VPN Protection of Wireless Networks

Gary Flynn flynngn at jmu.edu
Thu Dec 13 21:05:27 GMT 2001


In October I asked about vendor lockins on various security options 
for wireless networks.  VPN protection was mentioned quite often. 
>From my reading, effective VPN protection would require each individual 
user to have a unique key or digital certificate. Are people actually 
doing that? If so, how are you handling the administration of handing 
out and revoking keys and certificates? What, if anything is done to 
educate the end user of the importance of keeping them secret?

>From a Cisco web page:

"The wildcard pre-shared key feature is vulnerable to IP spoofing, 
 specifically the man-in-the-middle attack. An attacker can 
 potentially redirect all traffic between the IPSec peers to go 
 through an IKE proxy. If an attacker knows the pre-shared key 
 and can redirect all traffic between the IPSec peers to go through 
 an IKE proxy, the attacker can read and modify the IPSec-protected 
 data without detection."

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icl3encr.htm#29351

One philosophy I've heard about wireless is not to worry about
securing it more than your wireless network. However, it sounds to
me like this type of man-in-the-middle attack is different from
those against SSH and SSL. With the attacks I've seen against SSH or 
SSL a user gets a warning message about a changed host key or 
mismatched certificate. The Cisco doc says the MIM attack against
IKE can be done without detection.

Without individual keys or certificates, it would seem to me that
a wireless network depending upon VPN technology is less secure
than one depending upon WEP. True?

thanks,
-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



More information about the unisog mailing list