Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 09_ocred.pdf
Certified Cybersecurity Technician
Network Security Controls — Technical Controls
Exam 212-82

Examples of a VPN

= OpenVPN (https://openvpn.net): secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on-premises using standard servers or virtual appliances, or on the cloud.
= SoftEther VPN (https://www.softether.org)

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Examples of a VPN

OpenVPN
Source: https://openvpn.net

OpenVPN provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on premises using standard servers or virtual appliances; it can also be deployed on the cloud.

[Figure 7.117: Screenshot of OpenVPN. The OpenVPN GUI connection window for the profile vpngate_101.99.74.214_tcp_443, current state "Connecting", with the connection log: TCP connection established with [AF_INET]101.99.74.214:443, control channel TLSv1.2 with an ECDHE-RSA-AES256-GCM cipher suite, certificate chain VERIFY OK at depth 2, 1 and 0, peer connection initiated, and SENT CONTROL PUSH_REQUEST; Bytes in: 0 B, out: 168 B; OpenVPN GUI 11.14.0.0/2.4.8.]

Module 07 Page 949 Certified Cybersecurity Technician Copyright © by EC-Council

SoftEther VPN
Source: https://www.softether.org

OpenVPN provides flexible VPN solutions to secure data communications for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. It is a VPN server software solution that can be deployed on-premises using standard servers or virtual appliances, or on the cloud.

[SoftEther VPN Server Manager, "Manage VPN Server localhost (This server)": one Virtual Hub ("ca-vpn", online, standalone, 1 user, 0 groups, 0 sessions); Management of Listeners with TCP ports 443, 992, 1194 and 5555 listening; and the server-setting buttons (Encryption and Network, Local Bridge Setting, Layer 3 Switch Setting, IPsec/L2TP Setting, OpenVPN/MS-SSTP Setting, Dynamic DNS Setting, VPN Azure Setting, VPN Gate Setting, Clustering Configuration, Edit Config).]
Figure 7.118: Screenshot of SoftEther VPN

VPN Security Risks

= VPN Fingerprinting
= Man-in-the-Middle Attacks
= Insecure Storage of Authentication Credentials
= Lack of Account Lockout
= Username Enumeration Vulnerabilities
= Poor Default Configurations
= Poor Guidance and Documentation
= Offline Password Cracking

VPN Security Risks

Discussed below are the various VPN-related security risks.

= VPN Fingerprinting

The VPN fingerprinting technique allows the attacker to access useful information such as the type of connections implemented, devices used, and OSes deployed. Some systems, such as Cisco PIX and Nortel Contivity, potentially reveal crucial data such as the general type of devices deployed for building the network, while other systems display software version details.

= Insecure Storage of Authentication Credentials

Certain security issues occur if the credentials are not stored and protected appropriately. These security issues are due to an insecure method of storing authentication credentials by VPN clients. The following are common VPN issues with authentication and credentials:

o Storing the username unencrypted in a file or a registry
o Storing the password in a scrambled form
o Storing credentials in plaintext in memory
o Weak registry or file permissions for stored credentials

= Username Enumeration Vulnerabilities

Many remote-access VPNs use the IKE aggressive mode with a pre-shared key as their authentication method. The client sends an IKE packet to the VPN server, which responds with another IKE packet. These packets contain several payloads; the identity payload contains the username, and the hash payload contains the password. An attacker can tell valid usernames from invalid ones by the computational differences in the server's responses. Furthermore, an attacker can guess the correct password using the IKE aggressive mode and easily uncover the hash from the VPN server. This hash can be used with a brute-force attack to obtain the password.

= Offline Password Cracking

Offline password cracking is one of the most common flaws of a VPN. An attacker can crack a password offline by gaining access to the password hashes. Once the attacker obtains the user credentials, they can easily gain access to the hash from the VPN server. Simple passwords containing simple words increase the likelihood that password cracking succeeds.

= Man-in-the-Middle Attacks

Attackers may use insecure authentication protocols such as IKE to perform man-in-the-middle attacks on a VPN. In this type of attack, an attacker intercepts the communication between the client and server and obtains the client's authentication to the server. Man-in-the-middle attacks occur during data transfer through the VPN and allow an attacker to intercept, insert, delete, and modify messages; reflect messages back to the sender; replay old messages; and redirect messages.

= Lack of Account Lockout

The main aim of using the account lockout feature is to restrict the number of login attempts to a certain limit. If a user keeps attempting to log in beyond the limit, the account is automatically locked out. This feature prevents password cracking attacks such as brute forcing and dictionary attacks. Attackers can take advantage of the lack of an account lockout feature to gain account credentials, and the lack of such a feature reduces the security of the account.

= Poor Default Configurations

Almost all organizations have an automated configuration setup. However, if the organization uses the default configuration for the VPN, attackers may exploit these default configurations to compromise the security of the VPN. The default configurations support many ciphers and modes, ESP, and AH. An attacker with access to the client machine can prompt the end user to use a weaker cipher, which will make the attack easier. The end user may not notice that the cipher and configuration were changed, because the VPN will continue to function normally.

= Poor Guidance and Documentation

Poor guidance can lead to security vulnerabilities in the implementation of a VPN. An incorrect implementation in the configuration provides an opportunity for attackers to gain access to the VPN. The following are situations where this guidance is required:

o Using weak ciphers such as export-grade or single DES, which can be cracked easily
o Using weak key authentication techniques such as a pre-shared key with the IKE aggressive mode, which sends the username and a password that is vulnerable to offline cracking once a valid username is identified
o Choosing the AH protocol, which does not encrypt VPN traffic
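The username enumeration, offline password cracking and account lockout passages above describe what an attacker gains when failed logins are not limited and not watched. As an added example that is not part of this module, the following Python script replays VPN authentication log lines and applies the two defensive controls those passages imply: an account-lockout policy (a fixed number of failures per account inside a sliding window) and an alert when a single source address cycles through many distinct usernames, which is the trace a username-enumeration or guessing run leaves in the logs. The log format, thresholds, addresses, names and timestamps are all constructed for the example and are not drawn from any real VPN server.

```python
"""
Added example (not EC-Council's): replay VPN auth logs, enforce an account
lockout policy and flag sources that try many different usernames.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> AUTH <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+AUTH\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Policy thresholds (constructed values; tune to the environment).
LOCKOUT_THRESHOLD = 5                   # failures per account ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... inside this sliding window lock the account
ENUM_THRESHOLD = 8                      # distinct usernames from one source ...
ENUM_WINDOW = timedelta(minutes=10)     # ... inside this window raise an alert


def parse_line(line):
    """Parse one log line into a dict, or return None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def analyze(lines):
    """Replay the log and return (locked, enumerating).

    locked:      {username: timestamp of the failure that triggered the lockout}
    enumerating: {source address: timestamp at which the distinct-username alert fired}
    """
    fails = defaultdict(list)         # user -> timestamps of recent failures
    users_by_src = defaultdict(list)  # src  -> (timestamp, user) pairs seen recently
    locked, enumerating = {}, {}

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]

        # Enumeration check: how many different usernames has this source tried lately?
        recent = [(t, u) for t, u in users_by_src[src] if ts - t <= ENUM_WINDOW]
        recent.append((ts, user))
        users_by_src[src] = recent
        if src not in enumerating and len({u for _, u in recent}) >= ENUM_THRESHOLD:
            enumerating[src] = ts

        # Lockout policy: count failures per account inside the sliding window.
        if user in locked:
            continue  # already locked; the attempt is rejected whatever the password
        if ev["result"] == "OK":
            fails[user] = []  # a successful login clears the failure counter
            continue
        window = [t for t in fails[user] if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        fails[user] = window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked[user] = ts

    return locked, enumerating


# Constructed sample log: a normal login, a guessing run against "bob", one source
# cycling through eight usernames, and an account ("dave") whose failures are
# spread out so the sliding window keeps it below the lockout threshold.
SAMPLE_LOG = """\
2024-03-01T09:00:00 AUTH OK user=alice src=203.0.113.10
2024-03-01T09:01:00 AUTH FAIL user=bob src=198.51.100.7
2024-03-01T09:01:05 AUTH FAIL user=bob src=198.51.100.7
2024-03-01T09:01:10 AUTH FAIL user=bob src=198.51.100.7
2024-03-01T09:01:15 AUTH FAIL user=bob src=198.51.100.7
2024-03-01T09:01:20 AUTH FAIL user=bob src=198.51.100.7
2024-03-01T09:02:00 AUTH FAIL user=admin src=192.0.2.44
2024-03-01T09:02:01 AUTH FAIL user=root src=192.0.2.44
2024-03-01T09:02:02 AUTH FAIL user=test src=192.0.2.44
2024-03-01T09:02:03 AUTH FAIL user=guest src=192.0.2.44
2024-03-01T09:02:04 AUTH FAIL user=vpn src=192.0.2.44
2024-03-01T09:02:05 AUTH FAIL user=backup src=192.0.2.44
2024-03-01T09:02:06 AUTH FAIL user=support src=192.0.2.44
2024-03-01T09:02:07 AUTH FAIL user=user1 src=192.0.2.44
2024-03-01T10:00:00 AUTH FAIL user=dave src=203.0.113.11
2024-03-01T10:00:10 AUTH FAIL user=dave src=203.0.113.11
2024-03-01T10:00:20 AUTH FAIL user=dave src=203.0.113.11
2024-03-01T10:00:30 AUTH FAIL user=dave src=203.0.113.11
2024-03-01T10:15:00 AUTH FAIL user=dave src=203.0.113.11
"""

if __name__ == "__main__":
    locked, enumerating = analyze(SAMPLE_LOG.splitlines())
    for user, ts in locked.items():
        print(f"LOCKOUT  account={user} at {ts}")
    for src, ts in enumerating.items():
        print(f"ALERT    username enumeration from {src} at {ts}")
```

On the sample log "bob" is locked on the fifth failure and 192.0.2.44 is reported on its eighth distinct username, while "dave" is never locked because the fifth failure falls outside the ten-minute window. The lockout counter is keyed by account and the enumeration counter by source address, because the two controls answer different questions: the first protects one account from repeated guessing, the second catches a client that probes many accounts once each and would never trip a per-account limit.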
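The passages on insecure credential storage, man-in-the-middle attacks, poor default configurations and poor guidance each name a configuration weakness a defender can check for. As an added example that is neither EC-Council's nor the OpenVPN project's code, the following Python script audits an OpenVPN client configuration for those weaknesses: a plaintext credentials file with loose permissions, a single-DES or other legacy data-channel cipher, a weak or disabled HMAC digest, and the absence of the server-identity and TLS-floor directives whose omission eases a man-in-the-middle attack. The directive names are real OpenVPN directives; the two configurations, the hostname and the credentials file contents are constructed for the example, and the permission check assumes a POSIX host.

```python
"""
Added example (not EC-Council's or OpenVPN's): audit an OpenVPN client config
for weak ciphers, weak HMAC, plaintext credential files and missing server checks.
"""
import os
import stat
import tempfile
from pathlib import Path

# Legacy data-channel ciphers: the text's "export-grade or single DES" class plus
# other pre-AES ciphers and the explicit "none".
WEAK_CIPHERS = {"none", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                "BF-CBC", "RC2-CBC", "RC2-40-CBC", "RC2-64-CBC"}
WEAK_AUTH = {"none", "MD5"}   # data-channel HMAC digests that should not be used


def parse_config(text):
    """Return [(directive, [args])], skipping comments and inline <ca>...</ca> style blocks."""
    directives, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def audit_config(text, base_dir="."):
    """Return a list of findings for the configuration; an empty list means nothing was flagged."""
    findings = []
    directives = parse_config(text)
    present = {name for name, _ in directives}

    for name, args in directives:
        if name == "cipher" and args and args[0] in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher '{args[0]}'")
        elif name == "auth" and args and args[0] in WEAK_AUTH:
            findings.append(f"weak or disabled HMAC digest 'auth {args[0]}'")
        elif name == "auth-user-pass" and args:
            # With a file argument OpenVPN reads username and password as two plaintext lines.
            creds = Path(base_dir) / args[0]
            findings.append(f"credentials stored in plaintext file '{args[0]}'")
            if creds.exists():
                mode = stat.S_IMODE(creds.stat().st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(f"credentials file '{args[0]}' readable by group/others (mode {mode:04o})")
            else:
                findings.append(f"credentials file '{args[0]}' not found; permissions not checked")

    if "remote-cert-tls" not in present:
        findings.append("missing 'remote-cert-tls server': server certificate role not checked (man-in-the-middle risk)")
    if "tls-version-min" not in present:
        findings.append("missing 'tls-version-min': legacy TLS versions can be negotiated")
    return findings


# Constructed "before" configuration carrying the weaknesses the text warns about.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
cipher DES-CBC
auth MD5
auth-user-pass creds.txt
"""

# Constructed "after" configuration: AEAD ciphers, SHA-256 HMAC, server identity
# check, TLS 1.2 floor, and credentials prompted for at connect time, not kept on disk.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
auth-user-pass
"""


def audit_with_creds_file(config_text, creds_mode):
    """Audit config_text in a temporary directory holding a constructed creds.txt with creds_mode."""
    with tempfile.TemporaryDirectory() as d:
        creds = Path(d) / "creds.txt"
        creds.write_text("alice\nexample-password\n")  # constructed sample content
        os.chmod(creds, creds_mode)
        return audit_config(config_text, d)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_with_creds_file(cfg, 0o644) or ["no findings"]:
            print("  -", finding)
```

The weak configuration yields six findings when its credentials file is world-readable and five when the file is mode 0600 (the plaintext-file finding remains, since tightening permissions does not change that the password sits on disk); the hardened configuration yields none. The audit deliberately reports missing directives as well as bad values, because the default-configuration passage above is about what the client does not say: an absent `remote-cert-tls server` leaves the client willing to talk to any certificate issued by the CA, which is the opening a man-in-the-middle needs.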