
November 5, 2005

Security requirements for open wireless networks

News.com reports that Westchester County NY is considering requiring a firewall on all wireless networks operated by "commercial businesses":
Politicians in Westchester County are urging adoption of the law--which appears to be the first such legislation in the U.S.--because without it, "somebody parked in the street or sitting in a neighboring building could hack into the network and steal your most confidential data," County Executive Andy Spano said in a statement.

The draft proposal offered this week would compel all "commercial businesses" with an open wireless access point to have a "network gateway server" outfitted with a software or hardware firewall. Such a firewall, used to block intrusions from outside the local network, would be required even for a coffee shop that used an old-fashioned cash register instead of an Internet-linked credit card system that could be vulnerable to intrusions.

...

The proposed law has two prongs: First, "public Internet access" may not be provided without a network gateway server equipped with a firewall. Second, any business or home office that stores personal information also must install such a firewall-outfitted server even if its wireless connection is encrypted and not open to the public. All such businesses would be required to register with the county within 90 days.

This seems like the kind of well-meaning but basically useless measure you get when people who don't understand technology try to make rules for it. The reasoning goes something like this: Wireless networks are insecure. That's bad. Firewalls are used to secure your network. Therefore, businesses should be required to install firewalls.

Even if you believe (which I don't) that counties should be in the business of regulating people's network security, there are two problems with this proposal. First, there's no real evidence that open APs are the major threat to the security of commercial networks. After all, lots of intrusions happen over the Internet. The number of people who could potentially break into your system over the Internet vastly exceeds the number of people in the local area attached to your AP. And there's no talk here of requiring businesses that don't operate wireless networks to have firewalls.

Second, the requirement to have a firewall on your "gateway server" is basically meaningless. These days, some kind of firewall is a standard feature on even extremely low-end wireless routers. And, of course, it's trivial to have a firewall but not configure it correctly. Unless Westchester is going to get into the business of certifying people's actual installations, just making people sprinkle on some firewall pixie dust is unlikely to have much of an effect.

Posted by ekr at November 5, 2005 10:09 PM