[vpn] wep

Ryan Malayter rmalayter at bai.org
Mon Jun 3 18:29:15 EDT 2002


One other thing... It might be best to look for Firewall/VPN devices
which support the emerging IPComp standard for compression before IPsec
encryption. That 802.11b connection will feel a lot quicker.

Devices from Cisco, Alcatel, Nokia/Checkpoint, and others support this,
as does the Linux-based FreeS/WAN suite. Unfortunately, the
bargain-basement devices from NETGEAR I mentioned earlier do not, nor
could I find any reference to IPComp when searching SonicWall and
WatchGuard sites.


-----Original Message-----
From: Ryan Malayter 
Sent: Monday, June 03, 2002 4:44 PM
To: Kenneth Erickson; vpn at securityfocus.com
Subject: RE: [vpn] wep


From: Kenneth Erickson [mailto:erickskl at yahoo.com] 
>Thank you. You're right, they weren't mentioned.
>It just seemed like that might be another way 
>to hook up two buildings.

It could be done if he has windows servers on both sides, each with an
extra NIC. Even if all protocol bindings except IPsec/L2TP/PPTP were
removed from the wireless-side NICs, the setup would not be as secure as
having an actual stateful inspection firewall on each side of the
wireless connection. Nor would it be as easy to set up.

>Since WEP is swiss cheese, what do you think 
>about establishing some form of security on all of the
>clients and servers that are on the intra-net then 
>placing the Access Point on the inside of the firewall?

That's not a bad idea, but it's a heck of a lot more work than buying
two firewall/VPN devices and connecting them with an IPsec tunnel. Then
the "Swiss cheese" portion of his network is blocked from access to the
LAN, which should be (reasonably) trustworthy.

Requiring IPsec to every client and with every connection isn't out of
the question, but I'm sure it will cause a lot of issues. Perhaps, not
every protocol, service, application, or operating system in use is
compatible with the encryption solution. Certainly diagnosing LAN
problems with a sniffer will become much more difficult. And the more
devices that have a shared secret, the more chances of that secret being
compromised and the security negated.

Of course, securing all network traffic to and from clients is desirable
if the physical security of the existing LAN in each building is poor.
(One can often get into wiring closets simply by wearing a tool belt and
carrying a clipboard!) But if that's the case, the physical security of
client devices (which hold the encryption keys for the secured LAN) is
probably quite poor as well. In such a situation, would a physically
insecure network be made any safer by simply turning on encryption on
all the clients and server? Not by much.

Regards,
:::Ryan Malayter
:::Network Engineer
:::Bank Administration Institute
:::Chicago, Illinois, USA
:::PGP Key: http://www.malayter.com/pgp-public.txt
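The reason the first paragraph asks for IPComp support, i.e. compression applied before IPsec encryption rather than after, is that ciphertext looks like random bytes and deflate cannot shrink it. The script below is an added illustration, not code from the post or from any IPsec implementation: it compares both orderings on a constructed HTTP-like payload. The cipher is a stand-in (a SHA-256 counter-mode keystream XORed into the data, chosen so the demo runs on the standard library alone); the key, payload and function names are assumptions for the example.

```python
"""Why IPComp compresses before ESP encrypts: added illustration.

Not code from the original post or from any IPsec implementation. The
"cipher" is a SHA-256 counter-mode keystream XORed into the data, a
stand-in for ESP's block cipher so the demo needs only the standard
library; the payload is a constructed, HTTP-like sample.
"""
import hashlib
import zlib

# Constructed sample payload: the kind of redundant traffic a LAN carries.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    b"Accept: text/html, image/gif, image/jpeg, */*\r\n\r\n"
) * 200  # roughly 33 KB of highly repetitive text


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Hypothetical stream cipher: SHA-256(key || counter) as keystream.

    Symmetric, so the same call decrypts. Stand-in for ESP's cipher only;
    it is here to produce pseudo-random-looking ciphertext, not for use.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, payload: bytes) -> bytes:
    """IPComp-then-ESP order: deflate first, encrypt the smaller result."""
    return keystream_xor(key, zlib.compress(payload))


def encrypt_then_compress(key: bytes, payload: bytes) -> bytes:
    """Wrong order: ciphertext is incompressible, so deflate gains nothing."""
    return zlib.compress(keystream_xor(key, payload))


def compare_orders(key: bytes = b"demo-key", payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Return the on-the-wire size for each ordering next to the plaintext size."""
    return {
        "plaintext": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt(key, payload)),
        "encrypt_then_compress": len(encrypt_then_compress(key, payload)),
    }


def roundtrip_ok(key: bytes = b"demo-key", payload: bytes = SAMPLE_PAYLOAD) -> bool:
    """Receiver side of the IPComp order: decrypt, then decompress, compare."""
    wire = compress_then_encrypt(key, payload)
    return zlib.decompress(keystream_xor(key, wire)) == payload


if __name__ == "__main__":
    for name, size in compare_orders().items():
        print(f"{name:>22}: {size} bytes")
    print("roundtrip ok:", roundtrip_ok())
```

Running it shows the compress-then-encrypt output at a small fraction of the plaintext size, while encrypt-then-compress comes out slightly larger than the plaintext (deflate falls back to stored blocks and adds its own framing). That gap is the bandwidth a device without IPComp leaves on the table over an 802.11b link.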

VPN is sponsored by SecurityFocus.com