Wireless insecurity at NANOG meetings

Date: Sat, 21 Sep 2002 17:46:27 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
Sender: owner-nanog@merit.edu

> Anyway, in our efforts to see security weaknesses everywhere, we might be
> going too far. For instance, nearly all our current protocols are
> completely vulnerable to a man-in-the-middle attack. If someone digs up a
> fiber, intercepts packets and changes the content before letting them
> continue to their destination, maybe the layer 1 guys will notice, but not
> any of us IP people.

I'm waiting for one of the professional security consulting firms to issue
their weekly press release screaming "Network Operator Meeting Fails
Security Test."

The wireless networks at NANOG meetings never follow what the security
professionals say are mandatory, essential security practices. The NANOG
wireless network doesn't use any authentication, enables broadcast SSID,
has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
stations were active on the network.

Are network operators really that clueless about security, or perhaps we
need to step back and re-think. What are we really trying to protect?

Banks are mostly concerned about people defrauding the bank, not the
bank's customers. Banks rarely check the signature on a check. Is
security just perception?

I agree security is sadly lacking, but it is probably impossible to
implement in a conference environment.

What is inexcusable is that the NANOG management does not make LOUD
noises about the risks and run an IDS to be able to warn people about
"bad things".

I work a large computer trade show every year that has an open
wireless network of very large size. Covers the entire exhibit hall,
all meeting rooms, the lobby, with antennas pointed at larger hotels
near the conference. No WEP and no closed SSID because WEP is not
practical in such an environment and a closed SSID is too trivial to
hack to make it worth the number of complaints we would have.

We do have large security advisories that the network is wide open in
all conference materials and run a really impressive IDS (multiple
systems running Vern Paxson's BRO to monitor the DS-3 and as much of
the various OC-192s and OC-48s as possible). With several OC-192s, it
seems that some packets will have to be dropped this year, but we will
be watching.

We tried displaying passwords last year, but several folks thought it
was fun to telnet to some system and enter something unprintable as the
password to watch it appear on the screen.

It's not an easy problem, less so for a conference/show that involves
lots of non-network people. I believe the key is warning attendees
that the net is subject to sniffing and clear-text passwords should
not be used. Couple that with a good IDS and make sure that things
like Code Red and Nimda infections are isolated quickly; that is about all
you can do. Sort of like warning people that they need to keep a close
eye on laptops, keep a close eye on the network.

Last year slashdot even carried a note that the net was open at the
Denver Convention Center and we survived with minimal problems.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
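Kevin's recipe, warn attendees about cleartext passwords and run an IDS that catches worm infections quickly, can be sketched as a small monitor over connection records. This is an added example, not code from the thread, ESnet or Bro: it reads constructed Bro-style tab-separated records (an assumed layout of ts, src, dst, dport, proto), flags sources that used cleartext-credential protocols so the NOC can warn them, and flags sources that contacted many distinct port-80 hosts the way Code Red and Nimda did; the port list and the scan threshold are assumptions.

```python
"""Minimal conference-network monitor over Bro-style connection records.

Added example (not Kevin Oberman's, ESnet's or Bro's code). Log format is an
assumed tab-separated layout: ts, src, dst, dport, proto.
"""
from collections import defaultdict

# Protocols that send credentials in the clear; the thread's advice is to warn attendees.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

# Code Red / Nimda behaviour: one source probing many distinct hosts on port 80.
SCAN_PORT = 80
SCAN_THRESHOLD = 20  # distinct destinations per source in the log window (assumed tuning)

# Constructed sample records: one telnet login, one ssh login, one POP3 check,
# then a host sweeping 25 web servers.
SAMPLE_LOG = (
    "1032630400.1\t10.1.2.3\t192.0.2.10\t23\ttcp\n"
    "1032630400.5\t10.1.2.3\t192.0.2.11\t22\ttcp\n"
    "1032630401.0\t10.1.2.7\t192.0.2.12\t110\ttcp\n"
    + "\n".join(f"1032630410.{i}\t10.1.2.9\t198.51.100.{i}\t80\ttcp" for i in range(25))
)

def parse_conn_log(text):
    """Yield (src, dst, dport) for each well-formed TCP record; skip blanks and comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 5 or fields[4] != "tcp" or not fields[3].isdigit():
            continue
        yield fields[1], fields[2], int(fields[3])

def analyze(text):
    """Return warning strings: cleartext-auth users, then worm-like scanners to isolate."""
    cleartext = defaultdict(set)     # src -> cleartext protocols it used
    http_targets = defaultdict(set)  # src -> distinct destinations on port 80
    for src, dst, dport in parse_conn_log(text):
        if dport in CLEARTEXT_AUTH_PORTS:
            cleartext[src].add(CLEARTEXT_AUTH_PORTS[dport])
        elif dport == SCAN_PORT:
            http_targets[src].add(dst)
    warnings = [f"{src}: cleartext credentials possible ({', '.join(sorted(p))})"
                for src, p in sorted(cleartext.items())]
    warnings += [f"{src}: {len(t)} distinct port-80 targets, isolate (worm-like scan)"
                 for src, t in sorted(http_targets.items()) if len(t) >= SCAN_THRESHOLD]
    return warnings

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LOG)))
```

The ssh connection in the sample is deliberately ignored: the point is to warn only about protocols that actually expose a password to a sniffer.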

> I agree security is sadly lacking, but it is probably impossible to
> implement in a conference environment.

Look, this is a very simple issue. Sean's first post really pointed out that it's "bad form" for a set of operators to run an insecure network. I would believe that it's "good form" to at least try. It was stated that the network was not run by the "operators". OK, I accept that, but it's run by people with great (actually fantastic) connections to real operators (i.e., us).

WEP may not be a good protocol, but it's better than nothing. If people think it's hard to configure, then run two networks... one without WEP and one with WEP.

Security is a relative thing... Normally security at the door to the nanog conference hall is "low", but that does not seem to bother many people. (Hence security at "wired" locations within the conference is "low", making the WEP issue moot).

I would be happy to run on a wireless network with a specific SSID and no SSID beacon with a static WEP key. (I don't have LEAP, or other protocols on my laptop). Does this make my communications more secure? I don't know... Everything from my nanog laptop is VPN'ed anyway... hence already end-to-end encrypted.

I believe that Sean brought up a good point and something worth working on.

Even an incremental improvement at this upcoming meeting followed by another incremental improvement at the next meeting, etc. etc. will be a good thing.

BTW: WEP may not be a great protocol and people may believe there is a false sense of security. If this worries you, then I would recommend a note placed on the nanog web pages that states something like "all IP networking provided at the conference should be considered insecure, etc.".

Martin

PS: As for bandwidth "stealing". Heck... looking at the stats for previous NANOGs, we are doing a poor job of using the provided bandwidth. I say... bring it on! (legal traffic only --- of course!).

> I agree security is sadly lacking, but it is probably impossible to
> implement in a conference environment.

> Look, this is a very simple issue. Sean's first post really pointed out
> that it's "bad form" for a set of operators to run an insecure network.
> I would believe that it's "good form" to at least try. It was stated
> that the network was not run by the "operators". OK, I accept that, but
> it's run by people with great (actually fantastic) connections to real
> operators (i.e., us).

I feel like a Rorschach Test.

Is the Nanog conference network really insecure for its purpose?

Some security experts may claim it is, but I'm not certain they are
correct. Do you put a biometric reader and armed guard next to a
public drinking fountain? What is the risk of someone stealing
the water? It's possible, even likely, an unauthorized person will
take a drink, but what is the loss versus the cost of more security
for the drinking fountain?

Yes, some security consulting firm issuing press releases about the
dangers of war-chalking, war-driving, war-pr may claim the network is
insecure. It's great for generating publicity.

The Nanog conference wireless network is a semi-public, unauthenticated
network used by several hundred competitors for a few days. It is about
as secure as the wired network, the hotel in-room cable, cellular
telephones or most other available means of communication at a convention
center. Users can take appropriate measures to secure their communications
based on their risk acceptance.

I don't see much of a need to rely on a volunteer network operator to
provide what I think is the appropriate level of security for my
communications. Heck, even if Nanog used the latest, greatest network
security whiz-bang gadgets to secure the network; I still wouldn't rely
on it.

> WEP may not be a good protocol, but it's better than nothing. If
> people think it's hard to configure, then run two networks... one without
> WEP and one with WEP.

Link-layer encryption always sounds like a "simple" security solution.
But when using other people's networks, you are usually better off with a
different security solution. How many people use modems with encryption
to dial into their local ISP? How many use link-layer encryption with
their NIC cards on their wired networks?

> Security is a relative thing... Normally security at the door to the
> nanog conference hall is "low", but that does not seem to bother many
> people. (Hence security at "wired" locations within the conference is
> "low", making the WEP issue moot).

ICANN had armed guards at its meeting to keep the riff-raff out. I don't
think NANOG requires that level of security (yet). We still run the
network cable down the hallways, and "hide" the wireless access points
in the potted palms next to the bar.

> Is the Nanog conference network really insecure for its purpose?

...

> I don't see much of a need to rely on a volunteer network operator to
> provide what I think is the appropriate level of security for my
> communications.

exactly.

Seems like the same situation as we have for walk-by hot-spot wireless nets. Is anyone suggesting that they should have some special, local privacy mechanisms, rather than each user relying on providing their own, end-to-end mechanisms?

> ICANN had armed guards at its meeting to keep the riff-raff out.

In fact there was a public disclosure of a trivial circumvention of that mechanism.

It was never clear what actual benefit the guards were supposed to provide, either.

d/