Wireless is only secure using VPN client on PC?

patrick.hurley
Level 3

I have heard that Cisco is telling its customers that, because of the security issues associated with wireless, if they really want to be secure they need to use VPN client software and concentrators. That means putting all of the wireless access points in a VLAN that is in the same subnet as the public interface of the VPN concentrator and using the VPN client to access the private interface's subnets. Is this the short-term strategy? Is the long-term strategy to have IPSec be part of the wireless system?

8 Replies

william.ong
Level 1

One "better than average" WLAN security technique is to use dynamic WEP key generation by using EAP. This can be done by installing a Cisco Secure ACS server and enabling EAP on the AP and client. This will generate a dynamic WEP key to encrypt the session between the client and AP. This is pretty much like using VPN, since all packets are encrypted, but without the extra robustness and complexity of PKI and IPSec.

I have heard that there are security issues associated even with this more robust technique. What have you heard?

The advantage of VPN is to mix and match multi-vendor APs and cards. If your environment is pure Cisco and you do not expect users to get their own cards, then LEAP with 128-bit WEP should be sufficient.

VPN may be the best solution to go with today, as with LEAP/Cisco Secure with dynamic WEP keys there are still possibilities to hack the keys within a 90-minute interval today.

This is depressing, as I just spent much time researching the security of LEAP/Cisco Secure with dynamic WEP. What is used to hack it within 90 minutes? My latest search was targeted at AirSnort.

Thanks

We are using LEAP with dynamic WEP. I set my ACS server to re-authenticate users at 10 minute intervals. This generates a new dynamic WEP key for each user. Even if someone is able to capture enough packets (1,000,000), from 1 user in this 10 minute period, the dynamic WEP key is already invalid by the time they can use it.

Ah yes, I know this. I think I was reading into the question. I was reading WEP but thinking of the CRC-32 checksum vulnerability. I guess this is why the question wasn't answered on the webcast this morning. I was asking the wrong question.

Thanks
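The LEAP-with-dynamic-WEP setup discussed in the replies above, as an added configuration example that is not from this thread or from Cisco's documentation. It assumes an Aironet access point running IOS, a Cisco Secure ACS server at the constructed address 10.10.0.30 with a placeholder shared secret, and the constructed SSID CORP-WLAN; the 600-second re-authentication interval one poster sets on ACS is assumed to arrive at the AP as the RADIUS Session-Timeout attribute, so it is not configured on the AP itself.

```cisco
! Added example, not from the thread. Aironet IOS syntax; all values are constructed:
!   10.10.0.30              Cisco Secure ACS (RADIUS) server
!   acs-secret-placeholder  RADIUS shared secret (placeholder, replace before use)
!   CORP-WLAN               SSID served by this AP
aaa new-model
aaa group server radius rad_eap
 server 10.10.0.30 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
radius-server host 10.10.0.30 auth-port 1645 acct-port 1646 key acs-secret-placeholder
!
dot11 ssid CORP-WLAN
 ! network-eap is what LEAP clients use; "open eap" lets other EAP supplicants associate
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
interface Dot11Radio0
 ! Refuse unencrypted associations; the per-user key is delivered by EAP, not typed in
 encryption mode wep mandatory
 ssid CORP-WLAN
 ! Rotate the shared broadcast/multicast WEP key every 600 seconds. The per-user
 ! session key rotates whenever the client re-authenticates, which is what the
 ! Session-Timeout value set on the ACS server (assumed here to be 600) forces.
 broadcast-key change 600
```

Two things worth checking after applying something like this: `show dot11 associations` should list clients with an EAP key-management state rather than a static key, and the AP should refuse an association from a client configured with a static 128-bit key, which confirms that `encryption mode wep mandatory` is only being satisfied by EAP-derived keys. The broadcast key is still one key shared by every client on the SSID, which is why its rotation interval is configured separately from the per-user re-authentication timer.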

michael.arthur
Level 1

You don't need to put all the APs on the same VLAN. Put an inbound ACL on the router i/f that only permits traffic to the IP address of the public i/f on the VPN concentrator(s). Also, use an IP-Helper statement on the router i/f to point users on that wireless network to a DHCP server. The user will then be forced to establish a VPN session in order to access network resources. This option is also pretty darn scalable because you can use a similar ACL on any other wireless subnet in your company.
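The router-side design in the reply above, as an added IOS configuration example that is not from this thread or from Cisco. It assumes the wireless subnet 10.20.0.0/24 sits behind FastEthernet0/1, the VPN concentrator's public interface is 10.10.0.5, and the DHCP server is 10.10.0.20 (all constructed placeholders). It goes slightly further than the reply by permitting only the IPsec traffic a VPN client needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP) rather than all IP traffic to the concentrator, and it adds the DHCP permits that the helper address needs in order to work at all.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders:
!   10.20.0.0/24  wireless client subnet behind FastEthernet0/1
!   10.10.0.5     public interface of the VPN concentrator
!   10.10.0.20    DHCP server that ip helper-address relays to
ip access-list extended WLAN-IN
 remark DHCP discover/request arrive as broadcasts; the helper relays them to 10.10.0.20
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark Lease renewals are unicast straight to the DHCP server
 permit udp any eq bootpc host 10.10.0.20 eq bootps
 remark Only what the IPsec VPN client needs to reach the concentrator's public side
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 500
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 4500
 permit esp 10.20.0.0 0.0.0.255 host 10.10.0.5
 remark Everything else from the wireless side is dropped and logged for review
 deny ip any any log
!
interface FastEthernet0/1
 description Wireless APs - untrusted until a VPN session is up
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.0.20
 ip access-group WLAN-IN in
```

The same named ACL can be applied inbound on every wireless-facing interface, which is the scalability point the reply makes. The `deny ip any any log` line is the detection hook: hits against it from the wireless subnet show clients that are associated but trying to reach something other than the concentrator or DHCP, which is exactly the traffic this design is meant to keep out of the private network. If the VPN client is configured for IPsec over TCP instead of UDP, the corresponding TCP port has to be permitted in place of the UDP 4500 line.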
