May 1st, 2003, 07:01 PM
I was taking a class from this Cisco security expert, and he relayed to us something I didn't know and I thought it was pretty cool. I don't have much expertise in VPNs, but this guy said that you can sniff on the external LAN just by using a specially crafted packet. He said that VPNs offer no security whatsoever; all they provide is Business Management. Anyway, thought that was interesting.
May 1st, 2003, 07:22 PM
This sounds like rubbish; if a VPN is set up correctly, all traffic going through it will be encrypted. VPNs, when used correctly, provide a hell of a lot of security for data that needs to get to a destination without being readable in the transmission.
I'm assuming the specially crafted packet is probably just using awkward TCP flags or some other strange bits set; any real firewall can filter, exclusively allowing incoming traffic and denying all other stuff. I.e., on a webserver using OpenBSD as the OS, you might use a rule like this:
pass in on $external_interface proto tcp from any to any port 80 flags S/SAFRUP keep state (max 250)
This only allows incoming packets with the SYN flag set, all others unset, and will only allow 250 entries in the state table.
Have you filled out an ID-10-T or PEBKAK form lately?
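Added example (not part of the original post): a Python sketch of how a pf-style "set/mask" flag test such as S/SAFRUP from the rule above is evaluated, compared with the looser S/SA. The function names and the sample flag bytes are constructed for illustration.

```python
# TCP header flag bits, keyed by the single letters pf.conf uses.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def _bits(letters):
    """OR together the bits for a string of flag letters."""
    value = 0
    for ch in letters:
        value |= TCP_FLAGS[ch]
    return value

def parse_flag_spec(spec):
    """Split a 'set/mask' spec such as 'S/SAFRUP' into (set_bits, mask_bits)."""
    want, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError("expected 'set/mask', e.g. 'S/SA'")
    want_bits, mask_bits = _bits(want), _bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError("flags to match must also appear in the mask")
    return want_bits, mask_bits

def flags_match(spec, flags_byte):
    """True when, of the flags in the mask, exactly the 'set' flags are on."""
    want_bits, mask_bits = parse_flag_spec(spec)
    return (flags_byte & mask_bits) == want_bits

# Constructed sample flag bytes (not captured traffic).
SAMPLES = {
    "SYN": 0x02, "SYN+ACK": 0x12, "SYN+FIN": 0x03,
    "FIN+PSH+URG": 0x29, "no flags": 0x00, "SYN+ECE+CWR": 0xC2,
}

def evaluate(spec):
    """Map each sample name to whether the rule's flag test would match it."""
    return {name: flags_match(spec, value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for spec in ("S/SAFRUP", "S/SA"):
        print(spec, evaluate(spec))
```

Flags outside the mask are ignored, so SYN+ECE+CWR still matches S/SAFRUP, while SYN+FIN matches only the looser S/SA.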
May 1st, 2003, 07:24 PM
You can just consider VPN a means to get traffic from Point A to Point B in an encrypted fashion. If you provide no further restrictions, either through your concentrator, router, or firewall, they will be able to do anything that you could do over a normal session... be it work, transmit a virus, or attack a network with one of your IPs...
The only thing VPN buys you is that no one between the two endpoints of the tunnel should be able to sniff your traffic and obtain sensitive data (would require some massive number crunching to break depending on your encryption setup). Depending again on the setup, it may give further benefits of limiting holes in firewall rules to allow only the concentrator in and require authentication of users just to enter the network...
Just some random thoughts on the matter...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
May 5th, 2003, 02:41 AM
I'm with nebulus on this point. Think of VPN as your driveway: anyone can drive down it, but they have to come from: a) the street to your garage
or: b) your garage to the street
May 5th, 2003, 08:24 AM
I don't know what you understand by VPN but there are 3 ways to do it.
1- IPsec: An IP header and an ESP encapsulation with encryption of the entire source IP frame is an effective protection against Man In the Middle (MIM) attacks.
2- MPLS uses the "Virtual Routing Forwarder" (VRF) to separate the routing tables of customers. Cisco says that this separates corporate domains efficiently, and they often make reference to banking corporations that use VRF over an ISP.
But I suspect they enhance their security by using IPsec in overlay.
3- A simple GRE tunnel is a VPN. If no frames are encrypted, then packets may be sniffed or forged by a MIM to make the private network insecure. I think that the Cisco guy was talking about such a VPN.
But remember, as the 2 fellows say, that once you secure your system against MIM, there is still a danger from the inside!
SHARING KNOWLEDGE
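Added example (not part of the original post): a Python sketch of the difference between options 1 and 3 above, showing what is readable on the path from a plain GRE packet versus an ESP packet without any keys. The packets, addresses, SPI and payload are constructed samples, and the ESP body is a stand-in for ciphertext rather than real encryption.

```python
import socket
import struct

GRE, ESP = 47, 50  # IP protocol numbers

def ipv4(proto, src, dst, body):
    """Build a minimal IPv4 header (checksum left 0) in front of body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def parse_ipv4(buf):
    """Return (protocol, src, dst, bytes after the header)."""
    ihl = (buf[0] & 0x0F) * 4
    return (buf[9], socket.inet_ntoa(buf[12:16]),
            socket.inet_ntoa(buf[16:20]), buf[ihl:])

def observer_view(packet):
    """What someone on the path can read from one packet without any keys."""
    proto, src, dst, body = parse_ipv4(packet)
    view = {"outer": (src, dst), "inner": None, "payload": None}
    if proto == GRE:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        view["tunnel"] = "GRE"
        # Only the base 4-byte GRE header carrying IPv4 is handled here.
        if flags_ver == 0 and ptype == 0x0800:
            _, isrc, idst, data = parse_ipv4(body[4:])
            view["inner"], view["payload"] = (isrc, idst), data
    elif proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        view.update(tunnel="ESP", spi=spi, seq=seq)  # the rest is ciphertext
    else:
        view["tunnel"] = None
    return view

# Constructed samples: documentation addresses outside, private ones inside.
INNER = ipv4(253, "10.0.1.5", "10.0.2.9", b"payroll record 42")  # 253 = experimental
GRE_PACKET = ipv4(GRE, "192.0.2.1", "198.51.100.1",
                  struct.pack("!HH", 0, 0x0800) + INNER)
# Stand-in for ciphertext; a real ESP body is the encrypted inner packet.
ESP_PACKET = ipv4(ESP, "192.0.2.1", "198.51.100.1",
                  struct.pack("!II", 0x1001, 1) + bytes(range(40)))

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PACKET), ("ESP", ESP_PACKET)):
        print(name, observer_view(pkt))
```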
May 9th, 2003, 10:36 PM
Cisco men work much with GRE/tunnelling, especially in the migration case from IPv4 to IPv6. It may be vulnerable somehow.
Back from the beginning, does anybody remember what VPN was created for? What is the main purpose of VPN, and then of IPsec?
VPNs, first and foremost, are developed to replace the inexpensive LEASE-LINE or any other packet-switched network. By using the public Internet, security issues are taken into consideration, so come IPsec and other encryption technology.
However, as it becomes more and more popular, more researchers from all over the world are developing more features, and it soon becomes one of the key network technologies.
Let's go to Paramount Great America !!!! LFC (LookingForChick)
May 10th, 2003, 02:05 PM
This is complete hor$e$hit. I worked for a VPN company for a few years and I can say without any doubt that you have been given false information. For the moment, forget about the technical explanation why this is untrue. Let's start with common sense. A vulnerability like this would have been churned through bugtraq ten times over.
"But this guy said that you can sniff on the external LAN just by using a specially crafted packet. He said that VPNs offer no security whatsoever; all they provide is Business Management."
As for the technical explanation, think for a moment how a VPN works. It encapsulates, encrypts and protects data from manipulation. In my case, the VPN would only pass traffic from a proprietary client. You could try replay attacks but that would fail because we continuously changed session keys. You could try a MITM attack but that wouldn't work because the payload is encrypted. You could try to blow through the VPN gateway itself but the service is rock solid and has been pounded by the best in the business.
I'd go ask the Cisco expert for a proof of concept demonstration. I wouldn't hold your breath for the results.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 8th, 2003, 05:53 AM
What is a MIME attack? Can anyone explain it for me?