Security Basics mailing list archives
Re: Wireless security question...
From: Fred Cohen <fred.cohen () all net>
Date: Fri, 28 Oct 2005 15:06:14 -0700
On Oct 27, 2005, at 4:11 PM, Marty wrote:
Hi, We're having an in-house discussion regarding the risk related to wireless security. The mobile users would like to be able to use the wireless technology within their laptops to access the office while they are away. Right now we don't allow wireless access points. The questions we have are: 1- Can a wireless router (installed in their home-office) be hacked into
Yes. If...
AND can this hacker take control of the wireless laptop.
Yes. If...
If so I would need some detail on how we can prevent that (besides WEP). Let's assume for the sake of discussion that there is no WEP encryption on the router.
Without encryption wireless provides no integrity, confidentiality, accountability, use control, or availability. But on the other hand, why is this any different from going to Starbucks and logging in?
2- How easy is it to access the laptop once you're into the router? Is it child splay or do we need a specialist?
Again, it is not the right question to ask. The question is how you protect the computer at STarbucks. IF you protect the computer that way and then treat the computer and AP as if they were at a Starbucks, you will have the same protection from here as there.
3- If the laptop's wireless router is secured with WEP and connected to the office via VPN can it be EASILY hacked into? The VPN connection gives them little access to the network, barely what they need to work. Will the intruder have access to our network?
Yes. If...It is the same basic issue as before. If the PC cannot defend itself you should not be letting it roam. If the network cannot be protected it should not be connected. If they can, they are as safe at home as at Starbucks.
4- How secure is my sales rep. running around hotels with his laptop?
My point exactly.
We are trying to assess the risk...should we, should we not allow wireless for the mobile workforce.
Wireless or wired - when they are away you cannot protect the intervening infrastructure - so you need to protect the endpoint, the communications, and the places they go on the other side. This is a simplification of course, but you get the idea.
Thanks! Marty
-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com tel/fax University of New Haven unhca.com 925-454-0171 Fred Cohen & Associates all.net 572 Leona Drive Security Management Partners policygeeks.com Livermore, CA 94550
Current thread:
- Wireless security question... Marty (Oct 28)
- RE: Wireless security question... David Gillett (Oct 31)
- Re: Wireless security question... phunked up! (Oct 31)
- Re: Wireless security question... Fred Cohen (Oct 31)
- Re: Wireless security question... Kenton Smith (Oct 31)
- <Possible follow-ups>
- Re: Wireless security question... groffg (Oct 31)
- Re: Wireless security question... me (Oct 31)
- RE: Wireless security question... Hagen, Eric (Oct 31)