Executive Editor

VPN vulnerability depends on implementation

Nov 22, 2005

* Some VPN gear open to denial-of-service attack

Last week a Finnish university group discovered it could successfully knock out some IPSec VPN gear with denial-of-service attacks using carefully crafted packets to overwhelm a VPN gateway.

The attacks resulted in several companies – Check Point, Cisco, Juniper, Stonesoft and Secgo among them – issuing security advisories and patches.

The attacks targeted the Internet Security Association and Key Management Protocol (ISAKMP), which IPSec uses to establish security associations. It is the means by which two devices authenticate to each other and create security keys before setting up an IPSec tunnel.

The alert from the University of Oulu in Finland said that it discovered exploitable flaws in a number of vendors’ VPN gear.

There are two important things to note. The first is that this is not a flaw with the basic protocol but rather with the implementations of the protocol for specific products. If implemented differently, the protocol is safe from these attacks.
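The article does not describe the individual flaws, so the following is an added example, not code from any vendor or from the University of Oulu, of the kind of input validation an ISAKMP implementation has to perform on the fixed header and payload chain defined in RFC 2408 before it touches any payload. `MAX_PAYLOADS`, the strict length match and the sample message built by `build_message` are assumptions made for the illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 sec. 3.1 fixed header, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")        # RFC 2408 sec. 3.2 generic payload header
MAX_PAYLOADS = 32                          # assumed local policy limit, not from the RFC

class MalformedISAKMP(ValueError):
    """Raised before any payload body is handed to later processing."""

def parse_isakmp(datagram: bytes) -> dict:
    if len(datagram) < ISAKMP_HDR.size:
        raise MalformedISAKMP("shorter than fixed header")
    _ic, _rc, next_pl, version, exch, flags, _mid, length = ISAKMP_HDR.unpack_from(datagram)
    if version >> 4 != 1:
        raise MalformedISAKMP("unsupported major version")
    if length != len(datagram):            # strict: declared length must match what arrived
        raise MalformedISAKMP("declared length does not match datagram size")
    if flags & 0x01:                       # encryption bit: chain is opaque until decrypted
        return {"exchange": exch, "encrypted": True, "payloads": []}
    payloads, offset = [], ISAKMP_HDR.size
    while next_pl != 0:                    # 0 = no further payload
        if len(payloads) >= MAX_PAYLOADS:
            raise MalformedISAKMP("too many payloads")
        if offset + GENERIC_HDR.size > length:
            raise MalformedISAKMP("payload header runs past end of message")
        following, _reserved, pl_len = GENERIC_HDR.unpack_from(datagram, offset)
        if pl_len < GENERIC_HDR.size:      # a zero length would never advance the offset
            raise MalformedISAKMP("payload length smaller than its own header")
        if offset + pl_len > length:
            raise MalformedISAKMP("payload body runs past end of message")
        payloads.append((next_pl, datagram[offset + GENERIC_HDR.size:offset + pl_len]))
        next_pl, offset = following, offset + pl_len
    if offset != length:
        raise MalformedISAKMP("trailing bytes after last payload")
    return {"exchange": exch, "encrypted": False, "payloads": payloads}

def build_message(first_pl: int, chain: bytes) -> bytes:
    """Constructed sample: version 1.0, exchange type 2, no flags, zeroed responder cookie."""
    total = ISAKMP_HDR.size + len(chain)
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first_pl, 0x10, 2, 0, 0, total) + chain

if __name__ == "__main__":
    good = build_message(1, GENERIC_HDR.pack(0, 0, 8) + b"\x00\x00\x00\x01")
    print(parse_isakmp(good))
    for bad_chain in (GENERIC_HDR.pack(0, 0, 0), GENERIC_HDR.pack(0, 0, 200)):
        try:
            parse_isakmp(build_message(1, bad_chain))
        except MalformedISAKMP as err:
            print("rejected:", err)
```

Every length field is checked against the bytes actually received before it is used as an offset, so a malformed message is dropped with a bounded amount of work.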

Second, it underscores that customers should keep up with software updates distributed by vendors. Makers of VPN products identify such vulnerabilities themselves and correct them via their routine version upgrades without all the splash the University of Oulu got with its announcement.

The type of analysis and testing the university group did to discover the vulnerabilities can be turned on other protocols, notes Paul Hoffman, director of the VPN Consortium. The more complex the protocol, the more susceptible it is to such attacks, he says. Other protocols ripe for such implementation flaws are SSL and SIP, he says, so keep your software updated as your vendors advise.