Re: Wireless Internet Access and Corporate LAN connectivity
From: J.Flowers (me_at_aol.com)
Date: Tue, 5 Aug 2003 15:50:41 -0400
Your points are well taken and I understand what you are saying. It is just
rather difficult to describe the *exact* scenario I am concerned with. Some
of the items you mention, we have already addressed. We currently have
Anti-virus software loaded on all PC's and laptops. The wireless network
will operate in Infrastructure mode. I'm sure there will be some sort of
encryption "between the access point and wireless network adapter" and MAC
address authorization. This encryption, however, does not address the fact
that anyone on the Internet could access this PC. Any traffic that flows
from the PC/laptop in question would not be encrypted once it hits the
access point (only between the access point and wireless adapter).
The problem(s) we foresee (and I'm sure there are others):
- We load firewall protection on all PCs that we think 'might' connect this
way accidentally; what happens if a new user (without a firewall) installs a
wireless adapter into his/her PC? How do we detect this violation? Are you
recommending we install a firewall on EVERY PC on our network (800+)? Is this
Is there a setting on Windows where we can tell it to only use one NIC? Is
there something we can do with blackhole routes? Can we install SNMP
agents, poll for violators (2 or more active interfaces) and script the
disabling of ports? We would love to lock down the PCs and not allow a
user to add or change anything; however, corporate politics do not quite
operate in that manner. We are trying to find a solution that is effective,
but also allows a user to be functional. Any suggestions?
"Walter Roberson" <email@example.com> wrote in message
> In article <firstname.lastname@example.org>, J.Flowers <email@example.com>
> :My concern is that the PC would have two IP Addresses simultaneously.
> :on the Internet (Wireless-Infrastructure mode) and one from the corporate
> :LAN (wired). The Internet IP obtained via the Access point would be
> :vulnerable to attack/compromise. Should the PC have a virus/trojan/etc
> :installed or become infected, the entire Corporate LAN (which does not
> :Wireless) would be susceptible. The PC would in essence become a
> :gateway into our corporate network, thus bypassing the firewall.
> You do not seem to have read and considered my previous points.
> If a PC is [hypothetically] vulnerable to virus/trojans/etc while it is
> wireless, then the virus/trojan/etc that sneaks in can just sit idle
> after sneaking in, until the PC is connected to the wired internet, at
> which point you are SOL. This is not a new vulnerability introduced by
> being active on wired and wireless simultaneously.
> The only new vulnerability introduced by being active on both
> simultaneously, is the possibility of active remote control through the
> wireless link. But is that a realistic possibility? Ask yourself what
> -exactly- has to happen for this possibility to become a reality.
> - The wireless card slips into peer-to-peer unencrypted mode. Are there
> no steps you can take on a PC to prevent or reduce this possibility?
> Did you test to see whether the default configuration is to
> peer-to-peer? What would you have to do in order to lock down the
> configuration while still allowing the card to be inserted and
> removed? Is this even the scenario you were thinking of, considering
> that a card that is in peer-to-peer mode is not going to be talking to
> your Access Point? If the card can somehow slip in to peer-to-peer,
> don't you have substantial other problems anyhow, like someone reading
> stored email or documents? Or installing keystroke loggers?
> - Another system connects to the AP as well and starts using the AP as
> a relay, trusting the AP to do whatever encryption is necessary to talk
> to the PC. Is it not possible to lock your AP to rebuff unauthorized
> systems from connecting, such as by using encryption with strong keys,
> and possibly MAC filters? Is it not possible to lock your AP to prevent
> it from acting as a wireless bridge?
> - An attacker introduces an additional AP and convinces the PC to
> connect to it. Is it not possible to lock the PC so as to likely only
> connect to authorized AP, such as by using encryption with strong keys,
> and using an obscure SSID and set the SSID to non-broadcast? Is it not
> possible to layer security on top of the wireless transport layer, so
> that even though the packets reach the PC interface, the PC won't trust
> them unless they meet additional security criteria? Can the wireless
> encryption keys not be changed at reasonable intervals to prevent
> people from breaking them using the weak IV attack (that requires about
> 5 Gb of traffic to analyze) ?
> - The wireless interface blindly relays traffic to the wired
> interface. Can this not be locked down to prevent that kind of
> - A program gets pushed on to the PC while in wireless mode. Can the PC
> not be running a firewall? Can the PC not have anti-virus software? Can
> the PC not have its shares locked down? Can the PC not have NETBIOS
> disabled? Can the PC operating system not be replaced with FreeBSD?
> Don't just hand-wave and say that "It could happen!" -- define exactly
> *how* it could happen, take measures against those paths, and evaluate
> the risks of what remains. I would put it to you that most of the
> attack vectors work almost as well even if both interfaces are never
> active simultaneously, and that if you have solved those other problems
> that you will find that the additional risk of having two interfaces
> active is inconsequential.
> If you must stick with Windows, then Yes, you must consider the
> possibility that one of those customers (or a commercial infiltrator)
> knows about a Windows exploit that hasn't been made public knowledge
> yet. Is that considered a high risk, that one of your customers is
> just waiting to infiltrate you the moment they can? If your
> organization is like most organizations, then I would suggest that more
> likely is that you Just Haven't Gotten Around To patching against known
> exploits... and that that is a problem even when the connection is
> wired instead of wireless.
> This is not the same .sig the second time you read it.
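One concrete form of the SNMP polling idea raised earlier in the thread (poll agents, flag hosts with two or more active interfaces, then script a port disable) is shown below as an added example; it is not code from either poster. It parses text in the shape `snmpwalk` prints for the standard IF-MIB `ifDescr`/`ifOperStatus` and IP-MIB `ipAdEntIfIndex` objects and reports any host where two or more non-loopback interfaces are up and hold an IPv4 address. The host names, interface names and addresses in the sample walk output are constructed for the example; the actual poll (and whatever disables the switch port afterwards) is assumed to happen outside this script.

```python
"""Flag dual-homed hosts from SNMP ifTable/ipAddrTable data.

Added example, not part of the original thread. Parses snmpwalk-style
text for IF-MIB::ifDescr, IF-MIB::ifOperStatus and IP-MIB::ipAdEntIfIndex
and reports hosts with two or more non-loopback interfaces that are up
and carry an IPv4 address. SAMPLE_WALKS is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed snmpwalk output for two hypothetical hosts. Index 1 is the
# loopback, 2 the wired NIC, 3 a wireless adapter.
SAMPLE_WALKS = {
    "pc-0417": """
IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
IF-MIB::ifDescr.2 = STRING: Intel(R) PRO/100 VE Network Connection
IF-MIB::ifDescr.3 = STRING: Wireless-G Notebook Adapter
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.10.1.20.17 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.192.168.1.104 = INTEGER: 3
""",
    "pc-0102": """
IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
IF-MIB::ifDescr.2 = STRING: 3Com EtherLink XL
IF-MIB::ifDescr.3 = STRING: Wireless-G Notebook Adapter
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.10.1.20.2 = INTEGER: 2
""",
}

DESCR_RE = re.compile(r"ifDescr\.(\d+) = STRING: (.*)")
STATUS_RE = re.compile(r"ifOperStatus\.(\d+) = INTEGER: \w+\((\d+)\)")
ADDR_RE = re.compile(r"ipAdEntIfIndex\.(\d+\.\d+\.\d+\.\d+) = INTEGER: (\d+)")


def parse_walk(text):
    """Return {ifIndex: {"descr", "up", "addrs"}} from snmpwalk-style text."""
    ifaces = defaultdict(lambda: {"descr": "", "up": False, "addrs": []})
    for line in text.splitlines():
        if m := DESCR_RE.search(line):
            ifaces[int(m.group(1))]["descr"] = m.group(2).strip()
        elif m := STATUS_RE.search(line):
            # ifOperStatus up(1); anything else (down, testing, ...) is not active
            ifaces[int(m.group(1))]["up"] = m.group(2) == "1"
        elif m := ADDR_RE.search(line):
            # ipAdEntIfIndex maps an address back to the interface holding it
            ifaces[int(m.group(2))]["addrs"].append(m.group(1))
    return dict(ifaces)


def active_interfaces(ifaces):
    """(ifIndex, descr, addr) for interfaces that are up with a non-loopback IPv4."""
    return [
        (idx, d["descr"], a)
        for idx, d in sorted(ifaces.items())
        if d["up"]
        for a in d["addrs"]
        if not a.startswith("127.")
    ]


def find_dual_homed(walks, threshold=2):
    """Map host -> active interface list for hosts at or above the threshold."""
    violators = {}
    for host, text in walks.items():
        active = active_interfaces(parse_walk(text))
        if len(active) >= threshold:
            violators[host] = active
    return violators


if __name__ == "__main__":
    for host, active in find_dual_homed(SAMPLE_WALKS).items():
        print(f"{host}: {len(active)} active interfaces")
        for idx, descr, addr in active:
            print(f"  if{idx} {addr} {descr}")
```

Two caveats a practitioner would want: the check only sees what is up at poll time, so a wireless adapter that is associated for a minute between polls is missed, and a second address is not by itself a violation (a VPN virtual adapter or a second wired NIC looks the same), so anything that automatically disables a switch port should at least whitelist known interface descriptions before acting.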