Yesterday, I marveled at Microsoft’s Virtual WiFi technology, and how it could possibly unclog some of the choke-points in our home networks. But the same technology could open up many holes in corporate WLANs, according to Pejman Roshan, who left a comment on the previous post. Roshan, who has literally written a book about enterprise wireless LANs, warns that people should approach this new WiFi technology with caution.
Am I the only person asking why this is useful? I can only see this as a way for an insider to connect one vWiFi connection to the corporate network and another virtual ad hoc to the Starbucks, or worse some unsanctioned, unprotected network, and WinXP bridges the two together!
Instead, he suggests, corporations and consumers could be better off with Indoor Mesh. Microsoft offers an Indoor Mesh add-on to WinXP. Since I am no expert on wireless security, I guess I would defer to Roshan on this one. I am pretty sure Glenn would have something to add.
Hi Om-
Just to be clear, I don’t see MSFTs implementation of indoor/neighborhood mesh as ready for corporations either, rather something folks at home can play with that is more secure that Virtual WiFi.
Thanks,
Pej
It’s already theoretically possible to make unauthorized bridges anywhere you have more than one network connection (ethernet, Wi-fi, cellular modem) so I consider that to be Somebody Else’s Problem. 😉
However, look through the other end of the telescope. This is also a way for an access point to handle multiple SSIDs without making the visitor reconfigure his laptop. For example, a company’s Marketing and R&D departments could have their own virtual networks and security protocols but bring their laptops to each other’s department. Or a Starbucks could handle multiple Wi-Fi carriers on one box (were the vendors to allow it).
Hi Bob-
I agree that moving from one WLAN to another has issues in changing WLAN parameters. Companies like Cisco (with the NICs and Aironet Client Utility), MeetingHouse (with their Aegis supplicant) and Funk (with the supplicant) have auto profile selection which does this automagically.
This is a challenge, but I think there are more secure ways to solve it.
Regards,
Pej
I agree with Pej. We use the Cisco NICs with Aironet Client Utility at the university that I work for, and the Automatic Profile Selection works great when moving from work to home. The only setback that I have with the ACU is that it doesn’t support WPA-PSK even though the Cisco Access Points do support it. So, I have to use Windows wireless configuration in order to connect using WPA-PSK at my home.
This is already solved, actually. It’s called end-point security. Any corporation concerned enough about its security to require authentication by user and systems–that is 802.1X for port-based logins to prevent rogue wired and Wi-Fi devices–should also be considering end-point security.
This is an increasingly large class of software for many platforms, primarily Windows (of course) that provides deep system locking of resources. With the right end-point security, a laptop user would be unable to bridge, unable to install virtual Wi-Fi, unable to add a Wi-Fi card, unable to do…all kinds of things.
It seems onerous, but the fact that it’s so easy to bridge connections and render powerful security less through to any authenticated users makes end-point security a necessity for companies that have any purpose in protecting their networks in the first place.
It’s got a good side effect: the less users can make unauthorized changes on their corporate computers, the easier job IT has in troubleshooting.
I’m sure people will dogpile on me for saying that giving users less control is better. Very patronizing, right? But this is about corporate security not about individual rights and these kinds of examples show how readily corporate networks can be compromised even with good intentions.
People can choose as individuals to have their own laptops, their own data networks.
Glenn-
I agree with you. Endpoint security and HIPS are crucial solutions for defense in depth and adaptive threat defense.
Endpoint security has the challenge of penetration and ubiquity. What percentage of enterprises have endpoint security in place? I would bet it’s in the single digits. How many have a strategy to get endpoint in place? I bet it’s the same.
Regardless of whether there is a solution to block this type of solution, I think it’s irresponsible for companies like Microsoft, who tout security as core to their business, to release software that makes networks inherently insecure.
Pej
“I think it’s irresponsible for companies like Microsoft, who tout security as core to their business, to release software that makes networks inherently insecure.”: Network sharing, built into every copy of Windows XP, has more or less the same functionality — you can plug an AP into an Ethernet port of a laptop with an authenticated Wi-Fi connection.
The genie is way way out of the bottle. But you’re right that they should be mentioning and incorporating security into the design of options like this.
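The two comments above describe the same exposure from two sides: a laptop that is authenticated to the corporate WLAN while also bridging, hosting a software access point (Virtual WiFi, which later shipped in Windows as the wireless hosted network), or sharing its connection. The audit script below is an added example, not code from the original post or from any of the commenters. It assumes a modern Windows endpoint (Windows 8 or later, PowerShell 5.1, the NetAdapter and NetTCPIP modules present) and that it is run as Administrator; the component ID `ms_bridge` used for the Network Bridge binding and the adapter-description patterns for the virtual Wi-Fi adapter are assumptions based on common Windows naming, so verify them against your own build before relying on them.

```powershell
# Added example (not part of the original post): audit a Windows endpoint for
# the bridging paths the thread discusses: Network Bridge, hosted network
# (Virtual WiFi), Internet Connection Sharing and plain IP forwarding, plus
# the "corporate + foreign network at the same time" condition that makes
# them dangerous. Returns an array of finding strings; empty means clean.
function Test-BridgingExposure {
    $findings = @()

    # 1. Network Bridge: the bridge protocol bound to any adapter.
    #    'ms_bridge' as the ComponentID is an assumption; confirm with
    #    Get-NetAdapterBinding | Where DisplayName -match 'Bridge'.
    $bridged = Get-NetAdapterBinding -ComponentID ms_bridge -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled }
    foreach ($b in $bridged) {
        $findings += "Network Bridge bound on adapter '$($b.Name)'"
    }

    # 2. Wireless hosted network (the Windows descendant of Virtual WiFi).
    $hosted = netsh wlan show hostednetwork 2>$null
    if (($hosted -join "`n") -match 'Status\s*:\s*Started') {
        $findings += 'Wireless hosted network is started (software AP active)'
    }
    # The virtual adapter itself, by description (pattern is an assumption).
    Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' -and
                       $_.InterfaceDescription -match 'Virtual WiFi|Wi-Fi Direct Virtual' } |
        ForEach-Object { $findings += "Virtual Wi-Fi adapter up: '$($_.Name)'" }

    # 3. Internet Connection Sharing: the SharedAccess service is what NATs
    #    one adapter out through another.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($ics -and $ics.Status -eq 'Running') {
        $findings += 'Internet Connection Sharing (SharedAccess) service is running'
    }

    # 4. IP forwarding enabled on a connected interface: routing between nets
    #    without any bridge or ICS UI involved.
    Get-NetIPInterface -ErrorAction SilentlyContinue |
        Where-Object { $_.Forwarding -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' } |
        ForEach-Object {
            $findings += "IP forwarding enabled on '$($_.InterfaceAlias)' ($($_.AddressFamily))"
        }

    # 5. The precondition for all of the above to matter: connected to a
    #    domain-authenticated network and a non-domain network at once.
    $profiles = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    $cats = @($profiles | ForEach-Object { [string]$_.NetworkCategory } | Sort-Object -Unique)
    if ($profiles.Count -gt 1 -and $cats -contains 'DomainAuthenticated' -and
        (($cats -contains 'Public') -or ($cats -contains 'Private'))) {
        $list = ($profiles | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ', '
        $findings += "Simultaneously on domain and non-domain networks: $list"
    }

    return $findings
}

$result = Test-BridgingExposure
if ($result.Count -eq 0) {
    Write-Output 'No bridging exposure found.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

If the audit fires, the corresponding hard controls are `Disable-NetAdapterBinding -Name '*' -ComponentID ms_bridge` for the bridge, `netsh wlan set hostednetwork mode=disallow` for the hosted network, stopping and disabling the `SharedAccess` service for ICS, and `Set-NetIPInterface -Forwarding Disabled` per interface. Running the script from a scheduled task or an endpoint-management agent is the "end-point security" Glenn describes in miniature: it does not stop a determined insider, but it catches the well-intentioned bridge before it becomes a path from the coffee shop into the corporate WLAN.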
AnchorFree created a wireless security product that protects you when you are wireless. The software is called hotspotshield, you can download it at hotspotshield.anchorfree.com