netcurmudgeon (netcurmudgeon) wrote,

Wireless networking is your friend

So, I just spent the past hour banging out a first draft of a wireless networking policy paper. We have been kinda dealing with / kinda not dealing with the whole 'wireless thing' for the past year or so. There now seems to be a critical mass of school folks who want wireless networks in their buildings so that we have to tackle this head-on.

The hard part isn't putting together a wireless network -- nailing up wireless access points is easy -- the hard part is running a wireless network that isn't one great big hemorrhaging security hole. We've been steering a middle-of-the-road course between doing nothing and implementing industry best practice. Industry best practice would have us treat our wireless networks as hostile public networks (a la the Internet) and require users to fire up a VPN connection to gain access into the main network.

You see, the security protocol built into the IEEE 802.11 wireless technologies (WEP) was apparently put together by a crew of cryptographers from a low-bidder consulting firm. It's got a number of problems that make it trivial for an intruder with some patience to use freely available tools to crack WEP wide open. Hence the best practice to run WEP and require a VPN on top of that. IPSEC VPNs running triple-DES or AES qualify as strong encryption; current super-computer clusters can't crack triple-DES or AES, whereas the logical flaws in the WEP implementation allow a dude with a laptop and a day or two to pop WEP's encryption like a zit.

...The aforementioned middle-of-the-road course has been to permit mobile carts with laptops in the schools, providing that they have WEP turned on. The idea is that the carts are transient and they don't stay on all the time, creating a mitigating factor against WEP's weaknesses. There's also the idea that there are still many other wide-open wireless networks out there, so just having WEP turned on will keep the freeloaders out.

A fellow educational organization that we love to poke fun at ('cause it's just so easy) provides an example of easy pickings: in their spiffy new inter-district regional magnet school they have wireless access points over the door in every classroom. From one spot in the building we were able to see a dozen APs, all running on channel 11 (and thereby contending with each other for air time), all running with the manufacturer's default network ID, and all running without WEP. Some teachers from my City who visited this regional organization's spiffy new school were raving to me about how easy it was to get on their network -- if a student forgot to download their homework, they could just go back to the school, sit in the parking lot, get on the network and download their assignments! Yeah, no shit, along with anyone else in the town who wants some free 'net time!

Why is it that IT is so easy to do badly, and so hard to do right?
