[Dshield] Wireless networks and corporate Lans

Al Reust areust at comcast.net
Mon Mar 1 04:18:16 GMT 2004


Hello All

I sat on this all weekend to see what was said.

Depending on the OS running ICS your mileage may vary: Win 9.x, Win2K, 
Win XP or now 2003 Server (with very heavy Network Bridging). With the 
current state of 802.11x, it is fairly wide open. This gets very tough to 
address properly in a short period of time without reproducing many 
other people's work in my lab. From the problem described, I do not see what 
I considered a clear answer or information to the specific question. We all 
have views and experience with Wireless at some level.

The laptop I carry has a Modem, Network card and a PCMCIA 
Wireless (Orinoco). It is running XP Pro (Win2k is almost as bad; IF the OS 
is Win2k Server other features can be turned on [ICS]). All three network 
devices are set for DHCP (this does not mention the USB/1394 network 
connectivity). As it was stated, IP Forwarding (Internet Connection Sharing 
- ICS) is not normally turned on by default. However, a quick check of the 
laptop showed:

* The modem connection "by default" does not have ICS turned on (IP 
forwarding). In the case of a modem the "ICS client" needs to be configured 
across a network. You are blocked at the ICS Host.
* The Wireless NIC showed that it did have ICS turned on (I do not recall 
having enabled it, but it means it would hand out an IP if opened. By 
default it showed it was open.). The DHCP setting was, if it automatically 
connected to my network.

When I turn ICS on, it enables NAT, which allows bridging networks with the 
appropriate routing (normally translating inbound/outbound [proxy] 
traffic). MS SOHO to SOHO. While I have not worked through all 
permutations, it would handle bridging different subnets easily (primarily 
TCP/IP). Generally, to make ICS work M$ had to get very liberal with 
routing (it knows the outbound DNS). The machine should respond to 
whichever route according to what is known about either network or the 
specific request, as long as the outbound IP is routable. Caveat: 
depending on the status of the Internet Connection Firewall (ICF), it can 
prevent a portion of what can happen; it still allows port forwarding, but 
that is another topic.

There would be two ways that someone could connect: my DHCP/NAT with "My 
IP", or I connect to their open Wireless Network with "Their IP." That would 
partly determine what is visible on the target machine/network. Can you say 
Road Warriors? We make it easy for them or the bad guys. Then you have to 
look at the security posture of the machine (everyone/guest account enabled).

Example:

A Wireless connection in Building A (across the street) to the Nic in 
Building B (my office LAN). Someone in "Building A" hooks up to my open 
Wireless and gets "My IP." My NAT'd IP is in the same subnet (liberally - 
ICS). It is open season, running a version of CommView would show my IP and 
domain\identify of the IP of "Building B" subnet. My resources/information 
are visible/connectable.

A Wireless connection in Building A (across the street) to the Nic in 
Building B (my office LAN). I get an IP from their open Wireless ("Their 
IP"). Then I am visible on their network. The NAT engine "proxy" can 
translate between the two differing subnets. My resources are visible; that 
is the start, go pick your tools. Not quite as easy.

Now we add:

If NetBIOS over TCP/IP (severe performance hit) is enabled on the 
interfaces, resources on the network become more transparent (open Explorer 
and browse the Network Neighborhood to the machine). I become a Browse 
Master (ICS), if I remember correctly from the MS Internetworking section. 
Or the discussion of Remote Access and Routing to take over from NAT in the 
server model.

To make matters worse, if the credentials the user is logged in under 
are Administrator/Domain Admin (required for SOHO ICS), it could allow 
other bad things to happen (if everyone/guest is enabled, allowing access 
to "my" resources). Other things would be running under the "Network 
Services" context, potentially with my "machine/identity" security tokens 
(in Building B).

While I have not run all the possible permutations in a lab, I have visited 
a location (the first example, with Netstumbler, Airopeek and CommView) 
and demonstrated that it was possible to gain entry and information about 
their internal network. Yes, there are other tools; just pick one.

If I can plant an "executable" on the machine in "All Users\Programs\Start 
Menu" it becomes more of a done deal.

My Laptop practices are:
* I have Local accounts for when the machine is not logged into the domain.
* The machine is Firewalled, Anti-Virus'd and checked for other nasties 
before it is plugged back into the Office LAN.
* Remote Control Products are disabled in the Services.
* "Guest" is password protected and the account disabled; the built-in "Support 
Users" are password protected and disabled. Yes, you can change the passwords.
* "Everyone" is removed from the File Structure and replaced with Domain 
Admins, Administrators and Authenticated Users, etc.
* Anyone needing to touch a "share" (C$, IPC$, etc.) would have to have 
either Domain Credentials or Local Credentials.
* Hardware Profiles can prevent multiple network instances.
* Domain Policy can prevent ICS on the network.

So developing a Policy for how "transient" machines (Incoming Visitors or 
Corporate Users) are allowed to connect becomes a Must! The very least 
would be some form of check for Trojans/Virus before they are plugged into 
a DMZ, hopefully with an IDS listening.

This is without addressing ICS with DirectX or UPnP connections (mostly 
gamers).
As MS described it:
<Quote>
ICS allows a user with an "administrator account" to provide Internet 
access for a home or small office network, using one common connection as 
the Internet gateway, and to provide local private network services, such 
as name resolution and addressing. The ICS host is the only computer that 
is directly connected to the Internet. Multiple ICS clients simultaneously 
use the common (shared) Internet connection. ICS is available only on 
computers that have two or more network connections.
<End Quote>

Quick References:
Configure Internet Connection Sharing (Win2K) MSDN
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prcc_tcp_savs.asp

Configuring Multihoming MSDN
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/winxppeer.asp

Internet Connection Sharing and Internet Connection Firewall
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/about_internet_connection_sharing_and_internet_connection_firewall.asp

Peer Host NAT compatibility MSDN DirectX
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/play/advancedtopics/nats/peerhostnatref.asp

Group Policy settings that prohibit home and small office networking on 
your domain
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/hnw_prohibit.asp

Network Bridge
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/hnw_understanding_bridge.asp

Enumerate Home Networking Connection Properties
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/network/Scrnet36.asp

Enumerate Home Networking ICS Settings
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/network/Scrnet36.asp

Defining a Client Connectivity Strategy
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/deploy/dggh_clc_stim.asp

Please take this at Face Value, until you have checked. Yes, our mileage varies.


R/

Al
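Added example (not code from Al's post, and not one of the Microsoft Script 
Center scripts he references): a PowerShell audit of a Windows laptop for 
the exposures the post describes, namely ICS left enabled on a connection, 
NetBIOS over TCP/IP left on, the Guest account enabled, and the absence of 
the domain policy that prohibits ICS and Network Bridge. Assumptions: it is 
run as Administrator in Windows PowerShell on a Windows host, the HNetCfg 
COM object (the same interface behind the "Enumerate Home Networking ICS 
Settings" reference) is available, and the function name Test-LaptopExposure 
and the -Fix switch are this example's own choices.

```powershell
# Added example, not from the original post. Audits the laptop for the
# conditions discussed above and, with -Fix, turns the offending settings off.
# Assumed: elevated Windows PowerShell; HNetCfg.HNetShare COM object present.
[CmdletBinding()]
param([switch]$Fix)

function Test-LaptopExposure {
    param([switch]$Fix)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Internet Connection Sharing. For every connection, ask the ICS
    #    configuration whether sharing is on. SharingConnectionType:
    #    0 = public (the Internet side), 1 = private (the side that becomes
    #    the 192.168.0.1 NAT/DHCP gateway an intruder would get an IP from).
    $hnet = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $hnet.EnumEveryConnection) {
        $props = $hnet.NetConnectionProps($conn)
        $cfg   = $hnet.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $role = if ($cfg.SharingConnectionType -eq 0) { 'public' } else { 'private' }
            $findings.Add("ICS is enabled on '$($props.Name)' ($role side)")
            if ($Fix) { $cfg.DisableSharing() }
        }
    }

    # 2. NetBIOS over TCP/IP on each IP-enabled adapter.
    #    TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
    #    Anything but 2 means the box may browse/be browsed over NetBIOS.
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($nic.TcpipNetbiosOptions -ne 2) {
            $findings.Add("NetBIOS over TCP/IP not disabled on '$($nic.Description)' (option $($nic.TcpipNetbiosOptions))")
            if ($Fix) {
                Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            }
        }
    }

    # 3. Built-in Guest account (always RID 501, whatever it was renamed to).
    #    Note: Win32_UserAccount can be slow on domain-joined hosts.
    $guest = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-501'"
    if ($guest -and -not $guest.Disabled) {
        $findings.Add("Guest account '$($guest.Name)' is enabled")
        if ($Fix) { net user $guest.Name /active:no | Out-Null }
    }

    # 4. Group Policy "Prohibit use of Internet Connection Sharing / Network
    #    Bridge on your DNS domain network". Both land as DWORD values under
    #    this key; 0 means prohibited, missing or non-zero means allowed.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.NC_ShowSharedAccessUI -ne 0) {
        $findings.Add('Policy does not prohibit ICS (NC_ShowSharedAccessUI is not 0)')
    }
    if (-not $pol -or $pol.NC_AllowNetBridge_NLA -ne 0) {
        $findings.Add('Policy does not prohibit Network Bridge (NC_AllowNetBridge_NLA is not 0)')
    }

    return $findings
}

$result = Test-LaptopExposure -Fix:$Fix
if ($result.Count -eq 0) {
    'No exposures found.'
} else {
    $result | ForEach-Object { "[!] $_" }
}
```

Run it without -Fix first to see what the laptop is actually advertising; 
the ICS check is the one worth repeating before every return to the office 
LAN, since (as the post notes) sharing can end up enabled on the wireless 
NIC without anyone remembering having turned it on. The policy check only 
tells you whether the setting has been pushed to this host; the Group Policy 
reference above is where it is set on the domain.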



