[Dshield] Wireless networks and corporate Lans
warpmedia at comcast.net
Thu Mar 4 05:55:11 GMT 2004
As a matter of preference & some degree of not wasting batteries I have
set up my laptop to start up with the WIFI support software/drivers disabled.
When time comes to enable it, I have an icon that starts the driver &
support software. Now when I shutdown & reboot, I revert back to disabled.
Of course if I hibernate while on WIFI, that blows the whole approach as
the system boots back up enabled. But the AP SSID is a random name, not
default, uses WEP & MAC security so I assume my default profile won't just
attach to any random AP in the field.
Add to this I have a software FW (Kerio PFW 4) installed & running to
attempt to thwart rogue programs & certain kinds of Internet access like
foreign DNS servers, pings, private ports, etc...
In a homogeneous environment it's a simple matter to use AD/GP to push
settings down to laptops so they boot in the disabled state, configure
settings like bridging, stop unneeded services, install scripts/shortcuts
for per-session enabling of WIFI, etc... IMHO I do so here on my home
Question: Does manually setting the metric (vs automatic) on WIFI high and
LAN low keep traffic routed to LAN until the LAN is unplugged?
At 10:42 AM 2/28/2004, Pete Cap wrote:
>This is a topic I'm covering for my GSEC practical--designing just such a
>small-business LAN where you have desktops and travel laptops which all
>need to communicate.
>The solution I'm looking at now is have a sectioned-off area of the
>network, using firewalls, specifically for "transitory" hosts (it would
>have the modem pool, VPN setup, and wireless access points). If the
>laptops were to dual-home then it would defeat the firewalls! That never
>occurred to me. When I get my certification I'll be sure to give you
>I am 99% sure that I can craft a security policy for the machines which
>would negate this. In simple terms, something along the lines of "When
>the NIC card is plugged in, the wireless card stops functioning." But
>putting that into "real" language is the poser.
>Will let you know what I come up with :)
>"Johannes B. Ullrich" <jullrich at sans.org> wrote:
> > A laptop is connected to a corporate LAN via Ethernet or a docking
> > station. The laptop also has a wireless card installed. A public
> > wireless access point is within range. Will the laptop connect both
> > interfaces? What will be the default route? Chances are the laptop
> > will be running Win2K.
> > What are the vulnerabilities?
>you now have a gateway into your corporate LAN.
>By default, the wireless card will connect to the access point.
>So now you have a dual homed system. Pretty much like a router.
>Default route: depends on what the access point is telling your
>system during the DHCP negotiation.
>This is pretty much a worst case scenario. Similar to a user
>on your LAN using a dialup modem to connect to a random ISP.
>This computer is now a gateway into your network.
>In addition: This user will now take the laptop and travel.
>They will fire it up in an airport. The wireless card will
>try to associate itself with any access point in range and
>I am not sure how to fix this best. Probably depends on the card.
>But at least, you should install a personal firewall, so the card
>is at least protected.
>Funny story in this context: Last year, I helped out with a SANS
>class. People were connected to a wired network and were supposed
>to scan designated targets on this wired network. A student had
>problems and got odd results from simple commands like traceroute.
>It turned out that he had a wireless card, which was connected
>to the wireless conference network. In class, the sample machines
>had various host names within the 'sans.org' domain. Instead of
>scanning the class systems, he scanned our actual web servers and
>such (luckily he didn't find a hole ;-) ).
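The policy discussed above ("when the NIC card is plugged in, the wireless card stops functioning") can be scripted rather than left to a written rule. The following is an added example, not code from anyone in this thread: a PowerShell script that disables every physical wireless adapter while a wired Ethernet adapter has link, re-enables wireless when the cable is pulled, and pins explicit interface metrics so the wired interface wins the default route whenever both happen to be up. It assumes Windows 8 / Server 2012 or later (NetAdapter and NetTCPIP cmdlets) and an elevated shell; the thread's Win2K hosts predate PowerShell, where the same effect would need netsh or a startup script. The metric values 10 and 50 are arbitrary choices for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Enforces "wired up => wireless off"
# on a Windows laptop and keeps the wired interface preferred in the routing table.
# Assumptions: Windows 8+/Server 2012+ (NetAdapter, NetTCPIP modules), elevated shell.

# Physical adapters, classified by media type:
#   '802.3'         = wired Ethernet
#   'Native 802.11' = Wi-Fi
$adapters = Get-NetAdapter -Physical
$wired    = $adapters | Where-Object { $_.PhysicalMediaType -eq '802.3' }
$wireless = $adapters | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }

# Wired adapters that currently have link.
$wiredUp = $wired | Where-Object { $_.Status -eq 'Up' }

if ($wiredUp) {
    # Cable plugged in: disabling the wireless adapter also removes its routes,
    # so the laptop cannot act as a dual-homed gateway between an AP and the LAN.
    $wireless | Where-Object { $_.Status -ne 'Disabled' } |
        Disable-NetAdapter -Confirm:$false
    Write-Host "Wired link up on $($wiredUp.Name -join ', '); wireless disabled."
}
else {
    # No cable: allow wireless again, but give it a worse (higher) interface
    # metric than the wired interfaces. Setting an explicit value turns off
    # Windows' automatic metric for that interface. Value 50 is an assumption.
    $wireless | Where-Object { $_.Status -eq 'Disabled' } |
        Enable-NetAdapter -Confirm:$false
    $wireless | ForEach-Object {
        Set-NetIPInterface -InterfaceIndex $_.ifIndex -InterfaceMetric 50 `
            -ErrorAction SilentlyContinue
    }
    Write-Host "No wired link; wireless enabled with metric 50."
}

# Wired interfaces always get the lower metric (value 10 is an assumption), so
# if both interfaces are ever up at once the default route prefers the LAN.
$wired | ForEach-Object {
    Set-NetIPInterface -InterfaceIndex $_.ifIndex -InterfaceMetric 10 `
        -ErrorAction SilentlyContinue
}

# Show the resulting default routes and their metrics for verification.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```

To make it react to plugging and unplugging, register it as a scheduled task that runs at logon and on network-change events (the Microsoft-Windows-NetworkProfile/Operational log, event IDs 10000 for connect and 10001 for disconnect). On domain-joined Windows 8 or later, the Group Policy setting "Prohibit connection to non-domain networks when connected to domain authenticated network" (Computer Configuration > Administrative Templates > Network > Windows Connection Manager) gives the same protection without a script, which is the AD/GP approach the poster describes.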