Use a VPN to Secure Your Wireless Network

Batten down the 802.11b and HomeRF hatches

At the first annual Windows Embedded Developers Conference in early 2001, Microsoft set up an 802.11b network for more than 1000 attendees. The test network provided 10Mbps data-rate connections for email and for access to slide show presentations on a local server. The test network also provided Web access through a proxy server. The solution wasn't perfect—in particular, many attendees found their Pocket PCs almost useless for Web browsing (even with a fast Ethernet connection) because of their tiny displays. I ended up spending more time scrolling around a Web page than actually browsing. The technology, however, thrilled many other attendees, who used 802.11b PC Cards with their notebook PCs to achieve live, realtime Web and email access.

We're witnessing an explosion in the popularity of wireless LAN technologies. The 802.11b (aka Wi-Fi) specification, and the similar but lower-performance HomeRF specification, define a new protocol that supports wireless voice and data networking in both home and office environments. Both standards primarily take the form of NICs that communicate over radio rather than through cable. The technologies are embedded either in PCI cards that you can plug into desktop PCs or servers, or in PC Cards that you can use with notebook PCs and mobile devices. In some cases, the technologies are embedded in external devices that you can connect through a USB cable or directly to a router.

The great benefit of a wireless LAN is the freedom it gives you on your network. You can add, remove, and move devices at will—you simply plug a card into the device and install the software. Depending on the device and the way you've set up your network, you might need to set a static IP address, but if your network supports DHCP, you won't even have to do that. The 802.11b and HomeRF networking technologies are perfectly suited to mobile devices, offering the advantage of a high-speed (i.e., as fast as 10Mbps) connection without pinning you to a particular location. (For more information about Wi-Fi and a buyer's guide for devices, see Tom Iwanski, "802.11b Wireless Devices," July 2001.)

Unfortunately, the 802.11 and HomeRF specifications aren't secure—simply because radio signals are inherently insecure. But you can use a VPN to correct that limitation.

Security Concerns
A recent story in The Wall Street Journal ("Silicon Valley's Open Secrets," April 27, 2001) illustrates the potential security limitations of wireless LANs. The article describes how two young crackers drove around Silicon Valley with a notebook PC and 802.11b card and hacked into such companies as Sun Microsystems, 3Com, and Nortel Networks.

The disturbing part of the story is the crackers' apparent lack of sophistication—they merely installed an 802.11b card and started browsing for other PCs on the wireless LAN. I didn't need an overactive imagination to envision the ease with which a cracker might invade my own HomeRF network, which I'd initially configured with no security and with guest access enabled. Anyone with a Windows-based notebook and a HomeRF card could find my network and browse my computers. Judging from The Wall Street Journal story, most 802.11b networks are similarly insecure.

Use a VPN
VPN technology provides a secure way to use the Internet for private communications. Rather than communicate directly over the Internet, a VPN client establishes a secure connection with a VPN host. The client encrypts data packets, then passes them over the Internet to the host, which decrypts the packets. Although a cracker could intercept the encrypted packets as they pass over the Internet, he or she would need to first decrypt the packets to obtain any useful information. Such decryption is beyond the casual cracker's capability.

You can use Win2K's inherent VPN technology to secure a wireless LAN. On the day The Wall Street Journal story broke, I implemented a VPN on my HomeRF network. Here's how you do it.

  1. Set up your wireless LAN per the manufacturer's instructions.
  2. On each Win2K Professional client machine that belongs to the wireless LAN, go to Start, Settings, Network and Dial-up Connections. Right-click your wireless adapter and select Properties. Clear the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes. Make sure Internet Protocol (TCP/IP) remains selected, as Figure 1 shows. Click OK.
  3. On the Win2K Server machine, select Start, Settings, Network and Dial-up Connections, Make New Connection to start the Network Connection Wizard. Click Next, then select the Accept incoming connections check box. On the wizard's next screen, make sure that All connection devices remains cleared. On the following screen—the Incoming Virtual Private Connection page—click Allow Virtual Private Connection, then click Next. Choose the users to which you want to permit access to the virtual connection (don't select Guest). On the next screen, ensure that all networking components are selected. On the final page, which lists the name of the resulting connection, click Finish.
  4. On each client, select Start, Settings, Network and Dial-up Connections, Make New Connection to start the Network Connection Wizard. After clicking Next, select Connect to a private network through the Internet. On the next screen, click Do not dial the initial connection. On the following screen, enter the server's DNS name or IP address, then click Next. You can create the connection for all users or for only the logged-on user. Finally, you can edit the name of the connection. Click Finish.
  5. A Connect Virtual Private Connection dialog box appears on the client. To complete the connection, the user must type a username and password. The client now sees the server as if the two were connected directly on the LAN.

This procedure routes all browsing, as well as file and printer sharing, over the VPN. A cracker outside the building who has a wireless LAN card could see that a network exists but couldn't browse it. Of course, the cracker might guess that a VPN exists and try to access it. However, to do so, the cracker must guess a username and password. Obviously, if you plan to implement a VPN, you'll want to disable guest access and require nonblank passwords. Also, if you—like many of us—have created a too-obvious password for your Win2K Administrator account, now is the time to change it.

The only problem I've found with the VPN approach is that Internet Connection Sharing (ICS) fails: Attempts to browse the Web or perform other Internet-only tasks go through the VPN instead of directly over the wireless network. To fix this problem, open the Properties page (on the client) for the VPN connection that you've created. On the Networking tab, select Internet Protocol (TCP/IP) and click Properties. Click Advanced and clear the Use default gateway on remote network check box on the General tab. Click OK to close the Advanced TCP/IP Settings dialog box. Click OK again to close the Internet Protocol (TCP/IP) Properties dialog box, then click OK a third time to close the VPN connection's Properties dialog box. If the connection is active, you'll see the warning message "Since this connection is currently active, some settings will not take effect until the next time you dial it." To effect your changes, you'll need to double-click the connection's taskbar icon, click Disconnect on the resulting Status dialog box, then reconnect from Network and Dial-up Connections. To learn more about Win2K's VPN technology, see Douglas Toombs, "Configure a Win2K VPN," September 2000.
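The effect of the Use default gateway on remote network check box is visible in the client's routing table. The following added example (not part of the original article) applies the usual longest-prefix, lowest-metric route choice to two constructed `route print` tables, one per check box state, to show which destinations leave the client outside the VPN and therefore cross the radio link without the VPN's encryption. Every address and function name in it is an assumption made for illustration.

```python
import ipaddress

VPN_IP = "10.0.0.12"  # constructed: address the VPN server handed the client

# Constructed `route print` rows: destination, netmask, gateway, interface, metric.
# Check box selected: a default route through the VPN outranks the wireless one.
FULL_TUNNEL = """
0.0.0.0      0.0.0.0        10.0.0.12     10.0.0.12     1
0.0.0.0      0.0.0.0        192.168.1.1   192.168.1.20  2
192.168.1.0  255.255.255.0  192.168.1.20  192.168.1.20  1
"""
# Check box cleared: only the VPN's own network is routed through the tunnel.
SPLIT_TUNNEL = """
0.0.0.0      0.0.0.0        192.168.1.1   192.168.1.20  1
10.0.0.0     255.0.0.0      10.0.0.12     10.0.0.12     1
192.168.1.0  255.255.255.0  192.168.1.20  192.168.1.20  1
"""

def parse_routes(text):
    """Return (network, interface, metric) tuples from route-table rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank line or anything that is not a route row
        dest, mask, _gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, iface, int(metric)))
        except ValueError:
            continue  # header or separator text, not addresses
    return routes

def egress_interface(routes, destination):
    """Pick the route an IP stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]

def bypasses_vpn(route_text, destination, vpn_ip=VPN_IP):
    """True when traffic to destination leaves on an interface other than the VPN."""
    return egress_interface(parse_routes(route_text), destination) != vpn_ip
```

With the check box cleared, only destinations inside the VPN's own network stay in the tunnel; Web traffic takes the wireless adapter's default route.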

Mobile VPNs
Clearly, wireless LANs are a natural fit for mobile devices. But how do you use a wireless Ethernet card to secure your Pocket PC or other Personal Digital Assistant (PDA)? Although Microsoft has built VPN support into Windows CE 3.0—which both Pocket PCs and the larger Handheld PC 2000 devices use—the company hasn't provided a VPN client for these devices.

Microsoft's enterprise white paper "Why Pocket PC?" lists third-party VPN support from Certicom and V-ONE. Unfortunately, the Certicom and V-ONE solutions don't let you connect a Windows CE device to a Win2K-hosted VPN. V-ONE's proprietary SmartGate VPN requires a server component as well as a client component. Certicom's movianVPN client works with enterprise VPNs from such big-name vendors as Alcatel, Axent, Check Point Software Technologies, Cisco Systems, Intel, Nortel Networks, and RADGUARD. The movianVPN client also supports Palm OS devices, as well as devices that run Windows CE. (V-ONE is developing a Palm V and Palm III version.)

You can use Win2K's built-in VPN support to secure a wireless LAN that runs on Windows-based notebooks and desktop PCs. However, if you want to provide secure access to the wireless LAN for other types of mobile devices, you'll need third-party software for the connection's client and server sides. I'll sign off with a question for Microsoft: Why didn't you provide necessary client software so that Windows CE devices could participate in a Win2K VPN?
