> From: "David Suh" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Wed, 12 Jun 2002 16:26:16 -0400
> Subject: [leaf-user] Wireless security with LEAF and VPN
>
> I saw the original note from Charles Baker which mentioned
> the 2002 issue of Linux Journal about setting up a wireless
> home network. Unfortunately, the article is only available
> to subscribers. So here goes...
>
> Is there a difference in the security arrangement at the
> point in between the wireless access point and the client in
> the two scenarios below? It would seem that in scenario
> A, implementing the VPN gateway with FreeS/WAN at the LRP box
> secures you from the point of the company VPN to the LRP
> router. However, once inside your LAN, the data that is
> transmitted between the wireless access point and the client
> is no longer secure (no encryption provided by the VPN).
>
> In scenario B, it would seem that because you are
> masquerading to the point of the client, the data will be
> encrypted over the wireless network for the entire length of
> transmission from the company VPN to the end point at the client.
>
> Granted, you can implement further security measures over
> your wireless LAN, but leaving that out of the discussion,
> does scenario B offer more protection? Is there a fallacy in
> my thought process here, and is scenario B just as
> vulnerable? Could it be that hacker tools like Airsnort and
> WEPcrack can still decrypt the data?
>
>
> Scenario A
>  ________                  _____     ________        _______
> |        |                |     |   |Wireless|      |       |
> |Company |___(Internet)___| LRP |___| Access |__///__|Client |
> |  VPN   |   (        )   | VPN |   | Point  |      |_______|
> |________|                |_____|   |________|
>
>
> Scenario B
>  ________                  ______    ________        _______
> |        |                | LRP  |  |Wireless|      |       |
> |Company |___(Internet)___|IPSec |__| Access |__///__|Client |
> |  VPN   |   (        )   | Masq |  | Point  |      |VPN End|
> |________|                |______|  |________|      |_______|
Nice ASCII art by the way!

Yes, they are different all right. Scenario A leaves the wireless link unencrypted (other than WEP, which isn't much use); scenario B keeps the wireless secure. Only catch is, to make 'B' work, you will need to have one IPSec tunnel across the internet to the gateway, then another from the gateway to the client. My understanding is that the IPSec would not successfully traverse the masq gateway without first decrypting and encrypting again. This is apparently the case with NAT; I'm assuming masq would have the same issues. Someone can correct me if I'm wrong about this.

B is *much* more secure than WEP. We're comparing a 128 bit key (Lucent Gold) with a 2048 (I think?) key for FreeS/WAN. The cracker would be 'snort'ing for quite some time... Governments aren't likely to break this key in a hurry, with serious computing power on their side.

Brock

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
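As an added illustration (not part of the thread, and not LEAF or FreeS/WAN project code): what the two-tunnel arrangement described for scenario B could look like in the LRP box's /etc/ipsec.conf, with the Internet tunnel terminating on the box itself and a second tunnel covering the wireless hop. All addresses, identities and key strings are placeholders, and version-specific routing settings such as leftnexthop are omitted.

```conf
# /etc/ipsec.conf on the LRP box, scenario B (added example, placeholders throughout)
config setup
        # one KLIPS virtual interface per physical side: Internet and wireless LAN
        interfaces="ipsec0=eth0 ipsec1=eth1"
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        authby=rsasig

# Tunnel 1: LRP external interface <-> company VPN gateway, across the Internet.
# It terminates on the LRP box, so no IPSec traffic has to cross the masq/NAT hop.
conn company
        left=203.0.113.10                 # LRP Internet address (placeholder)
        leftsubnet=192.168.1.0/24         # home LAN behind the LRP box (placeholder)
        leftid=@lrp.home.example
        leftrsasigkey=0sAQ...REPLACE_WITH_LRP_PUBLIC_KEY...
        right=198.51.100.5                # company VPN gateway (placeholder)
        rightsubnet=10.0.0.0/8            # company network behind it (placeholder)
        rightid=@vpn.company.example
        rightrsasigkey=0sAQ...REPLACE_WITH_COMPANY_PUBLIC_KEY...
        auto=start

# Tunnel 2: LRP wireless-side interface <-> wireless client. This is the radio
# link that scenario A leaves in the clear. Packets from the company arrive
# through tunnel 1, are decrypted on the LRP box, and are re-encrypted into
# tunnel 2 before they reach the access point, so the client depends on IPSec
# rather than WEP for the over-the-air segment.
conn wireless-client
        left=192.168.1.1                  # LRP address on the wireless LAN side
        leftsubnet=10.0.0.0/8             # company-bound traffic is protected on the air
        leftid=@lrp.home.example
        leftrsasigkey=0sAQ...REPLACE_WITH_LRP_PUBLIC_KEY...
        right=192.168.1.50                # wireless client running its own IPSec endpoint
        rightid=@laptop.home.example
        rightrsasigkey=0sAQ...REPLACE_WITH_CLIENT_PUBLIC_KEY...
        auto=start
```

The client needs a matching conn with left/right swapped; traffic between the client and other home-LAN hosts is outside both tunnels here and would still rely on whatever the wireless LAN itself provides.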
