#1 (permalink)
Registered Member
Join Date: Mar 2003
Posts: 6
802.11b+WEP+VPN+IAS = security?
Hi,
I am building a wireless LAN for our company. It would be 802.11b with WEP, VPN and IAS (Internet Authentication Service). Is there a test or program for Windows to test the security etc. of the WLAN??? With Regards Jare
#4 (permalink)
KB1JQO - Packin' Heat
Join Date: May 2002
Location: Worcester, MA
Posts: 517
The Contivity VPN client is what my company uses for remote access, and it's an IPsec client, so even if someone does break WEP, it'll be next to impossible to break the IPsec stream.
That said, there are a few more things to do to button up. Connect the 30 APs or so onto the same wireless backbone network and feed it into an unused port on your firewall (or add a port, if necessary) and configure the following rules:
1.) Allow DHCP.
2.) Allow VPN setup and traffic to/from the VPN server only (IKE, AH, ESP).
3.) Deny everything else.
For management purposes, put your APs on a separate subnet on the same wire. Use a strong password and logging. Not sure on the Orinoco APs, but disable management over the wireless interface. There really aren't any security test kits, per se. You'd essentially have to read around and try to break into your own network, or hire a professional to make a complete assessment.
__________________
-A.G.-
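The three firewall rules in the post above (allow DHCP, allow IKE/AH/ESP only to and from the VPN server, deny everything else) are a first-match policy. The following is an added example, not code from the thread or from any vendor named in it: it models that policy as a small packet-filter evaluator so the ordering and the "VPN server only" restriction can be checked against constructed packets. The wireless subnet (10.9.0.0/16) and the VPN server address (192.168.1.10) are assumptions chosen for the example, as are the sample packets.

```python
"""Model of a WLAN-segment firewall policy: allow DHCP, allow IKE/ESP/AH
with the VPN gateway only, deny everything else. Evaluates constructed
packets against the rule list in order; it does not program a firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Assumed addressing for this example (not from the thread).
WLAN_NET = ip_network("10.9.0.0/16")      # wireless clients behind the APs
VPN_SERVER = ip_address("192.168.1.10")   # the IPsec VPN gateway on the LAN

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 500, 67, 68


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # only meaningful for TCP/UDP
    dport: Optional[int] = None


def is_dhcp(p: Packet) -> bool:
    """Rule 1: DHCP exchanges, client->server (68->67) and server->client (67->68).
    Source may be 0.0.0.0 and destination the broadcast address, so no
    subnet check is applied here."""
    return p.proto == PROTO_UDP and (p.sport, p.dport) in {
        (DHCP_CLIENT_PORT, DHCP_SERVER_PORT),
        (DHCP_SERVER_PORT, DHCP_CLIENT_PORT),
    }


def _between_wlan_and_vpn(p: Packet) -> bool:
    """True only if one endpoint is the VPN server and the other a WLAN client."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    return (src in WLAN_NET and dst == VPN_SERVER) or (
        src == VPN_SERVER and dst in WLAN_NET)


def is_vpn(p: Packet) -> bool:
    """Rule 2: IKE (UDP/500), ESP (proto 50) and AH (proto 51), but only
    between the WLAN and the VPN server. ESP to any other LAN host fails."""
    if not _between_wlan_and_vpn(p):
        return False
    if p.proto in (PROTO_ESP, PROTO_AH):
        return True
    return p.proto == PROTO_UDP and p.sport == IKE_PORT and p.dport == IKE_PORT


# Ordered rule list: (name, match predicate, verdict). First match wins.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("allow-dhcp", is_dhcp, "ALLOW"),
    ("allow-vpn", is_vpn, "ALLOW"),
    ("deny-all", lambda p: True, "DENY"),   # Rule 3: the default
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (verdict, rule name) for the first matching rule."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    raise AssertionError("unreachable: deny-all matches every packet")


# Constructed sample traffic from the WLAN segment.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dhcp-discover": Packet("0.0.0.0", "255.255.255.255", PROTO_UDP, 68, 67),
    "ike-to-vpn": Packet("10.9.1.20", "192.168.1.10", PROTO_UDP, 500, 500),
    "ike-reply": Packet("192.168.1.10", "10.9.1.20", PROTO_UDP, 500, 500),
    "esp-to-vpn": Packet("10.9.1.20", "192.168.1.10", PROTO_ESP),
    "esp-to-other-host": Packet("10.9.1.20", "192.168.1.25", PROTO_ESP),
    "smb-direct": Packet("10.9.1.20", "192.168.1.30", PROTO_TCP, 1234, 445),
    "dns-direct": Packet("10.9.1.20", "192.168.1.1", PROTO_UDP, 5000, 53),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample packet; returns {label: verdict}."""
    return {label: evaluate(p)[0] for label, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, p in SAMPLE_PACKETS.items():
        verdict, rule = evaluate(p)
        print(f"{label:18s} {p.src:>15s} -> {p.dst:<15s} {verdict:5s} ({rule})")
```

The point the model makes explicit is that only traffic terminating at the VPN gateway gets through: an ESP packet aimed at any other LAN host, or plain SMB and DNS from a wireless client, hits the default deny even though the client is "on the network".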
#5 (permalink)
Registered Member
Join Date: Mar 2003
Posts: 6
Hi,
And thanks for answering... but we won't have a firewall between WLAN and LAN (although we would like to have it). I think that the security is all right but I need to prove it via some kind of standard test =) Has anybody implemented a network configuration like ours?? Any problems with roaming or authentication?? Best solutions to THIS hardware/software:
WK2000 servers running IAS
Active Directory Domain
Orinoco AP-1000 Wireless stations
Nortel Contivity VPN client software
Nortel Contivity 510 (or something) VPN server
Wireless clients are Windows NT4 (in fork trucks)
#6 (permalink)
KB1JQO - Packin' Heat
Join Date: May 2002
Location: Worcester, MA
Posts: 517
This might come across wrong, but what's the point of running the Contivity client if the WLAN isn't going to be separated from the LAN? Seems like another layer of overhead to me, especially if the same services are being offered over the WLAN and the LAN at the same time.
If you don't have a firewall solution in place, you could get broken into without too much difficulty. 30 APs and requisite clients will generate enough traffic for someone to scoop up enough weak keys for an attempted WEP break. Once your nefarious individual has the key, all that needs to be done is spoof the MAC address of one of your clients, and you won't be able to figure out who. The point of the FW is that if anyone does indeed go through the trouble and gets onto the WLAN, then they're paralyzed unless they can snoop and break an IPsec stream. This can be avoided as easily as having a *nix box with a couple of NICs in it. All-in-all, WLAN segments should be trusted as much as your Internet connection... nada. If you're going to jump through the hoops and spend some good bread and resources on the Nortel VPN solution, and configuring RADIUS, you should be able to firewall the wireless segment. If your security is as important as you suggest it is, you're better off going overboard instead of going "good enough".
__________________
-A.G.-

#8 (permalink)
KB1JQO - Packin' Heat
Join Date: May 2002
Location: Worcester, MA
Posts: 517
The VPN only secures the data transmitted from the client to the VPN server. It doesn't make the transmission any more secure in and of itself. In fact, running VPN traffic may generate more WLAN traffic due to the overhead introduced, making the key sniffing goal that much easier.
The WLAN and LAN need to be kept separate by a firewall or filtered routing device in order to ensure security. One scenario that could happen is that someone figures out the VPN client really isn't required to access the LAN... then there's a risk for stuff to be sniffed out of the air and logged. Even if specific protocol or UN/PW information is gleaned from the potentially broken network, the hacker then only has to snoop around. If your company is big enough to require 30 access points, it's possible any information on the LAN could have some value to someone. A firewall is the only device that can prevent this.
__________________
-A.G.-