How devastating might it be for your business if a hacker was able to hang out on your virtual private network (VPN) and monitor the traffic at will: login credentials for applications, sensitive data from clients, emails to and from your C-level executives, you name it? That’s a risk many businesses—including several Pivot Point customers where I’ve recently conducted penetration testing—take every day because their VPN endpoints are configured to allow less secure authentication.
VPNs are the primary means for connection and communication between remote users and private organizational intranets. As such, they are very tempting targets for hackers. That’s why it’s a very good idea to decrease your VPN security risks by making your connection process as tamper-resistant as possible.
Aggressive vs. Main Mode
Like so many other systems, VPNs initiate sessions using authentication credentials. The standard way to perform this process is called Internet Key Exchange (IKE), which negotiates an agreed Security Association (SA) between sender and recipient. IKE takes place in two phases: one to establish a secure channel and the second to encrypt and transport the data.
The VPN security risks in question relates to that first phase. It can happen in either of two ways: Main Mode, which uses a secure, encrypted, six-way handshake; and Aggressive Mode, which uses a three-way handshake that involves sending a pre-shared key (PSK) from the “responder” (device) to the “initiator” (client) unencrypted. It’s therefore possible for a hacker to capture these hashed PSK packets using a sniffer (e.g., tcpdump) or capture them directly from the VPN itself. The attacker would then crack them using a brute-force or dictionary attack to recover the PSK and authenticate successfully with the VPN.
While this basic attack strategy has been known since at least 2004, Aggressive Mode remains the default configuration for many VPN devices. One reason is that it is more convenient for users, in that Main Mode takes a few seconds longer. Another common reason for using Aggressive Mode is that the VPN vendor simply sets it up that way for convenience, and it’s never questioned. Some organizations intentionally configure their VPNs with Aggressive Mode IKE in order to use pre-shared key (PSK) authentication and avoid having to install certificates on client devices.
While somewhat more convenient, Aggressive Mode is much less secure than Main Mode. This is why using Aggressive handshaking on your VPN is in violation of PCI, SOX and a number of other security standards, so that detection of Aggressive Mode may cause you to fail an audit.
Is Your VPN Configured to Hand Hackers the Keys to Your Intranet?
If you feel you must continue to use Aggressive Mode, you need to ensure that your PSKs are strong; that is, alphanumeric values greater than 16 characters, and rotated at regular intervals. But for most organizations, it’s well worth the effort to mitigate this potentially damaging vulnerability by using Main Mode authentication.
To find out whether authentication is an issue in your environment, and dialog with experts on how to mitigate these VPN security risks and other vulnerabilities before it’s too late, contact Pivot Point Security.
For more information:
- The most definitive paper I could find on VPN hacking
- A step-by-step guide to mounting a brute force attack on your local VPN
- The original description of this type of attack (from 2004)