RE: WiFi security implications

["David J. Jackson" <djackson () netdmz com>]

Hi.  Great question.  Their issue is probably not as much related to VPN being secure or not secure.  It's more than 
likely a problem with your laptop accessing a publicly available wireless access point to get to them.  If I'm also 
sitting on that access point and launch an exploit or backdoor, etc. on your laptop, I now have control too.  Now, you 
connect to your VPN and access the company's internal LAN, guess what...I have access now too.  Even worse, it's a 
security policy nightmare.  Consider the following that they may or may not have been thinking:
 
1.  Do they have an existing Security Policy that demands virus updates be done on a regular basis?
2.  Does is cover updates to software not only for the operating system, but for additional software installed?
3.  Does it protect the interest of the rest of the computers and servers in their company?
4.  Do they prevent users from installing "Non-Supported" software and hardware that may interfere with your network?
5.  Can users "Hook up" their personal laptop to other networks besides the company's where they can be infected, etc.?
 
These are just some of the issues that come to mind.  Think about this....they allow you to connect.  You go home or to 
the publicly available access point, and you get infected with some new worm virus, like the more recent Blaster Worm.  
Your company hasn't been infected from the outside because they have firewalls, virus updates, etc.You now connect into 
your network and have just infected your entire network from the inside out.  Most people look at security from an 
outside in approach only.
 
Good Luck!
 

        -----Original Message----- 
        From: Tres London [mailto:telconstar99 () wblondon com] 
        Sent: Wed 12/3/2003 6:28 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: WiFi security implications
        
        

        Hello List, 1st time poster here :) 

        If I work for a financial firm, have a laptop with wireless access and 
        am at a publicly available wireless access point, and want access to my 
        network via VPN, what are the security implications? 

        My company currently allows people from home to VPN into the network at 
        work, but IT is nervous about allowing it over a wireless connection 
        because of security implications. 

        My point is that VPN should be secure enough on it's own, even if people 
        access my information, it's still encrypted with IPSec (or something 
        like that). 

        Thoughts? 

        Thanks, 

        -Tres London 


        --------------------------------------------------------------------------- 
        ----------------------------------------------------------------------------