Security UPDATE About Wi-Fi Security June 16
Security UPDATE About Wi-Fi Security June 16
by Windows .NET Magazine
In Focus: More About Wi-Fi Security
by Mark Joseph Edwards.
Last week, I wrote about problems with particular Linksys and NETGEAR
wireless Access Points (APs). I suggested that people might consider
putting their APs behind a firewall to better protect the systems from
access by outsiders who might approach the units from a WAN link. This
practice might protect wireless APs against any unknown
vulnerabilities that intruders might discover. Even if your APs have
built-in firewalls of their own, consider also using a firewall
external to them. The approach makes sense, but while cruising the
Internet last week, I came across an old, but interesting article,
"WiFi Security Checklist," at the Security Technique Web site that
made me realize that I had overlooked another potential problem that
you might want to consider.
As you know, wireless protocols are vulnerable to a variety of
attacks. APs' very nature makes them prone to granting access to users
outside your immediate working environment. And of course, once
someone has connected to one of your APs, he or she is part of your
network. This situation raises the question of how much of your
network is exposed to your APs. If you have no additional barriers in
place and your APs are essentially inside your trusted network, an
intruder will also be inside your trusted network after he or she
connects to one of your APs. I doubt that you want to leave that
gaping hole open.
So in addition to putting a firewall in between your APs and external
networks (whether they be the Internet, partner networks, remote
offices, or other networks), you should probably consider putting a
firewall behind your APs. In that sort of configuration, you could use
some sort of VPN in which wireless clients tunnel back into your
private network for access to network resources. That way, if an
intruder connects to one of your APs, he or she will have far less to
work with when trying to penetrate your overall network.
Or, if your environment uses Remote Authentication Dial-In User
Service (RADIUS), you might consider using RADIUS to pass routing
restrictions to your APs. For example, Randy Franklin Smith explains
in "A Secure Wireless Network Is Possible," Windows & .NET Magazine,
May 2004, that if a visiting business partner connects to your AP,
RADIUS could pass a routing restriction to the AP that allows him or
her access only to the Internet and not your internal network. If you
subscribe to the print magazine, you can read Smith's article on our
Web site.
Security News and Features
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities.
News: New IE Flaws Might Allow Code Injection
On June 7, Jelmer Kuperus posted a message to the Full Disclosure
mailing list to report the existence of new vulnerabilities in
Microsoft Internet Explorer (IE) and exploits that take advantage of
those flaws. As a result, we might see Microsoft release at least one
new IE patch before its next scheduled security patch release date of
July 15.
Windows Connections October 24-27, Orlando, Florida.
Save these dates for the Fall Windows Connections conference,
which will run concurrently with Microsoft Exchange Connections.
Register early and receive admission to both conferences for one low
price. Learn firsthand from Microsoft product architects and the best
third-party experts.
Attend the Black Hat Briefings & Training USA Event - July 24-29.
This is the world's premier technical IT security conference,
hosting 2,000 delegates from 30 nations. Featuring 27 hands-on
training courses and 10 conference tracks with presentations by
security experts and "underground" security specialists. Early-bird
registration deadline is July 1!
Exchange 2003 SP1
Before you install Exchange 2003 SP1, read the release notes. They
contain a number of notices that could apply to your site and might
affect the order in which you upgrade servers. You also need to apply
the hotfix described by the Microsoft article "FIX: IIS 6.0
compression corruption causes access violations, before you install the
service pack. After you have the SP1 installation files, run the
update.exe program as you would for any other service pack.
During the installation, the Information Store service, WWW service,
and other Exchange processes are stopped, which interrupts service to
users. Therefore, you should plan to perform the upgrade at a time
when users don't need to access Exchange.
A new version of the Exchange Server Deployment Tools is available
from the link below. You can use the deployment tools to assist you in
the upgrade process. The tools offer new features, including enhanced
support for consolidating sites in a mixed-mode environment (i.e., an
environment containing a mix of servers running any combination of
Exchange 2003, Exchange 2000 Server, and Exchange Server 5.5).
Featured Thread: Extranet Security Setup
(One message in this thread)
A reader wants to create an Active Server Pages (ASP) extranet
application that will give his customers access to information such as
the work his company has done for them, the costs, and any scheduled
work. Each user should be able to view his or her own information but
not other customers' information. All the information is stored in one
database, so he's thinking about using views in SQL Server 2000 to
ensure that customers see only their own information. You can read the
reader's plans for his application and offer advice at
New and Improved IP Network Access
by Jason Bovberg
Increased Control Over IP Network Access and Security
MetaInfo and Perfigo announced a joint marketing and integration
alliance in which the companies will provide and support integration
between MetaInfo's Meta IP SAFE DHCP and Perfigo's SecureSmart and
CleanMachines products. By integrating the companies' complementary
technologies, customers will be able to control and protect against
unauthenticated access, viruses, worms, and policy noncompliance at
the IP layer. While authenticating the machine's identity, the Meta IP
SAFE DHCP server simultaneously requests network security validation
and policy compliance checks from CleanMachines. CleanMachines
conducts administrator-defined network and device-based scans that can
find security vulnerabilities, such as viruses, outdated patches,
spyware, and worms.
