
VPN Insecurity

Dan Goldberg, MADJiC Consulting, Inc
http://www.madjic.net  dan@madjic.net

VPN Insecurity: Agenda

- What are VPNs
- How do VPNs work
- A brief crypto side trip
- VPN anatomy
- Basic WAN designs
- VPN risks
- Risk mitigation

What is a Virtual Private Network (VPN)?

Two working definitions:
- Private communications over a non-private medium
- A network transporting trusted data over an untrusted network (the Internet)

VPN formats:
- Host to host
- Host to gateway (remote access)
- Gateway to gateway (site to site)

VPN Implementations

- SSH (Secure Shell)
- SSL (Secure Sockets Layer)
  - OpenSSL & Stunnel
  - OpenVPN
  - Commercial SSL VPN
- Cryptcat (netcat with crypto)
- L2TP (Layer 2 transport protocol)
- PPTP (Point to point tunneling protocol)
- IPSec (Internet Protocol Security)

VPN Limitations

Implementations covered: SSH (Secure Shell), SSL (Secure Sockets Layer), Cryptcat, L2TP (Layer 2 transport protocol), PPTP (Point to point tunneling protocol), IPSec (Internet Protocol Security)

Limitations noted:
- SSH supports TCP traffic only
- Depends on client port forwarding
- Symmetric or weak crypto
- Unicast traffic only

The least you need to know about crypto

- Cryptography is used to permit Alice to talk to Bob
- Elvis can listen in but not change or understand the message
- There are two tools used to produce this end in IPSec VPNs and public key crypto:
  - Encryption algorithm
  - Cryptographic hash algorithm

Encryption and hashes

Encryption example:

plaintext >|< agfoel23.!0clw

Cryptographic hash:
- MD5 creates a 128 bit checksum
- SHA1 creates a 160 byte checksum

[dbg@madjicbox ~]$ sha1sum myfile.txt
07f775c5982e14ed7e8840016a0cf0f15bea599e  myfile.txt

- Used as a checksum to validate two inputs are the same
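An added example, not part of the slide deck, that runs the checksum idea above in Python: it reports the digest sizes of MD5 and SHA1 (hashlib gives 128 and 160 bits respectively), compares two constructed inputs the way two `sha1sum` lines would be compared, and then adds the keyed variant (HMAC-SHA1) that IPSec's integrity checks are built on, so that someone who only listens, and has no key, cannot alter a message and produce a valid tag for it. The sample messages and the shared key are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample inputs, standing in for myfile.txt and a modified copy.
ORIGINAL = b"Pay Bob 100 dollars.\n"
TAMPERED = b"Pay Bob 900 dollars.\n"
# Constructed integrity key shared by Alice and Bob (IPSec derives its keys via IKE).
SHARED_KEY = b"example-key-not-for-real-use"


def digest_hex(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of data; the same value `sha1sum` / `md5sum` print."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Digest length in bits (MD5 -> 128, SHA1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8


def same_content(a: bytes, b: bytes, algorithm: str = "sha1") -> bool:
    """Checksum use: two inputs are taken to be identical when their digests match.
    A one-byte change in the input produces a completely different digest."""
    return hmac.compare_digest(digest_hex(a, algorithm), digest_hex(b, algorithm))


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA1) as used by IPSec AH/ESP for integrity.
    A plain hash can be recomputed by anyone who changes the data; the keyed
    tag cannot be recomputed by Elvis, who only listens and holds no key."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(integrity_tag(key, data), tag)


if __name__ == "__main__":
    print("sha1 bits:", digest_bits("sha1"), " md5 bits:", digest_bits("md5"))
    print(digest_hex(ORIGINAL), " original")
    print(digest_hex(TAMPERED), " tampered")
    tag = integrity_tag(SHARED_KEY, ORIGINAL)
    print("tag verifies on original:", verify_tag(SHARED_KEY, ORIGINAL, tag))
    print("tag verifies on tampered:", verify_tag(SHARED_KEY, TAMPERED, tag))
```

`same_content` is the `sha1sum` comparison from the slide; `integrity_tag`/`verify_tag` are the step IPSec adds, since a checksum alone only detects accidental change, not a deliberate one by someone who can also recompute the checksum.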

A cryptographic sideshow

Hey! I heard that hashes are broken!?!
http://www.cits.rub.de/MD5Collisions/

- Hashes are not supposed to collide: no two inputs are supposed to produce the same output
- Some do! The link above tells the story of Alice and her boss (Bob) in which the boss signs a document with a known collision; ouch!

Why Internet Protocol Security (IPSec)?

Internet Protocol version 4 offers no payload security, only simple checksumming on headers.

IPSec provides:
- Transport mode (Authentication Header, AH): adds authentication to the existing IP header
- Tunnel mode (Encapsulating Security Protocol, ESP): encrypts and packages the original IP packet inside a new IP header transmitted by a security gateway; the receiving gateway reverses the process

Tunnel vs. Transport mode

Tunnel mode uses IP in IP: Encapsulated Security Protocol (ESP)
- Encrypts the entire packet at the security gateway, including the original header
- Adds an entire new IP header to the packet
- Transports to the security gateway based on policy
- Protects data and IP addresses of hosts behind the security gateway

Transport vs. Tunnel mode

Transport mode adds to the original IP header
- Signs the payload and transports to the next hop
- Inserts additional headers in the IP header with a hash/checksum
- Protects data from man in the middle
- Does not provide privacy of data in the payload or IP addresses!
- NAT breaks transport mode
- Does not include dynamic header data in the signature (TTL etc.)

IPSec Anatomy

- IKE: Internet Key Exchange
- ISAKMP: Internet Security Association and Key Management Protocol
- AH: Authentication Header
- ESP: Encapsulating Security Protocol

Authentication & Key Exchange

ISAKMP (IKE) policy:
- Authentication method: certificate, shared secret
- Encryption algorithm: DES, 3DES
- Hashing algorithm: MD5, SHA1
- Identify endpoints by DNS or IP
- Key lifetime measured in megabytes and/or time (minutes or hours)

Security Associations

- Policy must match on both ends
- One side initiates communications; a Security Policy Identifier (SPI) is created which identifies a Security Association (SA) in a Security Policy Database (SPD)
- The SPD holds all the SPIs a host knows about
- The Security Association identifies the instance of IPSec and its parameters

Keys! Keys! Who's got the keys?

- Crypto key material is sensitive
- How do we exchange keys?
- IKE (Internet Key Exchange)
  - Hybrid of ISAKMP and Oakley
  - UDP port 500
  - Manages key exchange, security associations, and key management
- It is critical to rekey periodically

IPSec Policy requirements

IPSec policy:
- Encryption algorithm: DES, 3DES
- Hashing algorithm: SHA1, MD5
- Key lifetime:
  - Bytes (many implementations default to 8 megabytes)
  - Minutes or hours (many implementations default to 24 hours)
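The following Python is an added example, not code from the slides or from any IPSec implementation, that models the two points made across the last few slides: "policy must match on both ends" (the responder accepts the first proposal, in the initiator's preference order, that its own policy allows, otherwise no SA is established) and the key lifetime limits, using the 8 megabyte and 24 hour defaults quoted above, with a rekey triggered by whichever limit is reached first. The `Proposal` and `SecurityAssociation` types, the SPI values and the two site policies are constructed for the example; `order_strongest_first` is an added defender's check, not something the slide describes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One ISAKMP/IKE transform: authentication method, cipher, hash."""
    auth: str         # "certificate" or "shared-secret"
    encryption: str   # "DES" or "3DES"
    hashing: str      # "MD5" or "SHA1"


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Policy must match on both ends: the responder accepts the first proposal,
    in the initiator's order of preference, that its own policy also allows.
    Returns None when nothing matches, i.e. no Security Association is built."""
    allowed = set(responder)
    for proposal in initiator:
        if proposal in allowed:
            return proposal
    return None


def order_strongest_first(policy: List[Proposal]) -> List[Proposal]:
    """Defender's preference (added here, not from the slide): offer 3DES and SHA1
    before DES and MD5, so a peer that supports both never lands on the weaker pair."""
    strength = {"3DES": 1, "DES": 0, "SHA1": 1, "MD5": 0}
    return sorted(policy,
                  key=lambda p: (strength[p.encryption], strength[p.hashing]),
                  reverse=True)


@dataclass
class SecurityAssociation:
    """An established SA carrying the lifetime limits the slide quotes as common defaults."""
    spi: int
    proposal: Proposal
    lifetime_bytes: int = 8 * 1024 * 1024   # many implementations default to 8 megabytes
    lifetime_seconds: int = 24 * 60 * 60    # many implementations default to 24 hours
    bytes_used: int = 0
    seconds_used: int = 0

    def account(self, nbytes: int, elapsed_seconds: int) -> None:
        """Called as traffic is protected under this SA and as time passes."""
        self.bytes_used += nbytes
        self.seconds_used += elapsed_seconds

    def needs_rekey(self) -> bool:
        """Rekey when EITHER limit is reached, whichever comes first."""
        return (self.bytes_used >= self.lifetime_bytes
                or self.seconds_used >= self.lifetime_seconds)


# Constructed policies for two gateways (not from the slides).
SITE_A = [Proposal("certificate", "3DES", "SHA1"), Proposal("shared-secret", "3DES", "MD5")]
SITE_B = [Proposal("shared-secret", "DES", "MD5"), Proposal("certificate", "3DES", "SHA1")]


if __name__ == "__main__":
    chosen = negotiate(SITE_A, SITE_B)
    print("negotiated:", chosen)
    sa = SecurityAssociation(spi=0x1000, proposal=chosen)
    sa.account(nbytes=8 * 1024 * 1024, elapsed_seconds=60)
    print("rekey needed after 8 MB in one minute:", sa.needs_rekey())
```

Because SITE_B lists its weak DES/MD5 transform first, the outcome depends on whose preference order wins: here the initiator's order decides, so the certificate/3DES/SHA1 transform both sides share is chosen. Swapping the roles is one way to see why the ordering check matters.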

Some things to look out for

IPSec as a tunnel:
- Combine AH and ESP
- Site to site VPNs, remote access
- Man in the middle attacks: modify unencrypted portions of the IP header in transit
  See http://isc.sans.org/diary.php?date=20050509 and http://www.niscc.gov.uk/niscc/docs/re2005050900385.pdf?lang=en

IPSec as a transport:
- Combine AH and ESP to protect the payload
- Host to host communications
- Validate communications on a private network

Some packets with IPSec

Three packets and the IPSec transforms:

An IP packet:                   [IP header] [Protocol header] [Payload]
An IP packet in transport mode: [IP header] [AH header] [Protocol header] [Payload]
An IP packet in tunnel mode:    [ESP IP header] [IP header] [Protocol header] [Payload]
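As an added example that is not part of the slide deck, the Python below builds the three layouts just shown (plain packet, transport mode with AH, tunnel mode with ESP) from real IPv4 headers and carries the transport-mode points from the earlier slides through to their consequence: the AH integrity value is computed with the mutable TTL and header-checksum fields zeroed, so a router decrementing TTL leaves it valid, while a NAT device rewriting the source address, which is covered, breaks it. The addresses, shared key, SPI values and TCP segment are constructed; the ESP encryption itself is left out and only the header arrangement is shown.

```python
import hashlib
import hmac
import socket
import struct

TCP, ESP, AH = 6, 50, 51        # IP protocol numbers
AH_LEN = 12 + 12                # fixed AH fields + 96-bit truncated ICV (HMAC-SHA1-96)
KEY = b"constructed-ah-key"     # constructed; a real SA gets its key from IKE


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options. The header checksum is left zero:
    it is a mutable field and is excluded from the AH signature anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(key, ip_hdr, after_ip):
    """AH integrity check value: HMAC-SHA1 over the IP header with the mutable
    fields zeroed (TTL at byte 8, checksum at bytes 10-11) plus everything after
    it, truncated to 96 bits. Dynamic header data is thus not in the signature."""
    fixed = bytearray(ip_hdr)
    fixed[8] = 0
    fixed[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(fixed) + after_ip, hashlib.sha1).digest()[:12]


def ah_header(next_header, spi, seq, icv):
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def plain_packet(src, dst, payload):
    """[IP header][Protocol header][Payload]; payload here is the transport segment."""
    return ipv4_header(src, dst, TCP, len(payload)) + payload


def transport_mode_ah(key, src, dst, payload, spi=0x1000, seq=1):
    """[IP header][AH header][Protocol header][Payload]: AH is inserted after the
    original IP header, which now carries protocol 51 and is itself signed."""
    hdr = ipv4_header(src, dst, AH, AH_LEN + len(payload))
    icv = ah_icv(key, hdr, ah_header(TCP, spi, seq, b"\x00" * 12) + payload)
    return hdr + ah_header(TCP, spi, seq, icv) + payload


def verify_transport_ah(key, packet):
    """Receiver: recompute the ICV with the ICV field zeroed and compare."""
    hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    expected = ah_icv(key, hdr, ah[:12] + b"\x00" * 12 + payload)
    return hmac.compare_digest(expected, ah[12:])


def tunnel_mode_esp(gw_src, gw_dst, inner_packet, spi=0x2000, seq=1):
    """[ESP IP header][ESP header][IP header][Protocol header][Payload]: the whole
    original packet becomes the ESP payload behind the gateways' outer header,
    so the inner addresses travel hidden. Encryption omitted; layout only."""
    esp_hdr = struct.pack("!II", spi, seq)
    outer = ipv4_header(gw_src, gw_dst, ESP, len(esp_hdr) + len(inner_packet))
    return outer + esp_hdr + inner_packet


def describe(packet):
    """Name the headers in a packet from its protocol field, as on the slide."""
    proto = packet[9]
    if proto == AH:
        return ["IP header", "AH header", "Protocol header", "Payload"]
    if proto == ESP:
        return ["ESP IP header", "ESP header", "IP header", "Protocol header", "Payload"]
    return ["IP header", "Protocol header", "Payload"]


def decrement_ttl(packet):
    """What every router on the path does; TTL is outside the AH ICV."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def nat_rewrite_src(packet, new_src):
    """What a NAT device does; the source address IS covered by the AH ICV."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


if __name__ == "__main__":
    seg = b"\x00\x15\x04\xd2" + b"constructed tcp segment"   # constructed payload
    ah_pkt = transport_mode_ah(KEY, "10.1.1.5", "10.2.2.9", seg)
    print(describe(ah_pkt))
    print("after router TTL decrement:", verify_transport_ah(KEY, decrement_ttl(ah_pkt)))
    print("after NAT source rewrite: ", verify_transport_ah(KEY, nat_rewrite_src(ah_pkt, "203.0.113.7")))
```

The last two lines print `True` and `False` respectively, which is the whole of "NAT breaks transport mode" in one run: the signature tolerates the fields the slide lists as dynamic and rejects every other change, including the one NAT has to make.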

Host to host

- In host to host mode, communications between specified hosts use IPSec
- Useful in server to server connections
- Typically does not require additional security at upper layers such as AAA
- All other communications are in the clear

Host to gateway

- Commonly used for remote access systems
- Requires AAA for access
- Does not replace AAA for systems on the network
- Split tunneling: unintended access

Gateway to gateway (site to site)

- Commonly used for WAN
- Does not require AAA for access
- Does not replace AAA for systems on the network
- Network controls must be implemented

Some WAN designs

- Hub and spoke
- Ring
- Mesh

WAN considerations:
- Routing complexity and number of links

VPN specific:
- Impact of crypto on CPU utilization
- Per tunnel impact on the VPN gateway

Site to site VPN risks

- Treat VPN tunnels as WAN links
- Determine trust level:
  - Trusted: internal
  - Semi-trusted: remote users, business partners with a common risk model
  - Untrusted: everyone else

Note: research shows that some 85% of attacks are internal

Where are VPNs used?

Connection types:
- Internal
- Business to business
- Business to customer
- Remote users: remote workers, contractors

Risk Mitigation

Consider the risk model for each location that is connected, and for each network, host, and service level consider appropriate:
- Authentication
- Access control
- Logging
- Virus vectors
- Ports and protocols
- Services

Mitigationexample

AlwaysconsiderImpliedAccess SiteAandSiteBshareasitetositeVPN PolicypermitsallhostsatsiteAtoaccess FTPserverbyIPaddress FTPserverhasFTPd,andSSHdrunning FTPuseraccountsarestoredin/etc/passwd Whatistheactualaccessbetweenthetwo sites?

PartneringandConnecting

Priortobuildinganylinkbetweentwoentities determine:

Whoarethecontactpointsoneachend Whatpolicywillgoverntheconnection Whocontrolsandmanagesthepoliciesoneach device Thechangemanagementprocess

MitigationexampleII

CompanyAandCompanyBshareasiteto siteVPN CompanyA'spacketfilterpolicylimits accessbetweenhosts(byIP)andports whicharepermittedbetweenthem CompanyBpermitsalltrafficbetweenboth sites Duringatechnicalconcallnoonecan identifythepolicyowneratcompanyB

Additionalmitigation

TerminateallVPNsonaseparateLAN segment FirewalltheVPNsegmentfromtheinternal LAN PermitaccessbysourceanddestinationIP andport/protocolasrequired Thisrequiresplanningandunderstanding whatthecommunicationneedsofallgroups Beawareofimpliedaccessviasplittunnels
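An added example, not from the slides, that answers the "what is the actual access" question of the first mitigation example and checks the "by source and destination IP and port/protocol" advice just above against it, in Python. A small packet-filter evaluator computes which listening services a source can actually reach under a rule set; the slide's "by IP address" rule exposes the SSH daemon alongside FTP (and, with accounts shared via /etc/passwd, FTP credentials work on it), while the port-qualified rule does not. `end_to_end_access` models Mitigation example II: both sides' filters apply, so a side that permits everything adds no restriction. The networks, addresses and rule sets are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 21)


class Rule:
    """A permit rule: source network -> destination network, optionally narrowed
    to one protocol/port. proto/port of None mean 'any', i.e. access by IP only."""

    def __init__(self, src: str, dst: str,
                 proto: Optional[str] = None, port: Optional[int] = None):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto, self.port = proto, port

    def permits(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (None, proto)
                and self.port in (None, port))


def effective_access(rules: List[Rule], src_ip: str, dst_ip: str,
                     listening: Set[Service]) -> Set[Service]:
    """Actual access: every service listening on dst_ip that some rule lets src_ip reach."""
    return {svc for svc in listening
            if any(r.permits(src_ip, dst_ip, *svc) for r in rules)}


def implied_access(rules: List[Rule], src_ip: str, dst_ip: str,
                   listening: Set[Service], intended: Set[Service]) -> Set[Service]:
    """Reachable services that nobody meant to expose."""
    return effective_access(rules, src_ip, dst_ip, listening) - intended


def end_to_end_access(filters: Iterable[List[Rule]], src_ip: str, dst_ip: str,
                      listening: Set[Service]) -> Set[Service]:
    """Across a site to site VPN each side's filter is applied in turn, so traffic
    must pass all of them; a side that permits everything restricts nothing."""
    reachable = set(listening)
    for rules in filters:
        reachable &= effective_access(rules, src_ip, dst_ip, listening)
    return reachable


# Constructed scenario after the slide: site A hosts, an FTP server at site B that
# also runs sshd, with FTP accounts in /etc/passwd (so FTP credentials open SSH too).
SITE_A_NET = "10.1.0.0/16"
FTP_SERVER = "10.2.0.10"
FTP_SERVER_LISTENING = {("tcp", 21), ("tcp", 22)}
INTENDED = {("tcp", 21)}

# Policy as stated on the slide: all hosts at site A may reach the FTP server, by IP only.
BY_IP_ONLY = [Rule(SITE_A_NET, FTP_SERVER + "/32")]
# Hardened policy from "Additional mitigation": by IP and port/protocol.
BY_IP_AND_PORT = [Rule(SITE_A_NET, FTP_SERVER + "/32", "tcp", 21)]
# Company B's side permitting all traffic between the sites (Mitigation example II).
PERMIT_ALL = [Rule("0.0.0.0/0", "0.0.0.0/0")]


if __name__ == "__main__":
    host_a = "10.1.5.5"
    print("by IP only, implied:", implied_access(BY_IP_ONLY, host_a, FTP_SERVER,
                                                 FTP_SERVER_LISTENING, INTENDED))
    print("by IP and port, implied:", implied_access(BY_IP_AND_PORT, host_a, FTP_SERVER,
                                                     FTP_SERVER_LISTENING, INTENDED))
    print("end to end with B permitting all:",
          end_to_end_access([BY_IP_ONLY, PERMIT_ALL], host_a, FTP_SERVER, FTP_SERVER_LISTENING))
```

The evaluator needs the list of listening services to answer the question, which is the practical point: a filter rule written "by IP" can only be judged together with an inventory of what the destination host runs.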

Recent VPN Product Vulnerabilities

- Cisco's VPN concentrator: http://www.niscc.gov.uk/niscc/docs/br2005062700520.html?lang=en
- Nortel VPN cleartext password issue: http://www.net-security.org/vuln.php?id=4065
- Nortel malformed IKE packet vulnerability: http://addict3d.org/index.php?page=viewarticle&type=security&ID=4094
- Cisco's malformed IKE packet vulnerability: http://www.cisco.com/en/US/products/products_security_advisory09186a00802126a3.shtml

Conclusion

- Treat VPNs like any WAN link
- Employ the principle of least privilege
- When deploying VPNs, determine security and access requirements in advance
- Limit access between VPN segments and LAN segments, then permit traffic as needed
