Re: Wi-Fi: Essential Checklist
- From: Sylvain Robitaille <syl@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 1 Dec 2008 21:13:31 +0000 (UTC)
Following up to multiple posts at once ... I know that Jeff Liebermann
is trying to put the thread to rest, and I'm risking waking up the horse
just so I can beat it some more. I just want to clarify some points
I've made and be sure that responses I've received are given their due
...
Jeff Liebermann wrote:
> As I've mentioned several times, the computer can be almost totally
> protected, but without encrypting the wireless traffic, a simple
> sniffer can capture unencrypted traffic, passwords, email, etc.
I prefer, and heartily recommend, regardless of wireless encryption,
end-to-end encryption. If you don't trust your traffic in wireless
space (because you can't control whether it can be intercepted in that
space), why would you trust it travelling over wires you don't control?
> ... No amount of security is ever sufficient. Given sufficient time,
> resources, and technology, any level of security can eventually be
> compromised. ...
Yes. That's precisely the point.
> ... What I find offensive about Schneier's article is that he trashes
> the most basic and easiest form of security, which in this case is WPA.
We differ here. I don't feel he trashed it, but rather put it in the
same context as what I quoted from you just above ("no amount of
security ..."), then pointed out that he operates his own wireless
network without WPA, and makes a case why he believes this is a good
thing.
> To get decent security, the one part of the puzzle that must work is
> WPA. Everything else can be no more than an additional obstacle,
> usually of minor importance.
Given a suitable definition of "security", perhaps, but then I would
likely disagree with the definition of "security".
To get decent security, we must first understand what it is we are
securing. Is it the data? Where is the data? What is the data's
lifespan? Is it access to the computer(s)? Is it access to the network?
Securing each of these things is done differently than each of the
others.
> ... I'm undecided as to whether it's better to protect the data or
> control access. ...
My sense on that is that it's case-by-case dependent, but more often
than not, protecting the data regardless of access control on the
network is warranted.
> I honestly don't care why or how he runs his open network. It's bad
> advice for the general public, most of whom fail to appreciate the
> risks and implications.
I agree that for most people it would not be advisable to leave network
access open.
>> ... even if WPA is considered a suitable way to secure access to your
>> network at the moment, don't count on it to secure the data on your
>> computer.
> Ummm... it secures the data transport, not the computer.
It controls access to, and encrypts *a portion* of the data transport,
unless your data is residing strictly within an ad-hoc wireless network.
At some point that data will travel on wires on its way to its ultimate
destination. If you're concerned about protecting data in transit, you
need to protect it end-to-end, not just over one (wired or wireless)
link.
> ... I'm sure he also uses a VPN and SSH to talk to his work computers.
> Great idea, but somehow missing in his article advocating running an
> unencrypted network.
Agreed. I'm guessing, but I suspect the author assumes the reader is a
regular reader and already knows about end-to-end encryption techniques.
If my guess is correct, that's an unfortunate assumption.
For what it's worth, all of this is one reason why I don't like "op-ed",
and I feel that such articles are frequently given much too much weight.
Bruce Schneier is respected among computer security professionals, but
this article was quite obviously (to me, anyway) just an opinion piece.
In my experience, Wired generally is.
> ... Most real security experts that I know are constantly worried
> about this or that threat. Every time there's a new exploit
> announced, there's a flurry of nervous activity.
I consider myself pretty good with computer and network security,
perhaps even an "expert" (it is part of my job and has been for more
than a few years). I'm not nervous about systems I manage (whether my
own or managed for someone else).
> ... I had one such expert bail out in the middle of lunch when someone
> detailed a new exploit that he hadn't heard about. I pay security
> experts to be worried.
I prefer security experts that are informed and prepared ... I don't
want someone working with me who will do "anything" just for the sake of
doing "something".
> Again, wireless security (WPA) will not protect your computer. It
> will protect your network from sniffing.
Only on that particular link. I see (and refer to) WPA as a form of
access control. If you want to protect your data in transit, you need
to protect it beyond that initial wireless link.
> (quoting Bruce Schneier's statement about WPA)
>> "But there are going to be security flaws in it; there always are."
> Note that the original article ... would have been equally effective
> at making his points without this sentence.
Agreed.
John Navas wrote:
> It's a bit like saying, condoms sometimes fail, so don't bother to use
> them. ...
Not exactly. It's more like saying "condoms sometimes fail, and they're
inconvenient" so I prefer to use a different (better) form of protection.
> WPA does protect your computer from attack over the wireless network.
.... and it does so by controlling access to your network.
> That would not be a valid point -- WPA does provide real and valuable
> security. ....
WPA provides access control and encryption over one network link. It
works well for that. Most people need their data protected between two
endpoints that span multiple network links. WPA falls short on that.
> There's ample evidence that open wireless will be abused, with
> potentially negative consequences. All it takes is for the kid next
> door to use your wireless to file share illicit materials (imagine
> that); the RIAA and MPAA trace it back to your account; your computers
> get seized and you get sued.
Schneier points out in his article, however, that he feels he has the
perfect alibi for such a case, precisely by keeping his wireless network
access point unsecured. I wouldn't test that myself, by the way, nor
would I recommend it, but it's relevant to the discussion in the context
of the above quote.
Mark McIntyre wrote:
> Then his article is highly disingenuous, or he really is a fool. Does
> he run an encrypted VPN between every computer on his network? Is all
> traffic to the internet encrypted, including email?
I'm not defending the article or its author. I was simply pointing out
that one or more previous posters on this thread appear to have
misinterpreted the point of the article. Your question would be best
directed at the author.
--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx
Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------