It’s no secret that more and more employees are working from home. Some of these workers will work exclusively from this location, while others share their time between the home office, corporate office, customer locations, and so on. This puts laptops at risk, because these devices are not always connected to the corporate network. Thus, they do not receive the benefits and protection of all the security technologies that are in place to protect the corporate LAN. They are completely on their own.
In the home office scenario, it is common to see two topologies. One is where the user connects to the Internet via a home broadband connection and utilizes a VPN client to connect back to the corporate LAN. The other is where the company provides a hardware-based VPN device to establish connectivity back to the corporate LAN. In each case, the use of Wireless LAN is common. These topologies are depicted in Figure 5-19 and Figure 5-20.
Notice the location of the firewalls. These are important because they protect the laptop from direct attack from the Internet. Depending upon the user’s Internet service provider (ISP) and the hardware provided, a firewall may or may not be included in the cable modem. For a company-provided VPN device, these almost always have firewall functionality. In fact, sometimes these devices are actually firewalls that happen to have VPN functionality.
Figure 5-19 (diagram: the user utilizes a VPN client to connect to the corporate network. Components shown: Corporate Laptop, Wireless Access Point, Cable Modem, Internet, VPN Device, Corporate Network, VPN Client Software.)
154 Chapter 5 ■ Understanding the Need for Mobile NAC
Figure 5-20 Connecting via hardware devices (diagram: the user is connected to the corporate LAN via a hardware device provided by the company; the firewall protects the laptop against Internet attacks. Components shown: Corporate Laptop, Wireless Access Point, Cable Modem with Firewall, Internet, VPN Device, Corporate Network.)
Regardless, the user is connected to the corporate LAN from the home office, and the home office uses wireless. As with the firewalls, it is common for ISPs to now provide wireless capabilities with cable and DSL modems.
The biggest misconception that anyone can have about these topologies is that they will adequately protect the mobile laptop. Why? The weak link is the wireless connection. Some companies pretend that wireless networks aren’t used by their home users, and this is really a mistake.
The wireless network can provide an opportunity for an attacker to bypass the Internet firewall. By getting on the inside of the firewall, an attacker can attempt to exploit the laptop if it isn’t patched and doesn’t have the necessary security applications. This would be the same as the user being in a public Wi-Fi hotspot.
There are a number of security best practices when it comes to securing wireless. The unfortunate truth is that, regardless of whether these steps are taken, it is commonly possible to still break into the wireless network. The following are good, basic security steps that should be used on any wireless network:
■ Do not broadcast the SSID.
■ Do not use the default SSID.
■ Use encryption.
■ Use a secure authentication method.
■ Change the administrative username and password of the access point.
If you work in IT, then you know that these simple steps usually aren’t taken by home office users. In fact, nearly half of all companies are still using Wired Equivalent Privacy (WEP) on their corporate LANs! So to think that this threat isn’t real is really having your head in the sand.
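As an added example (not from the book), the following audits a hostapd-style access-point configuration against the five steps above. The default-SSID list, the default-credential pairs, the 12-character pre-shared-key floor and both sample configurations are constructed assumptions.

```python
"""Audit a hostapd-style access-point configuration against the five basic
wireless hardening steps above.  Added example: the config texts and the
default-SSID / default-credential lists are constructed assumptions."""
from __future__ import annotations

DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}  # assumed
WEAK_ADMIN = {("admin", "admin"), ("admin", "password"), ("admin", "")}  # assumed

def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf: dict[str, str], admin_user: str, admin_pass: str) -> list[str]:
    """Return one finding per violated step; an empty list means all five pass."""
    findings: list[str] = []
    if conf.get("ignore_broadcast_ssid", "0") == "0":      # step 1: hide the SSID
        findings.append("SSID is broadcast")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:        # step 2: no default SSID
        findings.append("default SSID in use")
    wpa = conf.get("wpa", "0")                               # step 3: encryption
    if wpa == "0":  # no WPA/WPA2 configured: either WEP keys or nothing at all
        findings.append("WEP in use" if "wep_key0" in conf else "no encryption")
    mgmt = conf.get("wpa_key_mgmt", "")                      # step 4: authentication
    if wpa != "0" and "PSK" in mgmt and len(conf.get("wpa_passphrase", "")) < 12:
        findings.append("short WPA pre-shared key")
    if (admin_user, admin_pass) in WEAK_ADMIN:               # step 5: admin credentials
        findings.append("default administrative credentials")
    return findings

# Constructed sample configurations: a factory-default AP and a hardened one.
WEAK_CONF = """interface=wlan0
ssid=linksys
wep_default_key=0
wep_key0=0123456789
"""
HARDENED_CONF = """interface=wlan0
ssid=home-office-7f3q
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=a long passphrase nobody guesses
"""
```

Running `audit(parse_conf(WEAK_CONF), "admin", "admin")` reports four of the five steps as unmet, while the hardened configuration with changed administrative credentials returns no findings.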
To find a wireless network, there are plenty of free tools that can be used. A very popular and really easy-to-use tool is called Network Stumbler, which will display all the wireless networks that are being broadcast within range. It also will give good information on the channel being used, the speed, and so on. Figure 5-21 is a screenshot of Network Stumbler.
While Network Stumbler is useful, it doesn’t display wireless networks where the SSID isn’t being broadcast. If you recall, not broadcasting the SSID is the first step mentioned in protecting a wireless network. Does this mean that these networks are not possible to find? No! It simply means that a different free tool must be used! A great tool for this is called Kismet, which is shown in Figure 5-22.
Now that a wireless network has been found, the next step is connecting to it. If authentication or encryption is not being used, then it’s as simple as typing the SSID and a hacker can connect to the same wireless network as the corporate laptop. Let’s say that the wireless network is using WEP, Wi-Fi Protected Access (WPA), or it’s a satellite office that’s being fancy and running Lightweight Extensible Authentication Protocol (LEAP) for wireless. Would that stop the hacker? Not if the hacker had the appropriate free tools! The following free tools can break these types of wireless networks:
■ WEP — AirSnort (see Figure 5-23)
■ WPA — Cowpatty (see Figure 5-24)
■ LEAP — ASLeap (see Figure 5-25)
Figure 5-22 Kismet
Figure 5-23 AirSnort
Remember, these are free tools that are readily available on the Internet. At this point, the wireless network has been found and access to the network can be established. So what is the big deal? Is it simply that the user can now use that link for free Internet access? No! The big deal is that once the hacker’s computer is on the same network as the corporate laptop, it has Layer 3 access and can attempt to exploit that system. The security, which was the firewall between the network and the Internet, is no longer in play and has been bypassed. If that laptop isn’t further protected, it can be a sitting duck — a sitting duck that very well may be connected to the corporate LAN as it’s being exploited! Figure 5-26 illustrates this point.
Think back to Chapter 4 for a moment. That chapter showed in detail how a computer that is on the same network can launch attacks directly against other computers on the network. That is one of the primary threats with this attack. If that corporate laptop isn’t patched, doesn’t have a personal firewall, doesn’t have antivirus software running and up to date, and so on, then it can be exploited by an intruder on that network.
Figure 5-24 Cowpatty
Figure 5-25 ASLeap
NOTE Any computer that utilizes wireless connectivity needs to have a personal firewall. Hardware firewalls alone will not provide the necessary protection, because they are in place to stop systems outside the network from breaking into the network. They are not in a position to stop one computer on the LAN from attacking another computer on the same LAN.
In this particular example, the corporation may have very well thought that the hardware-based firewall alone was adequate protection. The thinking would have been that the corporation was trying to protect the remote network. This is the wrong way of looking at it. The remote host is actually what needed to be protected. This is where Mobile NAC can help.
Figure 5-26 Access obtained to the corporate network (diagram: a hacker connects to the wireless LAN and directly attacks the corporate laptop; the firewall has been bypassed and no longer protects the corporate laptop. Components shown: Corporate Laptop, Wireless Access Point, Cable Modem with Firewall, Internet, VPN Device, Corporate Network.)
Following are some ways that Mobile NAC would help mitigate this type of attack:
■ Ensuring the mobile laptop had all necessary patches. This would help by removing the vulnerabilities to direct attacks.
■ Ensuring that the personal firewall and all other security software was running and configured properly. This would help stop exploits as they were run against the corporate laptop.
■ Disallowing the corporate laptop from connecting to the wireless network if its security posture was deficient.
As with the other examples, LAN-based NAC wouldn’t provide the necessary protection. Using LAN-based NAC in a home office scenario is not really practical.
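The three Mobile NAC mitigations above, as an added example that is not the book’s or any product’s code: a posture evaluator that denies the wireless association when patches are missing, the personal firewall or antivirus is not running, or definitions are stale. The seven-day definition age, the patch identifier and the sample postures are constructed assumptions; an unknown state is treated as a failure.

```python
"""Mobile NAC style posture check run before a laptop joins a wireless
network.  Added example: the policy constant and the sample postures are
constructed; an unknown state is treated as a failure (fail closed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Posture:
    """What the endpoint agent reported; None means it could not determine it."""
    hostname: str
    missing_patches: list[str] = field(default_factory=list)
    firewall_running: bool | None = None
    av_running: bool | None = None
    av_definitions: date | None = None

@dataclass
class Decision:
    allow: bool
    reasons: list[str]

MAX_DEF_AGE = timedelta(days=7)  # assumed policy: definitions older than a week fail

def evaluate(p: Posture, today: date) -> Decision:
    """Apply the three mitigations listed in the text; any failure denies access."""
    reasons: list[str] = []
    if p.missing_patches:  # mitigation 1: all necessary patches installed
        reasons.append("missing patches: " + ", ".join(sorted(p.missing_patches)))
    if p.firewall_running is not True:  # mitigation 2: security software running
        reasons.append("personal firewall not running or state unknown")
    if p.av_running is not True:
        reasons.append("antivirus not running or state unknown")
    elif p.av_definitions is None or today - p.av_definitions > MAX_DEF_AGE:
        reasons.append("antivirus definitions missing or stale")
    return Decision(allow=not reasons, reasons=reasons)

def wireless_allowed(p: Posture, today: date) -> bool:
    """Mitigation 3: refuse the wireless association when the posture is deficient."""
    return evaluate(p, today).allow

# Constructed sample postures checked on a fixed date.
TODAY = date(2008, 3, 1)
HEALTHY = Posture("laptop-01", [], True, True, date(2008, 2, 27))
DEFICIENT = Posture("laptop-02", ["PATCH-EXAMPLE-1"], False, True, date(2008, 1, 10))
UNKNOWN = Posture("laptop-03")  # agent reported nothing beyond the hostname
```

`wireless_allowed(HEALTHY, TODAY)` is true; the deficient laptop is refused with three reasons, and the laptop whose agent reported nothing is refused rather than waved through.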