Wireless Adapter Security Question

Could my internal wired network be easily breached by wireless cards on
laptops?  Let me list 2 areas of concern.  A user in an office connects to
an unsecure hotspot while connected to the internal secure wired network.
Or a user makes an ad hoc connection to another wireless user.  Is this a
concern?  Thanks in advance.

Anytime there's data transmitted wirelessly, there should be a concern.  So if your people are transmitting valuable data between each other, the data can easily be intercepted.  I would be very concerned.

aptmis (Author) Commented:
Ok this particular user is testing a hot spot setup that he is working on for a commercial setup near the office.  So he connects to it and works on the AP.  Sometimes tests internet connectivity.  My concern is that there are a lot of unsecured hot spots out there and anytime a user boots up their laptop they will see a notification in their sys-tray.  This may tempt them to connect to it.  I don't believe they would be sending sensitive info over this connection.  But obviously sensitive info is sent over secure wired connection.  Can the wired network be compromised?  This must be a commonplace issue nowadays with the amount of unsecure wireless networks.  Issue 2 is can an ad hoc connection be set up from a malicious user on the outside to a user with laptop on inside?  I would think that this has to be a mutual setup.
ap, in general, if the thieves want your data bad enough, they will get it.  There's no 100% secured network, so when you plug your comp in, you're vulnerable to attacks.

With that said, the answer to your 1st question is yes, absolutely.  If that laptop he's using has access to your wired network, then your network is at potential risk of being compromised.  But as far as setting up an ad hoc connection to the laptop, it would take some work, but that also is possible.

You're right, issues along these lines are so common these days.  Due to risks as such, my org has limited our users to wired networks.  Hopefully there'll be stricter laws against illegal activities on the web.  I think that'll be the only way to deter some of these thieves.

good luck

aptmis (Author) Commented:
How did you limit users to wired?  Do you use a group policy?  This would be hard unless you could only apply it when attached to wired network,  because our mobile users need to connect to wireless network hot spots when traveling.
What I have done in my network is that I have enabled the WEP security feature on my wireless router. So any wireless device can only connect to my wireless network if they provide a special key. Like a password. Otherwise the wireless adaptors can only see that there is a network, but they can not connect to it.
As already stated, anything sent over a wireless network (especially outside insecure ones) can potentially be a concern, so it's best to protect yourself. An ad-hoc network could be established, but it would still require the user to actually connect to it. (Some people don't pay attention to if they're connecting to an AP or another wireless adapter)

Don't even consider using WEP. It's the second easiest security measure to crack or bypass on wireless networks (MAC filtering being the first). Not very hard to get into with some freely available software. Use WPA-PSK or WPA2-PSK as your security measure of choice on wireless... much stronger options.
aptmis (Author) Commented:
I understand and agree that sending info over an unsecured wireless network is a security concern.  I am not trying to set up a wireless network.  There are so many unsecured wireless networks out there the users on my secure wired network can connect to.  Almost all new laptops these days have wireless adapters.  When you boot up with a wireless adapter you are automatically notified of available wireless networks in the area.  This surely would tempt someone to connect (it tempts me).  Also there is a setting to automatically connect to non-preferred networks (this would eliminate user interaction).  I have heard so many reports of networks being compromised from having the AP attached to their internal network.  But I have not heard of any reports of breaches the other way around, where the AP is outside their network but a user on the inside is connected to it, have you?  How are other security admins dealing with this?  What is the best way to protect yourself against this threat?  I wouldn't mind limiting this but then my mobile users need to be able to use this feature when they are on the road so they can check their email at Starbucks or wherever.  I don't care if they connect to these networks when they are off my network.
Ok. I have a question. Suppose a notebook user comes in the office and connects to the network via wire. His notebook is assigned with an IP from the network. Via his wireless network adapter he can also connect to a wifi network. Aren't these 2 different networks? How could someone from the wifi look at the office network? What is risky is that the user's files on the notebook could be in danger. I am not sure about this because I have not tried it. But it is a thought...

Take a look at this:


It looks like there are a few methods for what you are trying to achieve.
aptmis (Author) Commented:
Hmm, thanks darren, that would be a good solution for a tech-savvy individual.  One could also set up a separate hardware profile which would disable wireless networking, giving the user a choice at bootup depending on what network they wanted to use.

I am looking more for enterprise wide control of this.  And more for what other enterprise security admins are doing for this potential problem.  And I am really interested if anyone has heard of any actual successful breaches.  Documentation of this breach will give me the ammo to disable wireless networking.

I will research group policy templates and see where you can set this and let you know what I find.

In (quickly) reading this the immediate issue I see with a computer both wired and wireless--when you're trying to protect the wired network--is how safe the computer itself is from attack, assuming it's clean when connected.

The fact that Non-Routable/Private NAT is (probably) used to give addresses to one or both laptop NICs gives some measure of protection from people in the outside world (those past the WAN interface of the WiFi access point), since not only would unsolicited requests be blocked from accessing the (WiFi) private IPs (assuming it's a decent firewall, it's not using default passwords--many are--and it hasn't had holes drilled in the rules), but also, traffic from one side of the target computer is usually not routable to another interface.

I'm assuming the laptop is not acting as a gateway itself, i.e., ICS, and that it's at least XP SP2. Note that the default search behavior of XP before SP2 is to go into AdHoc mode when the access point it was last connected to is not available. I'm also ignoring the fact that anyone else who has a WiFi lease in the place next to you can probably see every other computer on the WiFi gateway. Some gateways disable this, creating virtual networks for each client, but I'd assume it's not doing that.

The following scenario would allow access to your internal network from the WiFi connection: The computer is poorly patched or cannot be patched against a vulnerability--which may or may not be known to vendors who would patch it. It connects to both networks, and a few minutes later, is exploited by a computer in the WiFi network. Malware is loaded with the user's rights (frequently an administrator) onto the laptop. At this point the malware can see both interfaces; if the user/computer is authenticated on your internal network, the malware simply masquerades as the user and takes what actions the user could take. Is it likely? Not with reasonable precautions. Is it just as likely the same thing will happen from the LAN interface? Depends on the kinds of sites they visit.

What worries me more is that with both connections active the computer will tend to send requests to both interfaces. End-users are rarely as concerned with security, and even if they are they're not always diligent. Many users not only use SIMPLE passwords but also REUSE them, and it is a trivial exercise to sit next door and "sniff" the traffic that "leaks" on the WiFi interface, then attempt to use information gleaned (cleartext passwords) against the computer's authentication services. If the laptop isn't running a firewall, other services are exposed that (with a password obtained) can allow the registry to be edited remotely, services to be started that should not be running, and general freedom to examine the computer as long as it's within range. For example, if port 139 is exposed, it's trivial to obtain the user's login name, the actual domain they're logged into, and other services already running.

A quick search didn't reveal newsworthy exploits from WiFi -> LAN, but there was a lot of commentary that enabling both interfaces at the same time is a risky proposition. Disregarding that for a moment, let's look at this from another angle: You're allowing a computer that has left your network to go out and "get dirty", then to come back in behind your firewall, into what is for most companies their soft underbelly. I see that as a larger security concern, and it's up to you to decide if that computer requires more attention to mitigate risk. In my company traveling computers were updated more often (Software Update Services, now WUS), antivirus and policies were stricter, logins had fewer rights, event logs were monitored, we received alerts when they reauthenticated on the domain, and we used full-drive encryption to guard against theft...because physical access to a machine with domain credentials or company data is also undesirable. We also received alerts when new computers showed up that had never been on before--and we'd go slap the hands of employees who let their friends (who have even less concept of what they're doing wrong) plug in their laptops "for just a minute."

Turning off the WiFi sounds like a good plan, but I'm emphasizing the old axiom: the greatest risk comes from inside. If you've slogged through all of this, I suggest the following document, which addresses some of your concerns in a sideways fashion, and certainly says a few things better than I just did.


Best regards.
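
The conditions this answer walks through (both interfaces active, ICS, ad hoc mode, port 139 exposed without a firewall), plus the auto-connect setting mentioned earlier in the thread, can be checked across a fleet of laptops. The following is an added example, not code from any poster: it audits a constructed inventory, and the `Host` fields, host names and the assumption that an endpoint agent reports these records are all hypothetical.

```python
from dataclasses import dataclass, field

CHECKS = {  # finding code -> concern raised in the thread
    "DUAL_HOMED": "wired and wireless interfaces active at the same time",
    "BRIDGING": "ICS enabled while dual-homed (laptop can act as a gateway)",
    "ADHOC": "wireless adapter operating in ad hoc mode",
    "OPEN_WIFI": "associated with an unsecured wireless network",
    "AUTO_JOIN": "connects automatically to non-preferred networks",
    "EXPOSED_139": "port 139 listening while the host firewall is off",
}

@dataclass
class Host:  # hypothetical record, e.g. reported by an endpoint agent
    name: str
    wired_up: bool
    wifi_up: bool
    wifi_mode: str = "infrastructure"  # or "adhoc"
    wifi_encrypted: bool = True
    ics_enabled: bool = False
    auto_join: bool = False
    firewall_on: bool = True
    listening: set = field(default_factory=set)

def audit(h):
    """Return the finding codes that apply to one host."""
    tests = [
        ("DUAL_HOMED", h.wired_up and h.wifi_up),
        ("BRIDGING", h.wired_up and h.wifi_up and h.ics_enabled),
        ("ADHOC", h.wifi_up and h.wifi_mode == "adhoc"),
        ("OPEN_WIFI", h.wifi_up and not h.wifi_encrypted),
        ("AUTO_JOIN", h.auto_join),
        ("EXPOSED_139", not h.firewall_on and 139 in h.listening),
    ]
    return [code for code, hit in tests if hit]

def report(hosts):
    """Hosts with findings; dual-homed ones first, then most findings."""
    rows = [(h.name, audit(h)) for h in hosts if audit(h)]
    return sorted(rows, key=lambda r: ("DUAL_HOMED" not in r[1], -len(r[1]), r[0]))

FLEET = [  # constructed sample inventory, not real hosts
    Host("lt-01", wired_up=True, wifi_up=False),
    Host("lt-02", True, True, wifi_encrypted=False, auto_join=True),
    Host("lt-03", False, True, wifi_mode="adhoc", firewall_on=False, listening={139, 445}),
    Host("lt-04", True, True, ics_enabled=True, firewall_on=False, listening={139}),
]

if __name__ == "__main__":
    for name, codes in report(FLEET):
        print(name, [CHECKS[c] for c in codes])
```

Hosts that are dual-homed sort first because they are the ones that can reach the wired network while also exposed on wireless.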
It's very simple...

Takes ~30 mins to crack 128-bit WEP key.
Takes ~20 mins to hack pc on network (pc connected to that wireless AP)
Takes ~5  mins to login to newly hacked machine and do whatever u want.... meaning can with no problem browse your internal network using the legit laptop as the host....

Try to make sure laptop is free of vulnerabilities, no open shares, very strong passwords.... and 3rd party firewall, and AVP.  Windows firewall just doesn't cut it! ;)
aptmis (Author) Commented:
Hi and thanks for the comments.  I have been real busy and have not had time to research this.  I agree that this is a concern, that's why I brought it up.  I was wondering if anyone knows how to disable wireless networking in group policy.   And can anyone point me to any articles documenting this exact scenario as a security concern?  Thanks...