Security Basics mailing list archives

Re: Wireless security question...


From: Fred Cohen <fred.cohen () all net>
Date: Fri, 28 Oct 2005 15:06:14 -0700


On Oct 27, 2005, at 4:11 PM, Marty wrote:

> Hi,
>
> We're having an in-house discussion regarding the risk
> related to wireless security.
>
> The mobile users would like to be able to use the wireless
> technology within their laptops to access the office while
> they are away. Right now we don't allow wireless access
> points.
>
> The questions we have are:
>
> 1- Can a wireless router (installed in their home-office) be
> hacked into

Yes. If...

> AND can this hacker take control of the wireless
> laptop.

Yes. If...

> If so I would need some detail on how we can prevent
> that (besides WEP). Let's assume for the sake of discussion
> that there is no WEP encryption on the router.

Without encryption wireless provides no integrity, confidentiality, accountability, use control, or availability. But on the other hand, why is this any different from going to Starbucks and logging in?

> 2- How easy is it to access the laptop once you're into the
> router? Is it child's play or do we need a specialist?

Again, it is not the right question to ask. The question is how you protect the computer at Starbucks. If you protect the computer that way and then treat the computer and AP as if they were at a Starbucks, you will have the same protection from here as there.

> 3- If the laptop's wireless router is secured with WEP and
> connected to the office via VPN can it be EASILY hacked
> into? The VPN connection gives them little access to the
> network, barely what they need to work. Will the intruder
> have access to our network?

Yes. If...

It is the same basic issue as before. If the PC cannot defend itself you should not be letting it roam. If the network cannot be protected it should not be connected. If they can, they are as safe at home as at Starbucks.

> 4- How secure is my sales rep. running around hotels with
> his laptop?

My point exactly.

> We are trying to assess the risk...should we, should we not
> allow wireless for the mobile workforce.

Wireless or wired - when they are away you cannot protect the intervening infrastructure - so you need to protect the endpoint, the communications, and the places they go on the other side. This is a simplification of course, but you get the idea.

> Thanks!
>
> Marty




-- This communication is confidential to the parties it is intended to serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
Security Management Partners    policygeeks.com    Livermore, CA 94550

