Questions

Is it possible? Double security through vpn ?

+
0 Votes
Locked

Is it possible? Double security through vpn ?

ukro
Please tell me if from the point of view of security i am right.

2 Pc's on different locations
Connected together with VPN.

On each PC there is VirtualMachine with Win OS and additional VPN inside it.
So we have route:
VM(with vpn) -> 1PChost(VPN) -> 2PChost(VPN) -> VM(with vpn)
Of course the route will be routed through the host VPN.

so does it mean that regular CHAP man in the middle hack is not possible so easily? because he will hack the password for the 1 VPN,but other VPN is still unhacked.
So he need to connect inside the VPN and again hack the other VPN am i right?

and from this point i will know because i will have some vb.net app who check the host PC's for the files/mac/certificate whatever from both sides independently.


right?
please tell me if i'm dreaming or it is possible.

Thank you very much for any comments !!!!!
Live long and prosper !!!
  • +
    0 Votes

    vpn

    ukro

    Maybe with this it is possible even 3 layers vpn vm inside the vm like in the movie Inception ? lilke a dream within the dream in the dream

    +
    0 Votes
    sire_tim

    What's your VPN based on? If it's IPSec, then I would argue that it won't do anything perceptibly more than one VPN logon, since with IPSec you're dealing not with passwords but with encrypted packets themselves. Bear in mind as well, with vmware machines there are already inherent weaknesses that can be directly attacked if your outer VPN is hit.

    Perhaps easier to comment if you can identify the VPN in place, and your objective?

    +
    0 Votes
    ukro

    well i'm thinking of Kerio VPN, it have automatic reconnection etc.
    2 times kerio VPN on host and on vm's
    There will be only 1 port for voice communication thats all.
    Objective, create super bullet proof voice communication.
    If someone attack or use the weakness of the VM,i will know it on the time and change all the stuff i need or even stop the communication.

    reply on your text:
    1)i have no idea which base kerio is using.
    2)If they decrypt packets from 1 layer they will still need to decrypt the 2nd layer. right? If we are talking only about voice communication.
    3)i would have some checking of 2 PC's that they are really the PC that i want.By as i said (some apps with pinging,checking,whatever i can imagine it can test)

    Thank you for comments !!

    +
    2 Votes
    robo_dev

    Sorry to give a whole security lecture here but....

    First of all, a properly configured point-to-point IPSEC VPN, when connected, has very little attack surface.

    When VPN router A is connected to VPN router B, you cannot connect a rogue VPN to router A, for example....the tunnel is already established. (The pattern is full)

    Of course setting up the tunnel COULD be a point of entry, but only when the connection is offline...but a shared secret cannot be brute forced and also guessing and spoofing the remote IP address gets a bit complicated. Any device on the Internet will get probed, but the main security risk out there are USER VPNs, not site-to-site VPNs.

    With VPN hacking tools like ikescan somebody can determine if aggressive mode and a pre-shared key is in use, but if the device is in 'main mode' with a certificate then it's safe enough for the Pentagon at that point.

    Once the tunnel is established, you're relying on the strength of the encryption mainly, but typically unless you're on a military base in enemy territory, someone is not going to be intercepting and trying to cryptoanalyze your every packet.

    +
    0 Votes
    ukro

    Thank you for reply,

    The thing is i want to be sure and double triple sure. And know if someone entered my VPN and i have some extra minute to stop everything what is going on. I saw same clips how easy is crack some of the VPN's i'm not a specialist but just putting logic on the table.Basicaly i want to know if it is really as i am thinking that will be harder to break(spy) or not,this is the main point of my question.

    You said the pattern is full that i don't understand.
    The traffic will go through 2 layers of vpn not only the host vpn but also VM vpn additionaly.
    By my logic the pattern can't be full it can be only added,please explain.

    Thank you !

    +
    0 Votes
    robo_dev

    The point to 'the pattern is full' meaning that a point-to-point VPN device, such as a Cisco router or VPN concentrator does not accept multiple connections. If you define a VPN tunnel in such as device at location "a" to another device in "location b", it is impossible for a second VPN tunnel connection to be made to the VPN device at either location. Even if the attacker had the correct shared secret, certificate, and IP address (not likely!), there is no second connection that can be made.

    in reading your question, I made one huge mistake....I did not notice you were talking about CHAP and MITM attacks....

    When we talk about 'secure VPN' solutions, that would be a IPSEC/L2TP VPN, using AES encryption and SHA256 hashing algorithm and something OTHER that CHAP or MS-CHAP authentication (such as shared-secret or digital certificate)

    That would be a Cisco ASA-5505 security appliance connecting to a Cisco ASA-5505 security appliance, configured to use AES-256 encryption and SHA-256 or even SHA-384 hashing and a certificate is used for authentication. That is a secure point-to-point VPN solution, and this cannot be hacked by any currently known method or technology.

    The hacks you hear about are: Microsoft VPN using PPTP and MS CHAP V2. Microsoft PPTP VPN technology is not all that secure, and specifically the MS CHAP V2 protocol is very very hacked...like since 2007.

    Partly to answer your original question, putting a Microsoft VPN inside a Microsoft VPN is like putting a small leaky boat inside a a larger leaky boat. It may keep you afloat longer, but for the extra work and time, instead buy one very seaworthy boat instead.

    From a security standpoint, that is like comparing the lethality of a F-15 fighter jet to an old man with a rolled-up newspaper.....not the same thing!

    +
    0 Votes
    ukro

    Thank you for a crystal clear explanation and examples !
    Long live and prosper ! :)

    +
    0 Votes
    wsmario

    In principle yes, it can be possible but all VPN's must be from the same company and the same version for avoiding conflicts .... or miss understanding between versions.

    +
    0 Votes
    Farangols

    It is surely possible with more than pne layered VPN. But keep rememering that you need to acquire all VPNs from same vendor/manufacturer or company/organizaiton. You must have no cpncurrencies or conflicts at your maximum. Have a look at get best vpn services/guidelines at http://www.bestvpn.co.uk/

  • +
    0 Votes

    vpn

    ukro

    Maybe with this it is possible even 3 layers vpn vm inside the vm like in the movie Inception ? lilke a dream within the dream in the dream

    +
    0 Votes
    sire_tim

    What's your VPN based on? If it's IPSec, then I would argue that it won't do anything perceptibly more than one VPN logon, since with IPSec you're dealing not with passwords but with encrypted packets themselves. Bear in mind as well, with vmware machines there are already inherent weaknesses that can be directly attacked if your outer VPN is hit.

    Perhaps easier to comment if you can identify the VPN in place, and your objective?

    +
    0 Votes
    ukro

    well i'm thinking of Kerio VPN, it have automatic reconnection etc.
    2 times kerio VPN on host and on vm's
    There will be only 1 port for voice communication thats all.
    Objective, create super bullet proof voice communication.
    If someone attack or use the weakness of the VM,i will know it on the time and change all the stuff i need or even stop the communication.

    reply on your text:
    1)i have no idea which base kerio is using.
    2)If they decrypt packets from 1 layer they will still need to decrypt the 2nd layer. right? If we are talking only about voice communication.
    3)i would have some checking of 2 PC's that they are really the PC that i want.By as i said (some apps with pinging,checking,whatever i can imagine it can test)

    Thank you for comments !!

    +
    2 Votes
    robo_dev

    Sorry to give a whole security lecture here but....

    First of all, a properly configured point-to-point IPSEC VPN, when connected, has very little attack surface.

    When VPN router A is connected to VPN router B, you cannot connect a rogue VPN to router A, for example....the tunnel is already established. (The pattern is full)

    Of course setting up the tunnel COULD be a point of entry, but only when the connection is offline...but a shared secret cannot be brute forced and also guessing and spoofing the remote IP address gets a bit complicated. Any device on the Internet will get probed, but the main security risk out there are USER VPNs, not site-to-site VPNs.

    With VPN hacking tools like ikescan somebody can determine if aggressive mode and a pre-shared key is in use, but if the device is in 'main mode' with a certificate then it's safe enough for the Pentagon at that point.

    Once the tunnel is established, you're relying on the strength of the encryption mainly, but typically unless you're on a military base in enemy territory, someone is not going to be intercepting and trying to cryptoanalyze your every packet.

    +
    0 Votes
    ukro

    Thank you for reply,

    The thing is i want to be sure and double triple sure. And know if someone entered my VPN and i have some extra minute to stop everything what is going on. I saw same clips how easy is crack some of the VPN's i'm not a specialist but just putting logic on the table.Basicaly i want to know if it is really as i am thinking that will be harder to break(spy) or not,this is the main point of my question.

    You said the pattern is full that i don't understand.
    The traffic will go through 2 layers of vpn not only the host vpn but also VM vpn additionaly.
    By my logic the pattern can't be full it can be only added,please explain.

    Thank you !

    +
    0 Votes
    robo_dev

    The point to 'the pattern is full' meaning that a point-to-point VPN device, such as a Cisco router or VPN concentrator does not accept multiple connections. If you define a VPN tunnel in such as device at location "a" to another device in "location b", it is impossible for a second VPN tunnel connection to be made to the VPN device at either location. Even if the attacker had the correct shared secret, certificate, and IP address (not likely!), there is no second connection that can be made.

    in reading your question, I made one huge mistake....I did not notice you were talking about CHAP and MITM attacks....

    When we talk about 'secure VPN' solutions, that would be a IPSEC/L2TP VPN, using AES encryption and SHA256 hashing algorithm and something OTHER that CHAP or MS-CHAP authentication (such as shared-secret or digital certificate)

    That would be a Cisco ASA-5505 security appliance connecting to a Cisco ASA-5505 security appliance, configured to use AES-256 encryption and SHA-256 or even SHA-384 hashing and a certificate is used for authentication. That is a secure point-to-point VPN solution, and this cannot be hacked by any currently known method or technology.

    The hacks you hear about are: Microsoft VPN using PPTP and MS CHAP V2. Microsoft PPTP VPN technology is not all that secure, and specifically the MS CHAP V2 protocol is very very hacked...like since 2007.

    Partly to answer your original question, putting a Microsoft VPN inside a Microsoft VPN is like putting a small leaky boat inside a a larger leaky boat. It may keep you afloat longer, but for the extra work and time, instead buy one very seaworthy boat instead.

    From a security standpoint, that is like comparing the lethality of a F-15 fighter jet to an old man with a rolled-up newspaper.....not the same thing!

    +
    0 Votes
    ukro

    Thank you for a crystal clear explanation and examples !
    Long live and prosper ! :)

    +
    0 Votes
    wsmario

    In principle yes, it can be possible but all VPN's must be from the same company and the same version for avoiding conflicts .... or miss understanding between versions.

    +
    0 Votes
    Farangols

    It is surely possible with more than pne layered VPN. But keep rememering that you need to acquire all VPNs from same vendor/manufacturer or company/organizaiton. You must have no cpncurrencies or conflicts at your maximum. Have a look at get best vpn services/guidelines at http://www.bestvpn.co.uk/