This paper details the common VPN flaws and explains their root causes. However it is suspected that many other organisations have vulnerable VPNs that they assume are secure. These organisations now know the problems, and in most cases have fixed them. After the testing they discovered that the VPN was actually the weakest point in their perimeter. It was also found that the organisations being tested generally felt that their VPN was invisible and impenetrable, and that the VPN security testing was just a tick in the box. After several such flaws had been reported, it was noticed that the same issues were occurring again and again in different vendors products. Some of the vulnerabilities that have been discovered during the testing were previously unknown, and these were reported to the vendors in accordance with NTA Monitor s disclosure policy. What has been found is quite shocking: most of the VPNs that were tested have had remotely exploitable vulnerabilities, and often these would allow an attacker to gain unauthorised access to the VPN, view or alter VPN traffic, or disrupt the VPN server.
#FORTINET VPN DUNWOODY PASSWORD#
1Ģ Contents 1 Introduction 3 2 VPNs are Attractive Targets 3 3 Common VPN Flaws VPN Fingerprinting Insecure Storage of Authentication Credentials by VPN Clients Username Enumeration Vulnerabilities Offline Password Cracking Man-in-the-Middle Attacks Lack of Account Lockout Poor Default Configurations Poor Guidance and Documentation Conclusions 15 2ģ 1 Introduction In the three years since NTA Monitor started testing VPN security, they have tested many implementations from most of the major vendors. The paper shows that VPNs are far from the impenetrable systems that many people believe them to be, and that they can actually be the weak link in an otherwise secure system. Some of the problems that have been seen, such as the username enumeration issue, are new discoveries, while others are known limitations of the protocols, which are exposed due to poor configuration. The paper concentrates on remote access VPN configurations using the IPsec protocol, although some of the findings are also applicable to site-to-site VPNs. January 2005 Abstract This paper outlines some of the common VPN security flaws that NTA Monitor have found during the last three years while performing VPN security tests.
1 Common VPN Security Flaws Roy Hills, NTA Monitor Ltd.
0 kommentar(er)
