
How IPSec can help WiFi



Secure the lowest common denominator


"The fortress mentality doesn't fit new technologies anymore."

We are moving to a model where any device can interact with any service. By definition, that model doesn't allow you to draw a boundary wall around everything. "We are definitely entering the borderless era and companies have to rethink their security policy," says Roger Simon, TheGreenBow CEO.

If you can't draw a line around the enterprise and declare everybody outside it unsafe, then you have to secure the lowest common denominator: the machine, the PDA or the application. What's needed then is a central policy server that enforces a coherent security policy and gives a global view across the enterprise.


Massive adoption of a non-secure wireless technology


There is no doubt about the massive adoption of WiFi across the board (home/SOHO, SMB, large enterprises). But massive adoption can also slow down the evolution towards secured wireless networks.

WiFi provides a number of benefits, among which you can count mobility, ease of deployment, low cost, value-added services (hotspots), ... This is the dream technology for users, but at the same time its security issues give IT managers nightmares. How can IPSec help to secure WiFi hotspots?

Worldwide Hotspot Growth



WiFi security holes?


It is not surprising if you look back at the history of the 802.11 protocol specification, which is the reference design for all WiFi products today. The 802.11 protocol was designed with very close-range usage in mind, as a substitute for the LAN. You'll find a security layer in there called WEP (Wired Equivalent Privacy). Hacker proof?

Product implementations are unfortunately not secure enough, and a number of hacker tools are available on the web (e.g. dwepcrack, airsnort, bsdairtools, ...) that allow breaking any WEP security configuration without deep security knowledge.

There is more. A large number of deployed wireless networks today suffer from bad configuration: "off the shelf" or default configuration. You can blame the lack of security skills or IT resources (small business), the difficulty of implementing security policies within large organizations, ad hoc home-worker installations, shared resources (hotspots) and more.


Legal implications


Remote workers, SOHO and residential users may face legal issues, as their (wireless) network can give Internet access to anyone. In the event an attack is traced back to your DSL access, it would be very difficult to demonstrate you're not involved.

This is a serious threat. "War driving" means organized street parties with sophisticated software and equipment to identify "open" WiFi areas from which to launch worms or attacks. Once marked with specific labels (i.e. war chalking), those areas can be reused by others. And you don't know.


What’s next …


Fortunately though, WEP is evolving. A report (Fluhrer, Mantin, and Shamir, 2001) pointed out cryptographic weaknesses. WPA (Wireless Protected Access) and, more recently, RSN have appeared as the replacement for WEP. See the 802.11 evolution table below.

The next product generation (802.11i*) will be almost unbreakable by today’s standards. But two major issues remain.

Millions of wireless access points (WiFi), gateways and routers have now been deployed, and it will take another cycle before they are replaced. Hardware prices will not drop as more features are added, and migration projects include a lot of hidden costs for IT organizations. IPSec can help secure some of the thousands of hotspots and WiFi networks deployed today.

And the human factor is the weak link for 100% security: password choice and storage, password renewal frequency, security key management, security burdens bypassed by end users, ...

We recommend you implement security policies and proceed with regular security audits (see also TheGreenBow Services).


Checklist to prevent "casual" intruders


(See configuration guides on TheGreenBow Support)
  • Deactivate SSID broadcast.
  • Change the default SSID. Default network IDs are known by all hackers.
  • Choose a generic network name with no corporate or owner information in it.
  • Change the default encryption key.
  • Despite its weaknesses, activate WEP.
  • Activate the MAC address filter on all Access Points.
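As an added example (not from TheGreenBow or this page), here is a small Python audit that checks a Linux hostapd access-point configuration against the checklist above, and also flags open networks and prefers the 802.11i/RSN setting mentioned later on this page. hostapd and its option names are assumptions; the two sample configurations and the default-SSID and default-key lists are constructed.

```python
WEAK_CONF = """\
ssid=linksys
ignore_broadcast_ssid=0
wep_key0=1234567890
macaddr_acl=0
"""
HARDENED_CONF = """\
ssid=blue-42
ignore_broadcast_ssid=1
wpa=2
wpa_passphrase=CHANGE-ME-long-random-passphrase
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""
# Constructed lists: vendor default SSIDs and manual-printed sample WEP keys.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
DEFAULT_WEP_KEYS = {"1234567890", "0000000000"}

def parse_hostapd(text):
    """Turn hostapd key=value lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return the checklist items the access-point configuration fails."""
    findings = []
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast-on")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    wpa = int(cfg.get("wpa", "0"))  # hostapd bitfield: 1=WPA, 2=RSN/802.11i
    if wpa & 2:
        pass  # RSN/802.11i, the WEP replacement named on this page
    elif wpa & 1:
        findings.append("wpa1-only")
    elif any(k.startswith("wep_key") for k in cfg):
        findings.append("wep-only")  # better than open, but breakable
        if cfg.get("wep_key0") in DEFAULT_WEP_KEYS:
            findings.append("default-wep-key")
    else:
        findings.append("open-network")
    if cfg.get("macaddr_acl", "0") != "1":  # 1 = accept only listed MACs
        findings.append("no-mac-filter")
    return findings
```

Run `audit(parse_hostapd(WEAK_CONF))` to see every checklist item the weak sample fails; the hardened sample returns an empty list.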

Enterprise !! Checklist to prevent hacker attacks


1. Install an IPsec VPN Client on WiFi laptops and PCs, and enable IPSec on all Access Points (see the Gateway Configuration Manual database).
2. Place all Access Points within a demilitarized zone (DMZ), separated from the enterprise LAN by a firewall.
3. Install an intrusion detection system in the DMZ.
4. Install a Personal Firewall on wireless laptops and PCs.

HotSpot !!! Checklist to prevent hacker attacks


1. Make an IPsec VPN Client (75 sec download) available on your home page for your customers to download onto WiFi laptops and PCs. Multiple tunnels can be established to access several enterprises at the same time.
2. Also make your IPSec configuration file available, in case the software is already installed.
3. Enable IPSec on all Access Points (see the Gateway Configuration Manual database) and activate the embedded Gateway Firewall feature.
4. You've built yourself a Secured HotSpot Cafe (WiFi).

Secured Hotspot Cafe


TheGreenBow IPSec VPN Client is also available integrated with a Personal Firewall.


Standard WiFi 802.11x evolution


See also www.wi-fi.org and www.ieee.org

Wifi table



Comparison between WEP and 802.11i


WEP vs 802.11i


WiFi/IPSec Readings and References


Wireless LAN Security
CERTA (French Government)
WiFi Network News
WiFi Alliance
SC Magazine (May 2004)