Penetration Testing SSL VPNs

By Paladion

November 22, 2007

Hi, sorry for being silent these last seven months. We had a surge in work and we put the blog on hold. We are back now.
Last week two clients asked us about testing SSL VPNs. Today I want to discuss what we look for in an SSL VPN penetration test.
We perform two types of checks on SSL VPNs as part of our penetration testing service:

  • Can the security of the SSL VPN be compromised?
  • Are the security features in the SSL VPN adequate and correctly configured?

Compromising the security of the SSL VPN

  1. Can an adversary add fake users or reset passwords without authorization?
  2. Can an adversary change the access rights of other users without permission?
  3. Can an adversary delete or forge audit logs?
  4. Can an adversary deny access to other users?
  5. Can an adversary escalate privileges and become an administrator?
  6. Can an outsider bypass the authentication system?
  7. Can an adversary change their own group memberships or those of other users?
  8. Are login credentials cached in the browser, or visible in memory on the client?

Adequacy of security features

  1. How detailed are the audit trails?
    • Are they sufficient to detect the attacks performed during the pen test?
  2. What identification schemes are supported?
    • In addition to user identity, does the VPN also support identification based on source IP address, client certificates, etc.?
  3. Does the VPN check the integrity of the endpoint?
    • Does it check for missing patches, outdated anti-virus signatures, etc.?
  4. How granular is the authorization scheme?
    • Can access be granted or denied at the level of individual servers, applications, URLs, or folders?
  5. How is session data protected at the endpoint?
    • Is session data (such as the browser cache and cookies) deleted on logout?
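As an added example (not code from the original post, and not from any VPN vendor), the Python script below checks two of the endpoint questions above offline: item 8 of the first list (are credentials cached in the browser?) and item 5 of the second (is session data cleared on logout?). It parses the three responses a proxy would have recorded during a test, the login form page, the successful login, and the logout request, and reports where the portal leaves the browser holding credentials or a live session cookie. The responses, the SESSID cookie name and the /login and /portal paths are constructed samples, not captures from any real product; in a real test you would paste in what your proxy recorded.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses (hypothetical cookie name and paths; not
# captured from any real SSL VPN).  One weak portal and one hardened portal.
WEAK_LOGIN_FORM = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<form method='post' action='/login'>"
    "<input type='text' name='user'><input type='password' name='pass'></form>"
)
WEAK_LOGIN_OK = (
    "HTTP/1.1 302 Found\r\nLocation: /portal\r\n"
    "Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
)
WEAK_LOGOUT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nLogged out."

HARDENED_LOGIN_FORM = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\n\r\n"
    "<form method='post' action='/login'>"
    "<input type='text' name='user' autocomplete='off'>"
    "<input type='password' name='pass' autocomplete='off'></form>"
)
HARDENED_LOGIN_OK = WEAK_LOGIN_OK
HARDENED_LOGOUT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Set-Cookie: SESSID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly\r\n"
    "\r\nLogged out."
)

PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*['\"]?password\b[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"\bautocomplete\s*=\s*['\"]?off\b", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    headers maps lower-cased names to a list of values, since Set-Cookie
    legitimately repeats within one response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header; attribute
    names are lower-cased, flag attributes get an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_is_cleared(value, attrs):
    """True if this Set-Cookie deletes the cookie: empty value, Max-Age <= 0,
    or an Expires date in the past."""
    if value == "":
        return True
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp < datetime.now(timezone.utc)
    return False


def no_store(headers):
    return "no-store" in ",".join(headers.get("cache-control", [])).lower()


def assess(login_form_raw, login_ok_raw, logout_raw):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    _, form_hdr, form_body = parse_response(login_form_raw)
    _, ok_hdr, _ = parse_response(login_ok_raw)
    _, out_hdr, _ = parse_response(logout_raw)

    # Item 8: can the browser keep a copy of the login page or the password?
    if not no_store(form_hdr):
        findings.append("login page is cacheable (no Cache-Control: no-store)")
    for tag in PASSWORD_INPUT.findall(form_body):
        if not AUTOCOMPLETE_OFF.search(tag):
            findings.append("password field allows browser autocomplete")

    # Item 5: is every cookie issued at login deleted again by the logout response?
    issued = {parse_set_cookie(h)[0] for h in ok_hdr.get("set-cookie", [])}
    cleared = {n for n, v, a in map(parse_set_cookie, out_hdr.get("set-cookie", []))
               if cookie_is_cleared(v, a)}
    for name in sorted(issued - cleared):
        findings.append(f"cookie {name} not cleared on logout")
    if not no_store(out_hdr):
        findings.append("logout response is cacheable")
    return findings


if __name__ == "__main__":
    for label, trio in (("weak", (WEAK_LOGIN_FORM, WEAK_LOGIN_OK, WEAK_LOGOUT)),
                        ("hardened", (HARDENED_LOGIN_FORM, HARDENED_LOGIN_OK, HARDENED_LOGOUT))):
        print(label, assess(*trio) or ["no findings"])
```

Two caveats when reading the output. First, these are header-level checks: they show only what the server tells the browser to do. Whether the session was really ended must be confirmed separately by replaying the pre-logout cookie against the portal and verifying that it is rejected. Second, current browsers ignore autocomplete="off" on password fields, so the cache and server-side session checks carry more weight today than the autocomplete finding does.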

If you have more ideas, we are eager to hear them. Please post them as comments to this post.

Tags: Penetration testing, Uncategorized, ethical hacking, SSL Virtual Private Network