VPN Security / Penetration Testing Resources
General IPSec / VPN Technical Documentation
- NTA VPN Flaws Whitepaper (2005)
This whitepaper from NTA has information on a wide range of VPN flaws, including the UDP Backoff Fingerpringing and IKE flaws mentioned during the talks. Although a few years old, it has a very good overview of a number of VPN issues, as well as commentary on the overall security of VPN implementations, from a company who specialise in penetration testing them.
- securityfocus: pentesting IPSec VPNs
An article on penetration testing IPSec VPNs from securityfocus.com. This is less thorough than the NTA paper, and has some overlap with it, but it makes a good companion read to the NTA paper.
- IKE Vulnerability risks (ppt)
A presentation by Ari Muittari at Nokia Networks for a "Masters Thesis Seminar". This is worth a browse.
- Microsoft technet: IPSec Best Practices
IPSec Best Practices from Microsoft Technet.
- WPAD Vulnerability (presented by Dan Kaminsky at schmoocon)
This is an extremely good example of an exploit that would work even through a firewalled VPN - all that's required being a DNS server configured for dynamic updates, and an environment not already configured for the WPAD system. Contrary to the blurb, this would hypothetically work on a totally non-Microsoft inrastructure, as WPAD is supported by Firefox and Opera.i
This vulnerability has been underplayed somewhat, and is made more severe by other factors, such as the fact that even in an environment supporting secure Dynamic DNS Updates there are still ways to exploit it. See this mailing list post which I made to the DailyDave mailing list for a brief overview of how it might be exploited and what some of the caveats are.
- Morris & Thompson - Password Security: A Case History (postscript file)
This is an almost timeless security resource still relevant today, even though it's almost 20 years old. There's a quote from this paper in the NTA paper linked above, and I quoted it (from the same place) in my talk too. If you don't have a postscript reader, you can convert the file from ps into a pdf file for free, online, at ps2pdf.com.
Commercial Products & Technologies designed to help remediate VPN risk
- Microsoft Cable Guy - IKE for IPSec SA
This is an introduction to IKE Negotiation for IPSec Security Associations from the Microsoft 'Cable Guy', and is an excellent technical primer for anyone interested in how this technology works.
- Building and Installing openSwan
A free chapter (ch3) from the book given away as a prize during my OpenSwan talk; this is available as a PDF from the publisher (packtpub)
General Security links
- Cisco Network Admission Control
NAC from Cisco is a technology designed to ensure compliance of device associating with a network. Although not an ultimate security mechanism, many businesses use this to ensure compliance of their VPN Clients prior to allowing traffic from them onto their network(s).
- Microsoft Network Access Protection (NAP)
NAP is technology in Windows Vista which interoperates with Cisco NAC, and provides similar services in windows environments. NAP is the successor to Microsoft's Network Access Quarantine Control (NAQC) technology.
- Cisco WebVPN product page
Cisco's WebVPN technology, confusingly, seems to encompass two distinct types of technology; delivering services like remote desktop and web-based applications over http(s) (not a VPN!), and an SSL-based VPN implementation which is installable via the web interface these services are delivered by.
- PWC/DTI Information Security Breaches Survey(s)
The Information Security Breaches Survey from the Department of Trade and Industry / Price Waterhouse Coopers. This has some interesting, if unexplained, statistics. There's an executive summary on the same page if you don't feel like reading through the whole thing.
(F|f)ree Open Source Projects that're in some way relevant
SSLBridge is an Open Source AJAX Application written in PHP which uses Samba to allow remote users access to SMB/CIFS resources via HTTPS. It authenticates to Active Directory, so it can be very effectively used in a Windows/Samba environment to allow external users gain access to file shares over the interweb, and it respects your existing permissions. Very cool.
IPCop is an open source linux firewall distribution designed to run on a dedicated PC and behave as an embedded / appliance / "hardware" firewall. IPCop is a great candidate for small office and home use, and includes VPN Software that you can use to easily setup site to site and roadwarrior VPNs. In conjunction with the IPCop addons that are available, IPCop can handle OpenVPN, OpenSwan, pptp/L2TP VPNs, and various other bits and pieces.
Open Source SSL VPN Package. Probably the best choice if you want an open source VPN stack to sit on existing linux/windows machines.
Free (as in beer) VPN service.
Highly Flexible Open Source IPSec implementation.
Open Source Web Application Security module / Application-Layer Firewall for the Apache Webserver. In many ways this has capabilities similar to the application-layer firewalling in Microsoft ISA Server