Penetration Testing
mailing list archives
RE: Wireless Pent-Test
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Tue, 7 Oct 2003 10:44:28 -0400
<snip>
> Cool, lots of xtras to deal with as regards maintaining and managing the setup. As long as your IT group and corporation are willing to take those steps, more power to all of you. Of course, it's pretty impractical still and a onetime looksee is not going to make sure it's happening all the time.
Agreed. Security is never fire and forget. It should always be cyclic.
<snip>
> Security that does not address the real points of risk and attack is useless though. Thus my rant that VPNs are not a cure-all, and seldom address such, though I've seen VPNs tossed about nilly and frilly to anyone, regardless of if there's a real requirement or not for such. And far too often those implementing such solutions are not gaining anything of real value for the efforts. Point of my whole posting<s> on the topic.
Again I agree. We also see VPNs deployed when there may not be legitimate need. But this points back to the whole
productivity/security balance. Essentially, any VPN connected device should be treated just as a LAN connected device
with a cat 5 cable. Most of us have firewalls in place to protect our LANs, most of us use AV protection, most of us
perform security audits (vuln analysis etc...) and I think my point would be, once a user connects from home, the
corporate security policies, and all of the security management work that goes into protecting a LAN, now has to be
done at the user's end as well. Hence, this brings forth the extension of the organizational security policy to the
home as a pre-requisite to VPN connection. Just saying that doesn't accomplish much. There's real work to be done on
behalf of the security staff to assure this.
<snip>
> Automate all you wish, but, unless you own the PC enough to *not* provide the user with admin access rights, you'll likely find the auto updates are disabled a short time later, if not by the user you are responsible for, then by their kids <smile>.
Could happen. Has happened. At which point it becomes a documented exposure, and said user is sanctioned
appropriately. Back to the security being cyclic, and no such thing as fire and forget etc.... A corporate user could
just as easily turn off their desktop AV protection because "it slows my computer down, wah." That happens too.
Diligence is work, but we have to stay on top of these things.
> But, to actually mitigate risk, there's more to a VPN'ed setup than anti-viri/trojan guards, how do you safely offer your users http access, without a strong proxy?
> Thanks,
Proxy is one way. Making the VPN connection's default route come through the organization's HTTP security mechanisms
is a good general practice. Same would apply for SMTP, POP3, etc... One of the biggest dangers here, and most
difficult to mitigate is what happens on the end user's machine when they're *not* connected to and through the VPN.
This provides cause to place VPN concentrators in a DMZ type environment when resources permit. I don't think we ever
recommend configuring VPN users as "trusted" network connections. A customer may go against our advice after
considering productivity gain versus cost.
To anyone following this thread, please understand that this is a really good point we're bantering about here. I'm
personally aware of cases where organizational core networks have been compromised by VPN connected users. I haven't
stumbled across a case where a war-driver cruising the neighborhood happened to find himself connected with full access
to a corporate network via VPN, but I'm certain it will happen in time. Most of the time, the war-drivers find
themselves in the heart of an organization's network as soon as they connect up with the WAP. There are a lot of
poorly configured/deployed wireless solutions out there. But this isn't news to anyone.
<snip>
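One way to check the "default route through the organization" practice discussed in the reply above, as an added example that is not part of the original message: it parses Linux `ip -4 route show` output from a VPN client and separates routes that bypass the tunnel from local networks that stay reachable while connected. The interface name `tun0`, the gateway address 198.51.100.10 and both routing tables are constructed for illustration, and the check assumes the VPN client replaces the default route outright.

```python
import ipaddress

# Constructed `ip -4 route show` output; tun0 and 198.51.100.10 are assumed names.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
198.51.100.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return (network, device, on_link) for every route line with a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev, "via" not in fields))
    return routes

def audit(text, tunnel_dev, vpn_gateway):
    """Split findings into tunnel bypasses and locally exposed networks."""
    gateway = ipaddress.ip_address(vpn_gateway)
    report = {"bypass": [], "local": []}
    routes = parse_routes(text)
    # Assumes the VPN client replaces the default route outright.
    if not any(n.prefixlen == 0 and d == tunnel_dev for n, d, _ in routes):
        report["bypass"].append("no default route through " + tunnel_dev)
    for net, dev, on_link in routes:
        if dev == tunnel_dev:
            continue
        if net.prefixlen == 32 and gateway in net:
            continue  # host route that carries the encrypted tunnel itself
        if net.prefixlen == 0:
            report["bypass"].append("default route via " + dev)
        elif on_link:
            report["local"].append("%s on %s" % (net, dev))
        else:
            report["bypass"].append("%s via %s" % (net, dev))
    return report
```

Calling `audit(SPLIT_TUNNEL, "tun0", "198.51.100.10")` reports the missing tunnel default and the default route left on `wlan0`; the `local` list shows the home network that stays directly reachable in both tables.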