Lounge with no Guest network

egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 454

Seriously guys, for you pentesters out there. So I ran into a lounge with no guest network. ALL their employees, along with ALL the guests that come to that lounge to hang out, all use the same network called Lounge10Net. Their claim to security is that they have a forced VPN policy on employee laptops. So my dumb question to you is this: an area with no guest network is more vulnerable to hacker attacks, right? VPN or no VPN.

Can you all from the penetration testing side please detail the risks they face from a malicious actor?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+), Surf City, USA, Admin, Posts: 12,200
    edited April 7
    It sounds like anyone with VPN credentials that can successfully authenticate is considered sufficiently trustworthy to use the network. This implies that all humans accessing the network are pre-validated (i.e., cleared) before being given VPN creds. What are the applications hosted on the network that the guests have access to once authenticated to the VPN?
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 454
    How you been, JD? Hope Easter was good.

    To your comment. Well, not quite. At the lounge it's a mixture of public users (i.e., the lounge patrons) as well as employees. The employees have automatic VPN on their laptops. However, for public guests... well, they're just public guests, and there's not even any way to see whether they're using malware-infested laptops, before even approaching whether or not they're using a VPN on their computers.

    Anyways... I wanted to just throw this situation out there in the woods of pentesters to see what their opinions are.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+), Surf City, USA, Admin, Posts: 12,200
    The non-authenticated 'guests' must have much greater restrictions (i.e., much less privileges) than the VPN-authenticated users. There may be very little that is discoverable from the guest environment for a pentester to make use of. That's why I asked what kind of apps the guests have access to. If it's typical social media apps, like Discord and Mastodon, then security is applied at the app-level rather than at the network-level.
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+), Member, Posts: 454
    The guests can get to the internet and fully utilize internet-based apps like Facebook, Twitter, etc. Public guests do not have access to any internal corporate apps.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+), Surf City, USA, Admin, Posts: 12,200
    The guests are connecting to the business' Wi-Fi and then getting access to the Internet but can't get to the corporate network? My inexpensive Asus Wi-Fi router can provide that same access for guests in my home.