Re: Perhaps the most OBVIOUS question you will ever see.
From: Patrick J. LoPresti (patl_at_users.sourceforge.net)
To: "Matt Gibson" <firstname.lastname@example.org> Date: 31 Jan 2005 11:19:37 -0500
You would be suprised what I have heard of.
ARP spoofing is just pretending you have an IP address which another
machine already has. If you do any kind of network monitoring at all,
you will notice very quickly when this happens. Machines tend to
complain loudly when they receive multiple replies to an ARP request.
Look, I am not saying it is a good idea to run an open wireless access
point inside your firewall. I am saying that there are other things I
would worry about first. Script kiddies like to stay at home close to
mommy, and most of them are overseas; very few are going to travel to
within range of your access point. Assuming you have a decent
Internet firewall in place, I would worry more about the threat from
your own employees than from random passers-by.
"Matt Gibson" <email@example.com> writes:
> You obviously have NEVER heard of ARP spoofing attacks.
> "Patrick J. LoPresti" <firstname.lastname@example.org> wrote in message
> > Here is a somewhat contrarian opinion.
> > First of all, relax a little. This is not that bad if you have the
> > sort of internal access controls which you ought to have anyway.
> > A wireless attacker cannot "sniff" anything except other wireless
> > traffic. Packets to and from machines on the wired network are not
> > sent over the wireless, period. In order to sniff most of your
> > traffic, the attacker would need to compromise a machine on the
> > internal network. And even then, a switched network (like most are
> > today) would make sniffing useless.
> > And even the most basic Windows authentication mechanisms do not send
> > passwords in the clear.
> > A wireless attacker has the same access as an employee who has
> > forgetten his password; no more, no less. So he can probably browse
> > the Internet, send objectionable mail originating from your network,
> > try to guess passwords, seek out unpatched security flaws on internal
> > systems, and so on.
> > But if you are a serious network admin, you should already be
> > preventing (or at least noticing) any of these. By far the most
> > widespread and expensive security compromises are inside jobs. They
> > do not make the newspapers because they are not "sexy" and companies
> > do not like to publicize them. But disgruntled or curious employees
> > are the biggest threat you face, and if your network is secure against
> > them, it will be secure against a wireless attacker.
> > That said, it is certainly not considered best practice to have an
> > unsecured wireless access point behind your firewall, because you
> > might as well not have a firewall. Which is actually how I would
> > argue this to management: For anybody within range, your firewall does
> > not exist.
> > On the other hand, unsecured access points in a DMZ are not uncommon.
> > Many companies find that the convenience of easy binding to the
> > wireless network (especially for visitors) is worth the cost/risk of
> > providing free Internet access to anyone nearby.
> > - Pat