On Wed, 9 Oct 2002, Bernard Aboba wrote:
> The bottom line is that IPsec/IKE VPNs are no panacea when dealing with
> clients that have a dynamic IP address.
So true; if only this were emblazoned on the first page of the VPN
vendors' documentation, it might save a lot of agony ...
A would-be attacker in the scenario we're talking about (corporate
WLAN with internal access only via VPN client) would not be able to
operate undetected for long. His pseudo-vpn server wouldn't be able to
actually route internal traffic for the clients it pretends to authenticate.
Users (my users, at least :) would quickly complain that things were
not working. However, a hostile operator at, say, a conference with a
WLAN, where many attendees would be contacting their respective home
networks, could have a field day intercepting IKE packets. At that
point, you need both mutual IKE authentication AND a strong remote-access
authenticator; fixed, replayable passwords are toast.
--
Eric Sorenson - EXPLOSIVE Networking - http://explosive.net
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
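The scenario in the message above, as an added toy simulation written for this page (not code from the original post, and not real IKE): a client logs in to a responder that is either the real gateway or an attacker's pseudo-VPN server. Two independent client choices are modelled, whether the client checks the responder's proof of the gateway pre-shared key before sending anything (mutual authentication) and whether the user credential is a fixed password or an HMAC bound to the exchange's nonces (challenge/response). The PSK, user secrets, nonce sizes and HMAC-based "proofs" are all assumed stand-ins for the real protocol's messages; the `rogue_knows_psk` flag is likewise an assumption added to show why the message asks for both protections rather than either one alone.

```python
"""Toy model of a rogue VPN responder on a conference WLAN (constructed example)."""
import hashlib
import hmac
import os

GATEWAY_PSK = b"corp-gateway-psk"        # assumed: gateway's pre-shared key
USER_PASSWORD = b"fixed-password"        # assumed: user's static, replayable password
USER_OTP_SECRET = b"per-user-otp-seed"   # assumed: per-user challenge/response secret
NONCE_LEN = 16


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; stand-in for the protocol PRF."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class Gateway:
    """The real corporate gateway: knows the PSK and the user's secrets."""

    def __init__(self, otp: bool):
        self.otp = otp   # True: expect challenge/response; False: expect the password

    def hello(self, client_nonce: bytes):
        rn = os.urandom(NONCE_LEN)
        return rn, mac(GATEWAY_PSK, client_nonce, rn)   # responder's proof of the PSK

    def authenticate(self, cred: bytes, client_nonce: bytes, rn: bytes) -> bool:
        expected = mac(USER_OTP_SECRET, client_nonce, rn) if self.otp else USER_PASSWORD
        return hmac.compare_digest(cred, expected)


class RogueResponder:
    """Attacker's pseudo-VPN server: 'authenticates' everyone and records the
    credential it is sent.  knows_psk=True is an assumed attacker who has
    obtained the shared PSK, used to show why mutual auth alone is not enough."""

    def __init__(self, knows_psk: bool = False):
        self.knows_psk = knows_psk
        self.captured = None

    def hello(self, client_nonce: bytes):
        rn = os.urandom(NONCE_LEN)
        if self.knows_psk:
            return rn, mac(GATEWAY_PSK, client_nonce, rn)
        return rn, b"\x00" * 32          # cannot compute the proof; sends junk

    def authenticate(self, cred: bytes, client_nonce: bytes, rn: bytes) -> bool:
        self.captured = cred
        return True                      # pretends the login succeeded


def client_connect(responder, mutual: bool, otp: bool) -> str:
    """One client login attempt; returns a short status string."""
    cn = os.urandom(NONCE_LEN)
    rn, proof = responder.hello(cn)
    if mutual and not hmac.compare_digest(proof, mac(GATEWAY_PSK, cn, rn)):
        return "responder-auth-failed"   # send nothing to an unproven responder
    cred = mac(USER_OTP_SECRET, cn, rn) if otp else USER_PASSWORD
    return "ok" if responder.authenticate(cred, cn, rn) else "rejected"


def rogue_replays(gateway: Gateway, captured) -> bool:
    """Rogue opens its own session to the real gateway and presents the
    captured credential as if it were the user."""
    if captured is None:
        return False
    cn = os.urandom(NONCE_LEN)
    rn, _ = gateway.hello(cn)            # fresh responder nonce on every exchange
    return gateway.authenticate(captured, cn, rn)


def simulate(mutual: bool, otp: bool, rogue_knows_psk: bool = False) -> dict:
    """Run the legitimate login, the login to the rogue, and the rogue's replay."""
    gateway = Gateway(otp)
    rogue = RogueResponder(rogue_knows_psk)
    return {
        "legit_login": client_connect(gateway, mutual, otp),
        "login_to_rogue": client_connect(rogue, mutual, otp),
        "rogue_captured": rogue.captured is not None,
        "replay_succeeds": rogue_replays(gateway, rogue.captured),
    }


if __name__ == "__main__":
    for mutual in (False, True):
        for otp in (False, True):
            for knows in (False, True):
                r = simulate(mutual, otp, knows)
                print(f"mutual={mutual!s:5} otp={otp!s:5} rogue_has_psk={knows!s:5} -> {r}")
```

With neither protection the client hands its fixed password to the rogue, which then logs in to the real gateway as that user. Mutual authentication stops a rogue that lacks the PSK before any credential is sent, but a rogue that has the shared key passes that check and captures the password unless the credential is bound to the exchange's nonces, at which point what it captured no longer verifies against the gateway's fresh nonce. Only the combination holds up in every row of the loop, which is the message's point.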