Hi, sorry for being silent these last seven months. We had a surge in work and we put the blog on hold. We are back now.
Last week two clients asked us about testing SSL VPNs. Today I want to discuss what we look for in an SSL VPN penetration test.
We perform two types of checks on SSL VPNs as part of our penetration testing service:
- Can the security of the SSL VPN be compromised?
- Are the security features in the SSL VPN adequate and correctly configured?
Compromise the security of the SSL VPN
- Can an adversary add fake users or reset passwords without authorization?
- Can an adversary change the access rights of others without permission?
- Can an adversary delete audit logs or fake them?
- Can an adversary deny access to other users?
- Can an adversary escalate privileges and become an administrator?
- Can an outsider bypass the authentication system?
- Can an adversary change group memberships of himself or others?
- Are login credentials cached on the browser, or visible in memory?
Adequacy of Security features
- How powerful are the audit trails?
  - Are they adequate to detect the attacks from the pen test?
- What are the identification schemes supported?
  - In addition to user identity, does the VPN also support identification based on IP addresses, certificates, etc.?
- Does the VPN check for integrity of the endpoint?
  - Does it check for missing patches, outdated virus signatures, etc.?
- How granular is the authorization scheme?
  - Can authorizations be made at the server, application, URL and folder level?
- How are session data protected at the endpoint?
  - Are session data (like cache, cookies) deleted on logout?
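One way to check the session-data questions above (and the credential-caching question in the first list) from response headers captured at login and logout. This is an added example, not part of the original post; the cookie name VPNSESSID, the sample headers and the helper functions are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def is_expired(attrs, now):
    """True if the attributes tell the browser to delete the cookie."""
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparseable value: treat as not expired
    return False

def audit_session(login_headers, logout_headers, cookie_name, now=None):
    """Return a list of findings; headers are lists of (name, value) tuples."""
    now = now or datetime.now(timezone.utc)
    findings = []
    cache = ",".join(v.lower() for k, v in login_headers if k.lower() == "cache-control")
    if "no-store" not in cache:
        findings.append("authenticated response may be cached (no Cache-Control: no-store)")
    cookies = lambda hdrs: [parse_set_cookie(v) for k, v in hdrs if k.lower() == "set-cookie"]
    for name, attrs in cookies(login_headers):
        if name == cookie_name:
            findings += [f"session cookie lacks {flag}"
                         for flag in ("secure", "httponly") if flag not in attrs]
    if not any(n == cookie_name and is_expired(a, now) for n, a in cookies(logout_headers)):
        findings.append("logout does not expire the session cookie")
    return findings

# Constructed sample headers (assumed cookie name: VPNSESSID).
WEAK = ([("Cache-Control", "private"), ("Set-Cookie", "VPNSESSID=abc123; Path=/")],
        [("Location", "/login")])
HARDENED = ([("Cache-Control", "no-store"),
             ("Set-Cookie", "VPNSESSID=abc123; Path=/; Secure; HttpOnly")],
            [("Set-Cookie", "VPNSESSID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT")])

if __name__ == "__main__":
    for label, (login, logout) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session(login, logout, "VPNSESSID"))
```

Headers only show what the browser is told to do; whether the server also invalidates the session on logout has to be checked separately.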
If you have more ideas, we are eager to hear them. Please post them as comments to this post.