Tom's Guide | Tom's Hardware | Tom's Games | PC Safety Suite
I have never heard or read of a VPN being hacked. Since a VPN is a tunnel thru the internet I have to wonder why you would need to encrypt the data going thru that tunnel.
Isn't that just adding overhead?
Isn't the point of IPsec to prevent someone with a packet sniffer from intercepting and reading the data?
Have you ever heard or read of someone sniffing a VPN?
Give a person a fish, they eat for a day. Suggest they internet search and they learn a skill for a lifetime.
+1
The idea is to prevent a "man in the middle attack". If you search Google for that, you get a lot of results.
+1
They go hand in hand.
"Internet Protocol security (IPSec)
An Internet Engineering Task Force (IETF) standard that provides authentication and encryption over the Internet. IPSec is widely used with virtual private networks (VPNs)."
"Virtual Private Network (VPN) A network constructed by using public wires to connect nodes. VPNs use encryption, such as Internet Protocol security (IPSec), and other security mechanisms to make sure only authorized users can access the network and that the data cannot be intercepted."
From MS Press 70-290, published by Microsoft Press, A Division of Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399
+1
I understand MITM attacks. I have never read of a MITM attack or packet sniff of a VPN. I would have to take from your responses that you also have never heard or read of an attack of an existing tunnel.
If you can't crack the tunnel why use ipsec to encrypt the data stream?
This isn't a question of what or why use ipsec or what a vpn is.
The very fact we do use ipsec tells me there must be a way to hack a vpn. Even ipsec can be hacked which is why there is ESP which provides another layer of security in ipsec.
Since I have never read or heard of an existing tunnel being hacked I have to wonder WHY we would add extra overhead with ipsec.
I am not talking hacking a vpn device which is a hack to gain access to resources behind the vpn device. I am talking about actually breaking into the tunnel to then copy the data stream.
It appears to me you can't do a MITM attack of a vpn tunnel.
I would appreciate any links or word of someone who has actually experienced a hacked VPN tunnel. Know your enemy is the best defense.
Give a person a fish you feed them for a day.
Ask a person to internet search and they learn a skill for a lifetime.
+1
hi wanderer. i'm still learning about the nuts and bolts of VPNs myself, but i'll throw some ideas in.
1. No, you definitely cannot packet sniff a VPN within the endpoints.
2. I have never come across a VPN being cracked, even with the supposedly weak PPTP. Depends on whether you work for banks, military etc. I suppose. I don't, and my customers (all small businesses) are safe.
3. VPN is encrypted anyway, that's what provides the 'privacy.' Part of the problem here is the tunnel metaphor, which is spatial. In reality it's a linear, serial stream of bits. The only way to ensure privacy when all the bits flow through the NICs on the journey is to encrypt the latter segments. A VPN, as i imagine it, is saying "Here's all the bits needed to route the packet to its destination, don't try to read the other bits which follow, you won't be able to...just pass it on."
4. So all the data is encrypted anyway once it hits the VPN startpoint, until it hits the VPN endpoint.
5. In fact, VPNs are considered really different, when in fact the tunneling goes on in normal OSI based networking. In TCP/IP, the data is 'encapsulated' by TCP. TCP is then encapsulated by IP. IP is then encapsulated by Ethernet. VPNs follow this model, the only basic difference being the encapsulated packets are encrypted, so that the payloads can't be read by 'nosy' TCP/IP modules on the way. (As you'd know, a packet passes through about 20 NIC's on an average Internet journey)
6. The reason you might have a 'double dose' of encryption (i.e. encrypt the data before it reaches the VPN) is if you wanted them protected on the LANs past the VPN. VPNs are usually at borders of networks.
7. IPsec does not specify what type of encryption is used, but commonly it is IDEA or 3DES. PPTP uses RC4. With stronger keys (>127bits) you're safe. So no, you can't break into the VPN tunnel midstream. Let me put it this way, if IDEA, 3DES, and RC4 are being cracked, the whole world is in trouble, not just your customers.
8. IPsec can operate in tunnel or transport mode. Transport mode is just data encryption. The IP headers clearly state the addresses of the VPN endpoints. Anyone sniffing the packets can get the VPN router addresses and try to spoof them, but they would still need the shared encryption key. In transport mode, the IP headers are encrypted, and secondary IP headers are used, which specify penultimate routers as endpoints. These penultimate routers (which I assume are just different NICs on the same VPN endpoint) then decrypt the IP header and pass the packet on to the true IP destination. However I am unsure of this because I never use tunnel mode. In fact, I just use PPTP. It works.
9. As you'd know, most security issues come from the inside. VPNs aren't the problem.
"If we don't succeed, we run the risk of failure." - BILL CLINTON
+1
Thanks retroguy. That's more like it. Yes, I agree you can't do a MITM attack on a VPN.
Funny how we just take stuff we have been doing for granted without questioning the reasoning behind it.
Retroguy you might want to look at this article concerning PPTP. It is crackable.
http://www.cnn.com/TECH/computing/9...
Thanks again for your input.
Give a person a fish, they eat for a day. Suggest they internet search and they learn a skill for a lifetime.
+1
i'm a bit different - i tend to question things right from the start. sometimes this has a negative spinoff though. i had one tutor tell me (in effect) "just use it and shut up."
thanks for the article. Yes, PPTP is vulnerable but again I would go back to basic question of general security - how in demand is the target? A toyota corolla versus a Maserati....
I also suspect that guy who cracked PPTP so easily with L0phtcrack was attacking the 40bit PPTP, not the 128bit.
I mainly deal with businesses 10 users and under. For them the ease and cost of PPTP (e.g. native, easy client side software on Windows, and Mac) is rewarding.
For juicier targets I would recommend IPsec.
"If we don't succeed, we run the risk of failure." - BILL CLINTON
+1
Your concept of MITM (man in the middle) attack is off. It's not someone breaking in to your tunnel it's someone pretending to be the end point, so your tunnel actually ends with them, and they in turn connect to the real end point on your behalf.
That way all your data is transmitted to them first, they get to read your goodies, credit card numbers, ssns, email to a gay lover...lol, and anything else, because the data is not encrypted, and then pass it on to the real end point so you think you're connected.
Think it doesn't happen...it happens all the time..
So crack the VPN tunnel NO...MITM attack I bet you can find plenty of references.
I know several ways to MITM. Take my advice: don't take IPSec for granted, or beware.
D
+1
dknowledge do you have any internet based examples of what you describe?
What you describe IS a MITM attack and I have yet to find a single example of this on the internet concerning a VPN. Even the hack sites only talk about attacking a VPN server or device to then gain access and not compromising the tunnel. Once you compromise the device THEN you can redirect the tunnel. Of course at that point any monitoring of the vpn devices/logs would instantly alert the admins.
Jefro vpns by their very nature of PSK and other verification algorithms secure the tunnel. Ipsec secures the data not the tunnel.
You can think of a vpn as a water pipe with meters at each end. If someone pricks the pipe to steal some of the water the end points automatically go down cutting off all the water since the meters detect the pressure drop.
Now a MITM has to T into the hose without either end detecting this. I have yet to find documentation that supports this is even possible.
This is not the case with a PTP or FR link where you can have access to a device in the middle and copy the data stream, without anyone knowing/detecting the difference, to then hack. After getting passwords, etc you can then perform the MITM attack without either end knowing it.
The focus of my question is how can you do a MITM attack on a VPN without taking it down. If you can't break into the VPN tunnel why use IPSEC? After all if a hacker has compromised the vpn device it wouldn't be that hard for them to then gain access to the resources behind the vpn device. Why bother with an ipsec stream at that point?
Again this isn't a question of why/how to use vpns or ipsec. I am not planning on changing how I setup or manage our VPNs. I see a gap in the knowledge base, which I believe I have clearly identified, which has led to this discussion.
Thanks for participating.
Give a person a fish, they eat for a day. Suggest they internet search and they learn a skill for a lifetime.
+1
Quote from retroguy:
(As you'd know, a packet passes through about 20 NIC's on an average Internet journey)
Don't you mean routers, not NICs? And if one of those routers is compromised, can't packets be captured, encrypted or not, and analysed later?
+1
... you're kidding right..a Google search alone on man in the middle attacks is like 53,000 entries!
And it all concerns VPNs cause it usually has to do with Diffie-Hellman.
...the MITM isn't about trying to get into your network for goodies, it's about watching the data you're transmitting because that's where there is sensitive data like transmitting your credit card numbers with your date of birth, and your mother's maiden name, and the verification number all at the same time.....why fish around in a PC for that when you simply monitor a transmission of an unsuspecting victim thinking they're privately transmitting to eBay their secret data, or your bank account...THAT'S WHY U BOTHER WITH IPsec! So even if there is a MITM, your data is encrypted and I can't read it.
I outlined how it works...but you went back to thinking it's taking down the VPN to break in to it....you don't take it down, you put yourself as one of the end points so the VPN terminates to you, and you set up the VPN to the other end so you end up in the middle during setup of the VPN, not after it's up.
You try to use water as an example...suppose you're building a house, and I'm a sneaky neighbor, and one night I insert a T-valve before your plumbing is complete so when your plumbing is finished you get water but so does my lawn and you never know I'm using your water...Get it?!? That's MITM
But to each his own...good luck with that.
D
+1
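The post above puts the MITM at key-agreement time ("during setup of the VPN, not after it's up") and ties it to Diffie-Hellman. The following Python example, added here and not taken from the thread or from any IKE implementation, shows what that means and what the authentication step (PSK or certificate) buys you: with bare DH an on-path party can hand each side its own public value and end up holding a key with each of them, while with an HMAC tag under a pre-shared key over each public value, substituted values fail verification and no key is ever derived. The group parameters (a 127-bit Mersenne prime, generator 5), the HMAC-based tag and the party names are constructed stand-ins, not IKE's actual payloads.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: a 127-bit Mersenne prime and a
# small generator. Real IKE uses the MODP groups of RFC 3526 (2048 bits and up).
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_secret(priv, peer_pub):
    """Derive a session key from the shared DH value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Public values travel with nothing tying them to who sent them.

    An on-path party (Mallory) substitutes her own public value in both
    directions; each legitimate side ends up sharing a key with her, not
    with its peer, and neither side has any way to notice.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    return {
        "alice": dh_secret(a_priv, m_pub),  # Alice believes m_pub is Bob's
        "bob": dh_secret(b_priv, m_pub),    # Bob believes m_pub is Alice's
        "mallory_with_alice": dh_secret(m_priv, a_pub),
        "mallory_with_bob": dh_secret(m_priv, b_pub),
    }


def auth_tag(psk, pub):
    """HMAC over the public value, keyed with the pre-shared key (stand-in
    for IKE's PSK/certificate-based authentication of the exchange)."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk, interposed):
    """Each side sends (public value, tag) and checks the peer's tag first.

    Returns (alice_key, bob_key) on success, or None if either side rejects
    the handshake. With an interposed party the substituted public values
    no longer match their tags, so the keys are never derived.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, auth_tag(psk, a_pub))
    b_msg = (b_pub, auth_tag(psk, b_pub))
    if interposed:
        _, m_pub = dh_keypair()
        # Mallory can swap the public values but cannot produce a valid tag
        # without the PSK, so the original tags travel with the wrong values.
        a_msg = (m_pub, a_msg[1])
        b_msg = (m_pub, b_msg[1])
    if not hmac.compare_digest(auth_tag(psk, b_msg[0]), b_msg[1]):
        return None  # Alice drops the handshake
    if not hmac.compare_digest(auth_tag(psk, a_msg[0]), a_msg[1]):
        return None  # Bob drops the handshake
    return dh_secret(a_priv, b_msg[0]), dh_secret(b_priv, a_msg[0])


if __name__ == "__main__":
    r = unauthenticated_exchange()
    print("bare DH, interposed: Alice and Bob agree?", r["alice"] == r["bob"])
    print("bare DH, interposed: Mallory holds Alice's key?",
          r["alice"] == r["mallory_with_alice"])
    print("authenticated, clean path:", authenticated_exchange(b"psk", False) is not None)
    print("authenticated, interposed:", authenticated_exchange(b"psk", True))
```

The tag only helps while the PSK stays secret and unique to the two peers, which is what the later disagreement in this thread about PSKs is really about; a certificate plays the same role with a signature instead of an HMAC.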
In general, PPTP-type VPN tunnels are easier to implement but less secure than those of the certificate-based L2TP/IPSec type. Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
This is why you would secure your VPN with ipsec. The advantage is that you authenticate the sender is not a middleman. See second post.
+1
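Two points in this thread are easier to see in code than in prose: the quote above separates confidentiality from integrity and origin authentication (PPTP/MPPE gives only the first, ESP gives all three), and retroguy's earlier post contrasts transport mode, where the real endpoint addresses stay in the clear, with tunnel mode, where (per RFC 4303) the whole inner packet including its header sits inside ESP behind a new outer header carrying only the gateway addresses. The Python below is an added example, not code from the thread or from any IPsec implementation; its stream cipher (a SHA-256 counter keystream standing in for RC4 or AES-CTR), its 8-byte nonce and 32-byte ICV layout, its dict-shaped "packets" and all addresses are constructed toy stand-ins.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 8   # constructed layout, not ESP's real IV size
ICV_LEN = 32    # HMAC-SHA256 output, playing the role of ESP's ICV


def keystream(key, nonce, length):
    """SHA-256 counter keystream, a stand-in for RC4 (MPPE) or AES-CTR (ESP)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- confidentiality only: the PPTP/MPPE situation the quote describes ------

def mppe_like_encrypt(key, nonce, plaintext):
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def mppe_like_decrypt(key, blob):
    """Decrypts whatever arrives: a changed ciphertext simply yields changed
    plaintext, and nothing tells the receiver who produced it."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


# --- confidentiality + integrity + origin authentication: ESP with an ICV ---

def esp_seal(enc_key, auth_key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    icv = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + icv


def esp_open(enc_key, auth_key, blob):
    """Return the plaintext, or None when the ICV fails (the packet is dropped).
    Only a holder of auth_key could have produced a valid ICV."""
    nonce, ct, icv = blob[:NONCE_LEN], blob[NONCE_LEN:-ICV_LEN], blob[-ICV_LEN:]
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return None
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


def flip_one_bit(blob, byte_index):
    """A single-bit change in transit, whether line noise or a deliberate edit."""
    b = bytearray(blob)
    b[byte_index] ^= 0x01
    return bytes(b)


# --- what a sniffer between the gateways can read in the two IPsec modes ----

def transport_mode(enc_key, auth_key, packet):
    """The original IP header stays in the clear; only the payload is in ESP."""
    return {"src": packet["src"], "dst": packet["dst"],
            "esp": esp_seal(enc_key, auth_key, packet["payload"])}


def tunnel_mode(enc_key, auth_key, packet, gw_src, gw_dst):
    """The whole inner packet, header included, goes inside ESP; the new outer
    header names only the two gateways."""
    inner = f"{packet['src']}>{packet['dst']}|".encode() + packet["payload"]
    return {"src": gw_src, "dst": gw_dst,
            "esp": esp_seal(enc_key, auth_key, inner)}


def on_path_view(wire):
    """Fields readable without any key: the outer addresses."""
    return wire["src"], wire["dst"]


if __name__ == "__main__":
    k, a, n = b"k" * 16, b"a" * 16, b"\x00" * 8   # constructed keys and nonce
    pt = b"AMOUNT=0010"
    print("MPPE-like, tampered:", mppe_like_decrypt(k, flip_one_bit(mppe_like_encrypt(k, n, pt), 8)))
    print("ESP-like, tampered: ", esp_open(k, a, flip_one_bit(esp_seal(k, a, pt), 8)))
    pkt = {"src": "10.0.1.5", "dst": "10.0.2.9", "payload": pt}   # constructed
    print("transport mode, on-path view:", on_path_view(transport_mode(k, a, pkt)))
    print("tunnel mode, on-path view:   ",
          on_path_view(tunnel_mode(k, a, pkt, "203.0.113.1", "198.51.100.1")))
```

The detection side is the whole point of the second half: with the ICV a modified or forged packet is rejected before decryption, which is the "proof that the data was not modified in transit" and "proof that the data was sent by the authorized user" in the quote, and it is why the integrity check belongs at the receiver, not in a log review afterwards.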
Using L2TP/IPSec
For L2TP/IPSec-type connections, the L2TP protocol provides VPN tunneling, and the Encapsulation Security Payload (ESP) protocol (itself a feature of IPSec) provides data encryption.
+1
As for PSKs, they're useless.
"Preshared Keys and L2TP/IPSec The only case in which certificates are not required for L2TP-based VPN connections is when both the VPN client and the VPN server are running Windows Server 2003. In this case, you have the option to configure computer authentication through the use of a preshared key: a shared string of plaintext that is used to encrypt and decrypt IPSec communication. Preshared keys are not considered a secure means of authentication and are therefore recommended only in test or temporary deployments."
All above posts reflect MS 70-291 text. However the BSD guys are almost exactly the same.
+1
Well while we're throwing out all these official definitions
"PPTP-based VPN connections do provide data confidentiality"
PPTP itself DOES NOT provide data confidentiality....it has to use encryption like MPPE (Microsoft Point-to-Point Encryption)...
D
+1
Thank you everyone for your input.
response 6:
retroguy good point. I bet you are right about the 40bit. I played with that crack software years ago and it was pretty impressive.
response 10:
don2006 it was easy to see NICs as interfaces and retroguy was correct. Let's not dwell on semantics.
Your examples don't make sense. Why would you use a VPN to go to eBay? Who uses a VPN to buy stuff thereby sending their credit card info? I addressed your issue of MITM with my example of the water pipe. It can't happen since both end points would detect the break, log it, and depending on equipment wouldn't reconnect. Seems you are still thinking PtP and frame. If it happens all the time where is the proof? Got news articles? URLs? Feed them to me buddy! I would love to see how to compromise an active established VPN tunnel. Now understand I am not saying you can't [already addressed this above] but I sure don't see anything written about it [which isn't too surprising but there ought to be something somewhere].
response 11:
dknowledge please provide a single URL in that list that discusses compromising the tunnel. I have done the search and could not find that in the list.
response 12/13/14:
thanks jefro for the textbook quotes but how does that address the questions I have posed? Again please provide a single link that says a MITM can compromise the tunnel.
Do you really think that it's ipsec that secures the tunnel???? Ipsec is hackable! Why do you think they developed ESP?
Give a person a fish you feed them for a day.
Ask a person to internet search and they learn a skill for a lifetime.
+1
dknowledge: IPsec in tunnelling mode prevents the MITM attack you describe. As for the others, let's get back to something I said, and if you want to do real-life security, rather than just computer concepts, try to learn from it.
(Paraphrasing response 6:)
the issue is how in demand the target is to a potential cracker. If not so much, then cost-effectiveness and ease of use/deployment is first and foremost, because that is what customers and users want. If in demand, then a much higher level of security is first and foremost.
To crack a PPTP link as you describe, your comp needs to impersonate the endpoint, capture packets, then begin cracking away with L0phtcrack or similar. With 256bit RC4 that's going to take you a while. (Or do you have an IBM z9 mainframe at your disposal?) VPN link will be down. Admin & ISP investigate. All that bother and risk for what? A company that makes hose-fittings? Just to get your ex-girlfriend's password? Just get someone to look at the post-it note on her monitor!
jefro: preshared keys useless? Please tell me how. They can and do work on hundreds of thousands of businesses around the world, where limited number of VPN routers and one admin means PKI too much hassle. (setup, troubleshooting...)
"If we don't succeed, we run the risk of failure." - BILL CLINTON
+1
Microsoft documentation says that
"...Preshared keys are not considered a secure means of authentication and are therefore recommended only in test or temporary deployments."
Don't confuse Certificates with PSKs.
As with all this stuff one company's term is not that of another's.
+1
>>Don't confuse Certificates with PSK's
i didn't think i was, was I?
PKI uses certificates.
Preshared keys don't.
"If we don't succeed, we run the risk of failure." - BILL CLINTON
+1
"If we don't succeed, we run the risk of failure." - BILL CLINTON
Hey retroguy, Bush said that, not Clinton
+1
it certainly sounds like a 'bushism' now I think about it... :)
"If we don't succeed, we run the risk of failure." - BILL CLINTON
+1
retroguy - We use IPSec to prevent MITM attack which is EXACTLY WHAT I SAID!!! The orig poster asked why do we use IPSec. That is why I described MITM attack. Do you ever actually read the posts ?!?!?!?!?
+1
VPN with PSK is indeed not a secure implementation, and an example of a MITM / Evil Twin combined attack is by the way described here: http://folk.ntnu.no/maartman/blog. Since distributing certificates can be a pain in the ass, many universities and such actually use PSKs and encourage students to use VPN + PSK + IKE/ISAKMP aggressive mode + XAUTH as authentication. Try googling it.