Penetration Testing mailing list archives
Re: VPNs and double encryption
From: Miguel Gonzalez <miguel_3_gonzalez () yahoo es>
Date: Wed, 21 Jul 2010 05:55:18 -0700 (PDT)
Many thanks to everybody. Someone pointed out to me that TCP over TCP was not a good idea and that it was much better to use TCP over UDP. That's what I've done; OpenVPN allows using UDP instead. I have tested Asterisk and it works pretty fine.

Miguel

--- On Thu, 15/7/10, Nick Besant <lists () hwf cc> wrote:
From: Nick Besant <lists () hwf cc>
Subject: Re: VPNs and double encryption
To: pen-test () securityfocus com, miguel_3_gonzalez () yahoo es
Date: Thursday, 15 July 2010 15:07

Hi.

I think this is a little off-topic for pen-test, but the following pointers should be of some use (also some suggestions to bring it back on-topic):

1. Using HTTP over SSL through a VPN will add some overhead to the network throughput - you are encapsulating packets inside other packets, so you will be using more bits on the wire than if it were unencrypted. If you have a lab set-up to test this, capture some sample sessions (using the same data etc.) with no encryption, then HTTPS, then HTTPS + VPN. Things to look at could be packet count, time taken, capture size, control / handshake packet count etc.

2. The same goes for the network kit between your hosts. If you have a lab set-up to test this, then you can monitor network performance directly. As below, unless you have very limited bandwidth or very old networking kit, you probably won't see any issue here.

3. If your VPN endpoint is on the same box as the box you're serving your HTTPS content through, you will have some additional processing overhead. Unless you're talking about a very old box and/or a high-throughput network, this shouldn't be an issue - but you can do some testing as above to look at load etc.

4. It's worth thinking about why you want both layers. If you're relying on (or hoping to obtain) combined benefits from both layers of encryption (confidentiality, integrity, availability from each), you should be aware that this also means you have (at least) two sets of keys to manage (ensuring they are different), two (at least) sets of apps/code to keep patched and configured etc. In addition, your VPN may well traverse any additional perimeter checks (IDS/IPS) you're doing at your network. If it doesn't, and you're sending traffic through it over HTTPS, then you'll either not be able to monitor it or you'll need additional configuration to manage that. There are some interesting attack vectors here that should be of interest to any good network penetration test.

Regards,
Nick

On 10/07/2010 11:03, Miguel González Castaños wrote:

Dear all,

As I have already mentioned here, I'm doing an online course in Security. My final assignment or project is to design (but I have decided to go further and implement it) a VPN for a small office which in theory would have HTTPS. I've chosen OpenVPN for my tests. My tutor mentions that I should realize that using a VPN and HTTPS can be a problem when it comes to slow connections. I have used in the past some VPNs at work and using HTTPS, and I haven't realized such a problem (and I was using wireless connections in hotels).

Any tool or guidance that I could use to measure if there is such an impact on performance?

Thanks!

Miguel

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
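Nick's measurement suggestion (capture the same session with no encryption, over HTTPS, and over HTTPS + VPN, then compare packet count, capture size and time taken) as an added Python example; this is not code from the thread or from the OpenVPN project. It parses classic libpcap files directly and compares a constructed plaintext capture against a constructed tunnelled version of it; the sample frames, the 52-byte tunnel header and the 1514-byte MTU are assumed illustrative figures, not measured OpenVPN values.

```python
import struct
from collections import namedtuple

CaptureStats = namedtuple("CaptureStats", "packets wire_bytes duration_s")  # Nick's three metrics

def pcap_stats(data: bytes) -> CaptureStats:
    """Walk a classic libpcap file: 24-byte global header, then 16-byte record headers."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap capture")
    off, packets, wire_bytes, first, last = 24, 0, 0, None, None
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len                     # skip the captured bytes themselves
        ts = ts_sec + ts_usec / 1e6
        first = ts if first is None else first
        last, packets, wire_bytes = ts, packets + 1, wire_bytes + orig_len
    return CaptureStats(packets, wire_bytes, 0.0 if first is None else last - first)

def overhead(baseline: CaptureStats, candidate: CaptureStats) -> tuple:
    """Relative increase of (packets, bytes, time) versus the plaintext baseline."""
    return tuple(c / b - 1 for b, c in zip(baseline, candidate))

def make_pcap(frames) -> bytes:
    """Constructed capture from (timestamp_ms, bytes_on_wire) pairs; packet bodies are zero-filled."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    for ts_ms, n in frames:
        out += struct.pack("<IIII", ts_ms // 1000, ts_ms % 1000 * 1000, n, n) + bytes(n)
    return out

def tunnel(frames, extra=52, mtu=1514):
    """Toy UDP-tunnel model (assumed 52 header bytes, not a measured OpenVPN figure): each frame
    grows by `extra`, and anything that then exceeds the MTU is split into a second packet."""
    out = []
    for ts_ms, n in frames:
        n += extra
        while n > mtu:
            out.append((ts_ms, mtu))
            n = n - mtu + extra
        out.append((ts_ms, n))
    return out

# Constructed plaintext exchange: TCP handshake, request, two data segments, final ACK.
PLAIN = [(0, 74), (100, 74), (200, 66), (250, 500), (400, 1514), (450, 1200), (500, 66)]

def compare(frames=PLAIN):
    base = pcap_stats(make_pcap(frames))              # "no encryption" capture
    vpn = pcap_stats(make_pcap(tunnel(frames)))       # same traffic through the toy tunnel
    return base, vpn, overhead(base, vpn)
```

With real lab captures, pass each file's bytes to pcap_stats and feed the results to overhead; the tunnel model exists only so the script runs offline, and it deliberately leaves timing unchanged, which is why the time overhead it reports is zero.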
Current thread:
- VPNs and double encryption Miguel González Castaños (Jul 13)
- Re: VPNs and double encryption Nick Besant (Jul 20)
- Re: VPNs and double encryption Miguel Gonzalez (Jul 24)
- Re: VPNs and double encryption Nick Besant (Jul 20)