A recent report [1] suggested that VPNs are not as secure as they claim to be.
VPN services claim that they provide privacy and anonymity. The authors of the report studied these claims across several of the most popular VPN services, investigating their internals and their infrastructure. They tested the VPNs using two kinds of attack: passive monitoring and DNS hijacking. Passive monitoring is when a user’s unencrypted information is collected by a third party; DNS hijacking is when the user’s browser is redirected to an attacker-controlled web server that pretends to be a popular site such as Twitter [2]. What their experiment revealed is alarming: most of the VPN services suffer from IPv6 traffic leakage. The majority of the VPNs leaked information, and not only which websites the user was accessing but also the content of the user’s communications.
They also investigated the security of VPN use on mobile platforms and found that VPN clients were much more secure on iOS, but vulnerable on Android. They also described more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used the Point-to-Point Tunneling Protocol (PPTP) with MS-CHAPv2 authentication, which according to TechReport [10] makes them vulnerable to brute-force attacks.

Akamai argued that “VPNs are a Weak Security Solution and Management Burden for Third Party Remote Access. If your company routinely interacts with third parties — consultants, contractors, suppliers, partners, and customers — who need remote access to enterprise applications hosted in your data center environment or hybrid cloud, a VPN is a poor solution. After all, you don’t want to give untrusted third parties carte-blanche access to the network when all they need is access to a limited number of applications. Typically, third parties only need access to a given application for a limited time. The time it takes to configure, manage, and deploy a separate set of subnets for third parties — coupled with managing user moves, adds, and changes — are all time-intensive activities. Whether the process takes days or weeks, it is clearly an impediment to business.”
“VPNs have always been considered a secure mechanism for transmitting sensitive data between client and server applications for remote workers. VPN technology is well known and is widely deployed across the world. The SOX mandates have pushed organizations to deliver end-to-end VPN security. This means that the VPN itself is not enough. Moreover, many VPN systems do not provide the ability to easily manage and maintain the security of the clients utilizing the VPN solution. This includes visibility into client-loaded software to ensure the clients are up to date, as well as the ability to “push” out updates to the clients.”

Another study [9] revealed that nine in ten SSL VPNs use encryption methods that are not up to date, which ultimately puts corporate data at risk. The study, an Internet-wide scan of publicly accessible SSL VPN servers, was conducted by HTB (High Tech Bridge).
From four million randomly selected IPv4 addresses, covering popular suppliers such as Cisco, 10,436 publicly available SSL VPN servers were scanned, which revealed the following problems:

1. Quite a few SSL VPN services still offer SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is now considered obsolete. Both protocols have various vulnerabilities and both are unsafe.

2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which can enable man-in-the-middle attacks: an attacker could set up a counterfeit server impersonating the real one and harvest data sent over a supposedly “secure” VPN connection. According to HTB, the main cause in practice is the use by corporates of the default pre-installed certificate from the vendor.

3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is no longer strong enough to withstand potential attacks.

4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 bits are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.

5. One in 10 SSL VPN servers that rely on OpenSSL (e.g. Fortinet) are still vulnerable to Heartbleed. The infamous Heartbleed vulnerability, discovered in April 2014, affected all products using or relying on OpenSSL, creating a straightforward way for attackers to extract sensitive data such as encryption keys from the memory of unpatched systems.

6. Only three per cent of scanned SSL VPNs are compliant with PCI DSS requirements, and none was found compliant with NIST guidelines. The credit card industry’s PCI DSS requirements and the NIST guidelines from the US set out baseline security standards for organisations handling credit card transactions or government data.

VPNs can be broadly categorized as follows:

1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real-time alarms and extensive logging.
2. A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.

3. A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.

4. An SSL VPN [3] allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of SSL VPNs is ease of use: because all standard web browsers support the SSL protocol, users do not need to install or configure any software.

VPN Tunneling

There are two types of tunneling in common use: voluntary and compulsory.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client’s point of view, VPN connections are set up in just one step, compared to the two-step procedure required for voluntary tunnels. Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS) [9].
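As an added example (not code from the report or from HTB), the following script checks a single SSL VPN endpoint's certificate for three of the HTB findings listed above: it parses the text output of `openssl x509 -noout -text` for an MD5 or SHA-1 signature, an RSA modulus below 2048 bits, and a self-signed vendor-default certificate. The host names, ports and sample certificate dumps are constructed for illustration.

```shell
# Added example (not from the report or from HTB): audit one SSL VPN certificate
# for three findings above: MD5/SHA-1 signature, RSA key below 2048 bits, and a
# self-signed (vendor-default, hence untrusted) certificate.
# audit_cert_text reads the text format of `openssl x509 -noout -text`.
field() {  # field DUMP LABEL: first value printed after "LABEL:" in the dump
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# audit_cert_text DUMP: prints one finding per line; returns 1 if any was raised.
audit_cert_text() {
    dump=$1; rc=0
    sigalg=$(field "$dump" 'Signature Algorithm')   # e.g. sha1WithRSAEncryption
    case "$sigalg" in
        md5*|*MD5*|sha1*|*SHA1*) printf 'WEAK_SIGNATURE %s\n' "$sigalg"; rc=1 ;;
    esac
    keyalg=$(field "$dump" 'Public Key Algorithm')  # rsaEncryption, id-ecPublicKey, ...
    bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # Only RSA moduli are held to the 2048-bit bar; a 256-bit EC key is not weak.
    if [ "$keyalg" = rsaEncryption ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        printf 'WEAK_KEY %s-bit RSA\n' "$bits"; rc=1
    fi
    issuer=$(field "$dump" Issuer); subject=$(field "$dump" Subject)
    # Issuer equal to Subject means self-signed: no client trusts it without a manual
    # exception, which is what leaves room for the man-in-the-middle finding.
    if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
        printf 'SELF_SIGNED %s\n' "$subject"; rc=1
    fi
    return $rc
}

# audit_host HOST PORT: fetch the leaf certificate from a live endpoint and audit
# it (needs network access; the constructed samples below do not use it).
audit_host() {
    audit_cert_text "$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text)"
}

# Constructed sample dumps, abridged to the lines the audit reads.
SAMPLE_WEAK='        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = vpn-appliance.example, O = Example Vendor
        Subject: CN = vpn-appliance.example, O = Example Vendor
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
SAMPLE_OK='        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Internal CA
        Subject: CN = vpn.example
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
audit_cert_text "$SAMPLE_WEAK" || echo "weak sample: findings raised (exit 1)"
audit_cert_text "$SAMPLE_OK" && echo "ok sample: no findings (exit 0)"
```

Protocol support (SSLv2/SSLv3) and Heartbleed are not covered by this parser; those need a handshake probe against the endpoint rather than a certificate dump.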