Comments on: Security for retail wireless LANs http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/ A former physicist tries to make sense of technology Tue, 07 Feb 2012 20:40:33 +0000 http://wordpress.org/?v=2.5.1 By: mary fouts http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-10599 mary fouts Mon, 06 Aug 2007 14:08:26 +0000 http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-10599 Retailers don't always think about the proper stop shoplifting equipment needed, much less about needing extra cash registers via wireless. I think it is up to the cash regester industry to promote this aspect of their products. --mary, http://www.sensortags.com Retailers don’t always think about the proper stop shoplifting equipment needed, much less about needing extra cash registers via wireless. I think it is up to the cash regester industry to promote this aspect of their products. –mary, http://www.sensortags.com

]]> By: matthew http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-6088 matthew Thu, 14 Jun 2007 16:58:24 +0000 http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-6088 From a technology perspective, 802.11 client bridges work fine to solve the problem. (Well, not quite. They mess with ARP in funny ways, but for the most part, those effects are not observable as long as you use them exactly as they were intended.) However, from a security view, they provide a great way into the network because you typically configure the bridge, attach it to the client computer, and forget about it. Attackers interested in attaching to the network can steal a bridge and get on, or gain access to the bridge's configuration for credentials. Furthermore, the incremental cost for any type of client can be large compared to the cost of the cash register. A search on cash registers with Ethernet led me to the <a href="http://www.cashregistersonline.com/store/Scripts/SharpprodView.asp?idproduct=210" rel="nofollow">Sharp UP-600</a>, which sells for around $900. (I have no idea how comparable the Sharp is compared to the other registers that I was discussing.) If the unit is an "overflow" unit used only for big sales a few times a year, maintaining, configuring, and managing a second part at 10% of the cost is not worth it to most stores. Finally, the cost of an Ethernet hardware bridge is substantially more than client software. The bridge costs $100, but the list pricing for commercial client software is generally $30-40 per unit. Big stores could get better pricing than that, but there is greater ability to heavily discount large software orders, or use a zero-cost alternative. From a technology perspective, 802.11 client bridges work fine to solve the problem. (Well, not quite. They mess with ARP in funny ways, but for the most part, those effects are not observable as long as you use them exactly as they were intended.)

However, from a security view, they provide a great way into the network because you typically configure the bridge, attach it to the client computer, and forget about it. Attackers interested in attaching to the network can steal a bridge and get on, or gain access to the bridge’s configuration for credentials.

Furthermore, the incremental cost for any type of client can be large compared to the cost of the cash register. A search on cash registers with Ethernet led me to the Sharp UP-600, which sells for around $900. (I have no idea how comparable the Sharp is compared to the other registers that I was discussing.) If the unit is an “overflow” unit used only for big sales a few times a year, maintaining, configuring, and managing a second part at 10% of the cost is not worth it to most stores.

Finally, the cost of an Ethernet hardware bridge is substantially more than client software. The bridge costs $100, but the list pricing for commercial client software is generally $30-40 per unit. Big stores could get better pricing than that, but there is greater ability to heavily discount large software orders, or use a zero-cost alternative.

]]> By: Moschops http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-5947 Moschops Tue, 12 Jun 2007 07:18:43 +0000 http://blog.matthewgast.com/2007/06/06/security-for-retail-wireless-lans/#comment-5947 Why can't you just install a WPA2 enabled 802.11 to ethernet bridge? Then they can just plug in a regular ethernet connection to it and no hardware upgrade is required. For $100 you can get a DWL-3150 that fits the bill supporting WEP (snicker!), WPA, WPA-Enterprise, WPA2, and WPA2-Enterprise, plus its centrally manageable via SNMP. I'm sure there are plenty of others like it that you could use. Why can’t you just install a WPA2 enabled 802.11 to ethernet bridge? Then they can just plug in a regular ethernet connection to it and no hardware upgrade is required. For $100 you can get a DWL-3150 that fits the bill supporting WEP (snicker!), WPA, WPA-Enterprise, WPA2, and WPA2-Enterprise, plus its centrally manageable via SNMP. I’m sure there are plenty of others like it that you could use.

]]>