VPN Protection of Wireless Networks
flynngn at jmu.edu
Thu Dec 13 21:05:27 GMT 2001
In October I asked about vendor lockins on various security options
for wireless networks. VPN protection was mentioned quite often.
>From my reading, effective VPN protection would require each individual
user to have a unique key or digital certificate. Are people actually
doing that? If so, how are you handling the administration of handing
out and revoking keys and certificates? What, if anything is done to
educate the end user of the importance of keeping them secret?
>From a Cisco web page:
"The wildcard pre-shared key feature is vulnerable to IP spoofing,
specifically the man-in-the-middle attack. An attacker can
potentially redirect all traffic between the IPSec peers to go
through an IKE proxy. If an attacker knows the pre-shared key
and can redirect all traffic between the IPSec peers to go through
an IKE proxy, the attacker can read and modify the IPSec-protected
data without detection."
One philosophy I've heard about wireless is not to worry about
securing it more than your wireless network. However, it sounds to
me like this type of man-in-the-middle attack is different from
those against SSH and SSL. With the attacks I've seen against SSH or
SSL a user gets a warning message about a changed host key or
mismatched certificate. The Cisco doc says the MIM attack against
IKE can be done without detection.
Without individual keys or certificates, it would seem to me that
a wireless network depending upon VPN technology is less secure
than one depending upon WEP. True?
Security Engineer - Technical Services
James Madison University
More information about the unisog