Date: | October 15, 2008 / year-entry #340 |
Tags: | tipssupport |
Orig Link: | https://blogs.msdn.microsoft.com/oldnewthing/20081015-00/?p=20563 |
Comments: | 8 |
As a follow-up to my tip on speeding up connecting via RAS and a SmartCard, I've been told that another trick you can do is to disable your wireless networking card before initiating the VPN connection. Wireless networking cards are a huge attack surface, and the VPN software spends a lot of time trying to secure it. I don't have a wireless networking card on the machine I use at home to connect to the work network, so I haven't tried it, but who knows, maybe it'll work for you.
Comments (8)
Sounds very vague. Perhaps you could get your source to elaborate?
My VPN software (OpenVPN) doesn’t touch any wifi hardware when connecting, other than actually using the card to connect.
A disconnected wifi card surely has no greater attack surface than a disconnected wired NIC?
Indeed, it sounds strange to me too. The VPN software might indeed have to jump through a dozen hoops to secure the wireless connection. But I really doubt it is continuously spending CPU time to ignore the wireless connection.
I’d love to know what it’s "securing" too. Perhaps run procmon while connecting, and post a little comment here?
What if I access the VPN with my wireless connection?
Tom: don’t trust OpenVPN over wireless connections, a thousand times so if you are using redirect-gateway. If the wireless connection goes down and then back up, its "real" routes pushed by the DHCP server will override the OpenVPN routes. I discovered this the hard way.
Hyperion: You can try the OpenVPN option that uses route.exe to set routes instead of using the normal API calls. I think those are persistent…
Yes, but OpenVPN is no "solution", it’s just an excellent excellent tool/product.
Microsoft definitively uses such bogus software that checks whether your handbrake is on, uh, I mean, whether your virus scammer, uh, scanner is running and whether windows update is on, etc…
From a security perspective this is *always* rubbish because you easily can and should fool that software and waive it with an "all is okay" packet.
Sadly there is MUCH too little information about sending fake status reports to such "solutions".
Of course it’s also a matter of policy or termination
(unless you don’t disassemble your laptop or have the admin password and there is no virtualization or trusted computing involved)
Christian: I think I agree.
Yesterday I struggled with Vista’s built in zip-support. It refused to unzip .js files, so I removed the script host association for those files. Then it refused to unzip files that had no extension… I was lost for words. I usually unzip using the command line, but this time I needed to avoid one directory in particular and the visual approach seemed easier.
Then I needed to send a .js file to an MSN contact and was told I had no virus scanner installed. WTF? I told it to use C:nonsense.exe as its scanner, and the upload went well. However, that screwed up my downloads of course, since c:nonsense.exe does not actually exist.
Pre-emptive Raymond snarky comment: Yes, I realise you are not to blame, wrong team and all… I still would like to point out that most security software is overkill and just an annoyance to advanced users.