The Security Status Quo is So Wrong

Wednesday, March 8th, 2006

I was at a customer last week helping them with a wireless rollout when the security person pulled a set of security requirements out of his back pocket. The goal of this wireless network was to support guest users: people who had come into the building for a day for a meeting or short project. The security requirements started with “disable SSID advertisement” and “use 128-bit WEP.” I rolled my eyes.

“What’s the point of this?” I asked. The security person had an answer: these are “best practices.” He then pulled out a stack of white papers, articles, and web postings 3 inches thick that he had downloaded off the Internet and showed me that, indeed, these are “best practices.” After all, when you get 50 security people writing the same thing, you begin to believe it’s the right thing to do.

Unless, of course, it’s not. And that’s the problem with this bit of advice. We have way too many people writing as wireless security experts and way too few people actually thinking about wireless security and keeping up with the changes in both the technology and how we use it. This problem isn’t unique to wireless security—it extends to every aspect of how we do security, and how we design networks.

What happens is that early thinking on how to build security becomes codified as law, largely by people who gather most of their knowledge by doing Google searches and writing white papers based on what they found other people saying first. SSID hiding is a great example. That was an interesting idea, back before the Airjack folks rubbed our noses in it and demonstrated how stupid it was—back in 2002. Nevertheless, people continue to pick up this same bit of lame advice and offer it as a primary requirement for secure wireless.

Yeah, it does provide security. Job security to your help desk people who will be continually explaining to people how to spell your SSID and enter WEP keys. Let’s not even get started with WEP. As Network World demonstrated last year, even brand new wireless APs cannot be trusted not to have old defects in them. The solution is to abandon WEP and use a security solution that doesn’t have the problems WEP does: 802.11i, also called WPA2.

We have become a community of parrots, repeating the same rules and arguments for doing things that have become “conventional wisdom.” As Mark Basinski, one of Cisco’s wisest souls, puts it, “the problem with conventional wisdom is that it’s neither conventional, nor is it wisdom.” Mark is spot-on. We do things by rote, without thinking about whether that’s still the right way to design and implement security.

Even sacred cows such as 3-port firewalls (“inside,” “outside,” and “DMZ”) need rethinking. Is that really the right way to do things? How many networks have a need for exactly three and only three security zones? Are we designing secure networks, or are we replicating the same network architecture that seemed right back in 1990?