Evaluating Wireless Security Risks
Mark Lee is a desktop technician at a large law firm. Law firms are among the slowest adopters of new technologies, and Mark's employer is no exception. The organization has, to date, not deployed a wireless network. After bringing up the benefits of wireless networks at a recent meeting with the IT staff, Mark was told that the company will not be deploying a wireless network for several years, if ever.
The lack of an IT-configured wireless network has not entirely stopped their adoption, however. Yesterday, Mark noticed a junior attorney surfing the web with his laptop in the lunch room, without a network cable. When Mark asked the attorney how he was connected to the network, he confessed that he plugged a consumer WAP into the network port in his office.
Which of the following are potential risks of having a rogue wireless network in the office? (Choose all that apply and explain your reasons.)
a. An attacker with a wireless network card could join their Active Directory domain.
b. An attacker could access hosts on the internal network from the lobby of the building with a wireless-enabled mobile computer.
c. An attacker could use a wireless network card to capture traffic between two wired network hosts.
d. An attacker could use the company's Internet connection from the lobby of the building with a wireless-enabled mobile computer.
e. An attacker could capture an attorney's e-mail credentials as the attorney downloads his messages across the wireless link.
Scenario 12-2: Establishing a Wireless Networking Policy
After evaluating the risks of a rogue wireless network, Mark Lee decides that he must convince the IT director that the company needs a wireless network security policy even if they do not want to sponsor a wireless network. Which of the following strategies would reduce the risk of a security breech resulting from a rogue wireless network? (Choose all that apply and explain your reasons.)
a. Deploying an IT-managed WAP with WEP encryption and 802.1X authentication.
b. Publishing instructions for other employees to access the current employee-managed WAP.
c. Educating internal employees about the risks associated with wireless networks.
d. Publishing a wireless network security policy forbidding employee-managed WAPs.
e. Deploying an IT-managed WAP using open network authentication without encryption.
f. Publishing a wireless network security policy allowing employee-managed WAPs, as long as they have authentication and encryption enabled.