I am trying to understand the downsides of using VPNs instead of
802.1x, and so far I only found some minor issues such as lack of
support for multicasting and some minor problems related to roaming.

Is it more costly to deploy VPN or 802.1x with RADIUS servers ?

Are VPNs more vulnerable to certain types of attacks, and if so what
are they ?

Thanks for the help.

Merl

Throughput is generally lower when you add that overhead, unless you have a
Linksys VPN router or the Buffalo SRG.

On 11 Mar 2005 07:42:59 -0800, merl_bush***@mail.com (Merl Bushkin)
wrote:

The purpose of a VPN and 802.1x are very different.  It would be a
great help if you would disclose what you are trying to accomplish and
what you have to work with.

A VPN provides access to a remote network through an unsecure
"tunnel".  This tunnel can cross the internet without fear of sniffing
or hijacking because of encryption and authentication mechanisms.
When working, a VPN will deliver a totally transparent connection to
whatever is on the other other end of the tunnel.  It's as if you were
plugged into the remote network directly.  Since the traffic visible
across the internet is encrypted and authenticated, security is
excellent.

802.1x is simply authentication.  Are you who you claim to be.  This
can be via a variety of keys ranging from a MAC address to an X.509
certificate.  Upon authentication, the RADIUS (remote authentication
dial-in user service) delivers a token that enable access to the
internet, network, LAN, wireless, or whatever.  It's also being used
for desktop policy enforement, but I don't wanna go there.  802.1x
does NOT provide any additional security from sniffing and decryption.
Protection from spoofing depends largely on implimentation.

Many hardware routers are able to initiate and terminate a VPN
connection.  Usually, they have some limits as to the number of
tunnels and connections.  5 or 10 is typical for the $100 VPN routers.
I'm not thrilled with Linksys BEFVP41 VPN routers, but they are cheap
and mostly work.

A RADIUS server is usually a Linux box running some LDAP
implimentation.  Cost is consirably more than a cheapo VPN router.
However, if you're dealing with hundreds of remote VPN connections,
the price of VPN routers go up considerably.

All networks are vulnerable to various Dos and DDoS attacks.  A VPN
will not help there.  VPN's can also be setup with insecure encryption
or no encryption at all.  If the connection details and keys are
known, VPN clients can be spoofed or the connection hijacked.  Some
forms of VPN (i.e. PPTP) are unreliable.  Cheap home router can easily
route the kids worm and spyware infested game machine into the
corporate LAN via a VPN.  Despite these problems, VPN's are still
considered the most secure method of crossing the hostile internet.

On Fri, 11 Mar 2005 09:50:01 -0800, Jeff Liebermann
<je***@comix.santa-cruz.ca.us> wrote:

Oops.  That should be though a "secure" tunnel.

Need EASY network - 210' clear line of site
Best Home Based Wireless Router
PCMCIA or USB?
Belkin Pre-N Wifi - Speed problem
Linksys WRT54G now a brick....but wireless works...
2 Computers...1 Antenna?
Centrino 11g connection problems
Linksys Wireless Router B to Belkin USB Adapter G
DWL-G120's in Ad-Hoc setup
Setting up NETGEAR wireless router to new DSL service