A stupid, stupid law has been passed in Westchester County: Sometimes righteous technical indignation overcomes me and I must, like the mad prophet of the airwaves in Network, tell you to throw open your DVD drive doors and launch Windows and shout, "I'm firewalled as hell, and I'm not going to encrypt it any more!"
Months ago, word emerged from the tony suburb of New York that is pony-infested, mansion-encrusted, millionaire-swarming Westchester County that a law would be passed requiring businesses that collect personal information over Wi-Fi to have minimal protections, and businesses that offer Wi-Fi to post notices about security.
Seemed a little silly to try to regulate this at a local level, but when you read what they actually planned to do, it was apparent that no one involved with the law understands precisely what they're asking for: they're trying to regulate a solution that only covers part of the problem. By misstating the security risks, they're not serving their constituents.
Months have passed and so has the law, which goes into effect in 180 days.
The law correctly describes a firewall: "Firewall" shall mean a set of related programs or hardware, located at a network gateway server that protects the resources of a private network from users of other networks.
A firewall only protects computers from outside threats, and then only if placed at the correct point in the network's topology (at every entry point for outsiders). It does nothing to protect data passing across the network from interception. A firewall is a necessary first line of defense for any company network, and many Wi-Fi gateways include adequate to great firewalls that employ one or more well-accepted techniques, starting with network address translation (NAT), which puts the internal machines on private, non-routable addresses so that unsolicited inbound connections have nowhere to go, all the way up to stateful firewalls with packet inspection that recognize and block well-known attacks.
The law as enacted could help educate businesses about one particular threat: the invasion of their computers via Wi-Fi networks that they operate. Properly configured and placed--and setting aside viruses, worms, and other malware that invade the network by other routes--a firewall could prevent private data from being obtained via a Wi-Fi network that would otherwise allow direct access into a company's wired network.
Westchester appears to believe the firewall solves the whole security risk of using Wi-Fi. It doesn't solve what's typically seen as the more significant problem. Wi-Fi data that is not encrypted, either by a Wi-Fi security protocol or by a separate encryption session (like a secure Web session), passes in the clear, readable by any other user of the same network and, since radio carries beyond the walls, by anyone within range who cares to listen, whether or not they ever connect.
The chief information officer of Westchester County is paraphrased in this article: "Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network."
The firewall might prevent a hacker from gaining access to the computers running credit-card transactions. But if the computers at the dry cleaner's are connected to the Internet or to each other via Wi-Fi without encryption of some form enabled, and the credit card transactions themselves aren't encrypted (which they should be, of course), then those transactions are freely available to any hacker who can hear the radio signal. The firewall never enters into it: a listener doesn't send a single packet to the dry cleaner's machines, so there's nothing for the firewall to block.
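To make the dry-cleaner scenario concrete, here is an added example (written for this edit, not code from the original post or from Westchester County) of what a passive listener sees in captured packets. It builds two constructed IPv4/TCP segments, one carrying a plaintext HTTP checkout form and one carrying a TLS application-data record, then parses them the way a sniffer would, pulling out any Luhn-valid card numbers from unencrypted payloads. The addresses, ports, card number (the well-known 4111... test number) and byte contents are all made up for the illustration; nothing was captured from a real network.

```python
import re
import struct

# --- constructed sample traffic -----------------------------------------------

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4 + TCP packet (no options, checksums left zero).
    Good enough for parsing practice; not meant to be transmitted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

# A checkout form sent over plain HTTP (constructed; test card number only).
PLAINTEXT_POST = (
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"card=4111111111111111&exp=1209&name=J+Doe"
)
# A TLS application-data record: type 0x17, version 3.3, 16 opaque bytes (constructed).
TLS_APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(0xA0, 0xB0))

# Both "frames" come from the same client on the shop's Wi-Fi (RFC 5737/1918 addresses).
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.168.1.23", "203.0.113.10", 51000, 80, PLAINTEXT_POST),
    build_ipv4_tcp("192.168.1.23", "203.0.113.10", 51001, 443, TLS_APP_DATA),
]

# --- what the listener does with them ----------------------------------------

def tcp_payload(pkt):
    """Return (dst_port, payload) for an IPv4/TCP packet, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # IP protocol 6 == TCP
        return None
    total = struct.unpack("!H", pkt[2:4])[0]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length from the data-offset nibble
    return dport, pkt[ihl + data_off:total]

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

def is_tls_record(payload):
    """TLS records begin with a content-type byte and a 0x03 0x0X version."""
    return (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04)

def luhn_ok(digits):
    """Standard Luhn check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def card_numbers_in(text):
    """Luhn-valid 13-19 digit sequences appearing in plaintext."""
    return [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def sniffer_view(packets):
    """What a passive listener learns from each packet. No connection is made to
    the victim machines, so a gateway firewall never sees this activity."""
    report = []
    for pkt in packets:
        parsed = tcp_payload(pkt)
        if parsed is None:
            continue
        dport, payload = parsed
        if is_tls_record(payload):
            report.append({"port": dport, "protected": True, "cards": []})
        else:
            text = payload.decode("latin-1")
            report.append({"port": dport, "protected": False, "cards": card_numbers_in(text)})
    return report

if __name__ == "__main__":
    for entry in sniffer_view(SAMPLE_PACKETS):
        print(entry)
```

The first packet yields the card number outright; the second yields nothing but the fact that a TLS session exists on port 443. Note that the listener's code contains no step at which a firewall could intervene: it only reads. The only things that change its result are WPA-style link encryption (which would scramble both packets before they reach this parser) or end-to-end encryption of the transaction itself.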
The tips for securing Wi-Fi networks are weak, starting with changing the default SSID or network name and disabling SSID broadcast, neither of which hides anything from a listener, since the network name is transmitted in the clear every time a client connects. Down the list of suggestions on improving security, there's a small mention of enabling encryption, which is the one step that actually addresses the interception problem.
Companies running public hotspots have to firewall their own machines against the open network, as I read the law, and have to post a fairly dopey message that's not an accurate statement of what's at risk:
YOU ARE ACCESSING A NETWORK WHICH HAS BEEN SECURED WITH FIREWALL PROTECTION. SINCE SUCH PROTECTION DOES NOT GUARANTEE THE SECURITY OF YOUR PERSONAL INFORMATION, USE YOUR OWN DISCRETION
The sign should more accurately state:
ALL THE DATA YOU USE ON THIS NETWORK CAN BE RECEIVED BY ANYONE ELSE ON THE SAME NETWORK. USE A PERSONAL FIREWALL AND USE SECURED CONNECTIONS FOR WEB BROWSING, EMAIL, AND OTHER SURFING, OR RISK THEFT OF PASSWORDS AND PRIVATE INFORMATION.
That's a little more direct, no? It's accurate but so frightening it might drive off all hotspot users.