May 12th, 2007
Why VPN can't replace Wi-Fi security
Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing Wi-Fi. (Wi-Fi is the common marketing name for 802.11 wireless LANs.) I’ve always told people that VPN security shouldn’t be a substitute for good Wi-Fi security, and I even posted a comprehensive guide to enterprise wireless LAN security, but a loyal group of VPN-only supporters has always argued for a VPN-only alternative. I’m going to explain VPN and Wi-Fi security as best I can, and why there is a right time and a right place for each architecture.
The VPN-only camp
The VPN-only camp consists of companies that have a vested interest in selling VPN solutions and some individuals who are more familiar with VPN than with Wi-Fi security, so everything looks like a VPN-type problem because that’s within their comfort range. It’s a classic case of when all you have is a hammer, everything looks like a nail. They’ll tell you not to worry about Wi-Fi security and just use VPN. The typical argument from the VPN-only camp is that the IEEE 802.11 standards body can’t be trusted to come up with a good solution for Wi-Fi security. To bolster their claim that Wi-Fi can’t be trusted, the VPN-only camp will cite the example of the WEP debacle, and they’ll even point out how “WPA is cracked.”
Was WPA really cracked?
Anyone who states that “WPA was cracked” doesn’t really understand what WPA is or what cracked means. What they’re actually referring to is the fact that a certain simple mode of WPA (designed primarily for home use), which uses PSK (pre-shared keys), can be cracked when a simple, easy-to-guess PSK is in use. But that’s only an example of a poor deployment of WPA-PSK. A simple random alphanumeric PSK of 10 characters (or more) will make it impractical to crack with dictionary attacks. I can just as easily point out that the same mistakes can be made in certain VPN deployments that also make use of pre-shared keys.
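To make the PSK point concrete, here is an added Python example (not from the original article) that generates a random alphanumeric PSK, audits a candidate against a wordlist, and sizes the search space an attacker would face. It also shows the standard WPA-PSK key derivation (PBKDF2-HMAC-SHA1, salted with the SSID); the wordlist, the SSID `example-net` and the 1e6 guesses-per-second rate are constructed assumptions.

```python
import hashlib
import math
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols ("alpha-numeric")
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_psk(length=10):
    """Random alphanumeric passphrase from the OS CSPRNG (WPA allows 8-63 chars)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def derive_pmk(passphrase, ssid):
    """WPA-PSK key derivation: PBKDF2-HMAC-SHA1, salt=SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace_bits(length, alphabet=ALPHANUM):
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(len(alphabet))

def years_to_exhaust(length, guesses_per_second, alphabet=ALPHANUM):
    """Time to try every passphrase of this length at an assumed guess rate."""
    return len(alphabet) ** length / guesses_per_second / SECONDS_PER_YEAR

def audit_psk(psk, wordlist):
    """Return findings that make a PSK guessable; an empty list means none found."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("length outside the 8-63 characters WPA accepts")
    elif len(psk) < 10:
        findings.append("shorter than 10 characters")
    if psk.lower() in {w.lower() for w in wordlist}:
        findings.append("appears in wordlist")
    if psk.isdigit():
        findings.append("digits only")
    return findings

if __name__ == "__main__":
    SAMPLE_WORDLIST = ["password", "linksys1", "letmein123"]  # constructed sample
    for candidate in ["linksys1", generate_psk(10)]:
        print(candidate, audit_psk(candidate, SAMPLE_WORDLIST) or "no findings")
    print(f"10 random alphanumerics: {keyspace_bits(10):.1f} bits")
    # 1e6 guesses/s is an assumed rate for illustration, not a measured figure
    print(f"exhaustive search at 1e6/s: {years_to_exhaust(10, 1e6):,.0f} years")
    print("PMK for SSID 'example-net':", derive_pmk("linksys1", "example-net").hex())
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different key on every network name, so guesses have to be recomputed per SSID.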
Is WEP a permanent indictment of IEEE 802.11?
There is no question that WEP is completely broken beyond redemption. 802.11 WEP encryption was designed in the late 90s, during a time of strict U.S. export restrictions, when good cryptography was considered advanced munitions. I’ve had sources familiar with that process tell me that stronger encryption algorithms were shunned for fear of Wi-Fi products being banned for export. Not surprisingly, it took less than two years for the cryptographic researchers (Fluhrer-Mantin-Shamir) to demonstrate serious flaws with WEP. But something designed in the late 90s for exportability should not be a permanent indictment of Wi-Fi security or the competence of the IEEE 802.11 standards body. If that’s the standard we’re going to judge by, we can pretty much shun everything on the Internet. Moving beyond the WEP debacle, the Wi-Fi industry couldn’t wait for the IEEE to fix the standard, so they adopted TKIP (a patched version of WEP) with the WPA industry standard.
Bad implementations should be shunned, not entire categories
There are other bad implementations of VPN and Wi-Fi that have poorly designed authentication mechanisms. ASLEAP, for example, is a tool that will easily crack both LEAP Wi-Fi 802.1x authentication and PPTP VPN authentication in nearly identical fashion, yet both protocols are (unfortunately) very popular. The argument should be made against poor cryptographic implementations, not against Wi-Fi security in general.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.









