On the ISP-Wireless discussion list in February, MR queried,
“I was trying to pitch wireless service to someone recently, and he showed
me a Wall Street Journal article that said wireless isn’t secure. What
do you think?”
A number of respondents contended that the fears are overblown:
[RR recalled] “We recently had a bank
question us about our security. We explained that neither wireless nor
wired connections are secure unless you use secure servers. If anyone
is really concerned about their data, then they need to encrypt from both
points, not just one segment in the middle.”
[MKS agreed] “It’s not much harder to
get traffic via wired networks than wireless. If the data is that sensitive,
they need to encrypt it before it leaves the PC or LAN. We don’t use any
encryption here. If someone wants things encrypted, they need to do it
themselves. Educate your customer about the risks.”
PF suggested that the situation’s a
little more complex than that:
“The one thing you’re missing is that even with encryption, the 802.11
headers and beacons are not encrypted. Until the radios encode the entire
802.11 frame, you are vulnerable to people getting beacons and intercepting
traffic. So encrypt all you want; just make sure that you’re actually
talking to who you think you are, because current 802.11 specs can’t do
it for you.”
JM countered that holes in wireless
aren’t quite that easy to find:
“Ultimately, hacking into a wireless network is no different than hacking
into any other network. There are several things that a would-be hacker
would need to know to get into a ‘secure’ wireless network: ESSID, valid
IP address, valid MAC address, and a rule set up on our traffic shaper
allowing traffic to actually pass per your specific MAC address and IP.
Security lies more in the admin and the network than it does in the technology.”
[MS agreed] “I plan on binding IPs to
MAC addresses in the router to prevent anyone from getting on the Internet
without authorization. At a certain point, though, you can only do so
much. Sure, the wireless system can be broken into, but so can the Internet
itself. Whoever said the Internet was secure?”
BM observed a particularly depressing
security concern:
“I have an associate in my office who sets up wireless LAN systems indoors.
He says the biggest security hole is that many admins never change the
security parameters on their equipment, choosing to use factory defaults.”
[RC agreed] “I have walked directly
through many firewalls using default passwords and settings.”
CM provided a summary:
“Yes, it is possible to break into any network given enough time and
money. For wireless, just listen, store, and decrypt to gain information,
and spoof for access. For wired networks, find a wiring closet and some
alligator clips.
The level of security needed also must be based on the type of service
being offered: public Internet access, contrary to public belief, does
not need to be secure, since the other 10-15 hops on the public Internet
are also unencrypted and readily sniffed.
Is current wireless technology sufficient to stop the casual listener?
Most certainly, since the barrier to entry is the cost of equipment. Is
it secure enough to stop a determined break-in? No more than any wired
solution, and since the gear is usually on the roof and locked up, you
have a leg up on the DSL guys: their termination jacks are all outside,
unlocked, and calling out to be opened.”
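
An added example, not part of the original discussion, illustrating PF's point about unencrypted 802.11 headers and beacons: a parser that, holding no key, reads the frame type, the MAC addresses and a beacon's SSID. Both frames are constructed here; the addresses, the SSID and the stand-in ciphertext are made up.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def cleartext_fields(frame: bytes) -> dict:
    """Return what any receiver can read from a management or data frame, no key needed."""
    if len(frame) < 24:  # short control frames (e.g. ACK) are out of scope here
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    out = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "protected": bool(flags & 0x40),  # Protected Frame bit: only the body is encrypted
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
        "ssid": None,
    }
    if ftype == 0 and subtype == 8:       # beacon
        pos = 24 + 12                     # skip timestamp(8), interval(2), capabilities(2)
        while pos + 2 <= len(frame):      # walk the tagged elements
            tag, length = frame[pos], frame[pos + 1]
            value = frame[pos + 2 : pos + 2 + length]
            if len(value) < length:
                break                     # truncated element, stop parsing
            if tag == 0:                  # element ID 0 is the SSID
                out["ssid"] = value.decode("utf-8", "replace")
                break
            pos += 2 + length
    return out

# Constructed sample frames (locally administered MAC addresses, made-up SSID).
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + BCAST + AP + AP + b"\x00\x00"
          + b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)
          + bytes([0, 7]) + b"EXAMPLE" + bytes([1, 1, 0x82]))
DATA = (bytes([0x08, 0x41]) + b"\x00\x00" + AP + STA + AP + b"\x00\x00"
        + bytes.fromhex("a1b2c3d4e5f6"))  # stands in for the encrypted body

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("protected data", DATA)):
        print(name, cleartext_fields(frame))
```

Because these fields are readable by any receiver in range, an ESSID or a MAC allow-list identifies a station but does not authenticate it; encrypting end to end and verifying the peer, as the thread advises, is what covers that gap.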