10 reasons why IPsec VPN failed
During the discussion around IPsec VPN deployment issues, I heard an idea as follows: 'We have an IPsec VPN, and it is configured to use encryption algorithms. So it's absolutely safe, and you can
As an independent advisor, I am often asked to have a 'keen eye' when performing a network assessment. Sometimes including IPsec VPN survey.
During the discussion around IPsec VPN deployment issues, I heard an idea as follows: " We have an IPsec VPN, and it is configured to use encryption algorithms. Therefore it It is absolutely safe, and you can spend more time with other members of the network than spend time surveying VPN ". This is sometimes too complacent and believes in the surprising widespread popularity of IPsec VPNs, especially when using powerful encryption algorithms such as AES, is very secure without bothering to design. and configure correctly.
Until now, almost everyone knew that it was not a good idea to use weak 56-bit DES algorithms on IPsec VPN.
But there are still sometimes unexplainable things that even though an IPsec VPN uses relatively strong algorithms like AES, all the power and protection proposed by these algorithms can be weakened. by IPsec design VPN and bad configuration.
So, if you have an IPsec VPN and are unsure of its configuration, this might be a good idea to double check if you have used the correct algorithms or not and also consider Is VPN also designed and configured correctly?
Here are ten weaknesses that need to be checked when accessing IPsec VPN :
1. Use weak shared keys.
2. Use of inappropriate IKE / ISAKMP attack method (weak shared key).
3. Appropriate authentication method (shared key when electronic signature [certificate] based on authentication may be more appropriate).
4. Use inappropriate groups of wildcards or wildcards (using more solutions will be better).
6. Inappropriate use of extended authentication (XAuth, vulnerable when used with shared keys and IKE / ISAKMP).
7. Vulnerability of NTP or CRLs / OCSP used by PKI for DOS attack (related when using electronic signature authentication).
8. Securing the weaknesses of storing primary keys CA.
9. Store IPsec VPN gateway configuration files containing shared key color letters.
10. Use encryption without authentication.
The ten weak points on the offer just started. Therefore, there is a need for good precautions until you have embraced every facility and are absolutely satisfied that the IPsec VPN is truly secure.
And if you need more information about the ten points I listed above, then Google is a good search engine. If Google does not do this, please refer to some books on Amazon.
You should read it
- How to set up IKEv2 IPsec on Windows
- How to connect L2TP / IPsec VPN on Windows 10
- IPSec Policy Agent security
- Configure IPSec Policy through GPO
- Block web browser with IPSec
- Deploying IPsec Server and Domain Isolation with Windows Server 2008 Group Policy - Part 3
- Lock Ping traffic with IPSec
- Export and Import IPSec Policy
- What are IKE and IKEv2 VPN protocols?
- How to fix 'This App is No Longer Shared' error, no data loss
- Check the TMG 2010 virtual private network server - Part 3: Configure TMG Firewall as L2TP / IPsec Remote Access VPN Server
- How to add photos to iPhone shared albums
Maybe you are interested
How to reduce battery consumption on Android phones by Google Play Services This summer, should a misting fan, steam fan or air conditioner be selected? Life at Apple is like in a nuclear reactor Apple may sell 189 million iPhones in 2015 The battle between Apple and Google is very useful for humanity Samsung mocked Apple for the iPhone bend