[vpn] wep
Ryan Malayter
rmalayter at bai.org
Mon Jun 3 17:44:14 EDT 2002
From: Kenneth Erickson [mailto:erickskl at yahoo.com]
>Thank you. You're right, they weren't mentioned.
>It just seemed like that might be another way
>to hook up two buildings.
It could be done if he has Windows servers on both sides, each with an
extra NIC. Even if all protocol bindings except IPsec/L2TP/PPTP were
removed from the wireless-side NICs, the setup would not be as secure as
having an actual stateful inspection firewall on each side of the
wireless connection. Nor would it be as easy to set up.
>Since WEP is Swiss cheese, what do you think
>about establishing some form of security on all of the
>clients and servers that are on the intra-net then
>placing the Access Point on the inside of the firewall?
That's not a bad idea, but it's a heck of a lot more work than buying
two firewall/VPN devices and connecting them with an IPsec tunnel. Then
the "Swiss cheese" portion of his network is blocked from access to the
LAN, which should be (reasonably) trustworthy.
Requiring IPsec to every client and with every connection isn't out of
the question, but I'm sure it will cause a lot of issues. Perhaps not
every protocol, service, application, or operating system in use is
compatible with the encryption solution. Certainly diagnosing LAN
problems with a sniffer will become much more difficult. And the more
devices that have a shared secret, the more chances of that secret being
compromised and the security negated.
Of course, securing all network traffic to and from clients is desirable
if the physical security of the existing LAN in each building is poor.
(One can often get into wiring closets simply by wearing a tool belt and
carrying a clipboard!) But if that's the case, the physical security of
client devices (which hold the encryption keys for the secured LAN) is
probably quite poor as well. In such a situation, would a physically
insecure network be made any safer by simply turning on encryption on
all the clients and servers? Not by much.
Regards,
:::Ryan Malayter
:::Network Engineer
:::Bank Administration Institute
:::Chicago, Illinois, USA
:::PGP Key: http://www.malayter.com/pgp-public.txt