Securing Corporate Wireless Networks using VPN
A Virtual Private Network (VPN) is, in its original sense, a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network [1]. In other words, with a VPN server installed in the office network, a worker at home may connect to the office network and authenticate. From then on, the remote user's computer behaves as if it were physically attached to the office network. A VPN works by establishing a secure tunnel between the remote node and the trusted network. The functionality provided by a VPN, however, is not limited to building virtual networks; it can be extended to securing wireless connections.
Wireless connections are not secure by default. Any data sent from a wireless device, such as a notebook computer, to a wireless access point, such as a wireless router, can be eavesdropped on by any third party in the nearby area. There is a built-in 802.11b security feature called Wired Equivalent Privacy (WEP). It is easy to enable; however, the WEP protocol is known to be vulnerable [2][3]. Moreover, all the devices using the same access point must share the same secret key. For example, if a coffee shop offers wireless Internet and enables the WEP security feature, it needs to tell all customers the secret key it is using. The secret key may be "coffee". A secret known by many people is no longer a secret.
This is why VPN technology is employed to carry out this security task. Consider a university that decides to support wireless devices and installs 100 access points across the campus. The university needs to set up only one VPN server for its students to connect to. Then whenever students want to use the wireless Internet, they can secure their connection by authenticating to the VPN server. Here is the scenario:
Originally (figure not reproduced; its three entities are described below):
In this figure, there are three entities. The first one is the university's wireline network, which is represented by the blue cloud. The second entity is the Internet, and the third entity is the notebook computer. If the notebook computer needs to access the Internet, it has to go through the university's wireline network first. All signals, from the notebook computer to any access point of the network, are sent in plain text. A malicious student in the next classroom can easily eavesdrop on all of this traffic.
After the VPN is employed, the connection becomes the following (figure not reproduced):
Here all data from the notebook computer to the university's wireline network is encrypted until it reaches the VPN server, where it is decrypted. You may ask why the credit card number is shown in plain text afterwards. That, however, is no longer an issue of the wireless connection: all traffic from the university's wireline network to the Internet is unencrypted by default.
To secure the connection from the university's wireline network across the Internet until it reaches the bank, we have to employ another technology, called the Secure Sockets Layer (SSL). It has nothing to do with the university; the bank has to support it. Nowadays most banks and online transaction services (e.g., PayPal.com) support SSL. We can recognize such websites by their URL starting with https instead of http.
The tragic fact about these security features is that users seldom take full advantage of them. For instance, the built-in security feature of 802.11b networks, WEP, is crackable, but that does not mean it is useless: it provides the most basic defence against attackers. However, most wireless networks do not even enable it. Another example is that even where a wireless network is backed by a VPN server, its use is not mandatory, so most students do not use it. The main cause is that it requires some setup procedures [4]. They often think, "I don't have many secrets." Did they ever consider someone breaking into their student accounts and dropping all their courses?
As a proof of concept, readers of this article are encouraged to try VPNmonitor if their organization has a setting similar to the scenarios above. You will be surprised by the proportion of secured connections in a wireless network. VPNmonitor shows a graphical representation of the network, and all unencrypted data is dumped onto the screen. You may find it convincing to demonstrate this application to your fellow workers to show how exposed their privacy is.
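The measurement the article describes, the proportion of a wireless segment's traffic that is actually protected by the VPN or by SSL, can be approximated from flow records. The following Python script is an added illustration, not VPNmonitor's code and not part of the original article; the VPN server address and the flow records are constructed placeholders, and it assumes IPsec or PPTP (with encryption enabled) is the tunnelling protocol.

```python
from collections import namedtuple

# Constructed flow record (src IP, dst IP, IP protocol, dst port, bytes) from a wireless capture.
Flow = namedtuple("Flow", "src dst proto dport nbytes")

# Assumed placeholder address of the campus VPN server; not from the article.
VPN_SERVER = "10.0.0.1"
IP_TCP, IP_UDP, IP_GRE, IP_ESP = 6, 17, 47, 50


def classify(flow):
    """Label one flow seen on the wireless segment by how its payload is protected."""
    if flow.dst == VPN_SERVER:
        if flow.proto == IP_ESP:                                  # IPsec ESP payload
            return "vpn"
        if flow.proto == IP_UDP and flow.dport in (500, 4500):    # IKE / NAT-T
            return "vpn"
        if flow.proto == IP_GRE or (flow.proto == IP_TCP and flow.dport == 1723):
            return "vpn"                                          # PPTP data / control (MPPE assumed)
    if flow.proto == IP_TCP and flow.dport == 443:                # HTTPS (SSL/TLS)
        return "ssl"
    return "plaintext"                                            # readable to any nearby station


def summarize(flows):
    """Return byte totals per class, the secured byte fraction, and the exposed flows."""
    totals = {"vpn": 0, "ssl": 0, "plaintext": 0}
    exposed = []
    for f in flows:
        kind = classify(f)
        totals[kind] += f.nbytes
        if kind == "plaintext":
            exposed.append(f)
    total = sum(totals.values())
    secured = (totals["vpn"] + totals["ssl"]) / total if total else 0.0
    return totals, secured, exposed


# Constructed sample: two stations tunnelling through the VPN (IPsec and PPTP),
# one HTTPS session, and two plaintext sessions (web on 80, POP3 mail on 110).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", VPN_SERVER, IP_ESP, 0, 5000),
    Flow("10.1.2.3", VPN_SERVER, IP_UDP, 500, 400),
    Flow("10.1.2.6", VPN_SERVER, IP_GRE, 0, 1500),
    Flow("10.1.2.4", "203.0.113.5", IP_TCP, 443, 3000),
    Flow("10.1.2.4", "203.0.113.5", IP_TCP, 80, 2000),
    Flow("10.1.2.5", "10.2.0.9", IP_TCP, 110, 600),
]

if __name__ == "__main__":
    totals, secured, exposed = summarize(SAMPLE_FLOWS)
    print(totals, f"secured bytes: {secured:.1%}", [f.dport for f in exposed])
```

On the constructed sample, 79.2% of the bytes are protected and the two exposed flows are the plain web and POP3 sessions; on a real capture the plaintext share is what a demonstration like the one above makes visible.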
Author: Kelvin Tsang
Comments welcome: kelvin@vpn-monitor.com
References:
[1] whatis.com, http://www.whatis.com
[2] Insecurity of the WEP algorithm, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
[3] WEPCrack, http://wepcrack.sourceforge.net/
[4] WinXP set up VPN server, http://www.onecomputerguy.com/networking/xp_vpn_server.htm
[5] Kismet, http://www.kismetwireless.net/
Copyright notice: All material on vpn-monitor.com is the property and responsibility of its author; for reprint rights, please contact us directly.