ITKnowledge Exchange member "Jeremy54" had a question Wireless and VPN and our resident wireless guru, Lisa Phifer offered her advice. Here is the Q&A.
|ITKnowledge Exchange member "Jeremy54" asked:
Would you consider a Microsoft VPN tunnel established through a WEP encrypted access point to be secure? If not, how easy is it for someone to steal data passed through the tunnel? Are there any good references for judging relative security levels from the various configurations/solutions available?
Lisa Phifer WRITES:
There are two kinds of Microsoft VPN tunnels:
1) Microsoft added a Point to Point Tunneling Protocol (PPTP) VPN client to a Windows Dial-Up Networking upgrade for Windows 95, and PPTP has been included in every Microsoft operating system released since that time, including Pocket PC 2002. Although its most significant flaws were fixed is MS-CHAPv2 years ago, PPTP is generally considered a weak VPN tunneling protocol. To learn more, visit this URL: http://www.counterpane.com/pptp.html
2) Starting with Windows 2000, Microsoft enhanced DUN with an L2TP over IPsec VPN client. By default, every Windows VPN connection attempts to negotiate L2TP over IPsec first, then falls back to PPTP. However, connections can be explicitly configured to use PPTP or L2TP only. For example, on Windows XP, open the VPN connection's Properties panel, choose the Network tab, and pick either L2TP or PPTP under "Type of VPN." IPsec is generally considered a strong VPN tunneling protocol, particularly when configured to employ strong cryptographic algorithms and avoid vulnerable options like IKE Aggressive Mode and Extended Authentication (XAUTH). To learn more about IPsec, visit this URL: http://www.vpnc.org/vpn-standards.html
Both VPNs provide cryptographic protection for wireless data payload. Someone capturing WLAN traffic will be able to see all 802.11 management and control frames, as well as the IP headers carried in 802.11 data frames. They will also be able to see cleartext parts of VPN-encrypted packets -- for example, usernames or IDs or hashed passwords that might be sent in PPTP and IPsec (IKE) packets when a tunnel is established. Someone can't steal the data passed inside the encrypted tunnel, but they can try to use exposed headers to attack the WLAN or the VPN. For example, someone might aim a "cracking" tool at your VPN gateway to try to guess a legitimate user's password or shared secret, then gain access to the network behind the VPN.
You can help deflect these attacks by enabling WEP or WPA or WPA2 on your AP. All VPN packets, including IP headers and VPN tunnel establishment packets, passed between wireless stations and the AP will then be encrypted. WEP is notoriously easy to crack; visit this URL to learn more: http://www.drizzle.com/~aboba/IEEE/ . WPA and WPA2 can be cracked when used with easy-to-guess Preshared Secret Keys (PSKs); visit this URL for guidelines on choosing good PSKs:
Want to join in on a similar conversation? Register for ITKnowledge Exchange and fill out your profile so you can immediately begin asking specific sets of people your IT questions and also help out your fellow wireless and mobile computing aficionados. Anyone can read answers already provided to questions, but only registered ITKnowledge Exchange members can ask questions or add to threads.
Read all the answers to this question.
Not on ITKnowledge Exchange yet? Register today.