Re: VPN vs. Cisco LEAP for wireless security ?

From: Lanwench [MVP - Exchange] (lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 04/01/03


From: "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com>
Date: Tue, 1 Apr 2003 13:59:58 -0500


Can't take credit for this answer - ran yer Q by my husband & business
partner and he wrote you a nice little novel in response!

Apples and oranges, my friends...but both are still in the fruitbasket.

<or>

The answer is that neither is a complete solution.

LEAP in a corporate environment is not a question of "if" or of "what else",
as it would be plainly nuts to do otherwise. LEAP can tie into your A/D,
so you can use ordinary remote access policies to determine who could even
use the wireless, and then (assuming you have adequate user account password
strength policies) assure that only authorized users could get in.

LEAP would accomplish a number of things--namely, if properly configured
(along with properly configured access points and wireless clients) it would
significantly harden the basic wireless transport itself, and allow
integration into access control and auditing mechanisms such as RADIUS.

Steps/What Each Would Accomplish:

1. Use LEAP. If properly configured, it would prevent someone from even getting
an IP address if they do not possess proper credentials--KEEP OUT THE
ORDINARY HACKS. Scrubs at this level can do no harm/compromise no data if
they can't get past the front door.

2. Do not let broadcast SSID associate. Keep out the total neophytes.

3. Use Aironet Extensions, the latest version of the client and access point
firmware, and the latest client software and driver; use MMC hashing and
automatic WEP key rotation. The former addressed the initial 40-bit
vulnerability of WEP, restoring it to near 128-bit encryption strength. The
latter, if configured with a fairly short interval (say 10 minutes tops),
would have each client automagically renegotiate/change the WEP key in use
on the fly on that interval, making a hack/decrypt pretty much impossible up
to and including the NSA--not enough traffic would exist on any given
dynamic key to lend itself to any sort of statistical decrypt. FRUSTRATE THE
CLEVER HACKS (ones using a wireless sniffer) in that they could see packets
flying by, but could not access the network nor decrypt the contents of the
packets.

4. VPN does nothing to guard the front door, so to speak--which is what the
above steps try to accomplish--keeping the burglar from getting past the
front door. VPN would only serve to encrypt whatever traffic was secured in
this fashion (speak Greek so the burglar doesn't understand you, but hey,
he's already in your living room unhooking your TV), and would not help
secure the network infrastructure itself. This solution tends to be
problematic in that it requires a VPN client of some sort/configuration,
which the blessed user usually neglects to de-activate when they connect to
a wireline network in your shop...and nothing works, and your help desk gets
inundated with calls. A more elegant solution would be to implement IPSec
policies...but that is assuming that it is a W2K-and-above-only shop....

Marlon Brown wrote:
> Does it make sense to use VPN to provide wireless security in my
> environment? I mean, all our sites are interconnected through fiber
> to our Main Office router.
>
> We do have hundreds of Cisco APs and we are currently deploying LEAP to
> provide wireless security.
> Now a co-worker is saying that VPN is a good option to provide
> wireless security and would save us work, since we don't need to
> set up a protocol like LEAP.
>
> For me, launching a VPN client to provide encryption is fine, but then
> people in the parking lot are still going to be getting IP addresses
> from our DHCP servers, and I think that is a security issue, right?
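Steps 1 through 3 of the reply above, as one access-point configuration. This is an added example, not anything posted in the thread: it is written in the Cisco IOS syntax of the IOS-based Aironet access points of that era (12.2 JA train), and the RADIUS address 10.1.1.10, the shared secret ChangeMe, the SSID name corp-wlan, and the group/method-list names are assumptions chosen for illustration. Check each command against the command reference for the firmware actually running on your APs before pasting it in.

```cisco
! Added example (not from the post). Assumed: RADIUS at 10.1.1.10,
! shared secret ChangeMe, SSID corp-wlan. IOS-based Aironet AP syntax.
!
! --- Step 1: LEAP gated by RADIUS (which in turn can be tied to A/D) ---
aaa new-model
aaa group server radius rad_eap
 server 10.1.1.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key ChangeMe
!
! --- Step 2: SSID not beaconed ---
! "guest-mode" is deliberately absent from this ssid block; with it absent the
! SSID is not advertised in beacons, and a client must know it to associate.
dot11 ssid corp-wlan
 ! network-eap is the Cisco (LEAP) EAP flavour; a station that fails the
 ! challenge/response is never associated, so it never reaches DHCP.
 authentication network-eap eap_methods
!
! --- Step 3: Aironet extensions, MIC, per-packet key hashing, key rotation ---
interface Dot11Radio0
 ! Aironet extensions must be on for MIC / key hashing to be negotiated
 ! with Cisco clients (this is the default, stated here to make it explicit).
 dot11 extension aironet
 ! WEP mandatory, with MIC (message integrity check) and per-packet key
 ! hashing, the two Aironet extensions the reply refers to.
 encryption mode wep mandatory mic key-hash
 ! Rotate the broadcast/multicast key every 600 s (the "10 minutes tops" in
 ! the reply); LEAP already derives a per-session unicast key per client.
 broadcast-key change 600
 ssid corp-wlan
```

After applying it, `show dot11 associations` on the AP is the check for the "front door" property the reply describes: a station without valid credentials should never appear as associated, so it never gets as far as a DHCP request. Two caveats a practitioner would want alongside this: the strength of the whole scheme rests on the user password policy the reply mentions, because the LEAP exchange is a challenge/response on the user's password hash, so weak passwords weaken the front door no matter how the radio is configured; and the rotation interval governs only the broadcast key, while the per-client unicast key is re-derived on each LEAP authentication, so reauthentication timing on the RADIUS side matters as much as the `broadcast-key change` value.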


