VPN Threats and Exploits

Consider the threats and possible attacks against your VPN and how to mitigate each one. A VPN can be a critical component of your information security infrastructure. A properly implemented VPN addresses a number of common attacks against your infrastructure, including eavesdropping, man-in-the-middle, replay, and others. However, while your VPN can mitigate attacks, it also opens up an entirely new set of security issues.

Remember, VPNs are essentially network devices and subject to many of the same security issues you would find in a router or a switch. If you are running a software VPN, then your VPN can have many of the issues you find on your network’s servers.

A hardware VPN solution can suffer from a number of security vulnerabilities, including:

  • Weak default password
  • Insecure default configuration or misconfiguration by the installer

One of the most common and easily exploited vulnerabilities on any hardware network device is the default password. Vendors set an initial password on their equipment. Usually, all it takes to discover this password is a quick search on the Internet; often, it is not particularly hard to guess. Try the vendor name, “admin,” or “password,” and odds are good that you will be able to log on. It seems like a sensible mechanism—the vendor does not want to distribute its equipment without a password, so it sets a standard password that is easy for the installer to remember.

The potential problem occurs when the installer forgets to change that password. It is not uncommon for an installer to leave the password in place for the duration of the installation. Typing in “admin” after each reboot is much easier than typing in “$$Th!s!sAS3cur3P@ssw0rd!!” every time you make a change requiring a reboot. The problem occurs when either the installer forgets to change the password when the work is done, or an attack occurs while the installer is in the middle of the installation.

Imagine that the installer has a few additional settings to change, but it’s 6:00 p.m. on a Friday and he’s ready for the weekend. He decides to come in early Monday to finish the configuration. For the entire weekend, the VPN that you are counting on to provide secure access to your network is on the Internet with the password “admin.” The best way to address this type of vulnerability is through stringent system configuration procedures and strong awareness training for your support staff and contractors. Disciplinary action when an installer fails to follow the instructions is also remarkably effective at getting the message across.

The second common issue with hardware VPNs is a device that is installed in the default configuration. Very few network devices come out of the box in a fully secure configuration. For example, an important configuration setting is disabling split tunneling. A default VPN configuration might not disable that setting; instead, it may require modifying the configuration to disable the feature. If you are completing your first install, it is tempting to just change enough of the configuration to get the VPN up and running and avoid any unfamiliar settings.

A related issue occurs when an inexperienced installer modifies the configuration without understanding the impact of the changes. For example, an installer with a limited understanding of encryption protocols might decide that using the Data Encryption Standard (DES) algorithm for VPN encryption would be “good enough” and would improve performance over a stronger algorithm like 3DES. The installer probably read somewhere that the longer the key length used for encryption, the higher the impact on performance. This is often true, but longer key lengths usually mean more secure communications. Installer-induced security threats are some of the hardest to track down. Because they were caused by someone with a limited understanding of what they were doing, the installer’s ability to help you track down the issues is equally limited.

To mitigate the risk of these issues, make sure that you train your installer (or yourself) before installing the VPN. If you do not have the time or justification for training on the product, then engage a vendor or systems integrator to assist with the install or even complete it for you. Once the installation goes online, it pays to have an expert perform a vulnerability or penetration test against your VPN. It never hurts to have an expert check your work.
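As an added illustration (not part of the chapter), the following script audits a VPN configuration export for the three weak settings discussed above: a vendor default password, split tunneling left enabled, and single DES chosen over 3DES. The flat `key = value` export format, the key names, and both sample configurations are constructed assumptions, not any vendor's real format.

```python
# Added example: audit a VPN config export for the weak settings the text describes.
# The "key = value" layout, key names and sample values are constructed for illustration.
from typing import Dict, List

# Constructed vendor-style defaults that should never survive an installation.
DEFAULT_PASSWORDS = {"admin", "password", "vendor", ""}
WEAK_CIPHERS = {"des", "des-cbc", "null"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse a flat 'key = value' export, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def audit_config(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks passed."""
    findings: List[str] = []
    if settings.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("admin_password is a vendor default or empty; change it before the device goes online")
    # A missing key is treated as enabled, since defaults often leave split tunneling on.
    if settings.get("split_tunneling", "enabled").lower() != "disabled":
        findings.append("split_tunneling is not disabled; clients can bridge the Internet and the internal network")
    if settings.get("vpn_cipher", "").lower() in WEAK_CIPHERS:
        findings.append("vpn_cipher is single DES; use 3DES or a stronger algorithm")
    return findings


# Constructed sample: the device as the installer left it on Friday evening.
INSTALLER_LEFT_IT = """
admin_password = admin        # never changed after the install
split_tunneling = enabled
vpn_cipher = DES              # chosen "for performance"
"""

# Constructed sample: the same device after the configuration procedure was followed.
HARDENED = """
admin_password = $$Th!s!sAS3cur3P@ssw0rd!!
split_tunneling = disabled
vpn_cipher = 3DES
"""

if __name__ == "__main__":
    for label, cfg in (("as installed", INSTALLER_LEFT_IT), ("hardened", HARDENED)):
        print(label, audit_config(parse_config(cfg)) or ["no findings"])
```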

A software VPN solution can suffer from the following:

  • OS vulnerabilities
  • OS misconfiguration
  • Application conflicts
  • Instability
  • Viruses and malware

Although software VPN solutions are not typical in corporate environments, they are common in smaller organizations, academic environments, and other areas where a hardware VPN does not meet business requirements or exceeds the budget. The main threats to software VPN solutions arise in the OS. Operating systems like UNIX or Microsoft Windows consist of highly complex code. Each is designed to support a number of business-related tasks and is far more complex than the OS found on a hardware-based VPN. As a result, the software-related threats can be much more complex.

Operating systems contain millions of lines of software code, and as with anything written by people, they can contain mistakes. Those mistakes are what attackers seek to exploit when attacking an OS. Exploits may include buffer overflows, privilege escalation, or any number of other issues. As a result, if you run your VPN on a general-purpose OS, your VPN becomes susceptible to the same software vulnerabilities as your OS. In addition, software VPNs have many more possible OS configuration errors than hardware VPNs.

Some organizations run VPN software on a server that supports multiple applications. For example, the VPN server might also be a SQL server, a web server, or a file server. If this is the case in your environment, be aware of potential vulnerabilities created by application conflicts. This could be a matter of two applications contending for resources on the server and causing issues, but it could also be that one of the applications opens a new vulnerability in the VPN software. Think about a VPN server that is also a web server. If the web server is configured incorrectly, you could expose the VPN configuration files to an attacker through the web server interface. In that case, you could configure your VPN server securely but still have an attacker pull a copy of your configuration files out of a web directory, bypassing your security.

Another potential threat associated with software VPNs is instability. Many information security professionals are reluctant to run software VPNs due to the challenges of the operating system crashing and taking the VPN with it. Many security professionals wouldn’t ever want to run a VPN that could be taken out by a “blue screen of death”—the nickname for the Microsoft server crash screen.

Finally, OSs are vulnerable to viruses and other forms of malware. These would include Trojan horses, rootkits, or any of the other destructive malware currently active on the Internet. Any of these infections could compromise the security of your VPN, as well as your internal network.

If you are planning to run a software VPN, be sure to run it on a dedicated server, double-check both the OS configuration and the VPN configuration, and keep the OS fully patched and up to date. When your VPN is fully configured, run a vulnerability management tool against it, or have a professional come in and conduct a penetration test. Moreover, be sure to install and maintain current antivirus and anti-malware software on the server. It is a good idea to install a firewall application and an intrusion detection/prevention (IDS/IPS) application to ensure that your VPN remains secure.

Vulnerabilities common to both hardware and software VPN implementations include:

  • DoS attacks
  • Missing patches
  • Backdoor attacks
  • Unpublished vulnerability in the code
  • Weak client security
  • Weak authentication
  • Hairpinning
  • Credential sharing

Credential Sharing

Credential sharing is sharing a username and password, or other security credentials, with others. A person may share credentials with another authorized user, such as a boss, secretary, or coworker, or with a family member. A person may also share credentials for reasons such as unofficially outsourcing all or part of their job, such as data entry or coding, unbeknownst to the employer. The practice does not necessarily result in compromising the system, but often it does. It is a violation of the confidentiality of the data and defeats the authentication process.

In a DoS attack, the attacker is trying to prevent others from accessing the VPN service. Attackers use specially crafted packets designed to crash the VPN or, more likely, direct a flood of traffic at the VPN in an attempt to overload it. This is not a very common attack because of the large amounts of traffic required to overload most companies’ network infrastructures. Generally, you will not see a VPN targeted with a DoS attack; VPN attacks are typically designed to allow the attacker access to the internal network. DoS is more common against popular websites like Twitter or Facebook, where there is significant publicity, or against online merchants that may be susceptible to blackmail. When your website is a significant source of revenue, a DoS attack can be very expensive.

Any hardware or software platform that can run VPN software is vulnerable; that is the nature of any computer technology. When these vulnerabilities are discovered, the vendor will typically develop a patch or an update to address the issue. If you do not keep your VPN current, you leave your network open to these issues, and attackers will try to exploit known vulnerabilities with your VPN.

A backdoor account attack is pretty rare, but can happen in some instances. An example of the traditional backdoor attack was featured in the classic movie War Games, where the system developer left a user account and password on a secure system in case he needed to get back into the system. This account was exploited by an attacker (in the movie, a kid just trying to play online games)—nearly causing the end of the world. Needless to say, the issues in your environment will not be quite as dramatic, but these are still of concern. Code running on VPNs and OSs is closely scrutinized, so system developers are less likely to be a threat, but what about a system administrator who thinks he is about to be fired? Or a vendor who comes in to support your VPN, creates an account for support, and forgets to delete it before leaving? The best way to mitigate this type of attack is through scheduled auditing of all accounts on your VPN, as well as strong, documented procedures for how and when accounts are created and deleted. This particularly applies to accounts with elevated privileges or on systems accessible from the Internet.
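The scheduled account audit recommended above can be expressed as a reconciliation between the accounts actually present on the VPN and the documented roster. The following is an added example, not from the chapter; the account record layout, the roster, the `support-` naming convention for vendor accounts, and the sample data are all constructed assumptions.

```python
# Added example: reconcile VPN accounts against an approved roster and flag the
# cases the text warns about. Record layout, roster and sample data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    name: str
    privileged: bool
    created_by: str
    last_login: Optional[date]  # None means the account has never been used
    expires: Optional[date]     # None means no expiry was set


# Constructed roster: the only accounts that change control has approved.
APPROVED = {"jsmith", "mlee", "vpn-admin"}
VENDOR_SUPPORT_PREFIX = "support-"   # assumed naming convention for vendor accounts
STALE_AFTER = timedelta(days=90)


def audit_accounts(accounts: List[Account], today: date) -> List[str]:
    """Return one finding per problem; an empty list means the accounts match procedure."""
    findings: List[str] = []
    for acct in accounts:
        if acct.name not in APPROVED:
            findings.append(f"{acct.name}: not in approved roster (created by {acct.created_by}); possible backdoor")
        if acct.name.startswith(VENDOR_SUPPORT_PREFIX) and (acct.expires is None or acct.expires < today):
            findings.append(f"{acct.name}: vendor support account with no expiry or already expired; delete it")
        if acct.privileged and (acct.last_login is None or today - acct.last_login > STALE_AFTER):
            findings.append(f"{acct.name}: privileged account unused for over {STALE_AFTER.days} days; disable it")
    return findings


TODAY = date(2024, 6, 1)  # constructed audit date
SAMPLE_ACCOUNTS = [
    Account("jsmith", False, "helpdesk", date(2024, 5, 30), None),
    Account("vpn-admin", True, "change-ctl", date(2024, 5, 28), None),
    Account("support-acme", True, "vendor", date(2024, 1, 15), None),  # left behind after the install
    Account("maint", True, "rjones", None, None),                       # nobody approved this one
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(finding)
```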

One of the trickiest—and fortunately rarest—security threats is an unpublished vulnerability in the VPN code. Researchers or potential attackers can discover an unpublished vulnerability. If it is unpublished, it means the vendor is not yet aware of it, and thus has not yet developed a patch or an update. This is known as a zero-day attack. These are probably the most difficult threats you will face because there is not a lot you can do beyond following security best practices, creating a layered security environment, and monitoring the behavior of your environment for anomalies. Should you encounter this issue, be sure to follow your incident response process and work with the vendor to identify the issue and create a patch.

Another vulnerability is not directly on the VPN, but in the devices connecting to the VPN. VPNs offer significant security advantages, but if the client at the other end of the connection is not secure, then your network is at risk. To mitigate this risk, use a standard client configuration, which includes antivirus, anti-malware, firewall, and maybe even intrusion-detection software. Also make sure that the only clients connecting to the VPN are company-owned. Permitting personal assets to connect to your network opens a number of additional issues, because you are not able to supervise the configuration of those systems. All it takes is one employee whose child clicks on the video link that a friend sent (generally with a comment like “check out this video I took of you”), and you could end up with a virus on your network when the employee connects to the VPN using the same system.

A final vulnerability to consider is the challenge of weak authentication. Your VPN is really only as secure as your authentication mechanism. If you are authenticating via user ID and password, you run the risk of someone guessing or stealing those credentials and accessing your network without permission. To mitigate this risk, rely on either token-based or biometric authentication methods instead of—or in addition to—a user ID and password. If you must use a user ID and password for authentication, be sure to properly train users in the use of strong passwords.

A familiarity with the various threats, attacks, and mitigations is critical to the long-term support of your VPN and your total network. Be aware that no list of threats and attacks can be all-inclusive because attackers are constantly developing new methods for compromising networks. In the absence of specific threats and attacks, rely on good security practices to keep things safe.
