VPNs – a secure way to call home?

Most business users are familiar with the VPN, the must-have reach-back mechanism that allows us to work from home, a train, a coffee shop. The VPN allows us to securely connect to our company’s network and access email, documents, applications – even VOIP and video conferencing. But how secure are the low-cost, consumer-focused providers and the transition tools on every network?

VPNs are now arriving in the consumer space – not to call home, but to protect consumers from the prying eyes of law enforcement authorities, intelligence agencies and your ISP. This technology has been around for years – probably the best known service is Tor. The idea is to tunnel all your traffic to a server, probably not in your country and certainly outside the control of your ISP; this then routes your traffic onwards to its destination and potentially anonymises your use of the Internet.

Enter the low-cost, consumer-focused VPN providers

Whenever new ideas come along there are always plenty of people entering the market. Enter the low-cost, consumer-focused VPN providers who offer to securely connect your laptop or mobile device, provide anonymity and protect you from the bad guys lurking on your train or in your local Starbucks (other brands available), who want to steal your personal data such as your credit card details.

A recent paper, ‘A Glance through the VPN Looking Glass’, by security researchers at Queen Mary College, University of London, takes a closer look at these technologies. Information about this paper was originally identified on The Register.

Hopefully, you’ll have time to look at The Register coverage – it makes for scary reading.

Leaks galore thanks to IPv4/IPv6 transition tools

Let’s look at the VPN security issues raised in the paper in more detail. What technology is used here – PPTP (good grief!), OpenVPN (hmmm), L2TP over IPsec (oh!). If IPsec is in the mix, does that mean that ‘real’ products might be at risk here?

Reading the paper it is pretty clear that the researchers have spotted an issue that many people (including me) have been trying to highlight for years – IPv6 is here, it is on every network and very few people know about it. Peter Curran, Ascentor

IPv4/IPv6 transition technologies represent a potential security hole and there is a very poor level of understanding about this – my test below is a perfect example.

I ran ping -6 ipv6-test.com from a command prompt on a VPN connected laptop (using a popular commercial-grade VPN client). Guess what – I got an answer! I ran a quick tracert -6 to the same address and, sure enough, all IPv6 traffic from this laptop is completely ignoring the strict ‘no split-routing, everything via the company outbound proxies’ policy and going straight out on the net. I am not surprised by this – the VPN client is a bit old and probably does not know about IPv6.
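The routing behaviour behind this test can be modelled offline. The following is an added example, not part of the original post: it applies longest-prefix route selection to a constructed dual-stack routing table and reports which address family leaves outside the tunnel. The interface names (tun0, wlan0), metrics and routes are assumptions made up for illustration.

```python
import ipaddress

# Constructed routing table of a dual-stack laptop with the VPN connected:
# (destination prefix, egress interface, metric). All values are made up.
ROUTES = [
    ("0.0.0.0/0",      "wlan0", 600),  # DHCP default route on the Wi-Fi
    ("0.0.0.0/1",      "tun0",  50),   # VPN client covers IPv4 with two /1s
    ("128.0.0.0/1",    "tun0",  50),
    ("192.168.1.0/24", "wlan0", 600),  # local LAN
    ("::/0",           "wlan0", 600),  # default learned from a router advertisement
    ("fe80::/64",      "wlan0", 256),  # link-local
]

def egress(dest, routes):
    """Pick the interface by longest prefix, then lowest metric; None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        key = (-net.prefixlen, metric)
        if best is None or key < best[0]:
            best = (key, iface)
    return best[1] if best else None

def audit(routes, vpn_iface, probes):
    """Map each probe address to 'tunnel', 'no route' or 'LEAK via <iface>'."""
    result = {}
    for dest in probes:
        iface = egress(dest, routes)
        if iface is None:
            result[dest] = "no route"
        elif iface == vpn_iface:
            result[dest] = "tunnel"
        else:
            result[dest] = "LEAK via " + iface
    return result

# Documentation addresses (RFC 5737 / RFC 3849) stand in for Internet hosts.
PROBES = ["203.0.113.10", "2001:db8::10"]

if __name__ == "__main__":
    for dest, verdict in audit(ROUTES, "tun0", PROBES).items():
        print(f"{dest:15} {verdict}")
```

In this model the leak disappears either when the tunnel also carries IPv6 routes more specific than ::/0, or when the physical interface has no IPv6 default route at all.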

The other problem that the paper highlights is the ease with which they could perform DNS hijacking attacks and effectively bypass the VPNs set up explicitly to avoid this problem. I would expect this to be less of an issue on proper commercial-grade VPN software – I tested IPv4, which was OK, but IPv6 is again a problem.

Secure today. But what about tomorrow?

For me this proves a favourite hobby horse – dual-stack IPv4/IPv6 creates unexpected security issues for the unwary. It also highlights another old adage – just because it is secure today, doesn’t mean it will be tomorrow. Does your network security stance include managing IPv6? You may think you are not using IPv6 but are you running Windows 7/8/2008/2012 or Linux? If so, you’re using IPv6.

If you have concerns about your VPN security, Ascentor can help assess the suitability of your current arrangements to cope with attacks and make recommendations to improve the level of your technical security.

Peter Curran

Peter Curran is Ascentor’s specialist in all Government related Information Assurance work with an emphasis on HMG IA policy and practices; policy and technical aspects of IP networking technologies such as VPNs, SSL/TLS, secure email; policy and technical aspects of cryptography including PKI.

For more information please contact:

Email: [email protected]

Office: 01452 881712

Web: ascentor.co.uk
