[Dshield] Wireless networks and corporate Lans

Pete Cap peteoutside at yahoo.com
Sat Feb 28 15:42:01 GMT 2004

Johannes, List,
This is a topic I'm covering for my GSEC practical--designing just such a small-business LAN where you have desktops and travel laptops which all need to communicate.
The solution I'm looking at now is have a sectioned-off area of the network, using firewalls, specifically for "transitory" hosts (it would have the modem pool, VPN setup, and wireless access points).  If the laptops were to dual-home then it would defeat the firewalls!  That never occurred to me.  When I get my certification I'll be sure to give you credit! :P
I am 99% sure that I can craft a security policy for the machines which would negate this.  In simple terms, something along the lines of "When the NIC card is plugged in, the wireless card stops functioning."  But putting that into "real" language is the poser.
Will let you know what I come up with :)

"Johannes B. Ullrich" <jullrich at sans.org> wrote:

> A laptop is connected to a corporate LAN via ethernet or a docking 
> station. The laptop also has a wireless card installed. A public 
> wireless access point is within range. Will the laptop connect both 
> interfaces? What will be the default route? Chances are the laptop 
> will be running Win2K.

> What are the vulnerabilities? 

Worst case:

you now have a gateway into your corporate LAN.

By default, the wireless card will connect to the access point.
So now you have a dual homed system. Pretty much like a router.
Default route: depends on what the access point is telling your
system during the DHCP negotiation.

This is pretty much a worst case scenario. Similar to a user
on your LAN using a dialup modem to connect to a random ISP.
This computer is now a gateway into your network. 

In addition: This user will now takes the laptop and travel.
They will fire it up in an airport. The wireless card will
try to associate itself with any access point in range and
start 'talking'... 

I am not sure how to fix this best. Probably depends on the card.
But at least, you should install a personal firewall, so the card
is at least protected.

Funny story in this context: Last year, I helped out with a SANS
class. People where connected to a wired network and where supposed
to scan designated targets on this wired network. A student had
problems and got odd results from simple commands like traceroute.

It turned out that he has a wireless card, which was connected
to the wireless conference network. In class, the sample machines
had various host names within the 'sans.org' domain. Instead of
scanning the class systems, he scanned our actual web servers and
such (luckily he didn't find a hole ;-) ).

CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm

> ATTACHMENT part 1.2 application/pgp-signature name=signature.asc
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Do you Yahoo!?
Get better spam protection with Yahoo! Mail

More information about the list mailing list