Table of contents
Microsoft network access protection with NAP and NAQC
Microsoft network endpoint security tips and tactics
Remote access security measures for Windows users
VPN security testing and maintenance
Microsoft Windows Firewall security
|NAP and NAQC|
Virtual private networks (VPNs) allow remote employees to access their company's respective network. Of course, when a number of VPNs are run through the internet, several security questions are raised. Do my users need extra security? Does my network need extra security precautions? How easily can a hacker access my network through my employee's VPN connection?
While a VPN traditionally comes with its own extra precautionary security measures, that does not mean that a VPN does not create extra risk. Check out the tips below to learn how to give your VPN a penetration test and read a series of VPN quick tips.
Choose the best VPN technology for your enterprise learn to maintain your VPN once it is deployed with this collection of VPN security tips.
Pre-deployment education and decision making
IPsec VPNs extend your network's security perimeter by connecting individual hosts or entire networks. Preventing unauthorised access starts with verifying the identity of those VPN tunnel endpoints. Using the wrong authentication method can lead to interoperability issues or corporate network compromise. This tip explores the IPsec VPN identity and authentication options supported by the Internet Key Exchange (IKE) standard, as well as common supplier extensions like Extended Authentication (XAUTH). Readers will learn valid parameter combinations and their security and deployment implications.
Testing the security of your VPN deployment
Your VPN is a vital gateway into your network for your company's road warriors, telecommuters and other remote users. Unfortunately, it's also a gateway for the less-than-scrupulous predators prowling the internet for access to your network. This tip looks at why it's important to add your VPN to your pen testing process, and reviews tools and tactics for testing both IPSec and SSL VPNs.
Troubleshooting and maintaining your VPN
Have you ever been in a situation where your users are having trouble accessing your VPN? Perhaps this happens after you've undergone a major systems upgrade, like installing Service Pack 2, for example. Networking security expert Wes Noonan suggests that you "verify your VPN settings on the routers to ensure that you are using ms-chap for your ppp authentication and that you have configured the ppp encrypt mppe command with the correct level of encryption (auto, 40bit or 128bit)." For more information about configuring IOS based VPNs, click here.
If that doesn't work, maybe this advice from Kevin Beaver will help. "If your VPN traffic is being blocked, you should be able to go into Security Center and select "Windows firewall" under "manage security settings." You can then click on the "exceptions" page on the Windows firewall window that loads and select "add port." The port numbers vary based on what kind of VPN you use. IPSec VPNs typically use UDP port 500, and PPTP VPNs use TCP port 3389, so you can try creating exceptions for them. Otherwise, you'll need to contact your network administrator to get that info."
Alternative solutions to a VPN
Windows has two major mechanisms for allowing remote users controlled, protected access on a server: the virtual private network (VPN) and remote desktop. These methods are designed to solve different problems, so which should you use and when? To help you answer that question, here is a technical overview of each and offer comparisons in the following tip.
What is a remote desktop?
Unlike VPNs, remote desktop in Windows 2000 or XP Professional allows the user to run a functional clone of another computer's desktop, giving him access to all the programs, resources and accessories on that computer.
When to use one method over the other
VPNs have one big disadvantage that remote desktops do not. When a user sets up a VPN connection, all network traffic on his computer is redirected through the VPN. It's often difficult to force a specific application to use a different network interface.
A remote desktop connection, on the other hand, does not commandeer the system's networking; it runs as a standalone network application. Remote desktop connections can also (and probably should) be encrypted at the option of the administrator, so they rarely pose a security problem.
In some cases it's possible to choose either VPN or remote desktop as your solution, although they will be deployed and used in radically different ways and to different ends.
You can also check out an open source VPN solution, called OpenVPN.
Pen testing your VPN
Your VPN is a vital gateway into your network for your company's road warriors, telecommuters and other remote users. This tip looks at why it's important to add to your list of concerns.
A Virtual Private Network (VPN) is like a large sign, saying "sensitive data here." Hackers know that when they've found a VPN, they've hit the jackpot, because it means somebody is trying to secure something confidential. Therefore, like any other gateway, your VPN needs to go through a thorough penetration test to check for vulnerabilities. It's easy to overlook VPNs when administering a network penetration test, as it's often assumed that they're the most secure part of it. But, they're not and they're a magnet for hackers.
Pen testing a VPN is straightforward, and there are some common tools for the job. It's not much different from the rest of your pen testing routine and should be part of it.
- Scout the terrain and plan the attack.
- Exploit known vulnerabilities -- then close or patch them.
- Test for default user accounts -- then shut them down.
The exploit phase of the test must go in one of two directions. Testing an IPSec VPN is very different from testing an SSL VPN. The IPSec VPN is network-based, while the SSL VPN is web-based. In fact, the SSL VPN is essentially a web application and should be tested as such.
For IPSec VPNs, NTA Monitor has a tool called IKE-scan, which can fingerprint many VPN suppliers and models. With that information, a hacker can search the web for details of attacks against specific suppliers. Exploits have been found and posted for Cisco, Nortel, Check Point and Watchguard devices. The tool can't fingerprint every VPN model, but it can reveal the type of authentication used in the VPN – useful information for a prowling cracker. Other tools, like IKEProbe and IKECrack, take advantage of weaknesses in the pre-shared key (PSK) authentication used in IPSec VPNs. The hashes captured by these tools can then be run through ordinary password crackers, such as Cain and Abel, to steal passwords for malicious access to the VPN and, of course, the corporate network.
Finally, IPSec VPNs, like any firewall or network device, have default user accounts. These accounts are used for initial installation and aren't needed after that. Either remove them or change their names, where possible. The same goes for any administrative accounts used for routine maintenance. Change default passwords.
For SSL VPNs, the same tools for scanning a web application can be used. Tools, such as Webinspect and Watchfire, can check for web threats like cross-site scripting (XSS), SQL injection, buffer overflows, weak authentication and old-fashioned parameter manipulation. The scan results can be followed by either automatic or manual tests to verify the vulnerabilities. Again, an SSL VPN is just a web application. Test it like one.
This was first published in July 2007