Security Question (Wireless)

In general I think that there is an issue with wireless being on by default, because when you are plugged into the corporate LAN by Cat5, that makes your PC act like a router.

Corporate LAN------(Wired)----PC- - -(Wireless)- - -Corporate LAN

Any agreement, disagreement?

Thanks people for your ideas on this!

Reply to
fishcca

Which operating system makes your PC "act like a router" by default?

Reply to
Neill Massello

Two criteria must be met for the PC to function as a router.

  • IP routing must be enabled on the PC.
  • Some computer or router must be configured to use the PC as a gateway.

For the PC to route between interfaces, the connected segments of the Corporate LAN must be logically discrete.

Reply to
Dom
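Added example, not part of the thread: a local check for the first criterion above (IP routing enabled) together with the wired-plus-wireless condition the thread is arguing about. It assumes a Linux host and reads sysfs/procfs, whereas the thread discusses Windows; the function name `audit_dual_homed` and its `root` parameter are made up for illustration.

```python
import os

def audit_dual_homed(root="/"):
    """Return which physical interfaces are up and whether the kernel forwards IPv4.

    `root` exists only so the check can be pointed at a constructed directory tree.
    """
    net = os.path.join(root, "sys/class/net")
    wired, wireless = [], []
    for name in sorted(os.listdir(net)):
        iface = os.path.join(net, name)
        # Physical NICs have a "device" entry; loopback, bridges and veths do not.
        if not os.path.exists(os.path.join(iface, "device")):
            continue
        try:
            with open(os.path.join(iface, "operstate")) as fh:
                if fh.read().strip() != "up":
                    continue
        except OSError:
            continue
        # Wireless drivers expose a "wireless" or "phy80211" entry in sysfs.
        is_wifi = any(os.path.exists(os.path.join(iface, d))
                      for d in ("wireless", "phy80211"))
        (wireless if is_wifi else wired).append(name)
    try:
        with open(os.path.join(root, "proc/sys/net/ipv4/ip_forward")) as fh:
            forwarding = fh.read().strip() == "1"
    except OSError:
        forwarding = False
    dual = bool(wired and wireless)
    return {
        "wired_up": wired,
        "wireless_up": wireless,
        "dual_homed": dual,            # both media active at once
        "ip_forwarding": forwarding,   # criterion 1 from the post above
        # Criterion 2 (another host using this PC as its gateway) is not
        # visible from here, so this only says the host is *able* to route.
        "able_to_route": dual and forwarding,
    }

if __name__ == "__main__":
    for key, value in audit_dual_homed().items():
        print(f"{key}: {value}")
```

A result with `dual_homed` true and `ip_forwarding` false is the state the rest of the thread debates: the host does not route, but it is still attached to both networks at once.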

Discretion is advised. I dunno about logical discretion.

How to enable IP routing in W2K and XP:


Reply to
Jeff Liebermann

Right, to actually be a "router" that makes sense in a literal sense. I just meant that, say, from outside the office they can access the PC from the wireless LAN through their snort findings or something. Then after they are in my PC they could go through the hardwired LAN, which is wide open, no ACLs or anything. Routing in that sense.

It seems better to always turn off the wireless if you have a Cat5 LAN connection as a security precaution. (Why have wireless enabled if you are hard wired? From a security standpoint there is no good reason to have both enabled.) Agreed?

Reply to
fishcca

Not literally, Neill. If you have one interface in one LAN and another NIC in another LAN, and your wireless side is compromised, then it can be a way into your less protected wired LAN.

This is an argument against leaving the wireless card enabled and active on a wireless network while being connected and active on a wired NIC. Best practice is to go ahead and disable the wireless in this case.

Reply to
fishcca

From a security standpoint, secure the wireless connection (on the laptop)!

Reply to
David Taylor

I don't think there is any standard way to do that. You can encrypt it (with very weak and horribly broken crypto) but you can't secure it.

Alun Harford

Reply to
Alun Harford

What are you trying to secure? If somebody has broken into your machine and can run arbitrary code on the machine, you've lost. If your machine is vulnerable on the wireless network, it'll (almost certainly) be vulnerable on the wired network too. It's very rare that you can assume the LAN is safe, so I don't see how turning off the wireless helps you.

Alun Harford

Reply to
Alun Harford

Standard way? Probably not, the standards suck. There are better ways to secure WiFi though which secure both the laptop and the corporate LAN.

I don't call AES 256 bit key weak and horribly broken crypto either! :)

David.

Reply to
David Taylor

This is more of the conversation that I was hoping for.

Now I agree with what you are saying. BUT, if you can have an access speed of 100Mbps to your servers on a wired LAN, and a wireless network for convenience, why have the wireless open from a security standpoint if you are sitting near a network drop? Thanks for the input!

Reply to
fishcca
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Your wireless should *never* be left enabled when you aren't using it. Doing so puts your computer at risk, and by extension any other computers it's networked to. This is a real and serious issue in business environments for which there is no real answer other than (1) sniffing out and shutting down any active wireless or (2) treating any internal LAN as a compromised environment.

Reply to
John Navas

I leave mine enabled, it is secure, see previous post.

Sure there's an answer, secure the communications on the wireless LAN adaptor!

David.

Reply to
David Taylor

Navas- That was the point that I was looking for backing on here.

Reply to
fishcca
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Secure computer with an active network adapter is an oxymoron. Even WPA-PSK is vulnerable to attack (as described below), not to mention the ever-present danger of exploits due to software errors.

There's simply no way to ensure that all wireless adapters are truly secure. Thinking otherwise (with all due respect, no offense intended) is naive.

----------------------------------------------------------------------------
Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks. ...

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ... ...

Summary

... Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.

See also:

Passphrase Flaw Exposed in WPA Wireless Security

Wi-Fi Protected Access. Security in pre-shared key mode

Cracking Wi-Fi Protected Access (WPA)

WPA Cracker

Reply to
John Navas
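Added example, not part of the thread or of the quoted article: the excerpt's key-strength figures applied to candidate keys, next to the passphrase-to-PSK mapping that 802.11i defines (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names and the character-pool estimate are assumptions made for illustration; the estimate is an upper bound that only holds for characters chosen at random.

```python
import hashlib
import math
import secrets
import string

TARGET_BITS = 96  # figure the excerpt above gives as adequate

def derive_psk(passphrase: str, ssid: str) -> str:
    """Map a WPA passphrase to its 256-bit PSK, as 64 hex characters.

    The SSID is public, so the passphrase is the only secret input.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode(), 4096, 32)
    return key.hex()

def max_bits(passphrase: str) -> float:
    """Upper bound on strength, assuming uniformly random characters.

    Human-chosen words and phrases fall far below this bound.
    """
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in passphrase):
            pool += len(cls)
    if any(c in string.punctuation + " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0

def review(passphrase: str) -> dict:
    """Compare a candidate passphrase with the excerpt's two thresholds."""
    bits = max_bits(passphrase)
    return {
        "length": len(passphrase),
        "longer_than_20_chars": len(passphrase) > 20,
        "max_bits": round(bits, 1),
        "reaches_96_bits_at_best": bits >= TARGET_BITS,
    }

def random_psk() -> str:
    """256-bit PSK from the OS CSPRNG, entered as 64 hex digits (no passphrase)."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    print(review("password"))   # constructed sample passphrase
    print(random_psk())
```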

No, you're wrong.

I'm not talking about WPA-PSK

You'd have to have a connection first for that to work.

Simply, there is. It's good enough for your NSA, good enough for your government for military use and it's good enough for me! :)

Has no relevance, I'm not talking about WPA, did you see I mentioned AES 256, WPA or WPA2 doesn't go that far. :)

David.

Reply to
David Taylor
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

The NSA and the military do not permit open wireless systems on their networks.

Reply to
John Navas

I think neither of you has any clue what you're talking about. The military has zillions of wireless systems, but I suspect very few of them are running 802.11b/g.

Mark McIntyre

Reply to
Mark McIntyre

Who said open? Did you not read what I wrote at all?

I mentioned AES encryption with 256 bit key length applied to a PC such that everything going in and out of the wireless adaptor is encrypted.

Such that there's no fuss about having to disable the wireless adaptor.

I hope that's clear enough?

David.

Reply to
David Taylor
