area.
as far as i can determine, the reason standard education and defenses are not allowed at nanog is because we fear the nanog net operators monitoring traffic. i.e. we would rather have users raped than have prudent folk notice them in their skivvies. hear no evil, see no evil, speak no evil. it's a comfortable feeling.
randy
On Sun, 22 Sep 2002, Randy Bush wrote:
- the users need to be told how to operate more safely, use end-to-end authentication and privacy, etc. it's a matter of education. and the education will stand them in good stead when they use 802.11 at starbucks, airports, etc. we do this at ietf, but it is not allowed at nanog.
Sunday afternoon is full of tutorials on lots of different subjects. Has anyone volunteered to conduct a Sunday tutorial on wireless security for users of "public" wireless networks? Although I think it is a mistake to think a wireless network security is different than using any other network you don't control. Most wireless security tutorials tend to concentrate on "securing" the wireless network instead of how to communicate over an untrusted network.
Based on information at MERIT's website, it's too late to submit a presentation. In addition such presentations must be finalized and the slides approved by Merit no later than 30-Sep. It's important to note that the second requirement isn't publicly stated. I did receive email from Dr. Harris, that my two approved presentations Flotsam and Jetsam of the Net, a study at junk on the net. and IANA Running a IRR for IANA-Reserved space (a presentation supported by the IANA) have now been canceled because of this unknown 30-Sep requirement. I've appealed to Dr. Harris's management on the issue. They should have published the schedules better. I should know more soon. Merit handles NANOG meetings, like it handles network security.
On Sun, Sep 22, 2002 at 05:06:27PM -0400, Sean Donelan wrote:
On Sun, 22 Sep 2002, Randy Bush wrote:
- the users need to be told how to operate more safely, use end-to-end authentication and privacy, etc. it's a matter of education. and the education will stand them in good stead when they use 802.11 at starbucks, airports, etc. we do this at ietf, but it is not allowed at nanog.
Sunday afternoon is full of tutorials on lots of different subjects. Has anyone volunteered to conduct a Sunday tutorial on wireless security for users of "public" wireless networks?
Although I think it is a mistake to think a wireless network security is different than using any other network you don't control. Most wireless security tutorials tend to concentrate on "securing" the wireless network instead of how to communicate over an untrusted network.
Use VPN technology, Use 802.11a/b as the media and nothing else. Encrypt, tunnel your connections.
On Sun, Sep 22, 2002 at 05:06:27PM -0400, Sean Donelan wrote:
On Sun, 22 Sep 2002, Randy Bush wrote:
- the users need to be told how to operate more safely, use end-to-end authentication and privacy, etc. it's a matter of education. and the education will stand them in good stead when they use 802.11 at starbucks, airports, etc. we do this at ietf, but it is not allowed at nanog.
Sunday afternoon is full of tutorials on lots of different subjects. Has anyone volunteered to conduct a Sunday tutorial on wireless security for users of "public" wireless networks?
Although I think it is a mistake to think a wireless network security is different than using any other network you don't control. Most wireless security tutorials tend to concentrate on "securing" the wireless network instead of how to communicate over an untrusted network.
On Sun, 22 Sep 2002, John M. Brown wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked.
Really? Care to list the bulletproof hardware and software these god-like creatures use, rather than the bug-ridden stuff we lesser folk have to make do with?
Same bug-ridden stuff, just better understanding, staying up with patches, and understanding the human engineering side of things. so maybe my absolute statement should have been.. s/prudent users don't get hacked/prudent users get hacked much less often
On Mon, Sep 23, 2002 at 12:27:52AM +0200, Iljitsch van Beijnum wrote:
On Sun, 22 Sep 2002, John M. Brown wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked.
Really? Care to list the bulletproof hardware and software these god-like creatures use, rather than the bug-ridden stuff we lesser folk have to make do with?
"John M. Brown" wrote:
On Sun, Sep 22, 2002 at 04:49:08AM -0700, Randy Bush wrote:
a prudent user does not ssh _from_ a machine they don't control or
prudent users don't get hacked. non-prudent users hopefully learn or darwin happens.
Ahem! I'm usually considered a prudent user (once upon a time, I was the _only_ person using IPSec at an IETF meeting, having written it myself, and communicating with just about the earliest commercial implementation by Morningstar). Admittedly, that was from my own laptop, and I've never understood why we had public machines..... However, I've had machines taken over this past summer through the OpenSSH hole. A couple of years back, I had a router taken over through a Cisco hole. You're only as good as your software. And we all rely on each other. That's worth remembering: the Internet still relies on cooperation, between the vendors, and between the operators! Meanwhile, I think Randy and John are both moving in the right direction and I'm sure we'll all call Merit tomorrow to ask what in the world they are thinking....
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Randy Bush wrote:
but it adds annoyance for the intended users. in the case of non-techs, considerable annoyance. and it gives negligible privacy.
(sigh) Randy has the best of intentions. But I'm tired of the old saw that security adds annoyance. I long ago gave up on a WG at the IETF when the members wanted to add security, but with *NO* configuration. Sorry, any security requires a *SECRET*. I will agree that the security in WEP is almost useless, and have personally campaigned to change it for years. But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Sun, 22 Sep 2002, William Allen Simpson wrote:
but it adds annoyance for the intended users. in the case of non-techs, considerable annoyance. and it gives negligible privacy.
Randy has the best of intentions. But I'm tired of the old saw that security adds annoyance. I long ago gave up on a WG at the IETF when the members wanted to add security, but with *NO* configuration.
Well, if that's a possibility, then it sounds like the way to go.
Sorry, any security requires a *SECRET*.
No way. If you have to depend on some information to remain secret in order to reach your security goals, you can start counting down until your security is breached because it will happen each and every time. Confidentiality in itself is only one goal.
I will agree that the security in WEP is almost useless, and have personally campaigned to change it for years. But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
In this particular instance, the gain is incredibly small (you only keep out non-participants for 15 minutes or so) and the annoyance is rather large. Also, if you use WEP people may be under the misguided impression their data isn't completely open to public scrutiny. If you really want the wireless network at a convention to be safe, simply filter all clear-text protocols. That is much more inconvenient than having to find the right WEP key, but at least it really helps.
On Sun, 22 Sep 2002, William Allen Simpson wrote:
Sorry, any security requires a *SECRET*.
The only thing security really requires is *trust*. Secret keys won't do any good if the platform is compromised. Elaborate protections are useless if people who are allowed access are untrustworthy. No matter what you do it always boils down to trustworthiness of the physical implementations and people. Technological tricks simply modify the communication space by shifting vulnerable points around. This is often useful, but by no means can eliminate the need for inherently trusted devices and people at the end points.
--vadim
PS. As a side note - the "shocking" discovery that ObL's guys didn't really use steganography and other modern tricks much and still have world-wide network which is very hard to compromise or penetrate (all those mountains of cool high-tech gadgetry NSA has, notwithstanding) is a good illustration: they rely on the "first principle" of building trusted systems - i.e. building the network of personal loyalties and face-to-face communications, instead of fooling with techno fixes.
PPS. I'm really really amazed at how people can consider any opaque system trustworthy. Most computer users naively trust their secrets to effectively every one of thousands of Microsoft engineers who can easily plant trapdoors. The same goes for trusting Intel. How hard it is for a CPU designer to plant an obscure bug causing switch to a privileged mode? It is hard _not_ to create trapdoors like that by mistake, even in much simpler designs (check the 30-year old report on Multics security).
PPS. I'm really really amazed at how people can consider any opaque system trustworthy. Most computer users naively trust their secrets to effectively every one of thousands of Microsoft engineers who can easily plant trapdoors. The same goes for trusting Intel. How hard it is for a CPU designer to plant an obscure bug causing switch to a privileged mode? It is hard _not_ to create trapdoors like that by mistake, even in much simpler designs (check the 30-year old report on Multics security).
I think it's even worse. Having traveled quite a lot in my previous job, I on one airplane realized that the person sitting next to me was working on the sales budget for one of our largest competitors..... I once (also on an airplane actually) learned that most investment banks have a ban on their employees to use their laptops or in other ways work on airplanes. Makes sense to me. But I keep breaching it.
- kurtis - / (...as I am sitting in the air somewhere over northern Germany)
On Sun, 22 Sep 2002, William Allen Simpson wrote:
I will agree that the security in WEP is almost useless, and have personally campaigned to change it for years. But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
Access control should be used when you need access control. Sometimes engineers need to step back from solving the problem, and look at whether the problem needs to be solved. What access control do you need for a public drinking fountain? What access control do you need for a public wireless access point? WEP won't keep people from hacking other laptops at Nanog meetings, and won't stop people from sniffing plain-text passwords. Everyone at the meeting will have the key, and a secret shared with 500 people won't stay secret for even two days. For a network with no other access control, what purpose does WEP serve?
Access control should be used when you need access control. Sometimes engineers need to step back from solving the problem, and look at whether the problem needs to be solved.
Yes...
What access control do you need for a public drinking fountain?
Today, none, that was different in recent past.
What access control do you need for a public wireless access point?
Depends on the network. If you are a provider of public wireless for a fee, then you want to make sure you can charge the user. Thus you need to be able to identify the user so you can charge them. You need to also prevent theft of service, via false id's or bypassing the id method, etc. For events like a NANOG, et al, given the large number of "different and ad-hoc" systems, identification is more a pain. It needs to be balanced between the "cost, hassle factor" and the life of the network. I'd say that mostly this is a rat hole thread. Short lived conference networks will be insecure. Those attending should be told, and expect it. They should prepare accordingly. Show ops should have plans in case someone steals bandwidth, or causes other problems with the "important show net stuff" like multicast feeds. The cost and management requirements to deploy a reasonably secured network for a show are higher than the benefits.... I don't see conferences giving out USB dongles to people with their ID stored, or SecureID cards anytime soon :)
WEP won't keep people from hacking other laptops at Nanog meetings, and won't stop people from sniffing plain-text passwords. Everyone at the meeting will have the key, and a secret shared with 500 people won't stay secret for even two days. For a network with no other access control, what purpose does WEP serve?
As long as we are all on a shared layer two network, we are vulnerable. john brown
At 06:41 PM 9/22/2002 -0400, William Allen Simpson wrote:
... But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
Using a supposed security mechanism that is known to be essentially useless does nothing but lull people into a false sense of security. d/ ---------- Dave Crocker <mailto:dave@tribalwise.com> TribalWise, Inc. <http://www.tribalwise.com> tel +1.408.246.8253; fax +1.408.850.1850
At 06:41 PM 9/22/2002 -0400, William Allen Simpson wrote:
... But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
Using a supposed security mechanism that is known to be essentially useless does nothing but lull people into a false sense of security.
Rubbish. There are only two or three types of locks that cannot be picked from the outside by a lockpicker within 10-15 minutes. None of those locks is on your outside door. Why do you bother to lock your house? There is only one class of door designs that cannot be broken through in 10-15 minutes. None of the doors of that class is in your house. Why do you have a door on your house? Alex
Rubbish.
There are only two or three types of locks that cannot be picked from the outside by a lockpicker within 10-15 minutes. None of those locks is on your outside door. Why do you bother to lock your house?
But in the case of public WLAN, who is the one that you're trying to keep out? You don't give the keys to your house to 500 people so your analogy sucks. Pete
Rubbish.
There are only two or three types of locks that cannot be picked from the outside by a lockpicker within 10-15 minutes. None of those locks is on your outside door. Why do you bother to lock your house?
But in the case of public WLAN, who is the one that you're trying to keep out?
That is not the point that was responded to [1].
You don't give the keys to your house to 500 people so your analogy sucks.
Again that was not the point that was responded to. In a case of public wireless LAN or any other public line you by *definition* do not care about protecting public. Can someone please explain to me why (apart from relative ease of mounting those attacks) do we care about attacks mounted via wireless LANs more than attacks mounted over any other medium? Alex [1] The point that the original poster made was that since the WEP is rather trivial to break, one should not use WEP at all.
On Mon Sep 23, 2002 at 09:47:06AM -0400, alex@yuriev.com wrote:
There are only two or three types of locks that cannot be picked from the outside by a lockpicker within 10-15 minutes. None of those locks is on your outside door. Why do you bother to lock your house?
Someone stood at your front door with lock picking tools for more than a couple of minutes is going to arouse suspicion, and hopefully cause someone to call the police. Someone sat in the hotel lobby with a powerful laptop isn't going to cause anyone to look twice, at a NANOG conference. Simon -- Simon Lockhart | Tel: +44 (0)1737 839676 Internet Engineering Manager | Fax: +44 (0)1737 839516 BBC Internet Services | Email: Simon.Lockhart@bbc.co.uk Kingswood Warren,Tadworth,Surrey,UK | URL: http://support.bbc.co.uk/
Someone stood at your front door with lock picking tools for more than a couple of minutes is going to arouse suspicion, and hopefully cause someone to call the police.
Someone sat in the hotel lobby with a powerful laptop isn't going to cause anyone to look twice, at a NANOG conference.
Neither would someone standing in front of your door with lockpicks on a busy street. You would be amazed how small those tools are. The point of the post was that knowledge of the limitations of tools that we use to protect access does not justify not using those tools at all. Alex
On Mon, 23 Sep 2002 14:52:41 +0100 Simon Lockhart <simonl@rd.bbc.co.uk> wrote:
Someone sat in the hotel lobby with a powerful laptop isn't going to cause anyone to look twice, at a NANOG conference.
ok, i think we need to talk about the actual threats at a nanog conference.
1) some otherwise harmless person gets free internet access for a couple of days. BFD.
2) some hacker uses free, untraceable access to do something nasty. hmmm.
3) some attendee gets hacked because they have security problems with their laptop. sounds like a personal problem to me.
4) some spammer parks nearby and sends out a lot of spam. so block port 25 outbound, don't offer mail servers, anyone who wants to send email can bloody well tunnel back to their home systems using ssh or ipsec.
are there others i've missed? do we really care about anything other than 2, as the others have remedies or are else apparently unimportant? turning up WEP would keep the riffraff out. is that actually necessary or important?
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
10-15 minutes. None of the doors of that class is in your house. Why do you have a door on your house?
It keeps honest people honest, and opportunists from taking advantage of easy opportunity.
Thank you. Why is it different from putting even rudimentary security in place on the wireless LAN? Alex
10-15 minutes. None of the doors of that class is in your house. Why do you have a door on your house?
It keeps honest people honest, and opportunists from taking advantage of easy opportunity.
Thank you. Why is it different from putting even rudimentary security in place on the wireless LAN?
I think it does exactly the same thing... And... I just opened up the wireless network at the local convention center for a convention. Placards at the entrance advertise its presence, and that it is not secure. Recommendations include NOT using plain POP e-mail.. etc..
On Sunday, Sep 22, 2002, at 15:41 US/Pacific, William Allen Simpson wrote:
I will agree that the security in WEP is almost useless, and have personally campaigned to change it for years. But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
That will give people a false sense of security. Wouldn't it be better to use an approach like NetReg to give every user a warning when they first connect to the network? That doesn't require any arcane software config and would give an accurate indication of how secure the network is. Chris
"That [WEP] will give people a false sense of security." IMHO those 'people' are a group that is a subset of folk that will do 'unwise' things no matter what level of security is in place. Move along, nothing to see here... Internet != secure, period.
Best regards,
_________________________
Alan Rowland
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Chris Adams
Sent: Sunday, September 22, 2002 11:51 PM
To: nanog@merit.edu
Subject: Re: Wireless insecurity at NANOG meetings
On Sunday, Sep 22, 2002, at 15:41 US/Pacific, William Allen Simpson wrote:
I will agree that the security in WEP is almost useless, and have personally campaigned to change it for years. But, it is still the only Access Control widely available. So, it should be used, in addition to the better methods.
That will give people a false sense of security. Wouldn't it be better to use an approach like NetReg to give every user a warning when they first connect to the network? That doesn't require any arcane software config and would give an accurate indication of how secure the network is. Chris
bank's customers. Banks rarely check the signature on a check. Is security just perception?
Yes. And I would expect that those people who cared about things assumed the wireless network was insecure (just like internet) and had secured their hardware and were using secure connection protocols: ie: SSH.. SSL.. (oh.. do they have holes?) Still, we do what we can.
Date: Sat, 21 Sep 2002 17:46:27 -0400 (EDT) From: Sean Donelan <sean@donelan.com> Sender: owner-nanog@merit.edu
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people.
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?
I agree security is sadly lacking, but it is probably impossible to implement in a conference environment. What is inexcusable is that the NANOG management does not make LOUD noises about the risks and run an IDS to be able to warn people about "bad things".. I work a large computer trade show every year that has an open wireless network of very large size. Covers the entire exhibit hall, all meeting rooms, the lobby, with antennas pointed at larger hotels near the conference. No WEP and no closed SSID because WEP is not practical in such an environment and a closed SSID is too trivial to hack to make it worth the number of complaints we would have. We do have large security advisories that the network is wide open in all conference materials and run a really impressive IDS (multiple systems running Vern Paxson's BRO to monitor the DS-3 and as much of the various OC-192s and OC-48s as possible). With several OC-192s, it seems that some packets will have to be dropped this year, but we will be watching. We tried displaying passwords last year, but several folks thought it was fun to telnet to some system and enter something unprintable as the password to watch it appear on the screen. It's not an easy problem, less so for a conference/show that involves lots of non-network people. I believe the key is warning attendees that the net is subject to sniffing and clear-text passwords should not be used. Couple that with a good IDS and make sure that things like Code Red and nimda infections are isolated quickly is about all you can do. Sort of like warning people that they need to keep a close eye on laptops, keep a close eye on the network. Last year slashdot even carried a note that the net was open at the Denver Convention Center and we survived with minimal problems.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
I agree security is sadly lacking, but it is probably impossible to implement in a conference environment.
Look this is a very simple issue. Sean's first post really pointed out that it's "bad form" for a set of operators to run an insecure network. I would believe that it's "good form" to at least try. It was stated that the network was not run by the "operators". OK, I accept that, but it's run by people with great (actually fantastic) connections to real operators (ie: us). WEP may not be a good protocol, but it's better than nothing. If people think it's hard to configure, then run two networks.. one without WEP and one with WEP. Security is a relative thing... Normally security at the door to the nanog conference hall is "low", but that does not seem to bother many people. (Hence security at a "wired" locations within the conference is "low" making the WEP issue moot). I would be happy to run on a wireless network with a specific SSID and no SSID beacon with a static WEP key. (I don't have LEAP, or other protocols on my laptop). Does this make my communications more secure? I don't know... Everything from my nanog laptop is VPN'ed anyway... hence already end-to-end encrypted. I believe that Sean brought up a good point and something worth working on. Even an incremental improvement at this upcoming meeting followed by another incremental improvement at the next meeting, etc. etc. will be a good thing. BTW: WEP may not be a great protocol and people may believe there is a false sense of security. If this worries you, then I would recommend a note placed on the nanog web pages that states something like "all IP networking provided at the conference should be considered insecure, etc.".
Martin
PS: As for bandwidth "stealing". Heck... looking at the stats for previous nanog's, we are doing a poor job of using the provided bandwidth. I say... bring it on! (legal traffic only --- of-course!).
On Sat, 21 Sep 2002, Martin J. Levy wrote:
I agree security is sadly lacking, but it is probably impossible to implement in a conference environment.
Look this is a very simple issue. Sean's first post really pointed out that it's "bad form" for a set of operators to run an insecure network. I would believe that it's "good form" to at least try. It was stated that the network was not run by the "operators". OK, I accept that, but it's run by people with great (actually fantastic) connections to real operators (ie: us).
I feel like a Rorschach Test. Is the Nanog conference network really insecure for its purpose? Some security experts may claim it is, but I'm not certain they are correct. Do you put a biometric reader and armed guard next to a public drinking fountain? What is the risk of someone stealing the water? It's possible, even likely, an unauthorized person will take a drink but what is the loss versus the cost of more security for the drinking fountain? Yes, some security consulting firm issuing press releases about the dangers of war-chalking, war-driving, war-pr may claim the network is insecure. It's great for generating publicity. The Nanog conference wireless network is a semi-public, unauthenticated network used by several hundred competitors for a few days. It is about as secure as the wired network, the hotel in-room cable, cellular telephones or most other available means of communication at a convention center. Users can take appropriate measures to secure their communications based on their risk acceptance. I don't see much of a need to rely on a volunteer network operator to provide what I think is the appropriate level of security for my communications. Heck, even if Nanog used the latest, greatest network security whiz-bang gadgets to secure the network; I still wouldn't rely on it.
WEP may not be a good protocol, but it's better than nothing. If people think it's hard to configure, then run two networks.. one without WEP and one with WEP.
Link-layer encryption always sounds like a "simple" security solution. But when using other people's networks, you are usually better off with a different security solution. How many people use modems with encryption to dial into their local ISP? How many use link-layer encryption with their NIC cards on their wired networks?
Security is a relative thing... Normally security at the door to the nanog conference hall is "low", but that does not seem to bother many people. (Hence security at a "wired" locations within the conference is "low" making the WEP issue moot).
ICANN had armed guards at its meeting to keep the riff-raff out. I don't think NANOG requires that level of security (yet). We still run the network cable down the hallways, and "hide" the wireless access points in the potted palms next to the bar.
Terminal Rooms are no different than an internet cafe, you are using an untrusted system to access an untrusted network, and should be treated as such. The wireless network, is just an untrusted network, send over it what you would send over such a network. There is honor among thieves, but none among idle network admins who left their nerf guns back at the office. ssh, or encrypted vpn traffic is the only thing that should be sent over the network to connect to remote systems. Enabling WEP or setting a difficult to guess SSID would be silly, given that it is a public network, the SSID would probably be posted in the terminal room anyways. Plus there are numerous tools to decrypt WEP in almost real time, with 400 stations, it wouldn't take long to gather the needed packets. Ultimately security is the responsibility of the person or organization affected by the lack of it. Which is something most people fail to realize consistently. Sameer
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Sean Donelan Sent: Saturday, September 21, 2002 2:46 PM To: nanog@merit.edu Subject: Wireless insecurity at NANOG meetings
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people.
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?
On Sat, 21 Sep 2002, Sean Donelan wrote: ...
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
This is often something that gets forgotten.. people are so hyped up about network security they can easily end up with ultra secure systems that really aren't worth it for the data that's there..
Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?
This is a case of your only as good as the weakest link.. I point this sort of abstract thing out too. My usual examples are the office computers which tend to be laptops kept overnight in empty unlocked rooms with no password on them; people spend so much time getting secure VPNs and secure email setup they forget if someone really wanted the data they'd just walk right in and remove the hardware. Doesnt mean we shouldnt maintain a high level of security and be vigilent, but it does mean we should make sure we cover all angles. I like your cheque example, again I pick on credit cards.. the banks get so paranoid on internet shopping and yet its very common for fraud to occur because of who sees your card when you're out shopping at the local store... Think big picture! Steve
I like your cheque example, again I pick on credit cards.. the banks get so paranoid on internet shopping and yet it's very common for fraud to occur because of who sees your card when you're out shopping at the local store...
Actually, you are not correct. The credit card companies are not doing jack shit to halt any kind of fraud since it lets them raise the rates a lot higher. One of my friends owns a mail order company that sells cigars. Every time they flag a certain transaction (both electronic or conventional) as 'fraud' and report it back to the CC company together with the address where stolen goods are supposed to be picked up at, CC company never reports it to police and gets the idiots. Why? Because they only lose 3% or so on transactions but get to tell congress that they are losing 9%. Nice 6% goes right into their pocket. Follow the money trail and you will get your answers. As a certain individual said five years ago "When insurance companies start jacking up premiums for those who ignore security issues, *then* we will get everyone doing something".
Alex
Having been a past host of 2 NANOGs I would state the following:
1. There should be CLEARLY POSTED SIGNS that state this is a conference network, access is permitted only to registered attendees, and that all traffic on this network is subject to monitoring.
2. The wireless or wired networks do not need additional layers of security. Is it the "show net's" responsibility to PROTECT YOUR DATA? I think not. If you have data you do not want others to see, then LOCK YOUR MACHINE DOWN. I've forgotten to turn off OS features that shouldn't be on at a show net, so have other "famous, clued and well respected people on this list". I now run tunnels for all external communications, including IMs and chat programs. (Trillian has blowfish for ICQ as an example)
3. The NANOG show.net isn't a "production network"
4. MERIT SHOULD ALLOW Randy to post his password list. It's comical at times, and helps reinforce the need for security on mobile machines.
Mandatory security practices are good for a "production network". I don't consider NANOG networks "production". They are short lived, ad-hoc nets provided as a convenience to the attendees and as a way to stream data to those that can't attend.
If you want security, then unplug. NANOG is operated by non-operational people, its quality has suffered because of that.
john brown
On Sat, Sep 21, 2002 at 05:46:27PM -0400, Sean Donelan wrote:
On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
Anyway, in our efforts to see security weaknesses everywhere, we might be going too far. For instance, nearly all our current protocols are completely vulnerable to a man-in-the-middle attack. If someone digs up a fiber, intercepts packets and changes the content before letting them continue to their destination, maybe the layer 1 guys will notice, but not any of us IP people.
I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect?
Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?
Thus spake "Sean Donelan" <sean@donelan.com>
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
There is no useful security mechanism that can be applied to NANOG wireless. WEP assumes a black-and-white security model, just like most VPNs: if a user is on the "inside", they're fully trusted. This is somewhat reasonable in the corporate world, where all of the users are employees who are responsible to a common entity, but it has no application to NANOG or other public events where none of the users are responsible to the operator, much less have any trust for each other. There is no sense giving people the illusion of security here. Many corporations are going to open access-points "outside" their firewall and requiring per-user VPNs to access any data-center resources. This is the simplest (and cheapest) solution to deploy and offers security folks the best options for AAA besides. I can't say without a sniffer, but I'd bet that most NANOG participants are doing the same: SSH or IPsec VPN's back to home (wherever that is). Anyone who isn't is begging to be hacked, WEP or not. Anyone interested in hacking NANOG attendees' networks is likely a NANOG attendee himself. Caveat attendor. S
Actually, from a legal standpoint, you put locks on the door same reason as you would on the wireless. Otherwise an invitation could be implied. It's hard for someone to argue that they were invited if they had to use break-in tools. Otherwise I don't think anyone would have a case, public area, public use LAN.... If I was walking through a hotel and found an open LAN I would assume it was there for a perk of the hotel. I still don't see the problem with either side of this discussion. If we had a minor amount of security, I think the NANOG goers could easily figure it out. If not, a little friendly assistance from the person sitting next to you and you might just have made a friend. Payoff with a simple beer later would suffice. Actually I believe it was Bill Woodcock that sent me mac drivers back in 1997 for the wireless. I may still owe him a beer though.
dave
At 9:04 -0500 9/23/02, Stephen Sprunk wrote:
Thus spake "Sean Donelan" <sean@donelan.com>
The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.
There is no useful security mechanism that can be applied to NANOG wireless.
WEP assumes a black-and-white security model, just like most VPNs: if a user is on the "inside", they're fully trusted. This is somewhat reasonable in the corporate world, where all of the users are employees who are responsible to a common entity, but it has no application to NANOG or other public events where none of the users are responsible to the operator, much less have any trust for each other. There is no sense giving people the illusion of security here.
Many corporations are going to open access-points "outside" their firewall and requiring per-user VPNs to access any data-center resources. This is the simplest (and cheapest) solution to deploy and offers security folks the best options for AAA besides.
I can't say without a sniffer, but I'd bet that most NANOG participants are doing the same: SSH or IPsec VPN's back to home (wherever that is). Anyone who isn't is begging to be hacked, WEP or not. Anyone interested in hacking NANOG attendees' networks is likely a NANOG attendee himself. Caveat attendor.
S
-- David Diaz dave@smoton.net [Email] pagedave@smoton.net [Pager] Smotons (Smart Photons) trump dumb photons
participants (29)
- Al Rowland
- alex@yuriev.com
- batz
- Brad Knowles
- Chris Adams
- Dave Crocker
- David Diaz
- Iljitsch van Beijnum
- Jared Mauch
- Joel Jaeggli
- John M. Brown
- Kevin Oberman
- Kevin Steves
- Kurt Erik Lindqvist
- Martin J. Levy
- mike harrison
- Mike Harrison
- Petri Helenius
- Randy Bush
- Richard A Steenbergen
- Richard Welty
- Sameer R. Manek
- Sean Donelan
- Simon Lockhart
- Stephen J. Wilcox
- Stephen Sprunk
- Steven M. Bellovin
- Vadim Antonov
- William Allen Simpson