3

Multi-homed is the term that I have heard for being connected to a LAN at the same time as being connected to the internet via something like a wireless connection.

I have heard that this is so serious that certain large companies I have heard of make it an instantly fireable offense.

The way it's been explained is that Joe Hacker will compromise the machine via the internet connection and then have access to the LAN.

My questions on this are:

  1. Is this really a massive security hole?
  2. How (if any) does this differ from being connected to a VPN? Is that not the same thing?
  3. How (if any) does this differ from being connected to a LAN and public wireless network at the same time?
  4. How do you protect from this, both for the being connected to the LAN and being connected wireless and also the VPN scenario?
Robert MacLean
  • Bypassing company security policies or controls can often be an instantly fireable offense. This is just a (major) form of bypassing those security controls. – romandas Jul 22 '09 at 23:45

4 Answers

6
  1. Massive is debatable but it is a security issue. Your laptop machine (in this case) is directly connected to the Internet and the LAN without any of the corporate firewall measures in place to protect one from the other.

  2. A VPN is an encrypted session providing access for an outside machine to internal resources. In many ways it is similar on the surface where an infected PC could still cause issues for the LAN but in this case, the traffic is traveling through corporate devices (VPN server, firewall, etc.) that are often monitored and can be further secured with intrusion detection and other services that can minimize the risk. By contrast, in your example, the PC is the only thing between the intruder and the LAN.

  3. I'm not sure of the difference here, as "public wireless network" typically means "Internet" to me. But the same holds true: the PC is acting as the bridge between networks and it is not secured or designed for that purpose.

  4. Remote access from unsecured machines is always a challenge for security. This is why many corporate machines are equipped with firewall software like Symantec Endpoint Security and required to access the LAN via approved methods (VPN) which are further secured with intrusion protection, virus scanning, and other security mechanisms.

Kevin Kuphal
  • @Point 2. Don't most vpns split tunnel by default? Our current Checkpoint does and so did our ancient Cisco pix – prestomation Jul 22 '09 at 21:05
  • @prestomation: you have to explicitly turn on split tunneling in the Pix/ASA series. Now the fact that their setup wizard makes it look like a normal part of the setup as well as making it look like you HAVE to set it up ... is another matter entirely. – Zypher Jul 22 '09 at 21:31
4

Essentially, it routes around the security put in place by the company, either with an inbound connection or outbound connection or both. Some of these security measures include restricting employee access to the internet. As such, picking up another wireless connection completely works around the firewall set up on outbound connections. Not only does this allow employees to screw around on company time, but it may also introduce viruses into the internal network through compromised websites.

Alternatively, it can provide a hacker with a direct route into the corporate network, from which they can launch attacks. Similar issues have happened in the past where someone set up their own modem for dialup access into the company, without asking the IT department. Attackers then were able to get complete access to the internal network. It's kind of like the fortress at Helm's Deep. Having stone walls 17 feet thick doesn't matter much when someone digs a hole through it for a drain.

Ernie
4

Multihoming is having a connection to two different network connections at the same time. Such as two network cards. However, the security problems extend to more than just that, such as you described with additional virtual network connections being tunneled over the single physical connection.

Network security professionals take these sorts of configurations seriously, as they increase the attack surface of the network they're trying to defend. When you bridge a workstation between the corporate intranet and the public internet (via something like a ClearWire modem), it does indeed bypass all the corporate protections and your machine is the only thing standing between the two. Therefore, the security managers have to pay attention to it.

  1. Is this really a massive security hole? Pretty large, yes, though it can be mitigated if managed correctly. The key being to manage it. Rogue ClearWire modems or 3G network dongles do not qualify as 'managed' and thus incur the maximum penalty.
  2. How (if any) does this differ from being connected to a VPN? Is that not the same thing? If the VPN is managed by the company, there are standards they can put in place on that VPN to make sure the traffic is managed. Or if it isn't, at least be able to tell which user was responsible for the bad traffic that managed to get through. On the other hand, if the VPN is one you're running to your home network somehow, that counts as 'unmanaged' and will be treated as #1. Even if your home network is firewalled six ways from Sunday.
  3. How (if any) does this differ from being connected to a LAN and public wireless network at the same time? As far as the security manager is concerned, establishing a VPN connection to some unidentified remote part of the Internet and connecting to a public wireless network are exactly the same thing as far as risk management goes.
  4. How do you protect from this? It's a cat and mouse game. To prevent VPN connections outbound, firewalls are configured to attempt to block VPN-like traffic. To prevent wireless connections, asset-inventory and network-access-control software can identify workstations with more network connections than authorized, which will trigger whatever actions are needed. Users are wily, and will find ways around most network access controls (almost anything can be tunneled over HTTP these days), so this game is continually evolving.

The thing to keep in mind is that from a Security Manager's point of view, there is no real difference, risk-wise, between a VPN to your home network, a wireless connection to the Starbucks downstairs, or a ClearWire modem naked on the internet. Each of these has varying levels of risk, but it is impossible to truly automatically discriminate between them. Thus, each has to be treated as if the remote connection is pointed at the naked internet.

sysadmin1138
  • A lot of organizations require corporate (or government) laptops to be used as the VPN endpoint as well, instead of your home computer you surf pr0n with. – romandas Jul 23 '09 at 00:00
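The routing-table check that point 4 of the answer above describes (flagging a workstation with more network connections than authorized), and the full-tunnel versus split-tunnel distinction raised in the comments on the first answer, as an added example that is not part of any answer. It reasons only from `ip -4 route show` output; the corporate range 10.0.0.0/8, the probe addresses, the interface names and the four sample routing tables are constructed assumptions.

```python
"""Added example: flag a multi-homed workstation from its IPv4 routing table.
Finds which interfaces carry traffic to the corporate network and to the public
internet. A managed host reaches both through one interface (the corporate NIC
or a full-tunnel VPN); two interfaces means the host bridges the networks."""
import ipaddress

PROBES = {  # constructed probe addresses, one per destination class
    "corporate": ipaddress.ip_address("10.20.5.5"),         # assumed 10.0.0.0/8 corp
    "internet_low": ipaddress.ip_address("100.64.0.7"),     # in 0.0.0.0/1
    "internet_high": ipaddress.ip_address("203.0.113.77"),  # in 128.0.0.0/1
}

def parse_routes(text):
    """Return [(network, dev)] from `ip -4 route` lines; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(prefix, strict=False),
                       parts[parts.index("dev") + 1]))
    return routes

def egress(routes, addr):
    """Interfaces winning longest-prefix match for addr. Ties (two default routes)
    are all kept: an uplink that only loses on metric still exposes the host."""
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    best = max((p for p, _ in hits), default=None)
    return {dev for p, dev in hits if p == best}

def assess(route_text):
    """Egress interfaces per destination class plus a multi-homed verdict."""
    routes = parse_routes(route_text)
    corp = egress(routes, PROBES["corporate"])
    inet = egress(routes, PROBES["internet_low"]) | egress(routes, PROBES["internet_high"])
    return {"corporate": corp, "internet": inet, "multi_homed": len(corp | inet) > 1}

# Constructed routing tables, not real hosts: office wired; wired plus phone hotspot;
# full-tunnel VPN from home wifi (0/1 and 128/1 shadow the wifi default); split tunnel.
WIRED = ("default via 10.20.0.1 dev eth0 proto dhcp metric 100\n"
         "10.20.0.0/22 dev eth0 proto kernel scope link src 10.20.1.57\n")
HOTSPOT = WIRED + ("default via 192.168.43.1 dev wlan0 proto dhcp metric 600\n"
                   "192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.12\n")
HOME = ("default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
        "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20\n"
        "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6\n"
        "203.0.113.10 via 192.168.1.1 dev wlan0\n")
FULL_TUNNEL = HOME + "0.0.0.0/1 via 10.8.0.1 dev tun0\n128.0.0.0/1 via 10.8.0.1 dev tun0\n"
SPLIT_TUNNEL = HOME + "10.0.0.0/8 via 10.8.0.1 dev tun0\n"
```

`assess(HOTSPOT)` and `assess(SPLIT_TUNNEL)` report `multi_homed` as true while the wired-only and full-tunnel tables do not; an inventory or NAC agent would feed it the live output of `ip -4 route show` instead of the samples.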
0

I've never heard multi-homed used in this context. Multi-homed generally means that one machine has its foot in two or more networks via multiple adapter cards.

What you're describing is internet browsing while logged onto a LAN. While there are risks to this, the risks have little to nothing to do with whether you're doing them at the same time or not.

There are numerous steps you can take to mitigate those risks. Is it a massive security hole? It can be.

I suppose you could consider being connected to a VPN as "multi-homed" if you're using split tunneling.

Edited to add

Websurfing from a multi-homed firewall for instance, would not be the best of ideas.

GregD