RE: Interlopers on the WLAN

["Philip J. Koenig" <pjklist () ekahuna com>]

On 9 Nov 2002 at 9:10, Frank O'Dwyer boldly uttered: 

> On Wed, 2002-11-06 at 22:25, Philip J. Koenig wrote:
> > On 6 Nov 2002 at 21:41, Frank O'Dwyer boldly uttered: 
> [...] Firstly, you're assuming the WLAN is "insecure" simply 
> > > because it lets anyone connect without asking who they are. 
> > > Maybe that's what the owner and users of the WLAN want. His
> > > network, his policy. If you don't like his policy, maybe 
> > > you need make sure your network isn't connected to his in
> > > any way that matters to you. 
> >
> > Once you connect a network to the internet, your security problems 
> > often become everyone else's security problems.
>
> Absolutely, but you're still prejudging the issue by using loaded terms
> like "insecure" and "interloper". An open access point is not
> necessarily "insecure", it's just open. Someone connected to an open
> access point may not be an "interloper" but may in fact be using it
> exactly as intended by its owner. In this case the appropriate term is
> "user" not "interloper". In this sense it is rather like a public access
> web site, which don't authenticate users either, and are also a risk to
> the Internet. We could demand that all of those be shut down too using a
> similar argument, but actually they are pretty useful so we don't.
>
> Also note that these people are not particularly *likely* to be
> DDoS'ing, spamming, or hacking anyone. Certainly these abuses are
> possible and a real problem, but I'd hazard a guess that to three
> significant figures, 100% of such users simply want to surf and read
> their email. As far as providing open access goes, the security features
> of WLAN simply wouldn't apply even if they worked. (Except in so far as
> the current default installations make it far too likely that someone
> will *unwittingly* set up an open access point.)
>
> Basically the point I am trying to make here is that these sorts of
> networks are not useful only to hackers etc, they are also just plain
> useful.


I think you're stating the obvious.  Of course they're useful, just 
like open SMTP relay hosts are "useful".. but they also happen to be 
a widely frowned-upon attractive nuisance on the internet these days. 
Almost every security problem on the net starts out because someone 
stuck some host or device online to do something "useful".. but 
simultaneously overlooked the security implications.

I remember the days when running an open SMTP relay was considered 
neighborly - and convenient if for example your normal ISPs MTA(s) 
were having temporary problems.  But the current situation makes it 
an extremely bad idea to run such hosts any more.


> Disconnecting them would be a really draconian response, and the
> underlying issue would remain (these attacks occurred before WLAN even
> existed).


I have never advocated "disconnecting" open WLANs.  

I have pointed out that A) those who deign to hop on them for a "free 
ride" may find themselves the subject of criminal proceedings, B) I 
hope to make people aware of the need for vendors to ship products in 
a secure configuration by default (and fix the WEP problems) and C) I 
hope to make people aware of the serious security implications of 
(intentionally or unintentionally) running open WLANs.


> [...]
> > Bear in mind my main original point was about the legality or ethics 
> > of hopping onto an open WLAN.  But beyond that, there is this concept 
> > of an "attractive nuisance" when someone connected to the internet 
> > does something to encourage hacking activity from systems under their 
> > control. 
>
> Merely setting up an open access point hardly constitutes encouragement
> of that kind. If I lend you my mobile phone, am I encouraging you to
> make an illegal call? Or if someone uses a cab as a getaway vehicle does
> that mean there shouldn't be cabs, or cab drivers should ask for ID? 


This is a pointless argument and I hope that your common sense and 
(presumed) experience in the security field will allow you to 
understand the big picture here.  To wit, the argument you attempt to 
make, taken to its logical conclusion, would excuse just about any 
latent security problem on the net whatsoever.


> What would be more useful here is some kind of mitigation - e.g. the
> ability to perform some kind of 'egress filtering' - that could be a
> standard firewall operated in reverse, to filter certain protocols, or
> to drop signs of misuse, or to shape traffic. It might be more
> appropriate for ISPs to do that however, than to expect end users to do
> it. A useful feature for any developer of personal firewalls though -
> zonealarm could easily do some of this. This would also start to address
> wired abuses.


I personally am not a great fan of ISPs acting as "Big Brother" by 
scrutinizing every packet their users send/receive, and I do think 
the issues in question can be addressed without dumping that 
responsibility on them. (and subjecting us all to constant 
surveillance)

As we can see every day, relying on end-users to solve their own 
security problems is generally a waste of time. (See ILOVEYOU, 
BubbleBoy, Klez, CodeRed, various DDoS zombie client trojans, and 
every other virus, trojan, worm, malicious code, ad infinitum.)

 
> > The term commonly used is that it's a "rogue" network or 
> > system. 
>
> Again this is a loaded term that doesn't necessarily fit the facts.
> Other terms that are commonly used for the same thing are "internet
> cafe", "open access point", and "wow, you mean I can get broadband
> access when on the road, how handy!". :)


A clueful internet cafe doesn't create internet security liabilities 
just by being in business.  Likewise, lots of things are convenient 
but are REALLY BAD IDEAS.  Telnet is pretty convenient too, but how 
many people with any sense at all are using it for anything that has 
any security importance whatsoever these days?

You also characterize things above as if open WLANs are the only 
source of mobile connectivity in the world - hardly the case.  But 
even with all the issues I point out, with a little work using 
existing standards and adjusting practices on the part of vendors and 
users even WLAN security issues can be solved pretty easily.  

The question of "anonymous strangers" using someone's network is a 
bone of contention for anyone who runs an ISP or backbone and those 
who are impacted by the resulting security issues - and I really 
don't think WLANs are any different than any other potentially 
anonymizing access-point in that respect.  They're just a relatively 
new, popular (and particularly appealing for a hacker, I'd surmise) 
option at this point.


--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards