VPN Security

Today, we can see powerful supercomputers available to the science to predict disasters, improve the health and life of people, etc, like the newly Lusitania II, but we can also know that these supercomputers could be used to find out vulnerabilities and flaws in protocols and algorithms that would allow us to do malicious actions against the society.

Last week I have been working with VPN in a deeper way and while I was reading, configuring and testing different kind of VPNs like IPSec, SSL, GRE, L2TP/PPTP or MPLS, I was thinking how easy it would be to crack and sniff these VPNs in a passive way if we use supercomputers, because all of us know that one way to decrypt messages is by bruteforce attacks that it could be done by powerful supercomputers.

In fact, the black budget of the EEUU for spy agencies, like NSA and CIA, seems to have developed in the Utah Data Center a system called TURMOIL which uses a vulnerability in the Diffie Hellman cryptographic protocol to intercept and sniff VPN traffic, and SSH and HTTPS sessions too, in a passive way.

This could be done because most servers and applications use the same prime number to exchange the key in the Diffie Hellman protocol to encrypt data and if this prime number can be cracked then we can intercept, analyze and sniff a huge amount of traffic. Do you realize how much worth to crack this prime number? For this reason, we should use Diffie Hellman group 14 with 2048 bit length as a mandatory recommendation, or stronger.

On the other hand, there are another weakness in the VPN IPsec protocol which is in the IKE Aggressive Mode's Phase 1 because Aggressive Mode exchanges pre-shared keys in clear-text by default for VPN authentication. For this reason, it is important to configure properly our VPN and use Main Mode instead.

Last, but not less important, is to choose a strong encryption algorithm to encrypt data. Although 3DES isn't still vulnerable or cracked, it is highly recommended to use the AES algorithm, and never use DES because it is do vulnerable.

Do you know more recommendations for VPN configuration? Let us know to make secure communications.