Tunnelling 101

For many business users, having instant access to data while on the move is now a necessity. But deploying and managing a secure VPN can be challenging. Barry Mansfield looks at the current trends and provides some pointers on tackling VPN security.

By Barry Mansfield. Published September 30, 2007

It is hardly surprising that virtual private networks (VPNs) are an attractive target for hackers. VPNs carry sensitive information over an insecure network and remote access VPNs often allow full access to the internal network, while the traffic remains invisible to IDS monitoring tools.

With security improving in other areas - more organisations are learning the importance of installing firewalls, moving internet servers onto the DMZ and automatically patching servers - it makes sense that the VPN has become a more appealing target over time.

Back in 2005, at the conclusion of a three-year period of testing VPNs, British security outfit NTA Monitor revealed that a staggering 90% of remote access VPN systems featured exploitable vulnerabilities. The tests were mainly carried out for large organisations, including financial institutions that had the benefit of their own in-house security teams. The popular perception is that VPN systems are invulnerable, when in reality they are frequently the weak link in an otherwise secure enterprise system.

Many remote access VPNs have vulnerabilities that allow valid usernames to be guessed through a dictionary attack, because they respond differently to valid and invalid usernames. One of the fundamental requirements of a username and password authentication scheme is that an incorrect login attempt should not leak information as to whether the username or the password was incorrect. However, many VPN implementations have ignored this rule.

The fact that VPN usernames are often based on people's names or e-mail addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of usernames in a short time.


After a valid password has been obtained using IKE aggressive mode, it is possible to obtain a hash from the VPN server and use this to stage an offline attack in order to crack the associated passwords. As this attack is offline, it will not appear on the VPN server log or cause account lockout. It is also extremely fast - hundreds of thousands of guesses per second is not an overestimation.

Target maths

While a VPN can provide reliable anywhere, anytime access to most enterprises, a VPN alone doesn't offer comprehensive endpoint security.

Shirley O'Sullivan, EMEA portfolio leader for security and application networking at Nortel Networks, which has over 100 million VPN clients deployed worldwide, believes two-factor authentication is now a necessity for organisations looking to ensure optimum levels of VPN security. She also notes that there has been a shift away from IP security (IPsec) to secure sockets layer (SSL) as the encryption protocol of choice. "We don't think there is a place for just one or the other, though. You have to marry the technology to the customer's specific requirements."
