North American Network Operators Group


Re: Wireless insecurity at NANOG meetings

  • From: John M. Brown
  • Date: Sun Sep 22 18:14:15 2002

Having been a past host of 2 NANOGs

I would state the following:

1.  There should be CLEARLY POSTED SIGNS that state this is a
conference network, access is permitted only to registered
attendees, and that all traffic on this network is subject
to monitoring.

2.  The wireless or wired networks do not need additional layers
of security.    Is it the "show net's" responsibility to PROTECT
YOUR DATA?  I think not.   If you have data you do not want others
to see, then LOCK YOUR MACHINE DOWN.

    I've forgotten to turn off OS features that shouldn't be on
at a show net, so have other "famous, clued and well respected
people on this list".

    I now run tunnels for all external communications, including
IMs and chat programs.  (Trillian has Blowfish for ICQ as an example)


3.  The NANOG show.net isn't a "production network".


4.  MERIT SHOULD ALLOW Randy to post his password list.  It's comical
at times, and helps reinforce the need for security on mobile machines.



Mandatory security practices are good for a "production network".  I don't
consider NANOG networks "production".  They are short lived, ad-hoc
nets provided as a convenience to the attendees and as a way to stream
data to those that can't attend.


If you want security, then unplug.


NANOG is operated by non-operational people; its quality has suffered because
of that.

john brown




On Sat, Sep 21, 2002 at 05:46:27PM -0400, Sean Donelan wrote:
> 
> On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
> > Anyway, in our efforts to see security weaknesses everywhere, we might be
> > going too far. For instance, nearly all our current protocols are
> > completely vulnerable to a man-in-the-middle attack. If someone digs up a
> > fiber, intercepts packets and changes the content before letting them
> > continue to their destination, maybe the layer 1 guys will notice, but not
> > any of us IP people.
> 
> I'm waiting for one of the professional security consulting firms to issue
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
> 
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.
> 
> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think.  What are we really trying to protect?
> 
> Banks are mostly concerned about people defrauding the bank, not the
> bank's customers.  Banks rarely check the signature on a check.  Is
> security just perception?
> 
>