81

Someone to whom I am related is at a study camp for their desired profession. This person, let's call her Jane, is supposed to be studying rigorously for two months. The housing provided offers wireless internet connections, which are spotty and don't allow for fluid streaming of even low-quality video, or other tasks useful for studying. Since Jane wants to study in her down-time and look up resources as a reference to the material, she needs to access these materials and suffer through a slow connection. There are no provided modems or other ways to connect via Ethernet, and the student is expected to have some form of wireless-capable computer, presumably.

Now, I want Jane to have the best possible studying experience, and I understand that they might deem this experience "the best to study in," so I called and claimed that I was interested in attending the camp myself, but I only have a desktop computer with no wireless card, and I expect a wired connection. After a few hours, I received a response saying the following:

"We do not provide hard wire connections to our network because of viruses and stuff"

It was clear to me the information I was being relayed was second-hand, but acknowledging that I wouldn't be able to change anyone's mind about this policy, I come here to posit this question:

Exactly what security benefits could be gained by only offering a Wireless connection?

In this case, I'm assuming that the answer given to me was genuine and not just an excuse for them to not do extra work or anything of the sort.

16
  • 94
    Well, to use highly official terms, Viruses and stuff are very bad for computers. I honestly hope that wasn't IT who responded (: Commented Aug 28, 2018 at 23:05
  • 60
    Did they really say "viruses and stuff"?
    – Schwern
    Commented Aug 28, 2018 at 23:47
  • 35
    That's not the stupidest thing I've ever heard someone say in IT (I'm old, there's a /lot/ to choose from) but it's well up there... Commented Aug 29, 2018 at 10:50
  • 3
    I've been in ho(s)tels where they told a similar story. They usually have a good reason but a terrible explanation.
    – Mast
    Commented Aug 29, 2018 at 11:22
  • 17
    @Schwern yes they did, I had to stifle a laugh on call with them.
    – Erin B
    Commented Aug 29, 2018 at 13:19

7 Answers

200

Warning: Conjecture, because none of us know their actual setup.

It is very likely that the organization has their own network, which is hard-wired, as well as a guest network, which is wireless-only. The two are separate networks. This is a common layout because laying wire to desks is expensive, but worth it, for your own employees; broadcasting wireless is cheap, and worth every penny of it, for your guests.

When you asked about a hard-wired connection, they were answering the question of which network you'd be on rather than how you connect to the network. And as the two are intertwined in their minds ("hard-wire is our network, wireless is guest network") they answered very simply.

From their point of view, they don't want non-organization machines on their network, only on the guest network - because of viruses and stuff. We can all understand that we wouldn't want random visitors on our internal networks, right? So that would be a context in which their answer makes sense.

I would suggest explaining your concern to them and seeing if they can come up with a solution, instead of asking them about the solution you would expect to work. It may be that they only expect guests to need enough connectivity for email and light web browsing. If you explain that Jane needs more bandwidth for her study needs, and can convince them that it's a reasonable request, they're likely to find some way to help - even if it's just moving Jane to a room closer to the Wireless AP.

8
  • 20
    I once managed to take down the Moscone Center (convention center in San Francisco) about 10 years ago because they didn't isolate their office network from the hard drops they'd set up for people. I asked why the hell they did that, and their excuse was that when Cisco and others were there, they needed full access. To the outside world, maybe ... but you secure your office network. (I was sending DHCP, and their machines were getting bad IP addresses)
    – Joe
    Commented Aug 29, 2018 at 17:04
  • 5
    @ErinB: More to the point, the ability of the employees to access all the equipment on the internal network is infinitely more important than the customers' needs to do likewise, since the latter is zero.
    – supercat
    Commented Aug 29, 2018 at 18:25
  • 13
    @ErinB being an important customer wouldn't mean being handed a key to every locked room or safe that employees routinely are given access to, no? Commented Aug 30, 2018 at 7:18
  • 4
    This is speculation ... but plausible speculation.
    – Jay
    Commented Aug 30, 2018 at 16:46
  • 3
    @Joe Very strange. I was IT for a convention center management organization and the network for the organization (which was located in the convention center) was completely separate from the networking available on the show floors - even with separate internet connections. On top of that, the only outside organization that got unfettered access to whatever they wanted was the US Secret Service. Commented Aug 31, 2018 at 16:49
28

It really depends on how they have set up their network, so we can only speculate. But I can provide a similar anecdote.

My local library has a wifi that you can log into using your library card. Several rooms have ethernet ports in the wall, but when I asked if I could plug in, I was told that the ethernet goes straight to the back-end network with access to the library's databases, printers, etc. Not intended for customers.

It's common practice to keep separate networks for "trusted" machines that are using corporate-supplied anti-virus, etc, and a separate network for the public to use. I guess wifi vs ethernet is as good a way as any to split that.

6
  • 36
    "[...] I was told that the ethernet goes straight to the back-end network with access to the library's databases, printers, etc. Not intended for customers." <- ...That's... disconcerting; I hope they whitelist MACs? Commented Aug 29, 2018 at 3:47
  • 12
    @redyoshi49q Doubt it. I assume whoever designed the networks assumed there would only be ethernet drops in the offices, not in public areas. Commented Aug 29, 2018 at 4:12
  • 2
    @redyoshi49q Hopefully those ports are not connected on the patch panel. Commented Aug 29, 2018 at 12:54
  • 12
    Out of curiosity -- did you ever try to plug into those spots in the rooms? They may only be "meant" for staff, but I'm intensely curious if there's any auth or security aside from "does or does not have Ethernet cable"....
    – RoboBear
    Commented Aug 29, 2018 at 20:15
  • 16
    @RoboBear Yup, internet was waaayy faster than the wifi. Then a librarian told me not to. I guess I shouldn't tell you where I live ... Commented Aug 29, 2018 at 21:16
11

I'm going to come at this from a network-engineering point-of-view (full disclosure: CCNA / N+, I work on enterprise-level network systems which include complex topics that we'll discuss here, as well as having done network-engineering for a private university).

Every network is different, and every network-device is different, but there are some commonalities:

  • Many enterprise-level devices (switches) offer some sort of "VLAN" ("Virtual LAN"). For those unfamiliar, think of it as a way of saying "This switchport is in LAN X, whereas this other switchport is in LAN Y." This allows us to separate devices logically, so that you and I can be plugged into the same switch but not even see each other through MAC targeting;
  • Many enterprise-level devices (switches) offer SNMP targeting / triggering / "trap"ping to switch ports between different VLANs based on things like MAC addresses and the like.

Here's the thing about Ethernet / RJ-45 / 100M/1000M connections: we typically use lower-end devices for this, because we often "just" need a basic connection back to the router. Often they're less advanced, and don't offer good-quality versions of the features above. (You'll typically find "VLAN" segregation on just about every switch nowadays, but the SNMP triggering and targeting is substantially more difficult to find at a good price point.)

When I worked for the University we used software that would look at a switchport and the MAC address (a unique hardware identifier for your Ethernet port) and decide what "VLAN" you were on: Guest, Staff, Faculty, Student, Lab, etc. This was extraordinarily expensive, both in licensing and implementation. While there are good, free tools out there to do this, it's still difficult to set up, and may not be worth it depending on what the goals of the company are. (This software is notoriously unreliable.) Another problem is that, with sufficient work, a MAC address can be spoofed, which makes it about as secure as using someone's full name.

So, we have to make a decision: support hard-wired connections that may be unstable, insecure, and leak access to privileged resources, or not?

No network is perfectly secure; even if we have all the resources on the "protected" network locked down, there's still a risk in connecting a foreign device to the network. Therefore, we often make decisions like "any BYOD connects to this wireless network." We can turn the wireless network into a "Guest"/"Secured" network, via different SSIDs and authentication mechanisms. This means we can have both the guests and employees connected to one wireless access point. Infrastructure cost is lower, and we get the same security benefit.

Like the other answers, this is conjecture or speculation, but from my (professional) experience this would be the likely explanation. The infrastructure cost to support hard-wired connections was too high to be justified. (And since almost all devices people use have wireless capability these days, it's tough to justify.) Considering even Apple is dropping Ethernet ports from the MacBook Pro by default, we get into an "is it even worth it?" situation.

TL;DR: Ethernet is too expensive to do across the board and secure properly, whereas Wireless is becoming much more commonplace, secure and easier to distribute access for.

14
  • 2
    @ErinB Well, you have to ask yourself: how do you know the Wifi speeds are poor? If you're asking about streaming videos and such, how many other people on the Wifi do you think are streaming videos? Typically, in these environments, we use multi-channel roaming access-points, which means that we can load balance them, but it just may be that the Wifi/internet connections are being taxed by the number of users. (All speculation / hypothetical, but offers another explanation.) Commented Aug 29, 2018 at 14:46
  • 1
    And it makes sense that this would be the case, but then, wouldn't you expect this as any IT department worth its salt? If your customers are unable to do the one thing they are attending your company for, that seems like a largely negative impact to business. Providing accommodations (like say, Ethernet connections) would be a suitable measure in this instance.
    – Erin B
    Commented Aug 29, 2018 at 14:51
  • 2
    @ErinB Aha, you've gotten into the "what trade-offs do we make". I've been on the Business side of it as well (I'm typically the bridge between Network / Software Engineering and business), and we always get a "well nevermind, we don't want to do that because ", where '' is almost always $$$. Running Ethernet is expensive, securing it is expensive, do we value the benefits from those expenses? Sure, but is there enough value in it? More Ethernet = more hardware, more maintenance, a lifetime of it. Commented Aug 29, 2018 at 14:53
  • 2
    @ErinB I just realized that comment formatted weird, replace because ", where '' is with because <x>", where <x> is. Commented Aug 29, 2018 at 14:59
  • 1
    I'm no CCNE, but I'd have imagined that all the ports in the dorm rooms would be connected to a switch which was on the guest VLAN. Why would guest bedrooms need anything else? Therefore, no need of VLAN switching or even MAC registrations - you plug in there, you're in the guest network (no exceptions). In the case where there's a CCTV camera or something, then that specific port could be assigned a VLAN (or put onto the VLAN-switching technology). However, as noted, wiring up the rooms is more expensive than throwing in a wireless AP. Commented Aug 31, 2018 at 10:56
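The MAC-based VLAN assignment described in this answer, and the statically pinned guest ports the last comment proposes for dorm rooms, modelled as a small Python policy evaluator. This is an added example, not code from the answer or from any vendor's product; the VLAN names, MAC addresses and port names are constructed, and `audit_public_ports` is a hypothetical check that lists public-area ports whose VLAN still depends on whatever address the connecting device presents. It also makes the answer's point about MAC addresses being weak identifiers concrete: the policy only ever sees the address a device claims, so pinning every publicly reachable port to the guest VLAN is the safer default.

```python
"""Toy model of two switch-port VLAN policies (constructed example).

1. MAC-based dynamic assignment: look up the connecting device's MAC
   address and place it in Guest/Staff/Student etc.
2. Static per-port assignment: a port in a public area is pinned to the
   guest VLAN no matter which device is plugged in.
"""
from dataclasses import dataclass
from typing import Optional

GUEST = "guest"
STAFF = "staff"
STUDENT = "student"

# Constructed registry for the MAC-based policy: known MAC -> VLAN.
MAC_REGISTRY = {
    "00:11:22:33:44:55": STAFF,
    "66:77:88:99:aa:bb": STUDENT,
}


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form. Accepts ':', '-' or '.'
    separators and the bare 12-hex-digit form so lookups do not miss
    purely because of formatting differences between devices."""
    hexdigits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_by_mac(mac: str, registry=MAC_REGISTRY) -> str:
    """MAC-based policy: registered addresses get their VLAN, unknown ones
    fall back to guest. The policy acts only on the address presented, so
    any device presenting a registered address is treated as that device."""
    return registry.get(normalize_mac(mac), GUEST)


@dataclass(frozen=True)
class Port:
    name: str
    public_area: bool                  # reachable by guests (dorm room, lounge)
    fixed_vlan: Optional[str] = None   # static assignment; None = dynamic


def assign_vlan(port: Port, mac: str, registry=MAC_REGISTRY) -> str:
    """Combined policy: a statically pinned port ignores the MAC entirely,
    which is what the comment above proposes for dorm-room ports."""
    if port.fixed_vlan is not None:
        return port.fixed_vlan
    return vlan_by_mac(mac, registry)


def audit_public_ports(ports) -> list:
    """Hypothetical configuration check: names of public-area ports whose
    VLAN still depends on the device's MAC, i.e. where presenting a
    registered address from a location anyone can reach would yield a
    non-guest VLAN."""
    return [p.name for p in ports if p.public_area and p.fixed_vlan != GUEST]


if __name__ == "__main__":
    dorm = Port("Gi0/1", public_area=True, fixed_vlan=GUEST)
    lounge = Port("Gi0/2", public_area=True)      # dynamic on a public port: a gap
    office = Port("Gi0/10", public_area=False)    # dynamic in a staff-only area

    staff_mac = "00:11:22:33:44:55"
    print(assign_vlan(office, staff_mac))   # staff
    print(assign_vlan(dorm, staff_mac))     # guest: the static pin wins
    print(assign_vlan(lounge, staff_mac))   # staff: the dynamic port trusts the MAC
    print(audit_public_ports([dorm, lounge, office]))   # ['Gi0/2']
```

The audit is the part a practitioner would actually keep: with a real switch inventory in place of the constructed `Port` list, it turns the "dorm ports are guest-only, no exceptions" rule into something that can be checked rather than assumed.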
9

Looks like this is solved, but I wanted to inject discussion of "Wireless AP Isolation" which is a one-button click on most vendors' small-to-mid scale deployments such as small schools and hotels.

I could easily see a "summer camp" relying on AP isolation, rather than hardware network segmentation to keep out "viruses and stuff."

What I don't know is whether this is actually a good defense, or whether this is easily broken out of.

1
  • Meraki has network isolation on by default. It's actually quite nice because it protects users from each other. It's nice until you try to create a print share or some other shared resource then they hit you up for an upgrade.
    – jorfus
    Commented Aug 30, 2018 at 0:25
0

I suspect that the REAL answer is not any security concern about "viruses and stuff", but rather that it is too difficult and expensive to run ethernet cable to all the campers. Setting up a wifi router is pretty cheap and simple: you run one cable from the modem to the router, put it someplace where it gives a good signal throughout the desired area, and you're done. Stringing ethernet cable is a lot of work: you have to run a cable to every workstation. Depending on how pretty you want the results to be that can mean tearing out walls to string the cable.

Wifi has the inherent security hole that anyone who can get within the signal range with a computer could conceivably hack into your network. I pick up signals from a dozen of my neighbors whenever I turn on my computer. With a wired-only network, they'd have to break into your building. I can't think of any reason why ethernet would be LESS secure than wifi, though I confess I am not a security expert.

Several others have mentioned that they might have a wired network with greater access than the wifi network. Possible. The issue there is not really wire vs wifi, but that one network "coincidentally" has greater access than another, but it's certainly possible that that's what someone was thinking of when they answered the question.

0

If plugging in the physical cable is a bypass for the wireless connection password as other posters mentioned, then have a physical cable connect to a wireless router in a locked box just for that location. This way you have both the reliability and extensibility of a wired connection but the security (pending items below) of no-physical-access. You can thus also easily serve many other users within that more remote area.

Of course wired connections have vulnerabilities such as physical (cable) interception and vulnerable routers/hubs/etc.

0
-2

My immediate thought when I read the OP was PHYSICAL ACCESS. (The OP was looking for possible scenarios where copper (UTP cable) could be more of a security risk than WiFi...)

The first thing (well, one of the first things) you learn about IT security is that physical network devices need to be placed where they cannot be accessed by "just anyone."

The reason for this, generally, is because there are nasty things you can do to a device (like bring down the entire network) if you can "physically touch it." Things you cannot do over a remote connection.

Example: On a brand new Cisco device, you must physically connect to the device via a "console cable" to begin the basic configuration process. Basics like setting up remote access, setting passwords, etc. You can also just as easily wipe out the entire IOS image, delete the running-config, etc.

So, to reduce certain security risks, you put your devices behind locked doors and grant access to the devices only to those who need it.

So coming back to the OP's question, you could say that you'd need physical access to a device in order to plug in a patch cable, whereas you wouldn't need physical access to make a wireless connection.

In that most basic scenario, wireless connectivity would pose less of a security risk.


And yeah, yeah, yeah..., I know that most physical connections are made via wall jack and therefore you don't need direct access to the network device itself, but I'm providing a SIMPLE scenario which fulfills the OP's original question.

0
