Wifi and VPN access

WERAracer
What is the danger of using wifi to VPN into your company from home? Should it be disallowed? Where can I find the risks?
Commented:
If you maintain current antivirus on the wifi system you use to VPN into your company using 128-bit encryption or higher, there should be no reason why not to use it. All of your data is encapsulated into a VPN tunnel and requires a "key" in order to be read.

Cisco makes a good VPN client for this purpose.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/  
Commented:
If Public wifi = not ideal, Private-secured wifi=recommended.
Dave Howe, Software and Hardware Engineer
Commented:
There is no risk - in fact, there is *less* risk than using a public pc for the same purpose.

That is because you will be using your own (presumably trusted) device as an endpoint, whereas a public pc may have a keylogger or other dubious additions.

VPN technology relies on trusted endpoints - the client AND the server must both be secure, whereas no intermediate hop (such as a router, wired or unwired) needs to be. Deliberate steps are taken to make sure the endpoints correctly identify one another, and there are currently no valid man-in-the-middle attacks against IPSEC or SSL VPNs.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Hi,

If you use Microsoft VPN, somebody is able to capture your username!
If you use Cisco VPN with Aggressive mode, somebody is able to crack your VPN!
If somebody makes a honeypot, he is able to monitor all of your unencrypted traffic!
Dave Howe, Software and Hardware Engineer
Commented:
PPTP isn't great, but to be honest, a username isn't much of a compromise; they could probably get that just by looking to see what email you send (or if you are foolish enough to have MS networking open, just ask with a NBTSTAT -A). However, I don't know anyone who uses the MS PPTP any more - not even MS, who recommend you use the IPSEC modes of their servers instead. It was possible at one point to perform a lanman lptcrack attack against the PPTP login process, but that was long since fixed.

Cisco VPN aggressive mode potential for compromise was discussed and dismissed back in 2003 - unless you have found a newer way, in which case the IPSEC working group would love to hear from you about it. The Pliam attack merely gives an attack route for offline precomputation - unlike forward brute force tools (such as ikecrack) which require interaction with the VPN server, it is possible to use sniffed packets to significantly reduce the search keyspace down to a small (say, 512) number of candidate keys when attempting to compromise a PSK. The amount of data required to be captured for this is scarily small - a single exchange of keys is often enough - but unless the keys chosen are weak, still requires a computationally infeasible brute force attack in order to identify the candidate keys for online testing. The attack is also inapplicable if certificates are used for IKE instead of a PSK.

Finally, honeypots don't work that way - honeypots are designed to attract attackers into a seemingly undefended system, in order to study their attack methodologies - obviously not applicable. It would be pointless anyhow - there are plenty of free tools out there to sniff packets from wifi if the key is known, and quite a few more to attempt to brute force the key. It should be understood and accepted that unsecured wifi (or wifi with a single, fixed key) is vulnerable to sniffing - given you have the CISCO Wireless Field Engineer qualification you should be aware of that, given it is covered in the training material.
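
The comment above ties the offline PSK exposure to IKE aggressive mode with a pre-shared key. As an added example (not part of the original thread), the following audits traffic seen at your own gateway for clients that open phase 1 in aggressive mode. It assumes UDP/500 payloads have already been extracted from a capture; the function names and sample packets are constructed for illustration.

```python
import struct
from typing import Optional

# Fixed 28-byte ISAKMP header used by IKEv1 (RFC 2408, section 3.1).
HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE_MODE = 2, 4   # exchange-type values from RFC 2408


def parse_ikev1(payload: bytes) -> Optional[dict]:
    """Parse a UDP/500 payload; return header fields, or None if not IKEv1."""
    if len(payload) < HDR.size:
        return None
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = HDR.unpack_from(payload)
    if version >> 4 != 1 or length < HDR.size or icookie == bytes(8):
        return None  # IKEv2, an impossible length field, or an invalid cookie
    return {"exchange": xchg, "initial": rcookie == bytes(8),
            "phase1": msg_id == 0, "encrypted": bool(flags & 0x01)}


def audit(packets):
    """Return (peer, reason) for each phase-1 negotiation opened in aggressive mode."""
    findings = []
    for peer, payload in packets:
        hdr = parse_ikev1(payload)
        if hdr and hdr["phase1"] and hdr["initial"] and hdr["exchange"] == AGGRESSIVE_MODE:
            findings.append((peer, "IKEv1 aggressive mode offered"))
    return findings


def _sample(xchg, version=0x10, rcookie=bytes(8)):
    """Constructed header-only packet for the demo (no payloads follow)."""
    return HDR.pack(b"\x11" * 8, rcookie, 0, version, xchg, 0, 0, HDR.size)


# Constructed sample traffic: (peer address, UDP/500 payload).
# Addresses come from the documentation range 192.0.2.0/24.
SAMPLE = [
    ("192.0.2.10", _sample(MAIN_MODE)),
    ("192.0.2.20", _sample(AGGRESSIVE_MODE)),
    ("192.0.2.30", _sample(34, version=0x20)),   # IKEv2 IKE_SA_INIT, ignored
    ("192.0.2.40", b"\x00" * 10),                # too short to be ISAKMP
]

if __name__ == "__main__":
    for peer, reason in audit(SAMPLE):
        print(peer, reason)
```

A finding here only says aggressive mode was offered; whether a PSK or certificates authenticate the exchange has to be confirmed in the gateway configuration.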
