Re: VPNs and double encryption

[Nick Besant <lists () hwf cc>]

 Hi.  I think this is a little off-topic for pen-test, but the following
pointers should be of some use (also some suggestions to bring it back
on-topic);

1. Using HTTP over SSL through a VPN will add some overhead to the
network throughput - you are encapsulating packets inside other packets,
so you will be using extra bits on the wire than if it were
unencrypted.  If you have a lab set-up to test this, capture some sample
sessions (using the same data etc) with no encryption, then HTTPS, then
HTTPS + VPN.  Things to look at could be packet count, time taken,
capture size, control / handshake packet count etc.

2. Same goes for the network kit between your hosts.  If you have a lab
set-up to test this, then you can monitor network performance directly. 
As below, unless you have very limited bandwidth or very old networking
kit, you probably won't see any issue here.

3. If your VPN endpoint is on the same box as the box you're serving
your HTTPS content through, you will have some additional processing
overhead.  Unless you're talking about a very old box and/or a
high-throughput network, this shouldn't be an issue - but you can do
some testing as above to look at load etc.

4. It's worth thinking about why you want both layers.  If you're
relying/hoping on obtaining combined benefits from both layers of
encryption (confidentiality, integrity, availability from each) you
should be aware that this also means you have (at least) two sets of
keys to manage (ensuring they are different), two (at least) sets of
apps/code to keep patched and configured etc.  In addition, your VPN may
well traverse any additional perimeter checks (IDS/IPS) you're doing at
your network.  If it doesn't, and you're sending traffic through it over
HTTPS then you'll either not be able to monitor it or you'll need
additional configuration to manage that.  There are some interesting
attack vectors here that should be of interest to any good network
penetration test.

Regards,

Nick


On 10/07/2010 11:03, Miguel González Castaños wrote:
> Dear all,
>
>   As I have already mentioned here I'm doing an online course in
> Security. My final assignment or project is to design (but I have
> decided to go further and implement it) a VPN for a small office which
> in theory would have HTTPs  I've chosen OpenVPN for my tests. My tutor
> mentions that I should realize that using a VPN and https can be a
> problem when it comes about slow connections. I have used in the past
> some VPNs at work and using https and I haven't realized such problem
> (and I was using wireless connections in hotels).
>
>   Any tool or guidance that I could use to measure if there is such
> impact on performance?
>
>   Thanks!
>
>   Miguel
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs
> require a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------