Would you consider a Microsoft VPN tunnel through a WEP encrypted access point to be secure?

Let's break your question down into three parts:

1) Is WEP encryption secure? The answer to this is definitely "no" -- Wired Equivalent Privacy as defined by the IEEE 802.11 standard has been broken, and open source / shareware tools like Airsnort, WEPcrack, and WEPlab are readily available to "crack" (recover) WEP keys from encrypted traffic. You can learn more about WEP vulnerabilities from Bernard Aboba's website, including the Fluhrer-Mantin-Shamir (FMS) paper on WEP key scheduling weaknesses.

2) Are Microsoft VPN tunnels secure? The answer to this depends on what you mean by "Microsoft VPN." Since Windows 95, all MS operating systems have shipped with Dial-Up Networking VPN connections that use the Point to Point Tunneling Protocol (PPTP). Starting with Windows 2000, Microsoft added the Layer Two Tunneling Protocol (L2TP) over IPsec to Dial-Up Networking. By default, MS DUN VPN connections try L2TP over IPsec first, then fall back to PPTP if L2TP/IPsec fails. In addition, you can use Windows IPsec without L2TP by directly configuring and activating IPsec policies outside of DUN.

PPTP is widely considered to be flawed. Although most of the early problems with PPTP have been corrected, several vulnerabilities remain, largely associated with PPTP's control channel. To learn more about PPTP vulnerabilities, read Bruce Schneier's analysis and Microsoft's response. IPsec, with or without L2TP, is widely considered to be a robust method of providing confidentiality, integrity, data source authentication, and anti-replay services. To learn more about IPsec and security (including known vulnerabilities), follow the links to papers posted at the VPN Consortium's website or the VPN Labs website.

3) Ultimately, WEP, PPTP, L2TP, and IPsec are only security protocols. To know whether any WLAN deployment is secure enough, you must start by identifying your requirements. Do you need to prevent eavesdropping on data over the air? If so, these protocols -- properly implemented and configured -- can help you stop eavesdropping. Do you need to prevent unauthorized use of your wireless network or host? If so, you'll need much more -- for example, firewalls between your APs and protected network, and endpoint security measures on wireless hosts. To learn more about other wireless security requirements, risks, and countermeasures, I recommend visiting the CWNP WLAN Security webpage.

This was last published in May 2005
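
As an added example (not part of the original answer), the L2TP/IPsec-to-PPTP fallback described in part 2 can be audited on a client by reading the VpnStrategy key of each entry in a Windows phonebook file (rasphone.pbk). The value meanings follow the dwVpnStrategy constants of the Windows RAS API; the sample phonebook and its entry names are constructed, and entries with no VpnStrategy key are assumed not to be VPN entries.

```python
# Added example: audit a Windows RAS phonebook (rasphone.pbk) for PPTP fallback.
# VpnStrategy meanings follow the RASENTRY dwVpnStrategy constants in ras.h.
VPN_STRATEGY = {
    0: ("default (automatic negotiation)", True),
    1: ("PPTP only", True),
    2: ("PPTP first, then L2TP", True),
    3: ("L2TP only", False),
    4: ("L2TP first, then PPTP", True),
}

def parse_phonebook(text):
    """Return {entry_name: {key: last_value}}.

    Phonebooks are INI-like but repeat keys such as MEDIA= and DEVICE=
    inside one entry, so they are parsed by hand instead of with configparser.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return entries

def audit(text):
    """Return sorted (entry, reason) pairs for entries that may use PPTP or need review."""
    findings = []
    for name, keys in parse_phonebook(text).items():
        if "VpnStrategy" not in keys:
            continue  # assumption: entries without the key are not VPN entries
        try:
            code = int(keys["VpnStrategy"])
        except ValueError:
            findings.append((name, "unparseable VpnStrategy (review manually)"))
            continue
        reason, flag = VPN_STRATEGY.get(
            code, (f"unrecognised value {code} (review manually)", True))
        if flag:
            findings.append((name, reason))
    return sorted(findings)

# Constructed sample phonebook; entry names are hypothetical.
SAMPLE = """[Corp-Auto]\nType=2\nVpnStrategy=0\nMEDIA=rastapi\nDEVICE=vpn\n
[Corp-L2TP]\nType=2\nVpnStrategy=3\nMEDIA=rastapi\nDEVICE=vpn\n
[Corp-Legacy]\nType=2\nVpnStrategy=2\n
[ISP-Dialup]\nType=1\nMEDIA=serial\n"""

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"{entry}: {reason}")
```

Only the entry pinned to L2TP passes; the automatic and PPTP-first entries are reported because either can leave the session on PPTP.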