Security Basics mailing list archives
RE: Multihome based network attacks
From: "Verma, Neeraj K" <Neeraj_K_Verma () Keane com>
Date: Fri, 25 Aug 2006 22:43:31 +0530
Hello, What is possible solution --- to disable the wireless option of Laptops users, which can be enforced using technical approach. i.e. the moment laptop user log-on into Enterprise wired LAN / Windows Active Directory Domain; the wireless card get disabled automatically. I believe we can achieve this using either -- logon scrips or -- AD Group Policies. Pl. advice. Thanks, - Neeraj -----Original Message----- From: krymson () gmail com [mailto:krymson () gmail com] Sent: Thursday, August 24, 2006 8:24 PM To: security-basics () securityfocus com Subject: Re: Multihome based network attacks I'll answer your questions in reverse order. I will state that I might mispeak or have inaccuracies here, so I implore you to search google for your terms, or maybe other listusers will speak up and correct me. Yes, strong host models are not susceptible to multihomed attacks. Weak host models are susceptible. First of all, a multihome situation involves a computer having two or more NICs and having separate network configurations on each one. An easy example would be using the wireless NIC in a laptop while it is also plugged into a wired network. This would put the laptop on two networks and "multihome" it. A weak host model will accept packets from either of those networks and give it to the appropriate NIC that is on that network. For instance, if you are running a web server that is only listening on the wired network, but someone happens to send a packet to that web server over the wireless network using the wired NICs IP address, the OS will go ahead and move it over to the wired NICs stack. An OS like Windows XP likes to have usability over security, and implements a weak host model. Vista will be using a strong host model. Now, what about attacks? Well, attacks like this I wouldn't expect to find all that often, but there is some mischief I imagine you could do, especially if you have some knowledge of your target's two networks. 1) You can launch exploit attacks against services on either network, provided you are on one of the networks and know the IP addressing of the other network. In the example above, I could craft an exploit packet against your web server to penetrate it from the wireless network. The bad part, is that I won't get a response because the web server will attempt to communicate replies out to the other network. But if I could get a local admin account created, I can get into the system through the wireless network, then. 2) You can flood spoofed packets from the wireless network into the system, which may generate responses and traffic on the wired network. Again, though, you need to know the wired IP network addressing. I wouldn't consider such attacks terribly lucrative, because it requires some insider knowledge or good guessing on what is running on a system and the other networks the system is present on. To protect yourself, you should try to keep all end-users systems, particularly laptops, using only one network at a time. Don't let users both plug into the wired network while also using the wireless. One of the more interesting places I see this being a possible issue would be in a corporate environment where users have laptops and wireless networking while also having wired networks at their desk. This would be especially important for teams like developers who might run insecure web server setups on their Windows XP boxes... This would all be compounded by using easily guessable network address spaces on the wired network and insecure wireless configurations that could allow someone in the parking lot to associate or break into. A disgruntled employee or former employee could cause a little drama...but chances are if someone is running insecure systems on the wired network, they will also be insecure on the wireless, and probably can be directly attacked without needing to resort to multihome attacks. ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Multihome based network attacks smith . norton (Aug 23)
- <Possible follow-ups>
- Re: Multihome based network attacks krymson (Aug 24)
- RE: Multihome based network attacks Verma, Neeraj K (Aug 25)
- RE: Multihome based network attacks Verma, Neeraj K (Aug 28)
- Re: Multihome based network attacks J Jude (Aug 29)
- RE: Multihome based network attacks Scott Ramsdell (Aug 29)