Clinton,

As you have it defined in your mail, the requirement on the PIX would need
to be 'traffic from access point must be encrypted'.  If that is the case
you would be in good shape to protect the internal net.  Then, to protect
the laptop, make sure the wireless NIC is set up to only allow
'infrastructure' connectivity, not ad hoc or 'open' or whatever term the NIC
mfg. uses to denote 'associate with any wireless entity I can find' - this
will guard against the user's NIC assoc. with the intruder's system.  

The other thing that wireless networks need to have is mutual
authentication.  If you don't run at least WEP or, better yet, 802.1x / EAP
or Cisco's LEAP AND a RADIUS server, you have no way of knowing if the
wireless device associating with your AP is legit.  The radio wave is the
weakest point.  Granted, your equipment must support all of this.  Cisco's
does, possibly others.  My experience is with the Cisco 350 AP and NICs.
Lots of collegiate types will tell you all of this can be broken... Yeah,
yeah, we know everything can be broken... This just gives you the most
protection you can get.  Some number - like 50-80% of wireless LANs - don't
even employ WEP, so anything cuts down on your exposure.

Another thing you can do for the VPN is deploy a 2-factor architecture:
have the VPN users provide a token code / smart card AND have them
authenticate with a user name and password.  I used RSA ACE/Server and a
Cisco VPN 3005 for our wireless VPN.  Later we moved to the LEAP
authentication scheme.

Hope this helps.
Eric
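As an added illustration of Eric's rule that 'traffic from the access point must be encrypted' (example code written for this thread, not anything from the original posts or from Cisco), the Python below classifies constructed flow records against that policy and reports the ones that break it. The 172.16.0.0/24 and 10.1.1.0/24 masks and the PIX outside address 172.16.0.254 are assumptions; the pool range is the one Clinton gave.

```python
import ipaddress
from dataclasses import dataclass

# Addressing follows the diagram in the thread; the pool range is the one the
# original post gives (10.0.0.90-10.0.0.99). The PIX outside address is a
# hypothetical value and the subnet masks are assumptions.
WIRELESS_NET = ipaddress.ip_network("172.16.0.0/24")   # radio segment behind the AP
PIX_OUTSIDE = ipaddress.ip_address("172.16.0.254")     # hypothetical PIX outside address
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")       # wired segment
POOL_FIRST = ipaddress.ip_address("10.0.0.90")
POOL_LAST = ipaddress.ip_address("10.0.0.99")
ESP, UDP = 50, 17
ISAKMP_PORTS = {500, 4500}   # IKE and NAT-T

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: int

def parse_flow(record: str) -> Flow:
    """Parse a constructed 'src,dst,proto,dport' flow record."""
    src, dst, proto, dport = (field.strip() for field in record.split(","))
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(proto), int(dport))

def classify(f: Flow) -> str:
    """Apply 'traffic from the access point must be encrypted'."""
    if f.src in WIRELESS_NET:
        is_ike = f.proto == UDP and f.dport in ISAKMP_PORTS
        if f.dst == PIX_OUTSIDE and (f.proto == ESP or is_ike):
            return "vpn"          # tunnel set-up or ESP to the PIX itself: expected
        return "violation"        # anything else off the radio segment is cleartext
    if POOL_FIRST <= f.src <= POOL_LAST and f.dst in INSIDE_NET:
        return "tunnelled"        # decrypted traffic from an authenticated VPN peer
    return "other"

def audit(records):
    """Return the flow records that break the policy."""
    return [r for r in records if classify(parse_flow(r)) == "violation"]

# Constructed sample records, not captured from a real PIX.
SAMPLE = [
    "172.16.0.1,172.16.0.254,17,500",   # laptop starts IKE with the PIX
    "172.16.0.1,172.16.0.254,50,0",     # ESP carrying the tunnelled traffic
    "10.0.0.90,10.1.1.20,6,445",        # same laptop, seen inside after decryption
    "172.16.0.77,10.1.1.20,6,445",      # unknown wireless client to the inside, no VPN
    "172.16.0.5,172.16.0.254,17,53",    # cleartext DNS aimed at the PIX itself
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print("policy violation:", r)
```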


-----Original Message-----
From: jmiller [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 29, 2002 8:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Wireless VPN cracking.


If they are using wepcrack, and have gained access to your WAP, can you not
also assume that they have the username/password of a user that is
authenticated on the VPN?

JMiller


----- Original Message -----
From: "Clinton McDonald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 27, 2002 4:49 PM
Subject: Wireless VPN cracking.


> Hello all..
>
> I've got a couple of (hopefully!) quick questions regarding a wireless 
> VPN.
>
> I have set up a pix to terminate a VPN for our wireless users, to keep 
> all their network traffic secure.  It looks vaguely like this:
>
> <<----------VPN--------------->>
> Laptop ---> Access Point ---> Pix ---> Switch ---> Server
> 172.16.0.1           10.1.1.11
>
> The laptop is running the Cisco Secure VPN Client (3.5), and when the 
> VPN is connected, the Pix assigns the addresses 10.0.0.90-10.0.0.99 to 
> VPN users for the internal (wired) network.  When the traffic gets to 
> the Pix, the VPN is terminated there, and there is no encryption on 
> the wired part of the network.
>
> My theory is that if anyone is sitting out in the car park with a 
> laptop with a wireless card, they can associate to the access point 
> all they like, but if they are not authorised VPN users, the Pix will 
> drop their traffic, and thus, stop them from getting into the internal 
> (wired) network.
>
> Questions are:
> 1. Can someone in the car park crack into a VPN user's laptop somehow, 
> and then get into the network (ie, bypass the pix and connect via the 
> other laptop)?
>
> 2. If I ping from the server, to 10.0.0.90 (the VPN user), I get a 
> response.  Should this be so?
>
> Thanks in advance..
>
> Clinton McDonald CCNA
>
