Security Basics mailing list archives
Re: WiFi security implications
From: "Tres London" <telconstar99 () wblondon com>
Date: Fri, 5 Dec 2003 01:49:58 -0600
Hello, Thanks for the advice. Now, if their current policy allows me to connect via VPN from my home network and it also allows for me to access a publicly available wireless network just so long as I don't connect via VPN. If their policies allow this, then doesn't that mean that IT's concern is not about me getting a trojan installed on my laptop (since they allow me to connect to a publicly accessible wireless network and thus already choose to allow me to be exposed to anybody that cares to use an exploit on my laptop) and doesn't it also mean that they are ok with me accessing the company network (via VPN) from an untrusted network (my house)? If these things are ok, it would seem that connecting via VPN over a publicly accessible wireless network would cause no additional risk. Am I incorrect in this assumption? -Tres London -----Original Message----- From: David J. Jackson [mailto:djackson () netdmz com] Sent: Thursday, December 04, 2003 5:37 PM To: Tres London; security-basics () securityfocus com Subject: RE: WiFi security implications Hi. Great question. Their issue is probably not as much related to VPN being secure or not secure. It's more than likely a problem with your laptop accessing a publicly available wireless access point to get to them. If I'm also sitting on that access point and launch an exploit or backdoor, etc. on your laptop, I now have control too. Now, you connect to your VPN and access the company's internal LAN, guess what...I have access now too. Even worse, it's a security policy nightmare. Consider the following that they may or may not have been thinking: 1. Do they have an existing Security Policy that demands virus updates be done on a regular basis? 2. Does is cover updates to software not only for the operating system, but for additional software installed? 3. Does it protect the interest of the rest of the computers and servers in their company? 4. Do they prevent users from installing "Non-Supported" software and hardware that may interfere with your network? 5. Can users "Hook up" their personal laptop to other networks besides the company's where they can be infected, etc.? These are just some of the issues that come to mind. Think about this....they allow you to connect. You go home or to the publicly available access point, and you get infected with some new worm virus, like the more recent Blaster Worm. Your company hasn't been infected from the outside because they have firewalls, virus updates, etc.You now connect into your network and have just infected your entire network from the inside out. Most people look at security from an outside in approach only. Good Luck! -----Original Message----- From: Tres London [mailto:telconstar99 () wblondon com] Sent: Wed 12/3/2003 6:28 PM To: security-basics () securityfocus com Cc: Subject: WiFi security implications Hello List, 1st time poster here :) If I work for a financial firm, have a laptop with wireless access and am at a publicly available wireless access point, and want access to my network via VPN, what are the security implications? My company currently allows people from home to VPN into the network at work, but IT is nervous about allowing it over a wireless connection because of security implications. My point is that VPN should be secure enough on it's own, even if people access my information, it's still encrypted with IPSec (or something like that). Thoughts? Thanks, -Tres London ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- WiFi security implications Tres London (Dec 04)
- RE: WiFi security implications Rusty Chiles (Dec 04)
- Re: WiFi security implications Paul Kurczaba (Dec 04)
- Re: WiFi security implications Moshe Ashkenazi (Dec 05)
- RE: WiFi security implications Tres London (Dec 05)
- Re: WiFi security implications Moshe Ashkenazi (Dec 05)
- RE: WiFi security implications David Gillett (Dec 05)
- <Possible follow-ups>
- RE: WiFi security implications David J. Jackson (Dec 04)
- Re: WiFi security implications Tres London (Dec 05)
- RE: WiFi security implications Tres London (Dec 05)
- RE: WiFi security implications Tres London (Dec 05)
- RE: WiFi security implications Tres London (Dec 05)
- RE: WiFi security implications James Tusini (Dec 15)
- Re: WiFi security implications Ronish Mehta (Dec 08)
- RE: WiFi security implications Security Newsletters-TM (Dec 08)
- RE: WiFi security implications Oliver Rebollido (Dec 09)
- RE: WiFi security implications dave kleiman (Dec 10)
- RE: WiFi security implications Steven A. Fletcher (Dec 09)