Re: Wireless Internet Access and Corporate LAN connectivity
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 5 Aug 2003 17:22:48 GMT
In article <firstname.lastname@example.org>, J.Flowers <email@example.com> top-posted:
:My concern is that the PC would have two IP Addresses simultaneously. One
:on the Internet (Wireless-Infrastructure mode) and one from the corporate
:LAN (wired). The Internet IP obtained via the Access point would be
:vulnerable to attack/compromise. Should the PC have a virus/trojan/etc
:installed or become infected, the entire Corporate LAN (which does not use
:Wireless) would be susceptable. The PC would in essence become an alternate
:gateway into our corporate network, thus bypassing the firewall.
You do not seem to have read and considered my previous points.
If a PC is [hypothetically] vulnerable to virus/trojans/etc while it is
wireless, then the virus/trojan/etc that sneaks in can just sit idle
after sneaking in, until the PC is connected to the wired internet, at
which point you are SOL. This is not a new vulnerability introduced by
being active on wired and wireless simultaneously.
The only new vulnerability introduced by being active on both
simultaneously, is the possibility of active remote control through the
wireless link. But is that a realistic possibility? Ask yourself what
-exactly- has to happen for this possibility to become a reality.
- The wireless card slips into peer-to-peer unencrypted mode. Are there
no steps you can take on a PC to prevent or reduce this possibility?
Did you test to see whether the default configuration is to
peer-to-peer? What would you have to do in order to lock down the
configuration while still allowing the card to be inserted and
removed? Is this even the scenario you were thinking of, considering
that a card that is in peer-to-peer mode is not going to be talking to
your Access Point? If the card can somehow slip in to peer-to-peer,
don't you have substantial other problems anyhow, like someone reading
stored email or documents? Or installing keystroke loggers?
- Another system connects to the AP as well and starts using the AP as
a relay, trusting the AP to do whatever encryption is necessary to talk
to the PC. Is it not possible to lock your AP to rebuff unauthorized
systems from connecting, such as by using encryption with strong keys,
and possibly MAC filters? Is it not possible to lock your AP to prevent
it from acting as a wireless bridge?
- An attacker introduces an additional AP and convinces the PC to
connect to it. Is it not possible to lock the PC so as to likely only
connect to authorized AP, such as by using encryption with strong keys,
and using an obscure SSID and set the SSID to non-broadcast? Is it not
possible to layer security on top of the wireless transport layer, so
that even though the packets reach the PC interface, the PC won't trust
them unless they meet additional security criteria? Can the wireless
encryption keys not be changed at reasonable intervals to prevent
people from breaking them using the weak IV attack (that requires about
5 Gb of traffic to analyze) ?
- The wireless interface blindly relays traffic to the wired
interface. Can this not be locked down to prevent that kind of
- A program gets pushed on to the PC while in wireless mode. Can the PC
not be running a firewall? Can the PC not have anti-virus software? Can
the PC not have its shares locked down? Can the PC not have NETBIOS
disabled? Can the PC operating system not be replaced with FreeBSD?
Don't just hand-wave and say that "It could happen!" -- define exactly
*how* it could happen, take measures against those paths, and evaluate
the risks of what remains. I would put it to you that most of the
attack vectors work almost as well even if both interfaces are never
active simultaneously, and that if you have solved those other problems
that you will find that the additional risk of having two interfaces
active is inconsequential.
If you must stick with Windows, then Yes, you must consider the
possibility that one of those customers (or a commercial infiltrator)
knows about a Windows exploit that hasn't been made public knowledge
yet. Is that a considered a high risk, that one of your customers is
just waiting to infiltrate you the moment they can? If your
organization is like most organizations, then I would suggest that more
likely is that you Just Haven't Gotten Around To patching against known
exploits... and that that is a problem even when the connection is
wired instead of wireless.
-- This is not the same .sig the second time you read it.