
VPN 4

This document discusses security vulnerabilities in VPN-based wireless deployments and proposes solutions. It describes how an attacker can use a dual-NIC laptop as a hidden wireless router (HWR) to bypass the VPN server and access the corporate intranet. It then evaluates possible solutions like client-based software to detect HWRs, monitor-based methods to passively detect anomalous traffic patterns or actively probe for open connections, and access point-based frame filtering. The document also discusses experiments observing how enabling different VPN protocols on the HWR can disrupt its operation.

Uploaded by

api-3830691
Copyright
© Attribution Non-Commercial (BY-NC)

Tackling Security Vulnerabilities in VPN-based Wireless Deployments

Lookman Fazal,
Sachin Ganu,
Martin Lappes,
A. S. Krishnakumar,
P. Krishnan
Outline

• Introduction
• The Hidden Wireless Router (HWR)
• Possible Solutions to the HWR
• Experiments and Observations

Introduction (1/2)

• Many enterprises are using a VPN-based architecture as the “best practice” method to secure their wireless networks

Introduction (2/2)

• The current architecture remains vulnerable to attacks if the VPN server can be bypassed
• This paper describes and demonstrates how the attacker can bypass the VPN server to break into the corporate intranet

The Hidden Wireless Router (HWR) (1/2)

• The problem lies in the assumption that all wireless clients will access the network through the VPN server

[Figure: H is a dual-NIC laptop]

The Hidden Wireless Router (HWR) (2/2)

• It is rather trivial to enable a dual-NIC laptop to be a NAT router. In Windows:
  1. Enable connection sharing on the wired interface
  2. Configure the wireless interface to use DHCP
• There are several ways for a machine to end up in this configuration:
  • Viruses and worms
  • Misconfiguration by users
  • ...
• During the attack, the user of H may not know it is being used by R as a gateway

Possible Solutions to the HWR (1/4)

• Client-based solutions
  • Software could be put on clients to warn users when connection sharing is detected, and
  • such software could also enforce disabling IP packet forwarding on client machines
  • This solution can be hard to enforce
• Non-client-based solutions
  • Monitor-based solutions
  • Access point-based solutions

Possible Solutions to the HWR (2/4)

• Monitor-based solutions
  • Passive methods
    • The key indicator is traffic from a wireless station that is destined not to the VPN server but to another wireless station
    • The HWR can be detected whether or not the sniffer possesses the key of the wireless network
    • The sniffer may maintain a list of permissible addresses
  • Active methods
    • The sniffer acts as a rogue client
    • It tries to establish a connection to a server in the wired network

Possible Solutions to the HWR (3/4)

• Locating and controlling HWRs
  • Location-estimation techniques based on signal-strength measurements (used in passive methods)
  • The HWR may be located from the wired side (used in active methods)
  • After the HWR is located, either the wireless or the wired network connection of the HWR needs to be disabled

Possible Solutions to the HWR (4/4)

• Access point-based solutions
  • The AP can prevent the HWR scenario by frame filtering based on MAC source and destination address
  • The list of permissible addresses is limited to a few entries (e.g., primary and backup VPN servers)

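The passive monitor check and the AP allowlist filter described above, as an added Python example that is not from the original slides. It reads only the 802.11 MAC header, which is sent in the clear even when the payload is encrypted, so it works without the network key. The MAC addresses, the VPN servers sitting on the same layer-2 segment as the AP, and the broadcast exemption are assumptions; the frames are constructed sample data.

```python
# Added example: passive HWR detection from 802.11 MAC headers.
# All MAC addresses and frames below are constructed sample data.
from collections import Counter

VPN_SERVERS = {"00:11:22:00:00:01", "00:11:22:00:00:02"}  # primary, backup (assumed)
BROADCAST = "ff:ff:ff:ff:ff:ff"  # assumption: allowed so DHCP/ARP still work

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_to_ds(frame):
    """Return (source, destination) for a station-to-AP data frame, else None."""
    if len(frame) < 24:
        return None
    ftype = (frame[0] >> 2) & 0x3            # 2 = data frame
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if ftype != 2 or not to_ds or from_ds:
        return None
    # ToDS layout: addr1 = BSSID, addr2 = source, addr3 = final destination
    return mac(frame[10:16]), mac(frame[16:22])

def permitted(dst):
    """The allowlist check an AP-side frame filter would apply."""
    return dst in VPN_SERVERS or dst == BROADCAST

def detect_hwr(frames):
    """Count frames per (sender, suspected HWR) where one wireless station
    addresses another wireless station instead of the VPN server."""
    pairs = [p for p in map(parse_to_ds, frames) if p]
    stations = {src for src, _ in pairs}     # every MAC seen transmitting on the WLAN
    return Counter((s, d) for s, d in pairs if not permitted(d) and d in stations)

def build(src, dst, bssid="00:aa:bb:00:00:10", protected=True):
    """Construct a 24-byte header plus dummy (opaque) payload for the demo."""
    addrs = bytes.fromhex((bssid + src + dst).replace(":", ""))
    flags = 0x01 | (0x40 if protected else 0)   # ToDS, optional Protected bit
    return bytes([0x08, flags, 0, 0]) + addrs + b"\x00\x00" + b"\xde\xad"

H, R, C = "00:de:ad:00:00:0a", "00:de:ad:00:00:0b", "00:de:ad:00:00:0c"
SAMPLE = [
    build(C, "00:11:22:00:00:01"),   # normal client -> VPN server
    build(H, "00:11:22:00:00:01"),   # H also talks to the VPN server
    build(R, BROADCAST),             # R doing DHCP/ARP
    build(R, H), build(R, H),        # R -> H: station-to-station traffic
]

if __name__ == "__main__":
    for (src, dst), n in detect_hwr(SAMPLE).items():
        print(f"suspected HWR {dst}: {n} frame(s) from {src}")
```
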
Experiments and Observations (1/2)

• Effect of enabling VPN on the HWR
  • Enabling the IPsec-based VPN client on H disrupted the operation of the HWR, and H's wireless interface could not be reached
  • Activating the PPTP-based VPN seems to disrupt the operation of the HWR; however, the non-routable IP address on H can be reached

Experiments and Observations (2/2)

• HWR with a single physical interface
  • H is disconnected from the wired network and connection sharing between the PPTP interface and the wireless interface is enabled
  • Packets arriving at H get NAT-forwarded to the PPTP interface
