Dailydave mailing list archives

RE: Slashback!


From: "Taylor, Gord" <gord.taylor () rbc com>
Date: Mon, 16 Jan 2006 12:53:38 -0500

 
The ones I've looked at give multiple options, but mostly it's a
pingable network device or subnet (or both). Some tie directly into the
VPN software to determine network. There's other criteria as well, but
I'd have to look it up and it's typically available in the vendor
glossies.

Most of the corporate PFWs allow multiple configs based on whatever
criteria above (not sure if the home versions are true). So, we have 3
configs: Remote, Local (internal network attached), and VPN, so we apply
very strict controls to Remote, very few rules on Local, and a very few
for VPN since this can also be controlled on the VPN itself. I think
this is a good scenario without a "static" trusted/untrusted design à la
MS IE.

For "Remote" mode, we only allow communications to our public VPN
address using our VPN software (it can block communications based on
executable name/checksum), and a couple other OUTBOUND ONLY odds and
ends such as DHCP & DNS. So, realistically, the only time it switches is
when connected internally to our network, or once the VPN connection is
established. 

Works well except for the mentioned unexpected connects to an open
wireless connection - then it automatically reverts back to "Remote"
mode since it has something other than one of our internal subnet
address ranges.


-----Original Message-----
From: Dino A. Dai Zovi [mailto:ddz () theta44 org] 
Sent: 2006, January, 16 12:34 PM
To: Taylor, Gord
Cc: Dave Aitel; dailydave () lists immunitysec com
Subject: Re: [Dailydave] Slashback!

I ran into exactly this same scenario - a good personal firewall helps
since the laptop must be joined to a "friendly" network to have a
"friendly" policy applied. But this causes the occasional denial of
service if you're working wired and your wireless adapter joins the
"unfriendly" network since the policy switches from "friendly" to
"unfriendly" mode midway through a session. Not a big deal for me, but
I'm sure it stumps users all the time.


Hello Gord,

Do you know how the firewall identifies a "friendly" network?  Does the
firewall tap into the wireless layer in Windows to get out the SSID and
base station MAC address, or does it just verify the subnet?  I don't
actually "use" any of my windows boxes, so I have never used this kind
of stuff :).

For example, Windows has something called "Network Location Awareness"
that applications can use to identify the network they are actually on.
However, it just identifies the network by DNS domain name, and if there
is none, by subnet.  Obviously, by this criteria, all 'linksys' base
stations are the same network.

I would hope that in future versions of Windows, NLA factors in the MAC
address of the base station to uniquely identify "trusted"
networks and more applications make use of NLA so they don't send
sensitive info or mitm/client-side-exploitable requests over untrusted
networks.

MacOS X is pretty bad about this too.  I'd love to be able to classify
the trust level of the wireless networks I join.  E.g. when it asks "Add
this network to your trusted networks?", I have a drop down to qualify
how much I trust it.  If I don't trust it very much, my laptop won't do
Bonjour/Rendezvous stuff over it, etc.  However, at least I get to join
a network and tell the OS that this is a one-off, and it won't try
and automatically join it in the future.

Cheers,

-Dino

_______________________________________________________________________

This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations.
Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is 
unauthorized.
If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.  

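The scheme the two messages above describe (a personal firewall picking a Remote/Local/VPN policy from what the host's interfaces are attached to, NLA identifying a network by DNS domain and otherwise by subnet, and the wired-plus-open-wireless case that flips the policy mid-session) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from either poster, from Windows NLA, or from any firewall vendor. The internal subnet, SSIDs and base-station MAC addresses are constructed sample values, and the rule that a remembered access point is keyed on SSID plus BSSID rather than SSID alone is the design choice Dino asks for, not something either product is stated to do.

```python
"""
Network-location-aware firewall policy selection (added example, not the
list posters' code or any vendor's). Three policies follow the thread:
Remote (strict), Local (internal network attached) and VPN (tunnel up).
All subnets, SSIDs and MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    address: str                 # local address with prefix, e.g. "10.20.30.5/24"
    dns_domain: str = ""         # DHCP-supplied DNS suffix, "" if none
    ssid: Optional[str] = None   # wireless only
    bssid: Optional[str] = None  # base-station MAC, wireless only
    vpn_tunnel: bool = False     # interface belongs to the corporate VPN client


def nla_identity(iface: Interface) -> str:
    """Identify a network the way the thread describes NLA doing it:
    by DNS domain name if there is one, otherwise by subnet. Two home
    routers with the default subnet and no domain get the same key."""
    if iface.dns_domain:
        return "domain:" + iface.dns_domain.lower()
    return "subnet:" + str(ip_network(iface.address, strict=False))


def bssid_identity(iface: Interface) -> str:
    """Fold SSID and base-station MAC into the key so that two access
    points advertising the same SSID stay distinct (wired falls back
    to the NLA-style key)."""
    if iface.ssid is None or iface.bssid is None:
        return nla_identity(iface)
    return f"wlan:{iface.ssid}/{iface.bssid.lower()}"


class LocationPolicy:
    def __init__(self, internal_subnets: Iterable[str],
                 trusted_networks: Iterable[str]) -> None:
        self.internal_subnets = [ip_network(s) for s in internal_subnets]
        # Remembered wireless networks, stored as bssid_identity() keys.
        self.trusted_networks = set(trusted_networks)

    def classify(self, iface: Interface) -> str:
        """Policy a single interface earns on its own."""
        if iface.vpn_tunnel:
            return "VPN"
        addr = ip_address(iface.address.split("/")[0])
        if any(addr in net for net in self.internal_subnets):
            return "Local"
        # Design choice for this example: a remembered home AP is treated
        # like the office LAN. A stricter deployment would give it its own,
        # tighter tier between Remote and Local.
        if bssid_identity(iface) in self.trusted_networks:
            return "Local"
        return "Remote"

    def select(self, interfaces: Iterable[Interface]) -> str:
        """Policy for the whole host. An established VPN tunnel wins,
        since the VPN concentrator enforces its own rules; otherwise
        every interface must be on a known network or the host drops
        back to Remote. That last rule is what causes the mid-session
        flip when a wireless adapter joins an open network on its own."""
        ifaces = list(interfaces)
        if not ifaces:
            return "Remote"
        if any(i.vpn_tunnel for i in ifaces):
            return "VPN"
        modes = {self.classify(i) for i in ifaces}
        return "Local" if modes == {"Local"} else "Remote"


# Constructed sample host: one internal /16 and one remembered home AP.
POLICY = LocationPolicy(internal_subnets=["10.20.0.0/16"],
                        trusted_networks=["wlan:linksys/00:11:22:33:44:55"])
WIRED = Interface("eth0", "10.20.30.5/24", dns_domain="corp.example")
HOME = Interface("wlan0", "192.168.1.10/24", ssid="linksys",
                 bssid="00:11:22:33:44:55")
# Same SSID and same default subnet, but a different base station.
OTHER_AP = Interface("wlan0", "192.168.1.10/24", ssid="linksys",
                     bssid="66:77:88:99:aa:bb")
TUNNEL = Interface("tun0", "10.20.200.7/24", vpn_tunnel=True)


def demo() -> dict:
    """Return the policy chosen for each scenario on the thread."""
    return {
        "office wired": POLICY.select([WIRED]),
        "home wifi": POLICY.select([HOME]),
        "other linksys": POLICY.select([OTHER_AP]),
        "wired + open wifi": POLICY.select([WIRED, OTHER_AP]),
        "open wifi + vpn": POLICY.select([OTHER_AP, TUNNEL]),
        "same under NLA key": nla_identity(HOME) == nla_identity(OTHER_AP),
        "same under BSSID key": bssid_identity(HOME) == bssid_identity(OTHER_AP),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:22} -> {result}")
```

The two boolean entries at the end are the point of Dino's 'linksys' remark: under a domain-or-subnet key the two access points are the same network, so a trust decision made for one silently carries over to the other, while a key that includes the base-station MAC keeps them apart. The "wired + open wifi" entry reproduces the policy flip Dino describes; a deployment that wanted to avoid the denial of service would have to decide per interface rather than per host, which is a larger change than this example makes.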
