RE: VPN's ( ssl or ipsec )

From: captgoodnight captgoodnight <captgoodnight@hotmail.com>
Date: Sat Oct 14 2006 - 21:06:09 AKDT

Okay, I swear this to be my last post on this topic.

ssl sniffing and layer 2/3 play
---------------------------------------
http://www.google.com/search?hl=en&q=open+vpn+man+in+the+middle&btnG=Google+Search
http://www.oxid.it/downloads/apr-intro.swf
http://ettercap.sourceforge.net/forum/ (search for ssl or ssl sniffing)

http://www.irongeek.com/i.php?page=security/vids-by-others <---- watch the
darn vids!

pptp man in the middle
------------------------------
http://ettercap.sourceforge.net/forum/ (search for pptp)
http://asleap.sourceforge.net/ <--- awesome tool!

note: registry entries can prevent this from being exploited.

Please build a lab, install the software and learn the insecurities built
into the trust model of ssl and tcp/ip. Another test, see if you can exploit
ssh v1, it's vuln too. Yes, even on Cisco devices ;p)

ipsec ike2 man in the middle
--------------------------------------
anyone?

IPSEC, for an end user/road warrior who knows nothing about computers other than
what the saints in IT tell them, is a fine secure method of communication,
and besides user/admin error, works great. Cisco and other vendors have done
a fine job (well...) in keeping things simple for them; the client programs
are no-brainers...

Now comes along the ssl vpns, yes, even more simple, but if I can wiggle my
butt in between the initial communications and slip them a cert, where they
wouldn't know the difference due to a lacking USER POLICY that allows users
to click [yes] on cert failures, then by all means, it's broken or at best,
a denial of service due to the user correctly clicking [no].

Another thing to consider with ssl, nearly all vendors of network devices
use self-signed certs, thus I admit, I, like many on the list, have become
accustomed to clicking yes on those failures, but what if that failure was a
man in the middle cert? We wouldn't know the difference. Like who's gonna
examine every popup, and who is gonna import every cert? Besides, there's
always that first one ;p)

So, to sum/shut myself up, ipsec is surviving, tcp/ip is broken, openvpn is
great, I like it and use it too and SSL vpns need a user policy and
purchased certs to be 100% effective. This isn't even considering malware...

Open Source BEER, burp.

>From: Damien Hull <dhull@digitaloverload.net>
>To: aklug@aklug.org
>Subject: VPN's ( ssl or ipsec )
>Date: Sat, 14 Oct 2006 19:08:25 -0800
>
>I'm no expert on VPN's. My only experience is with OpenVPN. It's SSL
>based, which some are saying isn't as secure as IPsec.
>
>I like OpenVPN for the following reasons.
>
> 1. Free and Open
> 2. Gives me a secure connection to my network
> 3. Works from anywhere
>
>Here are some links to information on OpenVPN. Maybe someone on the list
>can explain to me and others what's really going on here.
>
>http://openvpn.net/
>
>http://openvpn.net/papers/BLUG-talk/
>
>http://www.sans.org/rr/whitepapers/vpns/1459.php
>---------
>To unsubscribe, send email to <aklug-request@aklug.org>
>with 'unsubscribe' in the message body.
>

Received on Sat Oct 14 21:06:37 2006
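
An added example, not part of the original message: pinning the SHA-256 fingerprint of a device's self-signed certificate, so a substituted certificate is rejected outright instead of producing a prompt the user can click through. `PinStore`, its return values and the endpoint name are assumptions made for this example, and the sample certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate without chain validation (it is self-signed).
    Trust comes only from the pin comparison in PinStore.check()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Maps "host:port" to a pinned certificate fingerprint (hypothetical helper)."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    def check(self, endpoint: str, der_cert: bytes, enroll: bool = False) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(endpoint)
        if pinned is None:
            if not enroll:
                return "unknown"    # first contact: refuse until verified out of band
            self.pins[endpoint] = seen
            return "enrolled"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "mismatch"           # hard failure, never a yes/no prompt


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes (not real certificates).
    device_cert = b"constructed-device-cert"
    other_cert = b"constructed-substituted-cert"
    store = PinStore()
    print(store.check("vpn.example.test:443", device_cert))               # unknown
    print(store.check("vpn.example.test:443", device_cert, enroll=True))  # enrolled
    print(store.check("vpn.example.test:443", device_cert))               # match
    print(store.check("vpn.example.test:443", other_cert))                # mismatch
```

Enrollment is the "first one" case from the post: the fingerprint should be compared against a value read from the device console or another trusted channel before `enroll=True` is used.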
