The security status quo is wrong

By Joel Snyder
Network World, 04/25/05

Original Article on Network World Web Site

Recently, I was helping a customer with a wireless rollout when the person in charge of security pulled a set of requirements out of his back pocket. The goal of this wireless network was to support guest users - people who had come into the building for a meeting or short project. The security requirements started with "disable Service Set Identifier advertisement" and "use 128-bit WEP." I rolled my eyes.

"What's the point of this?" I asked. "These are best practices," the security person replied, gesturing toward the thick stack of white papers, articles and Web postings he had downloaded off the Internet. After all, if 50 security people are writing the same thing, you begin to believe it's the right thing to do.

Unless, of course, it's not. And that's the problem with this type of advice. We have way too many people writing as wireless security experts and way too few actually thinking about wireless security. We also have way too few keeping up with the changes in the technology and how we use it. This problem isn't unique to wireless security - it extends to every aspect of how we do security and design networks.

What happens is that early thinking on how to build security becomes codified as law, largely by people who gather most of their knowledge by doing Google searches and writing white papers based on what other people already have said. SSID hiding is a great example. This was an interesting idea before the AirJack folks demonstrated how stupid it was - back in 2002. Nevertheless, people continue to pick up this same bit of lame advice and offer it as a primary requirement for secure wireless.

Yeah, SSID hiding does provide security - job security for your help desk staff, which will be continually explaining to people how to spell your SSID and enter Wired Equivalent Privacy (WEP ) keys. Let's not even get started on WEP. As Network World demonstrated last year, even brand-new wireless access points cannot be trusted to be free of defects. The solution is to abandon WEP and use a security technology that doesn't have the problems WEP does - 802.11i, also called WPA2.

We have become a community of parrots, repeating the same rules and arguments for doing things that have become "conventional wisdom." As Cisco's Mark Basinski puts it, "The problem with conventional wisdom is that it's neither conventional nor wisdom." Mark is spot-on. We do things by rote, without thinking about whether that's still the best way to design and implement security.

Even sacred cows such as three-port firewalls ("inside," "outside" and "DMZ") need rethinking. Is that really the right way to do things? How many networks have a need for exactly three, and only three, security zones? Are we designing secure networks, or are we replicating the same network architecture that seemed right back in 1990?