This is more of a LAN question than a wireless, but maybe somebody can give me quick answer.
One of our clients on the LAN wrote me saying that he thinks I should turn off Wake on LAN on each pc in the subnet because it's a security issue if somebody inside our LAN is infected with malware.
He says that he knows, because it happened to him in the past.
I can not find any references to WOL security issues and will write him asking for a link or example. , but thought I'd ask first here.
From what little I understand, it seems that packet sniffing and file- sharing are more of a security issue within our LAN than having a sleeping pc woken up.
Yes. In general, if the feature isn't used, turn it off. However, WOL itself is not a security issue. However, tinkering with the firewall settings in order to get WOL to work through the firewall usually does result in a security problem.
Yep. There are programs the exploit WOL. WOL has no security from attacks originating from the LAN side of the firewall. Of course, if you have malware and other junk running on your LAN, you've got bigger problems than just WOL. Try treating the causes instead of tinkering with WOL.
WOL can only turn on a computah, not off. In order to turn on a computah, it needs to know the MAC address of the ethernet card. This can be done by sniffing. If the PC's are on an ethernet switch, the client machines will only see their own MAC address, the various server MAC addresses, and any devices they can access (printers, gateways, routers, etc). Sniffing does not magically obtain everyone elses MAC address. Try it with a Windoze machine using a sniffer such as Ethereal, Wireshark, or just "arp -a".
Once an attacker has a shopping list of MAC addresses, it can turn on any of the machines it see. The theory is that if it's going to spread viruses and worms, doing so at night, when the offices are closed is a somewhat better time to attack. If the virus protection and personal firewalls are functional on the PC's, nothing will happen.
Frankly, I'm not worried, but there are some issues. Having someone arrive at the office in the morning, and finding their machine turned on is rather disconcerting. They usually suspect that someone has been tinkering, hacking, or snooping on their private files. However, it's usually NOT a WOL attack. It's me doing remote administration in the middle of the night using VNC, PC Anywhere, or remote desktop. I sometimes forget to turn off the machine when done (or screwup and crash the machine). If your client has reported that machines are magically turned on in the morning, when nobody is on, look for remote control software, usually installed by employees that wanna do work at home.
It's impossible to sniff non-connected traffic on a switched ethernet port. Try it with Wireshark and you'll only see your own traffic. However, replace the switch with hub, and you can sniff merrily. Some managed switches also offer a monitor port, which redirects all the traffic to some designated port.
Sounds like it very close to being a non-issue. I surmise, as before, that it won't hurt to turn it off on people's BIOS at leisure, but I'm not getting excited.
Good to hear that not even packet sniffing is a concern considering we do use an ethernet switch (router).
Critters playing on the keyboard? My previous cat would walk all over the keyboard. It was an HP that a power on/off button on the keyboard. I also found the machine turned on at odd hours.
It's not impossible to punch a hole in your firewall to use for WOL. I've often suspected that UPnP can do that
Hmmm... That's possible, but I don't think so. I've got several of mine set like that, with WOL active (and functional). I haven't seen that problem on my machines or my customers.
There are many BIOS's that have a wake up from standby feature for various inputs. Mine shows wake on modem ring, which might be the culprit.
Standby means that machine is still running, but at the very lowest CPU clock speeds and with all the peripherals powered down. In effect, it's turned on, but in a low power mode.
Yes, but only in standby. If in hibernate or powered down, no way.
I just came back from Starbucks, had my caffeine blast,
am fully wired and ready for networking or security questions. Being wired certainly improves the quality of my answers, but really ruins my typing and spelling.
No critters. It's in the bedroom. I hear the disk spin up, and the monitor lights up. The keyboard is on a slide in tray, so it would have to be a small critter. I had to disable the "sleep" button on the upper left of this HP keyboard. I kept smacking it instead of the ESC key during wild vi sessions, and sending the PC directly to standby.
UPnP is off... It's a foul thing ;-)
That should be every night. I did that to myself on a laptop. No such setting on my desktop.
No phone line. I think it has a modem.
Maybe that's it. If we shutdown the PC, it stays off. If we leave it alone early enough, it eventually goes to hibernate before the automatic updates scheduled 3am start. If we leave it alone later, it's still in standby and leaps into action at
If a host wants to know the MAC address of another system in the same broadcast domain, it sends an ARP (Address Resolution Protocol) request, and the destination host responds with its MAC address. It doesn't need to passively wait hoping to observe MAC addresses.
Your statement: "It's impossible to sniff non-connected traffic on a switched Ethernet port. Try it with Wireshark and you'll only see your own traffic.", is false.
Although you normally would only see your own unicast traffic, broadcasts, multicasts, and the occasional unicast packet flooded by the switch because it had not yet learned which port the destination device resided on, it is possible to see "all" of the traffic the switch handles.
A switch maintains a table that associates source MAC addresses with the ports that they were received on. This table has a limited capacity (device dependent). If you exceed the tables capacity using readily available software, switch ports will typically "fail-open". The result is that unicast traffic will be flooded out "all" the ports (other than the one the packet was received on), rather than just the port to which the destination device was attached to.
With this exploit, a sniffer can then see all of the traffic the switch handles, and not just the traffic that would normally be seen on the port the sniffer is connected to.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.