Using an SSL VPN instead of wireless encryption
Last Post: January 30, 2009:
-
Forum,
I have a user in higher education that is considering using an SSL VPN concentrator instead of wireless encryption because he says that it is too complicated for multiple clients to set up their laptops to use WPA/WPA2 encryption. I am trying to dissuade the user due to the cost of a VPN concentrator that would handle thousands of users at a time.
What are the pros/cons of his approach, besides the added additional cost, troubleshooting possible client configuration, etc?
Thanks -
Who are the clients that will be using the system? College students and their personal laptops?
GT -
Good question! It all depends on the security posture that the organization's security policy makers (CISO/CSO) have assessed as vital for the information assurance (IA) of the users on the WLAN.
http://www.infosectoday.com/Articles/SSL_VPN.htm
FTR,
We are considering using both the advantages of wireless encryption and the SSL VPN. We have been using the SSL VPN for remote access, but adding it to the wireless is like using a NAC appliance with the host posture assessment for viruses, patches, etc. -
GT, This is for college students, faculty, their personal laptops.
Comp, thanks for the article.
Some issues that I'm worried about are that it creates another layer of complexity, another device to manage. The helpdesk will also have to troubleshoot whatever software is installed on each laptop, and there are some clients, Linux maybe, that will not be supported. Troubleshoot the RF, then troubleshoot the VPN connection.
I'm also concerned that most VPN appliances are designed with remote access users in mind, whose speed is limited by their internet connections. Will it be able to scale for the hundreds of 802.11n users they have, who will be pushing traffic over 100m? What about redundancy? Also, if you are doing VPN over an open network, the IP address of the client's endpoint is in the clear and is also fair game for any type of attack, because the encryption is occurring at layer 3 instead of layer 2, where endpoint IP addresses are not visible to anyone. If you decide to use something like WEP or WPA-PSK, everyone has the key, so the IP addresses are once again visible and fair game for anyone to start attacking an endpoint. If I do some type of PSK encryption, I'm getting the user to configure his/her endpoint anyway, so maybe they should go all the way and do some WPA/WPA2 Enterprise configuration and be done with it.
I suspect that there now is some requirement for posture checking, but would a separate posture checking appliance, combined with wireless encryption offer more features than a VPN concentrator?
Are there any other pros or cons that I am missing? -
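As an added illustration (not from any poster in this thread), here is what the WPA2 Enterprise client side discussed above looks like as a wpa_supplicant network block: 802.1X/EAP gives each user a separate session key at layer 2, and the two server-validation lines are what make the client refuse an access point that is not backed by the campus RADIUS server. The SSID, identity, password, CA path and RADIUS host name are assumed placeholders.

```conf
# wpa_supplicant.conf (added example; all names below are assumed placeholders)
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
    # Assumed SSID of the 802.11i network
    ssid="CampusSecure"
    scan_ssid=1
    # WPA2 (802.11i RSN) with AES-CCMP: frames are protected at layer 2,
    # so endpoint IP addresses are not readable by other stations.
    proto=RSN
    pairwise=CCMP
    group=CCMP
    # 802.1X/EAP instead of a shared PSK: a per-user, per-session key,
    # so one student's key does not expose another student's traffic.
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Assumed user credentials (in practice prompted for, not stored in clear)
    identity="student@example.edu"
    password="assumed-password"
    # Server validation. Without ca_cert and domain_suffix_match the supplicant
    # would accept any RADIUS certificate, so a rogue access point could pose
    # as the campus network and collect the inner authentication exchange.
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```

Tools such as the provisioning products mentioned later in this thread push essentially this profile (plus the CA certificate) onto each laptop so users do not have to type it themselves.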
There are some "validated" (no pun intended) concerns with using SSL (Web based authentication) that require the domain that uses them to take added measures of caution.
See this website... it is quite an interesting read... I too learned something new: EV SSL is the way to go.
http://www.evsslguide.com/evsslcertificate/step4a.html -
I've been researching this as well. From a support side it seems a whole lot easier than 802.11i on student machines. I have found a few Universities that are using SSL VPN for accessing wireless.
Depaul
http://findarticles.com/p/articles/mi_m0CMN/is_/ai_n29476094
George Washington Univ is using Juniper. Link to PDF
http://www.juniper.net/solutions/customer_profiles/352269.pdf -
Boognish,
Thanks for the articles.
This is good information. -
Yes, indeed!
Juniper is what we are looking at as well. -
I came across Cloudpath as well. Sounds interesting..
http://www.cloudpath.net/product_overview.php
Automated wireless configuration. Every network owns a 15 page document specifying how to configure a machine for wireless network access. Quite frankly, configuring network access is tedious, and most users would rather visit the support desk. Using an open SSID, a CD, a USB flash drive, or GPO, XpressConnect automatically configures each device for secure wireless access in about one minute. This includes establishing the wireless profile, disabling third party wireless utilities, configuring the 802.1X supplicant, automatically attaching to the secure network, and guiding the user through the 802.1X authentication. XpressConnect can even configure each machine for the best security supported by the NIC, reducing the classic security versus supportability conflict. -
boognish wrote:
I came across Cloudpath as well. Sounds interesting..
http://www.cloudpath.net/product_overview.php
Automated wireless configuration. Every network owns a 15 page document specifying how to configure a machine for wireless network access. Quite frankly, configuring network access is tedious, and most users would rather visit the support desk. Using an open SSID, a CD, a USB flash drive, or GPO, XpressConnect automatically configures each device for secure wireless access in about one minute. This includes establishing the wireless profile, disabling third party wireless utilities, configuring the 802.1X supplicant, automatically attaching to the secure network, and guiding the user through the 802.1X authentication. XpressConnect can even configure each machine for the best security supported by the NIC, reducing the classic security versus supportability conflict.
This is by far the best approach. Like many have stated above, ONLY encrypting the data on your wireless LAN leaves the network itself open for anyone with a downloadable script to wreak havoc on your network and resources. Yeah, your data might be protected, but you need to protect the basic ACCESS to your infrastructure also. This is your first line of defense when it comes to intrusion prevention. Only encrypting your data is like not locking the bank, but only the vault, at night.