
Chapter 14. Guarding the Airwaves: Deploying Higher-Layer Wireless VPNs

"For an invincible defence, conceal your form."

—Cao Cao

"Formlessness means being so subtle and secret that no one can spy on you."

—Mei Yaochen

A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. Because 802.11 LANs use unlicensed frequency bands and can easily be reached by outsiders, either accidentally or with malicious intent, wireless networking is an important area for VPN deployment and maintenance. Whereas the deployment of wired VPNs is usually restricted to the specific cases of telecommuters and remote branch offices, the wireless world is entirely different: a VPN can be applied to any wireless link where a high level of security is needed. This includes connections between hosts on a WLAN as well as point-to-point links between wireless bridges. Of course, when 802.11i is finally out and widely implemented, the need for wireless VPN deployment will decrease, but it will not disappear. As reviewed in the Attack chapters, even before the final draft is released, 802.11i standard implementations already have a handful of security problems. We are quite confident that new attacks against the novel standard will appear and spread as time passes. Besides, in a highly secure environment one cannot rely completely on a single safeguard, or on a safeguard at a single network layer. There will also be security-conscious network managers who prefer to trust tried and tested defense mechanisms such as IPSec. In the case of point-to-point wireless links, it is easier and more economical to deploy a network-to-network VPN than 802.11i-based defenses, including the RADIUS server and user credentials database, while using 802.11i with PSK and no 802.1x is not a good security solution for a high-throughput network-to-network link. Either way, wireless VPNs are here to stay and surely deserve a place of their own in this book.

A VPN is the opposite of an expensive system of owned or leased lines that can be used by only one organization. The goal of a VPN is to provide the organization with the same capabilities at a much lower cost. Compare it to point-to-point bridged wireless connectivity solutions, which can also substitute for expensive leased lines. VPN and wireless technologies do not compete; they complement each other.

A VPN works by using the shared public infrastructure, while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be entered by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.[1] A WLAN can be compared to a shared public network infrastructure or, in some cases (hot spots, community nodes), is a shared public network infrastructure.

[1] definition

Let's examine the term VPN more closely and try to explain each component in detail, so that readers who have never encountered VPNs in the real world will have a clear understanding of what we imply here.

The virtual part of the term entails the mutually exclusive and peaceful coexistence of two separate networks within a single network segment, be it the coexistence of IP, IPX, and DDP on the same LAN, or of IP, IPSec, and L2TP traffic going through the Internet cloud. The private part acknowledges that the interaction and the underlying network are understandable only to the endpoints of the channel and not to anyone else. Later, you will see that this applies to both the secrecy and the authenticity of transmitted data. The final network part is pretty much self-explanatory and has a generally accepted definition: any number of devices that have some common way of communicating with each other, irrespective of their geographic location, constitute a network.

It is a common misconception that a VPN must encrypt the passing data, but that is not necessarily true. A VPN is said to satisfy three criteria: confidentiality, integrity, and availability. Note that no VPN is resistant to DoS or DDoS attacks, and none can guarantee availability on the physical layer, due to its virtual nature and its reliance on the underlying protocols. Two of the most important VPN features, especially in wireless communication where you have limited control over the signal spread, are integrity and, most important, confidentiality of the passing data. Take a real-life situation in which someone has managed to bypass the WEP encryption and connect to a WLAN. In the non-VPN scenario, he or she will be able to sniff the data and interfere with network operation. However, if the packets are authenticated, man-in-the-middle attacks are nearly impossible to perform, while the data can still be intercepted. Adding an encryption element to the VPN mitigates the threat presented by data interception.
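The distinction drawn above between integrity and confidentiality, and the point made earlier that a tunnel can hide the originating and receiving addresses as well as the data, as an added example that is not part of the original chapter: an integrity-only framing (packet in the clear plus an HMAC tag) beside an encrypted tunnel framing (the whole inner packet sealed with AES-GCM behind an outer header). The keys, the two-byte addresses standing in for IP headers, and the frame layout are constructed for the demonstration and are not any real VPN protocol's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed demo keys; a real IPSec VPN would negotiate these with IKE.
var macKey = []byte("demo-integrity-key-0123456789abc")
var encKey = []byte("demo-confidential-key-0123456789") // 32 bytes: AES-256

// Integrity only: the inner packet (src, dst, data) stays in the clear with an HMAC
// tag appended, so a sniffer can read it but cannot alter it without being noticed.
func authOnly(pkt []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(pkt)
	return append(append([]byte{}, pkt...), m.Sum(nil)...)
}
// Returns the packet and whether its tag checks out.
func verifyAuthOnly(frame []byte) ([]byte, bool) {
	if len(frame) < sha256.Size {
		return nil, false
	}
	pkt, tag := frame[:len(frame)-sha256.Size], frame[len(frame)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(pkt)
	return pkt, hmac.Equal(tag, m.Sum(nil))
}

// Confidentiality plus integrity, tunnel style: the whole inner packet, its addresses
// included, is sealed with AES-GCM. Only the outer header (the two tunnel endpoints)
// and a per-packet nonce travel in the clear, and the header is authenticated.
func tunnelEncap(outerSrc, outerDst byte, seq uint32, pkt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint32(nonce[8:], seq) // unique per packet, like an ESP sequence number
	hdr := []byte{outerSrc, outerDst}
	return gcm.Seal(append(hdr, nonce...), nonce, pkt, hdr)
}
// Returns the inner packet, or an error if any byte was altered in transit.
func tunnelDecap(frame []byte) ([]byte, error) {
	block, _ := aes.NewCipher(encKey)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, frame[2:2+n], frame[2+n:], frame[:2])
}
```

With the integrity-only framing a sniffer on the WLAN still reads the payload and both inner addresses; with the tunnel framing it sees only the two gateway addresses and opaque bytes, and any modification of either frame is rejected by the receiver.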

Therefore, we tend to see a VPN not as strict isolation of communication, but rather as communication that runs in a more controlled environment with exclusively defined groups of permitted participants.
