There's a lot of talk – especially from the VPN vendors – about using a VPN to secure wireless LAN (WLAN) communications. But do you really need to put forth the time, money, and effort required to do this? I've got two good arguments for it and two against it. Sure, there are probably dozes of other pros and cons, but this is what I'm seeing in the field from a practical perspective. Of course, you'll have to decide what matters to you, but here's my take on it.
Reason #1 for WLAN VPNs – VPNs are right up your alley
VPNs certainly aren't the easiest components of a network security infrastructure to setup or
manage. If you can walk the VPN walk and you won't have a steep learning curve, installing and
maintaining a VPN to secure your airwaves makes good sense – especially since it'll be second
nature to you. Barring any major technical innovations that complicate things in the future, if
it's easy for you now, it's hard to argue that it won't be easy long-term.
Reason #2 for WLAN VPNs – A VPN fits into your existing network architecture
If you're already relying on VPNs for external, and even untrusted internal network communications,
why not configure your VPN to support the WLAN. You can use the same authentication, integrity, and
encryption features present in your wired LAN VPN setup for your WLAN. You probably won't even have
to purchase any additional hardware (software licenses are a different
Requires Free Membership to View
issue) to make this happen
if your existing VPN system supports multiple network segments. Certain WLAN access points are
VPN-aware so look for that as well.
Reason #1 against WLAN VPNs – It's just extra overhead you don't need
Adding a VPN to your WLAN comes with a cost – and I'm not just referring to the purchase price of
hardware and licenses. A VPN requires ongoing maintenance and support. VPN systems must be
hardened, patched, and sometimes tweaked even though many vendors claim a "setup and forget"
solution. Also, don't forget extra failover systems you may need to put in place for business
continuity as well as ongoing support contract costs. If you do the right things to secure your
WLAN, do you really need to add another system (the VPN) into the mix? It can certainly be just
another point of potential failure and frustration.
Reason #2 against WLAN VPNs – WLANs can be secured by other means (really)
Hardening a small WLAN is not difficult at all. Larger WLAN deployments can take more time – but
it's certainly doable. WLAN hardening techniques are well-documented. There's WEP, SSID tweaks, and
other access point, wireless client, and 802.11 protocol settings that can really tighten down a
WLAN. On top of that, you can deploy WPA or the new WPA2 and 802.11i security settings
in your WLAN making it rock solid. A VPN is certainly not the only answer.
I'm prejudiced towards the more practical side of IT and security. The thing is, in this situation, there are practical aspects to both sides of the argument. A VPN can offer maximum security, but a properly hardened WLAN can offer maximum practicality at the lowest cost. So, do I believe a VPN is the ultimate solution to WLAN security? Probably not, but, like all things IT, it depends. The final call on whether to secure your WLAN using existing best practices and standards or to just setup a VPN is ultimately up to you. It really boils down to what you're trying to protect and what lengths you're willing to go to to protect it. As long as you take the necessary steps, your airwaves should be plenty secure.
Kevin Beaver is the founder and principal consultant of Atlanta, GA-based information security services firm Principle Logic, LLC. He has over 16 years of experience in IT and specializes in information security assessments and incident response. Kevin is the author of Hacking For Dummies by Wiley Publishing and the free ebook The Definitive Guide to Email Management and Securityby Realtimepublishers.com and co-author of the book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications. He can be reached at kbeaver@principlelogic.com.
This was first published in September 2004