Penetration Testing mailing list archives
RE: Wireless Pent-Test
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Tue, 7 Oct 2003 10:44:28 -0400
<snip>
Cool, lots of xtras to deal with as regards maintaining and managing the setup. As long as your IT group and corporation are willing to take those steps, more power to all of you. Of course, it's pretty impractical still and a onetime looksee is not going to make sure it's happening all the time.
Agreed. Security is never fire and forget. It should always be cyclic. <snip>
Security that does not address the real points of risk and attack is useless though. Thus my rant that VPN's are not a cure-all, and seldom address such, though I've seen VPN's tossed about nilly and frilly to anyone, regardless of if there's a real requirement or not for such. And far too often those implementing such solutions are not gaining anything of real value for the efforts. Point of my whole posting<s> on the topic.
Again I agree. We also see VPNs deployed when there may not be legitimate need. But this points back to the whole productivity/security balance. Essentially, any VPN connected device should be treated just as a LAN connected device with a cat 5 cable. Most of us have firewalls in place to protect our LANs, most of us use AV protection, most of us perform security audits (vuln analysis etc...) and I think my point would be, once a user connects from home, the corporate security policies, and all of the security management work that goes into protecting a LAN, now has to be done at the user's end as well. Hence, this brings forth the extension of the organizational security policy to the home as a pre-requisite to VPN connection. Just saying that doesn't accomplish much. There's real work to be done on behalf of the security staff to assure this. <snip>
Automate all you wish, but, unless you own the PC enough to *not* provide the user with admin access rights, you'll likely find the auto updates are disabled a short time later, if not by the user you are responsible for, then by their kids <smile>.
Could happen. Has happened. At which point it becomes a documented exposure, and said user is sanctioned appropriately. Back to the security being cyclic, and no such thing as fire and forget etc.... A corporate user could just as easily turn off their desktop AV protection because "it slows my computer down, wah." That happens too. Diligence is work, but we have to stay on top of these things.
But, to actually mitigate risk, there's more to a VPN'ed setup than anti-viri/trojan guards, how do you safely offer your users http access, without a strong proxy? Thanks,
Proxy is one way. Making the VPN connection's default route come through the organization's HTTP security mechanisms is a good general practice. Same would apply for SMTP, POP3, etc... One of the biggest dangers here, and most difficult to mitigate is what happens on the end user's machine when they're *not* connected to and through the VPN. This provides cause to place VPN concentrators in a DMZ type environment when resources permit. I don't think we ever recommend configuring VPN users as "trusted" network connections. A customer may go against our advice after considering productivity gain versus cost.
To anyone following this thread, please understand that this is a really good point we're bantering about here. I'm personally aware of cases where organizational core networks have been compromised by VPN connected users. I haven't stumbled across a case where a war-driver cruising the neighborhood happened to find himself connected with full access to a corporate network via VPN, but I'm certain it will happen in time. Most of the time, the war-drivers find themselves in the heart of an organization's network as soon as they connect up with the WAP. There are a lot of poorly configured/deployed wireless solutions out there. But this isn't news to anyone. <snip>