On 11 Mar 2005 07:42:59 -0800,
(E-Mail Removed) (Merl Bushkin)
wrote:
>I am trying to understand the downsides of using VPNs instead of
>802.1x, and so far I only found some minor issues such as lack of
>support for multicasting and some minor problems related to roaming.
>
The purpose of a VPN and 802.1x are very different. It would be a
great help if you would disclose what you are trying to accomplish and
what you have to work with.
A VPN provides access to a remote network through an unsecure
"tunnel". This tunnel can cross the internet without fear of sniffing
or hijacking because of encryption and authentication mechanisms.
When working, a VPN will deliver a totally transparent connection to
whatever is on the other other end of the tunnel. It's as if you were
plugged into the remote network directly. Since the traffic visible
across the internet is encrypted and authenticated, security is
excellent.
802.1x is simply authentication. Are you who you claim to be. This
can be via a variety of keys ranging from a MAC address to an X.509
certificate. Upon authentication, the RADIUS (remote authentication
dial-in user service) delivers a token that enable access to the
internet, network, LAN, wireless, or whatever. It's also being used
for desktop policy enforement, but I don't wanna go there. 802.1x
does NOT provide any additional security from sniffing and decryption.
Protection from spoofing depends largely on implimentation.
>Is it more costly to deploy VPN or 802.1x with RADIUS servers ?
Many hardware routers are able to initiate and terminate a VPN
connection. Usually, they have some limits as to the number of
tunnels and connections. 5 or 10 is typical for the $100 VPN routers.
I'm not thrilled with Linksys BEFVP41 VPN routers, but they are cheap
and mostly work.
A RADIUS server is usually a Linux box running some LDAP
implimentation. Cost is consirably more than a cheapo VPN router.
However, if you're dealing with hundreds of remote VPN connections,
the price of VPN routers go up considerably.
>Are VPNs more vulnerable to certain types of attacks, and if so what
>are they ?
All networks are vulnerable to various Dos and DDoS attacks. A VPN
will not help there. VPN's can also be setup with insecure encryption
or no encryption at all. If the connection details and keys are
known, VPN clients can be spoofed or the connection hijacked. Some
forms of VPN (i.e. PPTP) are unreliable. Cheap home router can easily
route the kids worm and spyware infested game machine into the
corporate LAN via a VPN. Despite these problems, VPN's are still
considered the most secure method of crossing the hostile internet.
--
Jeff Liebermann
(E-Mail Removed)
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Linear Mode
