
232    Chapter 4 • Communication Security: Wireless

When a VPN is required for access to a corporate network from a wireless network subnet, all traffic between the two networks is encrypted within the VPN tunnel. If using static WEP, a VPN ensures a higher degree of confidentiality for traffic. Even if the WEP encryption is cracked, the hacker would still have to crack the VPN encryption to see the corporate traffic, which is much more difficult. If a wireless laptop is stolen and the theft unreported, the thief would have to know the user credentials to gain access to the VPN.



NOTE
    It is important to ensure that the user does not configure the VPN connection to save the username and password. Although this makes it more convenient for the user, who does not have to type the account name and password each time they use the VPN connection, it provides a thief with the credentials needed to access the VPN.




Of course, this kind of configuration is still vulnerable to attack. If, for example, an attacker has somehow acquired user names and passwords (or the user has saved them in the VPN connection configuration), they can still access the wired network through the VPN. Another consideration is the additional overhead of encryption used in the VPN tunnel. If also using WEP, the combined loss of bandwidth as a result of the encryption could easily be noticeable. Again, administrators have to compare the benefits of implementing a VPN for wireless clients in a DMZ against the cost of deployment in terms of hardware, software, management, loss of bandwidth, and other factors.

Setting up this kind of configuration can be a relatively complex undertaking, depending on a number of factors. If, for example, 802.1x authentication is being used, it is important to ensure that 802.1x-related traffic can pass between the wireless and wired network without a VPN tunnel. If using ISA Server to separate the networks, you would have to publish the RADIUS server on the corporate network to the wireless network.
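One way to express the separation just described, as an added example that is not from the book: a Linux iptables ruleset standing in for the ISA Server the text mentions. It lets the access points' RADIUS traffic (the wired leg of 802.1x) reach the RADIUS server outside any tunnel, admits only IKE/ESP from wireless clients toward the VPN gateway, and logs and drops everything else from the wireless subnet. All addresses, and the choice of IPsec for the VPN, are assumptions.

```shell
#!/bin/sh
# Added example (not the book's): netfilter policy for the wireless DMZ design.
# Every address below is a constructed placeholder.
WLAN_NET="10.10.0.0/24"          # wireless subnet (assumed)
CORP_NET="10.20.0.0/16"          # corporate wired network (assumed)
AP_LIST="10.10.0.2 10.10.0.3"    # access points acting as RADIUS clients (assumed)
RADIUS_SRV="10.20.1.10"          # RADIUS server published to the wireless side (assumed)
VPN_GW="10.20.1.20"              # IPsec VPN gateway (assumed; IPsec itself is an assumption)
IPT="${IPT:-iptables}"           # set IPT=echo to print the rules instead of applying them

apply_rules() {
    # Default: nothing from the wireless subnet reaches the corporate LAN.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Replies belonging to flows already accepted (RADIUS answers, tunnel traffic).
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 802.1x: EAPOL stays on the wireless link, but the EAP exchange is relayed
    # by each AP to the RADIUS server (UDP 1812 auth, 1813 accounting). This must
    # pass outside any VPN tunnel, or no client can authenticate in the first place.
    for ap in $AP_LIST; do
        "$IPT" -A FORWARD -s "$ap" -d "$RADIUS_SRV" -p udp --dport 1812 -j ACCEPT
        "$IPT" -A FORWARD -s "$ap" -d "$RADIUS_SRV" -p udp --dport 1813 -j ACCEPT
    done
    # Wireless clients may only reach the VPN gateway: IKE (UDP 500), NAT-T
    # (UDP 4500) and ESP. All corporate traffic then travels inside the tunnel.
    "$IPT" -A FORWARD -s "$WLAN_NET" -d "$VPN_GW" -p udp --dport 500 -j ACCEPT
    "$IPT" -A FORWARD -s "$WLAN_NET" -d "$VPN_GW" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A FORWARD -s "$WLAN_NET" -d "$VPN_GW" -p esp -j ACCEPT
    # Anything else from the wireless side toward the corporate LAN is logged
    # (rate limited) before the chain's default DROP, so bypass attempts show up.
    "$IPT" -A FORWARD -s "$WLAN_NET" -d "$CORP_NET" -m limit --limit 5/min \
        -j LOG --log-prefix "WLAN-DMZ-DROP: "
}

# Number of FORWARD rules the policy emits; a sanity check for the echo mode.
rule_count() {
    IPT=echo apply_rules | grep -c -- '-A FORWARD'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo apply_rules ;;
esac
```

Run with `show` to review the generated rules before `apply`; the policy deliberately contains no rule that lets a wireless client reach the corporate network directly, only the RADIUS and VPN gateway exceptions.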

             Temporal Key Integrity Protocol

As noted earlier, the use of WEP in combination with 802.1x authentication and EAP-TLS, while providing a much higher standard of security, does not mitigate all the potential threats to the confidentiality and integrity of the data. As an interim solution until the IEEE 802.11i standard is implemented and finalized, many ven-



          www.syngress.com