Dfyjkt

It really depends on how they have set up their network, so we can only speculate. But I can provide a similar anecdote.

My local library has a wifi that you can log into using your library card. Several rooms have ethernet ports in the wall, but when I asked if I could plug in, I was told that the ethernet goes straight to the back-end network with access to the library's databases, printers, etc. Not intended for customers.

It's common practice to keep separate networks for "trusted" machines that are using corporate-supplied anti-virus, etc, and a separate network for the public to use. I guess wifi vs ethernet is as good a way as any to split that.

I'm going to come at this from a network-engineering point-of-view (full disclosure: CCNA / N+, I work on enterprise-level network systems which include complex topics that we'll discuss here, as well as having done network-engineering for a private university).

Every network is different, and every network-device is different, but there are some commonalities:

• Many enterprise-level devices (switches) offer some sort of "VLAN" ("Virtual-LAN"), for those unfamiliar, think of it as a way of saying that "This switchport is in LAN X, whereas this other switchport is in LAN Y.", this allows us to separate devices logically, so that you and I can be plugged into the same switch, but not even see each other through MAC targeting;


• Many enterprise-level devices (switches) offer SNMP targeting / triggering / "trap"ping to switch ports between different VLAN's based on things like MAC-addresses and the like;

Here's the thing about Ethernet / RJ-45 / 100M/1000M connections: we typically use lower-end devices for this, because we often "just" need a basic connection back to the router. Often they're less advanced, and don't offer good-quality features of the above. (You'll typically find "VLAN" segregation on just about every switch now-a-days, but the SNMP triggering and targeting is substantially more difficult to find for a good price-point.)

When I worked for the University we used a software that would look at a switchport and the MAC-address (a unique hardware-identifier for your Ethernet port) which would decide what "VLAN" you were on: Guest, Staff, Faculty, Student, Lab, etc. This was extraordinarily expensive, both in licensing and implementation. While there are good, free tools out there to do this, it's still difficult to setup, and may not be worth it depending on what the goals of the company are. (This software is notoriously unreliable.) Another problem is that, with sufficient work, a MAC Address can be spoofed, which makes it about as secure as using someone's full name.

So, we have to make a decision, support hard-wired connections that may be unstable, insecure, and leak access to privileged resources, or not?

No network is perfectly secure, even if we have all the resources on the "protected" network locked down, there's still a risk of connection a foreign device to the network. Therefore, we often make decisions like "any BYOD connects to this wireless network." We can turn the wireless network into a "Guest"/"Secured" network, via different SSID's and authentication mechanisms. This means we can have both the guests and employees connected to one wireless access point. Infrastructure cost is lower, and we get the same security benefit.

Like this other answers, this is conjecture or speculation, but from my (professional) experience this would be the likely explanation. The infrastructure cost to support hard-wired connections was too high to be justified. (And since almost all devices people use have wireless capability these days, it's tough to justify.) Considering even Apple is dropping Ethernet ports off the MacBook Pro by default, we get into a "is it even worth it?" situation.

TL;DR;: Ethernet is too expensive to do across the board and secure properly, whereas Wireless is becoming much more commonplace, secure and easier to distribute access for.

Looks like this is solved, but I wanted to inject discussion of "Wireless AP Isolation" which is a one-button click on most vendors' small-to-mid scale deployments such as small schools and hotels.

I could easily see a "summer camp" relying on AP isolation, rather than hardware network segmentation to keep out "viruses and stuff."

What I don't know is whether this is actually a good defense, or whether this is easily broken out of.

I suspect that the REAL answer is not any security concern about "viruses and stuff", but rather that it is too difficult and expensive to run ethernet cable to all the campers. Setting up a wifi router is pretty cheap and simple: you run one cable from the modem to the router, put it someplace where it gives a good signal throughout the desired area, and you're done. Stringing ethernet cable is a lot of work: you have to run a cable to every workstation. Depending on how pretty you want the results to be that can mean tearing out walls to string the cable.

Wifi has the inherent security hole that anyone who can get within the signal range with a computer could conceivably hack into your network. I pick up signals from a dozen of my neighbors whenever I turn on my computer. With a wired-only network, they'd have to break into your building. I can't think of any reason why ethernet would be LESS secure than wifi, though I confess I am not a security expert.

Several others have mentioned that they might have a wired network with greater access than the wifi network. Possible. The issue there is not really wire vs wifi, but that one network "coincidentally" has greater access than another, but it's certainly possible that that's what someone was thinking of when they answered the question.

If plugging in the physical cable is a bypass for the wireless connection password as other posters mentioned, then have a physical cable connect to a wireless router in a locked box just for that location. This way you have both the reliability and extensibility of a wired connection but the security (pending items below) of no-physical-access. You can thus also easily serve many other users within that more remote area.

Of course wired connections have vulnerabilities such as physical (cable) interception and vulnerable routers/ hubs/ etc.

My immediate thought when I read the OP was PHYSICAL ACCESS. (The OP was looking for possible scenarios where copper (UTP cable) could be more of a security risk than WiFi...)

The first thing (well, one of the first things) you learn about IT security is that physical network devices need to be placed where they cannot be accessed by "just anyone."

The reason for this, generally, is because there are nasty things you can do to a device (like bring down the entire network) if you can "physically touch it." Things you cannot do over a remote connection.

Example: On a brand new Cisco device, you must physically connect to the device via a "console cable" to begin the basic configuration process. Basics like setting up remote access, setting passwords, etc. You can also just as easily wipe out the entire IOS image, delete the running-config, etc.

So, to reduce certain security risks, you put your devices behind locked doors and grant access to the devices only to those who need it.

So coming back to the OP's question, you could say that you'd need physical access to a device in order to plug in a patch cable, whereas you wouldn't need physical access to make a wireless connection.

In that most basic scenario, wireless connectivity would pose less of a security risk.

And yeah, yeah, yeah..., I know that most physical connections are made via wall jack and therefore you don't need direct access to the network device itself, but I'm providing a SIMPLE scenario which fulfills the OP's original question.