Security question about "Boot on Lan Technology"

  My institution is considering using "Boot on Lan Technology"; are there any security problems with that? What's to keep someone from booting computers on the network? If I go to freshmeat.net I can download software that boots computers for free, and so can someone that I don't want to. Is the special packet that wakes a computer up configurable?

  I'm not looking for an answer pertaining to the security of the entire network nor its machines, no matter how justified you might think it is. Which means I'm not awarding points for these types of answers.
Asked by: Fubyou
1 Solution
 
Rich Rumble (Security Samurai) commented:
The basic security of wake-on-LAN technology is the knowledge of the MAC address, that's it. USUALLY there is no password; you just have to have the MAC address correct. Sometimes you need both MAC and IP; others have added a password in addition to the IP and MAC address. Your BIOS must support the feature first, then your NIC.
http://support.intel.com/support/network/adapter/pro100/sb/cs-008438.htm
http://support.intel.com/support/network/sb/CS-008459.htm#1 (no password required)
http://www.amd.com/us-en/ConnectivitySolutions/TechnicalResources/0,,50_2334_2481,00.html

There isn't much as far as authentication with respect to WOL... but it would take you a long time to brute-force a bunch of MAC addresses to get one right. The NICs don't answer regular broadcasts when the PC is powered off; they do listen, and that's how they pick up the WOL packet. So someone can't sniff your network and get MAC addresses while the PCs are off.
http://www.ciol.com/content/search/showarticle1.asp?artid=38876

But if they did manage to boot a PC or server, then they could start to work on those boxes...
GL!
-rich
 
Rich Rumble (Security Samurai) commented:
To clarify, look at different NIC vendors to see if one offers more security than another.
This is the process...
A Magic Packet is simply a UDP packet with a specific sequence of bytes. The sequence is a 6-byte synchronization sequence (0xFFFFFFFFFFFF), followed by the primary network card's physical address (MAC address), for the machine you are attempting to wake up, repeated 16 times in sequence. After building this packet we then broadcast it to a local subnet.

Still, I was unable to find any of the popular NIC providers that offered a password for wake-on-LAN...
intel,amd,3com,linksys,dell etc...
-rich
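The Magic Packet layout Rich describes, built and parsed in Python as an added example (this is not code from the original thread). It also shows the optional password trailer the first answer mentions (the 4- or 6-byte password some NICs support, often called "SecureOn"; a NIC without that feature simply ignores trailing bytes), and runs the parser over a constructed set of UDP payloads the way a small sensor on the subnet would, which is the check you want if you are worried about who is sending wake-ups. The MAC addresses, sample payloads and the `send_magic_packet` helper (defined but not called) are assumptions made for illustration.

```python
import re
import socket
from typing import List, Optional, Tuple

SYNC = b"\xff" * 6      # 6-byte synchronisation stream that opens every Magic Packet
MAC_REPEATS = 16        # target MAC address repeated 16 times after the sync stream
WOL_PORT = 9            # conventional WOL target port (7 is also common); assumption for the sender


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, password: Optional[bytes] = None) -> bytes:
    """Sync stream + MAC x16, plus an optional 4- or 6-byte password trailer
    (the SecureOn-style password some NICs check; most ignore it)."""
    payload = SYNC + parse_mac(mac) * MAC_REPEATS
    if password is not None:
        if len(password) not in (4, 6):
            raise ValueError("WOL password must be 4 or 6 bytes")
        payload += password
    return payload


def parse_magic_packet(payload: bytes) -> Optional[Tuple[str, Optional[bytes]]]:
    """Return (mac, password-or-None) if payload carries a well-formed Magic Packet,
    else None. NICs scan for the sync stream anywhere in the frame, so we do too."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + len(SYNC):]
        if len(body) >= 6 * MAC_REPEATS:
            mac = body[:6]
            # the 16 repeats must be identical and must not be the sync pattern itself
            if body[:6 * MAC_REPEATS] == mac * MAC_REPEATS and mac != SYNC:
                trailer = body[6 * MAC_REPEATS:]
                password = trailer if len(trailer) in (4, 6) else None
                return ":".join(f"{b:02x}" for b in mac), password
        idx = payload.find(SYNC, idx + 1)
    return None


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT, password: Optional[bytes] = None) -> int:
    """Broadcast the packet on the local subnet; returns the number of bytes sent."""
    pkt = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


# Constructed UDP payloads, as a sensor listening on the broadcast port might see them.
SAMPLE_PAYLOADS: List[bytes] = [
    build_magic_packet("00:1a:2b:3c:4d:5e"),                                          # plain wake-up
    build_magic_packet("00-1A-2B-3C-4D-5F", password=b"\x01\x02\x03\x04\x05\x06"),    # with password trailer
    SYNC + b"\x00\x1a\x2b\x3c\x4d\x5e" * 15,                                          # malformed: only 15 repeats
    b"GET / HTTP/1.0\r\n\r\n",                                                        # unrelated traffic
    b"\x00" * 20 + build_magic_packet("00:1a:2b:3c:4d:60"),                           # sync not at offset 0
]


def detect_wol(payloads: List[bytes]) -> List[Tuple[int, str, bool]]:
    """Return (index, target MAC, has_password) for every payload that is a Magic Packet."""
    hits = []
    for i, p in enumerate(payloads):
        parsed = parse_magic_packet(p)
        if parsed:
            hits.append((i, parsed[0], parsed[1] is not None))
    return hits


if __name__ == "__main__":
    for i, mac, pw in detect_wol(SAMPLE_PAYLOADS):
        print(f"WOL seen: payload #{i} targets {mac} (password trailer: {pw})")
```

Two things worth noticing when you run it: the parser accepts the packet wherever the sync stream sits in the payload, because that is what the NIC does, so a sensor that only checks offset 0 will miss some tools; and the only "secret" in the whole exchange is the 6-byte MAC, which is exactly Rich's point about the lack of authentication.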
 
Phill_upson commented:
Whilst using network boot doesn't require an initial password, all you really have access to is the wiring and to see that other kit exists (no less secure than someone plugging their laptop into a spare socket on the wall). Whatever you are booting over the network, which as commented before would need a matching MAC address, would normally be your standard OS anyway, requiring the user to log in before accessing resources. I have to say I haven't seen an attack use LAN boot as an access method; coupled with this, the machine would need matching hardware to boot successfully anyway, due to the drivers for the hardware.

Hope this helps
 
Rich Rumble (Security Samurai) commented:
True, it appears that physical security is necessary, but should someone be able to get into your LAN from outside (a backdoor, a trojan, P2P exploit, hacking, etc.) they could install the WOL software. I've never seen anyone do it, however; most PCs are left on after hours, or the majority of them are, typically because users aren't told to turn them off, or to roll out updates to the PCs. You can enforce both: you can schedule a task to run to shut down PCs after hours, and in addition you can specify logon hours so that no one could try to log on to PCs after hours, but the PCs can be booted or remain booted "after hours". Windows shutdown.exe can easily be scripted to send the "shutdown" command to IPs that you specify, in whatever time frame you specify, every five minutes, every hour, etc... But as said before, it's typically overlooked and/or not done often, the WOL that is.
-rich