Wi-Fi is More Secure than Ethernet
Jun 7th, 2011
Introduction time – I’m Jon, and I’m an IT security geek. I’m such an IT security geek that I went and got a college degree in the subject. “Don’t you want a respectable degree like Engineering or Computer Science?” Nope, I’d rather have something obscure that people ask if I ordered from a spam email. My wife has also expressed concerns about my level of paranoia, and has specifically requested that during family gatherings I not brief my in-laws on various vulnerabilities (imagined or real) in critical infrastructure and instead talk about happier topics – like cute things my kids said. Still, those of us who work in IT need to know what we’re up against, so I’ll try to add my thoughts to the many good security-oriented blogs that are out there. Feel free to leave notes and ask your security questions – I’ll do my best to answer in future posts.
With regard to the title of this post, I thought I would start off my first post with something inflammatory, since the title statement always seems to get reactions from people. The reaction is typically some form of “You’re an idiot. How can Wi-Fi possibly be more secure than Ethernet?” Ouch, name-calling. But really, for the average corporate network infrastructure, it’s a very easy statement to back up. To wit:
1. On your wired network, do you authenticate all users and devices that connect? I can count on one (or maybe two) hands the number of companies I’ve come across that have implemented 802.1X authentication on their wired infrastructure. To be sure, the numbers are going up, but slowly.
2. On your wired network, do you encrypt all traffic? Microsoft has some powerful capabilities for host-to-host IPsec in Windows, but I’ve never come across anyone who actually uses them.
3. On your wired network, do you control access to resources based on user identity? This is a tough one to do if you’re not doing step 1. Sometimes I hear “Yeah, we put ACLs on the routers so that only the Finance VLAN can talk to the SAP servers.” Great idea when all of us used large desktop PCs that didn’t move around. But what happens if I take my laptop over to the Finance department and plug in?
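To make the third question in the list above concrete, here is an added example (not code from the original post) that evaluates the same four connections under a VLAN-based router ACL and under an identity-based policy. The port names, users, roles and the "sap" resource label are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology: switch port -> VLAN (static, location-based assignment).
PORT_VLAN = {"fin-desk-12": "finance", "eng-desk-03": "engineering"}
# Router ACL as described in the post: only the Finance VLAN reaches SAP.
VLAN_ACL = {("finance", "sap"): True}
# Constructed identity store: authenticated user -> role.
USER_ROLE = {"alice": "finance", "bob": "engineering"}
# Identity-based policy: the role, not the port, decides.
ROLE_ACL = {("finance", "sap"): True}

@dataclass
class Session:
    port: str             # where the device is plugged in
    user: Optional[str]   # None = the device never authenticated

def vlan_acl_allows(s: Session, resource: str) -> bool:
    """Location-based: whoever is on the port inherits the VLAN's rights."""
    return VLAN_ACL.get((PORT_VLAN[s.port], resource), False)

def identity_allows(s: Session, resource: str) -> bool:
    """Identity-based: no authentication means no access; the role decides the rest."""
    role = USER_ROLE.get(s.user) if s.user else None
    if role is None:
        return False
    return ROLE_ACL.get((role, resource), False)

def compare(sessions, resource="sap"):
    """Return {label: (vlan_decision, identity_decision)} for each session."""
    return {label: (vlan_acl_allows(s, resource), identity_allows(s, resource))
            for label, s in sessions.items()}

SCENARIOS = {
    "alice at her finance desk": Session("fin-desk-12", "alice"),
    "bob's laptop moved to a finance port": Session("fin-desk-12", "bob"),
    "unauthenticated device on a finance port": Session("fin-desk-12", None),
    "alice working from an engineering desk": Session("eng-desk-03", "alice"),
}

if __name__ == "__main__":
    for label, (by_vlan, by_identity) in compare(SCENARIOS).items():
        print(f"{label:42} vlan_acl={by_vlan!s:5} identity={by_identity}")
```

The two models agree only when the user sits where the ACL expects; everywhere else the VLAN ACL answers for the port, not the person.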
With Wi-Fi, on the other hand, (1) and (2) are natural parts of how we deploy the technology. Aruba Wi-Fi users get (3) as well. When I make those three points, a common response is “Yeah, but Wi-Fi is all over the parking lot while with Ethernet, you have to get into the building to plug in.” Now we could go into RF emanations from Ethernet cable (or keyboard cables!) and how foreign governments are able to receive those from outside the building, but we’re getting a little too Spy vs. Spy even for my taste. When was the last time you did pen-testing on your physical security though? For 90% of companies I have seen, it’s really not that hard to get into the building. I recommend reading The Art of Intrusion by Kevin Mitnick for ideas, but here are a few possibilities:
- Just walk into the lobby and act like you belong there. Many times the receptionist won’t challenge you. Yes, it’s that easy.
- If the receptionist does challenge you, have your story ready. “Hi, I’m here to meet with <former IT employee who you knew left the company by finding him on LinkedIn>. By the way, can I use the restroom real quick? I’ve been driving for two hours now…” Some companies have a restroom in the lobby, but often you’ll get a cheerful set of directions to the nearest restroom.
- Try this yourself, or buy lunch for a non-employee friend and ask him to try it for you. Park in the parking lot by a side door. Wait for a large group of people approaching the door. Wear an ID badge flipped around backwards and start a pretend conversation on your cellphone. Tailgate through the door behind the group of people. 9.9 times out of 10, nobody will challenge you. It would be rude to interrupt a phone conversation, right?
- Hacker fiction is replete with stories of dressing up as the copy machine repair guy or the guy from the gas company who has an urgent leak to check, and it’s true that ID badges are very easy to forge. But really, the cleaning crew is probably an easier attack vector if the easy paths above don’t work.
Now you’re inside – what do you do? Find a conference room, find an open Ethernet jack, plug in your choice of inconspicuous “dropbox” that gives you remote access to the network, and leave the building through the nearest exit. You now have your electronic way back in. No authentication, no encryption – no problem!
Wi-Fi is designed to be secure from the parking lot. That means if you get inside the building, the Wi-Fi is just as secure as it was when you were outside. Authentication, encryption, and access control – all built in. I might be a little paranoid, and my sense of humor might leave some folks scratching their heads, but a complete idiot I am not.