I am trying to understand the downsides of using VPNs instead of
802.1x, and so far I only found some minor issues such as lack of support for multicasting and some minor problems related to roaming.Is it more costly to deploy VPN or 802.1x with RADIUS servers ?
Are VPNs more vulnerable to certain types of attacks, and if so what are they ?
Thanks for the help.
Merl
The purpose of a VPN and 802.1x are very different. It would be a great help if you would disclose what you are trying to accomplish and what you have to work with.
A VPN provides access to a remote network through an unsecure "tunnel". This tunnel can cross the internet without fear of sniffing or hijacking because of encryption and authentication mechanisms. When working, a VPN will deliver a totally transparent connection to whatever is on the other other end of the tunnel. It's as if you were plugged into the remote network directly. Since the traffic visible across the internet is encrypted and authenticated, security is excellent.
802.1x is simply authentication. Are you who you claim to be. This can be via a variety of keys ranging from a MAC address to an X.509 certificate. Upon authentication, the RADIUS (remote authentication dial-in user service) delivers a token that enable access to the internet, network, LAN, wireless, or whatever. It's also being used for desktop policy enforement, but I don't wanna go there. 802.1x does NOT provide any additional security from sniffing and decryption. Protection from spoofing depends largely on implimentation.Many hardware routers are able to initiate and terminate a VPN connection. Usually, they have some limits as to the number of tunnels and connections. 5 or 10 is typical for the $100 VPN routers. I'm not thrilled with Linksys BEFVP41 VPN routers, but they are cheap and mostly work.
A RADIUS server is usually a Linux box running some LDAP implimentation. Cost is consirably more than a cheapo VPN router. However, if you're dealing with hundreds of remote VPN connections, the price of VPN routers go up considerably.
All networks are vulnerable to various Dos and DDoS attacks. A VPN will not help there. VPN's can also be setup with insecure encryption or no encryption at all. If the connection details and keys are known, VPN clients can be spoofed or the connection hijacked. Some forms of VPN (i.e. PPTP) are unreliable. Cheap home router can easily route the kids worm and spyware infested game machine into the corporate LAN via a VPN. Despite these problems, VPN's are still considered the most secure method of crossing the hostile internet.
Throughput is generally lower when you add that overhead, unless you have a Linksys VPN router or the Buffalo SRG.
Oops. That should be though a "secure" tunnel.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.