{"id":1798,"date":"2017-09-11T04:31:33","date_gmt":"2017-09-11T04:31:33","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=1798"},"modified":"2017-09-11T04:31:33","modified_gmt":"2017-09-11T04:31:33","slug":"wpa-is-not-encrypting-your-customer-traffic","status":"publish","type":"post","link":"https:\/\/www.mtin.net\/blog\/wpa-is-not-encrypting-your-customer-traffic\/","title":{"rendered":"WPA is not encrypting your customer traffic"},"content":{"rendered":"<p>There was a Facebook discussion that popped up tonight about how a WISP answers the question &#8220;Is your network secure?&#8221; There were many good answers and the notion of WEP vs WPA was brought up.<\/p>\n<p>In today&#8217;s society, you need end-to-end encryption for data to be secure. An ISP has no control over where the customer traffic is going. Thus, by default, the ISP has no control over customer traffic being secure. \u00a0&#8220;But Justin, I run WPA on all my APs and backhauls, so my network is secure.&#8221; \u00a0Again, think about end-to-end connectivity. Every one of your access points can be encrypted, and every one of your backhauls can be encrypted, but what happens when an attacker breaks into your wiring closet and installs a sniffer on a router or switch port? What most people forget is that WPA encryption only happens between the router\/AP and the user device.\u00a0\u00a0&#8220;But I lock down all my ports,&#8221; you say. \u00a0Okay, what about your upstream? Who is to say your upstream provider doesn&#8217;t have a port mirror running that dumps all your customer traffic somewhere? \u00a0&#8220;Okay, I will just run encrypted tunnels across my entire network! Ha! Let&#8217;s see you tear down that argument!&#8221; Again, what happens when it leaves your network? \u00a0The encryption stops at the endpoint, which is the edge of your network.<\/p>\n<p>Another thing everyone hears about is hotspots. Every so often the news runs a fear piece on unsecured hotspots. 
\u00a0This is the same concept. \u00a0If you connect to an unsecured hotspot, it is not much different than connecting to a hotspot where the WPA2 key is on a sign behind the cashier at the local coffee shop. The only difference is the &#8220;hacker&#8221; has an easier time grabbing any unsecured traffic you are sending. Notice I said unsecured. \u00a0If you are using SSL to connect to a bank site, that traffic is sent over an encrypted session. \u00a0No sniffing going on there. \u00a0If you have an encrypted VPN, the possibility of traffic being sniffed is next to none. I say next to none because certain types of VPNs are more secure than others. Does that mean the ISP providing the Internet to feed that hotspot is insecure? There is no feasible\u00a0way for the ISP to provide end-to-end security of user traffic on the open Internet.<\/p>\n<p>These arguments are why things like SSL and VPNs exist. <a href=\"https:\/\/www.searchenginejournal.com\/google-is-requiring-https-for-secure-data-in-chrome\/183756\/\">Google Chrome is now expecting all <\/a>websites to be SSL enabled to be marked as secure. VPNs can ensure end-to-end security, but only between two points. \u00a0Eventually, you will have to leave the safety and venture out into the wild west of the internet. \u00a0Things like Intranets exist so users can have access to information but still be protected. Even most of that is over encrypted SSL these days so someone can&#8217;t install a sniffer in the basement.<\/p>\n<p>So what is a WISP supposed to say about security? The WISP is no more secure than any other ISP, nor is it any less secure. \u00a0The real security comes from the customer. Things like making sure their devices are up-to-date on security patches. \u00a0This includes the often forgotten router. Things like secure passwords, paying attention to browser warnings, e-mail awareness, and other things are where the real user security lies. VPN connections to work. Using SSL ports on e-mail. 
Using SSH and Secure RDP for network admins. Firewalls can help, but they don&#8217;t encrypt the traffic. Does all traffic need to be encrypted? No.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There was a Facebook discussion that popped up tonight about how a WISP answers the question &#8220;Is your network secure?&#8221; There were many good answers and the notion of WEP vs WPA was brought up. In today&#8217;s society, you need end-to-end encryption for data to be secure. An ISP has no control over where the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1799,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[17,274,86,156],"tags":[357,108,467,358,466,5,465],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/09\/download.jpg?fit=236%2C213&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-t0","jetpack-related-posts":[{"id":3411,"url":"https:\/\/www.mtin.net\/blog\/what-is-wpa3\/","url_meta":{"origin":1798,"position":0},"title":"What is WPA3?","author":"j2sw","date":"April 21, 2019","format":false,"excerpt":"With the introduction of WIFI6, we now have the new WPA standard in WPA3. In an earlier article, I talk about WIFI6, and it's the introduction of WPA3. As we are used to with the previous versions of WPA, WPA3 comes in two \"flavors. 
We have WPA personal and WPA\u2026","rel":"","context":"In &quot;MTIN&quot;","block_context":{"text":"MTIN","link":"https:\/\/www.mtin.net\/blog\/category\/mtin\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/04\/encryption-head-640x353.jpg?fit=640%2C353&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":2421,"url":"https:\/\/www.mtin.net\/blog\/cambium-and-management-vlans\/","url_meta":{"origin":1798,"position":1},"title":"Cambium and Management vlans","author":"j2sw","date":"September 6, 2018","format":false,"excerpt":"Just a quick diagram on how to separate Management traffic on an ePMP network. The aps\u00a0and CPE are in bridge mode in this setup. The Cambium CPE are in bridge mode with CNPilot routers doing PPPoE, which the ISP has control over as a managed router. Our netonix has a\u2026","rel":"","context":"In &quot;Cambium&quot;","block_context":{"text":"Cambium","link":"https:\/\/www.mtin.net\/blog\/category\/cambium\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/09\/aps_vlans-e1536254028499.jpg?fit=647%2C532&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3371,"url":"https:\/\/www.mtin.net\/blog\/podcast-mum-2019-jj-eric-isp-talk\/","url_meta":{"origin":1798,"position":2},"title":"PodCast: Mum 2019 JJ &#038; Eric ISP talk","author":"j2sw","date":"April 15, 2019","format":false,"excerpt":"Sat down With JJ Mcgrath and Eric Sooter at the Mikrotik User meeting in Autin for a little \"routerside chat\" about the WISP industry. 
#routinglight #routingrf #bendingpackets #podcast Routerside chat with Eric and JJ","rel":"","context":"In &quot;podcast&quot;","block_context":{"text":"podcast","link":"https:\/\/www.mtin.net\/blog\/category\/podcast\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2512,"url":"https:\/\/www.mtin.net\/blog\/funding-for-your-isp\/","url_meta":{"origin":1798,"position":3},"title":"Funding for your ISP","author":"j2sw","date":"October 15, 2018","format":false,"excerpt":"One of the more common\u00a0questions at #WISPAPALOOZA2018 was how to do funding your for WISP.\u00a0 One of our partner companies is Ritalia Fundiing \u00a0","rel":"","context":"In &quot;WISP&quot;","block_context":{"text":"WISP","link":"https:\/\/www.mtin.net\/blog\/category\/wisp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1832,"url":"https:\/\/www.mtin.net\/blog\/the-problem-with-peering-from-a-logistics-standpoint\/","url_meta":{"origin":1798,"position":4},"title":"The problem with peering from a logistics standpoint","author":"j2sw","date":"September 29, 2017","format":false,"excerpt":"Many ISPs run into this problem as part of their growing pains.\u00a0 This scenario usually starts happening with their third or 4th peer. Scenario.\u00a0 ISP grows beyond the single connection they have.\u00a0 This can be 10 meg, 100 meg, gig or whatever.\u00a0 They start out looking for redundancy. 
The ISP\u2026","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"https:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/09\/dreamstime_xs_87568893.jpg?fit=480%2C320&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1656,"url":"https:\/\/www.mtin.net\/blog\/mtin-is-growing-again\/","url_meta":{"origin":1798,"position":5},"title":"MTIN is growing again","author":"j2sw","date":"August 1, 2017","format":false,"excerpt":"Over the years MTIN has gone from being a computer repair shop to a dial-up ISP, to a Wireless ISP, and many things in-between. \u00a0Each time technology and market conditions change we adapt to change with it. \u00a0Our next metamorphosis is needed so we can grow into more aspects of\u2026","rel":"","context":"In \"MTIN\"","block_context":{"text":"MTIN","link":"https:\/\/www.mtin.net\/blog\/tag\/mtin\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1798"}],"collection":[{"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=1798"}],"version-history":[{"count":1,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1798\/revisions"}],"predecessor-version":[{"id":1800,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1798\/revisions\/1800"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media\/1799"}],"wp:attachment":[{"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=1798"}],"wp:term":[{"taxonomy":"category","embe
ddable":true,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=1798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=1798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}