Well, that depends. For example, if you aren't using some form of strong authentication (i.e. smart cards, SecureID tokens, etc.) then its possible for someone to steal a laptop, use something like Cain (from the package Cain & Able) to extract their password from the registry. With that and a known wireless laptop, the attacker can then access your whole network from the parking lot (or the neighbor's house, or 7 miles away, etc.)
While the same password vulnerability exists for non-wireless environments, it does mean that the attacker would have to have physical access to the building to use the credentials. Jon -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl Sent: Wednesday, April 14, 2004 12:42 PM To: Email List: Full Disclosure Subject: Re: [Full-Disclosure] Cisco LEAP exploit tool... --On Wednesday, April 14, 2004 09:17:56 AM -0500 Ron DuFresne <[EMAIL PROTECTED]> wrote: > > All wireless traffic should be treated as unsecured, and pushed > through a DMZ/encryption tunneled setup. Puttiing wireless AP's > directly on the LAN is a major blunder. > Well, that really depends, doesn't it. We're doing IPSEC using AES for wireless on a test network. It's a good deal more secure than our wired network, which is still plain text. Or did you just assume that everyone is using WEP? Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
