Jason on 10 Dec 2007 17:34:45 -0000

On 12/9/07, Matthew Rosewarne <mrosewarne@inoutbox.com> wrote:
> I'm quite sure Bruce is aware that it's trivial to sniff all wireless traffic.
> What he is saying is that there really isn't much difference between having a
> wire and a wireless network, since people can also sniff from wired networks
> too. Proper security should be implemented regardless of the physical
> medium, so there is no need for physical-layer encryption.

In an enterprise environment, absolutely. The article was targeted at home users. You know a lot of home users that deploy multi-segment networks, IDS sensors, and VPN gateways? I don't. :)

> 1 & 2. The only reasonably effective protection is WPA2 with AES, and even
> then it's much better to use a proper VPN. Anything else just makes it
> harder for innocent people to get a connection, but just slows down the
> intruders by a few minutes. Since the security provided is in name only, you
> might as well be a good neighbour and allow others access.
>
> 3. MAC filtering is a joke.

Agreed, 100%.

> 4. You could do that, or even better, make the wireless a DMZ, and access
> your "internal" network over a decent VPN. That way, you can share your
> network AND have actual security.

If my goal was to offer up free Internet to my neighbors, sure, that's how I'd do it, or I'd deploy a 2nd access point on an isolated network that only got to the Internet. Again, how many average folks are either capable of doing that, or have the desire to do that? They just read a "security expert" telling them it's ok to have an open wifi network.

Lots of folks live within wifi range of public parks. I could sit on a bench and get personal financial info pretty easily, if they follow the advice given in the article. That's the issue here - not how to design a proper enterprise deployment - but rather, how to keep from getting fleeced and taken advantage of.

I know plenty of people who take advantage of open wifi to download torrents of movies & music too. Where would you like your subpoena sent, home or office? :)

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug