[unisog] VPN Protection of Wireless Networks

Patrick Darden darden at armc.org
Fri Dec 14 16:20:36 GMT 2001


Gary,

I believe we are talking about the same thing.  The username/password pair
that I have been speaking about is the same as the pre-shared key you are
talking about.  Here's the process as I understand it.  During the ESP
negotiation phase (initial negotiation of an encrypted IPSEC tunnel) the
client sends the username to the VPN engine.  The VPNe knows by the
username which pre-shared key (password) to use.  They both begin using
that password.  The password itself is never sent.  Both endpoints of the
tunnel use that secret to encrypt, and if they don't start receiving
intelligible data, they disconnect and retry.  In addition, the VPNE
allows timed renegotiation at pre-set intervals.  We set ours to every 5
minutes, minimizing the chances of a mitma.

--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden at armc.org
--                              Athens Regional Medical Center


On Fri, 14 Dec 2001, Gary Flynn wrote:

> Patrick Darden wrote:
> >  
> > We currently use a radius database for a different username/password for
> > each user.  We have them fill out a form, then we enter the information
> > for them, issue a username and password, etc.
> 
> OK, I'm not sure we're talking about the same thing.
> 
> I think I understand you have a VPN client that sends username/password
> authentication credentials to a VPN concentrator which, in turn, uses 
> a Radius backend. That is well and good. We're planning on doing the same
> thing.
> 
> However, that authentication session is protected by IPSEC. The VPN 
> client and concentrator need either keys or certificates to encrypt 
> the IPSEC session. If all the clients are configured to use the same key, 
> then any of the clients can hijack the IPSEC session (see the
> Cisco web site cited in my original post). This means the
> Radius usernames and passwords are available to anyone with
> access to the client and shared key.
> 
> -- 
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
> 
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe
> 
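A toy model of the exchange the two posts describe, written for this page and not code from either poster or from any VPN product: the PSK table, usernames, nonce sizes and the HMAC-based derivation are all assumptions, and the derivation only loosely mirrors IKEv1's PSK path. It contrasts per-user keys with the single group key Gary warns about, across the timed renegotiations Patrick mentions.

```python
import hmac
import hashlib
import secrets

# Constructed PSK tables (made-up values). Per-user: the "VPNe knows by the
# username which pre-shared key to use" lookup Patrick describes.
PER_USER_PSKS = {
    "alice": b"alice-psk-constructed-0001",
    "bob": b"bob-psk-constructed-0002",
}
# One group PSK handed to every client: the configuration Gary warns about.
GROUP_PSK = b"group-psk-constructed-shared-by-all"
GROUP_PSK_TABLE = {user: GROUP_PSK for user in PER_USER_PSKS}


def derive_session_key(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Toy stand-in for PSK-based key derivation, loosely shaped like IKEv1's
    SKEYID = prf(psk, Ni | Nr): only identity and nonces cross the wire, the
    PSK never does, yet anyone holding that PSK can recompute the key."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def handshake(username: str, psk_table: dict, ni: bytes = None, nr: bytes = None):
    """One negotiation (or one timed renegotiation): the client sends identity
    and nonce Ni, the gateway looks up the PSK and answers with nonce Nr.
    Returns the cleartext nonces plus the derived key, or None if unknown."""
    psk = psk_table.get(username)
    if psk is None:
        return None
    ni = ni if ni is not None else secrets.token_bytes(16)
    nr = nr if nr is not None else secrets.token_bytes(16)
    return ni, nr, derive_session_key(psk, ni, nr)


def observer_can_derive(observer_psk: bytes, ni: bytes, nr: bytes, key: bytes) -> bool:
    """Can a party who saw the cleartext nonces and holds observer_psk compute
    the session key (and so read the RADIUS login carried inside the tunnel)?"""
    return hmac.compare_digest(derive_session_key(observer_psk, ni, nr), key)


def exposure_report(psk_table: dict, victim: str, insider: str, rekeys: int = 3) -> list:
    """Initial negotiation plus `rekeys` renegotiations for `victim`; per key,
    report whether `insider` (another enrolled client) can derive it."""
    results = []
    for _ in range(rekeys + 1):
        ni, nr, key = handshake(victim, psk_table)
        results.append(observer_can_derive(psk_table[insider], ni, nr, key))
    return results
```

With per-user keys the report is all False; with the group table every key, including each renegotiated one, is derivable by any other enrolled client.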