Virtual Private Networks (VPN)

Last week I've been in the north of Spain (Oviedo) working with VPNs and this is the reason why I've been reviewing and studying deeply all kind of VPNs like IPSec, SSL, GRE, L2TP/PPTP and MPLS, and I've also been working with cryptographic algorithms like Diffie Hellman, ciphers like 3DES and AES, authentication mode like PSK and RSA, Aggressive Mode VPNs, Main Mode VPNs, etc, etc.

Speaking about IPsec, we have to begin with the framework where we can see protocols and algorithms which give us confidentiality, integrity and authentication over an untrusted network like Internet.

When we have to configure an IPsec VPN, we have to choose a set of these protocols and algorithms which are needed to make a Security Association (SA). It is important to choose strong algorithms like AES and SHA, and a strong group of Diffie Hellman as well, which I recommend at least 2048 bits or the 14 group.

The authentication mode could be PSK (Pre Shared Key) or RSA. Obviously, PSK is easier to configure but easier to crack when it is compared with RSA because the asymmetric algorithm RSA is composed by public key and private key, which is stronger than just having a key. The RSA algorithm is easy to understand if we think about padlocks because they are opened (Public key) to everybody who wants to write a confidential message, which is only able to be opened (read) by the private key. On the other hand, we shouldn't confuse RSA with Diffie Hellman (DH), even though DH is an asymmetric cryptographic protocol, because DH is used to exchange keys between two peers who don't know each other. DH uses a large prime number and a base group along with the private key and public key to agree a secret key between peers, once it is done, peers exchange messages encrypted by the secret key with a symmetric algorithm.

If we are going to configure an IPsec VPN, we should know how it works because if something goes wrong we have to know what we are doing. Therefore, we should know that the first phase is going to propose algorithms and protocols to the remote peer to make a security association. In the first phase we can choose between two mode, Aggressive Mode which has three steps or packets and Main Mode which has six steps or packets and it is more secure than Aggressive Mode. While in the second phase, peers are going to negotiate networks to share in the VPN and algorithms to cipher data as well.

I've been working with FortiGate appliances to analyze and understand IPsec and SSL VPN protocols, and Cisco emulators for IPsec and GRE VPN and this has been the best way to consolidate my knowledge about Virtual Private Networks. In fact, this has been the reason why I wrote about VPN Security last week, and these are the slides about that speech:

VPN Security from dromerotrejo

Speaking about tendencies, although it seems that VPN as a services is the trend due to the fact that there are many free VPN services, we should be careful about what we are using because sometimes we can be paying with confidential data or personal data if we send this information through the free VPN.

Last, but not less important, I have to say … that while I've been in Oviedo, I've been drinking cider in Tierra Astur, eating the typical food like Cachopo and of course taking pictures with Woody Allen.

Regards my friend and remember, drop me a line with the first thing you're thinking.

VPN Security

Today, we can see powerful supercomputers available to the science to predict disasters, improve the health and life of people, etc, like the newly Lusitania II, but we can also know that these supercomputers could be used to find out vulnerabilities and flaws in protocols and algorithms that would allow us to do malicious actions against the society.

Last week I have been working with VPN in a deeper way and while I was reading, configuring and testing different kind of VPNs like IPSec, SSL, GRE, L2TP/PPTP or MPLS, I was thinking how easy it would be to crack and sniff these VPNs in a passive way if we use supercomputers, because all of us know that one way to decrypt messages is by bruteforce attacks that it could be done by powerful supercomputers.

In fact, the black budget of the EEUU for spy agencies, like NSA and CIA, seems to have developed in the Utah Data Center a system called TURMOIL which uses a vulnerability in the Diffie Hellman cryptographic protocol to intercept and sniff VPN traffic, and SSH and HTTPS sessions too, in a passive way.

This could be done because most servers and applications use the same prime number to exchange the key in the Diffie Hellman protocol to encrypt data and if this prime number can be cracked then we can intercept, analyze and sniff a huge amount of traffic. Do you realize how much worth to crack this prime number? For this reason, we should use Diffie Hellman group 14 with 2048 bit length as a mandatory recommendation, or stronger.

On the other hand, there are another weakness in the VPN IPsec protocol which is in the IKE Aggressive Mode's Phase 1 because Aggressive Mode exchanges pre-shared keys in clear-text by default for VPN authentication. For this reason, it is important to configure properly our VPN and use Main Mode instead.

Last, but not less important, is to choose a strong encryption algorithm to encrypt data. Although 3DES isn't still vulnerable or cracked, it is highly recommended to use the AES algorithm, and never use DES because it is do vulnerable.

Do you know more recommendations for VPN configuration? Let us know to make secure communications.

PCI-DSS Compliance

Three years ago I wrote about PCI-DSS explaining what it is and what requirements companies have to comply if they want to store, process or transmit cardholder data. However, today, I have more knowledge than three years ago about PCI because I have been working for the banking sector and some companies from then to try to protect their data. Therefore, I would like to share and write an overview about this standard.

Obviously, this standard has increasingly demanding requirements due to the fact that more and more people are using plastic card to buy online. As a result, the Payment Card Industry like the major card brands (Visa, MasterCard, American Express, etc) want to reinforce the requirements because they are losing money with the last attacks to the systems of merchants, processors, acquirers, issuers, and service providers. Consequently, it is mandatory to implement the requirements of PCI-DSS if you want to work with cardholder data. Until when? Maybe when all of us have our money in Google Bank. Nooo please!!

One of the latest change the council has done into the PCI-DSS standard has been last April when they released the 3.1 version which doesn't recommend the SSL libraries because last SSL vulnerabilities like FREAK, PODDLE, Heartbleed or BEAST are painful and dangerous for their pockets. However, policies and procedures like Security Policy, Change Management Procedure, Incident Response Procedure or the Security Development Methodology remain important if we want to protect our data and comply with this standard.

Although documentation is essential and auditors couldn't audit anything without them, in fact, if it isn't written down, it doesn't exist, technical controls should be implemented as well. One of the technical control that more impact to me is how we should encrypt the cardholder data because we must encrypt the Data Encryption Key (DEK) with a Key Encryption Key (KEK), they must be store separately and KEK should be at least as strong as the DEK. The best option to do this is with an HSM appliance but the cheapest option is to store the cardholder data and DEK in a server and KEK and master key in another server. What does all of this mean? We have at least to encrypt the cardholder data with a key, this with another key store in other place, and this last key should be encrypted as well. All of this to protect cardholder data.

In addition to encryption keys, there are a lot of technical controls that we should take into account like two factor authentication for remote access to the PCI infrastructure, penetration test and vulnerability scan, user management, firewall installation, network and services segmentation, file integrity monitoring, IDS/IPS, retention of logs, etc.

Best regards my friend and remember, if you have to adapt your infrastructure to the PCI-DSS standard, you'll have to implement the 12 requirements to protect the most important thing for your customers, the cardholder data.

I want the three kings bring me an AS

Three years ago I studied routing protocols in the CCNP certification and at the beginning I thought it would be difficult to use and apply this concepts in the real world because I don't work in an ISP. However, I have had the opportunity to use it for the last three years. First, I have to migrate a firewall which used the RIP protocol, next I had to teach the CCNA certification with an unit about routing protocols, I could also configure some BGP routes in the Technological Scientific Network of the Government of Extremadura and some other private companies, and finally, I taught OSPF protocol under Alcatel-Lucent to the engineers of AENA. For this reason, I think the next step could be to manage, operate and configure an AS or Autonomous System.

An autonomous system is a set of network, we can also call it a mini-internet, manages by our own where we can make decisions about traffic flow with policy based routing. If we want an Autonomous System, we have to contact with IANA and RIPE, which are the authorities who give us the Autonomous System Number (ASN)  and public IPs as well. Once administrative tasks have been done, we have to design the topology network and we should think about redundancy, peering, bandwidth, latency and the IP addressing scheme.

When we speak about an Autonomous System we shouldn't think in a particular geographical area or region but an ASN or public IPs, which are announced by routers with the BGP protocol against remote peers. This is the main protocol of Internet, BGP, which is an old protocol that works by trust because anyone can announced routes even if they aren't theirs, like when Google's services were disrupted by routing error. And this is an advantage of having an Autonomous System because we can have the IP addresses regardless where we are, geographically speaking.

As I said, an advantage of having our own Autonomous System could be the flexibility and scalability that we get when we have the possibility to move IP addresses from one area to another without disrupting the services, which is useful in business continuity scenarios along with  Global Server Load Balancing. This is possible when our Autonomous System reaches a whole area with several cities, or it is interconnected by VPN technologies, which allow us to make peering with other Autonomous Systems to get Internet through two or more different service providers.

 

However, there are some disadvantages. First of all, we have to be careful with suboptimal routing because asymmetric routing is common in this kind of scenarios and it's difficult to avoid it. Therefore, we can be delivering traffic through expensive lines or we are not taking the advantage of using the maximum bandwidth available. And another thing to mention is the knowledge we need if we want to manage these complex networks properly.

This is my letter for the three kings this year. We'll see if I can keep learning and playing with these toys to improve my knowledge and myself and enjoy with network and security.

Do you want to tell us your wishes?