3.1.8 VPN (Virtual Private Network) (Page 2 of 2)

Security Issues with VPNs

One security issue with VPNs is that your communication is at the mercy of the Internet. While communication using a VPN is generally secure, it's not without potential problems. If an area of the net is slow one afternoon, your VPN communication speed for any communications traveling across that portion of the net will be slow. If there's an outage at an ISP, one or more sites may be temporarily knocked off your VPN. If an attacker decides to DoS one or more routers at sites involved in your VPN, their communications will be impaired. If a script-kiddie-exploitable flaw that crashes your particular brand of VPN is found, prepare to stop what you're doing periodically and reset the VPN until the vendor fixes the flaw.

Another issue with VPNs is that, depending on the technology you use, you may find that some information about your network and communications, such as packets' source and destination IP addresses, is not encrypted. If it is important to you to keep this information private, make sure that the VPN you select will do so, or perhaps incorporate the use of NAT in your network so that the only exposed address within your network is the NAT server.

On a related note, another issue with VPNs is their potential susceptibility to man-in-the-middle attacks, which intercept the communication, take note of the IP addresses involved and then impersonate either the client or server side. (Note that if good encryption is used, this is not trivial to accomplish.)

Another security issue with VPNs is related to encryption. If an attacker knows the information transmitted across your VPN is very valuable (perhaps credit card or wire transfer information), they may be willing to spend considerable amounts of time and money to attempt to break the encryption being used.
Practically speaking, most VPN encryption mechanisms are sufficiently secure, but remember that 30 years ago DES was not considered reasonably breakable. Be aware that the passage of time may render certain encryption mechanisms ineffective.
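The point above about source and destination addresses escaping encryption is easiest to see by building two packets side by side. The following script is an added illustration, not code from the CertiGuide text: it contrasts a transport-style VPN, which encrypts only the payload and leaves the original host addresses on the wire, with a tunnel-style VPN, which encrypts the whole inner packet and wraps it in an outer header that names only the two gateways (the same effect the text describes for placing a NAT server at the edge). The cipher is a constructed toy keystream (HMAC-SHA256 in counter mode) so the script runs on the standard library alone; the key, nonce, internal 10.x addresses and gateway addresses (RFC 5737 documentation ranges) are all constructed sample values, and nothing here is a real IPsec or ESP implementation.

```python
"""Added illustration: what an on-path observer can read from a VPN packet.
Toy cipher and sample addresses are constructed for the demo only."""
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-shared-secret"  # assumption: pre-shared key for the demo


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with HMAC-SHA256(key, nonce||counter)
    blocks. XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Packet:
    """Minimal IP-like packet: two addresses and a payload."""
    src: str
    dst: str
    payload: bytes

    def to_bytes(self) -> bytes:
        # Header and payload serialized together; this is what tunnel mode encrypts.
        return f"{self.src}>{self.dst}|".encode() + self.payload


def transport_mode(inner: Packet, nonce: bytes) -> Packet:
    """Encrypt only the payload; the original src/dst stay readable on the wire."""
    return Packet(inner.src, inner.dst, keystream_xor(KEY, nonce, inner.payload))


def tunnel_mode(inner: Packet, gw_src: str, gw_dst: str, nonce: bytes) -> Packet:
    """Encrypt the whole inner packet, header included, and wrap it in an outer
    header that exposes only the two VPN gateway addresses."""
    return Packet(gw_src, gw_dst, keystream_xor(KEY, nonce, inner.to_bytes()))


def observer_view(on_wire: Packet) -> dict:
    """Everything someone sniffing the Internet path learns without the key."""
    return {"src": on_wire.src, "dst": on_wire.dst, "length": len(on_wire.payload)}


def leaks_internal_addresses(on_wire: Packet, internal_prefix: str) -> bool:
    """True if either visible address belongs to the internal network."""
    view = observer_view(on_wire)
    return view["src"].startswith(internal_prefix) or view["dst"].startswith(internal_prefix)


def demo() -> dict:
    nonce = b"\x00" * 8  # constructed; real protocols use per-packet sequence numbers
    inner = Packet("10.1.0.25", "10.2.0.40", b"wire transfer: ACCT 1234 -> 5678")
    transport = transport_mode(inner, nonce)
    tunnel = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", nonce)
    return {
        "transport_leaks_internal": leaks_internal_addresses(transport, "10."),
        "tunnel_leaks_internal": leaks_internal_addresses(tunnel, "10."),
        # The receiving gateway recovers the full inner packet from the tunnel payload.
        "tunnel_roundtrip_ok": keystream_xor(KEY, nonce, tunnel.payload) == inner.to_bytes(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script reports that the transport-style packet exposes the 10.x addresses while the tunnel-style packet exposes only the gateways, which is the property to confirm (by packet capture, not by reading the brochure) before trusting a VPN product to keep internal addressing private.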
Before implementing a VPN, consider whether interoperability is a factor, as it often is when your VPN includes an extranet consisting of your network and your business partners' networks. In that situation, it may not be feasible to merely dictate to your partners that they must use certain VPN hardware or software to communicate with your site. Your options may be limited to the hardware or software your partners' existing VPN supports, in order to communicate with them.

Windows includes VPN capability right out of the box, via PPTP and IPSec. On Linux, two packages commonly used to implement VPNs are ssh (discussed in section 2.1.6) and FreeS/WAN, an open source IPSec utility. If it isn't supplied as part of your favorite distro, check the http://www.freeswan.org site for download locations. Information about configuring FreeS/WAN can be found in Hack Proofing Linux [288] by Stanger et al. For more information about VPNs, see Virtual Private Networking: A View from the Trenches [289] by Bruce Perlmutter and Jonathan Zarkower.

__________________

288. Stanger, James, Patrick T. Lane and Edgar Danielyan, Hack Proofing Linux, Syngress, July 2001, http://www.nerdbooks.com/item.html?id=1928994342

289. Perlmutter, Bruce and Jonathan Zarkower, Virtual Private Networking: A View From the Trenches, Prentice-Hall, November 1999, http://www.nerdbooks.com/item.html?id=0130203351
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.