Andrew,

Let's keep in mind that security is about mitigating risk, not eliminating it. You will never eliminate risk. The job of security is to make it hard enough to accomplish something that someone will either give up or, more likely, go on to the next "opportunity".

Kris
___________________________________________
Kris Quinby, CISSP
Systems Engineer - Data Center Operations
GE Medical Systems Information Technologies
Email: kris.quinby@private
Phone: 503-531-7190
Fax: 503-531-7001

-----Original Message-----
From: Andrew Plato [mailto:aplato@private]
Sent: Wednesday, October 23, 2002 12:20 PM
To: Zot O'Connor; crime@private
Subject: RE: CRIME Driveby DOS

>> Coupled with host IDS, firewalls, and a
>> few other goodies, it's a pretty safe network now.

>Just run a VPN gateway behind the wireless segment. Refuse to let anyone
>go past it without the client VPN, and you are done. Run WEP and MAC
>filters, if you can, just to keep the casual eavesdroppers off the net.
>Therefore you have
> a) Strong Authentication of the users.
> b) Strong Encryption of the data.
>You are now *better* than the wired segments.

That's a peachy solution...unless the end node gets hacked and the hacker uses the VPN tunnel to come into the network. This is how Microsoft was hacked about a year ago. A hacker took over some developer's home PC, grabbed his VPN credentials and agent configuration, and then used the VPN tunnel to access the network and steal stuff. The intruder essentially bypassed all the security by gaining control of the end node in this case. In fact, his intrusion enjoyed a level of security itself, since his attack was nicely encrypted inside the VPN tunnel.

So VPN and authentication alone will not solve the problem. You have to have some kind of strong, two-factor authentication on the end node, or something to help prevent the end nodes from getting hacked in the first place.

In this example, a simple reactive firewall or intrusion prevention system running on the host might have stopped the hacker from stealing the VPN credentials and agent software in the first place.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 14:06:26 PDT