Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 09_ocred_fax_ocred.pdf
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

Examples of a VPN

- OpenVPN: provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers.
- SoftEther VPN: a VPN server software solution that can be deployed on-premises using standard servers or virtual appliances, or on the cloud.

https://openvpn.net
https://www.softether.org

All Rights Reserved. Reproduction is Strictly Prohibited.

Examples of a VPN

OpenVPN
Source: https://openvpn.net

OpenVPN provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on premises using standard servers or virtual appliances; it can also be deployed on the cloud.

[Figure 7.117: Screenshot of OpenVPN. The OpenVPN GUI connection window for the profile vpngate_101.99.74.214_tcp_443 shows the client log: the TCP connection to [AF_INET]101.99.74.214:443, the server certificate chain verified at depth 2, 1 and 0 (C=GB, ST=Greater Manchester, L=Salford), a TLSv1.2 control channel negotiated with an ECDHE-RSA-AES256-GCM cipher, and the client sending PUSH_REQUEST after GET_CONFIG.]

Module 07 Page 949 Certified Cybersecurity Technician Copyright © by EC-Council

SoftEther VPN
Source: https://www.softether.org

OpenVPN provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on-premises using standard servers or virtual appliances, or on the cloud.

[Figure 7.118: Screenshot of SoftEther VPN. The SoftEther VPN Server Manager for "localhost (This server)" shows the Virtual Hub list (one hub, Online, Standalone), the listener list with TCP ports 443, 992, 1194 and 5555 in Listening state, the settings buttons (Encryption and Network, Clustering Configuration, Local Bridge Setting, Layer 3 Switch Setting, IPsec/L2TP Setting, OpenVPN/MS-SSTP Setting, Dynamic DNS Setting, VPN Azure Setting, VPN Gate Setting) and the current DDNS hostname VPN599380507.softether.net.]

VPN Security Risks

- VPN Fingerprinting
- Insecure Storage of Authentication Credentials
- Username Enumeration Vulnerabilities
- Offline Password Cracking
- Man-in-the-Middle Attacks
- Lack of Account Lockout
- Poor Default Configurations
- Poor Guidance and Documentation

Discussed below are the various VPN-related security risks.

VPN Fingerprinting

The VPN fingerprinting technique allows the attacker to access useful information such as the type of connections implemented, devices used, and OSes deployed. Some systems, such as Cisco PIX and Nortel Contivity, potentially reveal crucial data such as the general type of devices deployed for building the network, while other systems display software version details.

Insecure Storage of Authentication Credentials

Certain security issues occur if the credentials are not stored and protected appropriately. These security issues are due to an insecure method of storing authentication credentials by VPN clients. The following are common VPN issues with authentication and credentials:
- Storing the username unencrypted in a file or a registry
- Storing the password in a scrambled form
- Storing credentials in plaintext in memory
- Weak registry or file permissions for stored credentials

Username Enumeration Vulnerabilities

Many remote-access VPNs use the IKE aggressive mode with a pre-shared key authentication method.
The client sends an IKE packet to the VPN server, which responds with another IKE packet. These packets contain several payloads; the identity payload contains the username, and the hash payload contains the password. An attacker can confirm the difference between valid and invalid usernames from their computational differences. Furthermore, an attacker can guess the correct password using the IKE aggressive mode and easily uncover the hash from the VPN server. This hash can be used with a brute-force attack to obtain the password.

Offline Password Cracking

Offline password cracking is one of the most common flaws of a VPN. An attacker can crack a password offline by gaining access to the password hashes. Once the attacker obtains the user credentials, they can easily gain hash access from the VPN server. Simple passwords made of common words increase the likelihood that the password is cracked.

Man-in-the-Middle Attacks

Attackers may use insecure authentication protocols such as IKE to perform man-in-the-middle attacks on a VPN. In this type of attack, an attacker intercepts the communication between the client and server and obtains the client's authentication to the server. Man-in-the-middle attacks occur during data transfer through the VPN and allow an attacker to intercept, insert, delete, and modify messages; reflect messages back to the sender; replay old messages; and redirect messages.

Lack of Account Lockout

The main aim of using the account lockout feature is to restrict the number of login attempts to a certain limit. If a user keeps attempting to log in beyond the limit, the account is automatically locked out. This feature prevents password cracking attacks such as brute forcing and dictionary attacks.
Attackers can take advantage of the lack of an account lockout feature to gain account credentials, and the lack of such a feature reduces the security of the account.

Poor Default Configurations

Almost all organizations have an automated configuration setup. However, if the organization uses the default configuration for the VPN, attackers may exploit these default configurations to compromise the security of the VPN. The default configurations support many ciphers and modes, ESP, and AH. An attacker with access to the client machine can prompt the end user to use a weaker cipher, which will make the attack easier. The end user may not notice that the cipher and configuration were changed, because the VPN will continue to function normally.

Poor Guidance and Documentation

Poor guidance can lead to security vulnerabilities in the configuration and implementation of a VPN. An incorrect implementation provides an opportunity for attackers to gain access to the VPN. The following are situations where this guidance is required:
- Using weak ciphers such as export-grade or single DES, which can be cracked easily
- Using weak key authentication techniques such as a pre-shared key with the IKE aggressive mode, which sends the username and leaves the password vulnerable to offline cracking if a valid username is identified
- Choosing the AH protocol, which does not encrypt VPN traffic
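The lockout described under Lack of Account Lockout, as an added example that is not part of the course material: a small guard that sits in front of the VPN's password check, counts failed attempts per account inside a sliding window, and refuses further attempts for a fixed period once the threshold is reached. The names `LockoutGuard`, `authenticate` and `FakeClock`, and the threshold, window and lock durations, are assumptions made for this illustration.

```python
"""Account lockout guard in front of a VPN password check.

Added example (not from the course material or any VPN product): counts
failed logins per account inside a sliding window and, once the threshold
is reached, refuses further attempts without evaluating the password.
"""
import time
from collections import defaultdict


class LockoutGuard:
    """Tracks failed logins per account and enforces a time-limited lock."""

    def __init__(self, max_attempts=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts        # failures tolerated per window
        self.window_seconds = window_seconds    # sliding window for counting
        self.lockout_seconds = lockout_seconds  # how long a lock lasts
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(list)      # user -> failure timestamps
        self._locked_until = {}                 # user -> unlock time

    def _prune(self, user, now):
        """Forget failures that fell out of the sliding window."""
        cutoff = now - self.window_seconds
        self._failures[user] = [t for t in self._failures[user] if t > cutoff]

    def is_locked(self, user):
        return self.clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user):
        """Register a failed attempt; return True if the account just locked."""
        now = self.clock()
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user].clear()
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history for the account."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def failures(self, user):
        """Number of failures currently inside the window."""
        self._prune(user, self.clock())
        return len(self._failures[user])


def authenticate(guard, user, password, verify):
    """Return 'locked', 'ok' or 'bad'.

    The lock check runs before the password is verified, so a locked account
    answers 'locked' whatever the password is, and attempts made while locked
    are not counted (they cannot extend the lock).
    """
    if guard.is_locked(user):
        return "locked"
    if verify(user, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "bad"


class FakeClock:
    """Controllable clock so the guard can be exercised without sleeping."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    guard = LockoutGuard(max_attempts=3, window_seconds=60,
                         lockout_seconds=120, clock=clock)
    # Constructed credential check standing in for the real VPN back end.
    verify = lambda user, pw: pw == "correct horse"
    for attempt in ("x", "y", "z", "correct horse"):
        print(attempt, "->", authenticate(guard, "alice", attempt, verify))
    clock.t += 121
    print("after lock expiry ->", authenticate(guard, "alice", "correct horse", verify))
```

The trade-off of any lockout is that someone who knows a username can keep its legitimate owner locked out by sending bad passwords, which is why the lock is time-limited rather than permanent and why the lock check happens before, not instead of, rate limiting by source.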
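The configuration weaknesses named under Poor Default Configurations and in the bullets under Poor Guidance and Documentation (single DES, pre-shared key with IKE aggressive mode, AH instead of ESP), together with the weak-file-permission item under Insecure Storage of Authentication Credentials, as an added example that is not from the course, strongSwan or any other project: an auditor for an ipsec.conf-style configuration. It assumes strongSwan's ipsec.conf syntax (`conn` blocks of `key=value` lines with the `keyexchange`, `aggressive`, `authby`, `ike`, `esp` and `ah` keywords); the sample configuration, connection names and addresses are constructed for the illustration.

```python
"""Audit an ipsec.conf-style VPN configuration for the weaknesses the course
lists: IKEv1 aggressive mode with a pre-shared key, single-DES or null
encryption, AH instead of ESP, and a secrets file readable by other users.

Added example, not from the course or any VPN project. strongSwan ipsec.conf
syntax is assumed; the sample configuration below is constructed.
"""
import stat

WEAK_ENCRYPTION = {"des", "null"}   # single DES, or no encryption at all

SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn legacy-remote-access
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=des-sha1-modp1024
    esp=des-sha1
    left=%any
    right=%any

conn integrity-only
    keyexchange=ikev2
    authby=pubkey
    ah=sha256
    left=192.0.2.1
    right=198.51.100.7

conn modern
    keyexchange=ikev2
    authby=pubkey
    ike=aes256gcm16-prfsha384-ecp384
    esp=aes256gcm16-ecp384
    left=192.0.2.1
    right=198.51.100.8
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; sections are 'conn <name>' / 'config setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def weak_proposals(proposal_list):
    """Return the proposals whose encryption algorithm is in WEAK_ENCRYPTION.

    Proposals are comma separated; inside one proposal the algorithms are
    joined with '-' and the first token is the encryption algorithm.
    """
    weak = []
    for prop in proposal_list.split(","):
        prop = prop.strip().rstrip("!")          # '!' marks a strict proposal
        if prop and prop.split("-")[0] in WEAK_ENCRYPTION:
            weak.append(prop)
    return weak


def audit_conn(name, params):
    """Findings for one conn block, as human-readable strings."""
    findings = []
    if params.get("aggressive") == "yes" and params.get("authby") in ("secret", "psk"):
        findings.append("IKEv1 aggressive mode with a pre-shared key: username "
                        "sent and PSK hash exposed to offline cracking")
    for key in ("ike", "esp"):
        for prop in weak_proposals(params.get(key, "")):
            findings.append(f"weak {key} proposal '{prop}': single DES or null encryption")
    if "ah" in params:
        findings.append("AH selected: traffic is authenticated but not encrypted")
    return findings


def audit(text):
    """Return {conn_name: [finding, ...]} for every conn block that has findings."""
    report = {}
    for section, params in parse_ipsec_conf(text).items():
        if section.startswith("conn "):
            findings = audit_conn(section[5:], params)
            if findings:
                report[section[5:]] = findings
    return report


def weak_secret_permissions(mode):
    """True if a secrets file (pass os.stat(path).st_mode) is group/world readable."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for conn, findings in audit(SAMPLE_CONF).items():
        print(conn)
        for finding in findings:
            print("  -", finding)
```

`weak_secret_permissions` takes the mode bits rather than a path so that the check on the pre-shared-key file (`ipsec.secrets` in strongSwan) can be exercised without touching the file system; in deployment pass it `os.stat("/etc/ipsec.secrets").st_mode`. The `modern` connection produces no findings, which is the baseline the audit is measured against.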