Re: Perhaps the most OBVIOUS question you will ever see.

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 01/29/05

  • Next message: Curious George: "Re: Perhaps the most OBVIOUS question you will ever see." 
    Date: Sat, 29 Jan 2005 10:21:40 +1100

    Patrick,

    I strongly disagree: according to Curious George, the wireless network
    provides full connectivity to the corporate network - that is, gives
    opportunity ti explore and attack.

    Regarding the passwords - too often weak authentication schemes are used for
    business applications, so sniffing is a problem. 

    -- 
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Patrick J. LoPresti" <patl@users.sourceforge.net> wrote in message
news:s5gk6px64d1.fsf@patl=users.sf.net...
> Here is a somewhat contrarian opinion.
>
> First of all, relax a little.  This is not that bad if you have the
> sort of internal access controls which you ought to have anyway.
>
> A wireless attacker cannot "sniff" anything except other wireless
> traffic.  Packets to and from machines on the wired network are not
> sent over the wireless, period.  In order to sniff most of your
> traffic, the attacker would need to compromise a machine on the
> internal network.  And even then, a switched network (like most are
> today) would make sniffing useless.
>
> And even the most basic Windows authentication mechanisms do not send
> passwords in the clear.
>
> A wireless attacker has the same access as an employee who has
> forgetten his password; no more, no less.  So he can probably browse
> the Internet, send objectionable mail originating from your network,
> try to guess passwords, seek out unpatched security flaws on internal
> systems, and so on.
>
> But if you are a serious network admin, you should already be
> preventing (or at least noticing) any of these.  By far the most
> widespread and expensive security compromises are inside jobs.  They
> do not make the newspapers because they are not "sexy" and companies
> do not like to publicize them.  But disgruntled or curious employees
> are the biggest threat you face, and if your network is secure against
> them, it will be secure against a wireless attacker.
>
> That said, it is certainly not considered best practice to have an
> unsecured wireless access point behind your firewall, because you
> might as well not have a firewall.  Which is actually how I would
> argue this to management: For anybody within range, your firewall does
> not exist.
>
> On the other hand, unsecured access points in a DMZ are not uncommon.
> Many companies find that the convenience of easy binding to the
> wireless network (especially for visitors) is worth the cost/risk of
> providing free Internet access to anyone nearby.
>
>  - Pat
>
>
> "Curious George" <curious@spampoop.com> writes:
>
> > Dear Colleagues:
> >
> > For the life of me I don't know why I have to ask this question since
the
> > answer is so obvious, however, I need to have others tell me that I am
not
> > completely insane.
> >
> > I work at a place where we have a myriad of wireless access points and
NO, I
> > am not writing from there at present.
> >
> > NONE of the wireless access points has any form of security on them
> > whatsoever.  No WEP, no CHAP. . . no nothing.  Everything is open so you
> > could walk into our joint, grab an IP address and surf the web to your
> > heart's content.
> >
> > Here is the problem.  My boss insists that its "no big deal" and that
since
> > the servers are on the inside and protected, we really don't have a
thing to
> > worry about.  Furthermore, my boss is under the impression that since we
are
> > situated in a wide area, that nobody would be able to get into our
network
> > because of this distance.  Needless to say, my boss does not consider
> > somebody sneaking into a parking lot with a laptop, a good network card
and
> > a directional bazooka antenna a possibility.
> >
> > So here is what I have to explain to my boss' boss and, perhaps, the
board
> > of directors. . . and here is where I can't help but laugh.  I hope that
I
> > will be able to keep a straight face come Monday when I have to explain
> > myself to people why its important.
> >
> > Okay, so I know the analogies.  For example, I understand that not
having a
> > secure wireless network with many Waps and high gain transmission
antennas
> > is the same as putting cables out to anybody within 'x' amount of yards
with
> > a sign that says "free internet access", but since I am going to be
asked
> > these obvious questions, just what type of damage could somebody do?
> >
> > Yeah, I know about denial of service attacks, yeah I also know about
> > enumeration and password guessing, but considering that we have an SQL
> > server on the inside of our network (no, the sa account password is not
> > null) what are we talking about.
> >
> > I can envision so many things.  Like somebody just sitting there
caputring
> > packets to get things like usernames, passwords and the like, but come
on. .
> > . what else could they do.
> >
> > I have read my boss the riot act many times, but this is now going to go
in
> > front of somebody over my boss' head, so, aside from giving them worst
case
> > scenarios, end of the world analogies, etc., how else could people break
in.
> >
> > Creative responses are appreciated and will be rewarded with much
praise.
> >
> > I can't believe that I have to actually explain this to people, and this
> > entire thing would last about two seconds when it comes to talking with
a
> > computer professional, but you see, my boss is under the impression that
> > they are a computer professional because they received a Master's degree
in
> > Comp Sci back in the 80's.  I know that this line of thinking is
dangerous,
> > but I really want some creative answers to put my point across strongly,
and
> > yet professionally.
> >
> > Although I realize that this post will likely be the *** of many jokes
> > (which I will appreciate immensely) I never the less would appreciate a
bit
> > of useful information in your responses.
> >
> > I am going to have a serious drink now, and then bang my head against
the
> > wall.
> >
> > Thanks in advance,
> >
> > CC
  • Next message: Curious George: "Re: Perhaps the most OBVIOUS question you will ever see."