Republished with permission from WatchGuard Technologies, Inc.


Isolate Your Wireless Network on External

by David M. Piscitello, President, Core Competence, Inc.

Fans of the television show X-Files may recall a Season 9 episode entitled "Trust No 1." I now only watch episodes containing seasons-past flashbacks of Special Agents Mulder and Scully. However, in this particular episode the setting of several scenes was especially interesting:

Dana Scully enters an Internet café with William and logs onto a private mail box. Waiting for her is a message from Mulder, who expresses his desire to return home to her and to William. As Scully begins her reply . . .

Ever since I saw the technically maligned movie The Net, starring Sandra Bullock, I've been intrigued by how inaccurately the Internet, and especially security, are presented on the big and little screens. Ever the networking nerd, as I watched this X-Files episode I wondered, "Is she using her laptop or a public PC? LAN or wireless?" Ever the security nerd, I realized the irony of the episode title: "IT DOES NOT MATTER, TRUST NO 1."

As Scully begins her reply, a woman who has entered the café with a baby leaves to argue with a man outside. Scully goes to the unattended baby . . .

. . . and in the process, abandons the computer and, presumably, the window in which she's composing a private and ostensibly authenticated reply to Mulder. Anyone could read it, or possibly modify it while she's not looking. Trust No 1, indeed!

Doggett accosts the Man on the Street just before he breaks into Scully's apartment. The Man will not reveal anything, only muttering, "They're watching."

Exactly. "They" are watching. Whether your employees connect from home over dial-up, cable modem or DSL; from a hotel's cable network; or from a LAN or WLAN, whether at an Internet café or anywhere in your office building or campus, every mobile computer poses a security risk. All of them must be treated as untrusted systems until they prove otherwise. And this means employing the most conservative method of connecting client computers to your trusted network: through the External, or public, interface on your firewall.

When Optional Is Not an Option

Both Lisa Phifer's "Stopping WiFi Intruders" and Corey Nachreiner's "Isolating Your Wireless Network: An Optional Solution" emphasize the importance of isolating wireless LAN users from your trusted networks. Corey suggests using the Optional interface for WiFi that you deploy in your office building or campus. The security measures he recommends you apply to the Optional interface apply equally well to the External interface: secondary IP addressing for wireless users, authentication enabled via the Firebox, and policies that restrict the selection of services and hosts WiFi users may access.
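To make the recommended policy concrete, here is an added illustration (not Firebox configuration and not code from the column): a small Python model of a first-match rule table for traffic arriving on External, where WiFi clients on a secondary subnet and road warriors on the Internet get the same treatment. The trusted network 10.0.0.0/8, the WiFi secondary subnet 192.168.200.0/24, the VPN gateway 203.0.113.10 and the rule table are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addresses for the example; substitute your own.
TRUSTED = ip_network("10.0.0.0/8")               # assumed trusted network behind the firewall
WLAN_SECONDARY = ip_network("192.168.200.0/24")  # assumed secondary subnet on External for WiFi clients
VPN_GATEWAY = ip_network("203.0.113.10/32")      # assumed External address terminating the VPN tunnels
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp"
    dport: int = 0  # unused for esp


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int      # 0 matches any destination port
    action: str     # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and f.proto == self.proto and self.dport in (0, f.dport))


# Ordered rule table; first match wins. Note that the deny rules for the trusted
# network sit above the WiFi browsing rules, so an intranet web server on 10.x is
# unreachable even though port 80/443 is otherwise open for WiFi clients.
POLICY = [
    Rule("IKE to VPN gateway", ANY, VPN_GATEWAY, "udp", 500, "allow"),
    Rule("ESP to VPN gateway", ANY, VPN_GATEWAY, "esp", 0, "allow"),
    Rule("no direct access to trusted net", ANY, TRUSTED, "tcp", 0, "deny"),
    Rule("no direct access to trusted net", ANY, TRUSTED, "udp", 0, "deny"),
    Rule("WiFi web browsing to Internet", WLAN_SECONDARY, ANY, "tcp", 80, "allow"),
    Rule("WiFi web browsing to Internet", WLAN_SECONDARY, ANY, "tcp", 443, "allow"),
]


def evaluate(flow: Flow) -> tuple:
    """Return (action, rule name). Unmatched traffic is denied, as on a default-deny firewall."""
    for rule in POLICY:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default deny"
```

Running the table over a WiFi client trying SMB (tcp/445) against a trusted file server yields a deny, while the same client's IKE exchange with the VPN gateway is allowed, exactly as it would be for a road warrior on the Internet.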

One reason I feel "Trust No 1" is a correct approach is that both the "wireless at the office" and the road warrior user communities create similar security problems:

  • None of these users' systems are protected by your Internet (or interdepartmental) firewalls. WiFi-enabled laptops can be scanned, attacked and compromised directly over the radio frequencies they use. Road warriors' systems are vulnerable to attack through any network service they use: if they can reach the Internet, the Internet can reach them.
  • All of these users' systems are vulnerable to passive monitoring (also known as sniffing), replay, and masquerade attacks. They all need some form of encryption and authentication that's difficult to compromise.

Furthermore, users whose systems spend time connected to any network other than your trusted network can:

  • Download content that has circumvented server-based anti-virus or other server-based content inspection measures, including WebBlocker.
  • Unwittingly download a malicious executable (a DDoS zombie agent or rootkit) via e-mail or casual browsing.
  • Expose sensitive information to unauthorized parties (for example, through an unprotected shared folder, or a Web- or FTP-accessible file) who can copy or modify this information for whatever nefarious or malicious purpose.

Lastly, employees who are "wireless at the office" may also use LANs or wireless elsewhere. So while WLANs do present some unique problems to an organization, they are collectively one more worry among many mobile user problems.

Equal Treatment

If you buy into the proposition that WLAN users should not be connected to trusted networks, then grant as well that WLAN access demands at least the same strong security measures as remote access. Use the group authentication and privacy measures built into WLAN equipment. Admittedly, they are weak, so use them as a complement to, rather than a substitute for, MUVPN's stronger user authentication, data privacy and message integrity. Though they are flawed today, the 802.11 and 802.1 standards will be markedly improved when the revisions under consideration are eventually adopted, and you'll be glad you implemented them. This is consistent with the layered security philosophy the LiveSecurity Advisors have harped on forever.

In fact, while we're on the topic, you would be well advised to add another layer. Protect all mobile computers with personal firewall and anti-virus software. Fred Avolio has mentioned how disk and file encryption and boot-level passwords can protect your organization from attacks initiated from stolen laptops. These attacks can debilitate a company and should be considered in the overall security policy you compose and implement.

The next day, Scully e-mails Mulder with hopes that he is still alive and will someday see her again . . .

The likelihood that ultra-paranoid Fox Mulder will believe the e-mail he's received is really from Scully greatly increases if he is assured that the FBI takes remote access -- whether WiFi or other -- seriously. Digitally signed and encrypted e-mail would be nice, too, but that's a topic for a future column. The main point here: when you're implementing your WLAN, pay attention to the little bit of Fox Mulder that's in each of us, and Trust No 1. Relegate wireless to your External interface.

Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.
