Audit and Assurance


Guest Wifi in a company

  • 1.  Guest Wifi in a company

    Posted 09 Feb, 2020 08:20
    Hello, 

    could you please specify the risk here in this situation:

    We have an office with 50 employees, medium risk data. 
    A router is there called guest, where each employee first should connect to, and if a visitor comes to the company we also provide him the guest wifi password.
    Next, the employees connect to VPN to access the servers and work on the Company applications. But initially it is a guest wifi which could be shared with visitors who come to the reception to the company.

    The IT people mention it is no risk because there is a VPN and employees ultimately connect to the VPN. There is no multifactor VPN.

    What is the risk here? Could you please help me to describe the risk exactly and what is the solution.

    Thanks for your help.

    Best Regards Folks

    ------------------------------
    Marat Kaisseov
    ------------------------------


  • 2.  RE: Guest Wifi in a company

    Posted 10 Feb, 2020 01:27
    Hi Marat,

    There definitely is a risk.
    Imagine your workers connecting to the guest wifi, and (accidentally) downloading malware, which would result in an infected pc. If the pc would then connect to the server via VPN, there is a chance the infection may spread.
    Another risk is, that if your corporate firewall should block certain sites, people may prefer to do their thing over the guest wifi, which is probably not blocking anything.
    Yet another one ... when people stop working at your office, they could still have free wifi....
    Also, if "corporate" and "non-corporate" users reside on the same wifi, how easy would it be to infect "corporate" wifi-users.

    In terms of a solution, it boils down to a layered defense.
    - harden your laptops and see to it that they have up-to-date endpoint protection
    - in terms of the wifi, you would like to know who is connecting to it, and what they are doing. There are several ways to achieve this. The simplest way is setting up a captive portal, where people should log in, read the disclaimer, etc. A more complex way to do it, is to add 802.1x to the wifi. "known clients" authenticate, and get separated from the others. Admission control can then be done by a NAC/NAP solution.

    Personally, what I prefer to do is set up two separate wifi's, on separate networks.
    - corporate wifi with 802.1x authentication and network admission control. 802.1x can be integrated with Active Directory/LDAP, which allows you to revoke access for people that no longer work at your company. Also, as the wifis are separated, you could enforce different firewall rulesets for each wifi. A rule may even be, that on the corporate wifi, the only thing a user can connect to is the vpn server. Or your access control solution, could block the user access to the vpn, as long as there is no updated endpoint protection on the laptop. You can also wonder, once access to the corporate wifi is regulated, would you still require the VPN?
    You could use WPA2 PSK... but then again, people no longer working with you, could still have access.

    - guest wifi (with bandwidth limiting), so guests can't consume the entire bandwidth, combined with a captive portal. Guests receive a voucher that is valid for 8hours, that they can use to log in to the captive portal. At least you then know who was active on the wifi. Also, after the voucher expires, they will lose all access.

    In terms of wifi, we also only provide "guest" access in specific locations, such as meeting rooms. All other locations are fitted with the "corporate" wifi.

    There is also a risk in terms of the VPN and the employees, if employees are not terminated properly. Once they move to another company, you must make sure that the user account is disabled/removed. If not, you may (unwillingly) be granting VPN access to someone that no longer works with you. (hence, a risk in integrity, confidentiality and availability of your medium risk data may rise).

    There is a lot more to it, but this is basically the general idea.
    - keep guests and your workforce separated
    - layered defence (defense in depth)
    - have means to grant & revoke access
    - add logging to who is doing what
    - access control.... no following security standards -> no access (as otherwise, unsecure systems could connect to servers)

    I hope it helps.


    ------------------------------
    Sven De Preter

    Sr. Network & Systems Administrator
    Corporate DPO Team Member

    Certs:
    - CompTIA CSCP (Stackable)
    - CompTIA CCAP (Stackable)
    - CompTIA Cloud+ ce
    - CompTIA Security+ ce
    - CompTIA Network+ ce

    Feel free to connect with me on LinkedIn: https://www.linkedin.com/in/svendepreter/
    ------------------------------



  • 3.  RE: Guest Wifi in a company

    Posted 11 Feb, 2020 06:41
    Hi Sven,

    Well the IT can challenge you like this,
    If you have a laptop and you want to go to Starbucks then you connect to Starbucks wifi and enter the company network through vpn.
    Next, the guest still cannot access youtube and there is a high filter on the guest wifi router.

    Could you please provide more solid examples where is the risk.

    ------------------------------
    Marat Kaisseov
    ------------------------------



  • 4.  RE: Guest Wifi in a company

    Posted 11 Feb, 2020 07:31
    True ...but at that point, you are required to use a VPN because you are basically at an untrusted location, using an internet that is used by many visitors at the same time.

    However, since you know nothing about the wireless, or the users connected to it, we can assume that:

    - It's easy to spawn an access point somewhere, that mimics the original access point, which logs all your data packets, potentially exposing information about your VPN. Also, I can make it so, that you get redirected to my "malicious portal", and need to fill in some kind of personal data .... Which in turn can lead to privacy or financial issues. (Maybe I make you pay a few bucks for using the wifi). Such a "malicious" access point may also do some kind of proxying, in such a way that this device can potentially become a "man-in-the-middle" attack device.

    - If your VPN uses a split tunnel , that means that some of your traffic will not be going through the VPN. You may use a split tunnel system, to allow access to your corporate servers, while keeping ordinary web-surfing outside of the VPN (This is sometimes done to reduce loads on the corporate internet line). This could result in data being sniffed, that could impact you personally. All it takes is one unsecure connection, over which you post a username and password. This also implies, that if you have an infected laptop, it can reach a command and control center, it can be issued commands, and may do bad things to your corporate servers.

    - It's easy to connect to the network, as a malicious user, and attack other devices connected to it. In this case, your computer .... If I can hack your device through the public wifi network, I really don't care if you are using a VPN or not. So, here lies a risk of "lack of protection" of your laptop, due to the untrusted nature, and potentially harmful WiFi Connection. Maybe by doing so, I can harvest your VPN credentials....

    - Another thing about those public wifi's, and I've experienced this many times, is that your vpn will not always want to connect, due to some restrictions set on the network. Sometimes, this can be fixed by "upgrading" to a commercial access by paying x amount, for y period. (Which seamlessly brings me back to the potential of a malicious portal)

    As far as I'm concerned there are 3 types of Wireless Networks
    - Public Access : everyone can connect, and basically these networks are the most insecure ones as they are the easiest to abuse. The use of a VPN is mandatory, but the VPN itself will not protect your laptop from any harm. "This is like directly connecting to the internet, which is a very secure place *cough*"

    - Guest Access (Corporate): Within your corporate walls, you facilitate wireless for your visitors. This also is basically an untrusted wireless network, as all devices connected to it could basically attack each other. However, you have full control over this wireless network. If a device containing malware should connect to this network, it will not have access to other corporate resources. Corporate users should be denied access to this network, or should be redirected to the corporate wifi.
    The guest access should have some form of captive portal installed, and it may be wise to use a system of vouchers.
    If not, do you really want that wifi-password to stay on someone's computer forever? Give them free internet whenever they are close to the building?
    What if one of your corporate workers gets a viral infection on his laptop, do you think a vpn is going to cure that?
    This is why this guest access should be split from the private access.
    You can consider this to be your own "private internet", which you control, where you define the settings and define who can have access on which term.

    - Private Access (Corporate): This should be a secure wireless network that is only used by your employees. Even though this wifi is considered "trusted", we should make sure that devices connecting to it, are checked with a network access solution, just to make sure they do not bring malware into the organization. This network should have a 802.1x authentication.
    The reason for this private access wireless, is just to make sure that untrusted devices do not get mixed with trusted devices.
    Do note that it's perfectly ok, to use a vpn on this network too ... Even though it will impact performance and throughput.

    The risk does not really form itself in the use of the VPN. But in the configuration of the laptop, as well as how and where you are allowed to use it.

    ------------------------------
    Sven De Preter

    ------------------------------



  • 5.  RE: Guest Wifi in a company

    Posted 12 Feb, 2020 05:53
    Hi Sven,

    Slightly off the topic, is there any 'free' way to test separation between corporate and guest wifi? Trying to avoid cost of pen test.

    appreciate your guidance.

    ------------------------------
    Pratik Shah
    Information Security Manager
    ------------------------------



  • 6.  RE: Guest Wifi in a company

    Posted 12 Feb, 2020 07:31
    Edited by Sven De Preter 12 Feb, 2020 08:16
    I'll try to explain it in simple terms using basic networking technology and a simple setup.
    Let's look at the setup below and things will start to make more sense.




    When you configure such a solution (in its simplest way), you can see this as 3 different, separate, networks:
    - network 1, which has an ip range of for example 10.0.0.0/24 for hosting your corporate wireless users
    - network 2, which has an ip range of for example 10.1.0.0/24 for hosting your wireless guests
    - network 3, which has an ip range of for example 10.2.0.0/24 for hosting your datacenter

    So basically, all these networks use your firewall to reach the internet. Also, these ranges are not overlapping. On your switches, they are also defined as different vlans. (But that may be a bit too technical, already). Anyway, the goal of using different vlans, is that only devices in the same vlan can communicate with each other.

    When you look at the firewall, each network interface has an IP assigned to it, so it can communicate with the devices on the network attached to that interface.
    In our example, the firewall setup may look like this:
    - Interface 1 : directly connected to the internet
    - interface 2 : connected to vlan 1, IP address 10.0.0.1/24, so it can communicate with "network 1 : corporate wifi"
    - interface 3 : connected to vlan 2, IP address 10.1.0.1/24, so it can communicate with "network 2 : guest wifi"
    - interface 4 : connected to vlan 3, IP address 10.2.0.1/24, so it can communicate with "network 3 : datacenter"

    As you know, a firewall defines the communication rules between the above networks and these rules are tested sequentially. So if a rule is found, the rest is not even checked anymore. The end of the list is an implicit Deny, so all traffic that didn't trigger a rule, is dropped or denied.

    So, if you want to regulate the traffic between these interfaces, a simple ruleset could be:

    ALLOW NETWORK 1 (corporate wifi) TO NETWORK 3 (datacenter)
    ALLOW NETWORK 1 (corporate wifi) TO INTERNET
    DENY NETWORK 1 (corporate wifi) to NETWORK 2 (guest wifi) 

    ALLOW NETWORK 2 (guest wifi) TO INTERNET
    DENY NETWORK 2 (guest wifi) to NETWORK 1 (corporate wifi)
    DENY NETWORK 2 (guest wifi) to NETWORK 3 (datacenter)

    ALLOW NETWORK 3 (Datacenter) TO INTERNET
    ALLOW NETWORK 3 (Datacenter) TO NETWORK 1 (corporate wifi)
    DENY NETWORK 3 TO NETWORK 2 (guest wifi)

    In the above scenario, you could enforce the use of a vpn as well on the corporate wifi.

    All this would take, is to change the first block of the ruleset in:
    ALLOW NETWORK 1 (corporate wifi) TO VPN SERVER (Probably the interface IP of network 1 on the firewall, or a device in your datacenter)
    DENY NETWORK 1 to INTERNET
    DENY NETWORK 1 to NETWORK 2
    DENY NETWORK 2 to NETWORK 3

    So, there is really no need for a pen test, as your IT admins should be able to present you with documentation on how the networks were set-up.
    Do note, that this setup, also allows your network admins to provide a "wired" access to your guests, while still keeping them segregated from your corporate workforce.

    Testing can be as simple as connecting to each wireless network, and trying to connect to something in your datacenter. It should work when coming from the Corporate wifi, or from within the datacenter, but not from the guest wireless.
    You can also have a few linux devices (with for example SSH enabled) on network 1 and network 2, then try to ssh from a device on network 1 to a device on network 2. This should only work, if both devices are on the same network.
    Also, the logging in your firewall should reflect these tests.

    Another advantage of such a setup, is that you could use Bandwidth management or QoS, so that the guest wifi is always limited to maximum 20% of your total internet capacity or that traffic coming from the datacenter has highest priority, followed by your corporate wireless, followed by your guest wireless.
    This way you have granular control over the bandwidth consumption and prioritization of the traffic.

    It can become really complex, especially if you are using 802.1x combined with Radius and Active Directory. But the idea stays the same. (You could see this 802.1x as an alternative for a VPN. On the vpn, you would need to authenticate. This also happens when using local networks combined with 802.1x. Even though 802.1x does not encrypt your traffic, it authenticates you to the network, and can trigger network admission control.)

    There is a lot more to it, but I hope this helps in showing how it's set up, once you understand this, it will be easier to understand how to test such setups.

    I hope this helps.

    ------------------------------
    Sven De Preter

    ------------------------------
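
The first ruleset in the post above and its connect-from-each-network test can be modelled as follows. This is an added example, not code from the thread or from any firewall product: it evaluates the rules first-match with an implicit deny and flags any manual probe whose outcome contradicts them. The zone names, host addresses and probe results are constructed for illustration.

```python
import ipaddress

# Address ranges from the post; any other address counts as "internet".
NETS = {"corporate": "10.0.0.0/24", "guest": "10.1.0.0/24", "datacenter": "10.2.0.0/24"}

# The post's ruleset in order, as (action, source zone, destination zone).
RULES = [
    ("ALLOW", "corporate", "datacenter"),
    ("ALLOW", "corporate", "internet"),
    ("DENY", "corporate", "guest"),
    ("ALLOW", "guest", "internet"),
    ("DENY", "guest", "corporate"),
    ("DENY", "guest", "datacenter"),
    ("ALLOW", "datacenter", "internet"),
    ("ALLOW", "datacenter", "corporate"),
    ("DENY", "datacenter", "guest"),
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, cidr in NETS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return "internet"

def decide(src, dst, rules=RULES):
    """First matching rule wins; no match means the implicit deny applies."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "ALLOW"  # same VLAN: traffic never crosses the firewall
    for action, rule_src, rule_dst in rules:
        if (rule_src, rule_dst) == (s, d):
            return action
    return "DENY"

def audit(observed, rules=RULES):
    """Return probes whose real outcome differs from what the rules predict."""
    return [(src, dst, ok) for src, dst, ok in observed
            if ok != (decide(src, dst, rules) == "ALLOW")]

# Constructed probe results: (source, destination, connected). Hosts are made up.
SAMPLE = [
    ("10.0.0.20", "10.2.0.10", True),   # corporate -> datacenter, as expected
    ("10.1.0.25", "10.2.0.10", True),   # guest -> datacenter: should be blocked
    ("10.1.0.25", "10.0.0.20", False),  # guest -> corporate, as expected
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any tuple returned by `audit` is a probe to check against the firewall log and the documented ruleset, since the observed behaviour and the stated policy disagree.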