Jason on 10 Dec 2007 17:34:45 -0000



Re: [PLUG] Wireless access - from a security expert

  • From: Jason <jcostom@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Wireless access - from a security expert
  • Date: Mon, 10 Dec 2007 12:34:37 -0500
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

On 12/9/07, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> I'm quite sure Bruce is aware that it's trivial to sniff all wireless traffic.
> What he is saying is that there really isn't much difference between having a
> wire and a wireless network, since people can also sniff from wired networks
> too.  Proper security should be implemented regardless of the physical
> medium, so there is no need for physical-layer encryption.

In an enterprise environment, absolutely.  The article was targeted
at home users.  You know a lot of home users that deploy multi-segment
networks, IDS sensors, and VPN gateways?  I don't. :)

> 1 & 2. The only reasonably effective protection is WPA2 with AES, and even
> then it's much better to use a proper VPN.  Anything else just makes it
> harder for innocent people to get a connection, but just slows down the
> intruders by a few minutes.  Since the security provided is in name only, you
> might as well be a good neighbour and allow others access.
>
> 3. MAC filtering is a joke.

Agreed, 100%.

> 4. You could do that, or even better, make the wireless a DMZ, and access
> your "internal" network over a decent VPN.  That way, you can share your
> network AND have actual security.

If my goal was to offer up free Internet to my neighbors, sure, that's
how I'd do it, or I'd deploy a 2nd access point on an isolated network
that only got to the Internet.  Again, how many average folks are
either capable of doing that, or have the desire to do that?  They
just read a "security expert" telling them it's ok to have an open
wifi network.  Lots of folks live within wifi range of public parks.
I could sit on a bench and get personal financial info pretty easily,
if they follow the advice given in the article.

That's the issue here - not how to design a proper enterprise
deployment - but rather, how to keep from getting fleeced and taken
advantage of.  I know plenty of people who take advantage of open wifi
to download torrents of movies & music too.  Where would you like your
subpoena sent, home or office? :)
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug