A virtual private network (VPN) allows different private networks to be connected over a public network. Because the communication between VPN endpoints goes over a public network, it must be properly secured to prevent eavesdropping.
There are many benefits to using a VPN service. One such benefit is the ability to access the company's internal network when not in the office, or to join two physically separate internal networks into one unified internal network. There are also multiple implementations of VPN protocols available -- the most widely used are Internet Protocol Security (IPsec) and Transport Layer Security (SSL/TLS). Other available implementations include DTLS, MPPE, SSTP and more.
While VPNs offer these advantages, there are also a number of serious risks enterprises must be aware of. This article will concentrate on how to mitigate SSL VPN security issues.
How to check VPN security
Depending on the type of VPN being checked during a penetration test, there are different procedures to follow. Whatever type of VPN is used, the basic steps to pen test include:
- Reconnaissance: Determine the type of VPN being used and the port on which the VPN daemon is listening. This can be done with a port scanner such as Nmap. Depending on the type of VPN, the service might be listening on UDP port 500 (IPsec), TCP port 1723, TCP port 443 (SSL VPN), UDP port 1194 (OpenVPN) or any other non-default port.
- Exploitation: After identifying which port the VPN is listening on, fingerprint the service to determine the exact vendor and version of the daemon; for IPsec this can be done with the ike-scan tool. Then check whether that vendor and version have any published CVEs that can be exploited with an existing exploit from the Metasploit framework, or write a new exploit.
- Authentication: The daemon listening for incoming connections must properly verify the credentials presented by the client. Do not rely on the client's username and password alone; also require client certificates, which raise the overall security of the VPN service. A proper password policy should also be in place so that strong passwords are used together with the certificates, limiting brute-force attacks.
See Infosec Institute's accompanying article on Cloud VPN Security Recommendations.
Hardening VPN security to prevent issues
To harden OpenVPN, edit its configuration file. This is usually passed to the OpenVPN daemon with the "--config" command-line option. If you run "ps -ef" and grep for the OpenVPN processes, the "--config" argument shows where the configuration file is located, and you can view it accordingly.
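The following script is an added example written for this article, not code from the original page or from the OpenVPN project. It ties the authentication point above (certificates plus a password check) to the hardening step just described: one function extracts the "--config" path from a "ps -ef" line, and another audits that configuration file for the hardening directives a reviewer would look for. The directive names are real OpenVPN server options; the two sample configurations, the process line and the path "/etc/openvpn/check-pass.sh" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article or the OpenVPN project):
# locate an OpenVPN server config from a ps line and audit it for the
# hardening directives discussed in the text.

# Extract the path passed to --config from a "ps -ef" style line.
# Usage: config_path_from_ps "<ps line>"
config_path_from_ps() {
    printf '%s\n' "$1" | sed -n 's/.*--config[ =]\([^ ]*\).*/\1/p'
}

# Audit a server config. Each gap is printed on stdout and the number
# of gaps is the return code (0 means every check passed).
audit_openvpn_config() {
    cfg="$1"
    missing=0
    # Drop comment lines ('#' or ';') and blank lines once up front.
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$cfg")
    has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1"; }

    # 1. Client certificates: OpenVPN requires them by default; these
    #    directives switch that off, so they must be absent.
    if has 'verify-client-cert[[:space:]]+(none|optional)' || has 'client-cert-not-required'; then
        echo "client certificates not required"; missing=$((missing+1))
    fi
    # 2. A password check on top of the certificate (second factor).
    if ! has 'auth-user-pass-verify[[:space:]]' && ! has 'plugin[[:space:]].*auth'; then
        echo "no password check (auth-user-pass-verify or an auth plugin)"; missing=$((missing+1))
    fi
    # 3. Control channel protected with a pre-shared key (tls-crypt/tls-auth),
    #    so unauthenticated packets are dropped before the TLS handshake.
    if ! has 'tls-crypt[[:space:]]' && ! has 'tls-auth[[:space:]]'; then
        echo "no tls-crypt/tls-auth key"; missing=$((missing+1))
    fi
    # 4. Minimum TLS version for the control channel.
    if ! has 'tls-version-min[[:space:]]+1\.[23]'; then
        echo "tls-version-min 1.2 not set"; missing=$((missing+1))
    fi
    # 5. Authenticated (AEAD) data-channel cipher.
    if ! has '(data-ciphers|cipher)[[:space:]]+.*AES-(128|256)-GCM'; then
        echo "no AEAD data cipher (AES-GCM)"; missing=$((missing+1))
    fi
    # 6. Drop root privileges after start-up.
    if ! has 'user[[:space:]]+nobody'; then
        echo "daemon keeps root privileges (no 'user nobody')"; missing=$((missing+1))
    fi
    return "$missing"
}

# Write one of two constructed sample server configs to the given path.
# Usage: write_sample_config weak|hardened /path/to/server.conf
write_sample_config() {
    case "$1" in
    weak) cat > "$2" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# password only: client certificates switched off
verify-client-cert none
# CBC mode is not an AEAD cipher
cipher AES-256-CBC
verb 3
EOF
    ;;
    hardened) cat > "$2" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls client
# hypothetical password-check script (constructed for this example)
auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
    ;;
    esac
}

# Demonstration on the constructed samples.
tmpdir=$(mktemp -d)
write_sample_config weak "$tmpdir/weak.conf"
write_sample_config hardened "$tmpdir/hardened.conf"
echo "== weak.conf"; audit_openvpn_config "$tmpdir/weak.conf" || echo "$? hardening gaps"
echo "== hardened.conf"; audit_openvpn_config "$tmpdir/hardened.conf" && echo "no gaps"
echo "config from ps: $(config_path_from_ps 'root 812 1 0 10:00 ? 00:00:01 /usr/sbin/openvpn --config /etc/openvpn/server.conf')"
```

The audit deliberately checks for the absence of "verify-client-cert none" rather than the presence of a certificate directive, because OpenVPN demands client certificates unless that option (or the older "client-cert-not-required") is set; the other checks cover the control channel, data channel and privilege drop that a hardened server configuration should have.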
Keep these workflow and security considerations in mind when designing corporate VPNs.