RE: Interlopers on the WLAN

["Frank O'Dwyer" <fod () brd ie>]

On Sat, 2002-11-09 at 10:26, Philip J. Koenig wrote:
> On 9 Nov 2002 at 9:10, Frank O'Dwyer boldly uttered: 
[...]
> > Basically the point I am trying to make here is that these sorts of
> > networks are not useful only to hackers etc, they are also just plain
> > useful.
>
> I think you're stating the obvious.  Of course they're useful, just 
> like open SMTP relay hosts are "useful".. 

No. MUCH more useful than that. That's the problem really. A mobile user
could download their email at something like modem speeds using a mobile
phone, and pay through the nose for it, or they could receive broadband
access on the move for nothing. Which of these models do you think is
going to prevail? And when users, and corporates for that matter, figure
out that they can effectively get an 11M LES circuit to their buddies
without paying a telco for it, what do you think they will do with that
information?

> but they also happen to be 
> a widely frowned-upon attractive nuisance on the internet these days. 
> Almost every security problem on the net starts out because someone 
> stuck some host or device online to do something "useful".. but 
> simultaneously overlooked the security implications.

The net itself started out that way and has been a basket of security
holes ever since. Why is it still here? Because it is compellingly
useful and users are either ignorant of the risks or have evaluated the
risks and taken them anyway. 

That doesn't mean everyone on the net is stupid. Sometimes not taking a
risk is a more of a risk. As security people we too often do risk
analysis while normal people and business people do risk/benefit
tradeoffs, which is actually more rational. Human beings also have an
appetite for risk - give them a safety belt or an airbag and they will
drive faster.

Also just like IPSEC won't fix the net's issues, nor will any fixed
version of WEP address the above or change the economic advantages of
doing it anyway. Those measures solve a different problem. 

> I remember the days when running an open SMTP relay was considered 
> neighborly - and convenient if for example your normal ISPs MTA(s) 
> were having temporary problems.  But the current situation makes it 
> an extremely bad idea to run such hosts any more.

Agreed - but the current situation makes it an absolutely irresistable
and mouth watering idea to run widely interconnected and even open
WLANs. That's the difference. Indeed it's happening already, despite the
known issues.

> > Disconnecting them would be a really draconian response, and the
> > underlying issue would remain (these attacks occurred before WLAN even
> > existed).
>
> I have never advocated "disconnecting" open WLANs.  
>
> I have pointed out that A) those who deign to hop on them for a "free 
> ride" may find themselves the subject of criminal proceedings, B) I 
> hope to make people aware of the need for vendors to ship products in 
> a secure configuration by default (and fix the WEP problems) and C) I 
> hope to make people aware of the serious security implications of 
> (intentionally or unintentionally) running open WLANs.

OK, but what's the solution for these people? It sounds very much like
you're saying "don't run open WLANs" and "don't use open WLANs (even if
the owner wants you to)" and "sue open WLANs out of existence" to me.

How do you suggest someone sets up an open access point so that their
users don't have to worry about winding up in court? How do users tell
an intentionally open access point from an accidentally created one?
What could open access points do to improve security, short of ceasing
to be open?

[..] 
> > What would be more useful here is some kind of mitigation - e.g. the
> > ability to perform some kind of 'egress filtering' - that could be a
> > standard firewall operated in reverse, to filter certain protocols, or
> > to drop signs of misuse, or to shape traffic. It might be more
> > appropriate for ISPs to do that however, than to expect end users to do
> > it. A useful feature for any developer of personal firewalls though -
> > zonealarm could easily do some of this. This would also start to address
> > wired abuses.
>
> I personally am not a great fan of ISPs acting as "Big Brother" by 
> scrutinizing every packet their users send/receive, and I do think 
> the issues in question can be addressed without dumping that 
> responsibility on them. (and subjecting us all to constant 
> surveillance)

No, I don't mean surveillance. I mean security measures such as dropping
HTTP requests that look like attempts to exercise buffer overruns,
discarding proxy CONNECT requests on port 25 and other silly ports,
shaping traffic that looks like DDoS, etc. These are things that would
be helpful and could be done to outbound traffic by ISP firewalls (or
even zonealarm) without affecting legitimate traffic or subjecting
anyone to big brother. No, it wouldn't solve every problem, but it would
help.

[...]
> The question of "anonymous strangers" using someone's network is a 
> bone of contention for anyone who runs an ISP or backbone and those 
> who are impacted by the resulting security issues - and I really 
> don't think WLANs are any different than any other potentially 
> anonymizing access-point in that respect.  They're just a relatively 
> new, popular (and particularly appealing for a hacker, I'd surmise) 
> option at this point.

I appreciate that this is your concern, and I understand why. However I
think it's going to happen anyway, simply because the benefits are
compelling (hence the popularity) and the "solutions" that forgo the
benefits demonstrably do not solve the problem. To stop it will take
very draconian measures, which no doubt will also be attempted. There
are legitimate uses for anonymity too, by the way, and in some cases
they are (thankfully) protected by law, at least in these parts :)

Cheers,
Frank.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards