Wi-Fi: Essential Checklist

Which is, indeed, one of the flaws.

It's like stating you don't see the point of locking your house doors, without mentioning the rabid wolf in your hallway.

Reply to
Mark McIntyre

You rang?

I don't think WPA will protect anyone against "the rabid wolf in the hallway". However, I have been known to ignore trespassers if they bring caviar, sushi, or ice cream.

Reply to
Jeff Liebermann

On Mon, 1 Dec 2008 21:13:31 +0000 (UTC), Sylvain Robitaille wrote in :

While your point is valid in principle, in practice it's far more difficult to snoop wired Internet traffic than open wireless traffic.

What point? That the NSA can do it, so why bother with security?

You should be. No matter how good you are, those systems are still vulnerable.

True, but that can be quite valuable as a part of the overall solution.

Not necessarily -- it's a matter of relative risks, and the risk of open wireless is orders of magnitude greater than the risk on the Internet backbone.

Abstinence? That's actually a pretty good analogy. If you're not going to bother with WPA, then abstain from wireless.

Actually it encrypts the traffic.

I disagree on both counts. Feel free to provide real evidence to back up those contentions.

There's ample evidence that he's wrong -- whether he prevails or not in the end, he can still go through hell in the meantime.

In your opinion. Not in mine.

Reply to
John Navas

On Mon, 01 Dec 2008 16:37:16 -0500, John Mason Jr wrote in :

On the contrary -- his argument is based solely on computer-level protection.

Reply to
John Navas

That really depends on which side of the network you're sitting on. Where I sit, they're both equally trivial. Where the average script-kiddie sits, perhaps you're right, but the really serious threats are usually "on the inside", where, once again, they're equally trivial.

Of course they're "vulnerable", in one form or another. I've taken measures, however, to reduce _known_ vulnerabilities to a minimum, to limit the potential avenues of intrusion, and to increase the likelihood that a compromise will be detected. That last one matters, and is what permits me to not worry. Can undetected intrusion occur? Of course, at least in theory. Is it likely? No.

Only if your traffic isn't encrypted end-to-end by other means, which means someone trying to sniff needs only to park himself somewhere between the wired side of your wireless access point, and the sensitive data's destination.

Consider the layers above the backbone. Your traffic does not pass from personal wireless link, to backbone, to destination host. There are other layers involved. The security of the data in transit is only as good as the weakest form of security applied to it within the entire end-to-end trajectory.

Encrypting the traffic (over a single short network link) has nothing to do with the previous statement of protecting the computer from attack over the wireless network.

Try getting onto a WPA-secured network for which you don't know the "key", and see "evidence" that it works well at providing access control. Start examining some packet traces, of traffic over both the WPA-secured wireless network, where you'll see that WPA works well at encrypting traffic over that link, then the same traffic over the wired portion of the network after it leaves the AP, and see WPA fall short. Need more evidence than that?

Reply to
Sylvain Robitaille

On Tue, 2 Dec 2008 06:33:25 +0000 (UTC), Sylvain Robitaille wrote in :

I respectfully disagree. Snooping of wireless traffic is orders of magnitude more likely than snooping of wired traffic, and the really serious threats aren't hard things like snooping of wired Internet traffic -- they are relatively easy things like website compromise, cross-site scripting attacks, and the like.

It's actually likely. The vast majority of intrusions go undetected, even by folks with serious expertise. Your assumption is unwarranted, and probably giving you a false sense of security.

It's hard if not impossible to encrypt *all* traffic end-to-end.

When browsing websites that don't support HTTPS for all traffic, as most don't, then traffic is unencrypted over the public Internet even when using VPN -- since the remote VPN endpoint isn't at the remote website, part of the Internet path is unencrypted. Thus I use VPN when at an open public hotspot (very high risk), but not when I'm using a wired connection (very low risk).

To be clear, I do protect the transmission of sensitive information (passwords, bank account numbers, credit card numbers, social security number, etc), but I don't know of any practical way for me to encrypt *everything*. If you really do know how to do it, then please educate me... ;)

But then even with end-to-end encryption you are still vulnerable to compromise of and at the other end, which is a far more likely risk. I worry much more about the security of businesses on the Internet than I do my own security and wired Internet security, and with good reason. One of a great many cases in point:

"This week also saw the personal information of almost 1,000 bank customers lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick."

Sure, but I think you're worrying about the wrong problem. I don't take precautions against being struck by meteorites while walking around outside, but I do take precautions against getting hit by cars. I might be killed by a meteorite, but I won't get hit by a car while worrying about meteorites. ;)

Of course it does, since malware traffic can't be successfully injected into the encrypted transmissions.

Yes, I need real evidence that snooping of traffic over the wired Internet is a *significant* (not just theoretical) risk, especially as compared to other risks.

Reply to
John Navas

Ummmm.... and WPA on the local wireless link protects against these? How? I think you're drifting off the point.

Who's making the unwarranted assumption here? You know nothing about my systems or about what I know or can detect about them. The thing about undetected intrusion, of course, is that by definition, you never know if one has happened. However, if you know your systems well, and you know how to protect them, you can be pretty sure of raising the bar of the skill level that would be required for an undetected intrusion. You raise that bar high enough, and the question becomes whether or not it's worth the effort for the would-be intruder.

Would I claim that I can single-handedly properly secure financial data or medical data on a database server? (well, I did do one of those in the past) No; I'm not trying to be arrogant. However, I have plenty of experience protecting what I would consider non-critical personal information (mine and others') on computer systems. Could I have done even better? Probably, yes. Have I ever had a system compromised? Once, many years ago, via a then-recently discovered vulnerability in FTP server software on a system I was managing. Undetected? Only briefly ...

Not *all* traffic contains sensitive data. Do I really care if you can sniff my Google searches and their results? Protect what's worth protecting.

Does WPA on a single network link do all that much to protect your username and password if you use POP or IMAP to read mail? I suppose it does if your only concern is protecting your credentials from the neighborhood teens. I prefer to avoid unencrypted protocols like POP or IMAP. If you use "secure POP" (POP/TLS) or "secure IMAP", it wouldn't matter if WPA wasn't available.

It isn't "end-to-end" if it isn't "application-to-application". WPA, as you know, won't protect your data at the other end. If the risk is far more likely, what protection does WPA offer?

That's a big part of the problem, yes: people ("businesses") making false assumptions about computer and network security, and those false assumptions lead to compromised data, usually because not enough emphasis was placed on protecting that data in the right places. "hard crusty exterior with a soft chewy center ..." Businesses "believe" their data is "secure" because they've deployed a "firewall". How is that different than individuals believing their personal computers are "secure" because they've enabled WPA on their wireless access points?

I bet they had HTTPS for authenticated access to their web servers, and WPA-protected wireless local networks, though. They took the steps recommended to them by computer security "experts", yet still failed to protect their sensitive data. Thank you for helping make my point. :-)

No, I'm worrying about understanding what it is I'm protecting, where, from what or whom, and why. I use WPA on my wireless network at home (and incorporated EAP-TTLS with dynamically negotiated encryption for a large wireless network I did in my previous employment), because it keeps outsiders from being able to use my network, not because it encrypts any personal information that might pass over that link. The protection of the sensitive data passing over the wireless link is taken care of by other means, and that data would be protected regardless of the encryption on the wireless link. That's been my point all along, and it is that which I feel others missed from Schneier's article (recall that's what caused me to join the discussion), largely because the article makes no explicit mention of it. It is, however, quite visible in its absence.

Wait a minute ... The points that you disagree with above, and for which I explained a simple means by which you can observe them in action ("evidence") are the following:

Now you want evidence that *wired* connections are vulnerable to snooping. See HTTPS (and other TLS-tunneled protocols) for such evidence. It long predates WPA, and even WEP. Are you suggesting that it's really a no-op and is protecting against an insignificant threat?

See also the above quote you provided about Bank of Ireland's customer data. Would WPA have helped there, or would better protection of the data in transit have been warranted?

Reply to
Sylvain Robitaille

On Wed, 26 Nov 2008 20:01:42 -0800, John Navas wrote in :

  • True story of network collision problem:

A client complained to me that the home office wireless Internet had always been very flaky, that even having the (shudder) Geek Squad come out hadn't really helped, and asked me if anything affordable could be done about the problem. Sure enough I had trouble getting and keeping a connection with a laptop. Even moving closer to the wireless access point didn't help. That was sufficiently odd that I decided to start over from scratch, loading the latest router firmware, resetting to factory defaults, and then running through my standard initial setup routine for wireless networking. And voilà! Strong, solid connection, excellent performance.

While I was working my client gave me a rundown on the Geek Squad, how they had come out to fix the first wireless, couldn't get it working, had to come back out to swap the wireless router for a different brand, got that working albeit poorly, told my client it was poor because the laptop was old, and left.

I probed a bit and learned the first wireless router had been brand L, that the Geek Squad had swapped it for brand N when they couldn't make it work, and that the laptop had then started working so they didn't even touch it. Thus the laptop was still configured for brand L, and what was actually happening was that it was connecting to a neighbor's open wireless, not the new brand N wireless router, because the Geek Squad were using factory defaults and no security. In 1-1/2 years of paying for broadband my client had never actually used it, or the expensive wireless router for that matter.

That wouldn't have happened, of course, if the Geek Squad had configured a unique SSID in the first place, any sort of wireless security, or otherwise had any real clue about wireless networking. (Likewise the neighbor.) But I guess I shouldn't complain -- puts food on my table. :)

  • True story of network identification problem:

Before installing a wireless network for another client I did a site survey (my normal practice), and found a strong signal on channel 1 and another strong signal on channel 9 (go figure), leaving me with no clear channel to use. The "easy" solution, of course, would be to persuade the neighbor on channel 9 to switch to either channel 6 or channel 11. Actually not so easy since the default SSID gave no clue as to who was running that wireless network. Worse, my client was in a multi-unit complex that left us with quite a few possibilities, which meant knocking on a lot of doors, which had to wait until evening. It would have been much faster and easier if the SSID identified the network operator.

Reply to
John Navas
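Added example, not part of the original post: a small site-survey audit covering both stories above, flagging stale client profiles that would silently join a neighbour's open network, networks left on default SSIDs or without security, and whether any of channels 1, 6 or 11 is still clear. The scan data, BSSIDs, saved profile and the list of default SSIDs are constructed for illustration and do not identify the brands in the story.

```python
"""Site-survey audit. All networks, BSSIDs and profiles below are constructed."""

# Illustrative (assumed) list of factory-default SSIDs; extend as needed.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
PREFERRED_CHANNELS = (1, 6, 11)  # usual non-overlapping 2.4 GHz choices

SCAN = [  # constructed survey results
    {"ssid": "default", "bssid": "00:00:5e:00:53:01", "channel": 1,
     "signal_dbm": -55, "security": "open"},   # neighbour, factory defaults
    {"ssid": "linksys", "bssid": "00:00:5e:00:53:02", "channel": 9,
     "signal_dbm": -60, "security": "wpa"},    # neighbour, anonymous SSID
    {"ssid": "dlink", "bssid": "00:00:5e:00:53:03", "channel": 11,
     "signal_dbm": -40, "security": "open"},   # client's own replacement router
]
OWN_BSSIDS = {"00:00:5e:00:53:03"}
SAVED_PROFILES = [{"ssid": "default", "security": "open"}]  # stale laptop profile


def overlaps(a, b):
    """2.4 GHz channels sit 5 MHz apart but are about 20 MHz wide."""
    return abs(a - b) < 5


def clear_channels(scan, ignore=(), strong_dbm=-70):
    """Preferred channels not overlapped by any strong foreign signal."""
    busy = [ap["channel"] for ap in scan
            if ap["bssid"] not in ignore and ap["signal_dbm"] >= strong_dbm]
    return [c for c in PREFERRED_CHANNELS
            if not any(overlaps(c, b) for b in busy)]


def unidentified(scan):
    """Map SSID -> reasons the network is anonymous or unprotected."""
    findings = {}
    for ap in scan:
        reasons = []
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            reasons.append("default SSID")
        if ap["security"] == "open":
            reasons.append("no security")
        if reasons:
            findings[ap["ssid"]] = reasons
    return findings


def wrong_network_risk(profiles, scan, own_bssids):
    """Foreign networks that a saved client profile would silently join."""
    wanted = {(p["ssid"], p["security"]) for p in profiles}
    return [(ap["ssid"], ap["bssid"]) for ap in scan
            if (ap["ssid"], ap["security"]) in wanted
            and ap["bssid"] not in own_bssids]


if __name__ == "__main__":
    print("clear channels:", clear_channels(SCAN, ignore=OWN_BSSIDS))
    print("unidentified:", unidentified(SCAN))
    print("wrong-network risk:",
          wrong_network_risk(SAVED_PROFILES, SCAN, OWN_BSSIDS))
```

With strong neighbours on channels 1 and 9 no preferred channel is clear; once the channel 9 network moves to 11, channel 6 opens up.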

On Tue, 2 Dec 2008 21:42:15 +0000 (UTC), Sylvain Robitaille wrote in :

Straw man argument: I didn't say or even suggest that.

I was rebutting *your* claims.

I'm making no assumption there.

You have no way of knowing what you cannot detect or have not detected.

Again, your assumption is unwarranted, and probably giving you a false sense of security. You have no way of knowing how high you've raised the bar relative to potential attackers, or even if you've raised the bar at all. All you can do is be as thorough as you can, *hope* it's enough, and keep checking that hope in different ways.

Again, your assumption is unwarranted, and probably giving you a false sense of security. You have no way of knowing if you were compromised or not. All you can say is that you don't know you were compromised.

Putting aside the fact that you've just backed away from your sweeping claim, Google searches *can* be worth protecting. Should (say) a prospective employer or insurer get wind of the fact that you're repeatedly searching for cancer treatments, there might well be negative consequences. Again, your assumption is unwarranted, and probably giving you a false sense of security.

Another straw man argument: What WPA protects is *all* wireless traffic, not just *some* wireless traffic.

You missed the point. Read what I wrote more carefully.

None for that risk. What WPA does (as I'm sure you know) is protect against the much higher risk of wireless snooping.

They hopefully just believe their *wireless* is secure, which is true.

Doesn't prove your point, but you are of course free to think and claim whatever you want.

I think we'll just have to agree to disagree.

Nope. Still waiting for your evidence.

Assuming you're not deliberately resorting to straw man arguments, read what I wrote more carefully.

Like Jeff I'm getting tired of this increasingly pointless debate, so I'm going to give you the last word and be done with it.

Reply to
John Navas

(snip story which boils down to 'uniquely identify your network so you /know/ you're connecting to it'.)

Absolutely agree.

What wireless needs is a way to say "who the heck are you?" and for end-users to be able to configure a response. Oh, wait, snmp... :-)

Reply to
Mark McIntyre

Are you really that sanguine concerning well-documented and likely but undocumented domestic surveillance?

Michael

Reply to
msg

On Tue, 02 Dec 2008 17:46:55 -0600, msg wrote in :

Only a very small fraction of Internet traffic is screened by the government, and while I strongly object to the practice, I have nothing directly to fear from it.

Reply to
John Navas

On Tue, 02 Dec 2008 17:11:50 -0800, John Navas wrote in :

p.s. IMHO there's a higher risk to me from poorly screened folks working for Internet transit providers, but that risk is still too small for me to worry much about.

Reply to
John Navas

On Tue, 02 Dec 2008 23:18:35 +0000, Mark McIntyre wrote in :

Oh, wait, SNMP won't work when you can't connect to the network. Or when the user isn't running suitable software and paying attention. ("What's a router log?")

My suggestion is much simpler and more practical.

Reply to
John Navas

The discussion at hand is about Bruce Schneier's article regarding his unsecured wireless network, with most participants agreeing that such a configuration is generally unadvisable. Perhaps you missed that part. We seem to be disagreeing on the details of *how* the secured network is beneficial, leading to the discussion above where you stray further from the main point of discussion. Your response to an attempt to maintain the focus of the discussion, apparently is to declare "straw-man", presumably so you can continue adding more tangential points to the discussion. Ok.

My "claims" were that a WPA secured wireless network does not protect (potentially sensitive) data in transit beyond the wireless link, therefore that data is better protected by other means (such as end-to-end encryption of the data). Which part of the above is a rebuttal to that claim?

Oh no. That's definitely not true. I can tell you with certainty that a compromise happened if I find one. If I *don't* find a compromise, however, all I can tell you (with certainty) is that I've not found one.

I don't recall making a "sweeping claim". Care to remind me?

Yes it encrypts all the traffic on that one link. *All* the traffic then (usually) travels on wired networks to its destination. The question stands.

WPA protects the access to the wireless network. Those are the "P" and the "A" in WPA. I'll leave it to you to sort out the "W". One can't "snoop" a network that one cannot access, but that's only part of the equation.

Yes, hopefully, but that's not what I've been reading in this thread ...

I've been reading about "protecting computers from attack" by securing access to the wireless network. I've been reading how protecting the wireless link with WPA is easier than end-to-end encrypting data in transit, so that's the security that must be in place. I've been reading that sensitive data won't be intercepted if it's encrypted over a single wireless link (with no mention of protecting that data beyond the wireless link).

Yes, on that we can agree.

Well, then your disagreement was placed within the wrong context, and the evidence you seek isn't clear.

I bet you won't, but I've made my point.

Reply to
Sylvain Robitaille

Indeed. I didn't say it was a fully formed solution, I was merely pointing out that technologies exist to do this properly.

Indeed - however if router makers were clueful, their "setup" CD could solve this problem by asking for the relevant info.

Sure - it's a hack though. A proper solution shouldn't rely on misusing an identifier field that isn't really long enough and which is freeform text. Professionally I encounter this all the time 'there's nowhere to put the UK post-code and the US Zip field is sanity checked so let's use the "alternate email" field instead'. Terrific - until someone needs two email addys... :-)

Reply to
Mark McIntyre

On Wed, 03 Dec 2008 23:00:40 +0000, Mark McIntyre wrote in :

Except they don't. What's needed is something that can work *without* a working connection. Like identification in the SSID. Fully formed. Works well. Makes sense. Just too low tech for you? ;)

Some wireless routers do at least now set up reasonable security, but I doubt that any manufacturers will see sufficient payback in your suggestion -- after all, the security issue only got addressed when the problem got to be overwhelming.

Like many good solutions. :) But not really -- SSID is actually an "ID" string.

There's no misuse. SSID is actually an "ID" string.

64 characters gets the job done for me. What would you have to say that needs more than that?
[shrug]

Installed a wireless network last week with the SSID containing name, street address and phone number. Seems sufficient to me, but as always, YMMV.

Reply to
John Navas

You just can't resist, can you? I've already agreed that SNMP isn't a full solution, how about just stopping being so superior?

You just can't resist being offensive, can you?

We've been over this ground. I'm not interested.

Reply to
Mark McIntyre

On Thu, 04 Dec 2008 21:43:27 +0000, Mark McIntyre wrote in :

When you blow smoke I can't.

It's not any sort of solution, since it presupposes a connection that's the whole point of the issue.

Just a funny dig, but you apparently have a very thin skin. In other words, you can dish it out, but you can't take it.

Why am I not surprised.

Reply to
John Navas
