Dailydave mailing list archives
RE: Slashback!
From: "Taylor, Gord" <gord.taylor () rbc com>
Date: Mon, 16 Jan 2006 12:53:38 -0500
The ones I've looked at give multiple options, but mostly it's a pingable network device or subnet (or both). Some tie directly into the VPN software to determine network. There's other criteria as well, but I'd have to look it up and it's typically available in the vendor glossies. Most of the corporate PFWs allow multiple configs based on whatever criteria above (not sure if this is true of the home versions).

So, we have 3 configs: Remote, Local (internal network attached), and VPN, so we apply very strict controls to Remote, very few rules on Local, and a very few for VPN since this can also be controlled on the VPN itself. I think this is a good scenario without a "static" trusted/untrusted design a la MS IE.

For "Remote" mode, we only allow communications to our public VPN address using our VPN software (it can block communications based on executable name/checksum), and a couple other OUTBOUND ONLY odds and ends such as DHCP & DNS. So, realistically, the only time it switches is when connected internally to our network, or once the VPN connection is established. Works well except for the previously mentioned unexpected connections to an open wireless network - then it automatically reverts back to "Remote" mode since it has something other than one of our internal subnet address ranges.

-----Original Message-----
From: Dino A. Dai Zovi [mailto:ddz () theta44 org]
Sent: 2006, January, 16 12:34 PM
To: Taylor, Gord
Cc: Dave Aitel; dailydave () lists immunitysec com
Subject: Re: [Dailydave] Slashback!
> I ran into exactly this same scenario - a good personal firewall helps since the laptop must be joined to a "friendly" network to have a "friendly" policy applied. But this causes the occasional denial of service if you're working wired and your wireless adapter joins the "unfriendly" network, since the policy switches from "friendly" to "unfriendly" mode midway through a session. Not a big deal for me, but I'm sure it stumps users all the time.
Hello Gord,

Do you know how the firewall identifies a "friendly" network? Does the firewall tap into the wireless layer in Windows to get out the SSID and base station MAC address, or does it just verify the subnet? I don't actually "use" any of my Windows boxes, so I have never used this kind of stuff :).

For example, Windows has something called "Network Location Awareness" that applications can use to identify the network they are actually on. However, it just identifies the network by DNS domain name, and if there is none, by subnet. Obviously, by this criteria, all 'linksys' base stations are the same network. I would hope that in future versions of Windows, NLA factors in the MAC address of the base station to uniquely identify "trusted" networks, and more applications make use of NLA so they don't send sensitive info or mitm/client-side-exploitable requests over untrusted networks.

MacOS X is pretty bad about this too. I'd love to be able to classify the trust level of the wireless networks I join. E.g. when it asks "Add this network to your trusted networks?", I have a drop down to qualify how much I trust it. If I don't trust it very much, my laptop won't do Bonjour/Rendezvous stuff over it, etc. However, at least I get to join a network and tell the OS that this is a one-off, and it won't try and automatically join it in the future.

Cheers,
-Dino
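The exchange above contrasts two ways a location-aware host firewall can decide which profile to apply: matching only the subnet (or DNS domain, as Windows NLA does), under which every "linksys" 192.168.1.0/24 looks like the same network, versus also pinning the gateway MAC and, on wireless, the access point's BSSID. The following Python is an added example written for this page; it is not code from the thread, from any vendor's personal firewall, or from Windows NLA. The trusted-network table, the subnets, MACs and SSIDs, the public VPN address 203.0.113.10 and the VPN client executable name are all constructed for the example. It also models Gord's "Remote" rule set (outbound only: the VPN client to the VPN address, plus DHCP and DNS) as a rule function.

```python
# Added example: location-aware firewall profile selection (not from the thread).
# Models subnet-only matching (NLA-style) versus subnet + gateway MAC + BSSID,
# plus the outbound-only "Remote" rule set described in the discussion.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Observation:
    """What the host can see about the link it just attached to."""
    local_ip: str
    gateway_mac: str                  # MAC learned via ARP for the default gateway
    ssid: Optional[str] = None        # None on a wired link
    bssid: Optional[str] = None       # access point MAC; None on a wired link
    dns_domain: Optional[str] = None  # DHCP option 15 / domain suffix, if any
    vpn_connected: bool = False       # reported by the VPN client


@dataclass(frozen=True)
class TrustedNetwork:
    name: str
    profile: str                      # firewall profile to apply when matched
    subnets: Tuple[str, ...]
    gateway_macs: Tuple[str, ...] = ()  # empty = no MAC pinning (weak)
    bssids: Tuple[str, ...] = ()        # empty = wired, or no AP pinning
    dns_domain: Optional[str] = None


# Constructed table for the example; real values would come from policy.
TRUSTED = (
    TrustedNetwork("corp-lan", "Local", ("10.0.0.0/8",),
                   gateway_macs=("00:11:22:33:44:55",), dns_domain="corp.example"),
    TrustedNetwork("home-wifi", "Home", ("192.168.1.0/24",),
                   gateway_macs=("aa:bb:cc:dd:ee:01",), bssids=("aa:bb:cc:dd:ee:01",)),
)


def classify(obs: Observation, trusted=TRUSTED, strict: bool = True) -> str:
    """Return the firewall profile name for this observation.

    strict=False matches on subnet and DNS domain only, so any 'linksys'
    192.168.1.0/24 is indistinguishable from the home one.  strict=True also
    requires the gateway MAC and, where the table pins one, the BSSID.
    Anything unrecognised falls back to 'Remote', the most restrictive
    profile, which is the fail-closed behaviour Gord describes.
    Note: MACs and BSSIDs are spoofable, so this raises the bar for a casual
    evil twin but is no substitute for authenticating the network (VPN/802.1X).
    """
    if obs.vpn_connected:
        return "VPN"
    addr = ip_address(obs.local_ip)
    for net in trusted:
        if not any(addr in ip_network(s) for s in net.subnets):
            continue
        if net.dns_domain and obs.dns_domain != net.dns_domain:
            continue
        if strict:
            if net.gateway_macs and norm_mac(obs.gateway_mac) not in map(norm_mac, net.gateway_macs):
                continue
            if net.bssids and (obs.bssid is None or norm_mac(obs.bssid) not in map(norm_mac, net.bssids)):
                continue
        return net.profile
    return "Remote"


VPN_GATEWAY = "203.0.113.10"   # constructed public VPN address
VPN_EXE = "vpnclient.exe"      # constructed name of the VPN client binary


def remote_allows(direction: str, proto: str, dst_ip: str, dst_port: int, exe: str) -> bool:
    """'Remote' profile: outbound only; the VPN client to the VPN address,
    plus DHCP (udp/67) and DNS (53).  Everything else, inbound included, is
    dropped.  A real PFW would also check the executable's checksum, since
    a name alone is trivially impersonated."""
    if direction != "out":
        return False
    if exe == VPN_EXE and dst_ip == VPN_GATEWAY:
        return True
    if proto == "udp" and dst_port == 67:
        return True
    if proto in ("udp", "tcp") and dst_port == 53:
        return True
    return False
```

Run `classify` with `strict=False` on a coffee-shop "linksys" network in 192.168.1.0/24 and it returns the home profile; with `strict=True` the unknown BSSID sends it to "Remote", which is the distinction Dino is asking the firewall to make.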