[vpn] Clarity
Stephen Chowning
schowning at home.com
Mon Nov 19 19:00:51 EST 2001
Sandy Harris wrote:
> Stephen Chowning wrote:
>
> > A recent thread on this list had two people agreeing that all current
> > implementations of vpn can be compromised. Since I didn't read any
> > dissenting opinions, I assume that no-one disagrees. I hate to assume,
> > so I am looking for people with opinions to chip in.
>
> It is not particularly interesting or useful to speak of whether some
> system "can be compromised" without specifying some sort of threat
> model.
A very thorough analysis, thanks Sandy. Very helpful. I understand all of
the brute force and circumvent methods of attack, i.e. physical security,
and high tech "Sneakers" type attacks, and either accept the risk, or can
take steps to secure the data. The threat model that I am focusing on is
hardware/software vulnerabilities of the VPN hardware/software itself from
the average black hat who might be trying to access my system just to see
what is there, or a slightly more focused attacker, after my clients'
personal and valuable info. Reasonable due diligence protection, IOW.
Loki states: "Albeit that every VPN I've pen-tested, I was either able to
compromise with a root shell due to improper configurations, or able to
completely circumvent due to flaws in bridging code within the VPN."
Forgive my ignorance, but by "improper configurations" does he mean that
the device was set up incorrectly, thus implying that correct config would
eliminate this flaw? If so, this would mean that the person configuring the
device was flawed, not the technology itself.
The second item, flaws in bridging code, is Greek to me. Perhaps someone
would be kind enough to elaborate in a way that a newbie would understand.
Loki admits that his testing does not extend to software based VPNs. Is
there any consensus as to their vulnerabilities? Better than hardware?
>
>
> If the opponent has huge resources and no restrictions so he can do
> more-or-less anything, then he can likely break most anything. For
> one thing, there's "rubber hose cryptography"; torture the sysadmin
> until you get the key. Or bribery, blackmail, ... Or hi-tech spy-tech
> using anything from a hidden video camera that records your screen
> and keystrokes to gadgets that do the same at a distance by decoding
> radiation from your computer.
>
> Also, even assuming the VPN software is perfect, it depends on many
> other things for its security.
>
> If the underlying operating system is insecure, then once an EvilDoer
> has root on that, he'll likely have no trouble breaking the VPN. To
> have any hope of a secure VPN, you need secure hosts.
>
> Be extremely reluctant to run anything but VPN software on your VPN
> gateway. Consider putting the firewall on a separate machine, in
> front of the VPN gate. Don't even think about putting mail or web
> servers, or user accounts, or disks shared by NFS or SMB, or ...
> on your VPN gate, or on the firewall. If you do install those,
> then a hole in them gives the enemy root on your gateway and
> compromises your VPN.
>
> There are also lots of policy and procedure questions. Can I get
> physical access to your VPN machine? If so, can I reboot it off a
> floppy I've brought and read your disks? That will break your VPN.
>
> Can an employee tap your internal network and pull the VPN machine's
> root password out of some dumb admin's unencrypted link to it? Can
> I get the whole disk contents by stealing a backup tape? Did you
> change the password after you fired what's-his-name?
>
> If your VPN uses IPsec and your threat model allows the assumptions
> that:
> your gateways are adequately physically secure
> all admin staff with privileged access are trustworthy
> your OS is secure against remote exploits
> (some combination of OS choice, your careful setup, and
> continuous monitoring of both logs and vulnerability
> reports, possibly a firewall in front of the gateway)
> you administer the gateways competently
> you take sensible precautions against attacks from within
> your organisation
> (SSH for all remote logins, switched ethernets to
> make eavesdropping harder, possibly internal firewalls)
>
> Then the IPsec protocols look completely secure to me. Of course,
> that doesn't mean a flawed implementation will be secure.
>
> VPN is sponsored by SecurityFocus.com
--
--If you try to fail, and then succeed, what've you really done?--
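As an added illustration, not part of this thread or of either poster's text, of Sandy's point that nothing but the VPN itself (plus an SSH admin path) should be listening on a VPN gateway: a small Python audit that reads `ss -tulnpH`-style socket listings and flags any listener outside an allowlist of IKE (UDP 500), IKE NAT-T (UDP 4500) and SSH (TCP 22). The sample listing, the process names and the allowlist are constructed for this example; ESP is IP protocol 50, not a socket, so it never appears in such output and needs no entry.

```python
"""Flag listening sockets on an IPsec gateway that fall outside an allowlist.

Added example, not code from the VPN mailing list. It parses the columns that
`ss -tulnpH` prints on Linux (Netid State Recv-Q Send-Q Local:Port Peer:Port
Process). The sample below is constructed, not captured from a real host.
"""
import re

# Allowlist of (protocol, port) an IPsec-only gateway legitimately exposes.
# Assumption for this example: remote admin is over SSH, as the thread advises.
DEFAULT_ALLOW = {
    ("udp", 500),   # IKE
    ("udp", 4500),  # IKE NAT traversal
    ("tcp", 22),    # SSH for admin logins
}

LOOPBACK = {"127.0.0.1", "::1"}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed sample listing: a gateway that also runs mail, SMB, NFS and web.
SAMPLE_SS = """\
udp   UNCONN 0   0     0.0.0.0:500      0.0.0.0:*  users:(("pluto",pid=812,fd=7))
udp   UNCONN 0   0     0.0.0.0:4500     0.0.0.0:*  users:(("pluto",pid=812,fd=8))
tcp   LISTEN 0   128   0.0.0.0:22       0.0.0.0:*  users:(("sshd",pid=601,fd=3))
tcp   LISTEN 0   128   0.0.0.0:25       0.0.0.0:*  users:(("sendmail",pid=900,fd=4))
tcp   LISTEN 0   50    0.0.0.0:445      0.0.0.0:*  users:(("smbd",pid=950,fd=5))
tcp   LISTEN 0   64    127.0.0.1:2049   0.0.0.0:*  users:(("rpc.nfsd",pid=970,fd=6))
tcp   LISTEN 0   128   [::]:80          [::]:*     users:(("httpd",pid=990,fd=9))
"""


def parse_ss_line(line):
    """Turn one ss output line into a dict, or None if it is not a socket row."""
    fields = line.split(maxsplit=6)
    if len(fields) < 6:
        return None
    proto, state, _recvq, _sendq, local, _peer = fields[:6]
    proc_field = fields[6] if len(fields) > 6 else ""
    addr, _, port = local.rpartition(":")
    if not port.isdigit():
        return None  # wildcard port, nothing to compare against the allowlist
    match = _PROC_RE.search(proc_field)
    return {
        "proto": proto,
        "state": state,
        "addr": addr.strip("[]"),  # "[::]" -> "::"
        "port": int(port),
        "process": match.group(1) if match else "?",
    }


def audit_listeners(lines, allow=DEFAULT_ALLOW):
    """Return (proto, port, process, scope) for every listener not in `allow`.

    scope is "loopback" when the socket is bound only to 127.0.0.1 or ::1,
    otherwise "external"; a loopback-only daemon is still code that should not
    be on the gateway, but it is not reachable from the network directly.
    """
    findings = []
    for line in lines:
        sock = parse_ss_line(line)
        if sock is None or (sock["proto"], sock["port"]) in allow:
            continue
        scope = "loopback" if sock["addr"] in LOOPBACK else "external"
        findings.append((sock["proto"], sock["port"], sock["process"], scope))
    return findings


def run_sample():
    """Audit the constructed sample listing."""
    return audit_listeners(SAMPLE_SS.splitlines())


if __name__ == "__main__":
    for proto, port, process, scope in run_sample():
        print(f"unexpected {scope} listener: {proto}/{port} ({process})")
```

On a real gateway the input would be the output of `ss -tulnpH` run as root; the allowlist is the policy decision, so anything the audit flags is either a service to remove or a deliberate exception to document.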