[vpn] Clarity

Loki loki at fatelabs.com
Sat Nov 17 02:39:19 EST 2001


This is actually a really good post and could start a very interesting 
thread, a subject area I have great interest in from my own research. I've 
discussed this very question with several people and have come to several 
conclusions.

I think from my experience everyone believes that VPNs in general "have a 
possibility" of being compromised or circumvented. Albeit that every VPN I've 
pen-tested, I was either able to compromise with a root shell due to improper 
configurations, or able to completely circumvent due to flaws in bridging 
code within the VPN. I should also state that all of these were 
hardware-based VPNs, not software-based implementations.

This is definitely going to be an opinionated post, so if anyone disagrees, 
please take that in mind. But my opinion is that VPNs continue to be and 
have been both improperly deployed as well as improperly BUILT. I believe 
VPNs to be nothing more than an expansion device of a local network to a 
remote location rather than an actual "security solution". I put more faith 
in firewalls and OS hardening rather than the security job I've seen VPNs put 
in place. So I will provide a multi-tiered answer. VPNs to me can be both an 
armed human as well as a simple school locker padlock when improperly 
configured. 

It continues to amaze me how much faith people put in VPN technology, often 
even seeing them deployed with NO firewalls in place. How vulnerable ARE 
VPNs? I guess my only answer is CAN BE VERY. I've done numerous government 
contracting audits as well as audits of financial institutions that allowed 
me to use their VPN to bridge attacks directly at their internal LAN. See my 
VPNet advisory at (www.fatelabs.com).

I'm interested in seeing feedback and additional comments on my response. 
Anyone have any similar situations to add that they've encountered?

The best I can offer is for everyone to do strict auditing of their VPN 
configurations and setups. An improperly configured VPN can leave a 
swiss-cheese trapdoor to your most valued and secured assets on a LAN.

Loki
www.fatelabs.com


On Friday 16 November 2001 04:26 pm, Stephen Chowning wrote:
> A recent thread on this list had two people agreeing that all current
> implementations of vpn can be compromised. Since I didn't read any
> dissenting opinions, I assume that no-one disagrees. I hate to assume,
> so I am looking for people with opinions to chip in.
>
> If we assume (there's that word again) that all vpns can be hacked, my
> next question is how vulnerable are they? As I am pretty green here,
> could we equate it to auto theft? IOW, what level of auto security do
> vpns equate to? Factory doorlocks, easily compromised by the average
> shmo with a rock? The Club, little better than factory door locks? An
> alarm? An alarm with ignition disable? A trained attack dog? A trained,
> armed human? All of these CAN be compromised, but I sleep better with
> the armed guard on the job than I do with the factory door locks.
>
> Steve

-- 
==============================================
Loki
Founder, Chief Research Scientist
Fate Research Labs
United States VPN Division
----------------------------------------------------------------
[w] http://www.fatelabs.com
[e] loki at fatelabs.com
[p] 412-303-3115
==============================================

VPN is sponsored by SecurityFocus.com
