Dan Goldberg, MADJiC Consulting, Inc
http://www.madjic.net   dan@madjic.net

VPN Insecurity

Agenda
What is a Virtual Private Network (VPN)
Two working definitions
VPN formats

VPN Implementations
SSH  Secure Shell
SSL  Secure Sockets Layer

VPN Limitations
SSH supports TCP traffic only
Depend on client port forwarding
Symmetric or weak crypto
Unicast traffic only

The least you need to know about crypto
Encryption algorithm
Cryptographic hash algorithm

Encryption and hashes
Encryption example:
plaintext  >|<  agfoel23.!0clw

Cryptographic Hash
MD5 creates a 128 bit checksum
SHA1 creates 160 byte checksum
[dbg@madjicbox ~]$ sha1sum myfile.txt
07f775c5982e14ed7e8840016a0cf0f15bea599e  myfile.txt
Used as a checksum to validate two inputs are the same

A cryptographic sideshow
No two inputs are supposed to produce the same output

Why Internet Protocol Security (IPSec)?
Internet Protocol version 4 offers no payload security
Simple checksumming on headers
IPSec provides:
Transport mode (Authentication Header, AH)
Tunnel mode (Encapsulating Security Protocol, ESP)
Adds authentication to existing IP header

Tunnel vs. Transport mode
Tunnel mode uses IP in IP

Transport vs. Tunnel Mode
Transport mode adds to original IP header
Signs payload and transports to next hop
Does not include dynamic header data in signature (TTL etc.)
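The transport-mode point above, that the AH signature covers the payload and the immutable part of the IP header but not fields a router changes in transit, shown as an added example (not from the slides): AH's integrity check is modelled as HMAC-SHA1-96 over a 20-byte IPv4 header with the mutable fields zeroed. The key, addresses and payload are constructed for the demonstration.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed shared key for the demonstration (not from the slides).
KEY = b"constructed-demo-key"

def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at zero."""
    version_ihl = (4 << 4) | 5
    total_length = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_length, 0, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def zero_mutable_fields(header: bytes) -> bytes:
    """Zero the fields a router may legitimately change in transit (ToS,
    flags/fragment offset, TTL, header checksum) so the integrity value
    covers only the immutable part of the header, as AH does."""
    h = bytearray(header)
    h[1] = 0                # ToS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits (12 bytes), the AH HMAC-SHA1-96 convention."""
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha1).digest()[:12]

def verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    """Constant-time comparison of the recomputed ICV with the received one."""
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def demo():
    payload = b"constructed payload"
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=64, proto=6, payload_len=len(payload))
    icv = ah_icv(KEY, hdr, payload)
    # A hop decrements TTL: the packet still verifies, because TTL is excluded.
    hopped = bytearray(hdr)
    hopped[8] -= 1
    after_hop = verify(KEY, bytes(hopped), payload, icv)
    # Destination address rewritten in transit: verification fails, because it is signed.
    redirected = bytearray(hdr)
    redirected[16:20] = IPv4Address("10.0.0.99").packed
    after_tamper = verify(KEY, bytes(redirected), payload, icv)
    return after_hop, after_tamper
```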
IPSec Anatomy
Authentication & Key Exchange
ISAKMP (IKE)
Authentication method
Policy
Encryption algorithm
Hashing algorithm

Security Associations
Policy must match on both ends
The Security Association identifies the instance of IPSec and its parameters

Keys! Keys! Who's got the keys?
It is critical to rekey periodically

IPSec Policy requirements
IPSec Policy
Encryption algorithm
Hashing algorithm
Key lifetime

Some things to look out for

IPSec as a Tunnel
Combine AH and ESP
Site 2 site VPNs
Remote Access
Man in the middle attacks
Modify unencrypted portions of IP header in transit
See http://isc.sans.org/diary.php?date=20050509
http://www.niscc.gov.uk/niscc/docs/re2005050900385.pdf?lang=en

IPSec as a Transport
Combine AH and ESP to protect payload
Host to host communications
Validate communications on a private network

Some packets with IPSec
Three packets and the IPSec transforms
An IP Packet:  IP header | Protocol header | Payload
An IP Packet in transport mode:  IP header | AH header | Protocol header | Payload
Host to host
Host to gateway
Gateway to gateway (Site to site)

Some WAN designs
VPN specific

Site 2 site VPN Risks
Treat VPN tunnels as WAN links
Determine trust level
Note: research shows that some 85% of attacks are internal

Where are VPNs used?
Connection types
Remote workers
Contractors

Risk Mitigation
Authentication
Access control
Logging
Virus vectors
Ports and protocols
Services

Mitigation example

Partnering and Connecting
Prior to building any link between two entities determine:

Mitigation example II
Additional mitigation

Recent VPN Product Vulnerabilities
Cisco's VPN concentrator: http://www.niscc.gov.uk/niscc/docs/br2005062700520.html?lang=en
Nortel VPN cleartext password issue: http://www.net-security.org/vuln.php?id=4065
Nortel malformed IKE packet vulnerability: http://addict3d.org/index.php?page=viewarticle&type=security&ID=4094
Cisco's malformed IKE packet vulnerability: http://www.cisco.com/en/US/products/products_security_advisory09186a00802126a3.shtml

Conclusion