Re: VPN over wireless



"William4" <w4@xxxxxxxx> hath wroth:

...

The RSA key is for authentication, not authorization. That's a nice
feature to ensure that nobody has spoofed or stolen your connection,
but is not necessary for the basic operation. All VPN clients can use
something local to provide authentication, such as the MAC address, IP
address, machine serial numbers, or X.509 certificate?


> Do WEP/WPA/WPA2 encrypt each packet?

No. Only the payload data packets are encrypted. Management packets
are sent unencrypted. Therefore, MAC addresses are easily visible,
but IP addresses are encrypted.

> - so that if you were to sniff the rf
> as it were you would not be able to see data in the raw;

I prefer my data cooked, not raw. With a sniffer, all you see are the
encrypted data packets and the unencrypted management packets.

> over and above any
> authenification etc. - without the key or a hack.

Ummm... it's called authentication.
The key exchange mechanism varies with the type of encryption. You
can find the details on how they work with Google. The problem with
WEP is primarily that the key exchange mechanism is seriously flawed.
That was fixed with WPA. WPA can be cracked with a trivial (less than
8 characters) key, using brute force (trial and error) so use a long
random key. WPA2 added additional security in the form of a different
authentication mechanism and a more complex encryption mechanism.

> In that case, without using external (server & client VPN) software a wifi
> link is probably more secure than the wired. [Now to just make it work
> reliably ...]

True. I've found it much easier to just plug into a wired ethernet
switch (if available), than to sniff and decrypt wireless packets. Why
bang on the locked front door, when you can go around back and crawl
through a wide open window?

With a VPN, only the packets going between the VPN client and VPN
server (or VPN termination) are encrypted and secure. If you
subscribe to an online VPN service, such as:
<http://wireless.wikia.com/wiki/Wi-Fi#VPN_Service_Providers>
it's only secure between the VPN endpoints. The traffic between the
VPN server and the rest of the internet is unencrypted.

> Says the one on wired lan with the wifi currently switched off..

It's rather difficult to sniff packets on equipment that's turned off.

Disclaimer: I are not a security expert.

--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
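
The split described in the post above (frame headers and management frames readable, data payloads encrypted) can be seen in the 802.11 Frame Control field. The following is an added example, not part of the original post: it parses two constructed frames and reports what a passive listener without the key can read. It assumes the basic 24-byte, three-address MAC header with no radiotap prefix; the MAC addresses, SSID and payload bytes are made up.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
PROTECTED = 0x4000  # "Protected Frame" flag in the 16-bit Frame Control field

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def sniffer_view(frame: bytes) -> dict:
    """What a passive listener without the key can read from one 802.11 frame.

    Handles only the basic 24-byte, three-address MAC header (assumption:
    no radiotap prefix, no QoS or four-address frames).
    """
    if len(frame) < 24:
        raise ValueError("shorter than a 24-byte 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    body = frame[24:]
    encrypted = bool(fc & PROTECTED)
    return {
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "encrypted": encrypted,
        # The header, MAC addresses included, is never encrypted.
        "addresses": [mac(frame[i:i + 6]) for i in (4, 10, 16)],
        # The body is readable only when the Protected Frame bit is clear.
        "readable_body": None if encrypted else body,
        "body_len": len(body),
    }

# Constructed sample frames (locally administered MACs, made-up payloads).
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
SEQ = b"\x00\x00"

# Beacon: management frame, subtype 8, flags 0x00, SSID element in the clear.
BEACON = (b"\x80\x00" + b"\x00\x00" + BROADCAST + AP + AP + SEQ
          + bytes(12) + b"\x00\x07example")

# Data frame from client to AP: flags 0x41 = ToDS | Protected Frame.
DATA = (b"\x08\x41" + b"\x00\x00" + AP + CLIENT + AP + SEQ
        + bytes.fromhex("a1b2c3d4e5f60718293a4b5c"))

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA)):
        print(name, sniffer_view(frame))
```
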