
Implementing VPN with access points (and sources for free VPN clients)

I work at a UK doctor's surgery and have recently purchased two Dell laptops with wireless B/G cards. The current clinical system uses telnet to create a connection to a SCO Unix server. Because of the nature of the data I'd like to implement an IPsec VPN (preferably) - I've been reading things about VPNs, though, discussing the vulnerabilities on the wireless side before VPN authentication, i.e. access points really need to have a built-in VPN server or be VPN aware. One of the options I'm considering is adding a network card to a Windows 2000 domain server and connecting the access point to the public interface using a crossover cable and implementing a VPN solution using Routing and Remote Access.

Could you give me a few options to look at including VPN software (free preferably) and possibly access point hardware that is VPN aware?

VPNs and 802.11 security address different security threats. 802.11 WPA and 802.1X restrict unauthorized access to the wireless LAN itself - for example, preventing unauthenticated stations from getting past the AP and inhibiting eavesdropping on the airlink. IPsec and other VPNs restrict unauthorized access to a network or servers that exist somewhere on the wired side of the AP - preventing outsiders from getting past your firewall/VPN gateway and eavesdropping all the way from the wireless station (VPN client) to the protected network (VPN gateway). It often makes sense to use both. For example, WPA and 802.1X on your AP to make sure your WLAN resources aren't wasted by intruders, and VPN on your firewall to make sure hackers can't listen to confidential traffic or access data on your server.

There are advantages to having VPN functionality on the AP (placing your VPN gateway at the edge of your WLAN). One is simplicity - companies like Colubris Networks, SonicWALL, and WatchGuard offer single-box AP+VPN solutions that make it easier to deploy a secure WLAN without investing in a separate VPN/firewall or integrating 2+ boxes. Another is security - you are less likely to accidentally leave your AP or stations exposed to outsiders if VPN is required for every WLAN connection to your AP/VPN box. There is also the advantage of eliminating double-encryption. But there are also disadvantages. For example, what happens when you want to add additional APs to increase capacity or physical coverage? What happens if you want to upgrade your AP from 802.11b to 802.11g (for example)? What happens if you want to ensure high availability? This is the classic tradeoff between all-in-one appliances vs. integrating point-solutions in sequence. Consider these tradeoffs before deciding what will work best for you.

The solution you mention - putting your AP on one of the interfaces of your domain server and using Win2000 L2TP/IPsec for VPN support - has both benefits and disadvantages. The obvious benefit is that you'll be re-using a VPN platform you already have, with "free" VPN software. By putting the AP on a separate interface, you avoid exposing the rest of your network to wireless attack, and presumably will use Win2000 firewalling features to avoid forwarding non-VPN traffic from the wireless LAN onto your server or into your wired network. The main disadvantage is that you are putting additional load and DoS risk directly onto your Win2000 domain server. Unless you have capacity to spare, you may not want your server doing all your firewalling. You would also need to carefully harden your server to reduce risk of attack. This solution by itself does nothing to protect the WLAN, so you'll still need to consider using 802.11 security on the AP. You can get away without RADIUS if you use the pre-shared secret mode of WPA. (Since you are starting fresh now, steer clear of the old WEP.)

Since you just have a few clients using telnet to a SCO server, you may want to consider other alternatives. For example, you could use Secure Shell with freeware or inexpensive software clients, since SSH is no doubt already on your SCO server. To learn more about Secure Shell, here are some sites: VanDyke, OpenSSH, and SSH Communications. In this case, you could still use your Win2000 server to allow only Secure Shell (port 22) to your SCO server, and nothing else from the WLAN. You could use public keys for authentication with Secure Shell, which gives you stronger authentication than WPA or even IPsec with preshared secrets. (Note: You can use IPsec or 802.1X with certificates bound to public keys; however, Secure Shell lets you use raw public keys without requir
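The two filtering designs in the answer (the Win2000 gateway that forwards only VPN traffic from the wireless LAN, described two paragraphs up, and the Secure-Shell-only rule in this paragraph) are easy to state and easy to get subtly wrong. Below is an added example, not part of the original answer, that models each design as a default-deny rule set for WLAN-ingress traffic and checks it against constructed sample flows before anyone touches a gateway. The interface names, addresses, the laptop's address and the rule sets themselves are assumptions made for the example; the answer only assumes Win2000 firewalling features on the gateway.

```python
# Added example, not part of the original answer: a small model of the
# default-deny filter between the wireless segment and the wired network,
# checked against constructed sample flows.
# Interface names, addresses and the two rule sets are assumptions for the
# example; the answer only assumes Win2000 firewalling features on the gateway.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    in_if: str                    # interface the packet arrives on: "wlan" or "wired"
    src: str                      # source IP
    dst: str                      # destination IP
    proto: str                    # "tcp", "udp" or "esp"
    dport: Optional[int] = None   # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    in_if: str
    proto: str
    dst: str
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "drop"

    def matches(self, f: Flow) -> bool:
        return (self.in_if == f.in_if
                and self.proto == f.proto
                and self.dst == f.dst
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First matching rule wins; anything the rules do not name gets the
    default, which is 'drop' so that new services stay closed until opened."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed topology (assumption): the AP is on the gateway's wireless-side
# interface; the SCO host and the domain server sit on the wired network.
GATEWAY_WLAN_IP = "192.168.50.1"
SCO_SERVER = "10.0.0.10"
DOMAIN_SERVER = "10.0.0.5"

# Design A, L2TP/IPsec terminated on the gateway: from the WLAN, only IKE
# (UDP/500) and ESP to the gateway itself are accepted; the tunnel carries
# everything else, so no cleartext from the WLAN reaches the wired side.
VPN_ONLY: List[Rule] = [
    Rule("wlan", "udp", GATEWAY_WLAN_IP, 500, "allow"),
    Rule("wlan", "esp", GATEWAY_WLAN_IP, None, "allow"),
]

# Design B, Secure Shell only: from the WLAN, only TCP/22 to the SCO server.
SSH_ONLY: List[Rule] = [
    Rule("wlan", "tcp", SCO_SERVER, 22, "allow"),
]


def decide(rules: List[Rule], flow: Flow) -> str:
    """Apply the WLAN-ingress policy. The wired side is outside the answer's
    scope, so (by assumption) wired-ingress flows are passed through here."""
    if flow.in_if != "wlan":
        return "allow"
    return evaluate(rules, flow)


# Constructed sample flows from a laptop on the WLAN (assumed address).
LAPTOP = "192.168.50.23"
SAMPLE_FLOWS = {
    "telnet to SCO": Flow("wlan", LAPTOP, SCO_SERVER, "tcp", 23),
    "ssh to SCO": Flow("wlan", LAPTOP, SCO_SERVER, "tcp", 22),
    "smb to domain server": Flow("wlan", LAPTOP, DOMAIN_SERVER, "tcp", 445),
    "ike to gateway": Flow("wlan", LAPTOP, GATEWAY_WLAN_IP, "udp", 500),
    "esp to gateway": Flow("wlan", LAPTOP, GATEWAY_WLAN_IP, "esp"),
}


def report(rules: List[Rule]) -> dict:
    """Decision for every sample flow under one rule set."""
    return {name: decide(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("VPN only", VPN_ONLY), ("SSH only", SSH_ONLY)):
        print(label)
        for name, action in report(rules).items():
            print(f"  {action:5}  {name}")
```

The point the model makes visible is the one the answer relies on: under either design the existing cleartext telnet session (TCP/23) from the wireless side is dropped, and so is anything aimed at the domain server, because nothing is open that the rule set does not name.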
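Public-key authentication only gives the stronger authentication the answer describes if the server stops accepting passwords as well, and an sshd_config that looks right can still fall back to passwords through an unset default or a duplicated directive. The following is an added example, not from the original answer, that audits an OpenSSH sshd_config for the settings that make the suggestion hold. It assumes the SCO server runs OpenSSH (the answer only says SSH is "no doubt" already there); the two sample configurations are constructed for the example.

```python
# Added example, not part of the original answer: an audit of an OpenSSH
# sshd_config for the settings that make "public keys instead of passwords"
# actually hold. It assumes the SCO server runs OpenSSH (the answer only says
# SSH is "no doubt" already there); both sample configs are constructed.

# Directives the audit requires to be set explicitly, because an unset
# directive silently takes the build's default (PasswordAuthentication
# defaults to yes, for instance).
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Directive -> value, following sshd's own rules: keywords are
    case-insensitive, '#' starts a comment, the FIRST value of a keyword wins,
    and everything after a Match line is conditional, so it is not read here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text: str) -> list:
    """Return [(directive, expected, actual)] for every failed check;
    an empty list means the file meets the policy."""
    settings = parse_sshd_config(text)
    failures = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            failures.append((key, expected, actual))
    # 'Protocol' only exists on releases that still had SSH-1; if it is
    # present it must select version 2 alone.
    protocol = settings.get("protocol")
    if protocol is not None and protocol != "2":
        failures.append(("protocol", "2", protocol))
    return failures


# Constructed: an as-shipped style file that would still accept passwords.
WEAK_CONFIG = """\
# sshd_config as shipped (constructed sample)
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # ignored: sshd keeps the first value above
"""

# Constructed: the same file after applying the answer's suggestion.
HARDENED_CONFIG = """\
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against the server's real file before cutting the laptops over from telnet; the weak sample fails on every required directive, and the second `PasswordAuthentication no` line does not rescue it because sshd keeps the first value it reads.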

This was last published in July 2003
