802.11g and dvd

Nick Christenson npc at gangofone.com
Tue Dec 16 09:40:47 PST 2003


> >         - note that WEP is NOT secure ... ( it's been cracked )
> 
> Definitely, and that point needs to be chanted in deep sonorous
> tones with a tenor wailing away a few octaves higher.  All the 
> while the message should be flashed in huge blinky
> ten meters tall scrolling around the entire edge of a city
> block.

This is fine, but that doesn't mean that it isn't worthwhile to use
WEP.  Yes, even a moderately determined intruder can cut through WEP
like it was soft cheese, but it's still posting a "must be *this* 
determined to crack my network" sign.  Cracking a WEP encrypted network
will take minutes to hours, depending on the traffic and luck.  Cracking
a non-WEP 802.11 network will take seconds.  WEP may not afford much
protection, but it is, as the saying goes, better than nothing.
It's like using The Club on your car.  It's not effective against a 
determined thief, but as long as the cars next to you don't use it, 
joy-riders will probably steal their car and not yours.

> I am a little confused as to why vendors are trying to graft
> a security protocol specific to wireless ethernet.  

Well, there are security issues that come up on wireless networks that
aren't an issue on wired networks.  It is entirely appropriate to 
consider these aspects when designing a wireless network security
protocol.

> It seems that
> this would be an application for IPSec.   (Of course that
> does assume that you're running IP, but it is not a wire
> replacement protocol like bluetooth.)

802.11i still has its place, though.  Not all currently deployed IP
devices are IPSec capable.  It would be nice to have some mechanism
at the link layer to allow these machines to interoperate on a wireless 
network with at least a little bit of security.

Of course, this doesn't mean that IPSec isn't an appropriate answer,
but by itself, it has gaps in the wireless world.  A combination of
IPSec and 802.1x is pretty much state-of-the-art right now, at least
until 802.11i, but this combination wasn't designed for wireless networks
and there are still holes.  For example, check out:
http://www.cs.umd.edu/~waa/1x.pdf

> It frustrates me that the home vendors keep getting close
> to the mark, but missing it.   Many vendors seem to
> have all the necessary parts in one box:  VPN, Firewall,
> wireless hub, and a wired hub.  The problem is how the
> pieces are connected.   The wireless hub should be
> isolated behind the firewall, and you should only be
> able to get out of the wireless net by setting up a
> VPN connection.

I would say that the problem is that the vendors walk up to the edge
of providing a secure topology and then flinch when they get there, 
backing off to an insecure architecture.  They clearly don't think the
average consumer has a shot at getting things to work in a secure 
configuration.  I fear they may be correct.

-- 
Nick Christenson
npc at jetcafe.org


