Myth #2: Even with 802.11i, you still need a VPN to
Once a network security professional learns that the physical layer of the network can be extended outside a room, building, or even across town, by an intruder with a high-gain antenna, it’s only natural to get skittish about allowing access points on the LAN. When you consider security options for this type of network that has an openly accessible physical layer, comparisons to the Internet are inevitably made.
IPSec and SSL VPNs have long been a logical way to secure users accessing the network via WAN connections, so it makes sense that people would choose those same options to secure a wireless LAN. To make matters worse, many network security veterans have been bombarded with news items telling them how vulnerable Wi-Fi networks are to intrusion—WEP or no WEP.
When WEP was fixed with the introduction of WPA in 2003, many people noticed. When 802.11i and WPA2 were introduced in 2004, even more people noticed. But few people who knew about WPA and WPA2 really knew the ins and outs of how they make wireless networks secure.
WPA fixed WEP by introducing TKIP (Temporal Key Integrity Protocol) encryption and using 802.1X/EAP or WPA-PSK as secure authentication methods. TKIP is an encryption type based on the same cipher as WEP. While TKIP fixes the flaws in WEP, perhaps even more important is the fact that it kept the same cipher as WEP so that legacy equipment could be upgraded with improved software, not hardware.
Even when WPA became widely available, security professionals still had good reason to recommend VPNs for some secure Wi-Fi environments. TKIP’s use of the RC4 encryption cipher meant that certain organizations (Department of Defense, financial services, etc.) would be unable to comply with tough regulatory standards for IT security unless IPSec or SSL were employed.
When WPA2 was released, all of that changed. WPA2 uses CCMP (Counter Mode CBC-MAC Protocol) encryption. This is significant because the cipher used in CCMP is AES. The AES cipher is the strongest cipher used with IPSec VPNs, and it has no known flaws. The end result is that using CCMP on an 802.11i network provides encryption that is as strong as the strongest IPSec VPN.
Some network security professionals who acknowledge the encryption strength of 802.11i still prefer VPNs because authentication on IPSec and SSL connections is known to be secure. And there are very real concerns when certain types of authentication are used in concert with CCMP encryption: WPA-PSK and 802.1X/EAP-LEAP authentication are both vulnerable to dictionary attacks.
Even though vulnerable WPA2 authentication methods do exist, several secure authentication methods are available as well. When a Wi-Fi network is designed using the 802.1X framework with EAP-TLS, EAP-TTLS, or PEAP authentication, wireless credentials are kept private using tunneling technology similar to SSL. Devices that use CCMP encryption with any of the aforementioned types of authentication are easily identified with the WPA2 Enterprise certification.
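As an added example (not code from the original post), the following Python applies the criteria above to wpa_supplicant-style network profiles: it flags TKIP as the RC4-era cipher, WPA-PSK and EAP-LEAP as dictionary-attack exposures, and rates a CCMP profile with EAP-TLS, EAP-TTLS or PEAP as WPA2 Enterprise grade. The key names are wpa_supplicant's; the two sample profiles are constructed for illustration.

```python
import re

# Constructed sample: a WPA-PSK/TKIP profile beside a WPA2 Enterprise one.
SAMPLE_CONF = """
network={
    ssid="legacy-net"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    psk="correct horse battery staple"
}
network={
    ssid="corp-net"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.strip().splitlines():
            key, _, val = line.strip().partition("=")
            if key:
                net[key] = val.strip().strip('"')
        nets.append(net)
    return nets

def assess(net):
    """Return (rating, findings) for one profile, following the post's reasoning."""
    findings = []
    ciphers = set(net.get("pairwise", "").split())
    eap = net.get("eap", "").upper()
    if "TKIP" in ciphers:
        findings.append("TKIP keeps WEP's RC4 cipher; fails strict regulatory regimes")
    if net.get("key_mgmt") == "WPA-PSK":
        findings.append("WPA-PSK passphrase is exposed to offline dictionary attack")
    if eap == "LEAP":
        findings.append("EAP-LEAP credentials are exposed to dictionary attack")
    if eap in ("PEAP", "TTLS") and not net.get("ca_cert"):
        findings.append("EAP-%s without ca_cert: the TLS tunnel's server is unverified" % eap)
    strong = (ciphers == {"CCMP"} and net.get("key_mgmt") == "WPA-EAP"
              and eap in ("TLS", "TTLS", "PEAP") and not findings)
    return ("WPA2 Enterprise grade" if strong else "weak", findings)
```

The ca_cert check goes one step beyond the post: a PEAP or TTLS tunnel only keeps credentials private when the client verifies the authentication server's certificate.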
The development of WPA2 Enterprise has been an important step in the security evolution of Wi-Fi networks. For some IT security folks, however, being just as secure as an IPSec or SSL VPN isn’t quite enough. Seasoned security people know VPNs. They may not really know WPA2 Enterprise and, therefore, may be unwilling to adopt it when VPNs are readily available. For that reason, it’s important to understand that WPA2 Enterprise is not just as good as an IPSec VPN; it’s better.
WPA2 Enterprise offers benefits over wireless VPN connections in terms of cost, performance, availability, and support. There are numerous ways to express the advantages of WPA2 Enterprise, but a look at the intrinsic nature of each technology is the most revealing way to understand it. Wi-Fi is a layer 2 technology and WPA2 Enterprise secures the network at layer 2. IPSec is a layer 3 technology, which makes it fundamentally less scalable, secure, and manageable for securing a layer 2 link.