Defeating Evil Twin

The other day i was discussing with thrill about detecting and defeating Evil Twin and what are the best options beside using WEP or WPA. For folks who still don't know, both WEP and WPA can be broken and is not considered secure. Check my previous post and you will find the tools needed to break those keys. Apparently, it boils down to two options, but i will let you guys decide which one is more secure.

Thrill was suggesting about placing an Access Point in the DMZ area and make the IP a private one. A VPN server would also be needed to be setup in the DMZ area for listening to clients who wants to connect to the AP and use the wireless service. In that manner, an attacker who tries to setup an Evil Twin will not have access to the DMZ area because he would first need to use a VPN client to connect to the VPN server before any surfing can continue. This has several advantages and disadvantages and it all depends how you looked at it. The advantages being that all the traffic will be encrypted because it will be tunneled through a VPN server first before going out to the internet. Second being that SSID can be broadcast and no WEP/WPA security is needed. Of course if you are being paranoid, you can also include WPA key as an option. And third, it will defeat most Evil Twin. Below is a diagram which depicts the whole scenario.

According to thrill, its not necessary to implement a DMZ zone. It could be another extra network card on the VPN server that is going to have itself and the AP connected to it. Thrill quoted: "The trick is to not allow routing through this interface, and to set up a VPN server on that machine listening ONLY on that interface. And maybe a DHCP server on that interface as well. This is how this network becomes secure, and someone setting up an Evil Twin wouldn't be able to duplicate. And even if they did, the VPN client can be set up to authenticate a server side certificate easy enough." I wont say this is 100% secure, but it is the best solution he can think of and i do agree that it is good solution. The downside of this setup is every user needs to install OpenVPN client software on their machine and needs to be notified of the setup. That's a hassle.

On the other side, thrill also quote: "using 802.1x authentication along with using a Radius server for logging in the user. Some of you may have already heard of the technology, it's using the Odyssey client by Funk Software, along with their Steel Belted Radius. Using Cisco APs we were able to enable rotating WEP keys that were only given to the client if their Certificate could be authenticated, once they were connected to the wireless network, they then needed to authenticate their user/password via the radius which pointed to the LDAP portion of AD. The trick for rotating SSID/WEP keys is using a certificate to authenticate to the actual AP. The AP is set up to point to a radius server which has the certificate on it, then the client sends the AP the supplication requesting the SSID/Key, the AP forwards the request to the Radius server which authenticates the certificate and sends an OK to the AP, who in turn sends the client the SSID/Key to authenticate." Below depicts the scenarion:

Whichever is better, if something becomes too hard to use or requires too many steps, most people will be lazy and don't care about it. But then again, it all depends on the organization on how they want to implement their systems. Just my opinion.