Virtual private networks (VPNs) are meant to secure connections for remote users over WANs, but many high-profile breaches have enterprises questioning overall VPN security. In this Q&A with Rainer Enders, VPN security CTO of Americas at NCP engineering, you will learn why VPN security breaches happen and what you can do to eliminate this risk.
How do VPN security breaches usually happen?
Rainer Enders: While VPNs are supposedly a secure technology, I think there are many ways to breach VPN security.
A common way is the man-in-the-middle attack. These mainly happen when people have access to either a wireless or wired LAN [or WAN]. This [insider access] makes it possible for somebody to snoop on a connection, gather information on the connection setup and use the credentials, if obtained, for an attack on the session.
Another potential breach could be from obtaining physical access or listening in to a VPN-enabled device. This could happen if somebody loses their laptop or mobile device and the VPN is enabled. That VPN client [could also be] configured in a non-optimal manner -- where the credentials are already in there, so all [that] the hacker needs to do is click ‘connect’ and the VPN tunnel [could] open without even requiring a password to be entered.
Obtaining VPN security information -- such as the [IP] address of the VPN endpoint, the configuration parameters, user credentials and so forth -- would be another way of breaching a VPN. That information could be obtained via insider knowledge of somebody maybe leaving the company, or getting fired. … A lot of networks don't get changed very often and VPN connections remain static for a long time, so if someone leaves the company, there are chances that they will still have the information of how to get in there. [This information could also be obtained] via social engineering, which is happening a lot … where users are asked to provide this kind of information [via malicious emails or phone calls].
A fourth way of breaching a VPN would be to exploit a bug or flaw in an authentication system. There may be a defect in the firmware that could be exploited, or some other shortcoming in the authentication system, such as an SSL certificate [authentication] that could be spoofed or recreated maliciously. There may even be a known bug in a VPN concentrator where [a hacker] could crash the system and obtain access.
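Two of the weaknesses Enders describes above, VPN clients that carry stored credentials and VPN accounts that stay valid after someone leaves, are things a defender can check for routinely. The following audit is an added example written for this article, not code from the interview or from NCP engineering. It assumes a VPN gateway can export per-account records (last login, credential age, whether the client profile stores the password, whether a second factor is enforced) and that HR can supply a roster of active employees; the record layout, thresholds and sample data here are constructed for illustration.

```python
"""Audit VPN accounts against an HR roster and a small set of hygiene rules.

Added example (not from the interview). The account fields, the roster and the
thresholds are constructed assumptions; real exports will differ in shape.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class VpnAccount:
    username: str
    last_login: Optional[date]        # None means the account has never connected
    credential_age_days: int          # age of the password, PSK or certificate
    stored_password_in_profile: bool  # client connects without prompting
    second_factor: bool               # MFA enforced for this account


# Policy thresholds (assumed values, tune to your own policy).
MAX_IDLE_DAYS = 90
MAX_CREDENTIAL_AGE_DAYS = 365

# Constructed sample data: what HR says is active, and what the gateway exports.
HR_ACTIVE: Set[str] = {"alice", "bob", "dana"}
TODAY = date(2024, 6, 1)
ACCOUNTS: List[VpnAccount] = [
    VpnAccount("alice", date(2024, 5, 30), 40, False, True),
    VpnAccount("bob", date(2024, 1, 3), 400, True, False),
    VpnAccount("carol", date(2024, 5, 28), 90, False, True),  # left the company
    VpnAccount("dana", None, 500, False, True),
]


def audit_account(acct: VpnAccount, roster: Set[str], today: date) -> List[str]:
    """Return the list of findings for one account (empty list means clean)."""
    findings: List[str] = []
    # Stale access: the owner is no longer an active employee.
    if acct.username not in roster:
        findings.append("owner not in active HR roster: disable account")
    # Unused or idle accounts widen the attack surface for no benefit.
    if acct.last_login is None:
        findings.append("never used: remove or confirm need")
    else:
        idle = (today - acct.last_login).days
        if idle > MAX_IDLE_DAYS:
            findings.append(f"idle for {idle} days: review or disable")
    # Static credentials that are never rotated outlive the people who knew them.
    if acct.credential_age_days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("credential older than rotation policy: rotate")
    # A stored password turns device loss into tunnel access.
    if acct.stored_password_in_profile:
        findings.append("profile stores password: require interactive login")
    if not acct.second_factor:
        findings.append("no second factor: enforce MFA")
    return findings


def audit(accounts: List[VpnAccount], roster: Set[str], today: date) -> Dict[str, List[str]]:
    """Audit every account; only accounts with at least one finding are returned."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, roster, today)
        if findings:
            report[acct.username] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, HR_ACTIVE, TODAY).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Run against the constructed data, the report flags carol as a departed user who still holds access, bob for an idle account with a stored password and no MFA, and dana for a never-used account with a year-old credential; alice is clean. In practice the roster comes from the HR or identity system and the account list from the gateway's export, and the audit runs on a schedule so that the static configurations Enders mentions do not quietly outlive their owners.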
Why do hackers try to breach VPNs? What information are attackers usually looking for?
Enders: I would say these are the top four categories [of hackers]:
- The insiders -- people who left the company who might be disgruntled and want to cause the company harm.
- The people who are after viable financial information -- such as credit card numbers or bank account numbers where they can initiate bank transfers.
- The people with a political agenda -- where they just want to make political statements of some shape or form.
- The script-kiddy hackers are the biggest class. Very often [VPN breaches] come from hackers trying to satisfy their curiosity, test a theory or do a proof-of-concept; it's just purely to figure something out or try to prove that a flaw exists or something can be hacked.
The bad news is that there are really a lot of ways to breach a VPN system, but the good news is that they're often not aiming at [stealing] any information. If information is being aimed for at all, I think it's mostly financial information. For example, credit card information that can be exploited in another way, like to perform fraudulent transactions via the network.
What types of VPNs (i.e., SSL, IPsec, etc.) are most susceptible to VPN security breaches?
Enders: There is no 100% secure VPN technology -- period. Each technology has its specific challenges. However, I think it's fair to say that of the two prevalent VPN technologies -- SSL and IPsec VPNs -- the SSL VPN is a bit less secure than IPsec overall due to the nature of the technology.
IPsec, being an IETF standard, has security at its core, and it's a much more mature technology. Also, IPsec is tightly controlled and linked to an application-specific client, versus SSL where you would just use a browser. We know that Internet browsers all have their own weaknesses, flaws and issues, and there are many attack vectors against those browsers, which put into question the whole security model of SSL. Three critical pieces of VPNs are secrecy, integrity and authenticity; and the authenticity for SSL is put into question by that whole certificate authority (CA) model, because certificate authorities are not very tightly controlled.
Is there any way an MPLS VPN could be breached?
Enders: MPLS VPNs are a good style [of] VPN. Of course, all the generic attacks that apply to all the other VPN architectures also apply to MPLS VPNs, such as the social engineering and insider attacks.
How should enterprise IT implement proper VPN security?
Enders: Network and IT security is a very broad and complex framework, [and] technology is only a piece of that entire puzzle. An overall security model must embrace technology, security policy and communication and training -- where individuals bring that security message and foster that mindset of security.
A company should employ best-of-breed technology with the strongest track record for secure access [VPNs] -- which clearly is IPsec. IPsec -- with a managed client, a managed client firewall and an integrated managed VPN system that ties into your identity management system -- really offers the maximum protection. And its implementation aspect is important.
When enterprises are looking for a VPN solution, is the most expensive VPN the most secure?
Enders: Network managers should focus on overall system costs. That entails cost of operation and cost of potentially dealing with security breaches. Consider cost of major upgrades and the scalability of the solution. Consider support for a broad range of operating platforms, like desktops and mobile devices. Just make sure that you have technology that covers everything. Because what we see very often is that companies deploy a slew of different technologies, which … means that a network … [engineer] has to learn more technologies. More technologies means more complexity. More complexity typically means more room for errors. More room for errors means errors will happen. That means you have a lowered security profile, right? If they have to use different clients or different access technology on the user side, [this] introduces room for errors, which again means more errors, more complexity, less security. It's a very simple equation.
So I would really advise to look at the overall picture, the cost of operations and the cost of dealing with potential security breaches. You definitely want to look at what level of security you need, pick the right technology that matches your exposure and implement it in the right way.
How should enterprises balance the usability of their VPN with enterprise security measures?
Enders: The usability [of a VPN] is a very important aspect from both sides: the end user and the network engineer. If … [IT] has good usability, they can spend a lot less time managing the actual VPN and will have more free time for other important relevant tasks, like managing firewall rules, monitoring access, researching ongoing security issues and so forth. That's also something that very often is overlooked -- managing such an environment should be easy and manageable, because that really also improves the acceptance of the solution and better usability. Typically, it also leads to fewer errors and a much more secure solution overall.