On Wed, 2002-10-23 at 12:20, Andrew Plato wrote:
> >> Coupled with host IDS, firewalls, and a
> >> few other goodies, it's a pretty safe network now.
>
> >Just run a VPN gateway behind the wireless segment. Refuse anyone
> >to go past it without the client VPN, and you are done. Run WEP and MAC
> >filters, if you can, just to keep the casual eavesdroppers off the net.
>
> >Therefore you have
>
> a) Strong Authentication of the users.
>
> b) Strong Encryption of the data.
>
> >You are now *better* than the wired segments.
>
>
> That's a peachy solution...unless the end node gets hacked and the
> hacker uses the VPN tunnel to come into the network. This is how
> Microsoft was hacked about a year ago.

Actually it was over 2 years ago, and it was the QAZ worm, which would have been detected by any Antivirus. I left that off my note since the goal was to make it as good as the wired segment. All machines should have A/V and a firewall running on them.

> A hacker took over some developer's home PC, grabbed his VPN
> credentials and agent configuration, and then used the VPN tunnel to
> access the network and steal stuff. The intruder essentially bypassed
> all the security by gaining control of the end-node in this case. In
> fact his intrusion enjoyed a level of security itself, since his
> attack was nicely encrypted inside the VPN tunnel.

> So VPN and authentication alone will not solve the problem.

Define "the problem." If the problem is wireless, then a VPN will solve it. If the problem is remote control programs, then no. But no one mentioned them until you did just now. Please do not redefine the goal without redefining the question.

The attack against Microsoft was on a wired segment. The fact that it was on a home DSL line does not matter. It quickly spread to the main network and was going out the normal firewall/gateways of MS.
> You have to have some kind of strong, two-factor authentication on
> the end-node or something to help prevent the end-nodes from getting
> hacked in the first place. In this example, a simple reactive firewall
> or intrusion prevention system running on the host might have stopped
> the hacker from stealing the VPN credentials and agent software in the
> first place.

A/V would have blocked QAZ in any number of places. Firewalling might have at the time. The worms tend to keep up with the firewalls though.

2-factor auth means nothing to a piggy-backed connection. Most IPSEC solutions allow a passphrase on the certificate, or even a passphrase to get in. The worm can wait for me to connect. Good VPNs allow a lockdown on the connection (I can only connect to the VPN network, when VPNed) and this prevents straight-through tunnelling. If it's a worm though, it will still propagate.

But if there is not a known signature to the worm, then nothing would have prevented it. Remote control of a machine looks like a user. If you cannot detect the worm, you have to use IDS (host or network based) to alert you to the user's behavior. I don't want to get into IDS issues in this thread.

>
> ___________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
>
> 503-644-5656 Office
> 503-644-8574 Fax
> 503-201-0821 Mobile
> www.anitian.com
> ___________________________________
>

-- 
Zot O'Connor
http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
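The "lockdown on the connection" described above (once the tunnel is up, only the VPN network is reachable, so nothing can be tunnelled straight through from the local side) can be verified from the client's routing table. The following is an added example, not code from either poster: it reads a constructed routing table in Linux `ip route` format and flags every route that bypasses the tunnel. The interface names (`tun0`, `wlan0`) and all addresses are assumptions made up for the example.

```python
"""Check a VPN client for split-tunnel exposure (added example).

A locked-down client has its default route on the tunnel interface and
no other route off the tunnel except the single host route to the VPN
server itself, which is needed to carry the tunnel. Anything else is a
path a worm on the client could use alongside the tunnel.
"""
import ipaddress

# Constructed sample tables in `ip route` format (not real systems).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""

LOCKED_DOWN = """\
default dev tun0
10.8.0.0/24 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Yield (destination network, interface) for each `ip route` line."""
    for line in text.strip().splitlines():
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # A bare host address parses as a /32 network.
        yield ipaddress.ip_network(dst, strict=False), parts[parts.index("dev") + 1]


def analyse(text, vpn_dev, vpn_server):
    """Return (default_via_vpn, leaking destinations as strings)."""
    server = ipaddress.ip_address(vpn_server)
    default_via_vpn, leaks = False, []
    for dst, dev in parse_routes(text):
        if dev == vpn_dev:
            default_via_vpn |= dst.prefixlen == 0
        elif dst.prefixlen == 32 and server in dst:
            continue  # host route to the VPN endpoint: required, not a leak
        else:
            leaks.append(str(dst))  # e.g. the local LAN or a non-VPN default
    return default_via_vpn, leaks


def is_locked_down(text, vpn_dev, vpn_server):
    default_via_vpn, leaks = analyse(text, vpn_dev, vpn_server)
    return default_via_vpn and not leaks
```

On a real client the input would be the output of `ip route`; the check is only meaningful after the tunnel is established, since before that the LAN route is legitimately present.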
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:58:10 PDT