Early WLANs frequently re-used remote access VPN clients to overcome the limitations of WEP and related security concerns. But, given improvements in Wi-Fi security, does VPN still have a role to play in enterprise wireless? What are the practical benefits and limitations of using VPN over wireless? This tip discusses where to make best use of VPNs and how to smooth over conflicts between WLAN roaming and VPN tunnels.
How VPNs can help
VPN tunnels have long been used to provide confidentiality and integrity for data over untrusted networks like the Internet. Today, many companies use tunnels to secure traffic from remote workers to a VPN gateway at the edge of the company network. That gateway is responsible for authenticating users and controlling which destinations can be reached.
Today, VPNs are also being leveraged for endpoint security enforcement, either alone or in conjunction with a broader Network Access Control (NAC) deployment. Endpoint devices are checked for compliance before being granted network access. For example, a worker on a public PC may only be permitted to check e-mail, while a worker on a company laptop may be given access to sensitive servers. A laptop missing patches or infected with a Trojan may be directed a quarantine server for remediation. Wireless users can benefit from these same security measures.
- Like WEP or Wi-Fi Protected Access (WPA) version 1 or 2, VPN tunnels can obscure traffic sent over the air. WEP/WPA/WPA2 protect only the airlink, while VPN tunnels extend over any intervening network. That may not be important "on campus," but it is critical when using residential or hotspot WLAN or carrier mobile broadband network.
- Like WPA2-Enterprise, VPN gateways can authenticate wireless users, based on passwords, two-factor tokens, smart cards, or certificates. But 802.1X provides all-or-nothing access to the physical or virtual LAN, while Layer 3 and 4 VPNs can limit reachable destinations and applications. More granular policies can be important in large WLANs with widely-varied user communities.
- Depending on the product, both WPA2-Enterprise and VPNs may enforce endpoint security. However, a broader NAC deployment can more easily enforce one consistent set of rules, using one agent platform, across all kinds of networks, local or remote. Some NAC solutions rely on 802.1X; others VPN.
How VPNs can hinder
There are many VPN tunneling standards, including the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), and the Secure Sockets Layer protocol (SSL). VPN products and security properties vary quite a bit, and that directly impacts how well they do or do not satisfy your wireless needs.
For example, PPTP is the weakest common VPN protocol, but it is also easy to use. PPTP clients are embedded in many operating systems, including Pocket PC and Mac OS, and little configuration is required. At the opposite end of the spectrum, IPsec offers robust security, supported by complex configurations and installed VPN clients. In between lays SSL VPN -- more secure than PPTP, and easier to deploy than IPsec.
This diversity makes it hard to compare VPNs to each other, much less to WPA2. But we can still make general observations about how traditional VPNs hinder wireless.
- WEP, WPA and WPA2 protect all link layer data, including LAN broadcast and multicast. VPNs leave more traffic exposed, and it can be hard to prevent "leakage" before the tunnel is launched. This can be especially true for devices used in both trusted (on-campus) and untrusted (hotspot) WLANs, where different VPN policies may be needed.
- VPNs may dovetail with remote security measures, but tend to be picky about network topology. For example, WPA2-Enterprise can assign VLAN tags to wireless stations, supporting LAN access controls that are location and subnet independent. VPNs often use virtual IPs for this purpose, which can require route and filter changes across your network.
- Although WPA2-Enterprise incurs delay when wireless stations roam, network layer VPN tunnels usually break when stations roam between IP subnets. Putting all wireless users in a single subnet can avoid this, but can be impossible in very large WLANs.
- IPsec VPNs that require specific client software can be impractical in WLANs with guests or devices that cannot run off-the-shelf clients (e.g., wireless scanners, smartphones, VoWi-Fi handsets). However, similar problems can face WPA2-Enterprise installations that require a specific 802.1X supplicant.
Most enterprises will end up securing their wireless workforce with a combination of VPNs and WPA2. As wireless infrastructure matures, many will upgrade on-campus networks to WPA2-Enterprise. VPNs will persist for protecting mobile workers using both carrier networks and wireless hotspots, and for teleworkers in home WLANs. Companies rarely have any control over these remote networks and security conditions vary. Mandating VPNs for all off-campus wireless may well be the only way to enforce company-defined policies in those environments.
So, how can you circumvent VPN challenges when using wireless LANs?
- Combine your VPN client with endpoint security software that checks to make sure the VPN is running whenever a wireless link connects, and breaks the wireless connection if the VPN tunnel goes down. Configure personal firewalls to stop non-VPN traffic from entering or leaving through wireless.
- VPN disruption due to roaming may not be an issue for users at single-AP home WLANs and Internet cafes. Workers who need to stay connected when moving between locations may want a mobile VPN. Mobile VPN products, available from NetMotion, Columbitech, RadioIP, and SmithMicro, provide tunnel and session persistence when clients move between networks. Some even queue traffic received when a device moves briefly out of range. Supporting technologies vary, but mobile VPNs typically require client software.
- When using a VPN to secure on-campus workers, use a wireless gateway or switch that provides "mobility" or "subnet roaming." Such features are proprietary, but often let VPN clients keep the same virtual IP when roaming between subnets. However, application disruption may still occur when stations leave wireless coverage (e.g., inside elevators, between buildings).
- Finally, to support guests and other devices that cannot run VPN client software, use an SSL VPN or captive portal. Captive portals don't encrypt data, but can be used to control and track network usage. SSL VPNs encrypt data by using Web browsers as client platforms, and may thus be feasible even on guest devices.
To learn more about VPNs and wireless mobility, read this Information Security Magazine feature on revamping remote access, or watch this searchSecurity webcast on evolving technologies for secure remote access.
>> Read the next tip: Wireless AP placement basics
This was first published in July 2009