Why VPN can't replace Wi-Fi security

TOPICS: Networking, Wi-Fi

Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing Wi-Fi. (Wi-Fi is the common marketing name for 802.11 wireless LANs).  I've always told people that VPN security shouldn't be a substitute for good Wi-Fi security, and I even posted a comprehensive guide to enterprise wireless LAN security, but a loyal group of VPN-only supporters has always argued for a VPN-only alternative.  I'm going to explain VPN and Wi-Fi security as best I can and why there is a right time and right place for each architecture.

The VPN-only camp

The VPN-only camp consists of companies that have a vested interest in selling VPN solutions and of individuals who are more familiar with VPN than with Wi-Fi security, so everything looks like a VPN-type problem because that's within their comfort range.  It's a classic case of when all you have is a hammer, everything looks like a nail.  They'll tell you not to worry about Wi-Fi security and just use VPN. The typical argument from the VPN-only camp is that the IEEE 802.11 standards body can't be trusted to come up with a good solution for Wi-Fi security.  To bolster their claim that Wi-Fi can't be trusted, the VPN-only camp will cite the example of the WEP debacle and/or they'll even point out how "WPA is cracked."

Was WPA really cracked?

Anyone who states that "WPA was cracked" doesn't really understand what WPA is or what cracked means.  What they're actually referring to is the fact that a certain simple mode of WPA (designed primarily for home use), which uses PSK (pre-shared keys), can be cracked when a simple, easy-to-guess PSK is in use.  But that's only an example of a poor deployment of WPA-PSK. A random alphanumeric PSK of 10 characters or more makes dictionary attacks impractical.  I can just as easily point out that the same mistakes can be made in certain VPN deployments that also make use of pre-shared keys.

Is WEP a permanent indictment of IEEE 802.11?

There is no question that WEP is completely broken beyond redemption.  802.11 WEP encryption was designed in the late 90s, at a time of strict U.S. export restrictions, when good cryptography was considered advanced munitions. I've had sources familiar with that process tell me that stronger encryption algorithms were shunned for fear of Wi-Fi products being banned for export.  Not surprisingly, it took less than two years for cryptographic researchers (Fluhrer, Mantin, and Shamir) to demonstrate serious flaws in WEP.  But something designed in the late 90s for exportability should not be a permanent indictment of Wi-Fi security or of the competence of the IEEE 802.11 standards body.  If that's the standard we're going to judge by, we can pretty much shun everything on the Internet.  Moving beyond the WEP debacle, the Wi-Fi industry couldn't wait for the IEEE to fix the standard, so it adopted TKIP (a patched version of WEP) with the WPA industry standard.

Bad implementations should be shunned, not entire categories

There are other bad implementations of VPN and Wi-Fi that have poorly designed authentication mechanisms.  ASLEAP, for example, is a tool that will easily crack both LEAP Wi-Fi 802.1x authentication and PPTP VPN authentication in nearly identical fashion, yet both protocols are (unfortunately) very popular.  The argument should be made against poor cryptographic implementations, not against Wi-Fi security in general.

Wi-Fi and VPN security defined

Modern Wi-Fi security

WPA and WPA2 security came from an industry association called the Wi-Fi Alliance, and both incorporate solid cryptographic principles and algorithms.  WPA was based on the original draft of the 802.11i standard, and WPA2 was based on the finalized version of 802.11i.  Wi-Fi encryption happens on the "data link layer" (Layer 2 of the OSI model) and happens transparently in hardware and firmware.  Note that there are exceptions to the Layer 2 rule with the advent of switched Wi-Fi topology, where access points all tunnel to a centrally managed switch.

For encryption, the only difference between WPA and WPA2 is that WPA2 mandates both TKIP (a proper implementation of RC4) and AES encryption (good enough for top secret government security), whereas WPA mandated only TKIP encryption with optional AES support.  Neither TKIP nor AES is considered broken, though AES is unquestionably superior.

WPA/WPA2 have two modes of authentication and access control: home PSK mode and enterprise 802.1x mode.  In home mode, the use of multiple rounds of hashing makes dictionary attacks painfully slow, and the use of a "salt" in the key derivation rules out pre-computed hash tables (unless the attacker targets a common SSID).  The enterprise mode of WPA calls for 802.1x, which is a standard for port-based network access control that is open to a wide range of EAP (Extensible Authentication Protocol) types.  The stronger EAP types, like EAP-TLS, PEAP, or EAP-TTLS, use PKI digital certificates for strong authentication.  Weaker EAP types, such as Cisco LEAP, transmit hashed passwords in the clear and are easy to crack with dictionary attacks.  Other weak implementations, like Cisco EAP-FAST, are typically deployed with anonymous digital certificates, which make them almost as easy to attack as LEAP.
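To make the home-mode argument concrete (the salt, the hashing rounds, and the "10-character random PSK" rule of thumb from earlier), here is an added Python example that is not part of the original article. It derives the WPA/WPA2-PSK Pairwise Master Key the way a supplicant and access point do, per IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output); the "password"/"IEEE" pair is the published 802.11i test vector, the other sample values are constructed, and the 59-bit threshold in `meets_article_minimum` is my own assumption chosen to match the article's recommendation.

```python
"""Added example (not from the article): how WPA/WPA2-PSK turns a passphrase
into the Pairwise Master Key, and why the SSID salt and iteration count matter."""
import hashlib
import math
import string

# IEEE 802.11i: PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a WPA/WPA2-PSK supplicant and AP do."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def pmk_is_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The same passphrase on two SSIDs yields two unrelated PMKs, so a table
    pre-computed for one SSID says nothing about another (the article's salt
    point; a widely used default SSID is the exception it mentions)."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing entropy if the passphrase were drawn uniformly
    from the character classes it uses (a dictionary word scores far lower)."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in passphrase):
            pool += len(cls)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def meets_article_minimum(passphrase: str) -> bool:
    """Article rule of thumb: a random alphanumeric PSK of 10+ characters
    (about 59.5 bits from a 62-character pool) is impractical for dictionary
    attacks. The 59-bit cutoff is an assumption chosen to match that advice."""
    return len(passphrase) >= 10 and passphrase_entropy_bits(passphrase) >= 59.0


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
    print(pmk_is_ssid_specific("password", "IEEE", "linksys"))
    for psk in ("password", "Xk7pQ2vL9m"):
        print(psk, round(passphrase_entropy_bits(psk), 1), meets_article_minimum(psk))
```

Each candidate passphrase costs an attacker the full 4096-round derivation per SSID, which is the "painfully slow" property the text describes; the entropy check is what a defender runs before deploying a PSK.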

Modern VPN security

VPN (virtual private network) is a privacy technology where the encryption usually happens at the network layer (Layer 3 of the OSI model) with technology such as IPSEC, PPTP, and L2TP.  More recent VPN implementations have moved to SSL tunneling for ease of firewall, NAT, and proxy traversal (bypass), where the encryption happens at the presentation layer (Layer 6 of the OSI model).  Note that most VPN solutions emulate a Layer 2 connection by encapsulating Layer 2 within Layer 3 IPSEC or Layer 6 SSL.  Layer 2 emulation allows the VPN client to have a virtual IP address on the remote LAN it's connecting to.  Some SSL-tunneling VPN vendors (not to be confused with application-layer SSL-VPN), like Cisco, use ActiveX and/or Java installers to make it possible to rapidly deploy the VPN client from a Web-based install.  Microsoft will soon begin to incorporate a new SSL-tunneling technology, called SSTP, into Windows' built-in VPN client, which currently supports only PPTP and L2TP.

Encryption and authentication used in VPN vary depending on the implementation.  Implementations such as PPTP VPN use RC4 (40-, 56-, and 128-bit), whereas IPSEC and L2TP can use a wide range of encryption algorithms, like DES (56-bit), 3DES (168-bit), and AES (128-, 192-, and 256-bit).  Authentication mechanisms in VPN can be weak, like PPTP, which transmits hashed passwords in the clear, or they can be strong PKI-based implementations, like L2TP, which uses server and client digital certificates.  Some IPSEC solutions will have the option of using a pre-shared key or PKI-based digital certificates.  If this sounds a lot like Wi-Fi security above, it's not your imagination -- the principles of cryptography are universal.

Where VPN and Wi-Fi security fit in

VPN and Wi-Fi security each has its role in network security.  VPNs allow you to connect securely over any network (including the Internet) whether you're using a dial-up modem or a Wi-Fi hotspot connection.  This allows VPN to work from virtually anywhere in the world that provides Internet access.  Wi-Fi security, on the other hand, offers you security only at the data link layer between your mobile device and the wireless access point, which usually means it can only work locally in a LAN environment.  But Wi-Fi security solutions provide significantly more speed, less overhead, and less complexity.  The purpose of Wi-Fi security is to give you equal or better security than using a wired connection to the LAN with an equal level of functionality.

When you're using a VPN connection, the connection to the LAN over the Internet doesn't happen until the user logs in, fires up the VPN client software, and manually starts a connection.  With Wi-Fi security, it is possible to use machine authentication to securely connect the computer before the user even logs into the PC.  That means maintenance tasks like Windows Update, enterprise management tools, group policy updates prior to or during login, and first-time user login can all be supported.  When a user wakes a laptop and logs in, it automatically and instantly logs the user into the wireless LAN with no user interaction.  Centralized management and distribution of Wi-Fi client configuration make Wi-Fi security very appealing to the enterprise.  There are also cases where VPN simply can't do the job at all, because many embedded devices, like Wi-Fi VoIP phones, Wi-Fi label printers, and Wi-Fi barcode scanners, can't support VPN but will support Wi-Fi WPA/WPA2 security.

Wi-Fi security coexisting with VPN security

In the network topology diagram above, we have a hybrid solution where both VPN and Wi-Fi security are deployed in an enterprise network.  The VPN gateway provides encrypted connections to users coming from the Internet, while the access points (more than one represented) provide wireless LAN connectivity for local devices.  The Wi-Fi network here is a closed network, where access control and authentication are performed BEFORE a Wi-Fi association is granted and the encryption is performed in hardware for everything at Layer 2 and above.  This topology utilizes a centralized RADIUS authentication model that is shared by all the access points and VPN gateways.  The access points and VPN gateway are the network access devices that forward RADIUS authentication requests to the RADIUS server, which in turn checks with the user directory (LDAP, Active Directory, Novell, etc.) for verification.  This offers true single sign-on for both Wi-Fi and VPN security with no waste in hardware.

VPN-only network-layer security

In the network topology above, VPN is the only solution being used to cover both VPN and Wi-Fi users.  It works to a limited extent such that laptops, Windows Mobile, Windows CE, and portable Linux devices can connect to the internal LAN as if they were connected with a VPN via an Internet hotspot.  But embedded devices, like Wi-Fi VoIP phones, Wi-Fi label printers, and barcode scanners, aren't so fortunate; they aren't supported by this architecture.  The performance is bottlenecked at the VPN gateway, which may require an upgrade to a gigabit-capable gateway.  Local Wi-Fi users are forced to go through a two-phase connection, where they first connect to the Wi-Fi network and then fire up their VPN software.

The AES encryption hardware in the access points and wireless network cards sits idle while the software VPN client eats up memory, MTU packet overhead, and clock cycles on the CPU.  Seamless fast roaming from access point to access point becomes more difficult.  Hackers can jump onto the wireless access points and play dirty tricks, like starving the DHCP server by filling it up with bogus requests, or possibly perform other Layer 2 attacks.  Hackers can probe for weaknesses in the other legitimate Wi-Fi clients because everyone is on the same subnet, and you had better hope everyone has a host-based firewall that's locked down tight.

Forcing a VPN-only topology means:

  • More expensive gigabit-capable VPN gateway
  • Saving nothing on Wi-Fi related infrastructure
  • Getting less performance and more overhead
  • Getting less compatibility with embedded devices
  • Offering less manageability with no pre-login connectivity
  • Allowing the hacker to get onto your open Wi-Fi network and probe your network and Wi-Fi clients for weaknesses

It's clear that the best approach is to use the right tool for the right job.  VPN security is like a hammer and Wi-Fi security is like the screwdriver.  You can't use a screwdriver to drive in a nail, and you wouldn't use a hammer to drive in a screw.  You can force a screw in with a hammer, but it won't always give you the desired results.

  • Er ah, What?

    Seriously, this is probably 'George Ou' at his best.
    D T Schmitz
    • Thanks, and I thought you were going to rip my head off for not suggesting

      Thanks, and I thought you were going to rip my head off for not suggesting SSH :).
      • O'Reilly Press: Virtual Private Networks, 2nd Ed.

        [url=http://www.oreilly.com/catalog/vpn2/]A book worth acquiring[/url]

        It dedicates Chapter 8 to SSH, which can be just as effective as some of the more expensive VPN solutions, e.g., ppp over ssh is practicable.

        Thanks again George ;)
        D T Schmitz
        • You can pretty much tunnel over anything

          You can pretty much tunnel over anything. There are even ways to tunnel over DNS or ICMP. SSH is one of the more common home-grown solutions out there because anyone with a Linux/FreeBSD box can do it.
    • totally agree

      As always, George, your blogs are a great read.
      • Thanks - nt

  • hmm.

    George Ou must speak with some really stupid people.
    • You mean people who say VPN is the only way to go?

      You mean people who say VPN is the only way to go? Ah they're extremely common. In fact they're probably the ones that voted this blog down.
      • Anonymous voting ...

        You know, I've always thought the "anonymous voting" feature was kind of dumb, not to mention cowardly. Anyone can set up 30 separate ZDNet accounts and vote an issue up or down based on their own opinion. What would be a better idea would be to have all users choose a reply category of either "agree", "disagree", or "neutral" when commenting on blog entries. That would be a truer measure (moreso than anonymous, anyway) of whether a blog entry was considered worthwhile. It could also save the blogger (and other commenters) some time by sorting, reviewing, and replying to the comments by category.

        Just a thought...
        • Yeah but even that lets them vote anonymously

          They can still create 30 accounts and type in their messages as if they were different people. Everyone that posts here is essentially anonymous.
          • But it would be more work...

            It would be more time consuming for them to have to type even the shortest message than to just click the up or down vote.

            On the other hand, wouldn't you like every subject line like this recorded with a vote? "George, I've admired your blogs you've posted, and I agree with you." :-)

          • True, it would be a little more work than just clicking up/down

  • George, I've admired your blogs you've posted, and I agree with you.

    I don't buy into rumors that claimed VPN is a better solution to security than Wi-Fi. Either (well, no offense to them) they don't understand how Wi-Fi security works or they don't have Wi-Fi access points/routers and put security encryption (I'll suggest WPA2-AES with strongest LEAP and non-dictionary password, if possible) into work with wireless adapters that support the strongest WPA2-AES encryption.
    Grayson Peddie
    • LEAP should be banned

      LEAP should be banned because it's impossible to have human-usable passwords that can withstand a 45-million password/sec dictionary attack. There's no "salt" implemented in LEAP (MSCHAPv2) and there's only a few rounds of hashing which makes the offline attack extremely fast. WPA-PSK mode is susceptible to offline attacks but the "salt" makes pre-computed tables unlikely and the hundred rounds of SHA makes offline password cracking extremely slow. If I had my choice, I'd ban any system that permitted offline cracking though WPA-PSK is about as good as it gets.

      Even EAP-FAST should be shunned because it almost always defaults to using anonymous server certificates because that's how Cisco markets it. LEAP and EAP-FAST are proprietary lockins. The Cisco client doesn't support machine-authentication and even Cisco tells you to use the Microsoft client if you want that. You also can't do group policy management of the Cisco client and it's limited in hardware support.

      If you want an open and secure solution, EAP-TLS, PEAP, or EAP-TTLS are the only ways to go. PEAP is probably the most universally supported and it's supported in the Microsoft client which permits easy management and machine-authentication.
      • I was about to mention EAP-TLS, PEAP, or EAP-TTLS

        instead of LEAP but didn't remember those... Far too many of them to remember like EAP-TLS--heh.

        So after WEP and LEAP are banned and LEAP-FAST should be banned, hmmmm... I wonder what's next?

        I didn't advocate using LEAP, though...
        Grayson Peddie
        • The default EAP-FAST is the big problem

          The default EAP-FAST is the big problem. Unfortunately that's how people tend to deploy it because it's so easy to use anonymous server certificates. Their other ways of deploying EAP-FAST are unusable. The other reason is that it's a proprietary Cisco technology that locks you in to their Access Points. Why in the world would you want to lock yourself in? The Cisco client also doesn't support machine logon or group policy management.
          • Seems this is the reason for me to not trust Cisco...

            I wouldn't lock-in to LEAP-FAST...

            I thought about building a server with Windows Server Longhorn (Server Core) installed and put in a wireless access point PCI card. I can trust Windows for network management.

            Even though I have some network experience, I'm a hobbyist and I use a computer at home, so I don't see any sense of building a RADIUS server (it'll be unusual if I do that) and that WPA2-AES is good enough for me.
            Grayson Peddie
          • Cisco produces fine hardware and they helped invent PEAP

            Cisco produces fine hardware and they helped invent PEAP along with Microsoft and RSA. Nothing wrong with using Cisco wireless gear, just be sure to avoid LEAP or EAP-FAST and use open PEAP which Cisco fully supports.

            The same applies to Cisco routers. You should avoid using their proprietary routing protocols like EIGRP and stick with OSPF so you can be more interoperable.
          • EIGRP Rocks...

            I only wish that Cisco would standardise it and release it to the public as an open standard.

            Either that or improve OSPF performance and load-balancing.
          • You have a point there

            Some Cisco stuff like EIGRP or their alternative to 802.1q trunking is quite good, unlike LEAP and EAP-FAST which have no redeeming value. However, I prefer to standardize if possible with OSPF and dot1q.