A recent report [1] suggested that VPNs are not as secure as they claim to be. VPN services claim that they provide privacy and anonymity. The researchers studied these claims in various VPN services, analyzed a few of the most popular ones, and investigated their internals and infrastructures.
They tested the VPNs using two kinds of attacks: passive monitoring and DNS hijacking. Passive monitoring is when a user's unencrypted information is collected by a third party, and DNS hijacking is when the user's browser is redirected to an attacker-controlled web server that pretends to be a popular site such as Twitter [2]. What their experiment revealed is very unsettling: most of the VPN services suffer from IPv6 traffic leakage, and most of them leaked information, not only about the websites visited but also about the user. They went on to study various mobile platforms that use VPNs and found that these platforms are much more secure when iOS is used, but vulnerable when Android is used.
They also described more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured. To make things worse, most of the VPNs that were part of the experiment used the Point-to-Point Tunneling Protocol with MS-CHAPv2 authentication, which, according to TechReport, makes them vulnerable to brute-force attacks [10]. Akamai argued that a VPN is not a wise security solution and that it can be a drawback for third-party remote access. If you have an institution that regularly interacts with third parties who need remote access to enterprise applications hosted in your hybrid cloud, a VPN is by no means a good solution. After all, you don't want to give untrusted third parties carte-blanche access to the network when all they need is access to a limited number of applications. Typically, third parties only need access to a given application for a limited time.
Configuring, managing, and deploying a separate set of subnets for third parties, coupled with managing user moves, adds, and changes, are all time-intensive activities. Whether the process takes days or weeks, it is clearly an impediment to business. VPNs have always been considered a secure mechanism for transmitting sensitive data between client and server applications for remote workers.
VPN technology is well known and is widely deployed across the world. The SOX mandates have pushed organizations to deliver end-to-end VPN security. This means that the VPN itself is not enough. Moreover, many VPN systems do not provide the ability to easily manage and maintain the security of the clients utilizing the VPN solution. This includes visibility into client-loaded software to ensure the clients are up to date, as well as the ability to "push" out updates to the clients.
Another study [9] revealed that nine in ten SSL VPNs use encryption methods that are not up to date, which ultimately puts corporate data at risk. An Internet-wide survey of publicly accessible SSL VPN servers was conducted by HTB (High Tech Bridge). From four million randomly selected IPv4 addresses, including those of popular suppliers such as Cisco, 10,436 randomly selected publicly available SSL VPN servers were scanned, which revealed the following problems:

1. Quite a few VPN services still offer SSLv2, and approximately 77% of SSL VPN services use the SSLv3 protocol, which is now considered obsolete. Both of these protocols have various vulnerabilities and both are unsafe.

2. About 76 per cent of SSL VPNs use an untrusted SSL certificate, which might result in man-in-the-middle attacks. Attackers might be able to set up a counterfeit server impersonating the real one before harvesting data sent over a supposedly "secure" VPN connection. According to HTB, corporate use of the default pre-installed certificate from the vendor is the main cause of this problem in practice.

3. A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is not strong enough to withstand potential attacks.

4. Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 bits are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.

5. One in 10 of the SSL VPN servers that rely on OpenSSL (e.g. Fortinet) are still vulnerable to Heartbleed. The infamous Heartbleed vulnerability, discovered in April 2014, affected all products using or relying on OpenSSL, creating a straightforward way for attackers to extract sensitive data such as encryption keys from the memory of unpatched systems.

6. Only three per cent of scanned SSL VPNs are compliant with PCI DSS requirements, and none was found compliant with NIST guidelines. The credit card industry's PCI DSS requirements and the NIST guidelines from the US set out baseline security standards for organisations handling credit card transactions or government data.
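As an added illustration (not code from the HTB report or any of the cited sources), the following Python triages scan observations of SSL VPN endpoints against the five technical weakness classes above and reports their prevalence the way the report does. The VpnObservation record layout and the sample endpoints are constructed for this example; they are not HTB's data format or results.

```python
from dataclasses import dataclass
@dataclass
class VpnObservation:
    # One scanned SSL VPN endpoint; constructed record, not HTB's data format.
    host: str
    protocols: list[str]          # protocol versions the server accepted
    cert_trusted: bool            # chains to a trusted CA rather than a vendor default
    signature_algorithm: str      # certificate signature algorithm, OpenSSL naming
    rsa_bits: int                 # modulus length of the server's RSA key
    heartbleed_vulnerable: bool   # OpenSSL heartbeat flaw present

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 2048

def signature_hash_is_weak(algorithm: str) -> bool:
    # "sha1WithRSAEncryption" -> {"sha1", "rsaencryption"}; "ecdsa-with-SHA1" -> {"ecdsa", "sha1"}
    parts = {p.strip("-") for p in algorithm.lower().split("with")}
    return bool(parts & WEAK_SIGNATURE_HASHES)

def assess(obs: VpnObservation) -> list[str]:
    """Map one observation onto the five technical weakness classes in the HTB list."""
    findings = []
    if OBSOLETE_PROTOCOLS & set(obs.protocols):
        findings.append("obsolete-protocol")        # finding 1
    if not obs.cert_trusted:
        findings.append("untrusted-certificate")    # finding 2
    if signature_hash_is_weak(obs.signature_algorithm):
        findings.append("weak-signature-hash")      # finding 3
    if obs.rsa_bits < MIN_RSA_BITS:
        findings.append("short-rsa-key")            # finding 4
    if obs.heartbleed_vulnerable:
        findings.append("heartbleed")               # finding 5
    return findings

def prevalence(observations: list[VpnObservation]) -> dict[str, float]:
    """Percentage of hosts carrying each finding, the way the report states its results."""
    counts: dict[str, int] = {}
    for obs in observations:
        for finding in assess(obs):
            counts[finding] = counts.get(finding, 0) + 1
    return {f: round(100.0 * c / len(observations), 1) for f, c in counts.items()}

# Constructed sample of four endpoints; the values are illustrative, not scan results.
SAMPLE_SCAN = [
    VpnObservation("vpn-a.example", ["SSLv3", "TLSv1.0"], False, "sha1WithRSAEncryption", 1024, True),
    VpnObservation("vpn-b.example", ["TLSv1.2"], True, "sha256WithRSAEncryption", 2048, False),
    VpnObservation("vpn-c.example", ["SSLv3", "TLSv1.2"], False, "md5WithRSAEncryption", 2048, False),
    VpnObservation("vpn-d.example", ["TLSv1.2"], True, "sha256WithRSAEncryption", 1024, False),
]
```

Calling `prevalence(SAMPLE_SCAN)` on the constructed sample yields 50% for each of the first four classes and 25% for Heartbleed; on a real inventory the same function gives the per-class exposure a remediation plan would start from.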