Re: WiFi security implications

["Tres London" <telconstar99 () wblondon com>]

Hello,

Thanks for the advice. 

Now, if their current policy allows me to connect via VPN from my home
network and it also allows for me to access a publicly available
wireless network just so long as I don't connect via VPN.

If their policies allow this, then doesn't that mean that IT's concern
is not about me getting a trojan installed on my laptop (since they
allow me to connect to a publicly accessible wireless network and thus
already choose to allow me to be exposed to anybody that cares to use an
exploit on my laptop) and doesn't it also mean that they are ok with me
accessing the company network (via VPN) from an untrusted network (my
house)?

If these things are ok, it would seem that connecting via VPN over a
publicly accessible wireless network would cause no additional risk. Am
I incorrect in this assumption?

-Tres London

-----Original Message-----
From: David J. Jackson [mailto:djackson () netdmz com] 
Sent: Thursday, December 04, 2003 5:37 PM
To: Tres London; security-basics () securityfocus com
Subject: RE: WiFi security implications

Hi.  Great question.  Their issue is probably not as much related to VPN
being secure or not secure.  It's more than likely a problem with your
laptop accessing a publicly available wireless access point to get to
them.  If I'm also sitting on that access point and launch an exploit or
backdoor, etc. on your laptop, I now have control too.  Now, you connect
to your VPN and access the company's internal LAN, guess what...I have
access now too.  Even worse, it's a security policy nightmare.  Consider
the following that they may or may not have been thinking:
 
1.  Do they have an existing Security Policy that demands virus updates
be done on a regular basis?
2.  Does is cover updates to software not only for the operating system,
but for additional software installed?
3.  Does it protect the interest of the rest of the computers and
servers in their company?
4.  Do they prevent users from installing "Non-Supported" software and
hardware that may interfere with your network?
5.  Can users "Hook up" their personal laptop to other networks besides
the company's where they can be infected, etc.?
 
These are just some of the issues that come to mind.  Think about
this....they allow you to connect.  You go home or to the publicly
available access point, and you get infected with some new worm virus,
like the more recent Blaster Worm.  Your company hasn't been infected
from the outside because they have firewalls, virus updates, etc.You now
connect into your network and have just infected your entire network
from the inside out.  Most people look at security from an outside in
approach only.
 
Good Luck!
 

        -----Original Message----- 
        From: Tres London [mailto:telconstar99 () wblondon com] 
        Sent: Wed 12/3/2003 6:28 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: WiFi security implications
        
        

        Hello List, 1st time poster here :) 

        If I work for a financial firm, have a laptop with wireless
access and 
        am at a publicly available wireless access point, and want
access to my 
        network via VPN, what are the security implications? 

        My company currently allows people from home to VPN into the
network at 
        work, but IT is nervous about allowing it over a wireless
connection 
        because of security implications. 

        My point is that VPN should be secure enough on it's own, even
if people 
        access my information, it's still encrypted with IPSec (or
something 
        like that). 

        Thoughts? 

        Thanks, 

        -Tres London 


        
------------------------------------------------------------------------
--- 
        
------------------------------------------------------------------------
---- 



---------------------------------------------------------------------------
----------------------------------------------------------------------------