Originally posted by: MulLa
Hi all,
How easy is it to hack into a VPN box with preshared key?
Assuming you're using a reasonably secure VPN device, such as a PIX, or a Netscreen, as well as IPSec/ISAKMP using 3DES encryption. It's fairly difficult to crack 3DES encryption. The goal is to get the key you use to encrypt/decrypt your data. You'd need to set your security-association lifetimes low enough so that a new key is generated often enough to deter anyone who might try to find your key. You can use something like an 8-hour lifetime if you want to. You might go as low as 15 minutes for *extremely* sensitive links.
3DES is pretty secure, AES is supposed to be a little more secure and a lot more efficient. I say it's "supposed" to be because compared to 3DES, it hasn't been around as long. Time will tell, but it is the current government standard.
ISAKMP handles the rekey procedure for IPSec. So it's safe to assume that if someone hijacked your ISAKMP session, they'd receive your newly renegotiated 3DES key and have the key for your actual data tunnel. That said, ISAKMP is pretty hard to break into. It's got all sorts of mechanisms to prevent tampering with packets en route, and other attacks.
While I won't say what lifetimes I use when I configure devices, I'll put it in a range. Anywhere between 15 minutes and 8 hours for IPSec, and 8 hours to 24 hours for ISAKMP.
It is FAR easier to break into a remote machine that is connected via VPN than it is to actually hijack the VPN tunnel itself. If you break into the machine and get control of it, you'll also get control of the VPN tunnel unless there is another layer of authentication that you have to pass through before you get access to any resources on the other side (read: username/password).
Personally, I think you ought to buy some books about VPNs and how to secure end systems to make sure you know what you're getting yourself into. I don't know how your company works, but I know of someone who brought up the idea of VPN with his company, was put in charge of implementing it for home users, didn't put in the right controls and had a virus wipe out half of his company's server farm and is now in search of a new job.
If you think I'm just preaching doom, just leave all your home users with unrestricted access to your network for a few months and see what happens. Eventually something's going to get by your AV software.
I think it was Spidey that said VPNs are the demise of all network security. That's pretty close to the truth. You gotta know how to secure 'em, and to do that you gotta understand the technology and what you're dealing with.
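The reply above talks about pre-shared-key IPSec/ISAKMP with 3DES or AES and about keeping the ISAKMP (phase 1) and IPSec (phase 2) security-association lifetimes short. The fragment below is an added example, not configuration from the poster or from any PIX/Netscreen box: it uses Cisco IOS-style crypto-map syntax (the PIX and Netscreen CLIs differ), and the peer address 203.0.113.10, the 10.1.0.0/16 and 10.2.0.0/16 subnets, the names VPNMAP/TS-AES/TS-3DES/VPN-TRAFFIC and the key placeholder are all assumptions chosen for illustration. The lifetimes sit inside the ranges the reply gives: 8 hours (28800 s) for ISAKMP and 1 hour (3600 s) for the IPSec data SA.

```cisco
! --- Phase 1 (ISAKMP): pre-shared key, AES, 8-hour SA lifetime ---
! (the reply discusses 3DES; AES is the alternative it calls more efficient)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key bound to one peer. Replace REPLACE-WITH-LONG-RANDOM-KEY
! with a long random secret; this placeholder is an assumption, not a real key.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.10
!
! --- Phase 2 (IPSec): transform sets for the two ciphers the reply mentions ---
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
 mode tunnel
!
! Global default for the data-SA lifetime: 1 hour (inside the 15 min - 8 h range)
crypto ipsec security-association lifetime seconds 3600
!
! Only the traffic that must cross the tunnel (assumed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map: per-peer override of the data-SA lifetime, PFS so a new
! Diffie-Hellman exchange happens at every phase-2 rekey
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set security-association lifetime seconds 3600
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

Switching `set transform-set TS-AES` to `TS-3DES` gives the 3DES variant the reply describes; everything else, including the lifetimes and the pre-shared key binding, stays the same. Note that the phase-2 lifetime is the one that bounds how long a single data key is in use, which is the value the reply suggests driving down to 15 minutes for very sensitive links.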