RE: Wireless Pent-Test

From: Keith T. Morgan (keith.morgan@terradon.com)
Date: Tue Oct 07 2003 - 10:44:28 EDT


<snip>
>
> Cool, lots of xtras to deal with as regards maintaining and managing the
> setup. As long as your IT group and corporation are willing to take those
> steps, more power to all of you. Of course, it's pretty impractical still
> and a onetime looksee is not going to make sure it's happening all the
> time.
>

Agreed. Security is never fire and forget. It should always be cyclic.

<snip>
>
> Security that does not address the real points of risk and attack is
> useless though. Thus my rant that VPN's are not a cureall, and seldom
> address such, though I've seen VPN's tossed about nilly and frilly to
> anyone, regardless of if there's a real requirement or not for such. And
> far too often those implementing such solutions are not gaining anything
> of real value for the efforts. Point of my whole posting<s> on the topic.

Again I agree. We also see VPNs deployed when there may not be legitimate need. But this points back to the whole productivity/security balance. Essentially, any VPN connected device should be treated just as a LAN connected device with a cat 5 cable. Most of us have firewalls in place to protect our LANs, most of us use AV protection, most of us perform security audits (vuln analysis etc...) and I think my point would be, once a user connects from home, the corporate security policies, and all of the security management work that goes into protecting a LAN, now has to be done at the user's end as well. Hence, this brings forth the extension of the organizational security policy to the home as a pre-requisite to VPN connection. Just saying that doesn't accomplish much. There's real work to be done on behalf of the security staff to assure this.

<snip>

>
> Automate all you wish, but, unless you own the PC enough to *not* provide
> the user with admin access rights, you'll likely find the auto updates are
> disabled a short time later, if not by the user you are responsible for,
> then by their kids <smile>.

Could happen. Has happened. At which point it becomes a documented exposure, and said user is sanctioned appropriately. Back to the security being cyclic, and no such thing as fire and forget etc.... A corporate user could just as easily turn off their desktop AV protection because "it slows my computer down, wah." That happens too. Diligence is work, but we have to stay on top of these things.

>
> But, to actually mitigate risk, there's more to a VPN'ed setup than
> anti-viri/trojan guards, how do you safely offer your users http access,
> without a strong proxy?
>
> Thanks,
>

Proxy is one way. Making the VPN connection's default route come through the organization's HTTP security mechanisms is a good general practice. Same would apply for SMTP, POP3, etc... One of the biggest dangers here, and most difficult to mitigate is what happens on the end user's machine when they're *not* connected to and through the VPN. This provides cause to place VPN concentrators in a DMZ type environment when resources permit. I don't think we ever recommend configuring VPN users as "trusted" network connections. A customer may go against our advice after considering productivity gain versus cost.

To anyone following this thread, please understand that this is a really good point we're bantering about here. I'm personally aware of cases where organizational core networks have been compromised by VPN connected users. I haven't stumbled across a case where a war-driver cruising the neighborhood happened to find himself connected with full access to a corporate network via VPN, but I'm certain it will happen in time. Most of the time, the war-drivers find themselves in the heart of an organization's network as soon as they connect up with the WAP. There are a lot of poorly configured/deployed wireless solutions out there. But this isn't news to anyone.

<snip>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT