Unsecured wifi and VPN

  • Unsecured wifi and VPN

    I have a question that I am hoping someone can help me clear up. I have a client that has a Microsoft SBS 2003 network. It is fully patched and firewalled. Two of the employees are moving to a remote office and will connect to the network via the VPN established by the SBS 2003 Connection Manager. So far so good. The problem is that the 2 employees will be connecting their laptops to an unsecured wifi access point that is being shared by other companies.

    Two employees that I work with state that as long as the VPN is connected, they are secured regardless of the fact they are connecting to an unsecured WAP. My stance is that the VPN will only protect the data en route, and that they are still sitting ducks waiting to be hacked. Furthermore, I state that once someone breaks into one of the laptops, the VPN will more than likely provide the attacker secured access to their server via the VPN link.

    So I need to know: am I right in believing that they are not secured attaching to an unsecured open wifi, even with a VPN to their remote office, or will the VPN provide security to the laptops?

    Thanks, I look forward to getting the answer.

  • #2
    Re: Unsecured wifi and VPN

    AFAIK, you are correct in your understanding. I've had a conversation with a user about this in the not too distant past. "If we're using a VPN connection, do we really need to worry about anti-virus? Aren't I secure?" was the general question. I tend to like this analogy concerning the whole situation:

    "If you and I were to have a conversation in a language that only we knew... let's say an obscure dialect of Klingon... no-one else in the room would be able to eavesdrop and steal the information that we were talking about. However, someone could still sneak up behind me and pick my pocket or kick me in the pants. The conversation isn't compromised, but my computer is still a 'sitting duck' to other attacks."

    Of course, the secure communication could be compromised if the machine was attacked, an administrator account was compromised and an .exe was copied to the file system and was set to run the next time an admin logged in (in a Windows environment anyway; the specifics would be different in a *NIX environment, but the end result would be the same). Now a trusted machine has a rootkit, keylogger, remote control proggy, or all of the above installed on it. The badware now has a convenient open door into the network ala the VPN. I'll let your imagination figure out the mayhem that could potentially ensue. All because it was an open target on a public wifi spot.

    You could mitigate this threat by having a pretty hard client firewall policy and strict best-practices OS configuration. Try your hardest to fight against the "Hard Crunchy Outside with the Soft Chewy Inside" security paradigm. A mobile force is the proverbial monkey wrench in the cogs when it comes to security. I know it well. My current project is trying to raise the level of security for my organization's fleet of laptops.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: Unsecured wifi and VPN

      Thanks for the reply. I am not a security expert by any means, but I have been studying network security for about 6 months now, and my understanding is that an unsecured connection to a public WAP is an unsecured connection, regardless of any tunneling. With the tools available on the Web, I am afraid that the laptops will be compromised within a week. After all, it is a public WAP.

      Thanks again,

      -T0nz



      • #4
        Re: Unsecured wifi and VPN

        I have to agree with Nonapeptide.

        The clients will be vulnerable, and although the tunnel is encrypted, the wireless connection isn't.
        I don't know what kind of VPN client you're using; however, some firewall suppliers distribute a VPN client with their firewall which can be configured securely.
        For example: Check Point distributes SecureClient. SecureClient is a VPN client with a built-in firewall.
        Although I don't like the client for this purpose, it works very well.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Unsecured wifi and VPN

          I also agree with Dumber and Nonapeptide: the VPN will ensure that the connection to the home network is secure, but it will do nothing regarding the data encapsulated in the VPN tunnel. If the laptop is infected with any type of network-based malware, then that malware will be "injected" into the home network via the VPN tunnel. This was a big problem at my previous job with laptop users. What you might look into is RAP (Remote Access Protection?), which is available with either Windows Server 2003 R2 or Windows Server 2008. It basically allows you to "quarantine" your remote users with your Remote Access Policy unless they meet certain "standards" such as having up-to-date anti-malware and such.



          • #6
            Re: Unsecured wifi and VPN

            The VPN connection is the built-in VPN connection supplied by Microsoft SBS 2003. The wizard creates an executable which, when run on the client, creates a VPN connection with the SBS server. While that connection is secure, I keep trying to explain to the others that the VPN connection does nothing to protect the 2 laptops from the unsecured public wifi connection.

            Thanks for the suggestion of using Remote Access Protection. I haven't heard of that, so I am going to research it. I'm not sure if it is available with SBS 2003 R1, but I am definitely going to look into it.



            • #7
              Re: Unsecured wifi and VPN

              I keep trying to explain to the others that the VPN connection does nothing to protect the 2 laptops from the unsecured public wifi connection.
              Need any help with analogies? How about this one:

              Two people pass notes to each other in class. Their communication is secure. The teacher whacks one of the kids with her ruler. He looks up in surprise and says "What happened? We're talking securely?!?" Secure communication does not protect your head from a ruler.

              Or...

              You're talking on a secured telephone in your house. The phone's transmissions are encoded by a military-grade piece of equipment. A home invasion robber kicks down your front door. You look surprised and say "But... I'm talking securely!!" Secure communication does not protect your front door.

              Okay, those are a little oddball.
              Last edited by Nonapeptide; 13th March 2008, 03:26. Reason: Punctuation
              Wesley David



              • #8
                Re: Unsecured wifi and VPN

                Oddball yes. But...they are not listening to reason, so maybe oddball might break through. Both of those analogies are exactly what's happening.

                Thanks, I'll see if they get these



                • #9
                  Re: Unsecured wifi and VPN

                  Why don't they spend $50 on a WAP that they can secure. Everyone is happy. I tell my daughter when she starts to go out with boys she is to tell them, "if it ain't on, it ain't on". (Can't get much more oddball than that).

                  If they refuse to connect through a secure AP, then explain to your boss they are opening the network up for a potential invasion and they shouldn't be connected until their end is secured. A chain is only as strong as the weakest link.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2



                  • #10
                    Re: Unsecured wifi and VPN

                    Tons of Fun mournfully cried:
                    But...they are not listening to reason, so maybe oddball might break through.
                    Who is this ubiquitous "they"? Is it an IT person that is above you in the pecking order or a non-IT person? The reason I wonder is this: if your paid position is the IT guy, who is the one who ostensibly analyzes, discerns, and decides on these things, why does this "they" not accept your judgment as that of a trained and knowledgeable professional and allow you to do your job? I think I know the answer, but am just a naturally curious person. Maybe it's time to have a heart-to-heart talk? Maybe ask them if they have a legitimate reason to question your judgment and see what gets said.

                    "Having done this vocation for some time now, and learned quite a bit about it, the reality of this situation with our wireless connection and the use of the VPN is apparent to me. It's obvious that you don't trust my judgment on this matter. Why is that? Have I done something in the past that causes you to question whether or not I know what I'm doing? If that's the case, maybe you need to find someone else that you're more comfortable with. Or if you do trust me, just allow me to do my job and trust my judgment on matters that I know more about. This is what I do for a living. It's in my best interest to know about these things and do what's best for the organization."



                    Biggles77 musingly pondered:
                    Why don't they spend $50 on a WAP that they can secure.
                    ...and Tons of Fun said in a previous post (emphasis mine):
                    The problem is that the 2 employees will be connecting their laptops to an unsecured wifi access point that is being shared by other companies.
                    Ummm... that last bit about several companies connecting through the same AP makes me scratch my head. Quite a unique situation... is it an office park that decided to piggyback onto the WiFi link at the Burger King across the street?
                    Wesley David



                    • #11
                      Re: Unsecured wifi and VPN

                      Technically, there is another option which is secure, but this option is expensive.
                      For example: you can use SecureClient from Check Point to connect to your Check Point VPN-1 server. Within Check Point you can configure SecureClient to deny all traffic except the traffic which flows through the VPN connection.

                      However, for this you need a Check Point firewall and, when needed, licenses for SecureClient (I believe you get 5 clients for free).

                      I'm not sure if there are other client firewalls out there that are network aware.
                      If so, you could configure them to deny all inbound traffic except the traffic which comes from your office.
                      Marcel



                      • #12
                        Re: Unsecured wifi and VPN

                        I am sure they won't spend the money, but I wonder if the Linux-based IPCop has that capability; I could probably push that through, and I know how to install and set it up. The mysterious "they" is my boss and another administrator. The other admin is the one setting it up, and I saw the potential problem, so I immediately brought it up. I believe the other admin feels like I am stepping on his toes, but we are responsible for our clients' security, and the hole is there. My boss is open-minded, so I am going to talk to him again tomorrow, and use those great analogies that Nonapeptide gave me.
                        I am new to security, so if anyone knows whether IPCop will provide the same functionality as the Check Point in denying all inbound traffic except that which flows through the VPN, that would be great.

                        Thanks.



                        • #13
                          Re: Unsecured wifi and VPN

                          IPCop won't provide the same security as Check Point. Check Point is the market leader in security products.
                          Also, the notebooks need protection. I assume that the notebooks are Windows and not Linux.

                          Another option might be simply using the Windows Firewall and creating some exceptions.
                          Although it isn't the greatest one, it will make things more difficult.
                          The Windows Firewall will only block inbound traffic and won't protect the clients against outbound traffic. Also, it can be centrally managed using GPOs.

                          So my recommendation is: when you need high security, go for Check Point. They are simply the best but also the most expensive.

                          Otherwise, use any other client-side firewall and simply deny all inbound traffic, with some exceptions for your internal network.

                          Some examples:
                          Windows Firewall
                          McAfee Desktop Firewall
                          ZoneAlarm (now from Check Point)
                          And there are many more.
                          Marcel

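Added example (not from Marcel's post, and not Microsoft's own sample): what "deny all inbound traffic, with some exceptions for your internal network" looks like on the inbound-only Windows Firewall of XP SP2 / Server 2003 SP1, which is what these laptops would have been running. It assumes the SBS internal subnet is 192.168.16.0/24 (the SBS 2003 wizard default; substitute yours) and that the office subnet is only ever reached through the VPN tunnel.

```batch
@echo off
REM Added example: lock down the XP SP2 / Server 2003 SP1 Windows Firewall
REM (inbound filtering only) so that a laptop on a shared, open WAP accepts
REM nothing except a few services from the SBS office subnet over the VPN.
REM Assumption (not from the thread): office subnet is 192.168.16.0/24.
REM Run from an administrative command prompt, or push the same settings
REM via Group Policy (see the note below this block).

REM Firewall on for every profile. On the WAP no domain controller is
REM reachable until the tunnel is up, so the laptop sits in the Standard
REM profile; settings applied only to the Domain profile would not apply.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM No "unblock?" prompts for the users: one click would open a hole.
netsh firewall set notifications mode=DISABLE profile=ALL

REM Nothing answers the local wireless segment: no UPnP, no remote admin
REM (RPC/WMI), no replies to broadcast/multicast, no ICMP.
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set multicastbroadcastresponse mode=DISABLE profile=ALL
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL

REM File and Print Sharing (TCP 139/445, UDP 137/138) and Remote Desktop
REM (TCP 3389) only for the office subnet, never for the WAP.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.16.0/255.255.255.0 profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=192.168.16.0/255.255.255.0 profile=ALL

REM Log dropped packets so that a probe from the WAP leaves evidence.
netsh firewall set logging filelocation=%systemroot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

REM Verify the effective configuration and the ports actually open.
netsh firewall show config
netsh firewall show state
```

The same settings can be deployed centrally (as Marcel notes) under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, in both the Standard Profile and Domain Profile folders, using "Allow unsolicited incoming messages from" = 192.168.16.0/255.255.255.0 on each exception. Two caveats: this firewall inspects inbound traffic only, exactly as the post says, and a scope is a source-address filter rather than a binding to the VPN adapter, so a host on the WAP spoofing a 192.168.16.x source address still matches it. Run `netsh firewall show state` once the tunnel is up to confirm that only the scoped exceptions are open.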


                          • #14
                            Re: Unsecured wifi and VPN

                            Quoth Dumber:
                            The Windows firewall will only block inbound traffic and won't protect the clients against outbound traffic.
                            That's true for the pre-Vista Windows Firewall. Vista's firewall does include outbound rules. Now, as to the functionality of the new Vistafied firewall, I'm not so sure. I haven't tinkered with it much, but the possibility does seem to exist that one could make a sweeping ruleset to block all outbound traffic that does not go through the VPN.

                            ToF, Is Vista on the network yet?


                            Quoth Dumber:
                            So my recommendation is when you need high security go for Check Point. They are simply the best but also the most expensive.
                            So, umm... do you like Check Point?
                            Last edited by Nonapeptide; 18th March 2008, 00:39. Reason: Added clarity
                            Wesley David

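Picking up the speculation in the post above about a "sweeping ruleset to block all outbound traffic that does not go through the VPN", and Marcel's earlier description of a client that denies everything except what flows through the tunnel: the Vista / Server 2008 `netsh advfirewall` context does have outbound rules, and this added example (written for this page, not taken from either poster or from Microsoft) shows such a ruleset. It assumes a PPTP tunnel (TCP 1723 plus GRE, the SBS 2003 Remote Access default; check the Connection Manager profile), uses 203.0.113.10 as a placeholder for the SBS server's public address, 192.168.16.0/24 for the office subnet, and assumes the laptop is on its wireless adapter. For an L2TP/IPsec tunnel, substitute UDP 500/4500 and ESP (IP protocol 50) for TCP 1723 and GRE.

```batch
@echo off
REM Added example: Vista / Server 2008 Windows Firewall with Advanced Security
REM rules so that a laptop on an open WAP can talk to nothing but the SBS VPN
REM endpoint, with everything else forced through the tunnel.
REM Assumptions (placeholders, not from the original thread):
REM   203.0.113.10     public address of the SBS 2003 server
REM   192.168.16.0/24  SBS internal subnet
REM   PPTP tunnel: TCP 1723 control channel plus GRE (IP protocol 47)

REM Keep a copy of the current policy so the change can be rolled back.
netsh advfirewall export "%systemroot%\before-vpn-lockdown.wfw"

REM Default deny in BOTH directions, on every profile, no user prompts,
REM and log what gets dropped.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles settings inboundusernotification disable
netsh advfirewall set allprofiles logging droppedconnections enable

REM Wireless side: only what is needed to get an address and bring the
REM tunnel up. DNS is the one wide hole; drop that rule if the Connection
REM Manager profile names the SBS server by IP address instead of by name.
netsh advfirewall firewall add rule name="WAP: DHCP client" dir=out action=allow protocol=UDP localport=68 remoteport=67 interfacetype=wireless
netsh advfirewall firewall add rule name="WAP: DNS to resolve VPN server" dir=out action=allow protocol=UDP remoteport=53 interfacetype=wireless
netsh advfirewall firewall add rule name="VPN: PPTP control to SBS" dir=out action=allow protocol=TCP remoteport=1723 remoteip=203.0.113.10 interfacetype=wireless
netsh advfirewall firewall add rule name="VPN: GRE to SBS" dir=out action=allow protocol=47 remoteip=203.0.113.10 interfacetype=wireless
netsh advfirewall firewall add rule name="VPN: GRE from SBS" dir=in action=allow protocol=47 remoteip=203.0.113.10 interfacetype=wireless

REM Tunnel side (the RAS interface the VPN creates): unrestricted outbound,
REM inbound only from the office subnet.
netsh advfirewall firewall add rule name="Tunnel: all outbound" dir=out action=allow interfacetype=ras
netsh advfirewall firewall add rule name="Tunnel: office subnet inbound" dir=in action=allow remoteip=192.168.16.0/24 interfacetype=ras

REM Verify: the policy must read BlockInbound,BlockOutbound and every
REM enabled rule should name either the WAP or the tunnel.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Run it from an elevated prompt; the identical rules can be deployed as domain policy under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Because outbound is blocked by default, Windows Update, antivirus updates and web browsing only work while the tunnel is up and only through the SBS side, which is the intended effect. If the same laptops also dock onto a wired LAN at the remote office, duplicate the wireless rules with `interfacetype=lan`.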


                            • #15
                              Re: Unsecured wifi and VPN

                              Originally posted by Nonapeptide:
                              Quoth Dumber:
                              The Windows firewall will only block inbound traffic and won't protect the clients against outbound traffic.
                              That's true for the pre-Vista Windows Firewall. Vista's firewall does include outbound rules. Now, as to the functionality of the new Vistafied firewall, I'm not so sure. I haven't tinkered with it much, but the possibility does seem to exist that one could make a sweeping ruleset to block all outbound traffic that does not go through the VPN.

                              ToF, Is Vista on the network yet?
                              I don't know how the firewall is in Vista. I still haven't played with Vista.
                              For now I even want to keep it that way, just because I need to get my MCSE 2003.
                              Although I've got Windows 2008 and Vista Ultimate at home. A present from Microsoft (been to a seminar and that was a present).


                              Originally posted by Nonapeptide:
                              Quoth Dumber:
                              So my recommendation is when you need high security go for Check Point. They are simply the best but also the most expensive.
                              So, umm... do you like Check Point?
                              Yeah, I do like Check Point (I'm a CCSE+); however, I also like ASA and ISA. Both won't run well on a client.

                              However, the bottom line of my story was that he needs to enable some kind of firewall which at least blocks all inbound traffic except the traffic from his network.
                              However, I don't know if all those firewalls are VPN aware, so you need to make some concessions.
                              Marcel
