Penetration Testing mailing list archives
Re: VPNs and double encryption
From: Nick Besant <lists () hwf cc>
Date: Thu, 15 Jul 2010 20:07:17 +0100
Hi. I think this is a little off-topic for pen-test, but the following pointers should be of some use (also some suggestions to bring it back on-topic):

1. Using HTTP over SSL through a VPN will add some overhead to the network throughput - you are encapsulating packets inside other packets, so you will be putting more bits on the wire than if it were unencrypted. If you have a lab set-up to test this, capture some sample sessions (using the same data etc.) with no encryption, then HTTPS, then HTTPS + VPN. Things to look at could be packet count, time taken, capture size, control / handshake packet count etc.

2. Same goes for the network kit between your hosts. If you have a lab set-up to test this, then you can monitor network performance directly. As below, unless you have very limited bandwidth or very old networking kit, you probably won't see any issue here.

3. If your VPN endpoint is on the same box as the box you're serving your HTTPS content through, you will have some additional processing overhead. Unless you're talking about a very old box and/or a high-throughput network, this shouldn't be an issue - but you can do some testing as above to look at load etc.

4. It's worth thinking about why you want both layers. If you're relying/hoping on obtaining combined benefits from both layers of encryption (confidentiality, integrity, availability from each) you should be aware that this also means you have (at least) two sets of keys to manage (ensuring they are different), two (at least) sets of apps/code to keep patched and configured etc. In addition, your VPN may well traverse any additional perimeter checks (IDS/IPS) you're doing at your network. If it doesn't, and you're sending traffic through it over HTTPS, then you'll either not be able to monitor it or you'll need additional configuration to manage that. There are some interesting attack vectors here that should be of interest to any good network penetration test.
Regards,
Nick

On 10/07/2010 11:03, Miguel González Castaños wrote:
Dear all,

As I have already mentioned here, I'm doing an online course in Security. My final assignment or project is to design (but I have decided to go further and implement it) a VPN for a small office which in theory would have HTTPS. I've chosen OpenVPN for my tests.

My tutor mentions that I should realize that using a VPN and https can be a problem when it comes to slow connections. I have used in the past some VPNs at work and using https, and I haven't realized such a problem (and I was using wireless connections in hotels).

Any tool or guidance that I could use to measure if there is such an impact on performance?

Thanks!

Miguel

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
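As an added example (not code from Nick's post or from the list), the comparison in point 1 above can be scripted: a small pure-Python reader for classic libpcap files reports packet count, bytes on the wire and elapsed time for each capture, and then expresses the HTTPS + VPN capture as a percentage over the unencrypted baseline. The captures below are constructed placeholder records, not real sessions; with real data you would feed it the three tcpdump files captured in the lab.

```python
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps

def build_pcap(packets):
    """Build a libpcap file from (timestamp_seconds, frame_bytes) pairs (used for constructed test data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    body = b""
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return hdr + body

@dataclass
class CaptureStats:
    packets: int        # records in the capture
    bytes_on_wire: int  # sum of original frame lengths, not truncated snaplen
    duration_s: float   # first to last timestamp

def summarise_pcap(raw):
    """Walk the record headers of a classic pcap file and total packets, bytes and elapsed time."""
    magic, = struct.unpack_from("<I", raw, 0)
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    off, count, total, first, last = 24, 0, 0, None, None
    while off + 16 <= len(raw):
        sec, usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", raw, off)
        off += 16 + incl_len
        if off > len(raw):
            raise ValueError("truncated packet record")
        ts = sec + usec / 1e6
        first = ts if first is None else first
        last, count, total = ts, count + 1, total + orig_len
    return CaptureStats(count, total, 0.0 if first is None else last - first)

def overhead(baseline, candidate):
    """Extra bytes and packets (percent) and extra time (seconds) relative to the unencrypted baseline."""
    return {
        "bytes_pct": 100.0 * (candidate.bytes_on_wire - baseline.bytes_on_wire) / baseline.bytes_on_wire,
        "packets_pct": 100.0 * (candidate.packets - baseline.packets) / baseline.packets,
        "extra_time_s": candidate.duration_s - baseline.duration_s,
    }

# Constructed sample captures: frame sizes and timings are placeholders, not measurements.
PLAIN = [(0.0, b"\x00" * 74), (0.010, b"\x00" * 600), (0.012, b"\x00" * 66)]
HTTPS_VPN = [(0.0, b"\x00" * 128), (0.005, b"\x00" * 128), (0.030, b"\x00" * 700), (0.035, b"\x00" * 120)]

if __name__ == "__main__":
    print(overhead(summarise_pcap(build_pcap(PLAIN)), summarise_pcap(build_pcap(HTTPS_VPN))))
```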