Matthew Rosewarne on 10 Dec 2007 20:19:34 -0000



Re: [PLUG] Wireless access - from a security expert


On Monday 10 December 2007, Jason wrote:
> In an enterprise environment, absolutely.  The article was targeted
> at home users.  You know a lot of home users that deploy multi-segment
> networks, IDS sensors, and VPN gateways?  I don't. :)

It's not about all that.  Regardless of whether you have a small network or a 
big one, you need to use secure practises regardless.  That doesn't mean you 
_need_ to run IDS, VPN, etc.  It only means you need to use your head, never 
transfer anything confidential in the clear, since you can always assume 
someone might be listening.  It makes no difference whether you have an open 
AP, ethernet, or a dedicated line.

> If my goal was to offer up free Internet to my neighbors, sure, that's
> how I'd do it, or I'd deploy a 2nd access point on an isolated network
> that only got to the Internet.  Again, how many average folks are
> either capable of doing that, or have the desire to do that?  They
> just read a "security expert" telling them it's ok to have an open
> wifi network.  Lots of folks live within wifi range of public parks.
> I could sit on a bench and get personal financial info pretty easily,
> if they follow the advice given in the article.

They don't have to do any DMZ/VPN stuff.   That's only if you really want a 
(well-secured) separate internal/external setup.

> That's the issue here - not how to design a proper enterprise
> deployment - but rather, how to keep from getting fleeced and taken
> advantage of.  I know plenty of people who take advantage of open wifi
> to download torrents of movies & music too.  Where would you like your
> subpoena sent, home or office? :)

You say you have an open AP.  There's no liability for unmonitored, 
publicly-available services, just like a cafe wouldn't be liable for what 
people do on their free wifi.

Attachment: signature.asc
Description: This is a digitally signed message part.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug