Various VPN vulnerabilities & logging

Given the widespread use of VPNs, the extended functionality they provide, their economy of use, and their transparency to the user, it was just a matter of time before the bad guys began to target VPNs. Some of the reasons VPNs are targeted include the following:

  • Users tend to use VPNs to transmit sensitive information. This is understandable as the common belief is that VPNs are secure.
  • VPNs usually have full and unrestricted access to the internal networks. Gaining access via a VPN provides full and unfettered access to the corporate networks.
  • VPNs provide anonymity from IDSs if they are configured to operate outside the VPN. Any bad guy who gains access to the VPN can hide in the encrypted tunnel and not be detected by the IDS.
  • VPNs are comparatively soft targets. This is because people tend to consider IPSec relatively secure and tend to spend resources hardening other network components.

So, what are the ways in which VPNs can be compromised? Understanding this will help us to understand what we should look for from an investigation perspective.

To get started, let's take one more quick look at the structure of a VPN. At one end is the VPN server and at the other is the VPN client. Both of these are connected to each other using a secure tunnel. From a security perspective, the easiest points to compromise are the two end points. Usually, the VPN client is the least protected and is used in all sorts of low security areas, such as airports and free Wi-Fi zones. VPN clients are deployed in hand-held/portable devices as well. One aspect of the VPN client running on devices such as this is availability. From a bad guy's perspective, the longer they have access to a device, the higher the chances of being able to compromise it. This may not be the case when we look at remote users using VPN clients. Conversely, the VPN server (as part of its job description) is constantly available and seeking connections. Therefore, the two end points are likely to be subject to different types of attacks when the objective is to take advantage of their vulnerabilities.

Currently, IPSec is the most important protocol when it comes to VPNs. It is largely considered the most secure of all the VPN implementations. Unfortunately, it is also the most complex to correctly implement. Administrators with expertise and experience are required to implement IPSec effectively. The lack of such administrators leads to default configurations or misconfigurations, which contribute to a weak security posture in a surprisingly large number of cases.

One of the easiest and actually very common methods of getting unfettered access to corporate networks is the theft of company laptops. A lot of users tend to save their VPN access credentials on their remote devices/computers; therefore, the loss of such a laptop can mean the loss of data from the company's network. VPN cached credentials, including data stored in the registry, may be retrieved and used for malicious purposes.

Another method of gaining access to VPNs is by compromising the client or server machine by infecting the system or by a man-in-the-middle (MITM) attack. In the event the machine is infected, user credentials may be compromised and misused.

Some methods of defending against such compromises are client whole disk encryption (WDE) in case of theft, strong firewall and virus protection to prevent client and server compromises, authentication using tokens, and access control systems with user provisioning and identity systems integrated with the VPN administration.

Another example is forgetting to disable the VPN account of terminated employees. In 2005, this was the cause of a massive breach of Walmart's network, in which internal data, including payment card information, was accessible to the ex-employee. This attack lasted for a period of about 18 months and was only detected by accident (and a bit of foolishness by the attacker).

An interesting case involved an ex-employee selling off a used VPN gateway, which was found by the buyer to be still configured to access the corporate network long after the employee had left the organization.

In 2010, a high-profile vulnerability involving IPv6 and PPTP was made public. This exposed the IP address, MAC address, and computer name. More recently, in 2015, researchers from Sapienza University of Rome and Queen Mary University of London discovered security vulnerabilities in 14 popular VPN providers. It was found that some of these were exposing a user's complete browsing history. These vulnerabilities were classified as IPv6 traffic leakage and DNS hijacking.

Clientless VPN products also pose a security risk. These aggregate the data retrieved from different sites and serve it up so that it appears to come from the SSL VPN. This also allows a malicious website to be served up to the viewer while seeming to come from a single source via the SSL VPN. The bad guy could hijack a user session or capture the user's keystrokes and gain access to the VPN.

The Internet Key Exchange (IKE) Aggressive Mode (AM) can also cause a serious breach of information security on older clients. IPSec, when negotiating a tunnel connection, performs an exchange of information between the two end points. This key exchange can happen in either Main mode or Aggressive mode. While Main mode uses a six-way handshake, Aggressive mode uses a three-way handshake. During the AM handshake, the VPN device sends the hashed PSK in an unencrypted form. This allows an attacker to carry out an offline cracking attack using tools such as L0phtcrack, psk-crack, Cain, John the Ripper, and so on.
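From a detection standpoint, an investigator can tell Main mode from Aggressive mode by looking at the exchange-type byte of the fixed ISAKMP header at the start of each IKE datagram (UDP/500). The parser below is an added example for this chapter, not code from the book; the sample datagrams are constructed headers only (no payloads) and the field layout follows RFC 2408.

```python
import struct

# ISAKMP/IKEv1 exchange types (RFC 2408 section 3.1 and RFC 2409).
EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive Mode",
    5: "Informational",
    32: "Quick Mode",
}

# Fixed 28-byte ISAKMP header: initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total length (network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header found at the start of an IKE datagram."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram too short for ISAKMP header")
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "encrypted": bool(flags & 0x01),  # E bit: payloads after the header are encrypted
        "message_id": msg_id,
        "length": length,
    }

def is_aggressive_mode(data: bytes) -> bool:
    """True when the datagram belongs to an IKEv1 Aggressive Mode exchange (type 4)."""
    hdr = parse_isakmp_header(data)
    return hdr["major_version"] == 1 and hdr["exchange_type"] == 4

def audit_datagrams(datagrams) -> list:
    """Return one alert string per datagram negotiated in Aggressive Mode."""
    alerts = []
    for idx, d in enumerate(datagrams):
        if is_aggressive_mode(d):
            spi = parse_isakmp_header(d)["initiator_spi"]
            alerts.append(f"datagram {idx}: IKEv1 Aggressive Mode, initiator SPI {spi}")
    return alerts

# Constructed sample headers (not real captures): version 1.0, unencrypted, length 28.
AGGRESSIVE_SAMPLE = ISAKMP_HDR.pack(bytes.fromhex("0102030405060708"), bytes(8), 1, 0x10, 4, 0, 0, 28)
MAIN_MODE_SAMPLE = ISAKMP_HDR.pack(bytes.fromhex("1112131415161718"), bytes(8), 1, 0x10, 2, 0, 0, 28)

if __name__ == "__main__":
    for alert in audit_datagrams([AGGRESSIVE_SAMPLE, MAIN_MODE_SAMPLE]):
        print(alert)
```

Feeding the UDP payloads of a capture through `audit_datagrams` shows which peers still negotiate in Aggressive mode and therefore expose a crackable PSK hash on the wire.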

While the previously mentioned methods of VPN compromise are, by no means, exhaustive, the key for the investigators is the logs that document all the network interactions and indicators of compromise. This helps us identify who did what, where, when, and how.

Information captured needs to include the following:

  • User
  • Event date and time
  • Command
  • Authentication status - Success/Failure
  • Authorization status - Success/Failure
  • Configuration changes (to detect tampering with anti-virus / IDS / IPS / firewalls and so on) - as an example, some banking Trojans are known to disable firewalls
  • Network addresses
  • Network protocols
  • Privileged access

All the investigations would require us to look at these audit trails to successfully move our network forensic investigations forward.
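To show how those audit fields are actually used, the script below is an added example (not from the book) that parses a constructed VPN log in an assumed key=value format, rejects records missing any of the required fields, and flags three of the situations described above: a success after a burst of authentication failures, activity by an account HR reports as terminated, and configuration changes that may indicate security-control tampering.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN audit log (assumed key=value format, not any vendor's real output).
SAMPLE_LOG = """\
ts=2015-03-01T08:02:11Z user=alice event=auth status=success src=203.0.113.10
ts=2015-03-01T08:03:40Z user=bob event=auth status=failure src=198.51.100.7
ts=2015-03-01T08:03:42Z user=bob event=auth status=failure src=198.51.100.7
ts=2015-03-01T08:03:45Z user=bob event=auth status=failure src=198.51.100.7
ts=2015-03-01T08:03:50Z user=bob event=auth status=success src=198.51.100.7
ts=2015-03-01T23:15:02Z user=carol event=auth status=success src=192.0.2.55
ts=2015-03-01T23:16:30Z user=carol event=config_change status=success src=192.0.2.55 detail=firewall_disabled
"""
TERMINATED = {"carol"}          # constructed HR list of accounts that should have been disabled
FAILURE_THRESHOLD = 3           # failures before a later success is worth a finding
REQUIRED = ("ts", "user", "event", "status", "src")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    """Parse key=value lines into dicts; raise if a record lacks a required audit field."""
    records = []
    for line in text.splitlines():
        rec = dict(KV_RE.findall(line))
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"record missing fields {missing}: {line}")
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def audit(records):
    """Return finding strings for failure bursts, terminated-account use and config tampering."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive auth failures seen so far
    for r in records:
        who = f"{r['user']}@{r['src']}"
        if r["event"] == "auth":
            if r["status"] == "failure":
                failures[(r["user"], r["src"])] += 1
            else:
                n = failures.pop((r["user"], r["src"]), 0)
                if n >= FAILURE_THRESHOLD:
                    findings.append(f"{who}: success after {n} failures (possible credential guessing)")
        if r["user"] in TERMINATED and r["status"] == "success":
            findings.append(f"{who}: successful {r['event']} by terminated account at {r['ts']:%Y-%m-%d %H:%M}")
        if r["event"] == "config_change":
            findings.append(f"{who}: config change {r.get('detail', '?')} (check for security control tampering)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```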
