Virtually Private Networks

Conference: BlackHat USA 2020



The presentation discusses the six specific technical threats that a VPN should protect against and the approach taken to test various vendors in the space.
  • The VPN should prevent sniffing and protect against DNS meddling attacks
  • It should protect against spoofed websites and responder attacks
  • The interaction with the captive portal should not give an attacker an opportunity to inject malicious JavaScript into the browser
  • IPv6 susceptibility should be the same for hosts on a Wi-Fi network and those on the corporate network
  • Standard equivalent configurations were created to compare vendors in the context of the identified threat scenarios
  • The research question is how much protection enterprise VPN technologies provide against common and realistic threats
The presentation highlights the importance of combining different solutions to address cybersecurity threats. VPNs alone cannot do the job, and it is crucial to understand the threat landscape and how to address these issues. The six specific threat scenarios identified in the presentation demonstrate the need for a comprehensive approach to cybersecurity. The approach taken to test various vendors in the space provides valuable insights into the effectiveness of different VPN solutions. Overall, the presentation emphasizes the importance of staying up-to-date with the latest research and testing to ensure the security of enterprise networks.


Is Secure Remote Access like the emperor’s new clothes?

Enterprise businesses equip staff with mobile devices such as laptops and smart phones to perform daily tasks. This makes the workforce much more mobile but places an implicit burden on the staff to ensure that they are always on-line. Security is handled by the underlying operating system and supporting solutions, for example a Secure Remote Access solution or “VPN”.

Endpoint VPN technology has been around since at least 1996 when Microsoft created the Peer to Peer Tunneling Protocol (PPTP). OpenVPN and similar open source VPN technologies have advanced this tech from highly specialized to near commodity.

However, enterprise Secure Remote Access solutions can be complicated and nuanced. One case involves remote workers that connect to complimentary Internet hotspots typically offered by coffee shops, airports, hotels, etc. Hotspots are Wi-Fi access points that offer free Internet bandwidth. Most hotspots today feature a captive portal that requires either a password, voucher code, or some form of consent that involves agreeing to terms of use.

A robust VPN implementation should not allow a user to interact with a network resource that bypasses the secure tunnel. What then happens in the time between connecting to the Wi-Fi hotspot and activating the tunnel? How vulnerable is the user during this time? Surely the Wi-Fi hotspot securely isolates guests and surely the local firewall on the laptop will protect the user from any attacker, but does this assumption hold even if the hotspot is fully under the control of an attacker?

In this presentation, we will reveal research we conducted into the efficacy of modern commercial “VPN” solutions in the face of modern mobile worker use cases, typical endpoint technologies, and contemporary threat models.

In short: How “secure” can remote access ever be?
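A defender can check the "nothing bypasses the tunnel" requirement, including the DNS and IPv6 cases listed above, by asking which interface the endpoint's routing table would actually use for a given destination. The following is an added example, not code from the presentation or from any vendor; it assumes Linux `ip route` / `ip -6 route` style text, and the interface names (`tun0`, `wlan0`), addresses and routes are constructed sample data.

```python
import ipaddress

def parse_routes(text, v6):
    """Turn `ip route` / `ip -6 route` style lines into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if "dev" not in f:
            continue
        dest = ("::/0" if v6 else "0.0.0.0/0") if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries, not relevant here
        routes.append((net, f[f.index("dev") + 1]))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match: the interface that would carry traffic to addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def audit(routes4, routes6, resolvers, tunnel_dev, probes):
    """Report every probe or DNS resolver that is routed outside the tunnel."""
    routes = parse_routes(routes4, False) + parse_routes(routes6, True)
    targets = list(probes) + [("DNS resolver", r) for r in resolvers]
    findings = []
    for label, addr in targets:
        dev = egress_device(routes, addr)
        if dev is not None and dev != tunnel_dev:
            findings.append(f"{label} {addr} leaves via {dev}, not {tunnel_dev}")
    return findings

# Constructed sample: IPv4-only tunnel on tun0, hotspot on wlan0.
ROUTES4 = """default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link
192.168.1.0/24 dev wlan0 proto kernel scope link
203.0.113.10 via 192.168.1.1 dev wlan0"""
ROUTES6 = """default via fe80::1 dev wlan0 metric 600
fe80::/64 dev wlan0 proto kernel"""
PROBES = [("IPv4 host", "198.51.100.7"), ("IPv6 host", "2001:db8::7")]

if __name__ == "__main__":
    for finding in audit(ROUTES4, ROUTES6, ["192.168.1.1"], "tun0", PROBES):
        print(finding)
```

With the sample data, IPv4 traffic is tunnelled, but IPv6 traffic and lookups to the hotspot-assigned resolver still leave over the Wi-Fi interface.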


