User legitimacy in wireless network - networking

I have a big wireless network, and I would like to know if there is a mechanism for assuring users' legitimacy:
I have 10 access points in the company and all have the same WPA-PSK password. I want a mechanism for protecting users if anyone breaks the wireless encryption or steals the key from a legitimate user. I want to protect them from sniffing attacks, and I want a mechanism to ban a specific user from the network even if he has accessed the wireless network; I want him to be banned from accessing any network facility.
I can't use RADIUS servers. Does IPsec help me with my problem (preventing new attackers and stopping a specific user)?

In universities, they don't encrypt the WLAN at all but use a VPN for providing access. With this, intruders can only access the WLAN, but they can't do anything.

An enterprise WPA2 (certificate-based access) would probably work too, but your hardware has to support it. Search for 802.1X (it also works with wired networks if you have the right switches).
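The 802.1X route this answer points at, as an added example that is not from the original post: a hostapd configuration with the shared-PSK setting beside a WPA2-Enterprise (EAP-TLS) setting that uses hostapd's built-in EAP server, so no separate RADIUS server is required. The interface name, SSID, file paths and user identities are assumed placeholders.

```ini
# --- BEFORE: one shared key for everyone (the questioner's current setup) ---
# Anyone holding the PSK who captures a client's 4-way handshake can derive
# that client's session keys and read its traffic; locking one user out
# means changing the key on all 10 APs and on every device.
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# assumed placeholder passphrase
wpa_passphrase=SharedOfficeSecret

# --- AFTER (separate hostapd.conf): WPA2-Enterprise with per-user client
# certificates (EAP-TLS). Each client authenticates with its own certificate
# and derives its own pairwise master key, so a stolen credential identifies
# exactly one user and other clients cannot decrypt its traffic. hostapd acts
# as the authentication server itself (eap_server=1), so no RADIUS box is needed.
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
# assumed path; lists which identities may authenticate and with which method
eap_user_file=/etc/hostapd/hostapd.eap_user
# assumed paths: the CA that issued the client certificates (with the CRL
# appended to the same file) and the AP's own server certificate and key
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
# Check client certificates against the CRL carried in ca_cert: revoking one
# user's certificate bans that user without touching anyone else's credentials.
check_crl=1

# --- contents of /etc/hostapd/hostapd.eap_user (identities are placeholders) ---
# Only listed identities may use EAP-TLS; no wildcard "*" entry, so unknown
# identities are refused. Remove a line (and revoke the certificate) to lock
# a single user out of every AP that shares this file.
# "alice@corp.example"  TLS
# "bob@corp.example"    TLS
```

Clients must be configured to validate the AP's server certificate against the CA, otherwise a rogue AP with the same SSID can impersonate the network; every AP in the company then shares the same CA, user file and CRL so a revocation applies everywhere.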

Related

Can't communicate with smart IoT devices using HTTPS

Every time I purchase an IoT device (smart lock, bell, plug, etc.), there usually is also a way to use it by going to http://192.168.1.x, but there NEVER seems to be a way to communicate with it securely using HTTPS. Is this a big problem for HTTPS? Is there a solution for this? I don't want someone on my network to look at what I am sending to my device over HTTP, but I can't use HTTPS either. What can I do?
I know that TLS certificates require a hostname to verify authenticity, but these IoT devices only tell me to open the control panel using HTTP and the local IP. Does that mean all my communication with my smart device is in plain text and open for everyone to read?
Does that mean all my communication with my smart device is in plain text ...
If it is plain HTTP then yes.
... and open for everyone to read?
If everybody can read the communication inside your local network, then yes. Fortunately, in most local networks this is not the case. For example, if you have your own WLAN which is properly secured with WPA2 and a strong password, then only the ones who know this password can access the local network - but these would then be able to sniff the traffic to the IoT device.
... but there NEVER seems to be a way to communicate it using HTTPS securely.
This depends on the actual device, i.e. some might offer HTTPS but many still don't. If this is a problem for you because your network is open to potential attackers, then you'd better put these devices in a separate network to which only you have access.

Is it possible to connect a laptop to a network via the Internet?

Sorry for the rather dumb question, but I seriously have no idea about this topic.
There is a company network that allows each laptop to access the company server. I can access the network when I am connected to the WiFi of the company's router.
Now the next step would be to connect my laptop from my home WiFi (Internet) to the network of the company.
My questions are:
Is this possible at all?
If yes, what would be the correct terms to search for resources on this topic?
Are there any security considerations?
From my understanding, there might be the possibility to access the network by accessing the IP of the router directly, and then having the router somehow authenticate my machine?
It's weird, but I would love to be able to do this from my home.
- Yes
- Lots of ways (VPN, Hamachi, RDP)
- Each of them has its own flaws, but they're mostly secure as long as you keep your IP to yourself
More on this:
https://resolve.co.uk/blog/article/how-to-connect-to-your-work-network-from-outside-the-office

How to prevent VPN toggle switch access on iPhone\iPad – For Enterprise Devices

I would like to create an iOS device configuration profile which should force the user to go through the VPN. I was able to create the configuration profile successfully and was able to send all device traffic via VPN (by selecting the 'Send All Traffic' check box), but on the device the user still sees an On/Off toggle switch for the VPN; in other words, they are able to turn off the VPN. My 'Send All Traffic via VPN' setting works only if the user turns on the VPN toggle switch on the device.
I would like to disable the VPN toggle switch, so that after installation of the device configuration profile the user is not able to turn off the VPN. Any suggestion/input on exactly what I should write in the .mobileconfig file so the device disables the 'VPN toggle' switch?
Thanks
Suresh
Please be aware that there's a new feature in iOS 8 called "Always-on VPN".
Excerpt from here: https://www.apple.com/br/privacy/docs/iOS_Security_Guide_Oct_2014.pdf
iOS 8 introduces Always-on VPN, which can be configured for devices managed via MDM and supervised using Apple Configurator or the Device Enrollment Program. This eliminates the need for users to turn on VPN to enable protection when connecting to Wi-Fi networks. Always-on VPN gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. The organization can now monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the Internet.
Please be aware that there is a difference between a device regarded as managed (actually, apps and settings are managed) and a device regarded as supervised. You supervise a device on initial registration, something you want to do only for corporate-owned devices, not BYOD.
Cheers
Jens
There is no configuration profile with a restriction which will prevent a user from turning the VPN off.
The closest you can get is to configure "Enable VPN on Demand". This way, if some application tries to access any host which matches, iOS will turn the VPN on automatically.
Look at this page: http://www.enterpriseios.com/wiki/On_Demand_VPN_Explained

Can I track activities if I know the IP?

Say I have the IP of a user, x.x.x.x. Then, using the IP, can I track all the activities that the user is doing? How can I do this?
How can I check which web pages the user is opening, or something similar?
Please guide.
No, you cannot. Traffic is point-to-point, and knowing the address of a point is not enough to know the traffic going to/from that point. It's like asking if you can read someone's (snail) mail just because you know their house address.
In order to "snoop" that fully, you need to be in the middle, where all traffic passes through your node (like having the postman give you the mail and then you giving it to the owner of the house).
If you have a machine that the traffic from the user is reaching (e.g. you're connected to the same switch), then probably yes. The most trivial way is using a network sniffer (Wireshark for Windows, tcpdump for Linux).
However, if the user surfs an SSL-secured site (a.k.a. HTTPS), then you will see only encrypted content.
Geolocation is not accurate because the primary source for IP address data is the Regional Internet Registries. They do not hold a database of information about individual IP addresses, but information about ranges of IP addresses that have been assigned to certain organizations. Such an organization has free rein over the IP addresses they get, and they do not need to give location information to the RIRs. In other words, only your ISP knows your exact location. If you want to find the location of a user, you will have to ask your ISP, and they will most probably deny your request.
You can't sniff packets sent from someone unless you are part of the same subnet - you would have to be connected to the same switch and be on the same virtual LAN as that user. Even if you somehow find the physical location of a user and connect to the same switch, the ISP has most likely set up port security, which would deny access to your MAC address.
In conclusion, unless you are already connected to the same switch, you can't track that user's activities.
If you are connected to the same switch, you can install one of the popular packet sniffer utilities such as Wireshark and set it to promiscuous mode.

Better understanding of Sonicwall VPN DNS and NETBIOS required

I would be interested in hearing from anyone who has successfully established a VPN connection through a Sonicwall (TZ-100) device onto an SBS 2008 network, as I currently have VPN access (through the Sonicwall Global VPN Client), but I am currently using a local user account from the firewall device.
As I am not establishing the VPN request using my Windows AD username and password, I am having to enter my Windows credentials to access network resources. Launching Outlook does not show my mail (even if I type in my password when prompted). If I type \\MyServerName\SharedFolder into Explorer, then I see the 'offline' sync folders stored on my laptop. On the other hand, if I type \\192.168.100.10\SharedFolder (let's assume this is the LAN IPv4 address for my server), then once I enter my Windows credentials, I can see ALL the 'online' folders. Currently, for mail, I am using OWA while connected on the VPN. This current approach is not ideal. I feel there is a DNS/NETBIOS problem with my current setup.
Question: so that I can work from home in a 'normal, uninterrupted' manner, do I need to activate 1. RADIUS by itself? 2. LDAP by itself? or 3. RADIUS + LDAP together? Any pointers would be helpful, as I would like to approach the Sonicwall support team armed with a little more info and having read some friendly material.
The problem was resolved by changing the DNS address on the Sonicwall device to the server rather than inheriting the external DNS addresses from the ISP. Also, the DHCP service was routed to the server for VPN traffic.
There is no need to set up any additional services on the server to get LDAP running on the Sonicwall device. With a little help from the Sonicwall support, my network now works as one would expect.
