How secure is a VPN in SA


steven

Jun 6, 2007, 5:14:13 AM
to WhitehatAfrica
I have set up various VPN links using a variety of routers and
configurations, and always been under the assumption that they are
fairly well secured if set up correctly. Now I understand that the
level of security will differ depending on your particular setup.
However a guy I know who runs a rather large ISP claims that under the
current SA infrastructure VPNs are simply not secure at all.

Does anybody have any thoughts on this, am I blissfully unaware, is
there some truth behind this?

Thanks
Steven

rob hunter

Jun 6, 2007, 5:28:58 AM
to Whiteha...@googlegroups.com
it all depends on what he actually means.

Julius Francis

Jun 6, 2007, 5:35:41 AM
to Whiteha...@googlegroups.com
In my experience it is not the VPN tunnels themselves, but the key
management.

1. Using pre-shared secrets -- these are often not strong enough or changed
often enough. It's all good and well to enforce a password policy for users
detailing complexity, history, length and expiry, but very often VPN tunnels
use the same weak pre-shared secret for years and years on end.

2. Pre-shared secrets are often exchanged via email between firewall techies
of different organisations. In addition to disclosing weak pre-shared keys
via an insecure medium, often email is archived insecurely (.pst files on
desktops) or during numerous emails that travel up and down between firewall
techies who troubleshoot the tunnels. I have lost track of the numerous
occasions that I have seen inadvertently disclosed "secrets" by just
scrolling through the email history of an escalated problem.

Not all organisations have proper PKI infrastructures, so Shared "Secrets"
are most often used. In addition, not all firewall techies understand or
know how to use PGP or even GNUPG and those that do, can't be bothered
because they sometimes have to coach the person on the other side of the
tunnel, who speaks a foreign language and is in a different timezone.

So I wouldn't say that VPN tunnels are insecure, but that the key management
surrounding them is an issue.

Thanks
Steven
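
An added example, not part of the original post: a small audit for the two problems described above, pre-shared secrets that are weak and secrets left unchanged for years. It assumes the tunnel secrets are kept in a strongSwan-style ipsec.secrets file; the "# rotated:" comment convention, the function names and the 128-bit / 365-day thresholds are assumptions made for this example.

```python
import math
import re
import string
from datetime import date

# Constructed sample in strongSwan-style ipsec.secrets syntax (documentation
# addresses). The "# rotated:" comment is a hypothetical local convention.
SAMPLE = """\
# rotated: 2004-02-11
192.0.2.10 198.51.100.7 : PSK "acme2004"
# rotated: 2007-05-20
192.0.2.10 203.0.113.9 : PSK "Tq7#vL2p9x!Zc4Rk8mWd3YbN6hJs"
# rotated: 2007-01-15
192.0.2.10 203.0.113.40 : PSK 0x6b6579
"""

ENTRY = re.compile(r'^([^:#]+?)\s*:\s*PSK\s+("[^"]*"|0x[0-9a-fA-F]+)\s*$')
ROTATED = re.compile(r"^#\s*rotated:\s*(\d{4})-(\d{2})-(\d{2})\s*$")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def estimate_bits(secret):
    """Upper bound on entropy, assuming every symbol was chosen at random."""
    if secret.startswith("0x"):
        return 4.0 * (len(secret) - 2)          # 4 bits per hex digit
    text = secret[1:-1]                          # drop the surrounding quotes
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in text))
    return len(text) * math.log2(pool) if pool else 0.0

def audit(text, today, min_bits=128, max_age_days=365):
    """Map each tunnel's peer pair to its findings; secrets are never echoed."""
    findings, rotated = {}, None
    for line in text.splitlines():
        if m := ROTATED.match(line):
            rotated = date(*map(int, m.groups()))
        elif m := ENTRY.match(line):
            issues = []
            if estimate_bits(m.group(2)) < min_bits:
                issues.append("weak")
            if rotated is None:
                issues.append("no-rotation-date")
            elif (today - rotated).days > max_age_days:
                issues.append("stale")
            findings[m.group(1)] = issues
            rotated = None                       # a date applies to one entry only

    return findings

if __name__ == "__main__":
    for peers, issues in audit(SAMPLE, date(2007, 6, 6)).items():
        print(peers, "->", ", ".join(issues) or "ok")
```

The bit count is an upper bound: a secret built from a company name and a year scores far higher here than it is really worth, so a "weak" finding is a floor, not a full assessment.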



Frans Sauermann

Jun 7, 2007, 5:04:23 AM
to WhitehatAfrica
Could you get him to elaborate the reasons why not?
e.g.
1. The Telco Cisco VPN access routers use a bad encryption algorithm.
2. The VPNs use symmetric keys instead of asymmetric (PKI) keys.
3. Private keys can easily be accessed.
4. The PKI designs are flawed.
5. The VPNs are not end-to-end.
6. The processes in managing VPNs are not secure.

As far as the claim goes that somebody like IS, SAIX or UUnet have
weak VPNs... that is a very bold claim to make. The big backbones
segregate networks via switching mechanisms such as Frame Relay or
ATM, and on top of that they do IPSec or related VPN end-to-end.

Would be interesting to see why he makes that statement though, since
he may know things we don't...

rob hunter

Jun 8, 2007, 4:23:55 AM
to Whiteha...@googlegroups.com

just to add ...

Most ISPs make use of MPLS for their VPNs. With or without IPSEC, the traffic is segmented at a routing level. To mess with this, the attacker would have to have intimate knowledge of the MPLS labels in use, and would have to be able to inject traffic with the correct label. This afaik would only work asymmetrically, so in addition to this, if you were to attack the VPN at this level, you'd have to employ some kind of blind IP spoofing or some other method of doing what you need to do without ever seeing return traffic. Unless of course you'd managed to get into the management VRF/station of <insert ISP here>...

Regards

--Rob


steven

Jun 10, 2007, 1:43:57 PM
to WhitehatAfrica
He has not elaborated in any detail as to the reasons why he states
VPNs are not secure; will try to get some more information and post it if
I get any further information. I have spoken to several people
offline and I am basically getting the same answers: as long as the setup
is done correctly and you have good policy in place regarding
passwords etc., no reason to think the VPN should be insecure.

Thanks
Steven

Hendrik Visage

Jun 11, 2007, 5:57:21 AM
to Whiteha...@googlegroups.com
On 6/6/07, steven <techtron...@gmail.com> wrote:
>
> I have set up various VPN links using a variety of routers and
> configurations, and always been under the assumption that they are
> fairly well secured if set up correctly.

It depends on how secure the system is that you have set up.

> Now I understand that the
> level of security will differ depending on your particular setup.

You've just made a very good discovery about life the universe and Security ;^)

> However a guy I know who runs a rather large ISP claims that under the
> current SA infrastructure VPNs are simply not secure at all.

Again, it depends on what your definition and their definitions of
security entails.

> Does anybody have any thoughts on this, am I blissfully unaware, is
> there some truth behind this?

Yes.

All the MPLS-based networks place the onus squarely on the provider to
ensure the security. Decide yourself about that risk and trust w.r.t.
their personnel etc.

Something else, MPLS doesn't encrypt at all, and only segregates, so
it can very easily be captured by government agencies once the provider
has been informed about the need to capture the data.

In short:

(1) make sure you know the needs and security requirements of your clients
(2) make sure you know and understand the security (or lack thereof)
provided by the provider
(3) Only then can you design a proper/secure network ;)

--
Hendrik Visage
