VPN (wireless) connection secure or no?
Posted: Wed Aug 09, 2006 12:11 pm
by uberT
Let's say I am in a hotel or in the airport using a WiFi connection and I establish a VPN session. (We use CISCO VPN Client Ver 4.x.x.) Is my connection secure or is it still easily penetrated to the point I cannot and should not be sending secure data, email, etc.?
Thanks.
Posted: Wed Aug 09, 2006 12:28 pm
by JaneL
What did your IT department say?
Posted: Wed Aug 09, 2006 12:36 pm
by uberT
You don't want to know. They freak out when the word "wireless" is mentioned.
Thx.
Posted: Wed Aug 09, 2006 1:16 pm
by jjesusfreak01
VPNs are usually secure, though there is no perfect encryption scheme. Your IT department shouldn't mind the wireless connection so much if you are using a secure VPN though.
Posted: Wed Aug 09, 2006 1:48 pm
by jdhurst
VPN security is independent of the type of connection. So for VPN only, it doesn't matter wired or wireless.
Now view the VPN as what it says - a tunnel riding securely inside your connection. If the VPN allows for split connections (internet as well as VPN) and most do today, then on wireless, be *absolutely* certain you have a software firewall. Otherwise, while an assailant probably cannot penetrate your VPN, they sure could screw up your machine if not secure.
... JD Hurst
Posted: Wed Aug 09, 2006 2:00 pm
by techflavor
It all depends on what kind of security encryption your office has set up for VPN (i.e. PPTP, IPSec, L2TP).
It seems most offices are still using PPTP these days and it is very insecure (especially when connecting from an open wireless network).
An example of an attack:
Let's say I'm somewhere with an open wireless network. On computer A (running Linux), I connect to the wireless network and set up my ARP poisoning attack and begin sniffing. Computer B connects to the open wireless network, pulls up their VPN dialog, and connects using their username and password. Computer A then sees computer B make its VPN connection and reports back the username and password. Now the person on computer A has the username and password to VPN into computer B's office network.
Usernames and passwords can also be sniffed from SSL connections using this same ARP poisoning attack method. You may think because you have that "lock" displaying in your browser you can't be compromised but that isn't the case. While the data will continue to be encrypted, the hacker is still able to retrieve your username and password.
This is why it is not recommended to visit certain websites or perform certain tasks (i.e. check your POP email, connect to a company FTP site) when connected to an open wireless network.
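Added example, not part of any post in this thread: a defender-side check for the ARP poisoning described above. It compares two neighbour-table snapshots in `ip neigh` format and flags a gateway whose MAC address changed or is shared with another host. The snapshots, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: neighbour-table snapshots in `ip neigh` format, taken
# before and during a constructed ARP-poisoning event (all addresses made up).
BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""
DURING = """\
192.168.1.1 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac}; rows without a resolved lladdr (FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def arp_alerts(previous, current, gateway_ip):
    """Compare two snapshots and return a list of findings about the gateway."""
    alerts = []
    old, new = previous.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} changed MAC {old} -> {new}")
    # A single MAC answering for the gateway and for another IP is the
    # usual footprint of a host impersonating the gateway.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(f"MAC {mac} claims gateway and {len(ips) - 1} other host(s)")
    return alerts

if __name__ == "__main__":
    for finding in arp_alerts(parse_neigh(BEFORE), parse_neigh(DURING), "192.168.1.1"):
        print("ALERT:", finding)
```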
Posted: Wed Aug 09, 2006 2:33 pm
by uberT
Guys, thanks for the replies. I genuinely appreciate it.
The transport mode is listed as: IPSec/TCP
Posted: Wed Aug 09, 2006 7:13 pm
by lazy_bull
In short: IPSEC is very secure!
How secure a VPN connection is, depends on the type of VPN and the authentication method that is used.
PPTP
-----
All PPTP VPNs use the same authentication techniques as point-to-point (PPP) links. This is their main weakness.
Some PPP-authentication types:
1) CHAP and PAP authentication --> client sends clear-text username and password to server.
2) MS-CHAP, MS-CHAP-v2 or EAP-TLS authentication --> server sends a challenge (MD5?) to the connecting client, the password itself is not sent.
IPSEC
-----
L2TP/IPSEC VPNs create an encrypted tunnel based on certificates installed on the server and on the client.
Within this secure tunnel the authentication procedure is started. Even if an insecure authentication method is used and cleartext passwords are sent, sniffers only see the encrypted IPsec tunnel.
This probably sounds like complete gibberish

Posted: Wed Aug 09, 2006 7:32 pm
by smugiri
techflavor wrote: It all depends on what kind of security encryption your office has set up for VPN (i.e. PPTP, IPSec, L2TP).
It seems most offices are still using PPTP these days and it is very insecure (especially when connecting from an open wireless network).
An example of an attack:
Let's say I'm somewhere with an open wireless network. On computer A (running Linux), I connect to the wireless network and set up my ARP poisoning attack and begin sniffing. Computer B connects to the open wireless network, pulls up their VPN dialog, and connects using their username and password. Computer A then sees computer B make its VPN connection and reports back the username and password. Now the person on computer A has the username and password to VPN into computer B's office network.
Usernames and passwords can also be sniffed from SSL connections using this same ARP poisoning attack method. You may think because you have that "lock" displaying in your browser you can't be compromised but that isn't the case. While the data will continue to be encrypted, the hacker is still able to retrieve your username and password.
This is why it is not recommended to visit certain websites or perform certain tasks (i.e. check your POP email, connect to a company FTP site) when connected to an open wireless network.
Cisco VPNs deal with this attack using a 2 level authentication scheme; the user name and password for the VPN only allows you to connect to the Cisco hardware at the far end. Once you are connected, you still need to connect to the domain using a different user name/password combo.
Check out the diagram on this page that illustrates this,
This approach makes it much harder to crack the CISCO VPN setup just by using ARP packet poisoning. While you can connect to the concentrator on the far end, you still have to come up with another technique to reveal the domain login info as packet poisoning will not work once connected to the concentrator - you can not run any type of "man in the middle" attack between the concentrator and the domain.
To make things even more complicated, some (paranoid) organizations put the concentrator outside the domain in a DMZ so you have to log on to the DMZ machine before you can then log on to the domain.
Posted: Thu Aug 10, 2006 6:57 am
by uberT
smugiri wrote:
Cisco VPNs deal with this attack using a 2 level authentication scheme; the user name and password for the VPN only allows you to connect to the Cisco hardware at the far end. Once you are connected, you still need to connect to the domain using a different user name/password combo.
Yeah, that's correct. When I establish the VPN connection I have to create a log-in password that consists of three pieces. Two pieces of the password are static, the 3rd component is created by a hard token (random character generator).
Do I have to worry about checking my POP3 mailbox as mentioned above? Is that the real concern?
Thx.
Posted: Thu Aug 10, 2006 7:51 am
by smugiri
uberT wrote:smugiri wrote:
Cisco VPNs deal with this attack using a 2 level authentication scheme; the user name and password for the VPN only allows you to connect to the Cisco hardware at the far end. Once you are connected, you still need to connect to the domain using a different user name/password combo.
Yeah, that's correct. When I establish the VPN connection I have to create a log-in password that consists of three pieces. Two pieces of the password are static, the 3rd component is created by a hard token (random character generator).
Do I have to worry about checking my POP3 mailbox as mentioned above? Is that the real concern?
Thx.
I don't think so, the Cisco VPN approach is about as safe as you can get. Unlike other tools that allow you to split the network and connect to the net separately without using the VPN, Cisco creates a virtual network adapter and sends ALL traffic over this adapter. So, all traffic is over IPSEC and possibly also over SSL. I think that this is about as safe as you can get with a commercial product.
If you still feel that you have to do something, add on a GOOD software firewall (not the Windows default one, maybe ZoneAlarm Pro? I am not sure what's a good firewall for Windows as I use Linux most of the time.)
Check out this page in your Cisco VPN client help (assuming you installed to the default location)
C:\Program Files\Cisco Systems\VPN Client\help\vc525.html#1010052
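Added example, not part of any post in this thread: a way to tell from a routing table whether a VPN session is split (jdhurst's "split connections") or sends all traffic through the virtual adapter as smugiri describes. It does a longest-prefix match over constructed routes; the interface names `tun0` and `wlan0`, the addresses and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed routing tables as (destination, interface) pairs. "tun0" stands
# in for the VPN virtual adapter, "wlan0" for the hotel WiFi (assumed names).
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN concentrator itself
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # internet traffic leaves over the WiFi link
    ("10.0.0.0/8", "tun0"),        # only office ranges go through the tunnel
    ("203.0.113.10/32", "wlan0"),
]
# Constructed probe destinations: a public host, an office host, the concentrator.
PROBES = ["198.51.100.7", "10.1.2.3", "203.0.113.10"]

def egress_interface(routes, destination):
    """Longest-prefix match: return the interface a packet to destination uses."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def leaks_outside_tunnel(routes, tunnel_iface, vpn_gateway, probes):
    """Return the probe destinations whose traffic would bypass the tunnel."""
    leaked = []
    for dest in probes:
        if dest == vpn_gateway:
            continue  # encrypted tunnel packets legitimately use the physical link
        if egress_interface(routes, dest) != tunnel_iface:
            leaked.append(dest)
    return leaked

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        leaked = leaks_outside_tunnel(table, "tun0", "203.0.113.10", PROBES)
        print(name, "tunnel; destinations outside the VPN:", leaked or "none")
```

Any destination reported as outside the VPN travels over the open wireless link unprotected by the tunnel, which is the case where the software firewall advice above applies.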
Posted: Fri Aug 11, 2006 1:19 pm
by DIGITALgimpus
For the record, nothing is 100% secure, any claims that something is... are made by idiots and idiots only.
That said, VPN over WiFi is generally considered _very_ safe (though not 100%). I personally wouldn't have a problem with that for all but the most secure data.... I personally wouldn't do that for a banking or medical institution for example, or military usage. But for just about all civilian data... I wouldn't question it.