[vpn] Securing 802.11b in W2K environment?

Kent Dallas kent at dalliesin.com
Fri Nov 2 14:11:35 EST 2001


Mark,

I agree with the suggestions that David Gillett has offered, but thought I
would offer another alternative.

You could take the connection between your cable modem and your 10bT Win2K
NIC and place a hub in between them.  Then add your 802.11b access point to
the hub, instead of placing your access point on the private network switch.

This solution effectively moves your access point from inside the firewall
to outside the firewall.  You will then be faced with the issue of assigning
IP addresses to your wireless clients.  If you have only one or very few,
you may wish to receive additional public addresses from the cable modem
provider via DHCP.  Otherwise, you could get away with only a single
additional public IP address by using another Internet Connection Sharing
box with DHCP or a small router, and create an "unsecured, private" network.

Then enable VPN on the 10bT segment into your Win2K Pro box, and allow VPN
connections from the "outside" in ZoneAlarm Pro, and run VPN clients on each
of the wireless clients.

This solution keeps your private network "wired".  It treats your 802.11b
network with no more respect than the Internet itself.  It has the side
benefit of enabling VPN capability to your private wired network from
anywhere on the Internet (which you can limit to particular addresses, if
desired).  If you go with the "unsecured private" network option, make sure
your VPN solution can traverse NAT.  And if you use the public IP option for
the wireless clients, be sure to run firewall software on them as well.

Unlike David's solution, however, you are still exposed to freeloaders on
the 802.11b network sharing your Internet bandwidth (but at least not your
private wired network).

Ah, the price we pay for convenience...

(Note:  It is not fair to say that WEP is broken, exploitable perhaps, but
not broken.  Properly configured and authenticated WEP is non-trivial to
crack.  It requires some expertise and resources, but may be sufficient for
many applications.  You did say, "truly secure", which is not a description
of WEP.)

Regards,
Kent Dallas

-----Original Message-----
From: Spencer, Mark (SUF) [mailto:Mark.Spencer at suf.state.ma.us]
Sent: Thursday, November 01, 2001 3:23 PM
To: 'vpn at securityfocus.com'
Subject: [vpn] Securing 802.11b in W2K environment?


Now that the WEP security of 802.11b has been shown to be broken and
exploitable, I have seen lots of articles on the net about how
people are securing their wireless solutions using virtual private
network technology.

Only problem though is that all the articles I have found talk about
people using OpenBSD, Linux, and other non-MS operating systems.

I run Windows 2000 Professional on all my PCs. What is the most
intuitive and cost effective way I can truly secure my 802.11b wireless
products??

My network looks like the following:

A broadband cable Internet connection plugs directly into my Windows
2000 Professional workstation through a 10baseT NIC.  I have a second
NIC, 100baseTX, in this same machine connected to an eight port
switch.  On this gateway machine are running ZoneAlarm Pro for
firewall functionality and Sygate Home Network for Internet sharing.
Plugged into the switch is a Linksys WAP11 access point.

So, the wireless products are operating on the inside of my network,
inside the firewall.  I need to find a way to encrypt communications
at the lowest level from my wireless devices to the gateway machine.
That way my wireless LAN traffic will be protected, and once the
encryption is terminated at the gateway machine, hopefully the
wireless devices pass through my Internet connection sharing just as
if they were normally connected to my switch via Category 5 ethernet.

Any guidance is greatly appreciated!

Mark

VPN is sponsored by SecurityFocus.com


