
At no other time in the life cycle of a laptop will it be more vulnerable than when it connects to a public Wi-Fi hotspot. I’ve mentioned this numerous times already in this book, and it is an extremely important threat to realize. This section examines the following threats:

- Connecting to many unknown systems
- Connecting to the Internet
- Data flying through the air
- Other people in the area viewing the laptop screen

Chapter 5 Understanding the Need for Mobile NAC

Connecting to the same network as a bunch of unknown computers is always a security risk. If you think about the Internet, that is exactly what is happening. Computers from all over the world are connected to the same big network, and they are able to communicate with each other. This is what makes the Internet so valuable. These computers can easily exchange information. It is also what makes the Internet so insecure. There is no means to separate the peaceful computers from the ones that are trying to attack. That is why every smart enterprise in the world places firewalls and other security equipment between corporate LANs and the Internet. Those other computers can’t be trusted, so they can’t be allowed access. They must be firewalled from the corporate LAN. It makes perfect security sense.

Now, look at it from a mobility standpoint. When laptops are in a Wi-Fi hotspot at an airport, coffee shop, and so on, they are connecting to a wireless network. They connect to this network so that they can get Internet access. At the same time, a bunch of other computers are also connecting to that same wireless network. In reality, the corporate laptop is now connected to a bunch of other computers, and there is no way to tell if these computers are peaceful or if they will try to attack that laptop. Figure 5-16 illustrates this point.

This direct connection with the other computers at the public Wi-Fi hotspot is a serious threat. Unfortunately, it’s not the only threat. Just as the mobile corporate laptop is directly connected to these computers, it is also connected to the Internet. Thus, it would still need all the protection it would normally have if it were on the corporate LAN.

In this scenario, would a hardware-based firewall or LAN-based NAC help? They really wouldn’t. These technologies don’t come into play at this point. Clearly, there are major threats, but these technologies aren’t the ones to address them.

[Figure 5-16: Corporate laptop at a public Wi-Fi hotspot. Callout: Because these laptops are on the same network, it is easy for them to be attacked directly. There isn’t a firewall between these devices. Hacker can launch direct attack against the corporate laptop. Labels: Internet, Wireless Access Point, Hackers Laptop, Corporate Laptop, Peaceful Laptop]

Mobile NAC and the Wireless Threat

Another threat is the fact that data is flying through the air. Previous chapters have discussed how an unauthorized user on the corporate LAN can sniff data that is flying by on the Ethernet. The same is true at public Wi-Fi hotspots, only it’s a bit easier. You don’t have to break into the LAN; you simply have to be in range of the Wi-Fi signal. All of the data leaving the computers on the public wireless network is literally just flying in the air, waiting to be seen. By default, these hotspots do not offer any encryption to protect the data. Also, many applications don’t provide encryption, either. Figure 5-17 shows a Yahoo! Instant Messaging session being intercepted.

Since the hotspots themselves don’t offer encryption to protect this data, there is a pretty useful way to still protect it — use a VPN client with split tunneling disabled. That way, all data leaving the mobile device is sent through a VPN tunnel that is encrypted, commonly with AES or 3DES. This provides very good protection for the data, as illustrated in Figure 5-18.

The last threat that we’ll cover has to do with physical security. If a user has a corporate laptop open in a public area, there’s always the chance that someone can see what is on the screen. Often, I have to work from public places, such as airports and coffee shops. There are times when I do notice people trying to look at my screen. You’ll also see this often on airplanes. If there’s a screen in view, you just can’t help being drawn to look at it.

3M offers a pretty nifty solution to help address this threat. It’s a filter that is placed on the laptop screen. Unless you are directly in line with the screen, you are not able to see what’s on it. These are definitely pretty neat. More information can be found at http://solutions.3m.com/wps/portal/3M/en_US/ComputerFilter/Home.

[Figure 5-17: Actual Yahoo! Instant Messaging session being intercepted. Labels: Internet, Wi-Fi Hotspot, Access Point, Corporate Laptop]

[Figure 5-18: Using a VPN client with split tunneling disabled. Callouts: Hacker cannot view any encrypted data leaving the mobile device; All data sent inside encrypted VPN tunnel encrypted with AES. Labels: Corporate Laptop, Wi-Fi Hotspot Access Point, Corporate VPN Device, Internet]

So, what exactly can companies do to protect their corporate laptops when they are being used with wireless networks? A big part of the answer involves Mobile NAC. Here’s how it helps:

- Ensuring the mobile laptop has all necessary patches when it is mobile. This would help by removing the vulnerabilities to direct attacks from the other computers on the wireless LAN and the Internet.
- Ensuring that the personal firewall and all other security software is running and configured properly. This would help stop exploits as they were run against the corporate laptop.
- Disallowing the corporate laptop from connecting to the public Wi-Fi hotspot if its security posture is deficient.
- Enforcing that the VPN client must be up and running or the wireless connection will be disconnected. This would protect data going to and from the machine that would otherwise be flying through the air unencrypted.
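As an added illustration (not code from the book or any NAC product), the four Mobile NAC rules above and the "split tunneling disabled" requirement from the VPN discussion can be expressed as a single posture check that decides whether the wireless connection may stay up. The Posture fields, the route-list format and the tun0/wlan0 interface names are assumptions, and all inputs are constructed samples.

```python
"""Mobile NAC posture check (illustrative only; not the book's or a vendor's code)."""
from dataclasses import dataclass, field


@dataclass
class Posture:
    """Self-reported state of the laptop at the hotspot (assumed field set)."""
    missing_patches: list          # critical patches not yet installed
    firewall_running: bool         # personal firewall up and configured
    av_running: bool               # other security software running
    vpn_up: bool                   # VPN client connected
    routes: list = field(default_factory=list)   # (destination, interface) pairs


def split_tunneling_disabled(routes, vpn_if="tun0"):
    """True only when every default route (0.0.0.0/0) points at the VPN
    interface, so no traffic can leave the laptop outside the tunnel.
    Assumes routes are (dest, iface) pairs; a missing default route fails."""
    defaults = [iface for dest, iface in routes if dest == "0.0.0.0/0"]
    return bool(defaults) and all(iface == vpn_if for iface in defaults)


def evaluate(p):
    """Apply the rules in order: a deficient posture is denied the hotspot
    outright; an otherwise healthy laptop whose VPN is not carrying all
    traffic gets its wireless connection dropped. Returns (action, reasons)."""
    reasons = []
    if p.missing_patches:
        reasons.append("missing patches: " + ", ".join(p.missing_patches))
    if not p.firewall_running:
        reasons.append("personal firewall not running")
    if not p.av_running:
        reasons.append("security software not running")
    if reasons:
        return "deny", reasons
    if not p.vpn_up or not split_tunneling_disabled(p.routes):
        return "disconnect", ["VPN tunnel is not carrying all traffic"]
    return "allow", []


# Constructed samples. LAN route via wlan0 is fine; only default routes matter.
SAMPLE_OK = Posture([], True, True, True,
                    [("0.0.0.0/0", "tun0"), ("192.168.1.0/24", "wlan0")])
# The hotspot's DHCP default route is still present beside the VPN's one:
# traffic can bypass the tunnel, i.e. split tunneling is effectively enabled.
SAMPLE_SPLIT = Posture([], True, True, True,
                       [("0.0.0.0/0", "wlan0"), ("0.0.0.0/0", "tun0")])
SAMPLE_UNPATCHED = Posture(["critical-patch-A"], True, True, True, [])
```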

Again, the key point to realize is that while LAN-based NAC does have value, it wouldn’t have helped in this very realistic and common scenario.


NOTE The examples in this section would also hold true for public broadband networks that are commonly found in hotels.