Securing traffic at endpoints of a WLAN
On the wireless LAN tip, using a VPN is great, but
what about the possibility of a "hijacked" connection?
The traffic in the VPN pipe is secure, but what
about the endpoints?
With a VPN covering the wireless connection, it would
be impossible to "hijack" the connection in the classical
sense. For those not familiar with the term, a "hijacked"
session is one in which the attacker can take over
the connection of a legitimate user, after the legitimate
user has completed the authentication process.
The VPN prevents this, because the encrypted channel
essentially provides continuous authentication. That is,
there is no way for the attacker to insert himself into
the middle of that stream without having the same encryption
algorithm and key.
Now, as you point out, security at the endpoints is critical.
Your endpoints are your mobile user and whatever server is
on the far side of the VPN. Whatever security you would
normally provide for those units if connected by a wired
LAN is the minimum you would want in the wireless environment.
Because the mobile user may have additional security concerns
due to location, the security required may need to be greater
than for a wired LAN.
One other note: a VPN will provide protection for
confidentiality and integrity, but will do nothing for
availability. If an attacker just wants to keep your access
points from providing service, he just needs to generate
enough requests for connection. Even though the connections
won't go through, as he won't be able to create the
proper VPN tunnel, it could cause a denial of service for
your access point. How likely this scenario is for your
environment is something that should be assessed during a security assessment of your network.
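The "continuous authentication" point above, as an added example that is not part of the original answer: a simplified Python model in which every packet carries a sequence number and a keyed tag, so traffic from anyone without the session key is dropped even after the legitimate user has authenticated. The `Channel` class, the key and the payloads are constructed for illustration; encryption is left out, and this is not any real VPN protocol.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

class Channel:
    """Hypothetical tunnel endpoint: 8-byte sequence number + payload + HMAC tag."""
    def __init__(self, key):
        self.key, self.send_seq, self.recv_seq = key, 0, 0

    def _tag(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def seal(self, payload):
        header = struct.pack("!Q", self.send_seq)
        self.send_seq += 1
        return header + payload + self._tag(header + payload)

    def open(self, packet):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None  # forged or modified: sender did not hold the key
        (seq,) = struct.unpack("!Q", body[:8])
        if seq < self.recv_seq:
            return None  # old packet replayed
        self.recv_seq = seq + 1
        return body[8:]

def demo():
    key = os.urandom(32)  # constructed: stands in for the key agreed at tunnel setup
    client, server = Channel(key), Channel(key)
    first = client.seal(b"request 1")
    out = {"legitimate": server.open(first)}
    # A sender without the session key guesses the next sequence number.
    outsider = Channel(os.urandom(32))
    outsider.send_seq = 1
    out["injected"] = server.open(outsider.seal(b"request X"))
    out["replayed"] = server.open(first)
    altered = bytearray(client.seal(b"amount=10"))
    altered[15] ^= 0x08  # flip one bit of the payload in transit
    out["tampered"] = server.open(bytes(altered))
    out["after"] = server.open(client.seal(b"still me"))
    return out

if __name__ == "__main__":
    print(demo())
```

The rejected packets never advance the server's sequence counter, so the legitimate session continues unaffected afterward.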
This was first published in January 2002