
Which is more secure....

Drakkon

Diamond Member
Would it work to have a VPN setup with WPA disabled be secure at all? How much less secure would it be compared to a wireless connection with WEP/WPA enabled?

EDIT: Is there any way to have a "secure" connection wirelessly without enabling WEP/WPA? (I guess that's what I'm trying to get at)
 
An open / unencrypted connection that communicates client --> VPN concentrator is very secure (at least, as secure as you make it).

If you use weak passwords / passphrases, then it's not very secure. If you enforce a reasonably strong password / passphrase system (or certificates, etc), then it's pretty solid.

WPA would be just as weak if you used weak passwords / passphrases. It's important to use complex composition (i.e., Mix upper & lower case, intersperse some non-alpha characters and / or numbers, etc).

For example "my wireless" would suck as a passphrase, it's prone to dictionary and / or brute force attacks. Something like "I Like My Wireless" would be better (because it's longer and has some caps thrown in), but still uses "normal" words and can be whacked pretty easy (even with the Initial Caps).

Something like "I1 L2ike my3 Wire4less!" is much stronger, because it is not predictable (well, it sort of is, because of the position and value of the numbers) and has no "normal" words to match up to a dictionary attack.

Longer is better, as a rule ... within the limits of what the users will tolerate. Since a WPA-PSK or group password (for VPN) is usually only entered once at setup time, it's usually not too painful.

The last piece is that the passwords / passphrases must change occasionally ... just to cover the possibility of someone wanting to get into your system bad enough to dedicate the CPU time necessary to do a brute force attack. Programs like L0ftcrack and john the ripper don't have to be attended, you pretty much turn 'em loose on a password file and let 'em run.

I've had john the ripper running against my password files (to test 'em for strength) for over a month without a hit (on a Sparc Ultra 60 dual processor machine).

SO, the bottom line (sorry to get windy on ya): Yes, a VPN over an open connection will be ~ as strong as WPA with the same parameters. Both are stronger than WEP of any length (with or without MAC filtering) (with or without SSID broadcast). "Security through obscurity" doesn't work when someone is actively sniffing for signals.

FWIW


Scott
 
Just remember not to allow split-tunneling on the VPN clients, and run a software firewall on them.

If you aren't using WPA/WEP, it's easy for someone to spoof their way onto the wireless network. While they might not be able to see what your computer is transmitting because of the VPN, if you have split-tunneling enabled or don't have the VPN connected at the time then they'll likely be able to send traffic to your PC. That means they could potentially compromise the PC, and a compromised PC initiating a VPN tunnel = a compromised VPN tunnel.

Something to keep in mind.
 