The bane of our existence: Security
joel.hazel
06-02-2003, 03:54 AM
I don't think I'm the only one who thinks that security is on the mind of everyone who is thinking wireless. WEP falls on its face, we all know that, but if I may ask: why haven't more decided to make clients VPN into their network? It seems like the answer to almost every security problem, except that of someone possibly hacking your server (if that is what you choose to VPN into). Is there something that I'm missing? Or ...
Anyway, I'm curious as to your thoughts. I've been going over this in my mind for the past few weeks and I haven't found a hole. Thanks,
oshea85
06-02-2003, 07:51 AM
I've posted this elsewhere, so here's an abbreviated version:
VPNs protect user data, not your wireless network.
They cost a bit of $$$ if you don't already have the infrastructure in place.
The VPN architecture requires that you leave your APs and a DHCP server in the clear. These are vulnerable to attack. APs and clients not protected by some form of WEP or EAP are subject to disassociation attacks.
VPN enc/decr is done in software. This can be a performance issue for PDAs. Also, most wireless cards do WEP in software as well, so if you try to do some basic protecting of the WLAN via WEP, your clients are getting a double-whammy of enc/decr CPU burden.
An 802.1x-based EAP-solution is more secure than VPN is for wireless, more scalable, and will perform better if properly designed and implemented.
jimmyjam
06-02-2003, 04:37 PM
Refresh my memory... there is no way to protect oneself from disassociation attacks short of lining one's building with tin foil and frisking people who come in, is there?
This is the last piece of the puzzle that .11i is going to fix, right?
jatkins679
06-05-2003, 01:33 PM
Originally posted by joel.hazel
Why haven't more decided to make clients VPN into their network? It seems like the answer to almost every security problem...
It can be an administrative nightmare. Have to run VPN software not only on the server side, but the client side. When (not if) client starts to have connectivity problems, that's just one more layer of app that needs to be eliminated as the cause. I see 'VPN' and I just say 'Ughhh.....'
And it only addresses one aspect of network security: data stream integrity and security. It does not address people getting onto your WLAN (and by extension your wired LAN), which is also a huge concern.
joel.hazel
06-05-2003, 02:08 PM
Originally posted by jatkins679
It can be an administrative nightmare. Have to run VPN software not only on the server side, but the client side.
I agree that setting up the VPN server can be a pain. I spent too many hours fighting the thing to get it to work the first time, but ever since it has just been a breeze. I wonder, though, about you saying that they have to run software on the client side? Most of the users that you'll be dealing with are going to be running Windows. Sad but true, but also it's fairly easy to set up a VPN connection. Make new connection, etc. Is this what you meant? Or were you thinking something different?
And it only addresses one aspect of network security: data stream integrity and security. It does not address people getting onto your WLAN (and by extension your wired LAN), which is also a huge concern.
Correct. When I originally posted I was thinking just data stream integrity, however I should add using backend authentication such as a Radius server, would seem to be a solution to attackers getting onto your net. While they may be able to associate with the AP, they shouldn't be able to hit anywhere on your net. That is at least how it's been explained to me... but admittedly I'm no hacker and I'm sure there are tricks out there for every hurdle. Anyway, I hope this clears up any confusion as to my original post.
aaron1128
06-05-2003, 03:40 PM
WEP provides no security at all. I found an appliance that Greener Pastures Innovation makes that uses LDAP and Radius for authentication and requires no WEP key (or any other key) management. This means that it can use any and all kinds of AP.
-an
oshea85
06-05-2003, 07:38 PM
Aaron1128, if Greener Pastures is using LDAP and RADIUS, it's doing 802.1x. If it's using 802.1x, the encryption is the WEP implementation of RC4. The diff is that 802.1x-based EAP solutions change the key so often that you can never capture enough packets to run a cryptanalysis on them.
Most EAP solutions can run on any enterprise-grade, 802.1x-capable APs (exception is LEAP, which is Cisco proprietary, but being licensed). Ya got yer PEAP (best), ya got yer LEAP, ya got yer EAP-TLS (pain to build and manage), ya gots yer EAP-TTLS (proprietary), EAP-MD5 (no good, only one-way authentication).
To do a VPN over wireless, you have to set a DHCP server in the clear. That means that you must let untrusted people past your APs to get to the DHCP server. I do not like that AT ALL.
The disassociation attack is remedied by broadcast key rotation, I believe, which you won't get with VPN. If someone knows different, please enlighten me.
joel.hazel
06-05-2003, 08:00 PM
Originally posted by oshea85
To do a VPN over wireless, you have to set a DHCP server in the clear. That means that you must let untrusted people past your APs to get to the DHCP server. I do not like that AT ALL.
Oshea, I'm not sure if I'm following you completely. Do you mean that you have to have a VPN server -and- a DHCP server in the clear? If yes to that answer, I've set up my VPN server to send out the DHCP addies once authenticated. It seems that this approach isn't too vulnerable, but again I might be missing something. Your thoughts welcome.
oshea85
06-05-2003, 08:04 PM
Right, but don't your client devices need to pull an IP address to talk IP to your VPN server to set up a tunnel so they can pull another IP address that's valid inside the tunnel?
Not an expert on VPN, but this is how I've seen it built.
aaron1128
06-05-2003, 08:40 PM
Nope, I own a coffee shop and all I need is a gateway that keeps the non-paying loiterers off my network, but I need to manage about 50 or so new and old users on a daily basis. I got it out of the box, plugged my 2 cable wires into the box and ran through the setup screen. It didn't ask me for any WEP keys, and I'm using my own AP that I bought several months back.
I asked these guys and they even confirmed that no WEP keys are being issued.
-an
oshea85
06-05-2003, 08:43 PM
Aaron, then you're not really providing "security", you're just providing access control, which is something different.
joel.hazel
06-06-2003, 12:38 AM
Oshea,
Correct, they do have to have an IP address to be able to connect to the VPN server. I've just been setting them up with static addresses though, instead of DHCP. #1, we don't have the money for another server. #2 as you've said, I didn't want anything more than I had to, to be out in the open. #3 it gives me an opportunity to sit down with the customer and yack at em. A little PR work while they are still fresh. :p
-shrug- I don't know, 'cause I've had little experience in hardening a network, but I thought this was the best way of going about it? Again, any thoughts are appreciated. Last thing I want to do is have an open hole for some hacker to get through.
JoeTampa
06-06-2003, 06:28 AM
802.1x is hampered by the fact that all of the common EAP-types are either very cumbersome and administratively heavy (EAP-TLS, with a full PKI) or have had vulnerabilities demonstrated against them (EAP-TTLS, EAP-MD5, EAP-PEAP). LEAP has been cracked.
Using an IPSec VPN? Why? All broadcast and multicast traffic is unencrypted, anyone with a wireless card can perform an ARP poisoning DoS attack (by design or accident), and there have been man in the middle attacks against some vendor's XAUTH implementations.
oshea85
06-06-2003, 06:59 AM
JoeTampa, do have documentation to support your claim that LEAP has been cracked? I'd love to see that.
I've implemented PEAP, and I thought it wasn't hard to build at all. I'm not aware of vulnerabilities. Can you share?
Also, I guess the solution is the one your firm provides? What do you guys make again?
JoeTampa
06-06-2003, 07:07 AM
No documentation on the LEAP exploit, but it is getting around. It results from the use of MS-CHAPv2; If the passwords are not strong, they can be gained through a standard dictionary attack immediately. Google LEAP and MS-CHAPv2 and you should find plenty of references.
As far as PEAP, goes, look here: http://eprint.iacr.org/2002/163.pdf
I try not to discuss my company's products in forums such as this, since I am not a salesguy, but if you contact me off-forum I will provide information on our product. And yes, it does solve the problem.
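Added example (editor's, not from JoeTampa's post or any vendor's product): the dictionary attack described above works because a sniffer on the WLAN sees both the challenge and the response, and the response is a keyed function of the password alone, so every guess can be checked offline. The block below keeps that shape but swaps the real MD4/DES computation of MS-CHAP for HMAC-SHA1 over a SHA-1 of the password; it is a stand-in, not LEAP's wire format. The challenge, the responses and the word list are constructed.

```python
"""Offline dictionary attack on a sniffed challenge/response pair.

Added example, not code from the original thread or from any vendor.
The primitive is a stand-in: HMAC-SHA1 keyed with a SHA-1 of the password
replaces the MD4/DES computation MS-CHAP actually uses, so the attack's
structure (not LEAP's real wire format) is what this shows. Challenge,
responses and word list are constructed sample data.
"""
import hashlib
import hmac

# Constructed 8-byte server challenge, as an attacker would sniff it off the air.
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "Summer2003", "hospital", "Welcome1"]


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (the real scheme uses MD4 over the UTF-16LE password)."""
    return hashlib.sha1(password.encode("utf-16-le")).digest()


def challenge_response(challenge: bytes, password: str) -> bytes:
    """Stand-in for the DES-based response: a keyed function of the challenge.

    There is no per-user salt and no server-side secret in the computation,
    which is exactly what makes offline guessing possible.
    """
    return hmac.new(password_hash(password), challenge, hashlib.sha1).digest()


def dictionary_attack(challenge: bytes, response: bytes, wordlist):
    """Return (password, guesses_tried) for the first word whose computed
    response equals the sniffed one, or (None, guesses_tried) if none does."""
    for n, word in enumerate(wordlist, start=1):
        if hmac.compare_digest(challenge_response(challenge, word), response):
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    for pw in ("Summer2003", "x7#Qm!p2Ld9"):
        sniffed = challenge_response(CHALLENGE, pw)
        print(pw, "->", dictionary_attack(CHALLENGE, sniffed, WORDLIST))
```

The weak password falls on the third guess; the strong one survives the whole list, which is the only defence the protocol itself leaves you (tunnelling the exchange inside TLS, as PEAP and EAP-TTLS do, is the other).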
joel.hazel
06-06-2003, 04:41 PM
Originally posted by JoeTampa
Using an IPSec VPN? Why? All broadcast and multicast traffic is unencrypted, anyone with a wireless card can perform an ARP poisoning DoS attack (by design or accident), and there have been man in the middle attacks against some vendor's XAUTH implementations.
Joe,
Could you explain ARP poisoning? Or direct me to a link or two? I'd appreciate it.
JoeTampa
06-06-2003, 05:16 PM
Sure. In IPSec, the client takes the original packet (addressed, say, to a web site) and encapsulates that in an IPSec packet addressed to the IPSec gateway. The client then ARPs the gateway, and forms an Ethernet frame using the MAC address contained in the ARP reply from the gateway as the destination MAC address for the frame, and sends it. All other stations disregard that frame since the dest MAC is not theirs.
Now, consider what happens if someone else is associated with the Access Point and assigns themselves the same IP address as the gateway. The legit client tries to ARP the gateway and gets two replies - one from the gateway, one from the attacker. He will use the first one he receives - and if it's the attacker's, the frame is sent to the attacker and the gateway ignores it. The attacker likely can't decrypt it and discards it.
In a worst-case scenario, the attacker also assumes the IPs of the client stations, and answers ARP queries from the gateway for the clients. Thus, it's likely that the whole WLAN will get snarled, especially when you consider the extra retries that the client and intended recipient will have to go through.
How do you prevent this? If you're using IPSec, you can't, unless you either:
1) find and disable the attacker
2) use 100% static ARP tables (which is worse than administering WEP keys)
3) Rewrite TCP/IP <<grin>>
We encrypt everything (including broadcast traffic) at layer 2 for this and other reasons.
Here's a white paper with more detail on ARP Poisoning:
http://www.eecs.umich.edu/~aprakash/security/reviews/Niranjan-ARP.txt
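Added example (editor's, not from JoeTampa's post or any product): a small model of the ARP race described above and of two of the three remedies listed, static entries and spotting the attacker. It follows the post's simplification that a host keeps the first reply it sees; real stacks also overwrite an entry on later replies, which only lets the attacker keep re-poisoning. All MAC and IP addresses are constructed.

```python
"""ARP reply race on a shared WLAN, and the mitigations named in the thread.

Added example, not code from the original thread or from any product.
Models the behaviour described (a host's cache takes the first reply it
sees); real stacks also update entries on later replies, which makes
matters worse, not better. All addresses are constructed sample data.
"""
from dataclasses import dataclass

GATEWAY_IP = "10.0.0.1"
REAL_GW_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    seq: int          # arrival order on the segment


class ArpCache:
    """Per-host ARP cache: pinned static entries win, otherwise first reply wins."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.dynamic = {}

    def on_reply(self, reply: ArpReply) -> None:
        if reply.sender_ip in self.static:
            return                                              # remedy 2: static entry, spoof ignored
        self.dynamic.setdefault(reply.sender_ip, reply.sender_mac)   # first reply wins

    def lookup(self, ip: str):
        return self.static.get(ip) or self.dynamic.get(ip)


def resolve_gateway(cache: ArpCache, replies) -> str:
    """Feed the replies in wire order and return the MAC the host will put in
    the destination field of every frame it sends to its IPsec gateway."""
    for reply in sorted(replies, key=lambda r: r.seq):
        cache.on_reply(reply)
    return cache.lookup(GATEWAY_IP)


def find_conflicts(replies) -> dict:
    """Remedy 1, detection: IPs claimed by more than one MAC (the 'flip flop'
    that arpwatch reports). Returns {ip: [mac, ...]} for conflicting IPs only."""
    claims = {}
    for reply in replies:
        claims.setdefault(reply.sender_ip, set()).add(reply.sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed race: the attacker's reply beats the real gateway's.
RACE = [
    ArpReply(GATEWAY_IP, ATTACKER_MAC, seq=1),
    ArpReply(GATEWAY_IP, REAL_GW_MAC, seq=2),
]

if __name__ == "__main__":
    print("dynamic cache sends tunnel frames to:", resolve_gateway(ArpCache(), RACE))
    print("static cache sends tunnel frames to: ",
          resolve_gateway(ArpCache({GATEWAY_IP: REAL_GW_MAC}), RACE))
    print("conflicting IPs:", find_conflicts(RACE))
```

Note that the conflict check only tells you something is wrong; it cannot say which MAC is the impostor without out-of-band knowledge of the real gateway, which is why the static entry is the only one of the two that actually keeps traffic flowing during the attack.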
joel.hazel
06-09-2003, 12:29 AM
Are either of you aware of any 'labs' out there that can help you through setting up PEAP, or any of the other protocols? It sounds as if relying on VPN isn't my end all to security for my WLAN. I've read through a number of articles about what PEAP, etc do, but none that explain anything about how to go abouts and set them up. Anyway, thanks for your responses. They've proven enlightening.
Joel Hazel
Network Admin
Blue Spruce Broadband
P.S. JoeTampa, thanks for the info on ARP poisoning. I wasn't aware of that vulnerability at all.
JoeTampa
06-09-2003, 06:09 AM
Not really, and that's part of the problem. At N+I in Atlanta last year, we had plenty of people wander over from the "802.1x Zone" complaining that they'd tried to set it up and had been frustrated.
As far as not knowing about the ARP poisoning in IPSec, yeah, not a lot of people stopped to think about what happens when your entire IPSec network is in a single broadcast domain. I usually tell people to plug a sniffer into their LAN and capture/examine broadcast traffic only. When they see what WON'T be encrypted under IPSec/WLAN, they start to get the picture. Just to whet your appetite, think about NetBIOS broadcasts, Cisco Discovery Protocol, ARP, etc., and you'll see that in most networks, you can gain a significant amount of intelligence before you ever start an attack. I mean, what's the point of giving your AP an obscure SSID to protect your company's identity if your NetBIOS and/or DHCP broadcasts are screaming your domain name in packets that IPSec won't encrypt by design?
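Added example (editor's, not from JoeTampa's post): the DHCP case from the paragraph above, worked through. It builds two constructed DHCP frames, a client DISCOVER carrying option 12 (host name) and a server OFFER carrying option 15 (domain name), plus one unicast frame to the gateway, classifies each the way a host-to-gateway IPsec policy does (unicast to the gateway goes in the tunnel, anything with a group destination MAC does not), and reads the names out of the frames left in the clear. Ethernet framing stands in for 802.11, IP and UDP checksums are left at zero since nothing here hands the frames to a real stack, and every MAC, name and address is made up.

```python
"""What a host-to-gateway IPsec policy leaves readable: a DHCP exchange.

Added example, not code from the original thread. Ethernet framing is used
in place of 802.11 for brevity, and checksums are left zero because these
frames are only parsed, never transmitted. All values are constructed.
"""
import struct

BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("000c29123456")
SERVER_MAC = bytes.fromhex("0050568a0001")
GATEWAY_MAC = bytes.fromhex("001122334455")
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that starts the options field


def build_dhcp_frame(src_mac, dst_mac, sport, dport, msg_type, options):
    """Ethernet/IPv4/UDP/BOOTP frame carrying DHCP options given as (code, bytes)."""
    op = 1 if sport == 68 else 2     # BOOTREQUEST from a client, BOOTREPLY from a server
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0x8000,   # flags 0x8000: client asks for broadcast replies
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        CLIENT_MAC + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = MAGIC + bytes([53, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    opts += b"\xff"
    payload = bootp + opts
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)   # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     64, 17, 0, b"\0\0\0\0", b"\xff\xff\xff\xff")   # header checksum left 0
    return dst_mac + src_mac + b"\x08\x00" + ip + udp + payload


def is_group_destination(frame: bytes) -> bool:
    """True for broadcast or multicast: the I/G bit of the first destination octet is set."""
    return bool(frame[0] & 0x01)


def ipsec_encrypts(frame: bytes) -> bool:
    """Policy model from the post: only unicast traffic rides inside the tunnel."""
    return not is_group_destination(frame)


def dhcp_names(frame: bytes) -> dict:
    """Host name (option 12) and domain name (option 15) from a DHCP frame, else {}."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # not IPv4, or not UDP
        return {}
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    if set(struct.unpack("!HH", udp[:4])) != {67, 68}:
        return {}
    bootp = udp[8:]
    if bootp[236:240] != MAGIC:
        return {}
    out, opts, i = {}, bootp[240:], 0
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                                   # pad option has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 12:
            out["hostname"] = value.decode("ascii", "replace")
        elif code == 15:
            out["domain"] = value.decode("ascii", "replace")
        i += 2 + length
    return out


def cleartext_leaks(frames) -> dict:
    """Names any station on the segment can read despite the VPN."""
    found = {}
    for frame in frames:
        if not ipsec_encrypts(frame):
            found.update(dhcp_names(frame))
    return found


# Constructed frames as seen on the WLAN before any tunnel is up.
DISCOVER = build_dhcp_frame(CLIENT_MAC, BROADCAST, 68, 67, 1, [(12, b"drjones-laptop")])
OFFER = build_dhcp_frame(SERVER_MAC, BROADCAST, 67, 68, 2, [(15, b"hospital.example")])
UNICAST = GATEWAY_MAC + CLIENT_MAC + b"\x08\x00" + b"\x45" + b"\0" * 19   # minimal unicast IP frame

if __name__ == "__main__":
    print(cleartext_leaks([DISCOVER, OFFER, UNICAST]))
```

The server's OFFER is broadcast here only because the client set the broadcast flag; a client that clears it gets a unicast OFFER, but the DISCOVER with the host name is broadcast regardless, and NetBIOS name registrations and CDP announcements follow the same rule.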
oshea85
06-09-2003, 08:31 AM
Joe, I think your company probably has an excellent solution to WLAN security, but doesn't your solution require proprietary hardware?
angscang
06-09-2003, 12:09 PM
Originally posted by aaron1128
WEP provides no security at all. I found an appliance that Greener Pastures Innovation makes that uses LDAP and Radius for authentication and requires no WEP key (or any other key) management. This means that it can use any and all kinds of AP.
-an
What's Greener Pastures' website and the product? Thanks.
fokro
06-11-2003, 10:41 AM
I have been tasked to look into wireless connectivity using a VPN solution for security and authentication. We have numerous physicians who have PDAs and personal laptops that want access to the network. We have a huge existing wireless infrastructure using Cisco Aironet APs (350s and 1200s), and we are using LEAP as an authentication protocol. We already have PHDs using company-provided laptops and tablets for wireless access, but the hospital is looking for ways to save money, and they seem to think that if we can minimize the purchasing of Cisco wireless NICs and wireless devices for PHDs this will help our budget. So their vision is that a PHD can come in, use his own personal laptop/PDA using either the built-in wireless NIC or some other NIC to get access to the network, and use VPN for security and access, since the majority of devices are not LEAP-compatible.
I have heard that the VPN solution is an administrative nightmare and that roaming between APs is difficult. Plus this solution is not very secure. I would appreciate feedback, PROS vs CONS, so I can begin to put this all together.
Thank you for everyone's help.
JoeTampa
06-11-2003, 11:40 AM
Oshea: Yes, we do have our own hardware gateway, plus client software and optional policy/authentication server software.
Fokro: You can glean a good amount of info just reading this and other threads in this forum, but you might want to contact me off-list and we can arrange a phone call to discuss all the pros and cons as they are quite lengthy.
- Joe
wi-fiplanet.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.