I believe Norm Jacknis, CIO of Westchester County, NY reads this list... Perhaps he will respond...
http://wifinetnews.com/archives/006500.html
April 21, 2006
Hey, Westchester! A Firewall Is Not Encryption
By Glenn Fleishman

A stupid, stupid law has been passed in Westchester County: Sometimes righteous technical indignation overcomes me and I must, like the mad prophet of the airwaves in Network, tell you to throw open your DVD drive doors and launch Windows and shout, "I'm firewalled as hell, and I'm not going to encrypt it any more!"

Months ago, word emerged from the tony suburb of New York that is pony-infested, mansion-encrusted, millionaire-swarming Westchester County that a law would be passed requiring businesses collecting personal information that use Wi-Fi to have minimal protections, and businesses that offer Wi-Fi to post notices about security. Seemed a little silly to try to regulate this at a local level, but when you read what they actually planned to do, it was apparent that no one involved with the law understands precisely what they're asking for: they're trying to regulate a solution that only covers part of the problem. By misstating the security risks, they're not serving their constituents.

Months have passed and so has the law, which goes into effect in 180 days. The law correctly describes a firewall: "Firewall" shall mean a set of related programs or hardware, located at a network gateway server that protects the resources of a private network from users of other networks.

A firewall only protects computers from outside threats, and then only if placed at the correct point in the network's topology (at all entry points for outsiders). It does not protect against the interception of data passing across the network.
A firewall is a necessary first line of defense for any company network, and many Wi-Fi gateways include adequate to great firewalls that employ one or more well-accepted techniques, starting with network address translation (NAT), which creates private, non-routable addresses, all the way up to active firewalls with packet inspection that recognize and block well-known attacks. The law as enacted could help educate businesses to this particular threat: the invasion of their computers via Wi-Fi networks that they operate. Properly configured and placed (and viruses, worms, and other malware separately invading the network aside), a firewall could prevent private data from being obtained via a Wi-Fi network that otherwise would allow direct access into a company's wired network.

Westchester appears to believe the firewall solves the whole security risk caused by using Wi-Fi. It doesn't solve what's typically seen as a more significant problem. Wi-Fi data, when unencrypted either by a Wi-Fi security protocol or by a separate encryption session (like a secure Web session), is passed in the clear to any other user of the same network.

The chief information officer of Westchester County is paraphrased in this article: "Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network."

The firewall might protect against a hacker gaining access to computers running credit-card transactions. But if the computers at the dry cleaner's were connected to the Internet or to each other via Wi-Fi and they don't have encryption of some form enabled, and the credit card transactions aren't encrypted (which they should be, of course), then those transactions are freely available to any hacker.

The tips for securing Wi-Fi networks are weak, starting with changing the default SSID or network name and disabling SSID broadcast.
Down the list of suggestions on improving security, there's a small mention of enabling encryption.

Companies running public hotspots have to firewall their own machines against the open network, as I read the law, and have to post a fairly dopey message that's not an accurate statement of what's at risk:

YOU ARE ACCESSING A NETWORK WHICH HAS BEEN SECURED WITH FIREWALL PROTECTION. SINCE SUCH PROTECTION DOES NOT GUARANTEE THE SECURITY OF YOUR PERSONAL INFORMATION, USE YOUR OWN DISCRETION

The sign should more accurately state:

ALL THE DATA YOU USE ON THIS NETWORK CAN BE RECEIVED BY ANYONE ELSE ON THE SAME NETWORK. USE A PERSONAL FIREWALL AND USE SECURED CONNECTIONS FOR WEB BROWSING, EMAIL, AND OTHER SURFING. OR RISK THEFT OF PASSWORDS AND PRIVATE INFORMATION.

That's a little more direct, no? It's accurate but so frightening it might drive off all hotspot users.

--~--~---------~--~----~------------~-------~--~----~
TELECOM-CITIES
Current searchable archives (Feb. 1, 2006 to present) at http://www.mail-archive.com/[email protected]/
Old searchable archives at http://www.mail-archive.com/[email protected]/
-~----------~----~----~----~------~----~------~--~---
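The topology point the forwarded article makes, that a gateway firewall filters only traffic crossing the gateway while anything sent over an open Wi-Fi link is readable by every other station on that link, as an added illustration that is not part of the post or of Glenn Fleishman's article. The shop layout, node names and link labels are constructed for the example.

```python
from collections import deque

# Constructed sample topology for a small shop (not from the article).
# Link media: "wired" = switched Ethernet; "wifi_open" = open Wi-Fi, where every
# associated station receives every frame; "wifi_wpa2" = link-encrypted Wi-Fi.
LINKS = {
    ("internet", "gateway"): "wired",
    ("gateway", "ap"): "wired",
    ("ap", "pos_terminal"): "wifi_open",
    ("ap", "stranger"): "wifi_open",  # anyone who associates with the access point
}
FIREWALL_NODES = {"gateway"}  # the default-deny filter sits only at the gateway

def _neighbors(links, node):
    for (a, b), medium in links.items():
        if node in (a, b):
            yield (b if a == node else a), medium

def hops(src, dst, links=LINKS):
    """Breadth-first path as [(node, medium of the link leaving it), ...], dst excluded."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, medium in _neighbors(links, node):
            if nxt not in prev:
                prev[nxt] = (node, medium)
                queue.append(nxt)
    if dst not in prev:
        return []
    path, node = [], dst
    while prev[node] is not None:
        node, medium = prev[node]
        path.append((node, medium))
    return path[::-1]

def firewall_covers(src, dst, links=LINKS, firewalls=FIREWALL_NODES):
    """True only if unsolicited traffic from src to dst has to pass a firewall node."""
    return any(node in firewalls for node, _ in hops(src, dst, links)[1:])

def eavesdroppable(src, dst, app_encrypted, links=LINKS):
    """True if the payload crosses an open shared link without end-to-end encryption (TLS)."""
    return (not app_encrypted) and any(m == "wifi_open" for _, m in hops(src, dst, links))

if __name__ == "__main__":  # the dry-cleaner scenario from the article
    print(firewall_covers("internet", "pos_terminal"))  # True: an outsider must cross the gateway
    print(firewall_covers("stranger", "pos_terminal"))  # False: a Wi-Fi client never touches the firewall
    print(eavesdroppable("pos_terminal", "internet", app_encrypted=False))  # True: card data in the clear
```

Treating a "wifi_wpa2" link as closed assumes the other stations do not hold the network key; on a hotspot with a published passphrase, link encryption does not separate one station from another, so only application-layer encryption such as TLS counts there.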
