Wireless & VPN

Would you consider a Microsoft VPN tunnel established through a WEP encrypted access point to be secure? If not, how easy is it for someone to steal data passed through the tunnel? Are there any good references for judging relative security levels from the various configurations/solutions available? Thanks, Jeremy

Answer Wiki


There are two kinds of Microsoft VPN tunnels:

1) Microsoft added a Point to Point Tunneling Protocol (PPTP) VPN client to a Windows Dial-Up Networking upgrade for Windows 95, and PPTP has been included in every Microsoft operating system released since that time, including Pocket PC 2002. Although its most significant flaws were fixed in MS-CHAPv2 years ago, PPTP is generally considered a weak VPN tunneling protocol. To learn more, visit this URL: http://www.counterpane.com/pptp.html

2) Starting with Windows 2000, Microsoft enhanced DUN with an L2TP over IPsec VPN client. By default, every Windows VPN connection attempts to negotiate L2TP over IPsec first, then falls back to PPTP. However, connections can be explicitly configured to use PPTP or L2TP only. For example, on Windows XP, open the VPN connection’s Properties panel, choose the Network tab, and pick either L2TP or PPTP under “Type of VPN.” IPsec is generally considered a strong VPN tunneling protocol, particularly when configured to employ strong cryptographic algorithms and avoid vulnerable options like IKE Aggressive Mode and Extended Authentication (XAUTH). To learn more about IPsec, visit this URL: http://www.vpnc.org/vpn-standards.html

Both VPNs provide cryptographic protection for wireless data payload. Someone capturing WLAN traffic will be able to see all 802.11 management and control frames, as well as the IP headers carried in 802.11 data frames. They will also be able to see cleartext parts of VPN-encrypted packets — for example, usernames or IDs or hashed passwords that might be sent in PPTP and IPsec (IKE) packets when a tunnel is established. Someone can’t steal the data passed inside the encrypted tunnel, but they can try to use exposed headers to attack the WLAN or the VPN. For example, someone might aim a “cracking” tool at your VPN gateway to try to guess a legitimate user’s password or shared secret, then gain access to the network behind the VPN.

You can help deflect these attacks by enabling WEP or WPA or WPA2 on your AP. All VPN packets, including IP headers and VPN tunnel establishment packets, passed between wireless stations and the AP will then be encrypted. WEP is notoriously easy to crack; visit this URL to learn more: http://www.drizzle.com/~aboba/IEEE/ . WPA and WPA2 can be cracked when used with easy-to-guess Preshared Secret Keys (PSKs); visit this URL for guidelines on choosing good PSKs: https://searchmobilecomputing.techtarget.com/tip/0,289483,sid40_gci1026652,00.html
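The answer notes that a Windows VPN connection tries L2TP over IPsec first and falls back to PPTP unless it is pinned to one type. The following is an added example, not part of the original answer: a small audit that reads a Windows phonebook file (rasphone.pbk) and lists the connections that can still end up on PPTP. It assumes the phonebook's VpnStrategy key stores the RASENTRY dwVpnStrategy values from ras.h; the sample phonebook and host names are constructed.

```python
import configparser

# RASENTRY dwVpnStrategy values (ras.h). Assumption: the VpnStrategy key in
# rasphone.pbk stores the same numbers. Second field: can PPTP be negotiated?
STRATEGY = {
    0: ("default (automatic)", True),
    1: ("PPTP only", True),
    2: ("PPTP first, then L2TP", True),
    3: ("L2TP only", False),
    4: ("L2TP first, then PPTP", True),
}

# Constructed sample phonebook; real files carry many more keys per entry.
SAMPLE_PBK = """\
[Office L2TP]
Encoding=1
VpnStrategy=3
PhoneNumber=vpn.example.test

[Office default]
Encoding=1
VpnStrategy=4
PhoneNumber=vpn.example.test

[Legacy]
VpnStrategy=1
PhoneNumber=old.example.test
"""

def audit_phonebook(text):
    """Return {entry name: (strategy description, pptp_possible)}."""
    # Phonebooks repeat keys (MEDIA=, DEVICE=) and may contain '%', so
    # duplicate detection and interpolation are both switched off.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    report = {}
    for entry in parser.sections():
        raw = parser.get(entry, "VpnStrategy", fallback="0")
        code = int(raw) if raw.strip().isdigit() else None
        # Values outside the table are flagged for manual review.
        report[entry] = STRATEGY.get(code, (f"unknown ({raw})", True))
    return report

def pptp_capable(text):
    """Names of connections that are not pinned to L2TP over IPsec."""
    return sorted(n for n, (_, pptp) in audit_phonebook(text).items() if pptp)

if __name__ == "__main__":
    for name, (desc, pptp) in audit_phonebook(SAMPLE_PBK).items():
        print(f"{name:16} {desc:24} {'REVIEW' if pptp else 'ok'}")
```

Entries reported for review are the ones to pin to L2TP in the connection's "Type of VPN" setting described above.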
