Modernizing Authentication — What It Takes to Transform Secure Access
The thing is, though, paranoia is an unfounded fear of the unknown. We tell ourselves that ours is not a paranoid fear of the unknown, but a healthy respect for the known. Right?
Have we gone too far?
Well, let's explore that a bit.
Let's consider, for example, the fact that I set my 802.11g WLAN up to use the latest WPA security protocol. Further, I've set up an access list containing only the MAC addresses that I authorize to use my WLAN. Then, I set up my Linux-based DHCP service to only dish out IP numbers to a (separately maintained) list of MAC addresses. And I diligently log every DHCP transaction on my (again, separate) Linux event log server.
Paranoid? I don't think so, but others tell me that it is.
Draconian? Perhaps. To be sure, it's a fair amount of extra work for me.
But, as I tell my friends who accuse me of paranoia, I've only taken these measures in response to the myriad of papers, articles and books that provide details of just how unsecure most wireless LANs are. Let's face it, if I were relying on WEP -- even in its 128 bit instantiation -- to protect my business' assets over my WLAN, I would consider myself negligent.
And there we get to the heart of the matter: namely, my business' assets.
I use my WLAN to access my home/office network. My business files are on that same LAN. I made the conscious decision to use all the technology readily available to protect those assets. After all, it is quite literally my livelihood that is at risk. Of course it's worth spending the extra time to really get every ounce of possible protection from all of my security devices.
But what about the more typical home and home office user? What about the user setting up his cable modem and WLAN gear, which only gets used for Web surfing, emails with friends, and such? Should she be as ''paranoid'' as I am? For that matter, how about other PC and LAN configuration issues than just WLANs?
Clearly, there is a lot of room for an individual's judgment call here. After all, the direct risks to each end user can and do vary quite radically. I'd still counsel people to consider other issues than just their own business assets. Your home PC is still a desirable target to many miscreants in the world. Take, for example, recent trends in distributed spambots, spyware, phishing attacks, and such. They don't target individual end users. They target all end users, which is just one of the things that makes them so heinous.
So, even if you don't have your own business, banking information, retirement account information, or other vital assets at risk on your PC, I still believe a healthy respect for even the known attacks that we've seen to date is a wise consideration in configuring your systems.
Go ahead and call me paranoid if you'd like. I've been called worse. But, when I'm setting up my latest gizmo, I spend a few extra minutes and actually read through the owner's manual to learn all of the capabilities of each new device. I find out what security capabilities it has, and I take the time to enable them. In almost every case, they're not turned on by default, which, in my opinion, is a horrible mistake that all too many product vendors make. Blindly plugging that new device in and hoping for the best is, in my opinion, tantamount to putting a ''kick me'' sign on your front door.
I should add that security is only one benefit of my approach.
In taking the time to study each device's capabilities before turning it on, I've also often discovered features and such that I was unaware of before. I like to think it enables me to get the most out of each new gizmo that I add to my collection.
So, when the police knock on your door because your neighbor's kid has been using your WLAN to download copyright-protected files from the net, we can talk about who was paranoid and who was just taking appropriate measures to protect his assets.
I wouldn't leave my WLAN unprotected any sooner than I'd leave my car unlocked while parked at the airport.