[ale] KISS: Is Sniffing a Real Threat in a modern Switched LAN?
neal at mnopltd.com
neal at mnopltd.com
Thu Mar 11 11:50:35 EST 2021
So, if the 11th commandment is:
- thou shalt never commit online banking on anything but a wired office
connection, and make sure thy windows firewall is active.
- never bank when anyone other than staff are in upstairs wifi range.
have we pretty much covered it? Yes, I could be a scold about specific
online banking practices, but that's not my remit. I'm adding a linux
music audio server and letting the little kiddies print stuff.
regards,
Neal
On 2021-03-11 09:42, DJ-Pfulio via Ale wrote:
> Any wifi without requiring a full VPN to secure it is a failure, IMHO.
> But most places probably think WPA2-PSK is secure. It might be or it
> might not be secure. Depends on lots of other stuff being exactly
> correct.
>
> OTOH, if wifi is for guest-only users, I wouldn't worry.
>
> For banking, there are many more steps needed. Non-personal bank
> accounts don't have the same insurance protections that individual
> accounts get.
> https://krebsonsecurity.com/online-banking-best-practices-for-businesses/
>
> +1 for using WinSCP.
>
> On 3/11/21 10:01 AM, Neal Rhodes via Ale wrote:
>> Ok, maybe slightly OT BUT there is a linux server involved...
>>
>> Again looking at what security is really needed, but going deeper.
>> What assets need protection? Turns out, everything is in the cloud.
>>
>> The question is: if we make a downstairs Wifi router be an access
>> point instead, do we really expose anything?
>>
>>
>> Primary EdgeRouter-X Router: (has 5 ports; Eth1-5 are all on
>> 192.168.1.x) - Eth0 - WAN port goes to Comcast Router; - Eth1 -
>> NetGear jgs524pe Switch in office - Office Win10 Desktop - https
>> access to Banking, Financials, Roster <== Primary Security Concern
>> - Polycon phone-set - Office Win10 Desktop - https access to Banking,
>> Financials, Roster <== Primary Security Concern - Linksys Wifi
>> Access Point - Office Notebooks
>>
>> - Eth2 - NetGear jgs524pe Switch downstairs - ASUS Wifi in Hall
>> downstairs, configured as Access Point - Ubuntu Desktop on Wired
>> port, running Jamulus on forwarded UDP port 22124 <== Can this be a
>> Threat? - Children in Community Schools doing Distance Learning with
>> personal notebooks <== Can this be a Threat?
>>
>> My understanding is that due to the nature of how a switch works, so
>> long as office staff always use wired connections to do HTTPS cloud
>> work, there is simply no way for anything downstairs, on a different
>> switch, do sniff the HTTPS traffic. Even other desktops on the same
>> switch in the office could not sniff the HTTPS traffic of the other
>> desktops. So long as those computers leave the windows firewall
>> running, don't allow RDP, etc, I don't see an exposure.
>>
>> It would seem dubious for Office computers to use Wifi connections
>> for banking, and we should make that a taboo.
>>
>> BUT, I can't see how an exploit could piggyback in on a child's
>> notebook and gain any sniffing access upstairs? Nor could a flaw in
>> the Jamulus server which ultimately provided a linux command line
>> result in getting access to financial computers.
>>
>> I was debating about firing up Samba on the Linux box to make it easy
>> to grab multi-track audio recordings, but... maybe we'd best not, and
>> use winScp instead.
>>
>> Thoughts?
>>
>> Neal _______________________________________________ Ale mailing
>> list Ale at ale.org https://mail.ale.org/mailman/listinfo/ale See JOBS,
>> ANNOUNCE and SCHOOLS lists at http://mail.ale.org/mailman/listinfo
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
More information about the Ale
mailing list