> Thanks to all for the replies on this one, especially the outline below.
> A bit of additional info - I do use VPN's for connection security, so I'm
> not really worried about MITM attacks via rogue AP's.
Why not? Before relying on VPNs for wireless security, I'd advise you to do a careful review of your IPsec/IKE implementation. A rogue AP can do a lot of damage to a VPN implementation -- like injecting disassociation and deauthentication frames at will.

In addition, many IPsec implementations rely on group pre-shared keys (that's required by IKE Main Mode when the client has a dynamic IP address). That means that there is effectively no IKE authentication between client and server -- and some implementations don't even authenticate the VPN server to the client after the IPsec SA is set up, they just use CHAP. Since a group secret isn't a secret at all, this allows any authorized user to set up a rogue VPN server. And if the installation does something really foolish, like deriving the group pre-shared key from a password, then the group pre-shared key can be cracked by an outsider, because IKE Main Mode is vulnerable to offline dictionary attack.

Ironically, IKE Aggressive Mode does a better job in the dynamic client case, since you can have individual pre-shared keys for each client, although the identity exchange is exposed on the wire. However, many VPN clients don't support Aggressive Mode, so you may be out of luck.

The bottom line is that IPsec/IKE VPNs are no panacea when dealing with clients that have a dynamic IP address. Most of these issues don't arise with point-to-point implementations, since in that case, both ends of the VPN connection typically have a fixed IP address, and so IKE Main Mode allows for individual pre-shared keys (and identity protection).

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
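As an added example (not code from the post or the list), a small audit of the group-PSK problem described above: it assumes a strongSwan-style ipsec.secrets layout (`selectors : PSK "secret"`, with `%any` or no selector meaning every peer) and flags wildcard keys shared by all dynamic clients and password-like keys; the sample file, host name and identities are constructed.

```python
"""Audit a strongSwan-style ipsec.secrets file for group or weak pre-shared keys.
Added example, not from the original post; the sample file below is constructed."""
import math
import re
from collections import Counter

# Assumed syntax: `<id selectors> : PSK "secret"`; no selector or %any matches any peer.
PSK_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<secret>[^"]*)"')

# Constructed sample: a password-derived group key, then a per-client key.
SAMPLE = '''
# weak: every dynamic client shares one password-derived key
%any %any : PSK "wirelesspass"
# better: a per-client key; with dynamic clients this needs IKE aggressive mode
gw.example.net @laptop1 : PSK "b7QfK2xLm9ZpR4wTs8YdN3vH6jC1uE5gA0iO"
'''

def entropy_bits(secret: str) -> float:
    """Rough Shannon entropy of the whole secret, in bits (0 for an empty secret)."""
    n = len(secret)
    if n == 0:
        return 0.0
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(secret).values())
    return per_char * n

def audit_secrets(text: str, min_bits: float = 64.0) -> list:
    """Return (line number, finding code, message) for each problematic PSK line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PSK_LINE.match(line)
        if not m:
            continue
        ids, secret = m.group('ids').split(), m.group('secret')
        # No selectors, or only %any, means one key for every peer: a group PSK.
        if not ids or all(i == '%any' for i in ids):
            findings.append((lineno, 'group-psk',
                             'PSK matches any peer; with main mode and dynamic '
                             'clients this is a group key that authenticates nobody'))
        bits = entropy_bits(secret)
        if bits < min_bits:
            findings.append((lineno, 'weak-psk',
                             f'secret has roughly {bits:.0f} bits of entropy; '
                             'a password-like PSK invites offline guessing'))
    return findings

if __name__ == '__main__':
    for lineno, code, msg in audit_secrets(SAMPLE):
        print(f'ipsec.secrets:{lineno}: {code}: {msg}')
```

Run against the sample, only the `%any %any` line is reported, once as a group key and once as a weak key; the per-client entry passes both checks.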
