Re: VPNs and double encryption

[Miguel Gonzalez <miguel_3_gonzalez () yahoo es>]

Many thanks to everybody. Someone pointed me out that TCP over TCP was not a good idea and was much better to use TCP 
over UDP. That's what I've done, OpenVPN allows using UDP instead. I have tested Asterisk and works pretty fine.

Miguel

--- El jue, 15/7/10, Nick Besant <lists () hwf cc> escribió:

> De: Nick Besant <lists () hwf cc>
> Asunto: Re: VPNs and double encryption
> Para: pen-test () securityfocus com, miguel_3_gonzalez () yahoo es
> Fecha: jueves, 15 de julio, 2010 15:07
>  Hi.  I think this is a little
> off-topic for pen-test, but the following
> pointers should be of some use (also some suggestions to
> bring it back
> on-topic);
>
> 1. Using HTTP over SSL through a VPN will add some overhead
> to the
> network throughput - you are encapsulating packets inside
> other packets,
> so you will be using extra bits on the wire than if it
> were
> unencrypted.  If you have a lab set-up to test this,
> capture some sample
> sessions (using the same data etc) with no encryption, then
> HTTPS, then
> HTTPS + VPN.  Things to look at could be packet count,
> time taken,
> capture size, control / handshake packet count etc.
>
> 2. Same goes for the network kit between your hosts. 
> If you have a lab
> set-up to test this, then you can monitor network
> performance directly. 
> As below, unless you have very limited bandwidth or very
> old networking
> kit, you probably won't see any issue here.
>
> 3. If your VPN endpoint is on the same box as the box
> you're serving
> your HTTPS content through, you will have some additional
> processing
> overhead.  Unless you're talking about a very old box
> and/or a
> high-throughput network, this shouldn't be an issue - but
> you can do
> some testing as above to look at load etc.
>
> 4. It's worth thinking about why you want both
> layers.  If you're
> relying/hoping on obtaining combined benefits from both
> layers of
> encryption (confidentiality, integrity, availability from
> each) you
> should be aware that this also means you have (at least)
> two sets of
> keys to manage (ensuring they are different), two (at
> least) sets of
> apps/code to keep patched and configured etc.  In
> addition, your VPN may
> well traverse any additional perimeter checks (IDS/IPS)
> you're doing at
> your network.  If it doesn't, and you're sending
> traffic through it over
> HTTPS then you'll either not be able to monitor it or
> you'll need
> additional configuration to manage that.  There are
> some interesting
> attack vectors here that should be of interest to any good
> network
> penetration test.
>
> Regards,
>
> Nick
>
>
> On 10/07/2010 11:03, Miguel González Castaños wrote:
> > Dear all,
> >
> >    As I have already mentioned here I'm
> doing an online course in
> > Security. My final assignment or project is to design
> (but I have
> > decided to go further and implement it) a VPN for a
> small office which
> > in theory would have HTTPs  I've chosen OpenVPN
> for my tests. My tutor
> > mentions that I should realize that using a VPN and
> https can be a
> > problem when it comes about slow connections. I have
> used in the past
> > some VPNs at work and using https and I haven't
> realized such problem
> > (and I was using wireless connections in hotels).
> >
> >    Any tool or guidance that I could use
> to measure if there is such
> > impact on performance?
> >
> >    Thanks!
> >
> >    Miguel
> ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance
> Certification Review
> > Board
> >
> > Prove to peers and potential employers without a doubt
> that you can
> > actually do a proper penetration test. IACRB CPT and
> CEPT certs
> > require a full practical examination in order to
> become certified.
> > http://www.iacertification.org
> ------------------------------------------------------------------------
> >
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance
> Certification Review Board
>
> Prove to peers and potential employers without a doubt that
> you can actually do a proper penetration test. IACRB CPT and
> CEPT certs require a full practical examination in order to
> become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------