[vpn] Clarity

Rick Smith at Secure Computing rick_smith at securecomputing.com
Wed Nov 21 18:01:37 EST 2001


At 06:00 PM 11/19/2001, Stephen Chowning wrote:

>The threat model that I am focusing on is
>hardware/software vulnerabilities of the VPN hardware/software itself from
>the average black hat who might be trying to access my system just to see
>what is there, or a slightly more focused attacker, after my clients'
>personal and valuable info. Reasonable due diligence protection, IOW.

So your focus is on external attacks -- the external attacker can either 
attack your traffic in transit by trying to break the crypto, or remotely 
attack the endpoint systems. IPSEC crypto is pretty hard to break, assuming 
you've set up respectably large keys (1k or larger public keys, 128-bit or 
larger secret keys). So that leaves the endpoint systems.

>Forgive my ignorance, but by "improper configurations" does he mean that
>the device was set up incorrectly, thus implying that correct config would
>eliminate this flaw? If so, this would mean that the person configing the
>device was flawed, not the technology itself.

I can't speak for Loki, but I think it is important to recognize that the 
vendors of commercial computer systems don't spend a lot of time verifying 
that their systems can resist attacks. As a result, the system may have 
flaws that permit a penetration regardless of how tightly it's configured. 
Moreover, it can be hard to figure out what a "proper configuration" might be.

In some cases you might feel obligated to open a particular type of 
vulnerability in order to support a critical business activity. It's like 
operating a retail store: you can keep out the shoplifters by locking all 
the doors. But that locks out the customers, too, and does away with the 
whole point of running the business in the first place. So you have to 
strike a balance.

>Loki admits that his testing does not extend to software based VPNs. Is
>there any consensus as to their vulnerabilities? Better than hardware?

The fundamental risk with a 'software VPN' is that the attacker might go 
after whatever OS you've loaded your VPN product onto, since the OS itself 
might have flaws.

In theory, a hardware VPN could reduce such risks by using a proprietary, 
or at least a preconfigured, OS that's "hardened" to address security 
concerns. I haven't looked at Loki's reports, so I don't know if he's 
finding flaws in the VPN components or in the underlying OS components. If 
it's the latter, then the hardware vendors aren't getting a benefit out of 
the potential for OS preconfiguration and tailoring.

In any case, it's not clear that there deserves to be a real distinction 
between "software" and "hardware" VPNs as far as security goes.

Often, a "hardware VPN" is simply a software product for which the vendor 
provides the VPN software and a commercial OS pre-loaded on some hardware. 
The distinction might be more real if a "hardware VPN" always relied on a 
proprietary OS of some sort. That might make our Sidewinder appear to be a 
"hardware VPN" even though it's often sold as a software product.

In any case, a proprietary OS can be a double-edged sword. We've had good 
fortune with Sidewinder's SecureOS, since the security mechanisms generally 
work the way we hoped they would. Other vendors, notably in the routing 
arena, haven't been so fortunate with the security of their proprietary OSes.


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

