[Dshield] Wireless networks and corporate Lans

warpmedia warpmedia at comcast.net
Thu Mar 4 05:55:11 GMT 2004


As a matter of preference & some degree of not wasting batteries I have 
setup my laptop to startup with the WIFI support software/drivers disabled. 
When time comes to enable it, I have an icon that starts the driver & 
support software. Now when I shutdown & reboot, I revert back to disabled.

Of course if I hibernate while on WIFI, that blows the whole approach as 
the system boots back up enabled. But the AP SSID is a random name, not 
default, uses WEP & MAC security so I assume my default profile won't just 
attach to any random AP in the field.

Add to this I have a software FW (Kerio PFW 4) installed & running to 
attempt to thwart rouge programs & certain kinds of Internet access like 
foreign DNS servers, pings, private ports, etc...

In a homogenous environment it's a simple matter to use AD/GP to push 
settings down to laptops so they boot in the disabled state, configure 
settings like bridging, stop uneeded services, install scripts/shortcuts 
for per-session enabling of WIFI, etc... IMHO I do so here on my home 
network. YMMV

Question: Does manually setting the metric (vs automatic) on WIFI high and 
LAN low keep traffic routed to LAN until the LAN is unplugged?


At 10:42 AM 2/28/2004, Pete Cap wrote:
>Johannes, List,
>
>This is a topic I'm covering for my GSEC practical--designing just such a 
>small-business LAN where you have desktops and travel laptops which all 
>need to communicate.
>
>The solution I'm looking at now is have a sectioned-off area of the 
>network, using firewalls, specifically for "transitory" hosts (it would 
>have the modem pool, VPN setup, and wireless access points).  If the 
>laptops were to dual-home then it would defeat the firewalls!  That never 
>occurred to me.  When I get my certification I'll be sure to give you 
>credit! :P
>
>I am 99% sure that I can craft a security policy for the machines which 
>would negate this.  In simple terms, something along the lines of "When 
>the NIC card is plugged in, the wireless card stops functioning."  But 
>putting that into "real" language is the poser.
>
>Will let you know what I come up with :)
>
>Regards,
>
>Pete
>
>"Johannes B. Ullrich" <jullrich at sans.org> wrote:
>
> > A laptop is connected to a corporate LAN via ethernet or a docking
> > station. The laptop also has a wireless card installed. A public
> > wireless access point is within range. Will the laptop connect both
> > interfaces? What will be the default route? Chances are the laptop
> > will be running Win2K.
>
> > What are the vulnerabilities?
>
>Worst case:
>
>you now have a gateway into your corporate LAN.
>
>By default, the wireless card will connect to the access point.
>So now you have a dual homed system. Pretty much like a router.
>Default route: depends on what the access point is telling your
>system during the DHCP negotiation.
>
>This is pretty much a worst case scenario. Similar to a user
>on your LAN using a dialup modem to connect to a random ISP.
>This computer is now a gateway into your network.
>
>In addition: This user will now takes the laptop and travel.
>They will fire it up in an airport. The wireless card will
>try to associate itself with any access point in range and
>start 'talking'...
>
>I am not sure how to fix this best. Probably depends on the card.
>But at least, you should install a personal firewall, so the card
>is at least protected.
>
>Funny story in this context: Last year, I helped out with a SANS
>class. People where connected to a wired network and where supposed
>to scan designated targets on this wired network. A student had
>problems and got odd results from simple commands like traceroute.
>
>It turned out that he has a wireless card, which was connected
>to the wireless conference network. In class, the sample machines
>had various host names within the 'sans.org' domain. Instead of
>scanning the class systems, he scanned our actual web servers and
>such (luckily he didn't find a hole ;-) ).
>

Joshua MacCraw
warpmedia at comcast.net
http://mywebpages.comcast.net/jmaccraw 




More information about the list mailing list