Re: Secure workgroups!

From: Not-My-Real-Name (someone_at_micros0ft.com)
Date: 10/18/04


Date: Mon, 18 Oct 2004 16:54:32 -0300


"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:O0dZ4UUtEHA.3788@TK2MSFTNGP09.phx.gbl...
> After reading which, the review or the book?

The book of course.

>Have you actually tried hacking a wireless network?

I won't confirm or deny that, have you? ;-) With the way "most" people
set them up, it's probably not that hard.
Google wardriving; the stories are everywhere.

>
> You need several gigabytes of data before you can crack a good 128-bit WEP
> key. It's highly unlikely that a home or small office network will generate
> so much data in one month, thus my first-Monday-of-the-month suggestion for
> key change. It's got nothing to do with (perceived) value of information
> stored in the computers.
>
That was a good suggestion, but hardening the entry point is just one part of
it. How many laptops get stolen yearly?

You have mobile laptops involved here; most cracks tend to come from inside
jobs, so an obvious soft target for ingress is to compromise these laptops
directly. That is, once they are outside your network environment, then
allow access once they join the Wireless network. How many of these
laptops go home and get the Trojan du jour on them? So that's another point:
encrypt/virus-check your laptops! Your support folks will thank you.

> VPN is inappropriate for wireless security. In a wired network, the computer
> logs onto the domain and computer group policies apply. Then the user logs
> on and user policies apply. If you use VPN for wireless, you lose both of
> these. The computer never performs a domain logon, so you don't get computer
> policies, and when the user logs on, in most instances user policies don't
> apply either.
>

Never say never. Have you installed a modern VPN client lately?

Nortel's does exactly what you say can't be done and has done it for years.
The pinnacle of this is the Nortel 5.x client. It now provides a seamless
VPN/AD logon from bootup, even with dial-up.
Logon scripts run, access to shares, etc. Its logon screen starts before
the initial Microsoft logon screen. You still need to logon to the VPN
and the Domain.

Even Nortel's old client performed this from several years back. However, it
did so after the Microsoft logon to the laptop (it logs the user off after the
VPN session starts, which forces a "relogon"; the PC now sees the AD
controllers etc.).

> 802.1x with EAP (requires RADIUS) or PEAP (no RADIUS) is much better because
> the logon behavior and user experience is equivalent to a wired network.
> Computer and user policies apply just fine, and EAP changes the WEP key
> every 60 minutes (by default). And if your wireless hardware was
> manufactured after August 2003 then you can use WPA (with or without RADIUS)
> which is even better: WPA can use 256-bit AES (faster than RC4) and it
> assigns a new encryption key to every *frame*.
>

Now that's sounding a bit better than your average $50 Linksys.
He didn't say what Wireless gear he's running; it's a small workgroup, so my
guess is it's cheap gear without these features. You're assuming the above is
even implemented properly by the vendor. Anything can have bugs, of course.

Security in depth is just that: in-depth. Adding a VPN/Firewall
requirement in front of the Wireless isn't that big of a stretch if you have
data worth the effort.

I don't trust Wireless, it's going to take a bit more time in my mind before
it proves itself. It's fun at the house, but that's about it for me. If
you can run a wire to the desk, do so.

> Steve Riley
> steriley@microsoft.com
>
>
>
> "Not-My-Real-Name" <someone@micros0ft.com> wrote in message
> news:%23sRFtBStEHA.3872@TK2MSFTNGP15.phx.gbl...
> > Is node count an indication of the data importance on a network?
> > Can they afford to be hacked?
> >
> > These are the questions one needs to be asking if you're responsible for
> > protecting a small business (or any business).
> >
> > The price of a small ASIC based Firewall with VPN clients is sub $500
> > nowadays. Implementing what I'm suggesting isn't expensive.
> >
> > WEP is never good enough in my books. Speaking of books, after reading
> > this I'm double sure one should Firewall and VPN clients using wireless.
> > Better yet, WIRE them if they are in "range" of your wiring closet.
> >
> > http://wifinetnews.com/archives/003399.html
> >
> > "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> > news:uUxzq7xsEHA.624@TK2MSFTNGP09.phx.gbl...
> >> For a small organization like this, WEP is good enough. Configure a
> >> 128-bit key in the AP and in the clients. Change the key every month --
> >> put a reminder in your calendar to fire on the first Monday of each
> >> month (this is better than the first day of each month because sometimes
> >> that will be on a weekend).
> >>
> >> Steve Riley
> >> steriley@microsoft.com
> >>
> >> "Not-My-Real-Name" <someone@micros0ft.com> wrote in message
> >> news:OzAGBFrsEHA.2128@TK2MSFTNGP11.phx.gbl...
> >> > LOL. My level of paranoia is directly proportional to the sensitivity
> >> > of the data.
> >> > If this was a home/gaming network I wouldn't give a hoot.
> >> >
> >> > If this was my business, any wireless would have to be justified by
> >> > the fact that we couldn't run a cable to your desk. If we couldn't,
> >> > and were forced to use wireless, I'd Firewall/VPN it. Basically it's
> >> > the safe and responsible thing to do. I treat wireless like the
> >> > Internet and Firewall it.
> >> >
> >> > "Max Ashton" <maxashton@eml.cc> wrote in message
> >> > news:OhROs1psEHA.3412@TK2MSFTNGP14.phx.gbl...
> >> >> Wow!
> >> >>
> >> >> And I thought *I* was paranoid!
> >> >>
> >> >> Max
> >> >>
> >> >> Not-My-Real-Name wrote:
> >> >>
> >> >> > I'd go a step further and have the Wireless accesspoint Firewalled
> >> >> > from the LAN network as well, possibly using an encrypted VPN
> >> >> > client on the Wireless hosts.
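The thread above turns on a single mechanical point: WEP encrypts every frame under one static key plus a 24-bit IV sent in the clear, whereas 802.1x/EAP rotates the key and WPA derives a fresh key per frame. The following script is an added illustration for this thread, not code posted by any of the participants. It uses a toy keystream built from HMAC-SHA256 in counter mode as a stand-in for RC4 (an assumption; the property demonstrated holds for any stream cipher keyed by a (key, IV) pair) and models IVs as chosen at random per frame. It shows why two frames that share a (key, IV) pair leak the XOR of their plaintexts, why a per-frame key stops that even when the IV repeats, and how soon a 24-bit IV repeats under the birthday bound.

```python
"""Keystream reuse with a static key and a 24-bit IV versus per-frame keys.

Added illustration for this thread, not code from any of the posters. The
stream cipher is a toy keystream built from HMAC-SHA256 in counter mode,
an assumption standing in for RC4; the property shown holds for any stream
cipher keyed by (key, IV). IVs are modelled as random 24-bit values per frame.
"""
import hashlib
import hmac
import math
import random

IV_BITS = 24  # WEP carries a 24-bit IV in the clear with every frame


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: HMAC(key, iv || counter), repeated until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, iv)."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts. If both used the same (key, IV), the keystream
    cancels and the result equals p1 XOR p2: the plaintexts' relationship leaks."""
    return xor(c1, c2)


def per_frame_key(master: bytes, frame_counter: int) -> bytes:
    """Derive a fresh per-frame key from a master secret and a counter that never
    repeats within the master's lifetime (the WPA idea, heavily simplified)."""
    return hmac.new(master, b"frame-key" + frame_counter.to_bytes(6, "big"),
                    hashlib.sha256).digest()


def static_key_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames under the same static key and IV reveal p1 XOR p2."""
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    return ciphertext_xor(c1, c2) == xor(p1, p2)


def per_frame_key_leaks(master: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same check with a different key per frame, even though the IV repeats."""
    c1 = encrypt(per_frame_key(master, 1), iv, p1)
    c2 = encrypt(per_frame_key(master, 2), iv, p2)
    return ciphertext_xor(c1, c2) == xor(p1, p2)


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: expected number of frames before some random IV is reused."""
    space = 2 ** iv_bits
    return math.sqrt(math.pi * space / 2)


def simulate_frames_until_iv_repeat(seed: int = 1, iv_bits: int = IV_BITS) -> int:
    """Draw random IVs until one repeats; returns the frame number of the repeat."""
    rng = random.Random(seed)
    seen = set()
    frames = 0
    while True:
        frames += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return frames
        seen.add(iv)


if __name__ == "__main__":
    # Constructed sample inputs: a static key, one IV, two same-length frames.
    key = b"static-wep-key-0"
    iv = (0xABCDEF).to_bytes(3, "big")
    p1 = b"GET /payroll.xls HTTP/1.1"
    p2 = b"Subject: Q3 salary review"
    print("static key + repeated IV leaks p1^p2:", static_key_leaks(key, iv, p1, p2))
    print("per-frame key, same IV, leaks p1^p2:", per_frame_key_leaks(key, iv, p1, p2))
    print("expected frames before an IV repeat: %.0f" % expected_frames_until_iv_repeat())
    print("simulated frames before first repeat:", simulate_frames_until_iv_repeat())
```

Run it as-is to see the two contrasting results and the birthday-bound figure (a few thousand frames for a 24-bit IV space under the random-IV model). The defensive takeaway matches the thread's own conclusion: a static key with a small IV space is a keystream-reuse problem, and the fix is key rotation or, better, per-frame keys rather than a longer static key.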


