DeepSec Vienna 2007 7 Layers of Insecurity . ity r cu
s s
Se k to a r s e e's r k e o n eal a o ca ad w t d h f R r spe
-gr e o t
” y r N g muc e. gua us o
a e j it s f e ibl il a litt t a
s ol a m th This eakin i e v 3 i pos w
5 r nt S d to s
us d e e r P e
ly Sp ption. e l W inc ne t y al “
a r
V swor
p
s u
the -- a t rtu i
enc r pa
h i V
V C DeepSec Vienna 2007 7 Layers of Insecurity r om .c owing n unte de ung) r t foll i r e w
mons rbe on) t i a t a unde ite c k Be om i i be if n or r e a a ec t be w l
od ri r v N s h i i m ha st P t ye uc th V a or a e f Au nz ( n und be - e Ma ,
ify orbe ng t o nc n ze d n 3 v u o e
cr z 5 i ite e Li als nna ic tia rde e r l t mo e (
e s
ht i w. d e Nut c V a
rbr e lbe us ba nd , m e e le l e a a l v
s Re nc a ww S i m
nnt we s e e ie r , te ngs r r r r zt, rc rz e na f fe bu e nig p:// i e o if r me nut t raini r f n: Ei unde
it unte n ge is T ge htt om be
e n Pfe omm d / d
i c d be t s I k e , e r
v né e 7 f ht r t work Ar 0 f c e e e r ngunge
Re us s 0 i ng an mus non v v , i h y i i ni s d t n müs l t t a re 2 or
e e a a f r ür ul g
s fk it da
f Be : v v e i hor or a ri ri n b nt fre be r K ght e y
l
De Only Nur De Aut Aut m ri
Ar y e
m Cons nde e . e
e e
v
ha p e s .T
e a o lge ou ma
gr
o o N a Di f Mic C. Y Som
©
C DeepSec Vienna 2007 7 Layers of Insecurity N s P k V r -
o 3 5 w t e N
e es t i a g v 7 3 i 0
5 r olo 0
ks
n 2 r P r
e e l
b da t ttac a
ech
m p
A T
e u en
v a t g
o r
h i N A
©
V C DeepSec Vienna 2007 7 Layers of Insecurity . acy N v P V -
Pri 3 5 al s e irtu i g f V o o l o
7 n ays 0 h 0
W 2 c r
e e b us
T
m io
e
r
v N
a
o
P N V
©
V DeepSec Vienna 2007 7 Layers of Insecurity . N P V - IPv6
3 4/ 5 ) IPv c r e s fo
P I ty (
ri 7 y
0 t i 0 r
2
r u e
b c
m e
e
v
S
ative Secu ative
o
N N
P ©
I DeepSec Vienna 2007 7 Layers of Insecurity acks N P f IPv6 V - o
IPv4 3
lay att 5 art ) n ep ers c with y p e ov r m r atio n c s d o to sed P fro ti I
u ec ( n da n
ca o i 7 y an ti IPs 0 t be i 0 f m r ent 2 ectio r grity vali
u
e th cryp n o
b te c u
m
n e
Prot I A En e
v
sec can sec is sec is S esig
o
P P
N D I I
P © I DeepSec Vienna 2007 7 Layers of Insecurity SP) ad (E n N n ) P y t V aylo H -
atio P 3 gri c 5 (A ti te ticatio er rity n en en s th ead th l ss i e o h l Secu au au
n n c n n i o o o o i ti t 7 ig ti 0 r o 0 lating ca ect r i
2 r grity & P su e nn cryp
b te ent o ata o c m n
I En D C e
th e cap v
u
o S
N En A
P ©
I DeepSec Vienna 2007 7 Layers of Insecurity er ead N P V d h -
3 5 an ay ad ad o o yl yl atew e -g d pa pa s d e -to 7 de d ted ted 0 -en o 0 o
2 m r -to ort mo M e teway d cryp cryp
b el
sp c m Ga En En En
e
e nn v
o ran
u S
N T T
P ©
I DeepSec Vienna 2007 7 Layers of Insecurity s er E) met ) a N P ar V e (IK -
(SA 3 n n 5 ng o o a tiated i i t hare p o at s a i i s g keys c t oc n & n o i i e neg ss s s ey Exch o b A s p m
7 key y to 0 l A t
0
et K ith ed r 2 n y ua
r ds uri r t o
e i ect
b g
te r ee l m n
n u I Man Sec A e
nn
v c o
o e N SA C
©
S DeepSec Vienna 2007 7 Layers of Insecurity t ey ) en OI d K em D ) an ag E n KMP) o K I ti ( N a
man (IPSEC P I d e V ci (ISA - l O g e 3 an so D n 5 d co e y s a t As g to C h Mo ri c an e ity e Pro r x v RF
d i ch n E cu nt
i Secu ex y
ess r e 7 sed g 0 eme
0 K et Se et IP o g
2 n n t ag A r r r
e e es key rop
b l E E Main Mo te te n d m K K n n r I I I I Man e
v
E p e an
o t K
N H I
n ©
I DeepSec Vienna 2007 7 Layers of Insecurity e od kets) m y ex ac l l N e p P
v V ke i - mp li
s
3 o n s 5 c ess r o r e (few ash ti g ro g r c ta e e h e ag an n n s th
o men P ti e i I e ce
l m a g r r exch 7 u n i 0 u igh fo an
0 o g
i 2
r te- s
e nf in imp iffing
u b k
sec/IKE are very are very sec/IKE r o
m act: h
P c
k: med Sn B C I e
gs
p a v s i ey exch u t o
m t N I R K B
©
A DeepSec Vienna 2007 7 Layers of Insecurity g N P n V i - l
3 e 5 . n y g n o u l ) T o
P n t T n i P ech o P 7 ( 0
P
0 - l
2 PN T r o o
e t V
c b
-
t y
m o
e
t n v i
o
o o r N Earl
©
P P DeepSec Vienna 2007 7 Layers of Insecurity t E n s i -Po e GR o ag t-t n i an 28 bit key E m N 1
P r n V o ® Po - to o
i s 3 6 P h GR P-v2 5 t oft 5 C i A w H ticat ssion en h 40, eer w t se i Micros
th MSC e 1723/T
p o i w n
au v to
o
tw ft® r via (MPPE)
7 s S C4 r n 0 n n e L 0 so o ink o o v 2 ffe ses l ti ti
r
si e O o u P-T
cro
b
ses R P P
m P
U Mi EA Ses PPP e
cryp cryp
v T
o
P N En En PPT PPT
©
P DeepSec Vienna 2007 7 Layers of Insecurity P-v2 A s CH P/IPsec he st server 2T MS- n
as i L h r ga o
le a N ☺
P with V -
sed 3 PTP 5 IPsec essab tacks ys so t u P e u o at se sa n u s
el : MS s fin se g n s th d i eier i e g an n ath s u n vo m d len k a r PTP 7 u ch e p i a l 0 y P e igh
0
o e c r 2 y ke r r swo ce Sch
e W grad nt cti u
b p o r a eo ull
m act: h
r P k: med U Pas C F B e
p
v
s T p th i
o m n
n
P N R I I I
©
P DeepSec Vienna 2007 7 Layers of Insecurity l 5. o r c N o P t aye V - o r 3 n L 5 P
t o r g o n i p l p e n Su n N 7 u 0
0 T
VP
2 r
2 e )
b
r P
m e
e T
v y
ayer 2 ayer 2 o
2
a N L
L ©
( L DeepSec Vienna 2007 7 Layers of Insecurity ) n 5 r c i ort 1701 ) laye ticatio y C t e (p en A b th N d DP PN traff l (L P r V ntiali u V S) au - r
N s 3 l ho 5 ng fide e s (L fo n in U trato n el l nn 2, n e cen stro co n latio er n nn w o w tu su ay e a tu C i f tu e l es no es no ne rk Server s s v r cap k o 7 r r 0 li e
vid vid 0 o o v 2
s fo etwo cces r r r ks t
e O A b
p p N create
ai itiato
ses en oo m P P P P P
n P
W I L U e
v T
2T 2T 2T 2T 2T
o
2 N L L L L L
©
L DeepSec Vienna 2007 7 Layers of Insecurity er g t ssen f pa emen n o ag ) N th P i V an 2F - w
m ectio 3 (L
5 n ed g sp in bin er m d s n rwardin l i o es sessio e n co F 7 n 0 fte ay h vid 0 n o l o 2
m P r u r
s e T co b i p Sec el
ayer 2
m P P P
to P L I PPT
e
nn v
o T
r 2T 2T o
u
2 N p T L L
© L DeepSec Vienna 2007 7 Layers of Insecurity e. ivat ly Pr N l P V -
3 irtua 5 it's V t ye
d
7 ™ 0 0 N
2 n an r P e
b V pe
m n
e
e v s O
' o
t p
N I
©
O DeepSec Vienna 2007 7 Layers of Insecurity n o P ti TT ing H cryp ) SSL gh CP en u N en P nd V - hro a
Op
t w ce or T 3 n 5 e s i pa e on DP xes everyth s v e xi r l er e sed ro ticatio v p us 194 (U ultip O e en n
m is ba t i th
us 7 ™
ort 1 0 ™ ™ 0 ien N ab)
2 (
r
P es au e
VPN VPN
b V d i an ses p
m n
C U e en
en e v
o p
N Prov Op Server/cl Op
© O DeepSec Vienna 2007 7 Layers of Insecurity ke g ha n i s n nd an sc
S ha o L y n T ackets h S, p N d p o P V a D se - r
LS at all ticate u o 3 VPN g 5 pt n en o y , t r all th r p LS y certificates r receive key receive t/enc c key is L/T / n au & i n't start T re fo C d
s ca
ca atu 7 ™ stat n 0 ™
ecryp sen r 0 N g ker
2 o ects SS S key r P
si key e
VPN
b V ttac MAC ata d c /TL
m n
ti PSK A Prot D H e
en e v MAC
o p
N Op H SSL Sta
©
O DeepSec Vienna 2007 7 Layers of Insecurity t n e n cli A e o C od er c s p e t o fig ates r n c i N f a p P co
0.5)
V ™ -
execu se 2. 3 N sh 5 u u P s certi p
u can V r s o 0.0 to n r i . ates, c e ve 2 c ve p r er ™ s O
se
N m
t mali 7 u n us i u 0 ™
igh 0 h certificates o b t
nVP 2 i r
s icio e id w eck certifi l
pe VPN b k
h
a m
act: h c M
k: med Mal (O C V e en
p
T a v s i t o
m t N R I Op MI
©
A DeepSec Vienna 2007 7 Layers of Insecurity . l e nn u h T t N P V s wi -
n 3 5 ectio n on l C 7 el 0
0 H
2 r S
e
b S
m
ure Sh n
e e v
o p
N Sec
©
O DeepSec Vienna 2007 7 Layers of Insecurity p s c d r r , o et n n rases el t h in, e Passw tificatio g ds assp o m o N i en P rl d , V - e T eth ith p
3 st i w m rsh 5
ing
o s n d H , On r h I le , S b n key S o si PK r i n places orwa ticatio s, f os e e s o tect p l r en d X ard s s p r 7 l
d el O th 0
0 t C ne ero an d 2
r swo n b t ar f au e n r b o a er
tu
m ure Sh grity pro s K Sm Pas Po e
P
v H te
ot C o
n
S N L I T Sec
© S DeepSec Vienna 2007 7 Layers of Insecurity H v1 SS
N ) P t l V -
3 5 ks with s h k g g c i a attac t t ssin m/h s A u
i si ue y ks (very difficu ks (very 7 H g ed acks 0 al sertion 0 S
d r 2 w in ttac r S att o e
) a y/
b IP a n l m swo act: m M
k: l e e
P/ p T
v s i
ep p C o raffic an
m
N I T R Pas T MI R
O © ( DeepSec Vienna 2007 7 Layers of Insecurity s n o i N t P a V t -
3 n 5 e m e ere. l h p T t m u I
O 7 0 N
0 P 2
r
V e ey is
b
r K m
e e
v h
he
o t
N T
©
O DeepSec Vienna 2007 7 Layers of Insecurity PSK d l N P n V an ne o - s
n ti it 3 l n a 5 b o l o i to t su
2/3 tu a 128 t cap n sh i e En wf m P o 7
l e 0 I l 0 orts layer rietary VPN to p 2
r p
e p chi yp m
b I ses B r
m
n Prop U Su C e
v
PE N ama I
o
P N H tinc vtu C
©
V DeepSec Vienna 2007 7 Layers of Insecurity es. . . n cat i o f ms. ti keys N ta erti r P c u V
orith - g
3 men n 5 alg e
e yo l si e g r u imp
en han ecu c s
eck d wh n l 7 3 fu
ow 0 e 5 0
y 2 r
ect an r ays ch
ar e e b w t l se kn e car
m p Prot U B A e
mm v a N . . . .
o
h P N Su
©
V C DeepSec Vienna 2007 7 Layers of Insecurity N P V -
3 5 7 u 0 s? 0 o n 2
r Y o
e
b ti k
m n e es
v a
o h N Qu
©
T DeepSec Conference © November 2007
Chapter 53 Virtual Private Networks
Virtually Speaking of Real Security. D 7
eep L ayers o
“We use military-grade Sec encryption. This just speaks to
the need to safeguard one's Vien f I password with as much care as n secu
possible.” n a 2007 rity -- Vincent Sollitto
© November 2007 53 - VPN 1
99 - Things in Life 1 DeepSec Conference © November 2007
Copyright Information
Some rights reserved / Einige Rechte vorbehalten
Michael Kafka, René Pfeiffer, Sebastian Mayer C.a.T. Consulting and Trainings, Vienna, Austria
You may freely use, distribute and modify this work under following D agreement: 7
eep Diese Arbeit darf frei genutzt, verbreitet und bearbeitet werden unter L
folgenden Bedingungen: ayers o Sec Authors must be referenced (also for modification) Autoren müssen genannt werden (auch bei Bearbeitung)
Vien
Only for non commercial use f I Nur für nichtkommerzielle Nutzung n secu
Derivative work under same licence n
Derivative Arbeit unter selber Lizenz a 2007
http://www.creativecommons.com rity
© November 2007 53 - VPN 2
This presentation is published under the CreativeCommons License which can be viewed in detail on their hompage: http://creativecommons.org/licenses/by-nc-sa/2.0/at/ Read more on http://www.creativecommons.com
You are free:
to Share — to copy, distribute and transmit the work
to Remix — to adapt the work
Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial. You may not use this work for commercial purposes.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
● For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to this web page. ● Any of the above conditions can be waived if you get permission from the copyright holder. ● Nothing in this license impairs or restricts the author's moral rights.
99 - Things in Life 2 DeepSec Conference © November 2007
Chapter 53 Virtual Private Networks
Agenda Technologies Attacks D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 3
99 - Things in Life 3 DeepSec Conference © November 2007
VPN Technologies
Various Ways of Virtual Privacy. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 4
99 - Things in Life 4 DeepSec Conference © November 2007
IP Security (IPsec)
Native Security for IPv4/IPv6. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 5
99 - Things in Life 5 DeepSec Conference © November 2007
IP Security (IPsec)
IPsec is mandatory part of IPv6 IPsec can be used with IPv4 Design of IPsec covers D 7
eep Encryption L ayers o
Integrity validation Sec Authentication
Vien Protection from replay attacks f I n secu n a 2007 rity
© November 2007 53 - VPN 6
99 - Things in Life 6 DeepSec Conference © November 2007
IPSec Protocols
Authentication header (AH) Connectionless integrity Data origin authentication D 7
eep Encapsulating Security Payload (ESP) L ayers o
Integrity & authentication Sec Encryption
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 7
99 - Things in Life 7 DeepSec Conference © November 2007
IPSec Modes
Transport mode End-to-end Encrypted payload D 7
eep Tunnel mode L ayers o
Gateway-to-gateway Sec Encrypted payload and header
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 8
Transport is usually used to secure host-to-host connections. In IPv6 all security and authentication is shifted to the IPsec component. This is the reason why IPsec is mandatory in IPv6. Other protocols such as OSPFv6 or others don't have their own mechanisms for authentication anymore.
99 - Things in Life 8 DeepSec Conference © November 2007
Security Association
Connected points share parameters Algorithms & keys Security Association (SA) D 7
eep SA needs to be negotiated L ayers o
Internet Key Exchange (IKE) Sec Manual keying
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 9
99 - Things in Life 9 DeepSec Conference © November 2007
Internet Key Exchange (IKE)
IKE proposed in RFCs Internet Security Association and Key Management Protocol (ISAKMP) D 7
eep Internet IP Security DOI (IPSEC DOI) L ayers o Handles key exchange and management Sec IKE Main Mode
Vien IKE Aggressive Mode f I n secu n a 2007 rity
© November 2007 53 - VPN 10
An architecture for the Internet Key Exchange Protocol
99 - Things in Life 10 DeepSec Conference © November 2007
Attacks on IPsec
Bugs in implementations IPsec/IKE are very complex Configuration errors likely D 7
eep Key exchange in aggressive mode L ayers o
Sniffing exchange (few packets) Sec Brute-force the hash
Vien Risk: medium f I n secu Impact: high n a 2007 rity
© November 2007 53 - VPN 11
Penetration Testing IPsec VPNs A Cryptographic Evaluation of IPsec Cryptography in Theory and Practice: The Case of Encryption in IPsec IPsec offers “too much” options. This can easily lead to implementation errors that may open doors for attackers. It also increases the possibility for errors in the source code of the IPSec stack. Nevertheless IPSec offers interoperability and a solid encryption with key management provided the administrators created a proper configuration. Mitigation: • Make sure IPsec parametersare fully defined and known to everyone dealing with administration. • Always use encryption and integrity checks (make sure integrity of packets gets really checked). • IPsec endpoints need to be inside DMZs so that decrypted traffic can still be inspected. • Don't use the aggressive mode (also known as quick mode) if possible. • Test the implementation of IPsec you use. Disagreement between developers and standard designers may lead to unpredicted results (see Lost in Translation: Theory and Practice in Cryptography for details).
99 - Things in Life 11 DeepSec Conference © November 2007
Point-to-Point Tunneling Protocol (PPTP)
Early VPN Technology. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 12
99 - Things in Life 12 DeepSec Conference © November 2007
PPTP Overview
PPTP uses two sessions PPP link to peer with GRE Session on 1723/TCP to manage GRE D 7
eep PPTP offers authentication L ayers o
Microsoft® MSCHAP-v2 Sec EAP-TLS
Vien Encryption via Microsoft® Point-to-Point f I n
Encryption (MPPE) secu n Uses RC4 with 40, 56 or 128 bit keys a 2007 rity
© November 2007 53 - VPN 13
PPTP proposed in RFC 2637 FAQ on PPTP from Microsoft®
99 - Things in Life 13 DeepSec Conference © November 2007
PPTP Weakness
In theory PPTP is fine Bruce Schneier says so ☺
D In practice avoid MS PPTP with MS-CHAP-v2 7
eep Full key length not used L ayers o
Passwords use guessable hashes Sec Control channel attacks against server
Vien Upgrade path: use IPsec or L2TP/IPsec f I n secu Risk: medium n a 2007 Impact: high rity
© November 2007 53 - VPN 14
Frequently Asked Questions -- Microsoft's PPTP Implementation (Bruce Schneier's web site) Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) Mitigation: • Avoid Microsoft® PPTP with MS-CHAP v2. • Use a strong password policy and change passwords periodically. • Use IPsec or L2/TP/IPsec
99 - Things in Life 14 DeepSec Conference © November 2007
Layer 2 Tunneling Protocol (L2TP)
Layer 2 VPN Support on Layer 5. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 15
99 - Things in Life 15 DeepSec Conference © November 2007
L2TP Overview
L2TP creates a tunnel for VPN traffic Uses encapsulation in UDP (port 1701) Looks like layer 2, should be layer 5 D 7
eep L2TP Access Concentrator (LAC) L ayers o
Initiator of tunnel Sec L2TP Network Server (LNS)
Vien Waits for new tunnels f I n secu L2TP provides no strong authentication n a 2007 L2TP provides no confidentiality rity
© November 2007 53 - VPN 16
Layer 2 Tunnel Protocol (documentation from Cisco) U.S. Patent 5,918,019
99 - Things in Life 16 DeepSec Conference © November 2007
L2TP Tunnels
L2TP provides session management L2TP is often combined with IPSec D 7
eep PPTP L ayers o
Layer 2 Forwarding (L2F) Sec Tunnel may hinder inspection of passenger
Vien
protocol f I n secu n a 2007 rity
© November 2007 53 - VPN 17
99 - Things in Life 17 DeepSec Conference © November 2007
OpenVPN™
It's Open and yet it's Virtually Private. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 18
99 - Things in Life 18 DeepSec Conference © November 2007
OpenVPN™ Overview
OpenVPN™ is based on OpenSSL Server/client in userspace OpenVPN™ multiplexes everything D 7
eep Uses port 1194 (UDP or TCP) L ayers o
Can (ab)use proxies through HTTP Sec Provides authentication and encryption
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 19
99 - Things in Life 19 DeepSec Conference © November 2007
OpenVPN™ Cryptography
Static key HMAC send/receive key Data decrypt/encrypt D 7
eep SSL/TLS keys & certificates L ayers o
HMAC signature for all VPN packets Sec Protects SSL/TLS, no DoS, no scanning
Vien OpenVPN™ can authenticate TLS handshake f I n secu PSK or static key is used n a 2007 Attacker can't start TLS at all rity
© November 2007 53 - VPN 20
99 - Things in Life 20 DeepSec Conference © November 2007
Attacks on OpenVPN™
MITM with certificates Valid but malicious certificates Check certificates, use a proper CA D 7
eep OpenVPN™ servers push configs L ayers o
Malicious server can execute code on client Sec (OpenVPN™ 2.0.0 to 2.0.5)
Vien Risk: medium f I
n
Impact: high secu n a 2007 rity
© November 2007 53 - VPN 21
Mitigation: • Establish a proper PKI for OpenVPN™ deployment. • Test your OpenVPN™ implementation with test tools and random data.
99 - Things in Life 21 DeepSec Conference © November 2007
OpenSSH
Secure Shell Connections with Tunnel. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 22
99 - Things in Life 22 DeepSec Conference © November 2007
SSH and OpenSSH
Secure Shell replaces rsh, rlogin, telnet, rcp TCP tunnels possible Port and X forwarding D 7
eep Integrity protection, host identification L ayers o
Lots of authentication methods Sec Passwords or keys with passphrases
Vien Smart Cards, PKI, One Time Passwords f I n secu Kerberos n a 2007 rity
© November 2007 53 - VPN 23
99 - Things in Life 23 DeepSec Conference © November 2007
(Open)SSH Attacks
Replay/insertion attacks with SSH v1 MITM attacks (very difficult) Password guessing D 7
eep TCP/IP attacks L ayers o
Traffic analysis Sec Risk: low
Vien Impact: medium/high f I n secu n a 2007 rity
© November 2007 53 - VPN 24
OpenSSH knows different SSH protocols (v1, v1.5, v2, compatibility modes). SSH v1 has a weakness in its CRC-32 checksumming and may allow insertion attacks. There is also a possibility to stage a MITM attack, but this requires getting the private server host key. SSH can't do anything against TCP/IP attacks or traffic analysis (in terms of volume and addresses used). Mitigation: • Limit access to SSH ports (22/TCP). • Don't allow interactive username/password logins. Use keys with passphrases instead. Further reading: • OpenSSH security information • Detailed Review of SSH
99 - Things in Life 24 DeepSec Conference © November 2007
Other VPN Implementations
The Key is Out There. D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 25
99 - Things in Life 25 DeepSec Conference © November 2007
VPN Implementations
CIPE Crypto IP Encapsulation vtun D 7
eep Supports layer 2/3 tunnel L ayers o
Uses Blowfish 128 bit and PSK Sec tinc
Vien Hamachi f I n secu Proprietary VPN tool n a 2007 rity
© November 2007 53 - VPN 26
99 - Things in Life 26 DeepSec Conference © November 2007
Chapter 53 VPN
Summary . Always check implementation. . Use known secure algorithms. D 7
eep . Be careful when using certificates. L ayers o
. Protect and change your keys. Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 27
99 - Things in Life 27 DeepSec Conference © November 2007
Thank You
Questions? D 7
eep L ayers o Sec
Vien f I n secu n a 2007 rity
© November 2007 53 - VPN 28
99 - Things in Life 28