[vpn] Securing 802.11b in W2K environment?

Dave Sroelov dave at ascomputer.com
Fri Nov 2 17:57:57 EST 2001

i haven't been watching this entire thread in detail, but i figured i would add
a couple of things.  sorry if any of this is redundant.

putting the wireless on the outside of the firewall is a good idea.  putting it
on a DMZ is also good if you have the capability.  even though you are using a
VPN to connect, there is no reason not to use WEP anyway.  while WEP may not be
the most secure thing on the planet, it will cut out some of the freeloaders.
also, make sure your wireless device is not broadcasting SSID.  one more thing
you should probably do is restrict the MAC addresses that the wireless can talk

all of this stuff can be broken if you try hard enough, but the SSID, MAC
address, and WEP should be enough to keep most people off your wireless and keep
the freeloading down.  with VPN being the only access to your internal network,
you should be pretty much secure.


Kent Dallas wrote:

> Mark,
> I agree with the suggestions that David Gillett has offered, but thought I
> would offer another alternative.
> You could take the connection between your cable modem and your 10bT Win2K
> NIC and place a hub in between them.  Then add your 802.11b access point to
> the hub, instead of placing your access point on the private network switch.
> This solution effectively moves your access point from inside the firewall
> to outside the firewall.  You will then be faced with the issue of assigning
> IP addresses to your wireless clients.  If you have only one or very few,
> you may wish to receive additional public addresses from the cable modem
> provider via DHCP.  Otherwise, you could get away with only a single
> additional public IP address by using another Internet Connection Sharing
> box with DHCP or a small router, and create an "unsecured, private" network.
> Then enable VPN on the 10bT segment into your Win2K Pro box, and allow VPN
> connections from the "outside" in ZoneAlarm Pro, and run VPN clients on each
> of the wireless clients.
> This solution keeps your private network "wired".  It treats your 802.11b
> network with no more respect than the Internet itself.  It has the side
> benefit of enabling VPN capability to your private wired network from
> anywhere on the Internet (which you can limit to particular addresses, if
> desired).  If you go with the "unsecured private" network option, make sure
> your VPN solution can traverse NAT.  And if you use the public IP option for
> the wireless clients, be sure to run firewall software on them as well.
> Unlike David's solution, however, you are still exposed to freeloaders on
> the 802.11b network sharing your Internet bandwidth (but at least not your
> private wired network).
> Ah, the price we pay for convenience...
> (Note:  It is not fair to say that WEP is broken, exploitable perhaps, but
> not broken.  Properly configured and authenticated WEP is non-trivial to
> crack.  It requires some expertise and resources, but may be sufficient for
> many applications.  You did say, "truly secure", which is not a description
> of WEP.)
> Regards,
> Kent Dallas
> -----Original Message-----
> From: Spencer, Mark (SUF) [mailto:Mark.Spencer at suf.state.ma.us]
> Sent: Thursday, November 01, 2001 3:23 PM
> To: 'vpn at securityfocus.com'
> Subject: [vpn] Securing 802.11b in W2K environment?
> Now that the WEP security of 802.11b has been shown to be broken and
> exploitable, I have seen lots of articles on the net about how
> people are securing their wireless solutions using virtual private
> network technology.
> Only problem though is that all the articles I have found talk about
> people using OpenBSD, Linux, and other non-MS operating systems.
> I run Windows 2000 Professional on all my PC's. What is the most
> intuitive and cost effective way I can truly secure my 802.11b wireless
> products??
> My network looks like the following:
> A broadband cable Internet connection plugs directly into my Windows
> 2000 Professional workstation through a 10baseT NIC.  I have a second
> NIC, 100baseTX, in this same machine connected to an eight port
> switch.  On this gateway machine are running ZoneAlarm Pro for
> firewall functionality and Sygate Home Network for Internet sharing.
> Plugged into the switch is a Linksys WAP11 access point.
> So, the wireless products are operating on the inside of my network,
> inside the firewall.  I need to find a way to encrypt communications
> at the lowest level from my wireless devices to the gateway machine.
> That way my wireless LAN traffic will be protected, and once the
> encryption is terminated at the gateway machine, hopefully the
> wireless devices pass through my Internet connection sharing just as
> if they were normally connected to my switch via Category 5 ethernet.
> Any guidance is greatly appreciated!
> Mark
> VPN is sponsored by SecurityFocus.com
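The layering discussed in this thread (access point filtering, wireless segment outside the firewall, VPN as the only path into the wired LAN) can be written down as a small policy check. The example below is added here and is not code from the thread or any product named in it; the topology, addresses, MAC addresses and port list are constructed assumptions (PPTP and IPsec/L2TP are the VPN flavours a Windows 2000 gateway of that era would typically offer). The firewall layer admits only VPN setup and data from the wireless segment to the gateway, drops everything else aimed at the private LAN, and lets wireless clients reach the Internet, which is exactly the freeloader trade-off Kent describes.

```python
"""Policy model for an 802.11b segment placed outside the firewall.

Added example, not from the mailing-list thread. Models two layers:
  1. the access point's MAC allowlist (weak: MACs are cloneable, as the
     thread itself notes everything here can be broken with effort), and
  2. the firewall in front of the wired LAN, which accepts only VPN
     traffic from the wireless segment to the gateway.
All addresses, MAC addresses and network ranges are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumption: RFC 1918 ranges chosen for illustration).
WIRELESS_NET = ip_network("192.168.100.0/24")      # "unsecured, private" 802.11b segment
PRIVATE_NET = ip_network("192.168.1.0/24")         # wired LAN behind the firewall
GATEWAY_WIRELESS_IP = ip_address("192.168.100.1")  # VPN server facing the wireless side

# IP protocol numbers and ports for the VPN types a Win2K gateway would offer.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
VPN_ALLOW = {
    (PROTO_TCP, 1723),   # PPTP control channel
    (PROTO_GRE, None),   # PPTP data carried in GRE (no port)
    (PROTO_UDP, 500),    # IKE for IPsec / L2TP-over-IPsec
    (PROTO_ESP, None),   # IPsec ESP (no port)
}

# Constructed access-point MAC allowlist (assumption: two known client cards).
AP_MAC_ALLOWLIST = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None


def ap_admits(pkt: Packet) -> bool:
    """Access-point layer: admit frames only from allowlisted MAC addresses."""
    return pkt.src_mac.lower() in AP_MAC_ALLOWLIST


def firewall_verdict(pkt: Packet) -> str:
    """Firewall layer for traffic that arrived from the wireless segment."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    if src not in WIRELESS_NET:
        return "not-wireless"          # other interfaces are policed elsewhere
    if dst == GATEWAY_WIRELESS_IP:
        # Only VPN setup and VPN data may reach the gateway itself.
        port = pkt.dst_port if pkt.proto in (PROTO_TCP, PROTO_UDP) else None
        return "allow-vpn" if (pkt.proto, port) in VPN_ALLOW else "deny"
    if dst in PRIVATE_NET:
        return "deny"                  # no direct path into the wired LAN
    return "allow-internet"            # bandwidth-sharing risk accepted


def decide(pkt: Packet) -> str:
    """Run both layers in order; the first layer that rejects wins."""
    if not ap_admits(pkt):
        return "ap-reject"
    return firewall_verdict(pkt)


if __name__ == "__main__":
    # Constructed sample traffic from the wireless side.
    samples = [
        Packet("00:11:22:33:44:55", "192.168.100.20", "192.168.100.1", PROTO_TCP, 1723),
        Packet("00:11:22:33:44:55", "192.168.100.20", "192.168.100.1", PROTO_GRE),
        Packet("00:11:22:33:44:55", "192.168.100.20", "192.168.1.10", PROTO_TCP, 445),
        Packet("00:11:22:33:44:55", "192.168.100.20", "198.51.100.7", PROTO_TCP, 80),
        Packet("de:ad:be:ef:00:01", "192.168.100.30", "192.168.100.1", PROTO_TCP, 1723),
    ]
    for pkt in samples:
        print(f"{pkt.src_ip} -> {pkt.dst_ip} proto {pkt.proto} port {pkt.dst_port}: {decide(pkt)}")
```

Running it shows the PPTP control and GRE flows reaching the gateway, the SMB attempt at the wired LAN being dropped, plain web traffic to the Internet passing, and a frame from an unknown card stopped at the access point. The point of keeping the firewall rule set this narrow is that, as the thread says, the VPN then becomes the only way into the internal network regardless of what happens to WEP, SSID hiding or the MAC list.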
