Top 10 reasons why IPsec VPNs fail.

As an independent consultant, I am often asked to be a ‘fresh set of eyes’ and perform a network assessment. This sometimes involves an examination of an IPsec VPN.

During discussions around an IPsec VPN deployment, I occasionally hear a variation of the following: “Yes, we have an IPsec VPN, and it is configured to use strong cryptographic algorithms. So it’s absolutely secure, and you might like to spend your time on other elements of our network rather than wasting your time examining the VPN.” These words can sometimes indicate complacency and a belief in the still surprisingly widespread view that an IPsec VPN, especially one using strong cryptographic algorithms such as AES, is secure, irrespective of its precise design and configuration. 

By now, almost everyone knows that it’s generally not a good idea to use weak algorithms such as 56-bit DES in an IPsec VPN. 

But what is still sometimes not understood is that even if an IPsec VPN uses relatively strong algorithms such as AES, the very strength and protection offered by these algorithms can be completely undermined by bad IPsec VPN design and configuration. 

If you are think that I am exaggerating, and that even badly configured IPsec VPNs might be vulnerable only to governments and others with access to huge computing resources, you might like to have a look at articles such as these two fairly random examples: "Lost in Translation: Theory and Practice in Cryptography"  and  "Cisco Security Notice: Cisco Response to Internet Key Exchange Issue". 

So, if you have an IPsec VPN and you are not absolutely certain about its configuration, it may be a good idea to just to double check that you are not only using the right algorithms, but also that the VPN is otherwise properly designed and configured.  

Here's a top ten of possible weak points to check as you assess your IPsec VPN:

1. Use of weak pre-shared keys.

2. Inappropriate use of IKE/ISAKMP aggressive mode (with weak pre-shared keys).

3. Inappropriate method of authentication (pre-shared keys when digital signature [certificate] based authentication might be more appropriate).

4. Inappropriate use of wildcard or group pre-shared keys (where use of alternatives might be more appropriate/possible).

5. Use of identical pre-shared key with multiple peers (similar to #4).

6. Inappropriate use of Extended Authentication (XAuth, which may be vulnerable when used with weak pre-shared keys and aggressive mode IKE/ISAKMP).

7. Vulnerability of NTP and/or CRLs/OCSP used by PKI to DoS attack (relevant when using digital signature authentication).

8. Relatively weakly secured CA private key storage.

9. Storage of IPsec VPN gateway configuration files containing paintext pre-shared keys.

10. Use of encryption without authentication. 

That top ten is really just the start. So, have a really good dig around until you have covered all the bases and are absolutely satisfied that your IPsec VPN really is secure.

And if you need more information on the above top ten (and more), Google is a good place to start. If Google doesn't do the job, there a number of books (including my own!) that offer much more on this - just pay a visit to Amazon.

Well, that’s it for this blog entry. If you have any thoughts, please do leave a comment. In the coming weeks, I’ll be blogging on a variety of subjects, but if you would like me to cover something in particular be sure to let me know.

Mark