Virtual private networks make life easier for employees who can
access a company's network from virtually anywhere, but it also
makes it easier for a hacker to steal your sensitive information.
In this section of our network access learning guide, learn how to
test the security of your VPN, maintain VPN security, learn about
different types of VPNs and more.
Table of contents
Microsoft network access protection with NAP
and NAQC
Microsoft network endpoint security tips and
tactics
Remote access security measures for Windows
users
VPN security testing and maintenance
Microsoft Windows Firewall
security
Virtual private networks (VPNs) allow remote employees to access
their company's respective network. Of course, when a number of
VPNs are run through the internet, several security questions are
raised. Do my users need extra security? Does my network need extra
security precautions? How easily can a hacker access my network
through my employee's VPN connection?
While a VPN traditionally comes with its own extra precautionary
security measures, that does not mean that a VPN does not create
extra risk. Check out the tips below to learn how to give your VPN
a penetration test and read a series of
VPN quick tips.
Choose the best VPN technology for your enterprise learn to
maintain your VPN once it is deployed with this collection of
VPN security tips.
Pre-deployment education and decision making
IPsec VPNs extend your network's security
perimeter by connecting individual hosts or entire networks.
Preventing unauthorised access starts with verifying the
identity of those VPN tunnel endpoints. Using the wrong
authentication method can lead to interoperability issues or
corporate network compromise. This tip explores the IPsec VPN
identity and authentication options supported by the Internet
Key Exchange (IKE) standard, as well as common supplier
extensions like Extended Authentication (XAUTH). Readers will
learn valid parameter combinations and their security and
deployment implications.
Testing the security of your VPN deployment
Your VPN is a vital gateway into your network for your company's
road warriors, telecommuters and other remote users. Unfortunately,
it's also a gateway for the less-than-scrupulous predators prowling
the internet for access to your network. This tip looks at why it's
important to add your VPN to your pen testing process, and reviews
tools and tactics for testing both IPSec and SSL VPNs.
Troubleshooting and maintaining your VPN
Have you ever been in a situation where your users are having
trouble accessing your VPN? Perhaps this happens after you've
undergone a major systems upgrade, like installing Service Pack 2,
for example. Networking security expert Wes Noonan suggests that
you "verify your VPN settings on the routers to ensure that you are
using ms-chap for your ppp authentication and that you have
configured the ppp encrypt mppe command with the correct level of
encryption (auto, 40bit or 128bit)." For more information about
configuring
IOS based VPNs, click here.
If that doesn't work, maybe this advice from Kevin Beaver will
help. "If your VPN traffic is being blocked, you should be able to
go into Security Center and select "Windows firewall" under "manage
security settings." You can then click on the "exceptions" page on
the Windows firewall window that loads and select "add port." The
port numbers vary based on what kind of VPN you use. IPSec VPNs
typically use UDP port 500, and PPTP VPNs use TCP port 3389, so you
can try creating exceptions for them. Otherwise, you'll need to
contact your network administrator to get that info."
Alternative solutions to a VPN
Windows has two major mechanisms for allowing remote users
controlled, protected access on a server: the virtual private
network (VPN) and
remote desktop. These methods are designed
to solve different problems, so which should you use and when?
To help you answer that question, here is a technical overview
of each and offer comparisons in the following tip.
What is a remote desktop?
Unlike VPNs,
remote desktop in Windows 2000 or XP
Professional allows the user to run a functional clone of
another computer's desktop, giving him access to all the
programs, resources and accessories on that computer.
When to use one method over the other
VPNs have one big disadvantage that remote desktops do not. When
a user sets up a VPN connection, all network traffic on his
computer is redirected through the VPN. It's often difficult to
force a specific application to use a different network
interface.
A remote desktop connection, on the other hand, does not
commandeer the system's networking; it runs as a standalone network
application. Remote desktop connections can also (and probably
should) be encrypted at the option of the administrator, so they
rarely pose a security problem.
In some cases it's possible to choose either VPN or remote
desktop as your solution, although they will be deployed and used
in radically different ways and to different ends.
You can also check out an open source VPN solution, called
OpenVPN.
Pen testing your VPN
Your VPN is a vital gateway into your network for your company's
road warriors, telecommuters and other remote users. This tip looks
at why it's important to add
< VPN>to your list of
concerns.
A Virtual Private Network (VPN)
is like a large sign, saying "sensitive data here." Hackers know
that when they've found a VPN, they've hit the jackpot, because it
means somebody is trying to secure something confidential.
Therefore, like any other gateway, your VPN needs to go through a
thorough penetration test to check
for vulnerabilities. It's easy to overlook VPNs when administering
a network penetration test, as it's
often assumed that they're the most secure part of it. But, they're
not and they're a magnet for hackers.
Pen testing a VPN is straightforward, and there are some common
tools for the job. It's not much different from the rest of your
pen testing routine and should be part of it.
There are two types of VPNs: IPSec and SSL.
Which VPN you are running will determine how you conduct the pen
test. Regardless, there are three basic steps to pen testing your
VPN:
- Scout the terrain and plan the attack.
- Exploit known vulnerabilities -- then close or patch them.
- Test for default user accounts -- then shut them
down.
The exploit phase of the test must go in one of two directions.
Testing an IPSec VPN is very different from testing an SSL VPN. The
IPSec VPN is network-based, while the SSL VPN is web-based. In
fact, the SSL VPN is essentially a web application and should be
tested as such.
IPsec VPNs
For IPSec VPNs, NTA Monitor has a
tool called IKE-scan, which can fingerprint many VPN suppliers and
models. With that information, a hacker can search the web for
details of attacks against specific suppliers. Exploits have been
found and posted for Cisco, Nortel, Check Point and Watchguard
devices. The tool can't fingerprint every VPN model, but it can
reveal the type of authentication used in the VPN – useful
information for a prowling cracker. Other tools, like IKEProbe and
IKECrack, take advantage of weaknesses in the pre-shared key (PSK)
authentication used in IPSec VPNs. The hashes captured by these
tools can then be run through ordinary password crackers, such as
Cain and Abel, to steal passwords for malicious access to the VPN
and, of course, the corporate network.
Finally, IPSec VPNs, like any firewall or network device, have default user
accounts. These accounts are used for initial installation and
aren't needed after that. Either remove them or change their names,
where possible. The same goes for any administrative accounts used
for routine maintenance. Change default passwords.
SSL VPNs
For SSL VPNs, the same tools for
scanning a web application can be used. Tools, such as Webinspect
and Watchfire, can check for web threats like cross-site scripting
(XSS), SQL injection, buffer overflows, weak authentication and
old-fashioned parameter manipulation. The scan results can be
followed by either automatic or manual tests to verify the
vulnerabilities. Again, an SSL VPN is just a web application. Test
it like one.